Desigo™ CC
Installing the Web Client Application Certificate
Version 2.1
A6V10380509_en_a_21
2015-06-23
Siemens Industry, Inc. Building Technologies

Copyright Notice

Notice
Document information is subject to change without notice by Siemens Industry, Inc. Companies, names, and various data used in examples are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Siemens Industry, Inc.
All software described in this document is furnished under a license agreement and may be used or copied only in accordance with license terms.
For further information, contact your nearest Siemens Industry, Inc. representative.
© Siemens Industry, Inc. 2015

To the Reader
Your feedback is important to us. If you have comments about this manual, please submit them to: SBT_technical.editor.us.sbt@siemens.com

Credits
Desigo, Desigo CC, Cerberus DMS, APOGEE, XLS FireFinder, and Sinteso are registered trademarks of Siemens Industry, Inc. Other product or company names mentioned herein may be the trademarks of their respective owners.

Edition: 2015-06-23
Document ID: A6V10380509_en_a_21

Table of Contents

About this Document
  Document Revision History
1 Web Site and Web Client Application Certificates
  1.1 Launching the Web or Windows App Clients
2 Installing the Web Site Certificate
3 Installing the Web Application Certificate
4 Installing the Certificate in the Windows Certificate Store
  4.1 Trusted Root Certification Authorities
  4.2 Trusted Publisher

About this Document

Purpose
This manual describes the procedure for downloading a security certificate from the Desigo CC Web page, which is used to verify the signature of the Web application.

Scope
This document applies to Desigo CC Version 2.1.

Target Audience
End-Users are the primary users of the system. Depending on the specific application, end users can be a building services engineer, a security guard, a member of the fire brigade, the facility manager, and so on. They are responsible for monitoring and managing the facility and any related events. They have the appropriate training for operating the management station.

Project Engineers are responsible for planning and configuring a customer project. They provide the parameterization of products, devices, and systems and are responsible for general system troubleshooting. They have the training appropriate to their function and to the products, devices, and systems to be configured. They are familiar with the applied operating system(s) and the related network environment.

Field Engineers provide the basic installation of devices and systems for a specific customer at the customer site. They have the training appropriate to their function and to the products, devices, and systems to be installed. They are also familiar with the applied operating system(s) and the related network environment.
Field engineers are responsible for infrastructure troubleshooting (for example, hardware, communication, network, and so on).

Liability Disclaimer
We have checked the contents of this manual for agreement with the hardware and software described. Since deviations cannot be precluded entirely, we cannot guarantee full agreement. However, the data in this manual are reviewed regularly and any necessary corrections are included in subsequent editions. Suggestions for improvement are welcome.

Product Security Disclaimer
Siemens products and solutions provide IT-specific security functions to ensure the secure operation of building comfort, fire safety, security management and physical security systems. The security functions on these products and solutions are important components of a comprehensive security concept.
However, it is necessary to implement and maintain a comprehensive, state-of-the-art security concept that is customized to individual security needs. Such a security concept may result in additional site-specific preventive action to ensure that the building comfort, fire safety, security management or physical security systems for your site are operated in a secure manner. These measures may include, but are not limited to, separating networks, physically protecting system components, user awareness programs, in-depth security, and so on.
For additional information on building technology security and our offerings, contact your Siemens sales or project department. We strongly recommend signing up for our security advisories, which provide information on the latest security threats, patches and other mitigation measures.
http://www.siemens.com/innovation/en/technology-focus/siemens-cert/cert-securityadvisories.htm

Document Conventions
The following table lists conventions to help you use this document in a quick and efficient manner.

Convention | Examples
Numbered Lists (1, 2, 3…) indicate a procedure with sequential steps. | 1. Turn OFF power to the field panel. 2. Turn ON power to the field panel. 3. Open the panel.
One-step procedures are indicated by a bullet point. | Expand the Event List.
Conditions that you must complete or must be met before beginning a procedure are designated with a ⊳. Intermediate results (what will happen following the execution of a procedure step) are designated with an indented ⇨. Results, after completing a procedure, are designated with a ⇨. | ⊳ The report you want to print is open. 1. Click Print. ⇨ The Print dialog box displays. 2. Select the printer and click Print. ⇨ The print confirmation displays.
Bold font indicates something you should type or select, or when a dialog box or window is specified. | Type F for field panels. Click OK to save changes and close the dialog box. The Create a New Project dialog box displays.
Menu paths in procedures are indicated in bold. | Select File > Text, Copy > Group, which means from the File menu, select Text, Copy and then Group.
File paths containing placeholders display the placeholders in italics enclosed in square brackets. | [installation drive:]\[installation folder]\[project]\...
Error and system messages are displayed in Courier New font. | The message Report Definition successfully renamed displays in the status bar.
Italics are used to emphasize new or important terms. | The reaction processor continuously executes a user-defined set of instructions called the control program.
This symbol signifies a Note. Notes provide additional information or helpful hints. |
Cross references to other information in printed material are indicated with an arrow and the page number, enclosed in brackets: [→ 92] | For more information on creating flowcharts, see Flowcharts [→ 92].

Getting Help
For more information about the Desigo CC products, contact your local sales representative.

Safety Messages According to ANSI Z535.6
The following examples show the ANSI standard safety messages used in this document to draw the reader's attention to important information. ANSI distinguishes between personal injury safety messages and property damage warning messages. The personal injury safety messages have safety alert symbols and the following alert level labels: DANGER!, WARNING!, CAUTION! The label for property damage messages is: NOTICE.

Examples:

NOTICE
Property Damage Warning Message
Equipment damage or loss of data may occur if you do not follow a procedure or instruction as specified.

CAUTION
Caution Safety Message
Minor or moderate injury may occur if you do not follow a procedure or instruction as specified.

WARNING
Warning Safety Message
Personal injury or property damage may occur if you do not follow a procedure as specified.

DANGER
Danger Safety Message
Electric shock, death, or severe property damage may occur if you do not perform a procedure as specified.

Document Revision History

Document Identification
The document ID is structured as follows:
ID_Language(COUNTRY)_ModificationIndex_ProductVersionIndex
Example: A6Vnnnnnnnn_en_a_02

Document Revision History

Modification Index | Edition Date | Brief Description
a | 2015-06-23 | Market Release Edition

1 Web Site and Web Client Application Certificates

Installing a Web Client Application Certificate is a one-time procedure that is required before you start a Desigo CC Web Client or Windows App Client for the first time. This procedure downloads a security certificate from the Desigo CC Web page, which allows the browser to verify the signature when downloading the application.

Definitions
Web Client application certificate or Web application certificate: A certificate for signing a Web application on the Server and for verifying the signature on the client.
Web site certificate: A certificate used by the Web site to prove its identity and to secure the communication between the Web Server (IIS) and the Web Client.

If the Web site certificates are not already installed on the computer where you are about to launch the Web Client, then on accessing the HTTPs URL for a Web site/Web application, the Certificate Error: Navigation Blocked page displays. The Web site certificate needs to be valid on the client. Depending on the type of certificate used for the web site, proceed as follows:
– In case of a self-signed certificate [➙ Section 2], you need to install the web site certificate in the Trusted Root Certification Authorities and Trusted Publisher store of the Windows Certificate store.
– In case of an SMC-created or commercial host certificate, typically its root certificate is missing on the client and you need to install it in the Trusted Root Certification Authorities store. Moreover, you need to install the host certificate (that was used for signing the Web application) in the Trusted Publisher store of the Windows Certificate store.

NOTICE
Self-signed certificates are supported to allow local deployments without the overhead of obtaining commercial certificates.
When using self-signed certificates, the owner of the Desigo CC system is responsible for maintaining their validity status, and for manually adding them to and removing them from the list of trusted certificates.
Self-signed certificates must only be used in accordance with local IT regulations (several CIO organizations do not allow them, and network scans will identify them).
Importing of commercial certificates follows the same procedures.

1.1 Launching the Web or Windows App Clients

Launching Web/Windows App Clients Using Web Application HTTPs URL

1. Browse the HTTPs URL for the Web application in Internet Explorer 11 (IE 11). For more information, see section Browsing a Web Site/Application in the System Management Console Manual (A6V10381671).
   NOTE: If you accessed the Web page using the Web site URL instead of using the URL of the Web application directly, then you must click one of the Web application links available on the Web page to launch the Web/Windows App Clients.
   ⇨ The Desigo CC Web page displays to launch Web/Windows App Clients.
   OR
   ⇨ The Certificate Error: Navigation Blocked page displays. This error occurs with self-signed certificates and SMC-created host certificates if they are not already available in the respective Windows Certificate stores. Usually this error is not observed with commercial certificates.
2. If the Certificate Error: Navigation Blocked page displays, do the following:
   – Install the Web site certificate [➙ Section 2].
   – Refresh the Web application HTTPs URL in the IE 11 browser or re-launch the Web application.
   ⇨ The Desigo CC Web page with thumbnails for Web and Windows App Clients displays.
3. Install the Web Application Certificate [➙ Section 3] for verifying the signature when downloading the application in the appropriate Windows certificate store [➙ Section 4].

NOTE 1: Run the Web/Windows App Clients with Windows Internet Explorer 11. Microsoft recommends upgrading and staying up-to-date on the latest Internet Explorer browser version. Beginning January 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates.

NOTE 2: In case host certificates created with SMC are used for the Web site / Web application, it is recommended to add the Web site/Web application URL to the Trusted sites zone from Tools > Internet Options > Security to avoid failing certificate revocation checks.

Technical Tips
– If you change the Web application certificate using SMC, then you must reinstall the updated certificate on the clients.
– If you are unable to access the Web/Windows App Client, see section Troubleshooting in SMC in the System Management Console Manual (A6V10381671).
– If host certificates created with SMC are used for signing the web application and the internet browser is configured to check the publisher's certificate revocation, you might get the Security Warning message even after installing the certificate. In this case you can either add the web site to the Trusted Sites zone to resolve the issue or ignore the warning and click Run (for Web Client) or Install (for Windows App Client).
– For more information on how to launch the Web or Windows App Client, see Getting Started (A6V10380492).

2 Installing the Web Site Certificate

⊳ You have created a Web site/Web application using SMC and the URLs (HTTP/HTTPs) are available. For more information, see the System Management Console Manual (A6V10381671).
⊳ You have not installed the certificate used in the Web site.

1. Browse the Web site/Web application HTTPs URL in the Windows Internet Explorer 11 browser.
   ⇨ The Certificate Error: Navigation Blocked page displays because the certificate is untrusted.
2. Click Continue to this website (not recommended).
   ⇨ In the Desigo CC Web page address bar, a security report, Certificate Error, displays.
3. Click Certificate Error to open a menu that contains a hyperlink to View certificates.
4. Click View Certificates.
   ⇨ The Certificate dialog box displays.
5. In the Certificate dialog box, click Install Certificate.
   NOTE: If you have used a host/self-signed certificate during Web site creation, then on clicking Install Certificate, the same Web site host certificate displays and you proceed with installing it in the Trusted Root Certification Authorities (TRCA) store. However, for a host certificate to work with Web/Windows App Clients, the root of the host certificate used during Web site creation must be in the TRCA store. Ensure that it is imported into TRCA.
6. Depending on the type of certificate used, proceed with importing the certificate as follows:
   – If the certificate you used while creating a Web site is a self-signed certificate, then you need to install it in the Trusted Root Certification Authorities [➙ Section 4.1] store.
   – If the certificate you used while creating a Web site is a host certificate, then you need to install the root certificate of the host in the Trusted Root Certification Authorities [➙ Section 4.1] store.

If the Certificate Error: Navigation Blocked page displays even after installing the Web site certificate, then check whether the Subject Alternative Name (SAN) property of the selected certificate contains the host name provided at the creation of the Web site. For example, if the Web site Host name field contains the full computer name, ABCXY022PC.dom01.company.net, then the certificate provided in the Certificate issued to field must contain the full computer name ABCXY022PC.dom01.company.net as one of the names in its SAN.

3 Installing the Web Application Certificate

⊳ You have created a Web application using SMC and the HTTP/HTTPs URLs display. For more information, see the System Management Console Manual (A6V10381671).
⊳ The Desigo CC Web page is open in the Windows Internet Explorer browser, and the Desigo CC tab contents are displayed.

1. Do one of the following:
   – In the Desigo CC Web page, click the Click Here link on the Desigo CC page for a Web application.
   – In the Desigo CC Web page, click the Support tab; then select the Web Client Application Certificate link.
2. In the File download – Security Warning dialog box, click Open.
3. In the Certificate dialog box, click Install Certificate.
4. Depending on the type of certificate used, proceed with importing the certificate as follows:
   – If the certificate you used while creating a Web application is a self-signed certificate, then you need to install it in the Trusted Root Certification Authorities [➙ Section 4.1] and Trusted Publisher [➙ Section 4.2] Windows certificate store.
   – If the certificate you used while creating a Web application is a host certificate, then you need to install it in the Trusted Publisher [➙ Section 4.2] Windows Certificate store. You also need to install the root certificate of the host in the Trusted Root Certification Authorities [➙ Section 4.1] store.
   NOTE: If host certificates created with SMC are used for signing the web application and the Internet browser is configured to check the publisher's certificate revocation, you might get the Security Warning message even after installing the certificate. In this case you can either add the web site to the Trusted Sites zone to resolve the issue or ignore the warning and click Run (for Web Client) or Install (for Windows App Client).

4 Installing the Certificate in the Windows Certificate Store

On the machine where you are launching the Web/Windows App Client, you must install the certificates, the default self-signed or commercial (host and its root), in the appropriate store location in the Windows Certificate store as described in the following table.

Certificate Used for | Certificate Type | Install in the Windows Certificate Store | Remarks
Web site | Self-signed | Trusted Root Certification Authorities | You must import the self-signed certificate in the Trusted Root Certification Authorities Windows Certificate store.
Web site | Host | | The host certificate is installed in TRCA. However, to work with Web/Windows App Clients you must ensure the following: If the host certificate was created with SMC, you must import the root certificate of the host certificate in the Trusted Root Certification Authorities Windows Certificate store. If the certificate is a commercial certificate, then the Root Certification Authority and the Intermediate Certification Authority certificates are most often already available in the corresponding Windows Certificate stores.
Web Application | Self-signed | Trusted Root Certification Authorities and Trusted Publisher |
Web Application | Host | Trusted Publisher | You must add the root certificate of the host certificate in the Trusted Root Certification Authorities Windows Certificate Store.

If host certificates created with SMC are used for signing the web application and the Internet browser is configured to check the publisher's certificate revocation, you might get the Security Warning message even after installing the certificate. In this case you can either add the Web site to the Trusted Sites zone to resolve the issue or ignore the warning and click Run (for Web Client) or Install (for Windows App Client).

4.1 Trusted Root Certification Authorities

⊳ You want to install the certificates in the Trusted Root Certification Authorities Windows Certificate store using the Certificate dialog box.

1. In the Certificate dialog box, click Install Certificate.
   ⇨ The Certificate Import Wizard dialog box displays.
2. In the Certificate Import Wizard, click Next.
3. Now, select the Place all certificates in the following store option, and browse to and select Trusted Root Certification Authorities certificate store.
   NOTE: On the Windows 8.1 operating system, while installing the certificates you must select the Windows store, for example User Store, from where you want to import the certificate.
4. Click Next.
5. Click Finish.
6. When the Security Warning message displays, click Yes to install the certificate.
7. Click OK to acknowledge the successful import.

In the Desigo CC Web page, select the Desigo CC tab; then click the Web Client thumbnail to start the application in the Web browser.

4.2 Trusted Publisher

⊳ You want to install the certificates in the Trusted Publisher Windows Certificate store using the Certificate dialog box.

1. In the Certificate dialog box, click Install Certificate.
   ⇨ The Certificate Import Wizard dialog box displays.
2. In the Certificate Import Wizard, click Next.
3. Now, select the Place all certificates in the following store option, and browse to and select Trusted Publisher Certificate store.
   NOTE: On the Windows 8.1 operating system, while installing the certificates, you must select the Windows store, for example User Store, from where you want to import the certificate.
4. Click Next.
5. Click Finish.
6. Click OK to close the Certificate dialog box after the successful import.

In the Desigo CC Web page, select the Desigo CC tab; then click the Web Client thumbnail to start the application in the Web browser.

Issued by
Siemens Industry, Inc.
Building Technologies Division
1000 Deerfield Pkwy
Buffalo Grove IL 60089
Tel. +1 847-215-1000

Document ID: A6V10380509_en_a_21
Edition: 2015-06-23
© Siemens Industry, Inc., 2015
Technical specifications and availability subject to change without notice.
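
The store assignments from section 4 and the SAN check from section 2, scripted in PowerShell as an added example that is not part of the Siemens manual. The role names, the exported .cer file and the expected SHA-256 fingerprint (obtained from the system owner through a separate channel) are assumptions made for this example.

```powershell
# Added example, not from the Siemens manual. Role names, the .cer path and the
# fingerprint source are assumptions; store names follow the table in section 4.
param(
    [Parameter(Mandatory)] [string] $CertPath,        # certificate exported to a .cer file
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # fingerprint supplied by the system owner
    [Parameter(Mandatory)]
    [ValidateSet('SelfSignedWebSite', 'SelfSignedWebApp', 'HostRoot', 'HostWebApp')]
    [string] $Role,
    [string] $HostName                                # e.g. ABCXY022PC.dom01.company.net
)

# Which Windows certificate stores each kind of certificate belongs in.
$storesByRole = @{
    SelfSignedWebSite = @('Root')                     # Trusted Root Certification Authorities
    SelfSignedWebApp  = @('Root', 'TrustedPublisher')
    HostRoot          = @('Root')                     # root of an SMC-created or commercial host cert
    HostWebApp        = @('TrustedPublisher')         # host cert that signed the Web application
}
$stores = $storesByRole[$Role]

$fullPath = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# 1. Confirm this is the certificate the system owner issued before trusting it.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = $ExpectedSha256 -replace '[\s:]', ''
if ($actual -ne $expected) {
    throw "Fingerprint mismatch (got $actual). Certificate not installed."
}

# 2. Reject certificates outside their validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. A certificate that is not self-issued still needs its root in the TRCA store.
if ($stores -contains 'Root' -and $cert.Subject -ne $cert.Issuer) {
    Write-Warning "Not self-issued: the root certificate of '$($cert.Issuer)' must also be in Trusted Root Certification Authorities."
}

# 4. SAN check from section 2: the Web site host name must be one of the SAN entries.
if ($HostName) {
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        # Format() yields "DNS Name=host1, DNS Name=host2"; keep the part after '='.
        $sanNames = $sanExt.Format($false) -split ',\s*' |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    if ($sanNames -notcontains $HostName) {
        throw "SAN does not contain '$HostName' (found: $($sanNames -join ', '))."
    }
}

# 5. Import into each required store of the current user and confirm it is there.
foreach ($store in $stores) {
    $location = "Cert:\CurrentUser\$store"
    Import-Certificate -FilePath $fullPath -CertStoreLocation $location -ErrorAction Stop | Out-Null
    if (-not (Test-Path "$location\$($cert.Thumbprint)")) {
        throw "Certificate $($cert.Thumbprint) not found in $location after import."
    }
    Write-Output "Installed $($cert.Subject) in $location"
}
```

Importing into the current user's Trusted Root Certification Authorities store still raises the Security Warning confirmation described in section 4.1, step 6.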