Security

EYE+ comes with built-in security features: a secure connection using an SSL/TLS certificate and User Access Control to restrict the access to EYE+ Studio to authenticated users only.

The security page consists of two distinct chapters:

../../_images/configuration_security.png

Fig. 225 SECURITY main page

Secure Connection

EYE+ has the ability to setup an encrypted connection between EYE+ Studio and EYE+ Controller. This will make it so all data exchanged between the two can be decrypted by no one else, making sure your data stays safe from any malicious actor trying to monitor the connection.

Warning

We recommend creating a System backup of your system before enabling this feature. This precaution ensures that if you experience any unexpected issues, you can easily restore your system. In the unlikely event that a factory reset is necessary to regain access, your backup will help you restore your system quickly.

To setup such a connection, EYE+ needs an SSL/TLS certificate you need to generate alongside the private key used to generate it. The private key will be safely stored inside EYE+, while the certificate part will be used to provide EYE+ Studio with a matching public key, allowing them both to generate encrypted messages only them can decrypt.

For more information about SSL/TLS certificates, please refer to the SSL/TLS Certificate chapter of the knowledge database.

You can import a certificate file in the .pem format, and the file must contain both the certificate and the private key. If you have both in separate files, you can merge them into one .pem easily provided you keep the headers for each section (the “-----BEGIN XXXXX-----” and “-----END XXXXX-----”).

../../_images/configuration_security_no_certificate.png

Fig. 226 SECURE CONNECTION Import a certificate

Once imported, some information about the certificate will be displayed, such as the issuer, expiration date, fingerprint and more. The certificate can be changed at any time.

../../_images/configuration_security_with_certificate.png

Fig. 227 SECURE CONNECTION certificate imported

Important

Once you upload the certificate and save it with the dedicated button, EYE+ Studio will be redirected to a secured route on port 443. Make sure it is not blocked by your firewall or it will no be possible to access EYE+ Studio.

In case you are sure the port is not being blocked and you still cannot access EYE+ Studio, try refreshing the page and/or power cycle the EYE+ Controller. At this point in time, restarting the EYE+ Controller will remove the certificate so you can upload a new one.

Note

If you try to connect to EYE+ Studio but the certificate is expired, your browser will show a warning message and you’ll have to either accept to use a non-secure connection so you can update the certificate or perform a factory reset using the dedicated button on the EYE+ Controller.

Important

With Secure Connection enabled, performing a system backup will also backup the SSL/TLS certificate in the backup file unencrypted.

User Access Control

With User Access Control (UAC), you can prevent unauthorized users from accessing EYE+ Studio so no one but authorized people can make any modifications to your system.

UAC defines two users: ADMIN and ANONYMOUS. The former has access to all features of EYE+ Studio while the latter either has none or can be allowed to monitor production through the dashboard.

To enable UAC, you need to define a password for the ADMIN user and whether to allow ANONYMOUS users to see the dashboard while in production.

../../_images/enable_uac.png

Fig. 228 UAC settings

Important

As with the secure connection feature, we recommend you back your system up before enabling UAC. Should you forget your password, your data will be unrecoverable and you will need to perform a factory reset to regain access to your EYE+.

UAC does not have any effect on the communication protocols between EYE+ and the outside meaning any TCP/IP or fieldbus connection will not be affected by any restriction resulting from UAC.

To increase security, we encourage you to choose a strong password. Here are a few recommendations to create a strong password:

  • Aim for at least 12 characters. The longer the password, the harder it is to crack.

  • Use a combination of uppercase and lowercase letters, numbers, and symbols.

  • Don’t use dictionary words, personal information (birthdays, addresses), common phrases, or keyboard patterns.

  • Never reuse passwords across different accounts.

  • Make it easy to remember by using a random sentence or phrase and incorporate some uppercase letters, numbers, and symbols.

Note

We strongly encourage you enable the secure connection feature alongside UAC to guarantee your system is entirely secured.

Once you choose a password and save it, you will automatically be logged in as ADMIN. Once logged in, you will stay that way for 30 minutes without any action on your part (e.g. navigating to a different page) after which you will have to log in again. You can also choose to log out at any time using the dedicated button on the rightmost part of the top bar.

Logging into EYE+ Studio is done per session, which means you can be connected to it from multiple computers at once with the same credentials. All sessions can log out independently and have their own inactivity timeout.

If you try to access EYE+ Studio with UAC enabled but aren’t logged in, you will be greeted by the login page where you will be asked for your password to authenticate.

../../_images/login_page.png

Fig. 229 Login page

To change your password, you first need to be logged in. Navigate to the SECURITY card in CONFIGURATION. The UAC card has now been updated to let you modify your password. You need to first type in your current password and then the new one twice before saving. Once the verification succeeds, your password will be modified.

../../_images/change_password_uac.png

Fig. 230 Change UAC password

Important

With UAC enabled, performing a system backup will also backup the password in the backup file. It is encrypted so it cannot be read by anyone. If you restore a backup file with UAC enabled, it will be restored as well with the password defined in the backup.