Rugged Operating System (ROS ® ) Software User ... - RuggedCom
Rugged Operating System (ROS ® ) Software User ... - RuggedCom
Rugged Operating System (ROS ® ) Software User ... - RuggedCom
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Chapter 1<br />
Introduction<br />
RUGGEDCOM <strong>ROS</strong><br />
<strong>User</strong> Guide<br />
the configuration file) and replace the current certificates and keys with temporary certificates and keys that can<br />
be destroyed upon the device's return.<br />
Section 1.1.2<br />
Key Files<br />
This section describes in detail the security keys used by <strong>ROS</strong> for the establishment of secure remote login<br />
(SSH) and web access (SSL).<br />
It is strongly recommended to create and provision your own SSL certificates and SSH keys. The default<br />
certificate and keys are only ever used when upgrading to <strong>ROS</strong> v3.12.0 or later. New <strong>ROS</strong>-based units from<br />
Siemens' will already have unique certificate and keys preconfigured in ssl.crt and ssh.keys flash files.<br />
The default and auto-generated SSL certificate are self-signed. It is recommended to use SSL certificates that<br />
are either signed by a trusted third party Certificate Authority (CA) or by an organization's own CA. This technique<br />
is described in the Siemens' application note: Creating/Uploading SSH Keys and SSL Certificates to <strong>ROS</strong> Using<br />
Windows, available from www.siemens.com/ruggedcom.<br />
The sequence of events related to Key Management during an upgrade to <strong>ROS</strong> v3.12.0 or later is as follows:<br />
NOTE<br />
The auto-generation of SSH keys is not available for Non-Controlled (NC) versions of <strong>ROS</strong>.<br />
• Upgrade Boot <strong>Software</strong> to v2.20.0 or newer (see Section 1.1.3, “Bootloader Considerations”).<br />
• On first boot, <strong>ROS</strong> >= v3.12.0 will start the SSH and SSL (secure web) services using the default keys.<br />
• Immediately after boot, <strong>ROS</strong> will start to generate a unique SSL certificate and SSH key pair, and save each<br />
one to its corresponding flash file. This process will take approximately one hour on a lightly loaded unit. As<br />
each one is created, the corresponding service is immediately restarted with the new keys.<br />
• At any time during the key generation process, one may upload custom keys, which will take precedence over<br />
both the default and auto-generated keys and will take effect immediately.<br />
• On subsequent boot, if there is a valid ssl.crt file, the default certificate will not be used for SSL. If there is a<br />
valid ssh.keys file, the default SSH key will not be used.<br />
• At any time, new keys may be uploaded or generated by <strong>ROS</strong> using the "sslkeygen" or "sshkeygen" CLI<br />
commands.<br />
Section 1.1.2.1<br />
SSL Certificates<br />
<strong>ROS</strong> supports SSL certificates that conform to the following specifications:<br />
• X.509 v3 digital certificate format<br />
• PEM format<br />
• RSA key pair, 512 to 2048 bits in length<br />
The RSA key pair used in the default certificate and in those generated by <strong>ROS</strong> uses a public key of 1024 bits in<br />
length.<br />
2 Key Files