User's Manual FC33 full HDIP HTTPS communicationsUser's Manual IM 85A7C04E-01 FC33 full HDIP HTTPS communications IM 85A7C04E-01 1st edition 2020/10/30.

User's Manual

IM 85A7C04E-01

FC33 full HDIP

HTTPS communications

IM 85A7C04E-01 1st edition 2020/10/30.

TOC-1

IM85A7C04E-01

CONTENTS A Introduction............................................................................................................................................ i 1 Network settings ................................................................................................................................... 1 2 HTTPS ................................................................................................................................................... 2 3 Self-signed Certificate .......................................................................................................................... 3 3.1 Generating Private key ........................................................................................................................ 3 3.2 Generating Self-signed certificate ........................................................................................................ 4 3.3 Downloading Root Certificate ............................................................................................................... 6 3.4 Installing Root certificate ...................................................................................................................... 7 3.5 Activation of HTTPS ...........................................................................................................................10 3.6 Confirmation of HTTPS access ...........................................................................................................11 4 Certificate Signing Request (CSR) ......................................................................................................12 4.1 Generating Private key .......................................................................................................................12 4.2 Requesting certificate signing to Certificate Authority ..........................................................................12 4.3 Initializing Server certificate ................................................................................................................14 4.4 Installing Root certificate .....................................................................................................................15 4.5 Activation of HTTPS ...........................................................................................................................15 4.6 Confirmation of HTTPS access ...........................................................................................................15 4.7 Re-create Server certificate ................................................................................................................15 5 Delete ...................................................................................................................................................15 6 Initializing Settings ..............................................................................................................................16 7 Restrictions .........................................................................................................................................16 NOTE .......................................................................................................................................................16

FC33 full HDIP HTTPS communications

IM 85A7C04E-01 1st Edition

IM85A7C04E-01

Blank Page

i

IM85A7C04E-01

A Introduction ■IM 30B10A10-01JA 1st Edition : 2019.2.7- 00

Warning and Disclaimer

■ HTTPS communications (Hereinafter “this function”)

YOKOGAWA shall have neither liability nor responsibility to any person or entity with respect to any direct or indirect loss or damage arising from using this function or any defect of this function that YOKOGAWA cannot predict in advance.

Documentation Conventions

■ NOTE in the manual

NOTE Draws attention to information essential for understanding the operation and features.

Copyright and Trademark Notices ■ Copyright

The copyright of the programs and online manuals contained in the software medium of the Software Product shall remain with YOKOGAWA. You are allowed to print the required pages of the online manuals for the purposes of using or operating the Product; however, reprinting or reproducing the entire document is prohibited by the Copyright Law. Except as stated above, no part of the online manuals may be reproduced, transferred, sold, or distributed to a third party in any manner (either in electronic or written form including, without limitation, in the forms of paper documents, electronic media, and transmission via the network). Nor it may be registered or recorded in the media such as films without permission.

■Trademark

All other company, organization and trade names and logos mentioned in the product are registered trademarks or trademarks of YOKOGAWA or of their respective companies or organizations.

IM85A7C04E-01

Blank Page

1

IM85A7C04E-01

1 Network settings

Select [Network] of the Admin Menu in the left column, next, select [Protocol] Tab, then screen fig.1 shown below will display: (1) HTTP S

Default settings: enable status and default TCP/IP port number value is 80.

In case of ONVIF access、enabling setting of http will be needed.

(2) HTTPS (corresponding to this function. For details, please refer to 3.5 or 4.5 “Activation of HTTPS”) Default settings: disable status and default port number value is 443. Can only be available when install Server Certificate.

(3) RTSP Default settings: enable status and default port number value is 554.

Fig.1 Settings of Protocols

2

IM85A7C04E-01

2 HTTPS

Secure communications can be provided by HTTPS protocol（this function available after ENC

V3.00）. To operate HTTPS communication, a server certificate issued by certificate authority

should be needed. Selectable for Authority type a Self-signed certificate which this product itself becomes a certificate, and a Public or a private Certificate as third party.

Start

CErtificationType

CSR filedownload

Private key Generate

CA Certificate Signing Request

Self-signed Certificate

CA CertificateSigning Request

Install Server Certificate

Self-signed Certificate

・Issue Server Certificate

・Install Server Certificate

Issue Server Certificate

END

Enable HTTPS

*

*You must issue the server certificate yourself.

