Custom security settings

This page describes how to use a custom trust store, disable TLS verification, and establish an insecure local connection.

Custom trust store

To use a custom trust store for certificate validation, set the system property javax.net.ssl.trustStore, as shown in this example:

import com.phoenixcontact.arp.plc.domain.services.IPlcManagerService2;
import com.phoenixcontact.arp.plc.domain.services.PlcStates;
import com.phoenixcontact.arp.system.rsc.ConnectionInfo;
import com.phoenixcontact.arp.system.rsc.SecurityInfo;
import com.phoenixcontact.arp.system.rsc.ServiceManager;
import java.util.Arrays;

public class Example {
  public static void main(String[] args) throws Exception {
    String hostname = "192.168.1.10";
    int port = 41100;
    int connectTimeout = 10000;
    int readTimeout = 10000;
    ConnectionInfo connectionInfo = new ConnectionInfo(hostname, port, connectTimeout, readTimeout);
    String username = "admin";
    char[] password = new char[] { '1', '2', '3', '4' };
    SecurityInfo securityInfo = new SecurityInfo(username, password);
    try (ServiceManager serviceManager = new ServiceManager()) {
      boolean useSystemTrustStore = true;
      // if the trustStore is null the default java trust store will be used.
      System.setProperty("javax.net.ssl.trustStore", "path to your trust store");
      System.setProperty("javax.net.ssl.trustStorePassword", "password of your trust store");
      serviceManager.connect(connectionInfo, securityInfo, null, useSystemTrustStore);
      IPlcManagerService2 service = serviceManager.getService(IPlcManagerService2.class);
      PlcStates state = service.getPlcState();
      System.out.println(state.getFlags());
    } finally {
      Arrays.fill(password, '\0');
    }
  }
}

Disable TLS verification

During development you may sometimes want to disable TLS verification. With verification disabled, the server certificate is not validated. To do so, call
serviceManager.connect(connectionInfo, securityInfo, false);
instead of
serviceManager.connect(connectionInfo, securityInfo);

Local connection without TLS

Warning: The following action results in an insecure local communication channel. Root privileges on the device are needed. We neither recommend nor support this.

To establish a connection without TLS, use the constructor
new ConnectionInfo(hostname, port, connectTimeout, receiveTimeout, false);

In addition, edit the /etc/plcnext/device/System/RscGateway/RscGateway.settings file on the target to allow insecure connections. Add a second TcpGatewaySettings entry as in the following example. We recommend a port near the original port 41100.

...
<TcpGatewaySettings gatewayId="2" tcpPort="41110" sessionTimeout="300000" encrypted="false" ipAddress="127.0.0.1" />
...
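
A check that can be run over RscGateway.settings after such a change, as an added example that is not part of the original documentation: it lists every TcpGatewaySettings entry with encrypted="false" whose ipAddress is not a loopback address. The sample XML is constructed; its wrapper element and the gatewayId 0 and 3 entries are assumptions, and an entry is treated as unencrypted only when encrypted="false" is written explicitly.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not a real device file: the <Gateways> wrapper and the
# gatewayId="0" and gatewayId="3" entries are assumptions for illustration.
SAMPLE_SETTINGS = """\
<Gateways>
  <TcpGatewaySettings gatewayId="0" tcpPort="41100" sessionTimeout="300000" encrypted="true" />
  <TcpGatewaySettings gatewayId="2" tcpPort="41110" sessionTimeout="300000" encrypted="false" ipAddress="127.0.0.1" />
  <TcpGatewaySettings gatewayId="3" tcpPort="41120" sessionTimeout="300000" encrypted="false" ipAddress="0.0.0.0" />
</Gateways>
"""


def local_name(tag):
    """Strip an optional XML namespace so '{ns}Name' and 'Name' compare equal."""
    return tag.rsplit("}", 1)[-1]


def is_loopback(address):
    """True only for a literal loopback IP; missing or unparsable values fail closed."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_gateways(xml_text):
    """Return (gatewayId, tcpPort, reason) for each unencrypted gateway not bound to loopback."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "TcpGatewaySettings":
            continue
        # Assumption: only an explicit encrypted="false" marks a plaintext gateway.
        if elem.get("encrypted", "").strip().lower() != "false":
            continue
        address = elem.get("ipAddress", "").strip()
        if not is_loopback(address):
            reason = f"unencrypted gateway bound to {address or 'unspecified address'}"
            findings.append((elem.get("gatewayId"), elem.get("tcpPort"), reason))
    return findings


if __name__ == "__main__":
    for gateway_id, port, reason in audit_gateways(SAMPLE_SETTINGS):
        print(f"gatewayId={gateway_id} tcpPort={port}: {reason}")
```

An empty result means every unencrypted gateway in the file is restricted to the loopback interface, as in the 127.0.0.1 entry above.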