Communication Security
To configure a secure connection between the tray application and integrator, the app_config.json may be configured in a number of different ways.
The config's settings will differ depending on the solution employed by the user:
Scenario 1: TCP connection with certificate in directory
If the user wants to load a certificate from files:
UseLocalCertificate needs to be set to false, and ClientCertificate and ClientCertificatePassword need to be set.
This enables the certificate to be accessed/used as a client certificate for authenticated TCP connections.
{
"UseNamedPipe": false,
"ServerEndpoint": "localhost",
"TcpPort": 5555,
...
"UseLocalCertificate": false,
"ClientCertificate": "MyClient.pfx",
"ClientCertificatePassword": "password",
...
"TrustedServers": [
"MIGJAoGBAJkzpXgmu5TeNR5mdatFZEzaTyMvKp91rUV5IsgMBAAE="
]
}
Scenario 2: TCP connection with certificate from local machine or user store
If the user wants to load a certificate from a) their machine certificate store or b) their user certificate store:
UseLocalCertificate needs to be set to true, and ClientCertificate and ClientCertificatePassword can be removed.
In order for the certificate to be found, ClientCertificateThumbprint needs to provide the thumbprint of the certificate stored in the keystore.
{
"UseNamedPipe": false,
"ServerEndpoint": "localhost",
"TcpPort": 5555,
...
"UseLocalCertificate": true,
...
"TrustedServers": [
"MIGJAoGBAJkzpXgmu5TeNR5mdatFZEzaTyMvKp91rUV5IsgMBAAE="
],
"ClientCertificateThumbprint": "3A396124E4435F661D8B211EA5AE118C132F5B34"
}
Scenario 3: Secure named pipe communication with certificate from local machine or user store
If the customer wants to load a certificate from their local machine or a user certificate storage, SecureCommunication must be set to true in order to enable secure communication.
In order for the certificate to be found, ClientCertificateThumbprint needs to provide the thumbprint of the certificate stored in the keystore.
{
"UseNamedPipe": true,
...
"SecureCommunication": true,
...
"TrustedServers": [
"MIGJAoGBAJkzpXgmu5TeNR5mdatFZEzaTyMvKp91rUV5IsgMBAAE="
],
"ClientCertificateThumbprint": "3A396124E4435F661D8B211EA5AE118C132F5B34"
}
TrustedServers
TrustedServers allows the client tray (icon tray) application to recognize and trust integrator applications based on the public key of the certificate used during integration. The tray application maintains a whitelist of trusted integration certificates to ensure that only authorized integrators can connect, whether running locally (local = true) or from another machine.
If any or all integrator applications should be trusted, TrustedServers can be left empty or removed. The tray application then does not restrict which integrators can connect.
Unsecured named pipe communication
In this mode, named pipe communication has no security features enabled, and no further configuration is required.
{
"UseNamedPipe": true,
"SecureCommunication": false
}
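The rules from the scenarios above can be checked mechanically before a configuration is deployed. The following audit script is an added example, not part of the product or its documentation. It assumes that absent keys default to false or empty, that a secure named pipe always takes its certificate from the store as in Scenario 3, and that thumbprints are 40 hex characters like the sample on this page; the function names audit and audit_text are hypothetical.

```python
import json
import re

# Constructed sample: Scenario 2 with the thumbprint left out and an empty
# TrustedServers list. Absent keys are assumed to default to false/empty.
SAMPLE = """{
  "UseNamedPipe": false,
  "ServerEndpoint": "localhost",
  "TcpPort": 5555,
  "UseLocalCertificate": true,
  "TrustedServers": []
}"""

def audit(cfg):
    """Return a list of findings for a parsed app_config.json (dict)."""
    pipe = bool(cfg.get("UseNamedPipe", False))
    secure_pipe = pipe and bool(cfg.get("SecureCommunication", False))
    if pipe and not secure_pipe:
        # Unsecured named pipe: certificate settings do not apply.
        return ["named pipe without SecureCommunication: no security features"]
    findings = []
    # Assumption: a secure named pipe always uses the certificate store,
    # as in Scenario 3.
    if secure_pipe or cfg.get("UseLocalCertificate", False):
        thumb = str(cfg.get("ClientCertificateThumbprint") or "")
        # Assumption: thumbprints are 40 hex characters, like the page's sample.
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", thumb):
            findings.append("ClientCertificateThumbprint missing or not 40 hex characters")
    else:
        for key in ("ClientCertificate", "ClientCertificatePassword"):
            if not cfg.get(key):
                findings.append(key + " must be set when UseLocalCertificate is false")
        if cfg.get("ClientCertificatePassword"):
            findings.append("ClientCertificatePassword is stored in clear text in the config file")
    if not cfg.get("TrustedServers"):
        findings.append("TrustedServers empty or absent: every integrator is trusted")
    return findings

def audit_text(text):
    """Parse JSON text (without the '...' elisions) and audit it."""
    return audit(json.loads(text))

if __name__ == "__main__":
    for finding in audit_text(SAMPLE):
        print(finding)
```

An empty result means the configuration matches one of the three secured scenarios with a non-empty TrustedServers list.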