Encrypted Communication between Backend and InfluxDB®

The InfluxDB® can be configured to use encrypted transmission (SSL / HTTPS) between the backend and the database instance. By default, this encryption is not enabled. It is recommended if the database is running on a different node than WinCC OA.

Note: To use encrypted communication, certificates (located in <winccoa installation dir>/config) are installed with WinCC OA (nga_influx.crt, nga_influx.key). For real facility projects you must create your own project-specific certificates. You can create the certificates by using the Panel for SSL Certificates. Select the type Certificate for the HTTP-server. See also the Certificate documentation - Why to use Certificates.

HTTPS encryption can be enabled as follows:

  • Edit the file <projdir>/config/influxdb.conf.
  • Change the line for https-enabled from false to true:
    #Determines whether HTTPS is enabled.
    https-enabled = false -> change to true
  • Change the https-certificate and https-private-key entries according to your certificates:
    # The SSL certificate to use when HTTPS is enabled.
    https-certificate = "C:/winccoa_projects/test130622/config/certificate.pem" 
    # Use a separate private key location.
    https-private-key = "C:/winccoa_projects/test130622/config/privkey.pem"
  • Save the file.
  • Stop and restart the InfluxDB® by using the Database configuration panel.
Figure 1. Stop Database
  • Select Backend and under Basic Configuration, select the Database Connection.
  • Change Connection from <$host1> to https://IP Address of the database host:8086. $host1/$host2 are used as placeholders in redundant systems.
Figure 2. Basic Configuration - Change the Database Connection to "https"
  • Click Save in the lower part of the panel.
  • Restart the backend (out-of-proc) by using the Stop Backend button of the Backend tab -> General Settings:
Figure 3. Backend tab -> General Settings -> "Stop Backend" button

or NGA (in-proc) by restarting the NextGen Archiver in the WinCC OA console.

Figure 4. WinCC OA Console - Restart NexGen Archiver
  • To test if SSL is working correctly, open a command window in the bin subfolder of the WinCC OA installation directory and enter:
influx -ssl -unsafeSsl

If SSL does not work - if the connection was not changed in the configuration panel - see note below, the following error message is shown:

"Failed to connect to https://IP address:8086: Get https://IP address:8086:ping: dial tcp IP address:8086: connectex: No connection could be made because the target machine actively refused it.Please check your connection settings and ensure 'influxd' is running."

After the database is restarted with https-enabled, the error message:

WCCOAnextgenarch(118), 2021.04.19 12:24:53.469, IMPL, SEVERE, 0, , Could not connect to the InfluxDB® database process within the specified timeout period. Check path settings in config/influxdb.conf in the project directory (from _NGA_B_InfluxDB)

is shown in the WinCC OA log if the "Database connection" is not set correctly in the configuration panel. See the step above where the "Database connection" was set, to set the "Database connection" correctly.