
Secure Configuration User Guide


Contents

1. DeviceMaster and DeviceMaster UP Secure Configuration User Guide 2000549 Rev A

   Password Authentication Setting and Usage

   This User Guide discusses secure web configuration for the DeviceMaster and DeviceMaster UP. This section discusses the following:
   - Authentication Method
   - Setting/Clearing the Password with Telnet
   - Telnet Help
   - Web Page Password Access

   Authentication Method

   Before the Web page password access method can be enforced, the log-in authentication must be set. The following steps must be performed in order for the password access to be enforced:
   1. Telnet to the DeviceMaster UP by typing telnet followed by the IP address, and press Enter.
      [Screenshot: Command Prompt window with the telnet command]
   2. When prompted for the password, enter the password if one has been set; otherwise press Enter.
   3. To display the current authentication setting
2. [Screenshot: Server Configuration home page, with links including Configure Network and Configure Security]

   Enabling Web Page Configuration Security (HTTPS): Configuring Security

   3. On the Edit Security Configuration page, click Enable Secure Config Mode if you want to provide this level of security, which disables the following features:
      - Telnet access to administrative and diagnostic functions is disabled. If enabled, SSH log-ins are still allowed.
      - Unencrypted access to the web server via port 80 (http:// URLs) is disabled. Encrypted access to the web server via port 443 (https:// URLs) is still allowed.
      - Administrative commands that change configuration or operating state and are received using the Comtrol proprietary TCP driver protocol on TCP port 4606 are ignored.
      - Administrative commands that change configuration or operating state and are received using the Comtrol MAC mode proprietary Ethernet protocol (number 0x11FE) are ignored.

   [Screenshot: Edit Security Configuration page, with options Enable Secure Config Mode, Enable Telnet/ssh and Enable SNMP]
3. DeviceMaster UP Secure Configuration User Guide

   Trademark Notices

   Comtrol, DeviceMaster, and PortVision are registered trademarks of Comtrol Corporation. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective owners.

   First Edition, March 7, 2011. Copyright 2010-2011 Comtrol Corporation. All Rights Reserved.

   Comtrol Corporation makes no representations or warranties with regard to the contents of this document or to the suitability of the Comtrol product for any particular purpose. Specifications subject to change without notice. Some software or features may not be available at the time of publication. Contact your reseller for current product information.

   Document Number: 2000549 Rev A

   Table of Contents
   - Password Authentication Setting and Usage
     - Authentication Method
     - Setting/Clearing the Password with Telnet
     - Telnet Help
     - Web Page Password Access
   - Using PortVision Plus
     - PortVision Plus with a Non-Secured DeviceMaster UP Gateway
4. for the Web page log-in functionality, type auth.
   4. To enable enforcing of the Web page log-in functionality, set the authentication to basic. Type auth basic.
   5. To disable enforcing of the Web page log-in functionality, set the authentication to none. Type auth none.
   6. Reset the DeviceMaster UP by typing reset and press Enter.
      [Screenshot: Telnet session showing the DeviceMaster UP start-up banner]
   7. Allow the system to start up. By default, this typically takes about 15 seconds.

   Setting/Clearing the Password with Telnet

   The password can be set or cleared with Telnet. Perform the following procedure to set or clear the password:
   1. Telnet to the DeviceMaster UP.
   2. When prompted for the password, enter the password if one has been set; otherwise press Enter.
   3. You can set the password by typing the following, where xxxxxx is the password, and pressing Enter: password xxxxxx
   4. Clear the password by typing the following and pressing Enter: password
      [Screenshot: Telnet session]
5. two scenarios:
   - DeviceMaster UP Already Located
   - PortVision Plus with a Secured DeviceMaster UP Gateway

   DeviceMaster UP Already Located

   If PortVision Plus had located the DeviceMaster UP gateway before security was enforced, it will keep the DeviceMaster UP in its device list. The DeviceMaster UP will now have a lock symbol next to it.

   [Screenshot: PortVision Plus device list]

   DeviceMaster UP Not Previously Located

   If PortVision Plus had not located the DeviceMaster UP gateway before security was enforced, it may not be able to locate the DeviceMaster UP. A screen similar to the one shown below is displayed.

