Allowed Hosts tab
The Allowed Hosts tab contains security exemptions for the currently open platform. These are the certificates (signed or self-signed) received by a client from a server (host) that could not be validated against a root CA certificate in a client’s Trust Store. Whether you approve or reject the certificate, the system lists it in the Allowed Hosts list.
Allowed Hosts columns
To be authentic, a root CA certificate in the client’s System or User Trust Store must be able to validate the server certificate’s signature, and the Subject of the root CA certificate must be the same as the Issuer of the server certificate.
Allowing exemptions makes it possible for a human operator to override the lack of trust between a server and client when the human user knows the server can be trusted.
If this is a Workbench-to–station connection, the system prompts you to approve the host exemption. Workbench challenges server identity at connection time for unapproved hosts and, unless specific permission is granted, prohibits communication. Once permission is granted, future communication occurs automatically (you still have to log in). Both approved and unapproved hosts remain in this list until deleted.
If this is a station–to–station connection, and there is a problem with the certificates, the connection fails silently. There is no prompt to approve the host exemption. However, the last failure cause in the station reports the problem (expand the station ClientConnection under NiagaraNetwork).
The approved host exemption in the Allowed Hosts list is only valid when a client connects to the server using the IP address or domain name that was used when the system originally created the exemption. If you use a different IP address or domain name to connect to the server, you must approve an updated exemption. The same is true if a new self-signed certificate is generated on the host.
If you continue to use an approved self-signed certificate (rather than implement signed certificates, which are more secure), and the self-signed certificate’s public key changes, the system negates the certificate, the green shield icon changes to a yellow shield icon with an exclamation mark (
), and the system returns an error. To approve this change, view the exemption (right-click the certificate row on the Allowed Hosts tab and click View) then approve the certificate by clicking Accept.
To open this view using Workbench, click and click the Allowed Hosts tab.
| Column | Description |
|---|---|
| Host | Reports the server, usually an IP address. |
| Subject |
Specifies the Distinguished Name,
the name of the company that owns the certificate.
|
| Approval | Reports the servers within the network to which the a client may connect. If approval is no, the system does not allow the client to connect. |
| Created | Identifies the date the record was created. |
| Issued By |
Identifies the entity that signed
the certificate.
|
| Not Before |
Specifies the date before which
the certificate is not valid. This date on a server certificate should
not be earlier than the Not Before date on
the CA certificate used to sign it.
|
| Not After |
Specifies the expiration date
for the certificate. This date on a server certificate should not
be later than the Not After date on the CA
certificate used to sign it.
A period no longer than a year ensures regular certificate changes making it more likely that the certificate contains the latest cryptographic standards, and reducing the number of old, neglected certificates that can be stolen and re-used for phishing and drive-by malware attacks. Changing certificates more frequently is even better. |
| Key Algorithm |
Refers to the cryptographic
formula used to calculate the certificate keys.
|
| Key Size |
Specifies the size of the keys
in bits. Four key sizes are allowed: 1024 bits, 2048 bits (this is
the default), 3072 bits, and 4096 bits. Larger keys take longer to
generate but offer greater security.
|
| Signature Algorithm |
Specifies the cryptographic
formula used to sign the certificate.
|
| Signature Size |
Specifies the size of the
signature.
|
| Valid |
Specifies certificate dates.
|
Allowed Hosts buttons
-
View displays details for the selected item.
-
Approve designates the server as an allowed host.
-
Unapprove prohibits a connection to this server host. The system terminates any attempted communication.