
Secure Configuration Options (SSL/TLS)

Overview

Areas that require attention:

  1. Authentication of each Seeq Connector with the source system. For example, the Seeq OSIsoft PI Connector to the PI System(s).

  2. Changing the Seeq Server HTTP port. By default, the port is 34216.

  3. Seeq can run as a Windows service or as a desktop application. When run as a desktop application, all the processes run under the logged-in user. Services run under the Local System identity by default. This can be modified.

Windows Service Account Configuration

This section pertains to Seeq Server running on Windows. If you are using Linux, you will need to run Seeq as a daemon. Contact Seeq support for more information.

In order to control the domain account that is used for Seeq Server activity, you must run Seeq Server as a Windows Service. Take the following steps to configure it appropriately:

  1. Double-click on the Launch Seeq icon on the Windows Desktop.

  2. Click the Windows Service radio button. Seeq Server may shut down if it was running.

  3. Launch the Windows Services control panel: press the Windows+R key combination to bring up the Run dialog, type services.msc and press ENTER.

  4. Find the Seeq Server entry and double-click it.

  5. In the resulting Properties dialog, change the Startup type to Automatic.

  6. Click the Log On tab and change the credentials there as appropriate.

Windows uses the "Network Service" account as the default Log On for services. This account is a built-in account that has limited access to the registry and system folders and files. The account does not have the privileges of the Administrators group, but it does have the privileges of the Everyone, Authenticated Users, and Users groups, and it can access network resources using Windows authentication (using the computer's credentials). The "Network Service" account typically will not have access to the various datasources you would like to connect with Seeq.

It is recommended to work with your IT department to establish a dedicated service account in Active Directory that has read permissions to any datasources to which Seeq will connect. The account must also have access to directories that Seeq requires to run (see Configuring Windows File Permissions). The account should not be an individual user's account and should not have a password change policy on it, if possible; this is because changes to the user's account are not automatically propagated to the service logon, and downtime can result.

  7. Click the OK button. You may receive a confirmation dialog that indicates that the credentials you specified have been granted appropriate operating system privileges.

It is important to use the Services control panel to configure the log on credentials so that these privileges are granted. Using the Manage Windows Service button on the Seeq Server interface cannot grant the appropriate privileges.

  8. Close the Services control panel window.

  9. On the Seeq Server user interface, click the Manage Windows Service button.

  10. Click Start. At the bottom of the Seeq Server user interface, you should see messages indicating that the server is starting up.

Configuration File Authorization

It is a best practice to secure the Seeq data folder such that only appropriate domain accounts have read and write access. The data folder can contain configuration files with database passwords that should only be viewable by appropriate personnel. Furthermore, the admin_reset.properties file (located in configuration/ in Seeq Server version R22.0.46.00 and later; located at configuration/appserver in prior versions) is used to add a new admin user or reset their password, and therefore should be secured appropriately.

Use operating system file access features to set read/write privileges appropriately. See Configuring Windows File Permissions for an example of how to do this on Windows.

Seeq Server HTTP Port

The Seeq Server, by default, listens on port 34216. To change it:

  1. Update the Network/Webserver/Port option to the desired port using the Seeq Command Prompt.

  2. Update the Network/Hostname option to the desired host name using the Seeq Command Prompt.

  3. Restart the Seeq Server.

The Seeq installation provides all components, including a web server. Another web server, such as IIS, must not be running on the Seeq machine. If Seeq is configured to port 80 and another web server is running, Seeq will not start. 

If you set the port to 80, your users now just need to point their browser at http://ServerName, where ServerName is the address of the Seeq Server. Even if you configure Seeq for HTTPS, it is best to keep the Seeq server port set to 80; users will be redirected to the https port (443).

If you find that you can't connect to Seeq because it redirects to a non-existent URL, you'll likely need to configure Network/Hostname. For example, if you have created a DNS entry for the Seeq Server so that it can be accessed by users at http://seeq.example.com:34216, but navigating to that URL redirects your browser to http://win-abc123xyz:34216 and fails to connect, then you'll need to configure Network/Hostname to be "seeq.example.com".

Secure Server via HTTPS

Update the following options as described in Seeq Configuration and User Data Files:

Set the Network/Webserver/SecurePort option to 443

Set the Network/Hostname option to the subject of the SSL certificate

It is common for DNS to define a hostname for the Seeq server that is different from the OS name of the Seeq server. The DNS name is the one the user references in the URL. This name must be the subject of the certificate and it must be set in the global.properties seeq_server_hostname property (or Network/Hostname option in R22.0.46.00 and later) as described above.

You must now place a certificate and key in the keys folder under the Seeq global folder (C:\ProgramData\Seeq\keys if the global folder has not been moved) with the names:

seeq-cert.pem
seeq-key.pem

If using Seeq 0.49 or earlier, place the certificate and key in the keys folder under the Seeq data folder (C:\ProgramData\Seeq\data\keys if the data folder has not been moved).

You will likely need to coordinate with the Information Technology team within your organization to obtain a certificate that can be deployed as a trusted certificate within the organization. Otherwise, you can obtain a certificate from a Certificate Authority (CA) like https://letsencrypt.org (free, but limited to internet-facing servers) or https://ssl.comodo.com (not free). Seeq will also work with a self-signed certificate, but your users would see a certificate warning in their browser when navigating to Seeq. For more information on how to request a certificate under Windows, see our knowledge base article Request and install Seeq SSL certificate under Windows.

Seeq requires the public certificate seeq-cert.pem and private key seeq-key.pem to be in separate PEM-format files. IT may provide you with the certificate information in a different format. If that is the case, you can use OpenSSL to convert your file into a format for Seeq.

OpenSSL is a very common and well-supported open source library for working with security certificates. If you don't already have OpenSSL on a computer that's available to you (it doesn't have to be run on the Seeq server), you can download a pre-compiled binary. Note that most Linux platforms include OpenSSL by default.

Format Conversion Commands

Private key

PFX to PEM:  openssl pkcs12 -in key.pfx -nocerts -nodes | openssl rsa -out seeq-key.pem

Public certificate

CER or CRT:  openssl x509 -inform der -in certificate.cer -out seeq-cert.pem

P7B:  openssl pkcs7 -print_certs -in certificate.p7b -out seeq-cert.pem

PFX (certificates only; -nokeys keeps the private key out of the certificate file):  openssl pkcs12 -in certificate.pfx -nokeys -out seeq-cert.pem
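The requirement that the certificate and the private key sit in separate PEM files can be checked before the files are copied to the keys folder. The following is an added example, not part of Seeq's documentation or tooling; the function names are hypothetical and the sample PEM data is constructed with placeholder bytes.

```python
import base64
import re

# One PEM block: captures the label and the text between the BEGIN/END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the label of every well-formed PEM block in text, in order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Skip RFC 1421 header lines such as "Proc-Type: 4,ENCRYPTED".
        b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        base64.b64decode(b64, validate=True)  # raises if the body is corrupted
        labels.append(label)
    return labels

def check_pair(cert_text, key_text):
    """Return layout problems for a cert/key pair; an empty list means none."""
    problems = []
    cert, key = pem_labels(cert_text), pem_labels(key_text)
    if "CERTIFICATE" not in cert:
        problems.append("cert file has no PEM CERTIFICATE block")
    if any(lb.endswith("PRIVATE KEY") for lb in cert):
        problems.append("cert file contains a private key")
    n_keys = sum(lb.endswith("PRIVATE KEY") for lb in key)
    if n_keys != 1:
        problems.append("key file holds %d private keys, expected 1" % n_keys)
    if "CERTIFICATE" in key:
        problems.append("key file contains a certificate")
    return problems

def _pem(label, payload):
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed samples: payloads are placeholder bytes, not real key material.
GOOD_CERT = _pem("CERTIFICATE", b"leaf") + _pem("CERTIFICATE", b"issuing CA")
GOOD_KEY = _pem("RSA PRIVATE KEY", b"key")
# A PKCS#12 export that wrote the key and the certificates into one file.
MIXED = "Bag Attributes\n    friendlyName: seeq\n" + _pem("PRIVATE KEY", b"key") + GOOD_CERT

if __name__ == "__main__":
    for name, pair in [("separate", (GOOD_CERT, GOOD_KEY)),
                       ("mixed", (MIXED, GOOD_KEY)),
                       ("swapped", (GOOD_KEY, GOOD_CERT))]:
        print(name, check_pair(*pair))
```

This checks file layout only; it does not confirm that the key matches the certificate or that the certificate subject matches Network/Hostname.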

Creation Commands

Private key: openssl genrsa -out seeq-private.key 2048

Certificate signing request (CSR) for the public certificate: openssl req -new -sha256 -key seeq-private.key -out seeq.csr

Once the key and certificate are in place and the secure settings have been configured in global.properties, restart Seeq Server. Connections should now display in the browser as secure, and the protocol should be https instead of http.

Seeq Remote Agents

If there are any Seeq Remote Agents that connect to this Seeq Server, make sure to update each Remote Agent.

The Seeq Server processes open several "internal" ports in the range 34210-34230.

For security reasons, it is recommended that the Seeq Server's firewall is configured to allow only the HTTP / HTTPS ports described in this article. Other ports may be necessary for SSH and RDP, but no other Seeq internal ports should be open.
