You can enable Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), on the Web Server for remote front panels and the Application Web Server for Web services. Use TLS/SSL encryption to create secure, encrypted connections when sending data between clients and the Web Server.
|
Note��TLS/SSL is available only in the LabVIEW Full Development System and the LabVIEW Professional Development System. |
TLS/SSL uses X.509 certificates to establish secure connections between a client and a server.
Certificates are digital files that contain identifying information about the server, as well as a public key and a digital signature. Server name, expiration date, and locale are examples of identifying information. A public key is a string of characters used to generate the encryption, and the digital signature is a confirmation of the authenticity of the certificate. The digital signature can be added by the certificate creator�a self-signed certificate�or added by a certificate authority (CA), a trusted third-party company that issues digital certifications.
When a client attempts to establish a secure connection to the server, the server provides this certificate. The client confirms the authenticity of certificate, often using a major Web browser. The Web browser automatically cross-checks the authenticity of the certificate against a root certificate list of known CAs and displays the appropriate prompts to accept or reject the certificate. If the client accepts the certificate, the client communicates back to the server with a unique encryption code based on the public key. The server then uses a private key that was created along with the certificate to decode the encryption. At this point, the client and server have established a secure, encrypted connection.
 |
Caution��The private key remains on the system running the Web Server and is not made public to either the client or CA. The private key is vital to maintaining the integrity of the encrypted connection and must remain on the system that generated the initial certificate. If the private key is compromised, discontinue use of the associated certificate. |
Enable TLS/SSL security for Web services using the Web Configuration page for the Application Web Server. You can enable TLS/SSL security for remote front panels in the Options dialog box. When Web clients connect to Web services or remote front panels with TLS/SSL enabled, you must use the https:// protocol. For example, https://localhost:443 connects to a Web Server with TLS/SSL set up on port 443.
Use self-signed certificates to begin using TLS/SSL immediately, without requiring a third-party CA to digitally sign your certificate. A self-signed certificate is signed by the creator of the certificate and is the quickest way to use TLS/SSL in LabVIEW. You also can use self-signed certificates to test a system before you obtain a certificate signed by a CA. Self-signed certificates might create additional security prompts when the client accesses the Web Server using a major Web browser.
You can use the default LabVIEW self-signed certificate, which LabVIEW creates when you enable TLS/SSL, or you can use the NI Web-based Configuration & Monitoring to create custom self-signed certificates.
LabVIEW creates a default self-signed certificate when you enable TLS/SSL, without the need to create a new self-signed certificate or certificate signing request (CSR). If you do not select a custom certificate when you enable TLS/SSL, LabVIEW uses the default certificate.
The default self-signed certificate is valid for 10 years from the date of creation.
You can find the default self-signed certificate file in the (Windows 7) C:\ProgramData\National Instruments\certstore\server_certs\server_0.cer directory.
In NI Web-based Configuration & Monitoring, use the SSL Certificate Management tab of the Web Server Configuration page to create and manage self-signed certificates and CSRs. Refer to the help included with NI Web-based Configuration & Monitoring for more information about the following procedures:
You can create a certificate signing request to obtain a certificate that is authorized with a digital signature from a CA, a trusted third-party company that digitally certifies the authenticity of certificates. A network administrator, such as a corporate IT department, might also issue digital signatures.
A CSR contains the identifying information and public key components of a certificate. You then send CSRs to a trusted CA, who adds a digital signature and returns a complete certificate.
When you create a CSR, you must send the CSR to a trusted CA to digitally sign. A network administrator might have a preferred CA or might digitally sign CSRs itself. The CA creates a valid certificate for use with the web server.
Configuring Web Services Security
Monitoring and Configuring a Remote Device from a Web Browser