Enable encryption
Enable encryption to and from the management server
You can encrypt the two-way connection between the management server and the recording server or other remote servers that use the Data Collector.
If your system contains multiple recording servers or remote servers, you must enable encryption on all of them. For more information, see Management server encryption (explained).
When you configure encryption for a server group, encryption must either be enabled on all computers in the group with a certificate belonging to the same CA certificate or, if encryption is disabled, be disabled on all computers in the server group.
Prerequisites:
- A server authentication certificate is trusted on the computer that hosts the management server
First, enable encryption on the management server.
Steps:
- On a computer with a management server installed, open the Server Configurator from:
  - The Windows Start menu
  or
  - The Management Server Manager by right-clicking the Management Server Manager icon on the computer task bar
- In the Server Configurator, under Server certificate, turn on Encryption.
- Click Select certificate to open a list with unique subject names of certificates that have a private key and that are installed on the local computer in the Windows Certificate Store.
- Select a certificate to encrypt communication between the recording server, management server, failover server, and data collector server.
- Click Apply.
Select Details to view Windows Certificate Store information about the selected certificate.
To complete the enabling of encryption, the next step is to update the encryption settings on each recording server and each server with a data collector (Event Server, Log Server,
For more information, see Enable server encryption for recording servers or remote servers.
Enable server encryption for recording servers or remote servers
You can encrypt the two-way connection between the management server and the recording server or other remote servers that use the Data Collector.
If your system contains multiple recording servers or remote servers, you must enable encryption on all of them. For more information, see Encryption from the management server to the recording server (explained) and Encryption between the management server and the Data Collector server (explained).
When you configure encryption for a server group, encryption must either be enabled on all computers in the group with a certificate belonging to the same CA certificate or, if encryption is disabled, be disabled on all computers in the server group.
Prerequisites:
- You have enabled encryption on the management server, see Enable encryption.
Steps:
- On a computer with a recording server installed, open the Server Configurator from:
  - The Windows Start menu
  or
  - The Recording Server Manager by right-clicking the Recording Server Manager icon on the computer task bar
- In the Server Configurator, under Server certificate, turn on Encryption.
- Click Select certificate to open a list with unique subject names of certificates that have a private key and that are installed on the local computer in the Windows Certificate Store.
- Select a certificate to encrypt communication between the recording server, management server, failover server, and data collector server.
- Click Apply.
Select Details to view Windows Certificate Store information about the selected certificate.
The Recording Server service user has been given access to the private key. It is required that this certificate is trusted on all clients.
When you apply certificates, the recording server will be stopped and restarted. Stopping the Recording Server service means that you cannot record and view live video while you are verifying or changing the recording server's basic configuration.
Enable encryption to clients and servers
You can encrypt connections from the recording server to clients and servers that stream data from the recording server. For more information, see Encryption to clients and servers that retrieve data from the recording server (explained).
When you configure encryption for a server group, encryption must either be enabled on all computers in the group with a certificate belonging to the same CA certificate or, if encryption is disabled, be disabled on all computers in the server group.
Prerequisites:
- The server authentication certificate to be used is trusted on all computers running services that retrieve data streams from the recording server
- XProtect Smart Client and all services that retrieve data streams from the recording server must be version 2019 R1 or later
- Some third-party solutions created using MIP SDK versions earlier than 2019 R1 may need to be updated
Steps:
- On a computer with a recording server installed, open the Server Configurator from:
  - The Windows Start menu
  or
  - The Recording Server Manager by right-clicking the Recording Server Manager icon on the computer task bar
- In the Server Configurator, under Streaming media certificate, turn on Encryption.
- Click Select certificate to open a list with unique subject names of certificates that have a private key and that are installed on the local computer in the Windows Certificate Store.
- Select a certificate to encrypt communication between the clients and servers that retrieve data streams from the recording server.
- Click Apply.
Select Details to view Windows Certificate Store information about the selected certificate.
The Recording Server service user has been given access to the private key. It is required that this certificate is trusted on all clients.
When you apply certificates, the recording server will be stopped and restarted. Stopping the Recording Server service means that you cannot record and view live video while you are verifying or changing the recording server's basic configuration.
To verify if the recording server uses encryption, see View encryption status to clients.
Enable encryption on the mobile server
To use the HTTPS protocol to establish a secure connection between the mobile server and clients and services, you must apply a valid certificate on the server. The certificate confirms that the certificate holder is authorized to establish secure connections. For more information, see Mobile server data encryption (explained) and Mobile server encryption requirements for clients.
When you configure encryption for a server group, encryption must either be enabled on all computers in the group with a certificate belonging to the same CA certificate or, if encryption is disabled, be disabled on all computers in the server group.
Certificates issued by a CA (Certificate Authority) have a chain of certificates, and at the root of that chain is the CA root certificate. When a device or browser sees this certificate, it compares its root certificate with the ones pre-installed on the OS (Android, iOS, Windows, etc.). If the root certificate is listed in the pre-installed certificates list, then the OS assures the user that the connection to the server is secure enough. These certificates are issued for a domain name and are not free of charge.
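The comparison described above can be observed from a Windows client once encryption is enabled on the mobile server. The following PowerShell is an added example, not part of the original documentation or of XProtect; the function name, host name and port are placeholders to replace with your own values.

```powershell
# Added example. Run on a client computer. Inspection only: the callback accepts
# every certificate so that an untrusted one can still be reported. Do not reuse
# this callback in production client code.
function Test-ServerCertificateTrust {
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)][int]$Port)

    $info = @{}
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $policyErrors)
        # Record the verdict Windows reached against its pre-installed roots.
        $info.PolicyErrors = $policyErrors
        if ($chain -and $chain.ChainElements.Count -gt 0) {
            $info.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
            $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
            $info.TopOfChain = $last.Certificate.Subject
        }
        $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server        = "${HostName}:$Port"
            Subject       = $leaf.Subject
            Issuer        = $leaf.Issuer
            NotAfter      = $leaf.NotAfter
            TopOfChain    = $info.TopOfChain
            PolicyErrors  = $info.PolicyErrors
            ChainStatus   = ($info.ChainStatus -join ', ')
            TrustedByThisClient = ($info.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Placeholder endpoint: replace with your mobile server's name and HTTPS port.
Test-ServerCertificateTrust -HostName 'mobile.example.test' -Port 443
```

A PolicyErrors value of RemoteCertificateChainErrors means this client does not have the root in its trusted store; RemoteCertificateNameMismatch means the certificate was not issued for the name the client connects to.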
Steps:
- On a computer with a mobile server installed, open the Server Configurator from:
  - The Windows Start menu
  or
  - The Mobile Server Manager by right-clicking the Mobile Server Manager icon on the computer task bar
- In the Server Configurator, under Mobile streaming media certificate, turn on Encryption.
- Click Select certificate to open a list with unique subject names of certificates that have a private key and that are installed on the local computer in the Windows Certificate Store.
- Select a certificate to encrypt the communication of XProtect Mobile client and XProtect Web Client with the mobile server.
- Click Apply.
Select Details to view Windows Certificate Store information about the selected certificate.
The Mobile Server service user has been given access to the private key. It is required that this certificate be trusted on all clients.
When you apply certificates, the Mobile Server service restarts.
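Each procedure on this page (management server, recording server, streaming media, and mobile server) has a Select certificate step that lists certificates with a private key installed on the local computer. The following PowerShell is an added example, not part of the original documentation or of XProtect, that reviews those certificates before you open the Server Configurator. It assumes the certificates are in the Personal store (Cert:\LocalMachine\My); the validity, Server Authentication and chain checks are additional checks, not the Server Configurator's own filter.

```powershell
# Added example. Run in an elevated PowerShell session on the server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # A certificate without an EKU extension is valid for any purpose.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = (-not $ekuExt) -or
        (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)

    # Build the chain against this computer's trust stores. Revocation checking
    # is skipped so the check also works on an isolated network.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = $inDate
        ServerAuth    = $serverAuth
        ChainTrusted  = $chainOk
        TopOfChain    = $top.Subject
        Candidate     = $cert.HasPrivateKey -and $inDate -and $serverAuth -and $chainOk
    }
} | Sort-Object TopOfChain, Subject |
    Format-Table Subject, HasPrivateKey, InValidity, ServerAuth, ChainTrusted, TopOfChain, Candidate -AutoSize
```

Run it on every computer in the server group and compare the TopOfChain column: the certificates you select should all chain to the same CA.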