Managing certificates

By default, Power Operation is installed so that web services and web applications are set up to use the Transport Layer Security (TLS) 1.3 encryption protocol with self-signed certificates.

Configuring browser encryption

  1. Navigate to Administrative Tools and open Internet Information Services (IIS).
  2. In the left Connections pane, select [Machine Name] > Sites > Default Web Site.
  3. In the right Actions pane, click Bindings.
  4. In the Site Bindings window, select https and click Edit.
  5. In the Edit Site Binding window, in the SSL certificate drop-down, select [Machine Name] Grpc Certificate.
  6. Click OK to close the Edit Site Binding window, then click Close to close the Site Bindings window.
  7. Restart IIS.

To apply a third-party certificate, see Configuring third-party certificates.

Configuring without encryption (not recommended)

Set up the browser configuration to work in Google Chrome.

  1. Type chrome://flags in the URL area of Google Chrome.
  2. Search for Insecure origins treated as secure and enter the IP address.

    NOTE: Use the Power Operation web server IP address.

  3. Set Insecure origins treated as secure to Enabled.

    NOTE: You will not receive the pop-up message if Enabled is not selected for this setting.

Replicating self-signed certificates from one server to the other in a redundant system

In a redundant system, you must replicate certificates from one server to the other.

To use the installed, self-signed certificates in a redundant system:

  1. Open the Application Configuration Utility and navigate to the Certificate Management > Redundancy Management tab. Do the following:
    1. On the Redundancy Management page, follow the instructions to export certificates from the primary machine to a secondary system.
    2. On the Redundancy Management page, follow the instructions to import the certificate to the secondary system.
    3. Use the Information tab to compare the Root Certificate Thumbprint and the Certificate Thumbprint. The values must be identical.
  2. Using Task Manager, cycle CoreServiceHost:
    • Right-click, select Stop, then right-click and select Start. Do not use Restart.
  3. Open Windows Command Prompt and type iisreset, and then press Enter to restart Internet Information Services (IIS).
  4. Navigate to ..\Program Files (x86)\Schneider Electric\Power Operation\v [version #]\Applications\Services\Platform Server\Logs.
  5. Open the Platform Server logs and verify that the connection is being made to both Platform Servers. A successful connection is displayed in the following example:
"[2022-04-04 10:35:23.570 AM [Information] Connected to web service at SECONDARY:23200
[2022-04-04 10:35:23.571 AM [Information] Connected to web service at PRIMARY:23200"

To configure third-party certificates for use with Power Operation, see Configuring third-party certificates.

Troubleshooting

If the Platform Server log shows the error message "Unable to connect to the web service PRIMARY:23200", you may need to add environment variables to ignore proxy settings.

To add environment variables:

  1. Open System Properties, and navigate to Advanced > Environment Variables.
  2. In the Environment Variables dialog, in the System variables section, create a NO_PROXY variable.
  3. Click OK.
  4. Restart the services again and check the logs, as described in steps 4 and 5 of the previous procedure.
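
The log check in step 5 of the replication procedure, and the recheck after setting NO_PROXY, can be scripted. The following PowerShell is an added example, not part of the product or the original documentation: the function name Get-PlatformServerLinkState and the $LogDir variable are hypothetical, the two message texts and the PRIMARY/SECONDARY:23200 endpoints are taken from this page, and the [Error] level in the sample line is an assumption.

```powershell
# Added example, not Schneider Electric code. Reports the most recent
# connection state per Platform Server endpoint found in the log lines.
function Get-PlatformServerLinkState {
    param(
        [string[]]$Line,
        # Endpoints that must both be connected in a redundant system.
        [string[]]$Expected = @('PRIMARY:23200', 'SECONDARY:23200')
    )
    # Message texts as quoted on this page; the host:port capture is an assumption.
    $ok  = 'Connected to web service at (?<ep>\S+?:\d+)'
    $bad = 'Unable to connect to the web service (?<ep>\S+?:\d+)'
    $state = @{}
    foreach ($l in $Line) {
        # Later lines overwrite earlier ones, so the newest entry wins.
        if     ($l -match $ok)  { $state[$Matches['ep'].ToUpper()] = 'Connected' }
        elseif ($l -match $bad) { $state[$Matches['ep'].ToUpper()] = 'Failed' }
    }
    foreach ($ep in $Expected) {
        # An endpoint with no log entry at all is reported, not silently skipped.
        $s = if ($state.ContainsKey($ep)) { $state[$ep] } else { 'NotSeen' }
        [pscustomobject]@{ Endpoint = $ep; State = $s }
    }
}

# Constructed sample lines in the format shown on this page
# (the first line's timestamp and [Error] level are made up).
$sample = @(
    '[2022-04-04 10:35:20.112 AM [Error] Unable to connect to the web service PRIMARY:23200'
    '[2022-04-04 10:35:23.570 AM [Information] Connected to web service at SECONDARY:23200'
    '[2022-04-04 10:35:23.571 AM [Information] Connected to web service at PRIMARY:23200'
)
Get-PlatformServerLinkState -Line $sample

# Against real logs: set $LogDir to the Logs folder from step 4, then run
#   $lines = Get-ChildItem $LogDir -File | Sort-Object LastWriteTime | Get-Content
#   Get-PlatformServerLinkState -Line $lines
```

Any endpoint reported as Failed or NotSeen after the services are cycled means the connection to that Platform Server has not been confirmed.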

For more information on platform and service layer ports, see Default port numbers.