Download Root Certificate

Install root certificate

Certificate AuthorityType

PublicCertificateAuthority

PrivateCertificate Authority

Get Root Certificate

Fig 2 Operation scheme of HTTPS

Table1 SSL/TLS communication specification

Private key length 2048

Common key AES256

Hash function SHA-256

Digital Certificate X.509

3

IM85A7C04E-01

NOTE

・Narrowing bitrate and video stream should be needed due to high load processing by HTTPS.

・Before settings HTTPS, time adjustment by NTP and so on should be needed.

3 Self-signed Certificate

This section describes certification step by Self-signed Authority. In case of using public or private Certificate Authority, please refer to section 4 below

3.1Generating Private key

By clicking “Submit” button in the [Private key Generate] menu, Generating private key will execute.

Fig.3 Generating Private key

4

IM85A7C04E-01

3.2 Generating Self-signed certificate Select a radio button of [Self-signed certificate] in [Certificate Generate]-menu, first. And clicking “Submit” button in the menu, generating step of the Certificate will start. Then “Is the correct date and time set?” dialog box will popup for confirmation. If the time and date set up correctly, the generation step can proceed.

Fig.4 Certificate Generate(Self-signed certificate)

Fill each specified content in the Certificate Fields in the “Self-signed certificate” pop up window. Specified contents in the Certificate are shown in Table 2. After filling up all the Certificate Fields, click “Submit” button.

Fig. 5 Registration of Self-signed certificate

※ If violated or an irreal contents was typed in, “Submit” button above will be unable to click.

5

IM85A7C04E-01

Table 2 Certificate Fields and allowable characters

item Contents of Fields maximum characters

Common Name

URL(FQDN) when connecting SSL or IPv4 address (allowable characters: half-width alphanumeric, hyphen [-], dot [.])

64

Country

National ISO (allowable characters: uppercase letter)

2

State or province

for example：Tokyo

(allowable characters: refer to Note)

128

Locality

for example：Musashino-shi


128

Organization

for example：Yokogawa Electric Corporation


64

Organizational Unit

Optional (allowable characters: refer to Note)

64

Note: half-width alphanumeric, space [ ], comma [,], plus [+], hyphen [-], dot [.], slash [/], underscore [_], opening parenthesis [(], close parenthesis [)] Completion of installing Self-signed Server certification brings message as shown Fig.6 below. Click “Save” button in the Admin Menu field left side to saving settings

Fig 6 Completion of installing Self-signed Server certification

6

IM85A7C04E-01

3.3 Downloading Root Certificate Click a “Display” button in the [Certificate information] menu.

Fig. 7-1 Certificate information

Click “Download(Root CA CRT)” button, after confirmation of contents of Certificate. And downloading CER file from FC 33 to the client laptop will be done.

Fig 8-2 Certificate information(example)

7

IM85A7C04E-01

3.4 Installing Root certificate By double clicking an icon symbol of CER file (which was downloaded), open the certificate window. Next, clicking “Install Certificate...” button at [General]-tab.

Fig. 9 CER file window

Select “Local Machine” radio button and click “Next” button in the “Welcome to the Certificate Import Wizard” window. (If pop up window for confirmation of changing arose, response by a button of “OK” or “Yes”.)

Fig. 10 Certificate Import Wizard window

8

IM85A7C04E-01

Select a “Place all certificate in the following store” button and Click “Browse…” button.

Fig 11 Certificate Store

Select “Trusted Root Certification Authorities” folder and Click “OK” button.

Fig. 12 Selection of Certificate Store

9

IM85A7C04E-01

Confirm a display that “Trusted Root Certification Authorities” at the frame of “certificate store:” in

window which was re-pop upped. And Click “Next” button.

Fig.13 Certificate Store(re-pop upped)

Click “Finish” button to completing the Certificate Import Wizard.

Fig.14 Completion of Certificate import wizard

10

IM85A7C04E-01

3.5 Activation of HTTPS Select [Network] in the Admin Menu list, click [Protocols]- Tab and turn on the check box of HTTPS as an "enable". Click “Set” button below and next “Save” button to save the settings.

