Appendix: Certificate management and security - Metasys - LIT-12013222 - M4-OASHIST-0 - M4-OASMIN-0 - M4-OASMIN-6 - M4-OASMIN-SC3 - M4-OASMIN-SCS - M4-OASPPA-0 - M4-OASSCHRPT-0 - M4-OASSTD-0 - M4-OASSTD-6 - M4-OASSTD-SC3 - M4-OASSTD-SCS - Server - Open Application Server - 12.0

Open Application Server (OAS) Installation Guide

Product: Building Automation Systems > Application Servers > Open Application Server
Document type: Installation Guide
Document number: LIT-12013222
Version: 12.0
Revision date: 2022-05-20
Product status: Active

Follow the steps in this appendix to manage the trusted certificates on the Metasys server or SCT computer, and to select security levels for the site. The Metasys server, SCT computer, and network engines are installed with self-signed certificates, which enable encrypted network communication between the devices. Optionally, the customer can deploy trusted certificates at the Metasys server or SCT computer and enable encrypted and trusted communication between the Metasys server and network engines. Trusted certificates, installed on the client computer and the Metasys SMP or SCT computer, are provided either by the customer's IT department or by a Certificate Authority (CA).
Important: Johnson Controls can assist in the assignment of certificates to Johnson Controls branded devices. However, Johnson Controls is not a Certificate Authority and does not manage certificates.

A security shield icon on the Metasys server or SCT login and user interface screens indicates the encryption state:

  • Green Shield: the connection is encrypted and trusted
  • Orange Shield: the connection is encrypted, but not trusted
  • Red Shield: the connection is encrypted, but the security level cannot be verified

To deploy a trusted server certificate at the Metasys server or SCT computer, follow Steps 1-3. Then, if the IT department or CA has provided separate files for the root and intermediate certificates, follow Step 4. Also follow Step 4 if you need to establish a trusted relationship between the client computer and the Metasys server and SCT computer. If you want to establish encrypted and trusted communication between the Metasys server and network engines, follow Step 5, which explains how to set the Site Security Level. Lastly, perform Step 6 if you want to verify all certificates are in place.

  1. Requesting a server certificate
  2. Completing a server certificate request
  3. Binding the secure certificate
  4. Importing root and intermediate certificates
  5. Setting the Site Security Level to Encrypted and Trusted
  6. Verifying the server certificate chain

For details on how to remove or rebind a secure certificate, see Removing or rebinding the secure certificate. For details about how to remove a self-signed certificate from the certificate store, see Removing the self-signed certificates in the certificate store. For details on renewing an existing certificate, see Renewing an existing certificate. For details on certificates from a third-party certificate authority, see Requesting certificates from a third party certificate authority. For details about managing certificates on network engines, refer to SCT: System Configuration Tool Help (LIT-12011964).
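
The difference between a self-signed certificate and one that chains to a trusted root can be checked from Windows PowerShell on the server or SCT computer. The following is an added example, not part of the Johnson Controls guide and not the procedure from the Verifying the server certificate chain section; it assumes the server certificate is in the Cert:\LocalMachine\My store, and the function name Get-CertTrustState is hypothetical. It does not reproduce how Metasys decides the shield colour.

```powershell
# Added example: report, for each certificate with a private key in the
# local machine "Personal" store, whether Windows can build a trusted chain.
# Assumption: the server certificate is installed in Cert:\LocalMachine\My.

function Get-CertTrustState {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checks need network access to the CA; skip them so the
    # result reflects only the chain and the local trust stores.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    try {
        # Build() returns $true only if every element validates up to a
        # root that is present in the Trusted Root store.
        $trusted = $chain.Build($Certificate)

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            # Heuristic: a self-signed certificate names itself as issuer.
            SelfSigned = ($Certificate.Subject -eq $Certificate.Issuer)
            Trusted    = $trusted
            # Empty when the chain is valid; otherwise e.g. UntrustedRoot,
            # PartialChain (missing intermediate) or NotTimeValid (expired).
            Problems   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            # Leaf first, root last; a single entry means no issuing CA.
            ChainPath  = ($chain.ChainElements |
                              ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        }
    }
    finally {
        $chain.Dispose()
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Get-CertTrustState -Certificate $_ } |
    Format-List
```

A `PartialChain` result typically means a root or intermediate certificate has not been imported (Step 4), while `UntrustedRoot` on a certificate marked `SelfSigned` is what an untouched self-signed installation is expected to show.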

Lastly, this appendix describes how to use two special security attributes that you set in the site object of the Site Director: Site Security Level and Advanced Security Enabled. See the following sections for details:

  • Setting the Site Security Level to Encrypted and Trusted
  • Changing Advanced Security Enabled to False