...

Properties / Values
TLS Version

Select the version of TLS or SSL protocol to use.

TLS protocol versions are more secure than SSL. Select "all" to allow the client and server to negotiate the protocol. 

Compression

Select the type of data compression to use.

Select 'none', 'zlib', or 'rle'. 

Verify Certificate

Select whether (and how) to use certificate verification for authentication to a TLS/SSL server. A security certificate is optional for a client but required on a server.

The number after the option indicates the "verify=" stunnel value:

  • NO certificate verification
  • ALWAYS require peer cert (2)
  • Request and ignore peer cert (0)
  • Validate only if cert is present (1)
  • Verify peer with locally installed cert (3)
  • Ignore CA chain & only verify peer cert (4)

Certificate File

If the Verify Certificate option has been selected to employ certificate authentication, identify the location on the Linux file system containing the certificate chain PEM file. If used, this property must begin with "cert = ".

NOTE: If no certificate is to be used, this field must be disabled, either by adding a semicolon at the beginning ("; cert = ") or by clearing the property value entirely. Otherwise, the TLS/SSL connection will fail.

The certificate file must be obtained from an appropriate certificate authority containing credentials for this device, which are also known by the TLS/SSL server. The certificate file must be put on the device in the specified location, and must be in PEM format. 

Key File

If the Verify Certificate option has been selected to employ certificate authentication, identify the location on the Linux file system containing the private key associated with the certificate. If used, this property must begin with "key = ".

NOTE: If no certificate is to be used, this field must be disabled, either by adding a semicolon at the beginning ("; key = ") or by clearing the property value entirely. Otherwise, the TLS/SSL connection will fail.

The key file is typically created along with the certificate and must be put on the device in the specified location, and must be in PEM format. 

CA File

If the TLS/SSL server's certificate must be validated with a Certificate Authority before connecting to it, a file identifying the CA must be stored on the Linux file system. If used, this property must begin with "CAfile = " (case-sensitive).

The CA file must be in PEM format. 

CRL Path

If using a Certificate Revocation List file(s) to confirm the validity of the server's certificate, this property is used to identify the directory on the Linux file system where the CRL file(s) will be stored.

Only two options are available:

  • none
  • /etc/stunnel/crls

If using CRL files, they must be stored in the above directory in PEM format.

Connect Timeout

Select the amount of time to wait for a TLS/SSL connection to be established.

Default selection is 10 seconds. 

Idle Timeout

Select the amount of time to keep an idle connection open when there is no data transmitted.

Default selection is 1 hour. 

Busy Timeout

Select the amount of time to wait for expected data in case of a busy network.

Default selection is 5 minutes. 

FIPS mode

Select whether to use FIPS 140-2 encryption mode.

Default is no. (FIPS mode is not currently supported.)

Cipher List

Enter a list of encryption ciphers to allow for the TLS/SSL connection. This property must begin with "ciphers = " and must contain some criteria for the list of ciphers to include or exclude. Use a colon (:) to separate cipher names or criteria. (This property is not required and may be disabled by adding a semicolon before "ciphers" or by clearing the property entirely.)

Example: ciphers = !SSLv3:DH+AES:ECDH:-AES128

On Linux, the ciphers available on the system may be listed using the command: openssl ciphers -v
or, to see which ciphers a given cipher string selects (for example): openssl ciphers -v '!SSLv3:DH+AES:ECDH:-AES128'

The openssl command lists ciphers of various strengths, including those used by SSL or TLS protocol versions. In order to ensure more robust encryption, the list may be filtered to allow only more secure ciphers.

In the above example, "!SSLv3" excludes all ciphers used with the older SSLv3. "DH+AES" includes ciphers that use DH or AES, but excludes those using RSA. "ECDH" includes protocols that use ECDH. "-AES128" filters the list of whatever ciphers may have been included in the previous list by excluding those which use AES with 128-bit encryption, but allows those with 256-bit or better.

Consult 'openssl' documentation for further information. 

Renegotiation

Select whether to support connection renegotiation.

Delay DNS

Select whether to delay DNS lookup until connection.

Debug Level

Select the debugging level for TLS/SSL diagnostics.

The default level is 5 (notice). Use level 7 for a greater quantity of diagnostic messages in the Log File to troubleshoot connection problems. 

Log File

This property is hard-coded and indicates where the TLS/SSL debug messages may be found.

The only option is /var/log/messages.

Socket option 1

Sets TCP socket options for the connection. This is an optional field, but if used for socket options it must begin with "socket = ". See stunnel documentation for further information.

Default value is "socket = l:TCP_NODELAY=1" 

Socket option 2

Sets TCP socket options for the connection. This is an optional field, but if used for socket options it must begin with "socket = ". See stunnel documentation for further information.

Default value is "socket = r:TCP_NODELAY=1"

PID

Name of the PID file used by Linux for the TLS/SSL process. This option is hard-coded to /var/run/stunnel.pid

Param 1
Param 2
Param 3

Additional (optional) stunnel parameters.

If used, these fields must be formatted as proper 'stunnel' configuration options and will be placed verbatim in the stunnel.conf Linux configuration file.

Client Mode

Choose whether to use client mode for the TLS/SSL connection. In Client Mode, this will listen for a local (non-secure) connection to be made to its listener port, and then initiate a connection to a remote server. If set to Server Mode, this will operate as a TLS/SSL server, waiting for a connection to be made to it from another secure client.

STUNNEL Parameters

In the STUNNEL Parameters field, enter a series of properties that are used to define one or more TLS/SSL tunnels between a non-secure and a secure port connection.

Tunnel Name

Enter a unique logical name of the stunnel service (limited to 16 characters) for each tunnel being defined.

Accept Connection

Enter a string that defines the port which will receive the connection, and an optional IP address. Some examples of port or "IP:port" are given below:

  • 443
  • 127.0.0.2:1883
  • 192.168.1.2:3040

Connect To

Enter a string that defines the address and IP port to which a connection will be made after receiving a socket on the "Accept Connection" port. The address being connected to must be accessible using the system's DNS and routing rules. Some examples are:

  • 10.1.2.1:443
  • xyz.com:20000
  • 127.0.0.3:3040
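As an added example (not RediGate or stunnel code), the following Python lints a stunnel.conf service section assembled from the properties above: it applies the page's "verify=" numbering, the "; cert =" / "; key =" disabling convention and the case-sensitive "CAfile =" rule. The "client = yes" directive is assumed to be what the Client Mode property writes out, and the two sample sections are constructed.

```python
"""Added example (not RediGate or stunnel code): lint a stunnel.conf service
section assembled from the properties above, using the page's verify= levels."""
import re
PEER_VERIFIED = {2, 3, 4}  # verify= levels in which the peer certificate is checked
NEEDS_CA = {2, 3}          # levels the page says validate the chain against a CA file
_LINE = re.compile(r"^\s*(?P<off>;)?\s*(?P<key>[A-Za-z]+)\s*=\s*(?P<val>.*?)\s*$")

def parse_service(text):
    """Split directives into those in force and those disabled with a leading ';'."""
    enabled, disabled = {}, {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group("val"):  # a cleared value counts as "not used"
            (disabled if m.group("off") else enabled)[m.group("key")] = m.group("val")
    return enabled, disabled

def lint(text):
    """Return findings for one service section; an empty list means it passes."""
    enabled, disabled = parse_service(text)
    findings = []
    for key in list(enabled) + list(disabled):
        if key.lower() == "cafile" and key != "CAfile":
            findings.append(f"'{key}' is ignored: the directive is case-sensitive (CAfile)")
    level = int(enabled["verify"]) if enabled.get("verify", "").isdigit() else None
    # 'client = yes' is assumed to be what the Client Mode property writes out.
    if enabled.get("client") == "yes" and level not in PEER_VERIFIED:
        findings.append(f"verify={level}: the server certificate is not authenticated")
    if level in NEEDS_CA and "CAfile" not in enabled:
        findings.append(f"verify={level} needs a 'CAfile =' PEM file")
    if ("cert" in enabled) != ("key" in enabled):
        findings.append("'cert =' and 'key =' must be enabled or disabled together")
    return findings

# Constructed samples: WEAK disables the device certificate (as the NOTE above allows), keeps verify=0 and misspells CAfile; HARDENED fixes all three.
WEAK = """[mqtt]
client = yes
connect = 10.1.2.1:443
verify = 0
; cert = /etc/stunnel/device.pem
; key = /etc/stunnel/device.key
cafile = /etc/stunnel/ca.pem
"""
HARDENED = """[mqtt]
client = yes
connect = 10.1.2.1:443
verify = 2
cert = /etc/stunnel/device.pem
key = /etc/stunnel/device.key
CAfile = /etc/stunnel/ca.pem
"""
```

Running lint(WEAK) reports the unauthenticated server and the misspelled directive, while lint(HARDENED) returns an empty list.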

Network Monitor


The Network Monitor icon is a placeholder in the ACE configuration, under which individual NetMon objects are defined to monitor system or network conditions.

Attributes / Function

Object Type: NetworkMonitor
Parent(s): System → Networks
Instance: Must be 0

NetMon (Network Monitor instance)


The NetMon icon defines a Network Monitor process, which allows the RediGate to detect certain conditions in the system or networking (such as ping success/failure, RTDB register value, network port or interface status, etc.) and take some action in response (such as send pings, switch redundant path, write to an RTDB register, restart networking, or run a script).

Attributes / Function

Object Type: NetMon
Parent(s): System → Networks → NetworkMonitor
Instance: Enter a unique instance number between 0 and 99.

Properties / Values

MONITOR Interval

Enter the period (in seconds) for how often to check the system condition.

Condition

Select which network condition to monitor. For most conditions, the actual value is checked against the VALUE property, using the comparison type specified in Criteria. A resulting action will be triggered if the Criteria is satisfied.

  • No Criteria – Always trigger on MONITOR Interval
  • PING FAIL – Send one ping at a time (to one or more network addresses) and check the failure counter. Trigger only occurs if pings to ALL addresses fail a number of sequential times as compared with VALUE.
  • PING GOOD – Send one ping (to one or more network addresses) and check success counter. Trigger occurs if pings to ANY address succeeds a number of sequential times as compared with VALUE.
  • READ REGISTER value – Read the value specified in Channel/RTU/Register and compare it with VALUE.
  • RX PACKET COUNT on Interface – Compare VALUE with the total "RX packets" count shown by 'ifconfig' for the Linux network interface specified in the "Interface or Register" property (such as "eth0", "ppp0", etc.).
  • RX PACKET ERROR on Interface – Compare VALUE with the total RX packets "error" count shown by 'ifconfig' for the Linux network interface specified in the "Interface or Register" property (such as "eth0", "ppp0", etc.).
  • # of STATIC ROUTES on Interface or all – Compare VALUE with the number of 'route' entries. If the "Interface or Register" property specifies a Linux interface (such as "eth0", "ppp0", etc.), only those entries are counted. If Interface is left blank, all route entries on all interfaces are counted.
  • # of ESTABLISHED port connections – Compare VALUE with the number of entries in 'netstat' which have "ESTABLISHED" TCP connections.
  • # of FAILED PASSWORD login attempts – Compare VALUE with the number of "Failed password" entries in /var/log/auth.log.
  • # of ACCEPTED PASSWORD logins – Compare VALUE with the number of "Accepted password" entries in /var/log/auth.log.

Criteria

Select the criteria to use for detecting a trigger condition that will result in an Action. The measured value obtained from the Condition, above, is compared with the VALUE property of this NetMon instance. Criteria may be:

  • Measured value is "Greater than or equal to" the VALUE property (or "Greater than", "Less than or equal to", "Less than", "Equal to", or "Not equal to" VALUE)
  • Changed (+-) ≥ Value – The measured value is compared with the value obtained the last time the action was triggered (or zero, on startup). The action will occur if the measured value changes (increase or decrease) more than the amount specified in the VALUE property.
  • Increased ≥ Value – The action will occur if the measured value increases more than the amount specified in the VALUE property. A value that stays the same or decreases will NOT cause a trigger (NOTE that a decreasing integer that wraps from 0 to a large maximum value will be counted as an increase).
  • NOT Increased ≥ Value – The action will occur if the measured value does not increase by more than the amount specified in the VALUE property. This can detect a value which should normally increase (such as a network packet count or a PLC heartbeat) but stops incrementing. A value that stays the same or decreases will cause a trigger (NOTE that a decreasing integer that wraps from 0 to a large value will be counted as an increase).

VALUE
Channel 
RTU  
Interface or Register 
Ping Addresses  
IP or URL  
Redundant Path  
ACTION Taken  
Ping Count  
Action Text  
NOTIFY Channel  
NOTIFY Rtu  
Monitor Register  
Action Register  
Debug Level  
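As an added example (not RediGate firmware code), the following Python implements the "# of FAILED PASSWORD login attempts" Condition over a constructed auth.log excerpt and evaluates the Criteria above against VALUE, including the counter-wrap behaviour noted for "Increased". The criteria names, and the use of the previous reading as the baseline for "Increased" and "NOT Increased" (the page states a last-trigger baseline only for "Changed"), are assumptions.

```python
"""Added example (not RediGate code): a NetMon-style check that counts the
"Failed password" Condition over auth.log lines and applies the Criteria above."""
import re

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from \S+")

def failed_password_count(lines):
    """Condition '# of FAILED PASSWORD login attempts': count matching auth.log lines."""
    return sum(1 for line in lines if FAILED.search(line))

class NetMon:
    """One NetMon instance: a Criteria name and its VALUE, evaluated each MONITOR Interval."""
    def __init__(self, criteria, value):
        self.criteria, self.value = criteria, value
        self.last_trigger = 0  # baseline for 'changed': value at the last trigger (zero on startup)
        self.previous = 0      # baseline for 'increased'/'not_increased' (assumed: previous reading)

    def check(self, measured):
        """Return True when the Criteria is satisfied, updating the baselines as described."""
        # Plain subtraction, so a counter that wraps from 0 to a large maximum reads as an increase.
        since_trigger = measured - self.last_trigger
        since_previous = measured - self.previous
        triggered = {
            ">=": measured >= self.value,
            "changed": abs(since_trigger) >= self.value,
            "increased": since_previous >= self.value,
            "not_increased": since_previous < self.value,
        }[self.criteria]
        self.previous = measured
        if triggered:
            self.last_trigger = measured
        return triggered

# Constructed auth.log excerpt; host name and addresses are made up.
AUTH_LOG = """Mar  3 10:01:02 redigate sshd[812]: Accepted password for admin from 192.0.2.10 port 51022 ssh2
Mar  3 10:01:09 redigate sshd[815]: Failed password for root from 198.51.100.7 port 40110 ssh2
Mar  3 10:01:11 redigate sshd[815]: Failed password for root from 198.51.100.7 port 40110 ssh2
Mar  3 10:01:14 redigate sshd[819]: Failed password for invalid user pi from 198.51.100.7 port 40112 ssh2""".splitlines()

def run_intervals(monitor, snapshots):
    """Feed the monitor one log snapshot per MONITOR Interval; return the trigger flag for each."""
    return [monitor.check(failed_password_count(lines)) for lines in snapshots]
```

With VALUE 2 and the "Increased" criteria, the monitor fires on the interval in which two further failures appear and stays quiet once the count stops growing.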

 

DNS Client

The DNS Client object is used to manually configure DNS entries in the Linux resolv.conf file.

...

Properties / Values

The following parameters are stored in the SNMP configuration file, located at /etc/snmpd.conf.
rocommunity

Read-only community name. The RediGate currently supports only a read-only community, not a read-write community.

Enter a text string between 1 and 63 characters. 

sysdescr

User-defined system description.

Enter a text string between 1 and 127 characters. 

syslocation

User-defined system location.

Enter a text string between 1 and 127 characters. 

syscontact

System contact of the individual who manages this system.

Enter a text string between 1 and 127 characters. 

The following parameters are used as command-line arguments for the script which calls the snmpd service. Elecsys uses a standard Linux SNMP agent, and documentation on these properties can be obtained from public sources if extra options might be needed.

Agent_ExtraOpts

Extra command line options for the SNMP agent service may be entered here. Normally, this should be left blank.

Text string must be 127 characters or less. 

Agent_ListenOn

This sets the port to listen for an SNMP management system connection.

The default option, 'UDP:161', establishes a server on the standard UDP port 161 to use for SNMP. Multiple ports or protocols (such as TCP) can be added, separated by commas. For example, the string 'UDP:161,5000,TCP:2000@localhost' would listen for SNMP on ports 161 and 5000 using the UDP protocol, and using the TCP protocol on localhost only at port 2000.