Securing the Milestone AI Bridge connection (Docker Compose)
You can use TLS to secure the connections between your XProtect installation and Milestone AI Bridge. Before you can do so, you must first enable TLS encryption for all communication in XProtect.
The Milestone Server Configurator is used to enable TLS encryption and to select the server certificates.
For more information, see the XProtect certificates guide: https://doc.milestonesys.com/2025r1/en-US/portal/htm/chapter-page-certificates-guide.htm
Server certificates are issued by a Certificate Authority (CA). This can be an externally trusted certificate authority, or you can act as your own certificate authority by using a self-signed CA certificate.
In the following, the certificate authority is referred to as the VMS CA, and its CA certificate as the VMS CA certificate.
The zipped resource file for installing Milestone AI Bridge with Docker Compose contains a certs folder with placeholder certificate files. These files (vms-authority.crt, server.crt and server.key) must be replaced with your real certificate and key files.
For more information on the resource file, see Download the Docker Compose resource file.
Replace vms-authority.crt in the tls-ca folder with the VMS CA certificate. Milestone AI Bridge uses it to validate the XProtect server it connects to, so that it only talks to a server whose certificate was issued by the VMS CA.
Milestone AI Bridge also acts as a server towards XProtect, so it needs its own server certificate issued by the VMS CA. Store that certificate in server.crt and its private key in server.key, both in the tls-server folder. Protect server.key like any private key: it must not be world-readable or committed to version control.
All certificates must be PEM-encoded and use the .crt file extension (the private key keeps the .key extension). For more information, see Ubuntu manual - certificates.
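The following shell script is an added example and is not part of the Milestone resource file or documentation. It generates a throwaway VMS CA and a bridge server certificate (standing in for the ones your real VMS CA issues), writes them into the tls-ca and tls-server layout described above, and then runs the checks worth doing before bringing the stack up: that both .crt files are PEM, that vms-authority.crt is actually a CA certificate, that server.key matches server.crt, and that server.crt chains to the VMS CA and is valid for the bridge hostname. It assumes openssl is on PATH; the hostname aibridge.example.internal and the helper file names demo-vms-ca.key, req.cnf, server.csr and server.ext are assumptions for the demo only.

```shell
#!/bin/sh
# Added example, not part of the Milestone resource file: prepare and sanity-check
# the PEM files that the certs folder expects (tls-ca/vms-authority.crt,
# tls-server/server.crt, tls-server/server.key) before running docker compose.
# Assumes openssl is on PATH. The demo CA below stands in for your real VMS CA.

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create a throwaway VMS CA and a bridge server certificate signed by it, laid
# out exactly as the certs folder expects. Demo only: in production the VMS CA
# private key stays with the CA and only the three listed files are copied here.
make_demo_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir/tls-ca" "$dir/tls-server"
    write_req_config "$dir/req.cnf"
    openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext -subj "/CN=Demo VMS CA" \
        -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/demo-vms-ca.key" -out "$dir/tls-ca/vms-authority.crt" >/dev/null 2>&1 || return 1
    openssl req -new -config "$dir/req.cnf" -subj "/CN=$host" -newkey rsa:2048 -nodes \
        -keyout "$dir/tls-server/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    # The SAN is what hostname verification matches against; the CN alone is not enough.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/tls-ca/vms-authority.crt" \
        -CAkey "$dir/demo-vms-ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/tls-server/server.crt" >/dev/null 2>&1
}

# Validate the three files. Returns 0 only if every check passes and prints the
# first failing check to stderr, so a deployment script can stop on it.
check_bridge_certs() {
    dir="$1"; host="$2"
    ca="$dir/tls-ca/vms-authority.crt"; crt="$dir/tls-server/server.crt"; key="$dir/tls-server/server.key"
    for f in "$ca" "$crt"; do
        openssl x509 -in "$f" -inform PEM -noout 2>/dev/null \
            || { echo "$f: not a PEM-encoded certificate (still the placeholder file?)" >&2; return 1; }
    done
    # vms-authority.crt must really be a CA certificate, or server.crt can never verify.
    openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "$ca: basicConstraints does not mark this as a CA" >&2; return 1; }
    # server.key must be the private key that belongs to server.crt.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "$key: does not match the public key in $crt" >&2; return 1; }
    # server.crt must chain to the VMS CA and be valid for the bridge hostname.
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 \
        || { echo "$crt: not issued by $ca, expired, or not valid for $host" >&2; return 1; }
}

# Usage: sh check-bridge-certs.sh <certs-dir> <bridge-hostname>
# With no arguments, a throwaway CA/server pair is generated and checked instead.
if [ $# -eq 2 ]; then
    check_bridge_certs "$1" "$2" && echo "certs in $1 verify for $2"
else
    demo=$(mktemp -d)
    make_demo_certs "$demo" aibridge.example.internal \
        && check_bridge_certs "$demo" aibridge.example.internal \
        && echo "demo certificates in $demo verify OK"
fi
```

Run it with no arguments for the self-check, or as `sh check-bridge-certs.sh ./certs <bridge-hostname>` against the real certs folder before `docker compose up`; a non-zero exit is the signal for a deployment script to stop. The hostname you pass must be the one XProtect uses in its URL for the bridge, because that is what the server certificate's SAN has to cover.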
Once you have replaced the placeholder certificate files with your own, you can enable TLS encryption for all connections between XProtect and Milestone AI Bridge.
To enable TLS encryption
Edit the .env file: use the https scheme in the URL of the XProtect management server (VMS_URL) and remove the comment character (#) from the two variables prefixed with TLS_.
# XProtect endpoint and credentials
VMS_URL="https://my-management-server"
...
# Secure services called by XProtect with TLS (uncomment both lines to enable)
TLS_ENABLED="true"
TLS_SCHEME="https"
For more information about system communication and data flow in XProtect, see System communication and data flow.
Streaming container security considerations
To respect the user permissions defined in the XProtect VMS, the OAuth token of the user on whose behalf video is sent from the XProtect VMS to the IVA application must also be attached to the WebRTC feeds that the IVA application forwards back into the XProtect VMS.
The same user OAuth tokens can also be assigned to snapshot feeds. If you do not assign OAuth tokens to snapshot feeds, the token of the Milestone XProtect basic user defined when installing Milestone AI Bridge is used instead.
In a production environment
For production environments, IVA application developers should always set the enforce-oauth parameter of the AI Bridge Streaming (aibridge-streaming) container to true in the Docker Compose or Helm chart settings.
If the enforce-oauth parameter is set to false in a production environment, the OAuth token of the Milestone XProtect basic user defined when installing Milestone AI Bridge is used instead. Snapshots and WebRTC feeds from the IVA application may then be visible to XProtect users who otherwise have no permission to that video.
In a test environment
For test purposes, IVA application developers can set the enforce-oauth parameter to false to simplify testing, unless the test being performed is itself a security test.
The enforce-oauth parameter is set in the docker-compose.yml file.
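The following shell script is an added example and is not part of the Milestone resource file or documentation: a pre-deployment guard that refuses to bring up a production stack unless the aibridge-streaming service explicitly sets enforce-oauth to true, so that the weak test setting cannot reach production by accident. The page only says the parameter lives in docker-compose.yml; how it is spelled there is assumed here to be a container flag `--enforce-oauth=<bool>` (hypothetical; adjust the pattern to the form your resource file uses). The compose files, the image names and the `guard_compose` helper are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Milestone resource file: fail-closed guard for
# the enforce-oauth parameter of the aibridge-streaming container.
# Assumption (hypothetical): the parameter appears in docker-compose.yml as a
# container flag --enforce-oauth=<bool>. Adjust the regex if yours differs.

# Return 0 only if the aibridge-streaming service sets enforce-oauth to true.
# A missing parameter counts as a failure: the guard fails closed rather than
# trusting whatever default the image ships with.
streaming_enforces_oauth() {
    awk '
        # Two-space indent followed by "name:" starts a service under "services:".
        /^  [^ ][^:]*:[ \t]*$/ { in_svc = ($0 ~ /^  aibridge-streaming:/) }
        in_svc && tolower($0) ~ /enforce-oauth/ {
            seen = 1
            if (tolower($0) ~ /enforce-oauth[=: ]+"?true"?/) ok = 1
        }
        END { if (seen && ok) exit 0; exit 1 }
    ' "$1"
}

# Wrapper for a deployment script: states the consequence from the docs when
# the check fails, so whoever runs it knows what they would be exposing.
guard_compose() {
    if streaming_enforces_oauth "$1"; then
        echo "$1: aibridge-streaming enforces per-user OAuth tokens"
        return 0
    fi
    echo "$1: enforce-oauth is not true; snapshots and WebRTC feeds would be served" >&2
    echo "    with the installation basic user's token, bypassing XProtect user permissions" >&2
    return 1
}

# Constructed sample files (not the real resource file) showing the test setting
# beside the production setting. Image names are placeholders.
WORK=$(mktemp -d)
cat > "$WORK/compose-test.yml" <<'EOF'
services:
  aibridge:
    image: aibridge:placeholder
  aibridge-streaming:
    image: aibridge-streaming:placeholder
    command: ["--enforce-oauth=false"]   # test setting, never for production
EOF
cat > "$WORK/compose-prod.yml" <<'EOF'
services:
  aibridge:
    image: aibridge:placeholder
    command: ["--enforce-oauth=false"]   # a flag on another service must not count
  aibridge-streaming:
    image: aibridge-streaming:placeholder
    command: ["--enforce-oauth=true"]
EOF
guard_compose "$WORK/compose-test.yml" || echo "(refusing the test file is the expected outcome)"
guard_compose "$WORK/compose-prod.yml"
```

Call `guard_compose docker-compose.yml || exit 1` at the top of whatever script runs `docker compose up` in production. The awk program only looks inside the aibridge-streaming service block, so a flag on another service cannot satisfy the check, and the lack of any enforce-oauth line is treated as a failure rather than as an acceptable default.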