How to Protect Connections Using Certificates

Various connections can be protected using a certificate.

The icom Data Suite will only establish a connection to the mail server, if the server certificate has been generated by a CA whose certificate is stored in the icom Data Suite.

Situation

The connection to a server is to be protected using the CA certificate of this server.

Solution

This Configuration Guide describes how to protect the connection to the Cumulocity server. Proceed accordingly to protect other connections.

Downloading the certificate file

The certificate file for the server to connect to must be downloaded first. The following describes a download using the commonly used Firefox browser. Other browsers should be similar. It is prerequisite that your configuration PC has Internet access.

Enter the server address in a browser and log in if required.
Click on the lock icon () to display the security information.
Click on the arrow behind the server address () and on More information.
Click on View certificate in the Page info window and select the Details tab.
Select the root CA certificate in the Certificate Hierarchy and click on Export to store the certificate on your computer. ^[1]

icom Data Suite configuration

It is prerequisite that you have access to the web interface of the icom Data Suite. The Smart Device must have Internet access. The CA certificate is stored on your computer as described above.

Open the web interface of the icom Data Suite using a browser:
- 192.168.1.10 or ids.local ^[2]
- User name: insys (default)
- Password: icom (default)
In the Administration → Certificates menu, click on Browse….
Select above downloaded CA certificate and click on Import certificates.
In the Messages → Cumulocity menu, add a new server () if you have not already set up a server.
Edit the configuration of your Cumulocity server ():
- Description: cumulocity server
- Protocol: HTTPS
- Server: enter the server URL of your Cumulocity server ^[3]
- Verify server certificate: ^[4]
- Verify host name of servers: ^[5]
- Device name: enter a descriptive name for your device
- Device type: insys-device
- Self registration: ^[6]
Click on Save settings.
Activate the profile ().

Troubleshooting

It facilitates troubleshooting to have a look at the Cumulocity log in the Status → Log view menu.

Resources

The following ASCII configuration can be taken over using copy & paste. It must be observed that the individual parameters need to be adapted to the own application. Correct numbering must be observed for numbered parameters. Moreover, it must be observed that no existing parameters with the same number will be overwritten. A proper functionality can only be ensured if the opened profile has been created from default settings before.

ASCII configuration

messages.cumulocity.server.add
messages.cumulocity.server[1].active=1
messages.cumulocity.server[1].name=c8yServ1
messages.cumulocity.server[1].description=cumulocity server
messages.cumulocity.server[1].protocol=https
messages.cumulocity.server[1].server=tenant.cumulocity.com
messages.cumulocity.server[1].verify_peer=1
messages.cumulocity.server[1].verify_host=1
messages.cumulocity.server[1].device_name=INSYS Smart Device
messages.cumulocity.server[1].self_registration=1
messages.cumulocity.server[1].username=serial_number
messages.cumulocity.server[1].password=
messages.cumulocity.server[1].device_id=

administration.certificates.ca_certs.ca_cert.add
administration.certificates.ca_certs.ca_cert[1].name=ca_cert1
administration.certificates.ca_certs.ca_cert[1].description=Issuer Root Certificate Authority
administration.certificates.ca_certs.ca_cert[1].ca_certificate=-----BEGIN CERTIFICATE-----
...
<certificate data>
...
-----END CERTIFICATE-----

administration.certificates.ca_certs.ca_cert[1].downloadable=1
administration.timezone.timezone=router_timezone
administration.ip_settings.mode=automatic
administration.ip_settings.default_gateway=
administration.ip_settings.dns_server=

ASCII configuration download (right-click and save as)

Back to the Configuration Guides for the icom Data Suite

Back to overview

1. The root certificate is the uppermost certificate in the hierarchy.

2. This IP address and host name only apply in case of a standard default installation.

3. Request these data from Cumulocity.

4. This ensures that it will be verified whether the certificate of the server corresponds to one of the CA certificates stored in the icom Data Suite. If the checkbox is not checked, all certificates of the server are accepted without verification.

5. This ensures that it will be verified whether the host name of the server corresponds to the Common Name in the certificate; otherwise, a connection to the server cannot be established. If the checkbox is not checked, no verification will be made.

6. Refer to the Cumulocity Device Guide to find out how to register a device if it is not yet registered.