This document contains information about client-server data security.
The contents in this section explains internal cryptography and security measures to protect the data exchange among the various processes. Its reading is NOT necessary to any project configuration; it is intend to proved detailed implementation information for IT and Network security professionals. |
Data Encryption
All communication between Clients and Server are encrypted by default. Clients are external modules that executes out of server (TServer). Examples of clients: Script Task Server, DataAccess, Devices, TRichClient, TSmartClient, WebClient[legacy], HTML5Client, Module Information, TraceWindow, PropertyWatch, TReportServer, OPC Server.
The communication can be using .NET/WCF and TCP binary, and in both they are encrypted. TCP binary is used mainly while running runtime on Mono/Linux and also when exchanging data between Mono/Linux and Windows Desktop, and it wil be explained in last section of this document.
The cryptography uses basically two classes of .NET Framework:
- System.Security.Cryptography.RSACryptoServiceProvider (Asymmetric, KeySize: 1024): Performs asymmetric encryption and decryption using the implementation of the RSA algorithm provided by the cryptographic service provider (CSP). It is used to generate "private/public keys" during the initial connection.
- System.Security.Cryptography.Rijndael (KeySize: 256). It is used to encrypt/decrypt the data and it uses "private/public keys" generated during the initial connection.
Windows Process Data Connections
Host the following bindings:
- WCF/NetNamedPipeBinding/NetNamedPipeSecurityMode.None. Used only for local connections between clients and server (clients and server running on the same computer).
- WCF/NetTcpBinding
- SecurityMode.None: Default port is 3101.
- SecurityMode.Transport(SSL): Default port is 3101, available from "FactoryStudio fs-8.1.15". See "Note" section.
- SecurityMode.Message: Default port is 3102. This binding is used when using "Windows Authentication".
- WCF/WebHttpBinding: HTML5, http/https: Default port is 80 (http) or 443 (https)
- It is necessary to reserve via "command prompt" (Run as Administrator) the url's:
- netsh http add urlacl url=[http/https]://+:<port number>/thtml5/service.svc sddl=D:(A;;GX;;;IU)
- netsh http add urlacl url=[http/https]://+:<port number>/thtml5/ws/service.svc sddl=D:(A;;GX;;;IU)
- It is necessary to reserve via "command prompt" (Run as Administrator) the url's:
- .NET/HttpListener: HTML5/WebSocket, http: Default port is 80
- .NET/TcpListener: Basic WebServer, Host Mono connections: Default port is 3103.
Note: From "FactoryStudio fs-8.1.15" SSL can be enabled changing settings (EnableSSL) of TWebServer.exe.configfile. In this case:
- TSmartClient: You need add argument "enableSSL=true".
- DataAccess:Set EnableSSL property to true.
Mono/Linux Data Connections
Host the following bindings:
- .NET/TcpListener: Basic WebServer, HTML5/WebSocket
Exchanging data between Mono/Linux and Windows
- It is used TCP Binary (.NET/TcpListener).
- The server can execute on Windows Desktop and Mono/Linux.
- TRemoteClient can connect to both platforms.
- Debugging tools (PropertyWatch, TraceWindow and ModuleInformation) also can connect to server running Mono/Linux. For this it is necessary add argument "/iot" while running these tools.
- TRichClient (fs-8.1/IoT/Runtime/TRichClient.exe) can connect to server running on Mono/Linux. The opposite is not possible.
- HTML5 clients in any platform can connect to server on Windows Desktop and Mono/Linux.