Config Entries for MxProxy and HTTP Server

The WinCC_OA Multiplexing Proxy and the HTTP Server use SSL for the secure communication. Which certificates must be used for the SSL communication is specified via config entries. This chapter contains a list of config entries that are required for the secure communication.

SSL communication with filebased certificates

The following table contains config entries that are required for the SSL communication with filebased certificates.

Multiplexing Proxy

Use the following config entries for the Multiplexing Proxy. You can find the detailed description of the entries under Reference tables-> Configuration file->[section]. You can open the detailed description via the links below.

Config entry Description

securityMode = "cert"

Defines the security mode (cert, wincert..). See the description of the config entry on the left.

sslCertificate = "<cert-file> <private-key> <CAFile>"

sslCertificate = "D:/Certificates/host-cert.pem D:/Certificates/host-key.pem D:/Certificates/root-certificate.pem"

The sslCertificate entry specifies the absolute path and the file name of 3 files needed for SSL/TLS encrypted communication.

The following example shows a config file for Single System Configuration (remote UI):

The Proxy and the Server are deployed on the same host. The Client (on a separate host) communicates with the Server via the MxProxy.

Figure 1. Client Config File - Use Pem Certificates in the Config File
Figure 2. Server Config File - Use Pem Certificates in the Config File

HTTP Server

Use the following config entries for the HTTP Server with ULC UX. You can find the detailed description of the entries under Reference tables-> Configuration file->[section]. You can open the detailed description via the links below.

Config Entry Description

[httpServer]

uiArguments="-p login.pnl"

Start parameter for the ULC UX.

[webClient]

httpAuth=1

Activates the HTTP server authentication.

SSL communication with Windows Certificate Store Certificates

The following table contains config entries that are required for the SSL communication via Windows certificate store certificates.

For how to convert the certificates into Windows Certificate Store format and how to import them into Windows Certificate Store, see chapter Windows Certificate Store

Multiplexing Proxy

Use these config entries for the Multiplexing Proxy. You can find the detailed description of the entries under Reference tables-> Configuration file->[section]. You can open the detailed description via the links below.

Config entry Description

[general]

securityMode = "winCert"

winCert = "USER:MY:host_MxProxy"

winRootCA = "USER:ROOT:root_mxProxy"

mxProxy = "<HOSTNAME> <HOSTNAME> wincert"

Defines the security mode (cert, winCert). See the description of the config entry.

If security mode winCert is configured, the config entry winCert determines which certificate from the Windows Certificate Store is used for SSL/TLS communication.

If security mode winCert is configured, the config entry winRootCA determines which certificate from the Windows Certificate Store to be used for certificate verification during SSL/TLS session negotiation. Please see the description of the SecurityMode entry.

The mxProxy specifies the WinCC OA server host as well as the MXProxy host.

If certificates are used via thumbprints, use the following config entries:

[general]

securityMode = "WINCERT"

winCertSearchBy = "SHA1"

mxProxy = "<HOSTNAME> <HOSTNAME> wincert"

winRootCA = "USER:ROOT:a7 8F b0 9A 96 A4 A0 4E 6F B3 BF 4D 24 B3 85 0D 4A 64 9B 30"

winCert = "USER:MY:0A C4 9B FB 7A 70 65 58 84 08 76 36 35 FF C0 CC 35 BE E8 A3"

See above.
CAUTION:

Note that the Windows registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\forcekeyprotection must be set to 0 so that the certificates for the Multiplexing Proxy can be used. Open the registry via the regedit command and add the entry or change the default value 2 to 0. Furthermore, note that certificates that were imported before the entry was set, must be reimported. The registry entry is by default 2 due to security reasons (key protection for keys that are saved on the computer).