To set up an Axis camera for HTTPS support in 8.4.1 server:
Log into the camera web page and go to the setup page.
Select “System options” and HTTPS.
The HTTPS settings page might look different between firmware versions.
To create a self-signed certificate, select the create option and fill in the required fields such as country/locality/state/organization/etc. in the pop-up.
To load a certificate, select the install signed certificates option and navigate to the certificate.
Install the certificate.
Set the policy for admin/operator/viewer to HTTPS or both (HTTP/HTTPS).
The plugin will try HTTPS first and, if that fails, will then try HTTP.
The Client will show a lock beside the device to indicate HTTPS connections.
Connecting to ACTi cameras using HTTPS requires firmware 6.12.34 or higher, or a signed x509 certificate below version 4. HTTPS connections will work with a version 3 x509 certificate.
Self-signed certificates for most ACTi firmware are not supported by the embedTLS library used by the server.
To set the HTTPS mode for Illustra Essentials and any Dahua OEM cameras:
Go to camera web page
Enable the HTTPS option in the Network/Connection section
The camera will auto generate a self-signed certificate so that exacqVision may connect with HTTPS.
Note that if the camera is in HTTPS mode and the camera’s IP address is changed, the camera may need to re-generate the self-signed certificate for exacqVision to connect with HTTPS or to reach the camera’s web page with HTTPS.
To re-generate the self-signed certificate:
Connect to the camera web page via HTTP, instead of HTTPS
Go to the Network/Connection settings page and disable HTTPS
Wait for the camera to reboot and log back into the camera web page with HTTP
The following steps are intended for manually setting the certificate and key path for exacqVision Web Service versions 8.4 and higher.
NOTE: Wildcard certificates cannot be uploaded through the exacqVision Web Service administration interface. However, they may be used when manually configured.
Products
exacqVision Web Service version 8.4 and above
Steps
Find the web service configuration file:
Windows: C:\ProgramData\Webservice\conf\wfe.json
Linux: /etc/webservice/wfe.json
Open this JSON configuration file with the text editor of your choice.
Windows: Open the text editor by choosing ‘Run as Administrator’.
Linux: Run with sudo privileges when needed.
Within this file, locate the top-level key ‘webserver’.
One level underneath the ‘webserver’ key, locate the ‘tls’ key.
Note: The ‘tls’ key is optional. If it does not exist, create it as such:
    "webserver": {
        "listen": 80,
        "tls": { }
    }
Inside the ‘tls’ key, modify the values for the following fields (creating keys for them if they are not already present)
“type”: The literal string “external” (including the quotes)
“listen”: The port on which you want the web service to conduct HTTPS traffic. The default HTTPS port is 443. Provide this value as a literal number without quotes.
“cert”: The absolute path to your HTTPS certificate (surrounded in double-quote markers, e.g. “/home/admin/certificates/webservice.cert”)
“key”: The absolute path to your HTTPS private key (surrounded in double-quote markers as well)
If you have followed these steps correctly, the ‘webserver’ section of wfe.json should now look something like the following:
    "webserver": {
        "listen": 80,
        "tls": {
            "listen": 443,
            "cert": "path/to/your/cert",
            "key": "path/to/your/key",
            "type": "external"
        }
    }
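The checks implied by the steps above, as an added example (not Exacq's own code): it validates the ‘tls’ block of a parsed wfe.json and writes the four fields the way the steps describe. The sample configuration is constructed, and the key path and the function names are assumptions made for illustration.

```python
import json
import ntpath
import posixpath

# Constructed misconfiguration: quoted port, relative paths, wrong "type".
SAMPLE = json.loads("""
{"webserver": {"listen": 80,
               "tls": {"listen": "443", "type": "none",
                       "cert": "path/to/your/cert", "key": "path/to/your/key"}}}
""")

def is_absolute(path):
    """True for a rooted POSIX path or a drive-rooted Windows path."""
    return posixpath.isabs(path) or (
        ntpath.isabs(path) and bool(ntpath.splitdrive(path)[0]))

def apply_external_tls(config, cert, key, port=443):
    """Return a copy of config with webserver.tls filled in as the steps say."""
    updated = json.loads(json.dumps(config))      # deep copy of plain JSON data
    tls = updated.setdefault("webserver", {}).setdefault("tls", {})
    tls.update({"type": "external", "listen": port, "cert": cert, "key": key})
    return updated

def check_tls(config):
    """Return the problems found in webserver.tls; an empty list means none."""
    web = config.get("webserver")
    if not isinstance(web, dict):
        return ["top-level 'webserver' key is missing"]
    tls = web.get("tls")
    if not isinstance(tls, dict):
        return ["'tls' key is missing under 'webserver'"]
    problems = []
    if tls.get("type") != "external":
        problems.append("tls.type must be \"external\", found %r" % (tls.get("type"),))
    port = tls.get("listen")
    # bool is a subclass of int, so reject true/false explicitly.
    if isinstance(port, bool) or not isinstance(port, int):
        problems.append("tls.listen must be an unquoted number, found %r" % (port,))
    elif not 1 <= port <= 65535:
        problems.append("tls.listen %d is outside 1-65535" % port)
    elif port == web.get("listen"):
        problems.append("tls.listen %d is also the HTTP port" % port)
    for field in ("cert", "key"):
        value = tls.get(field)
        if not isinstance(value, str) or not is_absolute(value):
            problems.append("tls.%s must be an absolute path, found %r" % (field, value))
    return problems

if __name__ == "__main__":
    for line in check_tls(SAMPLE):
        print("before:", line)
    fixed = apply_external_tls(SAMPLE, "/home/admin/certificates/webservice.cert",
                               "/home/admin/certificates/webservice.key")
    print("after:", check_tls(fixed) or "no problems")
```

Running the check before restarting the Web Service catches a quoted port or a relative path while the previous configuration is still in effect.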
With the increase of remote cameras, and as systems become large and more interconnected, it has become increasingly necessary to secure the video stream using SSL.
Change
Several of the IP camera plugins have supported HTTPS connections since 8.4 (Axis/Illustra3), 8.6 (Dahua/HikVision), 8.8 (Samsung) and 9.0 (ACTi). However, this only secured the configuration connection and not the RTSP video stream.
Beginning in 9.6, the Axis and Samsung plugins will support a secure connection for both the configuration and the video stream. This will be accomplished by tunneling the RTSP traffic through HTTPS.
Some older cameras have the ability to connect over HTTPS, but are not able to stream video securely. Customers may experience problems after updating to 9.6 if they are using the ‘HTTPS Required’ protocol option.
HTTP – This will cause the camera to connect insecurely over port 80.
HTTPS If Available – This will attempt to connect using SSL. If it fails, HTTP is used.
HTTPS Required – This will force the IP plugin to connect using SSL and fail if the camera is not configured to use SSL. Additionally, if the camera supports HTTPS for configuration, the plugin will request a secure video stream as well.
Beginning with 9.6, the Axis and Samsung plugins will support overrides that force a specific streaming type.
#transport=udp Insecure over UDP
#transport=tcp Insecure over TCP
#transport=rtsph Insecure tunneled over HTTP
#transport=rtsphs Secure tunneled over HTTPS
Additionally, the port used for tunneling can be specified with:
tunnelport={1025-65535}
For instance, to connect to a camera at 192.168.1.1 which supports a secure configuration connection, but not a secure video stream, and specify 5544 as the tunnel port, use the following as the ‘Hostname/IP Address’ on the ‘Add IP cameras’ page:
exacqVision supports connecting to many cameras using HTTPS. Depending on the camera firmware capabilities and the device type plugin used in exacqVision the level of encryption provided may vary.
Using the IP Camera Integration Database, you may choose to filter the displayed results by devices which support SSL (HTTPS).
Connecting with HTTPS
When adding a new camera to an exacqVision Server or editing an existing camera connection, the IP Camera Information section on the Add IP Cameras page provides a Protocol drop-down menu. The following options are available:
HTTP
HTTPS If Available
HTTPS Required
Selecting ‘HTTPS If Available’ does not permit customizing the Port number field. This option will attempt to connect to the camera using HTTPS on port 443. If this attempt fails it will fall back to attempt connection with HTTP on port 80. This may add a small delay to the initial connection as it tests HTTPS first.
Selecting ‘HTTPS Required’ will only permit connection to the device using HTTPS. If the device cannot accept such a connection the device will fail to connect. You are permitted to change the Port number field should your camera be configured to provide HTTPS over a custom port number.
HTTPS Connection Symbols
The IP Camera List on the Add IP Cameras page as well as the Camera Recording page provide symbols in the Protocol column allowing you to quickly view which devices are connected with HTTPS and to what level.
An empty field in the Protocol column indicates an HTTP connection.
The gear icon denotes that the connection is made to the device with HTTPS, which encrypts the login credentials to the device, the camera web interface in the Client’s web panels, and CGI commands made to the camera.
A padlock icon in the Protocol column indicates that the HTTPS connection encrypts the credentials, web page, and CGI commands, but also includes encryption of the video stream.
NOTE: HTTPS between the exacqVision software and camera encrypts only the communications between those two devices.
Enabling HTTPS on Your Camera
Cameras will vary from manufacturer to manufacturer as well as between versions of firmware. Legacy firmware on some devices may require you to apply your own certificate. Many IP cameras today provide HTTPS support out-of-box using self-signed certificates. Below, we examine the settings on an Illustra IQ camera. For other devices, please refer to your device’s documentation.
NOTE: When accessing a camera through the web browser interface using HTTPS, your browser may warn you or prompt you for permission to continue due to having a self-signed certificate. A self-signed certificate can be used to encrypt communication but cannot provide certificate validation. Certificate validation requires the certificate be issued by a Certificate Authority (CA).
Some devices may require you to generate a new self-signed certificate if you have changed the IP address since the last certificate was created.
Illustra IQ Cameras
Illustra IQ devices provide self-signed certificates out-of-box. When entering the Setup mode of an Illustra IQ camera expand the Security menu, then navigate to the HTTP/HTTPS page, as shown.
This page allows you to configure the port number used. Using the Upload button will allow you to upload your own certificate from a trusted Certificate Authority rather than using the camera’s self-signed certificate.
If you decide to use a certificate from a Certificate Authority you must provide them with a Certificate Signing Request (CSR) from the camera. Each camera requires its own, unique certificate from your CA.
NOTE: Do not use wildcard certificates for this purpose.
To generate a CSR file to provide to your CA, navigate to the Generate CSR page, also found under the Security menu. Complete the form on the left as required for your site and needs, then click Apply. The field to the right will populate. You will copy the data from this field into a new text file, but save it as a .CSR file. If you accidentally save the file as .txt, simply replace the .txt file extension with .csr. Provide this file to your CA.
Click on the ‘Configuration’ link in the left hand navigation bar. This will expand with more options.
Click on the ‘HTTPS’ link.
Click on the ‘Configure’ button. If you already have an SSL certificate and private key (e.g. purchased from DigiCert, Thawte, GoDaddy, etc) choose External. Select “Let’s Encrypt / ACME” to provision a certificate and private key automatically. NOTE: There are prerequisites that have to be met to use this option.
Follow the instructions for the chosen configuration below
NOTE: Both the certificate and private key must be PEM encoded. The private key should be in RSA format.
Click on the File button next to the Certificate input and select the certificate to upload.
Click on the File button next to the Private Key and select the corresponding private key to upload.
(Optional) If you were given a certificate chain from your certificate provider click the File button next to the Certificate Chain input and select the chain certificate to upload.
Click Apply to upload the files.
Follow the prompts to restart the Web Service for the changes to take effect.
(Optional) Modify the External URL of your Web Service to use HTTPS.
This option is found under Configuration | Basic
NOTE: If you do not see any File buttons then you are using an older browser. Instead paste the contents of each file into the large text boxes provided.
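A pre-upload check for the PEM and RSA note in the External steps above, as an added example (not part of the product): it reads the PEM labels in each file and reports the key encoding. It assumes that "RSA format" means the PKCS#1 `RSA PRIVATE KEY` label and treats a passphrase-protected key as not ready; the sample blocks are constructed placeholders, not real key material.

```python
import base64
import re

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_blocks(data):
    """Return [(label, encrypted, body_ok)] for every PEM block in data (bytes)."""
    found = []
    for label, body in PEM_BLOCK.findall(data):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy encrypted keys carry headers such as "Proc-Type: 4,ENCRYPTED".
        encrypted = any(ln.startswith(b"Proc-Type:") and b"ENCRYPTED" in ln for ln in lines)
        payload = b"".join(ln for ln in lines if b":" not in ln)
        try:
            body_ok = bool(payload) and bool(base64.b64decode(payload, validate=True))
        except ValueError:
            body_ok = False
        found.append((label.decode("ascii"), encrypted, body_ok))
    return found

def classify_key(data):
    """Name the private-key encoding found in a key file."""
    blocks = pem_blocks(data)
    if len(blocks) != 1 or not blocks[0][2]:
        return "not-pem"            # DER, empty, truncated or multi-block file
    label, encrypted, _ = blocks[0]
    if encrypted or label == "ENCRYPTED PRIVATE KEY":
        return "encrypted"          # assumption: treated as not ready for upload
    return {"RSA PRIVATE KEY": "rsa-pkcs1", "PRIVATE KEY": "pkcs8",
            "EC PRIVATE KEY": "ec"}.get(label, "other:" + label)

def ready_for_upload(cert_data, key_data):
    """True when the pair matches the note: PEM certificate plus RSA-format key."""
    certs = pem_blocks(cert_data)
    cert_ok = bool(certs) and all(l == "CERTIFICATE" and ok for l, _, ok in certs)
    return cert_ok and classify_key(key_data) == "rsa-pkcs1"

def make_pem(label, header=b""):
    """Build a constructed PEM block whose payload is a placeholder string."""
    body = base64.encodebytes(b"constructed placeholder, not key material").strip()
    return b"-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, header, body, label)

if __name__ == "__main__":
    legacy = b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
    for name, key in [("pkcs1", make_pem(b"RSA PRIVATE KEY")),
                      ("pkcs8", make_pem(b"PRIVATE KEY")),
                      ("encrypted", make_pem(b"RSA PRIVATE KEY", legacy)),
                      ("der", b"\x30\x82\x01\x0a")]:
        print(name, classify_key(key), ready_for_upload(make_pem(b"CERTIFICATE"), key))
```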
Configuring HTTPS using Let’s Encrypt / ACME Server
Please check that the following prerequisites are met before proceeding.
A. Your Web Service is configured and running on the standard port (80)
B. Your Web Service is accessible over the internet at the domain name(s) you wish to provision a certificate for.
In the input under Domain Name enter the domain name you wish to provision a certificate for.
(Optional) If you have any Subject Alternative Names to add to the certificate enter them into the input under Subject Alternative Name(s)
Click Apply
A dialog should pop up with the status of your request. Provisioning a certificate may take a few minutes; please be patient.
If a certificate was issued successfully follow the prompts to restart the Web Service for the changes to take effect.
If an error is encountered attempt to solve the underlying issue before retrying. The production Let’s Encrypt service will rate limit you if you attempt too many times in a row. See https://letsencrypt.org/docs/rate-limits/ for more information.
(Optional) Modify the ExternalURL of your Web Service to use HTTPS.
This option is found under Configuration | Basic
Version 8.2 and Lower
Follow the instructions to manually configure HTTPS support in the Web Service.
There are two ways to modify the ports used by the Web Service:
Using the Web Service configuration interface
Hand editing the configuration file
It is recommended to use the configuration interface, whenever possible. However, it is possible that you must hand edit the configuration in cases where the Web Service cannot start (for example, if there is a port conflict). This article provides instructions for both methods.
Important: The structure and location of the Web Service config has changed over the life of the web service. Please pay close attention to the section headers in this article, as they indicate the versions to which particular instructions apply.
While various versions are mentioned in this article, it is recommended to keep your Web Service updated to the latest version to help prevent exposure to vulnerabilities and take advantage of the latest performance improvements.
Using the Web Service configuration UI
Versions 9.6 and above
Log into Web Service Configuration using your Web Service administrator account. Using the provided Web Service configuration interface navigate to Configuration > Ports.
Update the fields to change to your selected port number, then click ‘Apply’ to save your changes. The Web Service will need to restart to reflect your changes.
Versions 7.6 to 9.4
Web Service version 7.2 introduced Web Sockets for video streaming. Version 9.4 was the last version to feature Web Sockets, as it was replaced by other improvements.
When logging into Web Service Configuration, navigate to Configuration > Ports. Update the fields shown to your selected port numbers then click ‘Apply’ to save your changes. The Web Service will need to restart to reflect your changes.
Versions 7.2 to 7.6
Web Service version 7.2 introduced Web Sockets for video streaming. Version 9.4 was the last version to feature Web Sockets, as it was replaced by other improvements.
When logging into Web Service Configuration, navigate to Basic Service Configuration. You have the ability to update the Web Service Port and WebSocket Ports through the configuration page.
Changing the HTTPS (SSL) or Secure WebSocket (SSL) ports requires manually editing the configuration file. See the section in this article titled ‘Manual Configuration’ for more on these steps.
The Web Service will need to restart to reflect your changes.
Versions 7.0 and earlier
These versions are quite dated and as mentioned earlier, we recommend keeping your Web Services updated to help avoid vulnerabilities and take advantage of new features and performance enhancements.
Additional SSL Information
Note: Changing the SSL ports (https/wss) DOES NOT enable SSL. This merely allows you to easily modify those ports, but you still need to manually configure SSL support for both Apache and WebSockets. See the following article on configuring a certificate for HTTPS.
Firewall/Router Configuration
Note: Be sure to forward the new port in your router. Exacq Technical Support does not provide assistance with port forwarding, but see the following links if necessary:
Manual Configuration (hand editing the configuration)
The steps here will change depending on the type of port (HTTP vs. WebSockets) you wish to edit.
HTTP / HTTPS (Web Service versions 7.2 and above)
The first step to manual editing is to find the location of the config file where the port numbers are held. This depends on both the platform (operating system) and version of the Web Service you have installed.
Windows:
9.0.x+ (both HTTP and HTTPS are in the same file): C:\ProgramData\Webservice\conf\wfe.json
Linux:
9.0.x+ (both HTTP and HTTPS are in the same file): /etc/webservice/wfe.json
7.2.x – 8.8.x:
HTTP: /etc/evapache/httpd.conf
HTTPS: /etc/evapache/extra/httpd-ssl.conf
Determine where this file is for your install before continuing.
Once you have found the file, open it using your editor of choice (be sure to do so with administrative privileges) and perform either of the following depending on its name:
For httpd.conf (HTTP port) and httpd-ssl.conf (HTTPS port):
Find the Listen directive in the file
For example, if the current port is 80, the line should read Listen 80
Modify the port number as desired
Save the file and restart Apache and the Web Service
For wfe.json:
Find the webserver section
For the HTTP port:
Find the listen key, nested one level within the webserver section
Modify the port number as desired
For the HTTPS port:
Find the tls key, nested one level within the webserver section
Under the tls section, find the listen key one level below
Modify the port number as desired
Save the file and restart the web service
Web Sockets (7.2.x – 9.4.x)
Both the standard and SSL WebSocket ports are changed from the Web Service ini/conf file. The location and name of this file depends on the platform (operating system) and web service version:
Determine where this file is for your install before continuing.
Once you have found the file, open it using your editor of choice (be sure to do so with administrative privileges) and perform the following:
Find the [Broker] section. This will only appear if it was entered manually before, or you configured it previously using the UI. So if you do not see it, and are configuring it for the first time, you may need to enter it by hand.
The standard websocket port configuration is websocket_port = 8082, while the secure websocket port (wss) is ssl_port = 8083. Modify the port numbers as desired.
As mentioned above, if these configuration settings are not already present, or the [Broker] section is missing, the defaults are being used. You may manually add the section/settings with desired values should this be the case. The resulting section of the file should appear similar to the below example, with your custom port numbers.
    [Broker]
    websocket_port = 8082
    ssl_port = 8083
When a Panasonic camera is configured for Internet mode (over HTTP) when using H.264 or MPEG-4 compression, the camera’s trigger inputs do not work correctly. The triggers are in a normally open state by default, but they do not enter an alarm state when the circuit is closed.