   [Screenshot: PortVision Plus device list]
6. [Screenshot: Telnet session in which the password is set and then cleared]

   5. Type quit to exit.

   Telnet Help

   To access the Telnet help, type help.

   [Screenshot: Telnet help output, listing commands to reset the device, view/set the IP address, set the time in seconds until the default application loads automatically, view the MAC address, set the admin password, set the user password, enable/disable telnet, set the telnet timeout period in seconds, view the Model ID, display the firmware revision, display the help info, and exit the session]

   Type quit to exit.

   Web Page Password Access

   When the authentication is set to require a password, such as basic, you will need to log into each web server session. To log in:
   1. Leave the User name blank.
   2. Type in your password. If there is no password configured, leave the Password blank.
   3. Click OK.

   [Screenshot: browser log-in dialog for the server at 10.0.0.102, with the warning that the server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)]

   Once logged in, you will have full read/write access to the web pages.
7. [Screenshot: Configuration Updated page] Changes to security configuration will not take effect until DeviceMaster unit is rebooted. (Buttons: Continue, Reboot)
8. Using PortVision Plus

   PortVision Plus can be used to automatically locate non-secured devices. Once located, PortVision Plus will remember the DeviceMaster UP gateway.

   PortVision Plus may not be able to automatically locate a secure DeviceMaster UP gateway. If the DeviceMaster UP gateway is configured to enforce security before PortVision Plus has located it, then you may have to add the DeviceMaster UP to the device list manually.

   PortVision Plus with a Non-Secured DeviceMaster UP Gateway

   PortVision Plus can automatically locate non-secured DeviceMaster UP gateways by clicking the Scan button.

   [Screenshot: PortVision Plus device list]

   PortVision Plus with a Secured DeviceMaster UP Gateway

   This subsection discusses
9. Enabling Web Page Configuration Security (HTTPS)

   After loading firmware with secure configuration capabilities, HTTPS configuration becomes available. It is up to you to determine which access will be allowed. The default settings are:
   - Both HTTP (non-secure, unencrypted) and HTTPS (secure, encrypted) configurations are enabled.
   - Telnet/ssh are enabled.
   - SNMP is disabled.

   It is up to you to determine whether or not to disable the unencrypted HTTP configuration access.

   The embedded web pages are used to configure the DeviceMaster UP security. Secure configuration mode is enabled on the security configuration web page, which you open by clicking the Configure Security link on the main page. Selecting this option disables the non-secure configuration functionality.

   1. Open the DeviceMaster UP Server Configuration page using one of these methods:
      - Web browser: Open a web browser and enter the IP address of the DeviceMaster UP that you want to configure.
      - PortVision Plus: Start PortVision Plus, click Scan, right-click the DeviceMaster UP that you want to configure, and then click Web Manager.
   2. Click Configure Security on the home page.

   [Screenshot: Server Configuration home page]
10. eleting the uploaded one. The RSA key and RSA certificate are used together by clients to authenticate the identity of the server. If you update one without updating the other, clients will be unable to authenticate the server identity and you will probably receive warnings from web browsers and other SSL clients. The uploaded file must be in DER format. (Controls: File to upload, Browse, Upload, Undo Changes, Cancel)

    8. If required, click Set to enter the DH Key Pair used by SSL servers on the Edit Security Configuration page. This is the private/public key pair that is used by some cipher suites to encrypt the SSL/TLS handshaking messages.
       Note: Possession of the private portion of the key pair can allow an eavesdropper to decrypt traffic on SSL/TLS connections that use DH encryption during handshaking.
       a. Click Browse to locate the private/public key pair.
       b. Click Upload.

    File Upload page: This page allows you to upload a file containing a user-defined DH key to be used by DeviceMaster SSL servers. After rebooting, the uploaded key or certificate will be used instead of the permanently installed factory default one. At any time, you may revert to using the factory default key or certificate by deleting the uploaded one. The RSA key and RSA certificate are u
11. [Screenshot: Key and Certificate Management entries on the Edit Security Configuration page, each with a Set button: RSA Key pair used by SSL and SSH servers (factory); RSA Server Certificate used by SSL servers (factory); DH Key pair used by SSL servers (factory); Client Authentication Certificate used by SSL servers (none)]

    4. If necessary, click Enable Telnet/ssh.
    5. If necessary, click Enable SNMP.
    6. If required, click Set on the Edit Security Configuration page to configure the RSA key pair used by SSL and SSH servers. The RSA Key Pair is used to sign the Server RSA Certificate. This verifies that the DeviceMaster UP is authorized to use the server RSA identity certificate. If the Server RSA Key is to be replaced, a corresponding RSA identity certificate must also be generated and uploaded. If this is not done, clients will not be able to verify the identity certificate.
       Note: Possession of the private portion of this key pair could allow someone to pose as the DeviceMaster UP.
       a. Click Browse to locate the server RSA key.
       b. Click Upload.

