Encryption
This section gives you an introduction to encryption and certificates.
XProtect systems support secure communication:
|
From |
To |
|---|---|
| Recording Server |
Management Server |
| Management Server |
Recording Server |
| Clients, servers, and integrations that retrieve data streams from the recording server |
Recording Server |
| Mobile devices | Mobile Server |
| Management Server | Data Collector servers affiliated with remote servers |
| Data Collector servers affiliated with remote servers | Management Server |
When do you need to install certificates?
First, decide whether your system actually needs encrypted communication.
Don't use certificates with recording server encryption if you are using one or more integrations that don't support HTTPS communication. This is, for example, third-part MIP SDK integrations that don't support HTTPS.
Unless your installation is made in a physically isolated network, it's recommended that you secure the communication by using certificates.
This document describes when to use certificates:
- If your XProtect VMS system is set up in a Windows Workgroup environment
- Before you install or upgrade to XProtect VMS 2019 R1 or newer, if you want to enable encryption during the installation
- Before you enable encryption, if you installed XProtect VMS 2019 R1 or newer without encryption
- When you renew or replace certificates due to expiry
Introduction to certificates
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL).
In XProtect VMS, secure communication is obtained by using TLS/SSL with asymmetric encryption (RSA).
TLS/SSL uses a pair of keys—one private, one public—to authenticate, secure, and manage secure connections.
A certificate authority (CA) is anyone who can issue root certificates. This can be an internet service that issues root certificates, or anyone who manually generates and distributes a certificate. A CA can issue certificates to web services, that is to any software using https communication. This certificate contains two keys, a private key and a public key. The public key is installed on the clients of a web service (service clients) by installing a public certificate. The private key is used for signing server certificates that must be installed on the server. Whenever a service client calls the web service, the web service sends the server certificate, including the public key, to the client. The service client can validate the server certificate using the already installed public CA certificate. The client and the server can now use the public and private server certificates to exchange a secret key and thereby establish a secure TLS/SSL connection.
For manually distributed certificates, certificates must be installed before the client can make such a verification.
See Transport Layer Security for more information about TLS.
In XProtect VMS, the following locations are where you can enable TLS/SSL encryption:
- In the communication between the management server and the recording servers, event servers, and mobile servers
- On the recording server in the communication with clients, servers, and integrations that retrieve data streams from the recording server
- In the communication between clients and the mobile server
Certificate distribution
The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS.
A CA certificate acts as a trusted third-party, trusted by both the Subject/owner (server) and by the party that verifies the certificate (clients).
The public CA certificate must be trusted on all client computers. In this way the clients can verify the validity of the certificates issued by the CA.
The CA certificate is used to issue private server authentication certificates to the servers.
The created private SSL certificates must be imported to the Windows Certificate Store on all servers.
Requirements for the private SSL certificate:
- Issued to the server so that the server's host name is included in the certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to
- Trusted on all computers running services or applications that communicate with the service on the servers, by trusting the CA certificate that was used to issue the SSL certificate
- The service account that runs the server must have access to the private key of the certificate on the server.
Certificates have an expiry date. XProtect VMS will not warn you when a certificate is about to expire. If a certificate expires, the clients will no longer trust the server with the expired certificate and thus cannot communicate with it.
To renew the certificates, follow the steps in this guide as you did when you created certificates.
For more information, see the certificates guide about how to secure your XProtect VMS installations.