Domain/SSL
The Settings > Domain/SSL pane is used to configure the domain name, SSL, and Edge Remote endpoint in Belden Horizon Data Manager. This pane includes the following sections:

- Domain
- SSL Settings
- Edge Remote

SSL Certificate Workflow

You can choose between two methods for adding an SSL certificate to Belden Horizon Data Manager (BHDM) or Belden Horizon Data Operations (BHDO):

- Manual request process
- DigiCert IoT Trust Manager integration

Method 1: Manual Request Process

Step 1: You will need to request an SSL certificate from your IT team.

Step 2: Your IT team will make a request for the SSL certificate from a Certificate Authority (CA) (for example, Let's Encrypt, DigiCert).

Step 3: The CA will return the following to your IT team:

- The root CA certificate file
- Any required intermediate certificates
- The SSL certificate file

Step 4: The IT team will send you the following:

- The root certificate file
- Any required intermediate certificates
- The SSL certificate file
- The private key file

Step 5: You will apply the following in either Belden Horizon Data Manager (see the SSL Settings section below) or Belden Horizon Data Operations (see docid\ jdbx3fiqp3ypazf1d8bd5):

- The CA chain file (root CA file and all intermediate certificates)
- The SSL certificate
- The private key file

Method 2: DigiCert IoT Trust Manager Integration

Step 1: Set up DigiCert IoT Trust Manager integration through the BHDM Admin Console.

Step 2: Access DigiCert IoT Trust Manager to retrieve the URL, profile ID, and passcode, then configure the CA for BHDM and BHDO.

Step 3: DigiCert IoT Trust Manager handles the entire certificate management process, including:

- Issuing the SSL certificate
- Managing the CA chain file
- Private key file

Step 4: Apply and issue certificates to your edge devices through BHDM.

Domain Settings

You can use the domain name to obtain access to Belden Horizon Data Manager without knowing the IP address. This helps when configuring settings.

Base Domain Name

The basic domain name is used by clients accessing the Belden Horizon Data Manager Admin Console, Belden Horizon Data Manager application, and Keycloak application.

Before you begin: Ensure a DNS server exists to handle requests by clients using the domain name.

[1] Edit base domain name. Changing the domain name can cause connection issues such as disconnecting all previously connected edge devices. It is recommended that you make DNS changes prior to configuring the rest of your settings. Changing the domain name also causes an update to the certificates. It may be necessary to accept new certificates after reloading the current browser tab. See docid\ xdogp5r8urqnihm4ofbht for more information.

- If the domain name is valid, a green check mark displays.
- If the domain name is invalid, a red exclamation mark displays.

[2] Copy base domain name.

[3] View domain log. Enabling auto scroll is helpful when running an import process.

[4] Save base domain name.

SSL Settings

There are three options when selecting an SSL setting:

- Instance Default Certificate: Allows you to use the default self-signed SSL certificate that is automatically created during deployment, when you first boot up, for HTTPS and MQTT SSL.
- Let's Encrypt Webroot Mode: The certificate is based on Let's Encrypt (https://en.wikipedia.org/wiki/Let's_Encrypt) using their webroot mode. You must enter the domain name for your web server in the Domain section. An IP address cannot be used. This is used when the web server is exposed to the internet and should not be used for private networks.
- DigiCert: The DigiCert option integrates with a unique passcode for each BHDM instance, which should be securely stored and managed within the admin interface. This ensures a secure and reliable SSL certificate management process for your BHDM.
- User Defined: The SSL encryption uses a self-signed certificate (.crt or .pem file) and a key file (.key or .pem file) that have been uploaded to Belden Horizon Data Manager. The same certificate must be uploaded to the connected edge device.

[5] Select SSL setting.

- Select Instance Default Certificate to ensure that the SSL certificates that are used for the server and instances are valid and trusted by the server.
- Select Let's Encrypt Webroot Mode to secure publicly available content in a domain by encryption, and then click Save. It issues a certificate when ownership is proven. This selection requires that a domain name is set. This selection cannot be used with an IP address.
- Select User Defined to use an SSL certificate and key file to secure content. A .crt or .pem file and a .key or .pem file are required for this selection.

[6] (User Defined only) Upload SSL certificate.

[7] (User Defined only) Key file.

[8] (User Defined only) Root CA certificate. Upload a CA chain file.

Creating a CA (Certificate Authority) chain file involves consolidating the necessary certificates to establish a trust hierarchy for secure communication. To do this, you'll typically need the intermediate certificates that link your SSL certificate to the root certificate, ensuring a complete chain of trust.

Begin by gathering the required certificates, which often include intermediate certificates and the root certificate. Then, execute a command to combine all required certificates into a single file. See the example below.

Example: You have the following intermediate certificates: intermediate1.pem and intermediate2.pem. You create a CA chain file by combining the intermediate certificates with the root certificate (root.pem) with the following command:

    cat intermediate1.pem intermediate2.pem root.pem > ca-chain.pem

The CA chain file is named ca-chain.pem.

[9] View SSL log. Enabling auto scroll is helpful when running an import process.

[10] Save SSL settings.

Edge Remote

The Edge Remote endpoint is the location of the Belden Horizon Data Manager remote service that forms a private secured connection between this Belden Horizon Data Manager instance and all of its associated Belden Horizon Data Operations devices. This endpoint can be set to a DNS name or an IP address.

By default and in most circumstances, the Edge Remote endpoint will be identical to the Belden Horizon Data Manager instance's IP address/DNS. The only exception is when Belden Horizon Data Manager is deployed on Google Kubernetes Engine. In this deployment situation, the IP address of the Belden Horizon Data Manager and the IP address of the BHDM remote service will differ. The IP address of the Belden Horizon Data Manager remote service will be generated by Kubernetes and should be set as the Edge Remote endpoint accordingly. If a DNS name is associated with the IP address received from Kubernetes, then the DNS name should likewise be set as the Edge Remote endpoint. Setting the DNS name this way prevents the need to reactivate Belden Horizon Data Operations devices when the Belden Horizon Data Manager IP address changes.

Refer to the following actions you can take on the Belden Horizon Data Manager Admin Console's Domain/SSL pane:

[11] Edit Edge Remote.

[12] Copy Edge Remote endpoint.

[13] Save Edge Remote endpoint. You can only save when the DNS/IP address is valid.
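
The CA chain file step in the SSL Settings section can be checked before uploading the User Defined files. The script below is an added example, not part of the Belden documentation: it builds the chain file with the same cat command, then confirms that the chain validates the server certificate and that the private key belongs to it. The function names, server.pem, server.key, and the throwaway demo PKI are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build the CA chain file and check it before upload.
# Every certificate and key used here is constructed test data.

# build_chain OUT FILE...: concatenate intermediates, then the root, into OUT.
build_chain() { out=$1; shift; cat "$@" > "$out"; }

# check_bundle CERT KEY CHAIN: prints "ok" when CHAIN validates CERT up to a
# self-signed root and KEY is the private key for CERT; otherwise says why.
check_bundle() {
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
    { echo "chain-incomplete"; return 1; }
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
  echo "ok"
}

# make_demo_pki DIR: constructed root -> intermediate1 -> server certificate.
make_demo_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout intermediate1.key -out intermediate1.csr 2>/dev/null
  openssl x509 -req -in intermediate1.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -days 2 -extfile ca.ext -out intermediate1.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bhdm.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA intermediate1.pem \
    -CAkey intermediate1.key -CAcreateserial -days 2 -out server.pem 2>/dev/null
)

demo() {
  d=$(mktemp -d); make_demo_pki "$d"
  build_chain "$d/ca-chain.pem" "$d/intermediate1.pem" "$d/root.pem"
  check_bundle "$d/server.pem" "$d/server.key" "$d/ca-chain.pem" || true
  check_bundle "$d/server.pem" "$d/server.key" "$d/root.pem" || true
  check_bundle "$d/server.pem" "$d/root.key" "$d/ca-chain.pem" || true
  rm -rf "$d"
}
demo
```

Because openssl verify treats every certificate in the -CAfile as trusted, this check confirms that the chain is complete and the key matches, not that the root is one your organization trusts.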