NI Linux Real-Time Discussions

Removing WebDAV or closing port 80/443

Hi,

I was wondering if it is possible (without losing functionality other than WebDAV) to remove WebDAV from the Linux installation, or close the ports that are used? When I try to remove the WebDAV server it seems to say I need to remove almost all other functionality. I have attached a picture of which features say

The hardware is an sbRIO 9627, if that is relevant.

It is an issue of security where a client wants all unused ports closed.

Also, going to the HTTPS version of the web server interface for the sbRIO gives an illegal certificate message, which also looks bad and would be good to remove. I do not need to have the web server available.

Regards

mrmas

0 Kudos
Message 1 of 12
(3,621 Views)

Hi mrmas,

From my understanding, the WebDAV server is used to transfer files during software installation, so all components that you install to the cRIO will be dependent upon the WebDAV server.

Thanks,

Andy

Message 2 of 12
(3,601 Views)

You might consider enabling the firewall to whitelist network services you need and block everything else. Keep in mind that blocking services will prevent some applications from working. For example, blocking TCP ports 80 and 443 (System Web Server) prevents remote management in MAX (format, software install, configuration, etc.) as Andy mentioned above. That may or may not be desirable depending on your security requirements.

Message 3 of 12
(3,595 Views)

I see,

Can everything be done over port 443?

HTTP over port 80 is not acceptable because it is unencrypted, as I understand it. Can all MAX, web server and file install be done with port 443, and perhaps get a security certificate to avoid messages like the one seen in the image attached here?

Or I can do without the system web server, but as a bare minimum I need to be able to install new software via the image install system included in the RT software. For example, can using the RAD (http://www.ni.com/example/30986/en/) system to install disk images be done without port 80?

regards

0 Kudos
Message 4 of 12
(3,584 Views)

AFAIK, MAX can install software over HTTPS. You'll need to keep ports 3580 (NI Service Locator) and 443 (HTTPS System Web Server) open to your host machine in order to discover and connect to the system.

Signed TLS certificates can be installed in the Web Configuration tool. You can purchase a certificate for any Internet-facing system with a domain, or use a free service like Let's Encrypt. Work with your IT department for private systems.

You might also check out the Securing cRIO System presentation from NIWeek where I discussed various security configuration options of NI Linux RT, including firewall and TLS configuration.

I don't know if RAD works over HTTPS.

Message 5 of 12
(3,575 Views)

Thank you for the information. That seems hopeful as a solution then. How would I go about closing port 80? Normally I would just remove the service that is using it, but WebDAV needs to stay. Would port 80 go away if I install the HTTPS version of WebDAV, or do I need to close the port manually using some Linux magic?

Regards

mrmas

0 Kudos
Message 6 of 12
(3,565 Views)

There are two ways you could do this:

(1) Turn off HTTP in the web configuration tool. WebDAV is hosted over HTTPS (port 443) as well.

(2) If you're using the firewall, simply don't whitelist port 80 in your rules and it will be closed.

Message 7 of 12
(3,557 Views)
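
Added example, not part of any post in this thread and not NI's own code: a listener audit to run on the target after either step above, checking that only the ports the thread names as required (443 and 3580) are listening on network-reachable addresses. It assumes `ss -ltn` or `netstat -ltn` is available on the target; the function names, the loopback port 5000 and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening TCP ports against an allowlist.
# Allowlist from the thread: 443 (HTTPS System Web Server) and
# 3580 (NI Service Locator). Port 80 is deliberately absent.
ALLOWED_PORTS="443 3580"

# Reads `ss -ltn` or `netstat -ltn` output on stdin (both put the local
# address in column 4) and prints each network-reachable listening port
# that is not allowlisted, one per line, sorted and de-duplicated.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" || $6 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)     # keep the text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Loopback-only sockets are not reachable from the network.
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            if (!(port in ok)) print port
        }
    ' | sort -n -u
}

# Constructed sample of `ss -ltn` output (not captured from a real target).
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128             [::]:80           [::]:*
LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:3580      0.0.0.0:*
LISTEN 0      16         127.0.0.1:5000      0.0.0.0:*'

# Exit status 1 when anything outside the allowlist is listening.
audit() {
    found=$(unexpected_listeners)
    [ -z "$found" ] && return 0
    echo "unexpected listening ports:" $found
    return 1
}

printf '%s\n' "$SAMPLE" | audit || true   # demo on the constructed sample
# On the target (assumes ss is installed): ss -ltn | audit
```

Edit `ALLOWED_PORTS` to match the services the deployment actually needs; the check covers TCP listeners only.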

I have tried turning off port 80 by the web interface, see attached image. This works so that port 80 is closed. However, now as I see it I can't configure the IP address of the system anymore using NI MAX for example, nor can I find the system using RAD. How would one go about changing the IP address for a system with port 80 closed?

0 Kudos
Message 8 of 12
(3,519 Views)

Hi Mrmas,

RAD and NI MAX share underlying components (i.e., RAD is built on the NI System Configuration API). My understanding is that for remote access/configuration much of the communication these do for our Linux RT Targets is handled via HTTP and not HTTPS. Both of these currently appear to require HTTP access though they are secured through the NI Auth login options available. Essentially, by closing port 80 you've blocked access for anything which doesn't use HTTPS to access web services in the NI System Web Server.

I'm not sure if there's a way to configure those items to use HTTPS instead of HTTP, but I've been unable to find one.

You would need to use a standard Linux command via shell or some other method to change the IP address of the device as it now cannot be reached by MAX or System Configuration.

Charlie J.
National Instruments
0 Kudos
Message 9 of 12
(3,506 Views)

Hi GatorBait,

Is there any documentation I can reference for the "NI Auth login options"?

I think I could argue for port 80 if the communication is secure and documented, and hopefully there is a way to just remove the web interface?

Regards

Mrmas

0 Kudos
Message 10 of 12
(3,502 Views)