ICDM-RX/TCP Security; Understanding Security Methods and Terminology - Pepperl+Fuchs ICDM-RX/TCP-DB9/RJ45-PM Installation and Configuration Manual

ICDM-RX/TCP Installation and Configuration Guide

ICDM-RX/TCP Security

6. ICDM-RX/TCP Security
This subsection provides a basic understanding of the ICDM-RX/TCP security options, and the repercussions
of setting these options. See Removing ICDM-RX/TCP Security Features on Page 150 if you need to reset
ICDM-RX/TCP security options. See Restoring Defaults on Page 107 if you want to return the ICDM-RX/TCP
settings to their default values.

6.1. Understanding Security Methods and Terminology

The following table provides background information and definitions. Each entry gives the Term or Issue, followed by its Explanation.

CA (Client Authentication certificate)
    If configured with a CA certificate, the ICDM-RX/TCP requires all SSL/TLS clients to present an RSA identity certificate that has been signed by the configured CA certificate. As shipped, the ICDM-RX/TCP is not configured with a CA certificate and all SSL/TLS clients are allowed.

    This uploaded CA certificate, which is used to validate a client's identity, is sometimes referred to as a trusted root certificate, a trusted authority certificate, or a trusted CA certificate. It may be the certificate of a trusted commercial certificate authority, or a privately generated certificate that an organization creates internally to control access to resources that are protected by the SSL/TLS protocols.

    See Key and Certificate Management on Page 67 for more information. This section does not discuss the creation of CA certificates.

Client Authentication
    A process using paired keys and identity certificates to prevent unauthorized access to the ICDM-RX/TCP. Client authentication is discussed in Client Authentication on Page 58 and Changing Keys and Certificates on Page 70.

DH Key Pair Used by SSL Servers †
    This is a private/public key pair that is used by some cipher suites to protect the SSL/TLS handshake messages. Possession of the private portion of the key pair allows an eavesdropper to decrypt traffic on SSL/TLS connections that used DH with that key pair during handshaking.

    The DH (Diffie-Hellman) key exchange, also called exponential key exchange, is a method of establishing a shared secret key: each party raises numbers to a secret power, and the resulting key is derived from components that are never directly transmitted, making the task of a would-be code breaker mathematically overwhelming.

    The most serious limitation of Diffie-Hellman (DH key) in its basic or pure form is the lack of authentication. Communications using Diffie-Hellman by itself are vulnerable to man-in-the-middle attacks. Ideally, Diffie-Hellman should be used in conjunction with a recognized authentication method, such as digital signatures, to verify the identities of the parties over the public communications medium.

    See Certificates and Keys on Page 58 and Key and Certificate Management on Page 67 for more information.

† All ICDM-RX/TCP units are shipped from the factory with identical configurations. They all have the identical, self-signed, Pepperl+Fuchs Server RSA Certificates, Server RSA Keys, Server DH Keys, and no Client Authentication Certificates. For maximum data and access security, you should configure all ICDM-RX/TCP units with custom certificates and keys.
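The two checks implied by the table and its footnote, as an added example that is not from the Pepperl+Fuchs manual: a client certificate is accepted only if it verifies against the configured CA certificate (the device's client-authentication rule), and a certificate whose issuer equals its subject is self-signed, which is how every unit ships and what custom certificates should replace. It assumes the openssl CLI is installed; all subject names and file paths are made up.

```shell
#!/bin/sh
# Added example (not from the Pepperl+Fuchs manual). It reproduces, with the
# openssl CLI, the two checks described above:
#   1. a client identity certificate is accepted only if it chains to the
#      configured CA certificate (the device's client-authentication rule);
#   2. a certificate whose issuer equals its subject is self-signed, which is
#      how every ICDM-RX/TCP ships and what custom keys/certs should replace.
# Assumes the openssl CLI is installed; all names and paths are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private CA that would be uploaded to the device as the CA (Client
# Authentication) certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Plant CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Legitimate client: its CSR is signed by the CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=scada-host" \
    -keyout "$WORK/good.key" -out "$WORK/good.csr" >/dev/null 2>&1
openssl x509 -req -days 365 -in "$WORK/good.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/good.crt" >/dev/null 2>&1

# A client presenting a self-signed certificate not issued by the CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=unknown-host" \
    -keyout "$WORK/bad.key" -out "$WORK/bad.crt" >/dev/null 2>&1

# Check 1: accept the client certificate only if it verifies against the
# configured CA. Prints accept/reject and returns 0/1.
client_allowed() {
    if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
        echo accept
    else
        echo reject; return 1
    fi
}

# Check 2: a certificate is self-signed when issuer and subject are identical.
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

client_allowed "$WORK/good.crt"              # accept
client_allowed "$WORK/bad.crt" || true       # reject
is_self_signed "$WORK/ca.crt" && echo "ca.crt is self-signed (a root CA)"
is_self_signed "$WORK/good.crt" || echo "good.crt was issued by the CA"
```

Running the same issuer/subject comparison against the certificate a unit presents on its SSL/TLS port tells you whether it is still using the factory self-signed certificate.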