2 Replies Latest reply on Feb 4, 2014 4:14 PM by stefanbe
    stefanbe Explorer

    XMPP security

    Hi again,


    I had some questions about the security of the XMPP protocol used by Thingworx, namely: is this secure, and how secure is it?


    I found out that XMPP TLS is used for communication, using a self-signed certificate issued by Thingworx.


    We have a development and a test server running. It appears (but maybe I'm wrong) that the same certificate is used by both Thingworx servers (fingerprint c4 1b bd 45 13 05 91 8a eb ae 1e 4a 7d 4d a9 12 af 53 5e ed, public key 30 81 89 02 81 81 00 a8...)? Does that mean that all Thingworx servers use the same certificate, or am I wrong here?


    I also saw a setting in the Always on Settings, Certificate Store & Certificate Password. Does that mean it's possible to upload a custom certificate that the Thingworx server will use instead of the default one?


    Thanks in advance!

      • XMPP security
        andyb Explorer

        All deployments of the ThingWorx server have the same embedded certificate that is used by default.  A custom certificate can be used by providing its location and password in the fields of the Always On Settings mentioned.

         

        In addition, it is also possible to tell the EMS to reject self-signed certificates.  The default is for it to accept them though, so that it will work with the default cert we provide. To override this, add the following line to your config.lua:

         

        agent.reject_selfsigned_cert = true
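
An added example, not part of the thread and not ThingWorx code: since every deployment ships the same default certificate, an inventory check can flag servers that still present it, or that share a certificate with each other, by comparing fingerprints. It assumes the 20-byte fingerprint quoted in the question is SHA-1 over the DER-encoded certificate; the function names, server names and sample certificate bytes are constructed for illustration.

```python
import hashlib
import re
import ssl
from collections import defaultdict

# Fingerprint quoted in the thread; 20 bytes, so assumed here to be SHA-1.
THREAD_FINGERPRINT = "c4 1b bd 45 13 05 91 8a eb ae 1e 4a 7d 4d a9 12 af 53 5e ed"


def normalize_fingerprint(text):
    """Accept 'c4 1b ..', 'C4:1B:..' or plain hex; return lowercase hex."""
    hex_only = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hex_only):
        raise ValueError("not a 20-byte (SHA-1) fingerprint: %r" % text)
    return hex_only


def cert_fingerprint(cert):
    """SHA-1 over the DER encoding; PEM input (str) is converted first."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha1(der).hexdigest()


def audit(servers, known_shared):
    """servers: {name: PEM str or DER bytes}. Returns (default_users, reused)."""
    known = {normalize_fingerprint(f) for f in known_shared}
    by_fp = defaultdict(list)
    for name, cert in servers.items():
        by_fp[cert_fingerprint(cert)].append(name)
    # Servers whose certificate matches a fingerprint known to be shared.
    default_users = sorted(
        n for fp, names in by_fp.items() if fp in known for n in names)
    # Any fingerprint presented by more than one server.
    reused = {fp: sorted(names) for fp, names in by_fp.items() if len(names) > 1}
    return default_users, reused


# Constructed stand-ins for certificate bytes (not real certificates).
SHARED = b"constructed-default-cert"
CUSTOM = b"constructed-custom-cert"
SAMPLE_SERVERS = {
    "dev": SHARED,
    "test": ssl.DER_cert_to_PEM_cert(SHARED),  # same cert, PEM form
    "prod": CUSTOM,
}

if __name__ == "__main__":
    defaults, reused = audit(SAMPLE_SERVERS, [cert_fingerprint(SHARED)])
    print("presenting a known shared certificate:", defaults)
    print("fingerprints seen on more than one server:", reused)
```

With real data, pass the certificates exported from each server and put the fingerprint of the default certificate in `known_shared`.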

         

        • XMPP security
          stefanbe Explorer

               

          Ok, thanks for the information!