Secure communication (explained)

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).

In XProtect VMS, secure communication is obtained by using TLS/SSL with asymmetric encryption (RSA).

TLS/SSL uses a pair of keys (one private and one public) to authenticate, secure, and manage secure connections.

A certificate authority (CA) is anyone who can issue root certificates. This can be an internet service that issues root certificates, or anyone who manually generates and distributes a certificate. A CA can issue certificates to web services, that is, to any software that uses https communication. This certificate contains two keys, a private key and a public key. The public key is installed on the clients of the web service (service clients) by installing a public certificate. The private key is used to sign server certificates that must be installed on the server. Whenever a service client calls the web service, the web service sends the server certificate, including the public key, to the client. The service client can validate the server certificate using the already installed public CA certificate. The client and server can now use the public and private server certificates to exchange keys and thereby establish a secure TLS/SSL connection.

For manually issued certificates, the certificate must be installed before the client can perform such validation.

For more information about TLS, see Transport Layer Security.

Certificates have an expiry date. XProtect VMS does not warn you when a certificate is about to expire. If a certificate expires:
  • Clients will no longer trust the recording server with the expired certificate and therefore cannot communicate with it
  • Recording servers will no longer trust the management server with the expired certificate and therefore cannot communicate with it
  • Mobile devices will no longer trust the mobile server with the expired certificate and therefore cannot communicate with it

To renew the certificates, follow the steps in this guide as you did when you created the certificates.

Management server encryption (explained)

You can encrypt the two-way connection between the management server and the recording server. When you enable encryption on the management server, it applies to connections from all the recording servers that connect to the management server. If you enable encryption on the management server, you must also enable encryption on all of the recording servers. Before you enable encryption, you must install security certificates on the management server and all recording servers.

Certificate distribution for management servers

The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS to secure the communication to the management server.

Graphical illustration of certificate distribution for management servers

A CA certificate acts as a trusted third party, trusted by both the subject/owner (management server) and by the party that verifies the certificate (recording servers)

The CA certificate must be trusted on all recording servers. In this way, the recording servers can verify the validity of the certificates issued by the CA

The CA certificate is used to establish a secure connection between the management server and the recording servers

The CA certificate must be installed on the computer on which the management server is running

Requirements for the private management server certificate:

  • Issued to the management server so that the management server's host name is included in the certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to
  • Trusted on the management server itself, by trusting the CA certificate that was used to issue the management server certificate
  • Trusted on all recording servers connected to the management server by trusting the CA certificate that was used to issue the management server certificate

Recording server data encryption (explained)

Encryption to clients and servers that retrieve data from the recording server

When you enable encryption on a recording server, communication to all clients, servers, and integrations that retrieve data streams from the recording server is encrypted. In this document, these are referred to as 'clients':

  • XProtect Smart Client
  • Management Client
  • Management Server (for System Monitor and for images and AVI video clips in email notifications)
  • XProtect Mobile Server
  • XProtect Event Server
  • XProtect LPR
  • Milestone Open Network Bridge
  • XProtect DLNA Server
  • Sites that retrieve data streams from the recording server through Milestone Interconnect
  • Some third-party MIP SDK integrations
  • For solutions built with MIP SDK 2018 R3 or earlier that access recording servers: if the integrations are made using MIP SDK libraries, they need to be rebuilt with MIP SDK 2019 R1; if the integrations communicate directly with the Recording Server APIs without using MIP SDK libraries, the integrators have to add HTTPS support themselves.

Certificate distribution

The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS to secure the communication to the recording server.

A CA certificate acts as a trusted third party, trusted by both the subject/owner (recording server) and by the party that verifies the certificate (clients)

The public CA certificate must be trusted on all client computers. In this way, the clients can verify the validity of the certificates issued by the CA

The CA certificate is used to issue private server authentication certificates to the recording servers

The created private recording server certificates must be imported to the Windows Certificate Store on all recording servers

Requirements for the private recording server certificate:

  • Issued to the recording server so that the recording server's host name is included in the certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to
  • Trusted on all computers running services that retrieve data streams from the recording servers, by trusting the CA certificate that was used to issue the recording server certificate
  • The service account that runs the recording server must have access to the private key of the certificate on the recording server.

If you enable encryption on the recording servers and your system applies failover recording servers, Milestone recommends that you also prepare the failover recording servers for encryption.

Encryption from the management server

You can encrypt the two-way connection between the management server and the recording server. When you enable encryption on the management server, it applies to connections from all the recording servers that connect to the management server. Therefore, you need to enable encryption on all the recording servers. Before you enable encryption, you must install security certificates on the management server and all recording servers.

Certificate distribution

The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS to secure the communication from the management server.

A CA certificate acts as a trusted third party, trusted by both the subject/owner (recording server) and by the party that verifies the certificate (management server)

The public CA certificate must be trusted on the management server. In this way, the management server can verify the validity of the certificates issued by the CA

The CA certificate is used to issue private server authentication certificates to the recording servers

The created private recording server certificates must be imported to the Windows Certificate Store on the management server

Requirements for the private recording server certificate:

  • Issued to the recording server so that the recording server's host name is included in the certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to
  • Trusted on the management server, by trusting the CA certificate that was used to issue the recording server certificate
  • The service account that runs the recording server must have access to the private key of the certificate on the recording server.

Mobile server data encryption (explained)

In XProtect VMS, encryption is enabled or disabled per mobile server. If you enable encryption on a mobile server, you can choose to use encrypted communication with all clients, services, and integrations that retrieve data streams.

Certificate distribution for mobile servers

The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS to secure the communication with the mobile server.

Graphical illustration of certificate distribution for secure communication with the mobile server.

A CA certificate acts as a trusted third party, trusted by both the subject/owner (mobile server) and by the party that verifies the certificate (all clients)

The CA certificate must be trusted on all clients. In this way, the clients can verify the validity of the certificates issued by the CA

The CA certificate is used to establish a secure connection between the mobile server and clients and services

The CA certificate must be installed on the computer on which the mobile server is running

Requirements for the CA certificate:

  • The host name of the mobile server must be included in the name of the certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to
  • The certificate must be trusted on all devices that run services that retrieve data streams from the mobile server
  • The service account that runs the mobile server must have access to the private key of the CA certificate
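The requirements listed for the management server, recording server and mobile server certificates above come down to the same checks (host name in the subject or SAN DNS list, chain to a trusted CA, private key present), and the expiry rule from the first section applies to all of them. The following PowerShell script is an added example, not Milestone's own tooling; it assumes the certificate has been imported into LocalMachine\My and is identified by its thumbprint, and that the host name and warning window are passed as parameters.

```powershell
<#
Added example (not Milestone tooling): audits one server certificate in the
Windows Certificate Store against the XProtect requirements above.
Assumes the certificate is in LocalMachine\My and is addressed by thumbprint.
#>
param(
    [Parameter(Mandatory)] [string] $HostName,    # FQDN clients use for this server
    [Parameter(Mandatory)] [string] $Thumbprint,  # certificate to audit
    [int] $WarnDays = 30                          # XProtect itself never warns on expiry
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
$findings = @()

# 1. Host name must be the subject CN or one of the SAN DNS names.
#    DnsNameList is added by the Cert: provider and covers both sources.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $HostName) {
    $findings += "Host name '$HostName' not in certificate names: $($names -join ', ')"
}

# 2. The issuing CA must be trusted on this machine, i.e. the chain must build.
#    Revocation checking is skipped so an unreachable CRL does not mask trust errors.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $findings += "Chain does not build to a trusted CA: $status"
}

# 3. Expiry: report expired certificates and those inside the warning window.
$daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
if ($daysLeft -lt 0) {
    $findings += "Certificate expired on $($cert.NotAfter.ToString('u'))"
} elseif ($daysLeft -le $WarnDays) {
    $findings += "Certificate expires in $daysLeft days ($($cert.NotAfter.ToString('u')))"
}

# 4. The private key must be present in the store. Read permission for the
#    service account is granted in certlm.msc (Manage Private Keys) and is not checked here.
if (-not $cert.HasPrivateKey) {
    $findings += "No private key associated with this certificate in LocalMachine\My"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $($cert.Subject) meets the certificate requirements for $HostName"
    exit 0
}
$findings | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it on each server with that server's own host name and the thumbprint of its certificate; a non-zero exit code means at least one requirement is not met and the server's clients will refuse the connection once encryption is enabled.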