Chapter 9. Security

Table of Contents

9.1. SSL and Firewalls
9.2. User Authentication
9.3. Authorization and User Permissions
9.4. How To Configure a Common Scenario
9.5. Passwords

The Cascade DataHub provides a means for full access control to all DDE, TCP, OPC, and tunnel/mirror connections, using authentication and authorization. Authentication limits access to recognized users, based on a username/password combination. Authorization provides a set of permissions for each user, allowing access to certain functions while denying access to others.

The DataHub also provides full SSL (Secure Sockets Layer) encryption for TCP/IP tunnelling and mirroring connections.

9.1. SSL and Firewalls

The Cascade DataHub provides the option to use SSL encryption to protect your data when tunnelling/mirroring to another DataHub across a network connection. The SSL implementation uses the default SSL-3 encryption cipher: DHE-RSA-AES256-SHA, which is a 256-bit encryption method. The Tunnel/Mirror section of this manual explains how to configure SSL for tunnelling and mirroring.

SSL Certificates

An SSL certificate is required to use SSL encryption between DataHubs. The DataHub installs a default SSL Certificate for you, but you can use your own certificate if you prefer.

Because the DataHub is often used under circumstances where it is not possible or desirable to connect to the Internet, it does not check the issuing authority for a security certificate against the IP address or DNS name of the target computer, nor does it check the expiry date of the certificate. In most control applications it is not acceptable for the DataHub to refuse access to a critical process due to a simple mismatch in machine name declaration or the expiry of a time-limited certificate. Thus, any well-formed certificate will be accepted. Most importantly, the data encryption will be performed regardless of the validity of the certificate. Because the certificate is not validated, SSL here encrypts the connection but does not by itself confirm the identity of the remote DataHub.
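Since any well-formed certificate is accepted, a separate check can confirm that each tunnel listener still presents the certificate you installed. The following is an added example, not code from the DataHub or this manual; it assumes the tunnel port begins with an SSL/TLS handshake that the local OpenSSL build will negotiate, and the `audit` and `fetch_peer_der` names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_from_pem(pem: str) -> str:
    """Pin for a certificate exported as PEM, e.g. the one you installed."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def fetch_peer_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the certificate a listener presents, without validating it.

    Validation is off on purpose: the goal is to read whatever is presented
    and compare it with the pin. Assumption: the port starts an SSL/TLS
    handshake that the local OpenSSL build is willing to negotiate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return tls.getpeercert(binary_form=True)


def audit(pins: dict, fetch=fetch_peer_der) -> list:
    """Compare each listener's presented certificate with its pinned value.

    pins maps (host, port) to the expected SHA-256 hex (colons and upper
    case allowed). Returns (host, port, status, detail) tuples where status
    is "OK", "MISMATCH" or "ERROR".
    """
    results = []
    for (host, port), pin in sorted(pins.items()):
        try:
            seen = fingerprint(fetch(host, port))
            expected = pin.replace(":", "").lower()
            ok = hmac.compare_digest(seen, expected)
            results.append((host, port, "OK" if ok else "MISMATCH", seen))
        except (OSError, ValueError, TypeError) as exc:
            # Unreachable port, failed handshake, or no certificate presented.
            results.append((host, port, "ERROR", str(exc)))
    return results
```

A MISMATCH means the listener is presenting a certificate other than the pinned one, a condition the DataHub itself would not flag.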

Firewall Ports

The DataHub lets you specify which ports it will use for tunnelling/mirroring over a network. A port opened on the firewall for this purpose can still be secured, because any program that attempts to connect on that port must be able to communicate with the DataHub that is listening on it. As long as authentication is used for tunnelling, even a user who attempts to connect using another DataHub program will need a valid username and password.