7.6.4. Encryption and TLS

When client software connects to the recorder and transfers data over the network, this data can be sent in plain text (unencrypted) or can be encrypted using Transport Layer Security (TLS). TLS is the replacement for the now deprecated Secure Sockets Layer (SSL). TLS is still commonly referred to as SSL, and for the remainder of this guide the term SSL is used when referring to TLS.

While SSL is not required for client connections such as MediaWorks DX, it is highly recommended, because it protects access to potentially sensitive information.

Fig. 7.117 TLS/SSL Connection Example

7.6.4.1. Issuing a Certificate

An SSL or TLS certificate must be issued or signed by a Certificate Authority (CA). A CA can be self-managed by a System Administrator or a trusted public third party. A common self-managed CA is Microsoft Certificate Services. Common public third-party CAs are Sectigo (formerly Comodo CA), DigiCert, GeoTrust, Thawte, or Verisign.

If you already have a TLS certificate that’s ready to apply to the system, you can upload a password-protected PKCS #12 (PFX or P12) file directly. See Section 7.6.4.3.3 Upload PFX/P12 File. If you do not already have a certificate, you will first need to generate a PKCS #10 Certificate Signing Request (CSR). See Section 7.6.4.3.3 Upload PFX/P12 File.

After you have generated a CSR, you will need to submit the request to your CA.

Once your CA approves the request, they will issue your certificate and return either a PKCS #7 (P7B) file, or Base-64 PEM file with a .crt or .cer extension.

The P7B file is the easiest response to apply to the system. See Section 7.6.4.3.2 Upload P7B File.

Once a response has been applied, you can enable SSL for your system. See Section 7.6.4.5 Connection Settings.

If your system has a public DNS record pointing to it, you can use the Let’s Encrypt option to obtain a publicly trusted certificate. See Section 7.6.4.3.5 Obtain Certificate from Let’s Encrypt.

7.6.4.2. Generate CSR

To generate a CSR, you must enable the checkbox as shown in the example below.

Fig. 7.118 Generate New CSR

Fill in all required details. The critical piece of information in this form is the Common Name; while all fields are mandatory, your CA may not use the others.

The Common Name is the DNS name that you will use to access the recorder.

  • Example: rec1.eventide.com

After the CSR has been generated, you can view it for copy/pasting, or download it to send via email to your CA administrator.

Important

Do not reboot the system for 30 minutes after generating a new CSR. The system will be building Diffie-Hellman parameters in the background.
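The recorder builds the CSR for you, but it helps to know what the file it produces contains and how to check it before sending it to the CA. The following is an added example using OpenSSL, not Eventide's code; the working directory, the organisation fields and the 2048-bit RSA key size are constructed sample values, and only the Common Name rec1.eventide.com comes from this guide.

```shell
#!/bin/sh
# Added example (not Eventide's code): generate a PKCS #10 CSR with OpenSSL for a
# recorder reachable as rec1.eventide.com, then inspect it before submitting it.
# WORK, the key size and the C/ST/L/O/OU fields are constructed sample values.
set -eu

WORK="${TMPDIR:-/tmp}/nexlog-csr-example"
mkdir -p "$WORK"

# Generate a fresh RSA key and a CSR in one step. The CN is the DNS name clients
# will type; the SAN repeats it because browsers and public CAs match on the
# Subject Alternative Name, not on the CN alone.
generate_csr() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$host.key" \
    -out "$WORK/$host.csr" \
    -subj "/C=US/ST=State/L=City/O=Example Org/OU=IT/CN=$host" \
    -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
  # The private key never leaves this host; only the CSR goes to the CA.
  chmod 600 "$WORK/$host.key"
  echo "$WORK/$host.csr"
}

# Print the Common Name recorded in a CSR (the name the CA will certify).
csr_common_name() {
  openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Return 0 if the CSR's own signature verifies, i.e. it was not altered in transit.
csr_self_check() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Return 0 if the CSR carries a SAN entry for the expected host name.
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}
```

Run `generate_csr rec1.eventide.com` and paste or e-mail the printed .csr file to your CA administrator; `csr_common_name` and `csr_has_san` are the two checks worth repeating on whatever CSR the recorder itself hands you for download.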

7.6.4.3. Manage Certificates

This tab will allow you to manage existing certificates, apply the CA response from your CSR, or upload a new certificate directly.

Fig. 7.119 Manage Certificates

7.6.4.3.1. Copy/Paste Certificates

If the response received from your CA is in PEM format, you can use this option to apply it.

Important

When copying a PEM certificate, be sure to include the header -----BEGIN CERTIFICATE----- and the footer -----END CERTIFICATE-----. Notice that there are 5 hyphens at the beginning and end of those strings.

Open the file in a text editor, copy the contents, and paste them into the field provided.

If a CA Bundle or PEM chain was provided, you can paste it separately by enabling the Set Intermediate Certificates checkbox. If there are multiple certificates in the bundle, be sure to include them all, excluding the Root Certificate.

7.6.4.3.2. Upload P7B File

A PKCS #7 file, typically with a .p7b extension, contains a certificate and all of the intermediates in its signature chain.

After a CSR response has been received from your CA, you can upload a Base-64 P7B file directly to the system, if provided.

Upload a P7B file or copy and paste the individual certificates (previous option), not both.

7.6.4.3.3. Upload PFX/P12 File

If you already have a certificate and private key to apply to the system, you can upload a PKCS #12 file, typically with a .p12 or .pfx extension.

A common scenario where this would be the case is if you have a single wildcard certificate to apply on multiple systems. Example: *.recorders.example.com

After choosing your file, you will be prompted for the password.

The PKCS #12 file should have been created with the same password for the private key and the container.

Fig. 7.120 PFX/P12 Password Prompt

7.6.4.3.4. Create Self Signed Certificate

Self-signed certificates are usually used for testing purposes and are not recommended for production.

A self-signed certificate can be created after generating a CSR.

The system will create its own CA and sign the certificate with it, so the certificate will not be trusted by your client.

You must install that CA certificate into your client’s trusted root certificate store in order for trust to be established.

Consult your operating system’s documentation for how to install this certificate.
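Sections 7.6.4.3.1 to 7.6.4.3.4 each describe a different container for the same certificate material. The following is an added example, not Eventide's code, that builds a throw-away private CA (standing in for the recorder's own self-signed CA) and then walks the certificate through every format mentioned: counting and stripping the root from a PEM bundle, wrapping the chain as a Base-64 P7B, exporting a PKCS #12 with a single password, and showing that the leaf only verifies once the root is trusted. Every name, path and password here is a constructed sample value.

```shell
#!/bin/sh
# Added example (not Eventide's code): a throw-away private CA standing in for
# the recorder's own self-signed CA, used to show the certificate formats from
# sections 7.6.4.3.1 to 7.6.4.3.4. Every name, path and password is a
# constructed sample value.
set -eu

WORK="${TMPDIR:-/tmp}/nexlog-chain-example"
mkdir -p "$WORK"
cd "$WORK"

# Build root -> intermediate -> leaf so the CA bundle has a root to strip.
build_chain() {
  host="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Root CA: self-signed, so subject and issuer are the same name.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
    -out root.crt >/dev/null 2>&1
  # Intermediate (issuing) CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Issuing CA" >/dev/null 2>&1
  openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out int.crt >/dev/null 2>&1
  # Leaf for the recorder, with its DNS name in the SAN.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=$host" >/dev/null 2>&1
  openssl x509 -req -days 1 -in leaf.csr -CA int.crt -CAkey int.key \
    -CAcreateserial -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
  # What a CA commonly returns as a PEM bundle: leaf, intermediate(s), root.
  cat leaf.crt int.crt root.crt > bundle.pem
}

# 7.6.4.3.1: count the certificates in a PEM file, insisting that every
# five-hyphen BEGIN line has its matching END line.
count_pem_certs() {
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$begins" -eq "$ends" ] || return 1
  echo "$begins"
}

# 7.6.4.3.1: copy every certificate except the self-signed root from $1 to $2,
# which is what the Set Intermediate Certificates field should receive.
strip_root() {
  : > "$2"
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/part" n ".pem")}' "$1"
  for part in part*.pem; do
    subject=$(openssl x509 -in "$part" -noout -subject)
    issuer=$(openssl x509 -in "$part" -noout -issuer)
    # A root is self-signed: subject and issuer carry the same name.
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || cat "$part" >> "$2"
  done
  rm -f part*.pem
}

# 7.6.4.3.2: wrap leaf + intermediates as Base-64 PKCS #7 (.p7b) and unwrap.
to_p7b()   { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }
from_p7b() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }

# 7.6.4.3.3: package key, certificate and intermediate as PKCS #12 with ONE
# password for both the private key and the container.
to_pfx() {
  openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile int.crt \
    -passout "pass:$2" -out "$1"
}
pfx_opens_with() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null; }

# 7.6.4.3.4: the leaf only verifies once the root is in the trust store ($2);
# with no trusted root the client rejects it, exactly as the guide warns.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" -untrusted int.crt "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -untrusted int.crt "$1" >/dev/null 2>&1
  fi
}
```

The order of the helpers mirrors the tabs on the Manage Certificates page: `strip_root` produces exactly what belongs in the Set Intermediate Certificates field, `to_p7b` produces what the Upload P7B File tab expects, and `to_pfx` produces a file that the Upload PFX/P12 File prompt will accept with the single password you gave it. `verify_leaf` without a second argument reproduces the "not trusted" failure a client sees before the CA certificate has been installed in its root store.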

7.6.4.3.5. Obtain Certificate from Let’s Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

If your system already has a public DNS name pointing to it, and it’s accessible from the public internet, you can use this option.

Enter your full public DNS name in the Domain Name field.

Your full public DNS name would be the web address that is typed into the web browser to access your system. Example: recorder.example.com

Let’s Encrypt certificates expire every 90 days, but the system will automatically renew the certificate before then to ensure that you always have a valid one.

Important

Your system must have a connection to the internet in order to renew this certificate type.

New in version 2023.1: New configuration options

When using the Let’s Encrypt CA, users can now add and edit Let’s Encrypt configurations.

In more complex environments, it may be necessary to alter the default configuration used to create and renew Let’s Encrypt certificates. This can be done by navigating to System → Configuration Files and editing Certbot cfg for Lets Encrypt.

Fig. 7.121 Let’s Encrypt Configuration

Global Certbot configuration parameters can be modified in this file and apply to the initial certificate request. Renewals often carry their own configuration derived from the globals, so if the configuration of an existing Let’s Encrypt certificate needs to be altered, edit the global configuration file and then request a new certificate.
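The guide does not show the contents of the Certbot configuration file. The following is an added example, not the recorder's shipped file, written in Certbot's own cli.ini syntax on the assumption that the recorder's file uses that format; the address and the choice of key type are sample values. Every key shown is a standard Certbot option.

```ini
# Added example in Certbot cli.ini syntax (assumed to match the recorder's
# "Certbot cfg for Lets Encrypt" file). All values are constructed samples.

# Contact address for expiry and security notices from Let's Encrypt.
email = certadmin@example.com
agree-tos = true

# Prefer an ECDSA key; switch to key-type = rsa with rsa-key-size = 4096 if
# an older client cannot negotiate EC certificates.
key-type = ecdsa
elliptic-curve = secp384r1

# HTTP-01 validation needs inbound port 80 from the internet during issuance
# and at every 90-day renewal.
preferred-challenges = http

# Point at the staging directory while testing to avoid production rate
# limits; remove the line before requesting the real certificate.
# server = https://acme-staging-v02.api.letsencrypt.org/directory
```

Because renewals keep the settings they were issued with, the sequence after editing this file is the one the guide gives: save the file, then request a new certificate so the new globals take effect.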

7.6.4.4. Manage Certificate Authorities

New in version 2023.1: New Feature - Manage Certificate Authorities

When using an internal (not publicly trusted) certificate authority, the system will not trust it by default. This means that secure NAB and Centralized Archive connections may not work if the other end is using a certificate signed by that CA.

In order to trust the connections, the CA’s root certificate must be uploaded.

Fig. 7.122 Manage Certificate Authorities

To upload a new trusted CA certificate, click Add CA and select your Base-64 PEM file. Click OK to complete the upload.

In very rare circumstances, a reboot may be required for some internal system components to trust the new root CA.
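The upload expects a Base-64 PEM root certificate, and the most common reasons an Add CA attempt does not produce trust are a DER-encoded export, an intermediate uploaded instead of the root, or a certificate that is not marked as a CA. The following is an added example, not Eventide's code, that checks a file for those conditions before you upload it; the throw-away root, leaf and paths it generates for the demonstration are constructed sample values.

```shell
#!/bin/sh
# Added example (not Eventide's code): sanity-check a CA certificate file before
# handing it to "Add CA". The recorder expects a Base-64 PEM root, so the checks
# are: PEM encoded, basicConstraints CA:TRUE, self-signed (subject equals
# issuer) and currently valid. The root and leaf generated below are constructed
# samples, as is the archive.example.com name.
set -eu

WORK="${TMPDIR:-/tmp}/nexlog-ca-check"
mkdir -p "$WORK"
cd "$WORK"

# Construct sample inputs: a PEM root, the same root in DER, and a non-CA leaf.
make_samples() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Internal Root CA" >/dev/null 2>&1
  openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
    -out root.pem >/dev/null 2>&1
  # Same root, DER encoded: what a Windows "Export" with the default format yields.
  openssl x509 -in root.pem -outform DER -out root.der
  # A leaf signed by the root; it is a certificate, but not a CA.
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=archive.example.com" >/dev/null 2>&1
  openssl x509 -req -days 1 -in leaf.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# Return 0 only when $1 is an acceptable root CA file; print the reason otherwise.
check_ca_pem() {
  f="$1"
  grep -q '^-----BEGIN CERTIFICATE-----$' "$f" || {
    echo "not PEM (convert with: openssl x509 -inform DER -in FILE -out FILE.pem)"
    return 1
  }
  openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || {
    echo "basicConstraints is not CA:TRUE: not a CA certificate"
    return 1
  }
  subject=$(openssl x509 -in "$f" -noout -subject)
  issuer=$(openssl x509 -in "$f" -noout -issuer)
  [ "${subject#subject=}" = "${issuer#issuer=}" ] || {
    echo "not self-signed: this is an intermediate, upload the root instead"
    return 1
  }
  openssl x509 -in "$f" -noout -checkend 0 >/dev/null || {
    echo "certificate has expired"
    return 1
  }
  echo "ok: $subject"
}
```

Run `check_ca_pem` against the file you intend to upload; a clean "ok:" line followed by the CA's subject is what you want to see before clicking Add CA.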

7.6.4.5. Connection Settings

This Setup page determines where encryption is used. For each entry, the recorder can be configured to accept unencrypted connections only, SSL connections only, or both. When clients connect to the recorder they must use an enabled form of communication. Encryption protects the data in transit at the cost of additional CPU load on the recorder. The following connection types can each be configured:

Web Server Connections

Determines how web browsers are allowed to connect to the recorder.

New in version 2024.1.

By selecting “Limit config access to port 8443”, a user can separate the Configuration Manager from MediaWorks DX when using encryption options (“SSL Only” or “Both”).

Examples:

  • SSL Only (8443): Configuration Manager is only accessible over 8443. MediaWorks DX is only on 443.

  • Both (8443): Configuration Manager is accessible on both 80 and 8443. MediaWorks DX is accessible on both 80 and 443.

Fig. 7.123 Limit Config Access

Database Connections

This includes Eventide software such as MediaWorks DX, which communicates with the recorder’s onboard database, as well as ODBC connections to the recorder’s database made by third-party applications such as Crystal Reports (TM).

Client Service Connections

Controls the live data sent between the Recorder and MediaWorks DX/MediaAgent.

Centralized Archive Connections

Controls the connections made between two NexLog DX-Series recorders when one acts as an archive destination for another.

Screen Agent DX Connections

Enables Screen Agent clients to encrypt all communication to and from the system.

Important

No changes made on this page will take effect until the recorder is rebooted.