Overview of the Certificate-based Security

Historian uses the Mutual Transport Layer Security (MTLS) protocol together with certificate-based security to strengthen authentication and build trusted connections among the core Historian services and the collectors.
Note: MTLS Security and MTLS Data Encryption are not applicable to the File collector.

The core Historian services include:

  • Data Archiver
  • Client Manager
  • Configuration Manager
  • Diagnostic Manager

When you install Historian, the installer provides the Enable Certificate-based Security check box, which enables Certificate-based Security and generates a password-protected root certificate for the server and the core services. If you select this option, the installer generates the root certificates, the machine-specific certificates, and the core services certificates in the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder, and adds the root certificate to the Trusted Root Certification Authorities store on the machine.

Warning: If you do not select the Enable Certificate-based Security check box during installation, you must generate the root certificates manually, as described in the Manually Install Certificates for Historian section. However, this is not recommended.
Certificate Applicability

  • ica_key.cer and ica_key.pfx: Root certificates.
  • ClientManager.cer and ClientManager.pfx, ConfigManager.cer and ConfigManager.pfx, DataArchiver.cer and DataArchiver.pfx, DiagnosticManager.cer and DiagnosticManager.pfx: Historian Core Services specific certificates.
  • <Machine name>.cer and <Machine name>.pfx: Machine-specific certificates.

If you want to connect a distributed/mirror node to a Historian primary mirror server, or to connect collectors to a remote Historian server, the server's root certificates (ica_key.cer and ica_key.pfx) must be present on the client machine for the handshake to succeed. Copy the root certificates from the server machine to each machine where the mirror nodes or collectors are installed. For more information, see the table below.

After installation, based on the install type, you must perform the following configuration:

Installation type: Historian Single Server
Description: This is for a stand-alone Historian system, which contains only one Historian server. This type of system is suitable for a small-scale Historian setup.
Configurations:

  • Collectors and server are installed on the same machine:

    You do not have to perform any additional configurations.

    To use MTLS for collectors, you must enable MTLS security for each collector instance as needed. For more information, refer to Enable MTLS Security for Collectors.

  • Collectors and server are installed on different machines (collectors connecting to a remote Historian server):

    1. On the server machine, from the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder, copy the root certificate files ica_key.cer and ica_key.pfx, and place them in the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder on the collector machine. For more information, refer to Copy server root certificate to the client machine.
    2. On the collector machine, add the copied certificates to the Trusted Root Certification Authorities folder. For more information, refer to Adding a Certificate to the Trusted Root Certification Authorities Folder.
    3. Generate the MTLS certificate (client certificate) on the collector machine. For more information, refer to Generate MTLS certificate.
    4. To use MTLS for collectors, you must enable MTLS security for each collector instance as needed. For more information, refer to Enable MTLS Security for Collectors.

Installation type: Historian Mirror Primary Server
Description: This is for a horizontally scalable Historian system, which contains multiple Historian servers, all of which are connected to one another. This will be the primary server for the distributed/mirror node(s).
Configurations:

  • Collectors and Historian primary mirror server are installed on the same machine:

    You do not have to perform any additional configurations.

    To use MTLS for collectors, you must enable MTLS security for each collector instance as needed. For more information, refer to Enable MTLS Security for Collectors.

  • Collectors and Historian primary mirror server are installed on different machines (collectors connecting to a remote Historian primary mirror server):

    1. On the mirror server machine, from the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder, copy the root certificate files ica_key.cer and ica_key.pfx, and place them in the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder on the collector machine. For more information, refer to Copy server root certificate to the client machine.
    2. On the collector machine, add the copied certificates to the Trusted Root Certification Authorities folder. For more information, refer to Adding a Certificate to the Trusted Root Certification Authorities Folder.
    3. Generate the MTLS certificate (client certificate) on the collector machine. For more information, refer to Generate MTLS certificate.
    4. To use MTLS for collectors, you must enable MTLS security for each collector instance as needed. For more information, refer to Enable MTLS Security for Collectors.

Installation type: Historian Distributed/Mirror Node
Description: This is for a horizontally scalable Historian system. Installing this server allows you to add this node to a primary server.
Configurations:

  • Configuration on the distributed/mirror node machine(s):

    1. On the Historian mirror primary server machine, from the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder, copy the root certificate files ica_key.cer and ica_key.pfx, and place them in the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder on the distributed/mirror node machine(s). For more information, refer to Copy server root certificate to the client machine.
    2. On the distributed/mirror node machine(s), add the copied certificates to the Trusted Root Certification Authorities folder. For more information, refer to Adding a Certificate to the Trusted Root Certification Authorities Folder.
    3. Generate the MTLS certificate (client certificate) on the distributed/mirror node machine(s). For more information, refer to Generate MTLS certificate.

  • Collectors and distributed/mirror node are installed on the same machine:

    You do not have to perform any additional configurations.

    To use MTLS for collectors, you must enable MTLS security for each collector instance as needed. For more information, refer to Enable MTLS Security for Collectors.

  • Collectors and distributed/mirror node are installed on different machines (collectors connecting to a remote distributed/mirror node):

    1. On the Historian mirror primary server machine, from the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder, copy the root certificate files ica_key.cer and ica_key.pfx, and place them in the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder on the distributed/mirror node machine(s). For more information, refer to Copy server root certificate to the client machine.
    2. On the distributed/mirror node machine(s), add the copied certificates to the Trusted Root Certification Authorities folder. For more information, refer to Adding a Certificate to the Trusted Root Certification Authorities Folder.
    3. On the Historian distributed/mirror node machine, from the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder, copy the root certificate files ica_key.cer and ica_key.pfx, and place them in the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder on the collector machine. For more information, refer to Copy server root certificate to the client machine.
    4. On the collector machine, add the copied certificates to the Trusted Root Certification Authorities folder. For more information, refer to Adding a Certificate to the Trusted Root Certification Authorities Folder.
    5. Generate the MTLS certificate (client certificate) on the collector machine. For more information, refer to Generate MTLS certificate.
    6. To use MTLS for collectors, you must enable MTLS security for each collector instance as needed. For more information, refer to Enable MTLS Security for Collectors.
Note: If you are using a cluster node setup, you can follow the configurations similar to the Historian Single Server installation type on all the nodes.
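The steps above that copy ica_key.cer to a client machine and add it to the Trusted Root Certification Authorities store are easy to get half-right (file copied but never imported, or imported into the current user's store instead of the machine store), after which the handshake fails. The PowerShell script below is an added example for checking that work on a collector or distributed/mirror node machine; it is not part of the Historian documentation or product. It assumes that <Install directory> is C:\ and that the client certificate generated by the Generate MTLS certificate procedure is named after the machine (<Machine name>.cer); both are assumptions, so adjust the two variables at the top if your installation differs.

```powershell
# Added example, not part of the Historian documentation.
# Run in an elevated PowerShell session on the client (collector or mirror node) machine.
#Requires -RunAsAdministrator

# Assumption: <Install directory> is C:\ (adjust if Historian is installed elsewhere).
$MtlsFolder = 'C:\Program Files\Proficy\Proficy Historian\MTLS'
# Assumption: the client certificate generated on this machine is named <Machine name>.cer.
$ClientCer  = Join-Path $MtlsFolder "$env:COMPUTERNAME.cer"
# Root certificate file named in the documentation.
$RootCer    = Join-Path $MtlsFolder 'ica_key.cer'

function Get-MissingMtlsFiles {
    param([string]$Folder, [string[]]$Names)
    # Returns the file names that are not present in the MTLS folder, so a missed copy step is visible
    # before MTLS security is enabled for the collector instance.
    $Names | Where-Object { -not (Test-Path -LiteralPath (Join-Path $Folder $_)) }
}

function Install-HistorianRootCertificate {
    param([string]$CerPath)
    # Only the public .cer is needed for trust; it is imported into the machine-wide Root store,
    # which is the store the documentation calls Trusted Root Certification Authorities.
    $root  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
    $store = 'Cert:\LocalMachine\Root'
    $already = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if ($already) {
        Write-Host "Root already trusted: $($root.Subject) [$($root.Thumbprint)]"
    } else {
        Import-Certificate -FilePath $CerPath -CertStoreLocation $store | Out-Null
        Write-Host "Imported root into LocalMachine\Root: $($root.Subject) [$($root.Thumbprint)]"
    }
    return $root.Thumbprint
}

function Test-ChainsToRoot {
    param([string]$LeafPath, [string]$RootThumbprint)
    # Builds the certificate chain for the client certificate and confirms that it terminates at the
    # Historian root that was just imported. Revocation checking is disabled because a locally
    # generated root publishes no CRL; that is the only policy relaxation made here.
    $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($LeafPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($leaf)
    if (-not $built) {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning "$($status.Status): $($status.StatusInformation.Trim())"
        }
        return $false
    }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $RootThumbprint) {
        Write-Warning "Chain ends at '$($top.Subject)', not at the Historian root."
        return $false
    }
    return $true
}

# 1. Were both root files copied from the server, as step 1 of the table requires?
$missing = Get-MissingMtlsFiles -Folder $MtlsFolder -Names @('ica_key.cer', 'ica_key.pfx')
if ($missing) {
    Write-Error "Missing in ${MtlsFolder}: $($missing -join ', '). Copy them from the server's MTLS folder first."
    exit 1
}

# 2. Is the root in the machine's Trusted Root Certification Authorities store? Import it if not.
$rootThumbprint = Install-HistorianRootCertificate -CerPath $RootCer

# 3. Does the client certificate generated on this machine chain to that root?
if (Test-Path -LiteralPath $ClientCer) {
    if (Test-ChainsToRoot -LeafPath $ClientCer -RootThumbprint $rootThumbprint) {
        Write-Host "Client certificate $ClientCer chains to the Historian root. Ready to enable MTLS security for the collector instance."
    } else {
        Write-Error "Client certificate $ClientCer does not chain to the imported root; regenerate it with Generate MTLS certificate."
        exit 1
    }
} else {
    Write-Host "No client certificate found at $ClientCer; run Generate MTLS certificate on this machine, then re-run this check."
}
```

Import-Certificate and Get-ChildItem on the Cert: drive come with the built-in PKI module on Windows. The check is deliberately done against Cert:\LocalMachine\Root rather than Cert:\CurrentUser\Root, because the collector and core services run as services and only consult the machine store; a certificate imported by double-clicking the .cer file under an ordinary user account often lands in the user store and leaves the handshake failing.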