Network Communication and Encryption

Secure communication between the components that integrate an Automation Engine system relies on encryption and authenticity. It secures the data flow between the components and ensures that data cannot be read or modified during transfer. As a system administrator, you configure the encryption of your system.

This page includes the following:

Overview

Encryption is used for the following purposes:

Password storage within the Automation Engine database repository
Database password reference within the Automation Engine configuration file
Communication between Automation Engines and Agents
Web interfaces and APIs
Outbound communication

The communication between the Automation Engine, the Automic Web Interface, and the Java API, as well as between the Automation Engine and agents uses TLS through a secure WebSocket (WSS). All these components establish a connection with a Java Communication Process (JCP) and/or REST process. For more information, see Types of Server Processes.

The JCP and REST processes use trusted certificates to prove their identity to other communication partners, such as Agents. These certificates are stored in a keystore, which must be created beforehand using pkcs12 format. The relevant parameters for the keystore and the keys are defined in the [TLS] section of the configuration (UCSRV.INI) file of the Automation Engine. For more information, see Automation Engine.

Network Communication

The Automation Engine uses the TCP/IP protocol family for data transmission. These protocols have been developed for fail-safe peripheral communication and are therefore very well suited for safe data transfer. TCP/IP needs relatively low effort for the design of redundant networks, thus making the design of highly available and fail-safe networks easy.

The security of the communication between each connection partner relies on encryption. uses TLS to ensure confidentiality, integrity and authenticity. The architecture consists of multiple certificates, which enable the client to verify the identity of the endpoint. The Automation Engine exposes a TLS endpoint through the Java communication process (JCP) to which agents can connect to. To enable a painless integration, it is recommended to use a certificate that is already trusted in the client machines, such as a certificate signed by a trusted certificate authority (CA).

The Automation Engine deploys certificates automatically to the Agents. All certificates are handled and signed by the Automation Engine. There are no manual steps involved, which ensures an easy setup and removes the need of an additional certificate management process. For the initial setup, the Agent requires an authentication package used to register the new Agent in the system. During this initial setup, the Agent receives a certificate from the Automation Engine; the certificate is then used to authenticate against other Agents, for example, during file transfers. This ensures a secure communication between Agents without complicated setup.

Encryption

The Automation Engine only communicates with current Agents using TLS. An unencrypted communication is not possible, therefore a proper TLS setup of the JCP endpoint is required. For more information, see TLS Configuration.

All other Agents establish a connection with a Communication Process (CP) and use an AES key level of your choice for encryption. For more information, see Non-TLS Agent Encryption.