To work properly, the TCP Server and its TCP Clients should use the same TLS handshake type.
For example, if the server uses the TLS handshake but the client uses the Mutual TLS handshake, this may lead to errors.
TCP Server and TCP Client devices can be configured with the following TLS handshake types:
- No security/encryption
  - TCP traffic is not encrypted
  - Any client can connect to the server
- TLS (server certificate only)
  - TCP traffic (for data and control TCP ports) is encrypted
  - Any client can connect to the server
  - Client: the remote server certificate can be validated and compared with an "allow-list" by thumbprint
  - The server needs to load a certificate with a private key from the Personal Certificate Store (User or Machine store)
- Mutual TLS (server and client certificates)
  - TCP traffic (for data and control TCP ports) is encrypted
  - Only trusted clients can connect to the server
  - Server: the remote client certificate can be validated and compared with an "allow-list" by thumbprint
  - Client: the remote server certificate can be validated and compared with an "allow-list" by thumbprint
  - Both the server and the client need to load a certificate with a private key from the Personal Certificate Store (User or Machine store)
By default, the EterlogicVspeDeviceManagerService Windows service runs under the LOCAL SERVICE account. This account is low-privileged and does not have access to the Windows certificate store.
To address that, identify an existing user account to use (or create a new one for the VSPE service) and use one of the following options:
- Option 1: Configure the EterlogicVspeDeviceManagerService Windows service to run under an account that has access to the certificate store
  - Open Services from Control Panel
  - Double-click EterlogicVspeDeviceManagerService and set the account under the "Log On" tab
- Option 2: Start EterlogicVspeDeviceManagerService manually under an account that has access to the certificate store (EterlogicVspeDeviceManagerService.exe run). See Running VSPE without service.
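
The following PowerShell check is an added example, not part of the VSPE documentation: it reports which account the service runs under and lists the Personal store certificates that have a private key, with the thumbprints used for allow-lists. It assumes the Windows service name is EterlogicVspeDeviceManagerService; run it as the account chosen for the service, because the CurrentUser store is per user.

```powershell
# Added example, not VSPE's own tooling.
# Assumption: the Windows service name matches the name used on this page.
$serviceName = 'EterlogicVspeDeviceManagerService'

# 1. Report the logon account of the service.
#    LOCAL SERVICE appears as "NT AUTHORITY\LocalService".
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if ($svc) {
    'Service {0} runs as {1} (state: {2})' -f $svc.Name, $svc.StartName, $svc.State
} else {
    Write-Warning "Service '$serviceName' was not found on this machine."
}

# 2. List certificates in the Personal stores that could be loaded for TLS:
#    they must have an associated private key and be inside their validity period.
#    Cert:\CurrentUser\My is the store of the user running this script,
#    so run it as the service account to see what the service would see.
$now = Get-Date
$candidates = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object {
            $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
        } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, NotAfter, Thumbprint
}

if ($candidates) {
    # Thumbprint is the SHA-1 hash of the certificate as 40 hex characters.
    $candidates | Format-Table -AutoSize
} else {
    Write-Warning 'No valid certificate with a private key in the Personal stores.'
}
```

HasPrivateKey only shows that a key is associated with the certificate; for Machine store certificates the private key's access control list must also allow the service account to read it.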