At Inductive Automation, we are serious about security and believe our community should be aware of all the available tools to help keep Ignition secure. Since October is National Cybersecurity Awareness Month, this is a great time to highlight one of the ways you can add security to your Ignition platform: adding SSL/TLS.
With the release of Ignition 8 and the Ignition Perspective Module, the use of web browsers and mobile apps will only increase. With the ability to access data from multiple locations, locally or remotely, it is imperative that data transferred between clients, Perspective sessions, and the Ignition Gateway is kept secure. With that in mind, using SSL/TLS security is definitely a best practice to adopt right away.
What is SSL/TLS?
SSL/TLS is a security protocol that provides privacy and data integrity between two or more parties communicating over an insecure network such as the Internet. When surfing the web, you may have noticed that HTTPS (HyperText Transfer Protocol Secure) now appears in the URL when you visit a website. Normally the URL begins with “http,” but the added “s” signifies that the website is secured by an SSL/TLS certificate. The certificate contains information such as the issuing authority and the corporate name of the website owner.
SSL stands for Secure Sockets Layer, and the newer version of the protocol is TLS, which stands for Transport Layer Security. (Although TLS is the new gold standard and SSL has been deprecated, digital certificates are often still referred to as “SSL certificates” in the industry.) SSL/TLS technology helps keep an internet connection secure by safeguarding any sensitive data that is shared between two systems (for example, between a server and a client, or between two servers). It uses cryptographic algorithms to scramble data in transit, which prevents criminals from reading or modifying any information being transferred.
SSL/TLS and Ignition
Since Ignition clients and sessions can be accessed remotely via the web, it is highly recommended to enable SSL/TLS on the Ignition Gateway. In order to use this feature, you will need an SSL/TLS certificate. We offer several resources on how to enable and use SSL/TLS in your Ignition platform, such as the User Manual entry on Using SSL, the Ignition Security Hardening Guide, and the Inductive University video on Requiring SSL. Here, we’ll also go a step further by looking at how to generate an SSL/TLS certificate.
While you can obtain an SSL/TLS certificate from any certificate authority, we wanted to highlight a great resource called Let’s Encrypt, an open certificate authority operated by the Internet Security Research Group, which offers free SSL/TLS certificates along with automated management.
Our support and development teams recommend Let’s Encrypt. Depending on your project needs, you may need additional features or services beyond what Let’s Encrypt provides, but if you need an easy, cost-effective way to generate and manage an SSL/TLS certificate, Let’s Encrypt is the way to go.
Ignition 8.0.3 introduced support for hot-reloading the Gateway’s SSL key store. This feature, which enables Ignition to work well with services such as Let’s Encrypt, allows for automatic SSL/TLS certificate management with zero Gateway downtime.
For more information on how to use Let’s Encrypt, we have two great resources that can get you up and running in no time. First, we have a Support Knowledgebase article that talks about Let’s Encrypt and how to generate free SSL certificates. The second resource is a new, in-depth Let’s Encrypt Guide for Ignition, written by Inductive Automation Software Developer Joel Specht, which shows you how to take advantage of the hot-reloading capability, generate SSL/TLS certificates, and set up automatic SSL/TLS certificate management.
To get the Let’s Encrypt Guide for Ignition, click here. We hope you’ll find that these free resources make cybersecurity a little easier to manage.