TLS

Transport Layer Security (TLS) is an internet communications security protocol. TLS settings are necessary for server applications, not for client applications. The primary reason for using TLS is to encrypt communications between a server and its clients. Using TLS is recommended when connecting to a data logger over an IP connection using the web interface. TLS does not affect PakBus communications.

Example server application instructions include:

  • HTTPS server
  • DNP() using the optional DNPTLS parameter

Example client application instructions include:

  • HTTPGet(), HTTPPut() and HTTPPost()
  • EmailRelay()
  • EmailSend() and EmailRecv()
  • FTPClient()
  • MQTTConnect()
  • MQTTPublishTable()
  • MQTTPublishConstTable()

CSI Web Server can also use TLS.

NOTE:

For enhanced security, TLS settings are only shown in Device Configuration Utility when using a direct USB connection, or an IP connection using PakBus Encryption.

Use the following steps to configure TLS:

  1. Use the Device Configuration Utility to enable HTTPS and disable HTTP. See Deployment > Network Services tab.

  2. Use the Device Configuration Utility to enable and set up TLS. See Deployment > Datalogger > TLS tab.

    a. Increase the number of Max TLS Server Connections to greater than zero. Each additional connection uses about 20 KB of memory. For general use, such as publishing web pages, use a minimum of five connections. Add more if multiple users may access the hosted web pages at the same time. See Web interface.

    b. Use Set Private Key and Set Certificate to upload files in .PEM format. These can either be self-signed or issued by a trusted third-party organization. See Obtaining certificate and private key for more information.

      • Maximum key file size: 4 KB public, 4 KB private

      Review the Will send file path message to ensure you have the correct files.

  3. Apply to save your changes.

  4. Confirm your TLS security settings by connecting to the data logger using a web browser. See Web interface. This connection can initially take up to 30 seconds as the data logger negotiates TLS with the web browser. If the default data logger web page loads, then TLS has been set up correctly.

    NOTE:

    If the certificates uploaded to the data logger are from an unknown source, such as most self-signed certificates, the web browser will likely display a warning. If the issuer can be trusted, this warning can be bypassed.
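The certificate upload step and the browser confirmation step above, as an added shell example that is not part of the Campbell Scientific manual: it creates a self-signed certificate and private key in .PEM format, checks that each file fits the 4 KB limit the data logger enforces and that the key matches the certificate, and inspects the certificate a running logger presents. It assumes the openssl command-line tool is installed; the host name datalogger.example and the output file names are placeholders.

```shell
#!/bin/sh
# Added example; assumes the openssl CLI (1.1.1 or newer for -addext).
MAX_PEM_BYTES=4096   # 4 KB limit per uploaded file (public and private)

# make_datalogger_cert DIR HOSTNAME [DAYS]
# Writes DIR/datalogger.key.pem and DIR/datalogger.crt.pem. A 2048-bit RSA key
# keeps both PEM files well under 4 KB; a 4096-bit RSA private key would not fit.
make_datalogger_cert() {
    dir=$1; host=$2; days=${3:-825}
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/datalogger.key.pem" -out "$dir/datalogger.crt.pem" \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# pem_fits FILE: succeeds when FILE is at most MAX_PEM_BYTES long
pem_fits() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$MAX_PEM_BYTES" ]
}

# check_upload_pair DIR: size limits, parseable certificate, key matches cert
check_upload_pair() {
    dir=$1
    pem_fits "$dir/datalogger.crt.pem" || { echo "certificate exceeds 4 KB" >&2; return 1; }
    pem_fits "$dir/datalogger.key.pem" || { echo "private key exceeds 4 KB" >&2; return 1; }
    openssl x509 -in "$dir/datalogger.crt.pem" -noout >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/datalogger.crt.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/datalogger.key.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# show_logger_cert HOST: prints subject and validity of the certificate the
# data logger serves on HTTPS (port 443), for the browser confirmation step.
# Needs network access to the logger, so it is not run automatically here.
show_logger_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}
```

A self-signed pair produced this way still triggers the browser warning the NOTE describes; only a certificate issued by a CA the browser already trusts avoids it.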