    File Upload page: The page allows you to upload a file containing a user-defined RSA key to be used by DeviceMaster SSL and SSH servers. After rebooting, the uploaded key or certificate will be used instead of the permanently installed factory default one. At any time you may revert to using the factory default key or certi
12. ficate by deleting the uploaded one. The RSA key and RSA certificate are used together by clients to authenticate the identity of the server. If you update one without updating the other, clients will be unable to authenticate the server identity and you will probably receive warnings from web browsers and other SSL clients. The uploaded file must be in DER format. (Controls: File to upload, Browse, Upload, Undo Changes, Cancel)

    7. If required, click Set on the Edit Security Configuration page to configure the RSA Server Certificate used by SSL servers. This is the certificate that the DeviceMaster UP uses during SSL/TLS handshaking to identify itself. It is used most frequently by the DeviceMaster UP SSL server firmware when clients open connections to the DeviceMaster UP's secure web server or other secure TCP ports. In order to function properly, this certificate must be signed using the Server RSA Key. This means that the server RSA certificate and server RSA key must be replaced as a pair.
       a. Click Browse to locate the RSA server certificate.
       b. Click Upload.

    File Upload page: This page allows you to upload a file containing a user-defined RSA server certificate to be used by DeviceMaster SSL servers. After rebooting, the uploaded key or certificate will be used instead of the permanently installed factory default one. At any time you may revert to using the factory default key or certificate by d
13. iceMaster UP's SSL/TLS protected resources, you should create your own custom CA certificate and then configure authorized client applications with identity certificates signed by the custom CA certificate.

    File Upload page: This page allows you to upload a file containing a user-defined RSA certificate that will be used to authenticate SSL clients who are connecting to the DeviceMaster SSL servers. After rebooting, the uploaded key or certificate will be used instead of the permanently installed factory default one. At any time, you may revert to using the factory default key or certificate by deleting the uploaded one. The RSA key and RSA certificate are used together by clients to authenticate the identity of the server. If you update one without updating the other, clients will be unable to authenticate the server identity and you will probably receive warnings from web browsers and other SSL clients. The uploaded file must be in DER format. (Controls: File to upload, Browse, Upload, Undo Changes, Cancel)

       a. Click Browse to locate the Client Authentication Certificate.
       b. Click Upload.
    10. After completing the key and certification management, click Save.
    11. To allow the changes to become effective, click Reboot.
14. The DeviceMaster UP will need to be added to the list by using the Add New Device option. In PortVision Plus, click Device > Add New Device and the following screen appears.
    1. Enter a Device Name.
    2. Enter the IP Address of the DeviceMaster UP.
    3. Click OK.

    [Screenshots: Add New Device dialog; PortVision Plus device list]
15. sed together by clients to authenticate the identity of the server. If you update one without updating the other, clients will be unable to authenticate the server identity and you will probably receive warnings from web browsers and other SSL clients. The uploaded file must be in DER format. (Controls: File to upload, Browse, Upload, Undo Changes, Cancel)

    9. If required, click Set on the Edit Security Configuration page to upload the Client Authentication Certificate used by SSL servers. If a CA certificate is uploaded, the DeviceMaster UP only allows SSL/TLS connections from client applications that provide to the DeviceMaster UP an identity certificate. This identity certificate must have been signed by the CA certificate that was uploaded to the DeviceMaster UP. The uploaded CA certificate is used to validate a client's identity.
       - The uploaded CA certificate is sometimes referred to as a trusted root certificate, a trusted authority certificate, or a trusted CA certificate.
       - The uploaded CA certificate might be that of a trusted commercial certificate authority, or it may be a privately generated certificate that an organization creates internally to provide a mechanism to control access to resources that are protected by the SSL/TLS protocols.
       - To control access to the Dev
