Activate TLS/SSL

To activate TLS/SSL in the web server of the NETx BMS Server, a valid X.509 certificate and its corresponding private key are required. A commercial TLS/SSL certificate can be bought from a CA (e.g. Verisign). Alternatively, a self-signed certificate, which is free of charge, can be used.

The NETx BMS Server 2.0 Webserver supports the TLS protocol up to version 1.2.

Generating a self-signed certificate

To create a self-signed certificate, the Windows SDK is necessary. It can be downloaded here:

https://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx

Although the SDK consists of many components, only the "Windows App Certification Kit" is necessary. The other components do not need to be installed.

After the "Windows App Certification Kit" has been installed, a self-signed certificate and its private key can be created with the following command in the Windows CMD. Note that the CMD must be started as Administrator:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe" -n "CN=webserver" -sr localmachine -ss My -r websrv.cer

This command generates a self-signed certificate and its private key and automatically stores them in the "Personal" certificate store of the Local Machine.

With this method, the certificate must be generated on the machine where the NETx BMS Server is running. If the certificate is generated on another machine, copying "websrv.cer" is not enough, because the private key is then missing from the Windows certificate store of the server machine.
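The following PowerShell check is an added example, not part of the NETx documentation: it confirms that the certificate in "websrv.cer" is present in the "Personal" store of the Local Machine together with its private key. The function name Test-WebServerCertificate is hypothetical, and the file is assumed to be in the current directory of an elevated PowerShell session.

```powershell
# Added example, not part of the NETx documentation.
# Test-WebServerCertificate is a hypothetical helper name.
function Test-WebServerCertificate {
    param(
        # Assumption: websrv.cer sits in the current directory unless a path is given.
        # Join-Path makes the path absolute, since .NET does not follow the PowerShell location.
        [string]$CerPath = (Join-Path (Get-Location) 'websrv.cer')
    )

    # Load the exported public certificate; a .cer file never contains the private key.
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # Find the same certificate (by thumbprint) in Local Machine \ Personal.
    $stored = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $exported.Thumbprint } |
        Select-Object -First 1

    $result = [pscustomobject]@{
        Subject       = $exported.Subject
        Thumbprint    = $exported.Thumbprint
        SelfSigned    = ($exported.Subject -eq $exported.Issuer)
        NotAfter      = $exported.NotAfter
        InStore       = [bool]$stored
        HasPrivateKey = [bool]($stored -and $stored.HasPrivateKey)
    }

    if (-not $result.InStore) {
        Write-Warning 'Certificate is not in Cert:\LocalMachine\My; it was probably generated on another machine.'
    } elseif (-not $result.HasPrivateKey) {
        Write-Warning 'Certificate is in the store, but its private key is missing.'
    }
    if ($result.NotAfter -lt (Get-Date)) {
        Write-Warning 'Certificate has expired.'
    }
    return $result
}

Test-WebServerCertificate | Format-List
```

InStore and HasPrivateKey should both be True on the machine where the NETx BMS Server runs.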

Configuring the web server

Afterwards, the resulting "websrv.cer" file has to be copied to the "ConfigFiles" directory of the BMS Server workspace.

Although any TCP port for https can be used, it is suggested to change the web server port (BMS Studio / Server / Server Configuration / TCP Port of NXA Webserver) to 443 since this is the default port for https. 

BMS Client Access

If the standard https port 443 is used, the following URL has to be used to access the BMS Client visualization:

https://<ip webserver>/<client_name>/

If a non-standard port number is used, the port number has to be specified, too:

https://<ip webserver>:<port>/<client_name>/