TLS/SSL Communication and Encryption

Secure communication between the components that integrate an Automation Engine system relies on encryption and authenticity. It secures the data flow between the components and ensures that data cannot be read or modified during transfer. As a system administrator, you configure the encryption of your system.

Important! Check Broadcom's Enterprise Software Academy. There is a course available for this topic. For more information, see the Education section at the end of this topic.

This page includes the following:

Overview

Encryption is used for the following purposes:

  • Password storage within the Automation Engine database repository
  • Database password reference within the Automation Engine configuration file
  • Communication between Automation Engine instances and different components
  • Web interfaces and APIs
  • Outbound communication

For a more detailed overview of which components use TLS/SSL to secure the connection with their communication partners, see TLS/SSL Component Communication.

Network Communication

The Automation Engine uses the TCP/IP protocol family for data transmission. These protocols have been developed for fail-safe peripheral communication and are therefore very well suited for safe data transfer. TCP/IP needs relatively low effort for the design of redundant networks, thus making the design of highly available and fail-safe networks easy.

The security of the communication between each connection partner relies on encryption. Automic Automation uses TLS/SSL to ensure confidentiality, integrity and authenticity. The architecture consists of multiple certificates, which enable the client to verify the identity of the endpoint. The Automation Engine exposes a TLS/SSL endpoint through the Java communication process (JCP) to which agents can connect. To enable a painless integration, it is recommended to use a certificate that is already trusted in the client machines, such as a certificate signed by a trusted certificate authority (CA).

The Automation Engine deploys certificates automatically to the Agents. All certificates are handled and signed by the Automation Engine. There are no manual steps involved, which ensures an easy setup and removes the need of an additional certificate management process. For the initial setup, the Agent requires an authentication package used to register the new Agent in the system. During this initial setup, the Agent receives a certificate from the Automation Engine; the certificate is then used to authenticate against other Agents, for example, during file transfers. This ensures a secure communication between Agents without complicated setup.

Encryption

The Automation Engine only communicates with current Agents using TLS/SSL. An unencrypted communication is not possible, therefore a proper TLS/SSL setup of the JCP endpoint is required. For more information, see Securing Connections to the AE (TLS/SSL).

All other Agents establish a connection with a Communication Process (CP) and use an AES key level of your choice for encryption. For more information, see Non-TLS/SSL Communication and Encryption.

TLS/SSL Component Communication

This section gives you an overview of all TLS/SSL connections in the system.

TLS/SSL and the Automation Engine

The communication between the Automation Engine, the Automic Web Interface, the Java API, and the Proxy Client as well as between the Automation Engine, the Java, Windows and UNIX Agents and the TLS Gateway uses TLS/SSL through a secure WebSocket (WSS). These components establish a connection with the Java communication process (JCP) and/or the REST process (REST), which use trusted certificates to prove their identity to other communication partners. These certificates are stored in a keystore, which must be created beforehand using pkcs12 format. The relevant parameters for the keystore and the keys are defined in the [TLS] section of the configuration (UCSRV.INI) file of the Automation Engine.

TLS/SSL Agents and the TLS Gateway, when used for the Automic Automation Kubernetes Edition, establish a connection to an ingress / HTTPS load balancer and not the JCP directly. The ingress / HTTPS load balancer must be reachable and requires a certificate for authentication. The address of the load balancer must be defined on both sides: the Automation Engine and the Agent / TLS Gateway.

For more information about the different certificate types and for detailed instructions on how to create and use them, see What Kind of Certificates Should I Use for Automic Automation v21.

More information:

TLS/SSL and the Automic Web Interface

The Automic Web Interface connects to the Automation Engine using TLS/SSL. However, it usually uses common security principles to connect to an application server. This is one of the most important components that influences the security of AWI.

You can enable the TLS/SSL for the communication between AWI and an application server.

More information:

TLS/SSL and PostgreSQL Database

The connection between a PostgreSQL database (DB Server v11 and higher) and the Automation Engine can be secure using TLS/SSL. This connection also requires a corresponding certificate. For more information ,see Preparing the AE Database - PostgreSQL.

TLS/SSL and the ServiceManager

The ServiceManager uses TLS 1.2 and CAPKI to establish secure connections to its clients, the ServiceManager - Service, the ServiceManager - Dialog Program, the ServiceManager - Command Line Program (CLI) and the Server Processes of the Automation Engine. Therefore, you need to install CAPKI on all computers in which any of the mentioned components run.

Important! CAPKI is not supported in the Automic Automation Kubernetes Edition but you can use the ServiceManager without CAPKI to start your agents.

More information:

TLS/SSL and the REST API

The AE REST API supports both HTTP and HTTPS (recommended). HTTP is used by default. You can enable HTTPS using the sslEnabled parameter in the INI file of the Automation Engine (ucsrv.ini).

When you enable TLS/SSL you have to make sure that the certificate you use for the Java communication process (JCP) is also configured so that the REST API can reach the REST process.

More information:

TLS/SSL and the Java Work Process

If you want, you can use TSL/SSL certificates for the LDAP connection. To do so, the required certificates must be available to the Java work process (JWP).

More information:

TLS/SSL and Analytics

Analytics uses TLS/SSL to secure the communication of the Analytics Backend with the Automation Engine and the UI plug-in, as well as the communication of the Event Engine and, optionally, the Rule Engine.

More information:

TLS/SSL and the Proxy

Besides the communication between the Automation Engine and the Proxy Client, the following Proxy connections also use TLS/SSL:

  • The communication between the Proxy Client and Proxy Server

  • The communication between the Proxy Server and the TLS/SSL Agents

More information:

Education

The Enterprise Software Academy provides a wide range of free online trainings. If you have not already done so, register at Enterprise Software Academy to start profiting from our education offer.

You can find the list of courses available for Automic products here: Automic Course Catalog.

The following course(s) are associated with this topic:

  • Automic Automation TLS and Certificates

  • Automic Automation TLS Gateway

For more information, see Free Online Courses

See also:

Security and System Hardening