Fig 15 Protocols-tab

Select [System] in the Admin Menu list, select [Reboot]-tab and click “Submit” button to reboot.

Fig 16 Reboot

11

IM85A7C04E-01

3.6 Confirmation of HTTPS access Close all windows on your laptop. Type in “https:/common name/ “into the address bar of the browser, and press enter key to connect. Confirm each normal operation after login.

Fig 17 login screen for HTTPS

If red address bar depicted in the browser, installing of the Certificate may be failed.

12

IM85A7C04E-01

4 Certificate Signing Request (CSR)

This section describes certification steps by public or private Certificate Authority. In case of using private Certificate Authority, please refer to section 3 above

4.1 Generating Private key

Please refer to the section 3.1 above

4.2 Requesting certificate signing to

Certificate Authority Select a radio button of [CA certificate signing request] in [Certificate Generate]-menu, first. And clicking “Submit” button in the menu, generating step of the Certificate will start. “CA certificate signing request” dialog box will popup. If the time and date set up correctly, the generation step can proceed.

Fig 18 Requesting Certificate

Fill each specified content in the Certificate Fields in the “CA certificate signing request” pop up window. Specified contents in the Certificate are shown in Table 2. After fill up all the Certificate Fields, click “Download(CSR)” button .

13

IM85A7C04E-01

Fig. 19 CA certificate signing request

After complete downloading the CSR file, click “Save” button to save settings

Fig. 20 Saving CA certificate settings

Please ask for issuing the Server certificate to Certificate Agency by submitting that CSR file.

14

IM85A7C04E-01

4.3 Initializing Server certificate Install the Server-certificate-file being provided from the Certificate Authority into the [Server certificate installation], as shown below. The Server-certificate-file can be used X509 of PEM format only. If other type, conversion will be needed.

[Server certificate installation] will be shown when radio button of [CA certificate signing request] is selected in the [Certificate Generated] column.

Fig. 21 Initializing Server certificate

In case of the Certificate Authority having Intermediate certificate, open the Server-certificate-file by Text editor, and coding as shown below:

-----BEGIN CERTIFICATE-----

Contents of Server certificate

-----END CERTIFICATE-----


Contents of Intermediate certificate



Contents of Upper Intermediate certificate


15

IM85A7C04E-01

4.4 Installing Root certificate Root certificates issued by Public Certificate Authority for server certification are pre-installed in the browser. Therefore, no need to installing newly. In case of server certifications which issued by Private Certificate Authority, obtain the root certificate from such Private Certificate Authority and install it. For the installation procedure, please refer to 3.4 Installing Root certificate.

4.5Activation of HTTPS Please refer to section 3.5 above.

4.6 Confirmation of HTTPS access Please refer to section 3.6 above.

4.7 Re-create Server certificate In case of re-creating the server certificate, please execute from the step section 4.2 above.

5 Delete

〔Private key〕 and 〔Server Certificate〕 can be deleted by clicking submit button.

Fig.22 Delete

NOTE

・Unable to delete when HTTPS protocol available setting.

・Unable to delete [Private key] only , when [Server Certificate] is existing.

・Re-create Server Certificate should be needed also, when delete and re-create [Private key].

16

IM85A7C04E-01

6 Initializing Settings

Clicking execute button can make the initializing Settings. Whole initializing and partial initializing excepting IPv4 setting can be selectable. Ii case of whole initializing, it will delete [Private key] and [Server Certificate].

7 Restrictions

➢ Updating ENC firmware from V2 to V3 is available, but not vice versa as downgrade version. ➢ If server certificate was expired, address bar of IE11 browser tarn to red with no SSL

connection. ➢ Video stream (RTSP) as SSL (over HTTPS) communication is unsupported. ➢ When ONVIF communication, enabling http will be needed.

・The contents of this manual are subject to change without notice in future due to

improvements in performance and functions.

NOTE For details, or If you have any questions, please contact to us.

Headquarters

9-32 Nakacho, 2-chome, Musashino-shi Tokyo, 180-8750 JAPAN Phone: +81-422-52-5555

Printed in Japan

Yokogawa Electric Corporation

User's Manual FC33 full HDIP HTTPS communicationsUser's Manual IM 85A7C04E-01 FC33 full HDIP HTTPS communications IM 85A7C04E-01 1st edition 2020/10/30.

Documents