We have a use case with a self-made DMA protocol driver (running on a DMA 10.1 CU18 cluster) connected to a 3rd-party HTTP REST API service which uses SSL 1.2 and self-signed certificates (we'll have proper SSL certificates in the future, but the test and validation service currently uses self-made ones). DMA seems not to work in that kind of setup even if we insert/import the certificate into the Windows Certification store (on all DMA nodes in the DMA cluster); the message reported is forced disconnect and/or similar. Furthermore, we did not find a way to properly connect DMA using HTTPS if the service is not hosted on port 443 (btw. the service may be on port 8443, for example). We cannot find anything useful in the documentation. Is there a way we can test the REST API using HTTPS with self-signed certificates and connect that particular DMA protocol driver to some other port than 443?
More information about implementing HTTPS in a protocol:
The important bit:
To poll an HTTPS server on a different port than 443, you have to specify the "https://" prefix in the address field of the server in the element wizard.
The <Request> tag should also allow you to specify a different port number:
It is also possible to specify an absolute URL (e.g. "http://google.com"), which possibly specifies another host (or IP address/port) than the one specified in the corresponding element connection.
If you have tried these and it still doesn't work, could you share the exact error message you are receiving and the relevant parts of the protocol?
Thanks for the info, I’ll try specifying the “https://” prefix in the address field of the server in the element wizard; hope this works, as unfortunately we cannot use absolute URLs.
Btw. is there any workaround for self-signed certificates, and how to tackle these?
Self-signed certificates should be supported. It’s required to import them in the trusted root certification authorities in the Windows certificate store (on the DataMiner agent hosting the element). This may require a DataMiner restart before it can work.
The self-signed certificate has been imported into the Windows cert store and the DMA was restarted a couple of times already. We can use the IE or Firefox browser from that Windows node to make a REST API call towards the service and all goes well, but the DMA element is in timeout when doing the same. The service runs on port 443 and is accessible. Element logging currently reports only element timeout; no other errors are visible in the logging. We’ve checked the SLErrors and SLErrorsInProtocol log files as well. The same element seems to work fine if we remove SSL (port 443) and reconfigure everything to work over HTTP (port 80). Basic authentication is used to access the REST API data, but this should not affect the SSL (transport layer).
Can you confirm the certificate usage is set to “server”? Web servers offering a client certificate will be rejected. Certificates with a weak signature will also be rejected (e.g. MD5 or SHA1). Could you share the signature algorithm used in your certificate?
Checking the certificate, intended purpose(s):
– All issuance policies
– All application policies
Signature algorithm: SHA256RSA
Signature hash: SHA256
Subject Type=CA
Path Length Constraint=None
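The checks discussed in this thread (importing the self-signed certificate into the trusted root store of the agent, confirming the certificate is a server certificate with a non-weak signature, and reaching the API over TLS on a port other than 443) can be run from the DMA node itself. The script below is an added example written for this answer, not DataMiner's own code or code from the thread; `$ApiHost`, `$ApiPort` and `$CertFile` are placeholders to replace with the real host name, port and exported certificate file. One caveat it makes visible: the DNS name inside the certificate must match the host name used in the element address, otherwise .NET rejects the certificate even when it is trusted.

```powershell
# Added diagnostic (example code, not from DataMiner or the thread).
# Run in an elevated Windows PowerShell session on the DMA node hosting the element.
param(
    [string]$ApiHost  = 'api.example.internal',       # placeholder: REST API host name
    [int]$ApiPort     = 8443,                         # non-443 port from the question
    [string]$CertFile = 'C:\Temp\api-selfsigned.cer'  # placeholder: exported certificate
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# 1. Inspect the certificate before trusting it.
$cert    = New-Object "$x509.X509Certificate2" -ArgumentList $CertFile
$sigAlg  = $cert.SignatureAlgorithm.FriendlyName
$dnsName = $cert.GetNameInfo([type]"$x509.X509NameType"::DnsName, $false)
$ekuExt  = $cert.Extensions | Where-Object { $_ -is [type]"$x509.X509EnhancedKeyUsageExtension" }
$bcExt   = $cert.Extensions | Where-Object { $_ -is [type]"$x509.X509BasicConstraintsExtension" }

"Subject             : $($cert.Subject)"
"DNS name in cert    : $dnsName  (must match the host used in the element address)"
"Signature algorithm : $sigAlg"
# 'Subject Type=CA' in the certificate details corresponds to this basic-constraints flag.
"Is CA certificate   : $(if ($bcExt) { $bcExt.CertificateAuthority } else { 'no basic constraints' })"
# Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1, is the 'server' usage the answer refers to.
"Server Auth EKU     : $(if ($ekuExt) { $ekuExt.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1' } else { 'no EKU extension (any purpose)' })"

if ($sigAlg -match 'md5|sha1') {
    Write-Warning "Weak signature ($sigAlg): the agent will reject it; re-issue with SHA-256."
}

# 2. Trust it the way the answer describes: Trusted Root CAs of the local machine, on every DMA node.
Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Reproduce the handshake with the .NET stack on the custom port, forcing TLS 1.2.
#    SslStream validates the chain against the Windows store, as the element would.
$tcp = New-Object System.Net.Sockets.TcpClient($ApiHost, $ApiPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    # clientCertificates = $null, protocol = TLS 1.2, revocation check off (self-signed certs have no CRL)
    $ssl.AuthenticateAsClient($ApiHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    "Handshake OK        : $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
} catch {
    Write-Warning "TLS handshake failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

If step 3 succeeds from the DMA node but the element still times out, certificate trust is unlikely to be the cause and the element address (the `https://` prefix and port) or the protocol's request definition is the next thing to check; if step 3 fails, the warning text names the validation problem (untrusted root, name mismatch, or a rejected signature) more precisely than the element's timeout does.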
As this question has been inactive for a long time, we will now close it. If you want further assistance, feel free to post a new question about this topic.