Open the Web Server dialog to set the camera's web server options.
For further information on working with certificates, see section Procedures for Using and Creating X.509 Certificates.
|Port(s) for the web server||Per factory default settings, browsers can reach the camera's web server using port 80 (the standard port for HTTP requests). However, if the camera needs to be accessible from the local network (intranet) and from the Internet, two web server ports can be defined for security reasons, so that local network and Internet access can be clearly separated. Within the local network, the camera is accessible via port 80 and can be integrated in a MultiView display, for example. Access from the Internet uses a router connection with a mapped port to the camera. As port 80 is already in use on the local network, the router channels access from the Internet to a different camera port (e.g. 8080). In this case, you would have to enter the values 80 and 8080 for the ports. Modify these settings only if you are fully aware of the consequences. A single invalid setting may render the camera unreachable.|
Select this setting if you would like to enable unencrypted connections to the camera's web server. In this case, the web server opens the port(s) specified in Port or ports for web server for HTTP requests.
|Enable HTTPS||Select this setting if you would like to enable encrypted connections to the camera's web server. In this case, the web server opens the port specified in SSL/TLS port for HTTPS server for HTTPS requests.|
|SSL/TLS port for HTTPS server||Specify the TCP port for SSL connections in this field. You can set only one port for HTTPS. If this field is empty and Enable HTTPS is activated, the web server will use port 443 (default) for HTTPS requests.|
|Download X.509 certificate||This button is only active if the camera contains an individual X.509 certificate. Use this button to download the X.509 certificate and corresponding private key currently used by the camera's web server to your computer, in PEM format.|
|Download X.509 certificate request||This button is only active if the camera has generated an X.509 certificate request before (see Generate self-signed X.509 certificate and X.509 certificate request). Use this button to download a certificate request in PEM format to your computer, which corresponds to the generated private key. This certificate request can be signed by an external certification authority and the resulting X.509 certificate can be uploaded to the camera (see Replace the X.509 certificate and private key currently used by the camera).|
This section shows the details of the certificate currently used by the camera.
Displays the details of the issuing certification authority. The field abbreviations correspond to those in the Generate self-signed X.509 certificate and X.509 certificate request section.
Displays the details of the certified body (e.g. you). The field abbreviations correspond to those in the Generate self-signed X.509 certificate and X.509 certificate request section.
|Validity period||Displays the validity period of the currently used certificate.|
|Delete the X.509 certificate||Deletes the X.509 certificate and corresponding private key currently used by the camera. After rebooting the camera, it will use its factory-supplied self-signed X.509 certificate again (factory default).|
|Upload the X.509 certificate and private key||Replaces the X.509 certificate and corresponding private key currently used by the camera. This X.509 certificate and the corresponding private key have to be created and signed by an external certification authority.|
|Upload X.509 certificate||Replaces the currently used X.509 certificate while keeping the currently used private key. Use this function to upload an X.509 certificate that has been generated from a previously created certificate request (see Generate self-signed X.509 certificate and X.509 certificate request).|
|Generate||Creates a new, self-signed X.509 certificate, the corresponding private key and a certificate request according to the information entered in the Generate self-signed X.509 certificate and X.509 certificate request section.|
|Upload X.509 certificate from file||To upload an X.509 certificate, enter the file name of the certificate file (in PEM format) on your computer. If the X.509 certificate and the corresponding private key are stored in one file, you can enter the name of that file in this field.|
|Upload X.509 private key from file||To upload the private key belonging to an X.509 certificate, enter the file name of the key file (in PEM format) on your computer. If the X.509 certificate and the corresponding private key are stored in one file, you can enter the name of that file in this field.|
|Passphrase||Enter the passphrase if the private key has been encrypted with a passphrase.|
The fields of the form correspond to the fields of an X.509 certificate.
Abbreviation: CN. This is the only required information in this section of the dialog. Enter the complete DNS name (Fully Qualified Domain Name) of this camera. It is also possible to enter an IP address, but this is not recommended. Make sure that this field exactly matches the DNS name that you use in a web browser to access the camera, since the certificate would otherwise be invalid for that name.
Abbreviation: C. Nationality of the certificate owner (optional).
|State or province||Abbreviation: ST. State/province of the certificate owner (optional).|
Abbreviation: L. City/location of the certificate owner (optional).
Abbreviation: O. Company, organization, etc. of the certificate owner (optional).
Abbreviation: OU. Department/work group of the certificate owner (optional).
E-mail address of the certificate owner (included in CN, optional).
|Note:||If an external certification authority should sign the certificate request generated using this function, make sure that you follow the guidelines of the certification authority on the optional and required fields and not the recommendations of this form. The self-signed X.509 certificate has a validity period of 10 years. The key pair is 2048 bits long.|
The X.509 certificates used in this dialog do not affect other areas of the camera and will be ignored if HTTPS with SSL/TLS has not been activated.
As soon as HTTPS has been activated and the camera has been rebooted, you can use HTTPS. The camera will then use its factory-supplied, self-signed X.509 certificate that is identical for all MOBOTIX cameras. This certificate will not offer much security as it cannot guarantee the authenticity of the camera. This would allow a potential attacker to manipulate the data stream even though the camera uses a high-performance encryption scheme ("Man-in-the-middle" attack).
In the section Replace the X.509 certificate and private key currently used by the camera, click on Generate and enter the appropriate information in the section Generate self-signed X.509 certificate and X.509 certificate request. Next, click on the Set button. The camera will generate an individual, self-signed X.509 certificate (this may take some time). The certificate request created at the same time will not be used. After rebooting the camera, it will use the new self-signed X.509 certificate.
|Note:||Make sure that you save the changes permanently before rebooting the camera (click Set, click on Close and approve the prompt).|
When first accessing the camera after the reboot, your web browser will tell you that it cannot verify the certificate and will ask you if you would like to accept the certificate anyway. The next step is relevant for security: make sure that you only accept the certificate if you are absolutely sure that you are actually connected to the certified camera (e.g. by directly connecting the camera to the computer using a crossover cable). Note that you will have to accept the certificate for each accessed camera. This certificate is sufficient for securing the data transmission, but it is not the optimum yet. The authenticity of the camera can only be verified if the certificate of the camera is known beforehand.
Option 1: You can upload an X.509 certificate and the private key to the camera. To do so, use the function Upload the X.509 certificate and private key in the section Replace the X.509 certificate and private key currently used by the camera. You can purchase an X.509 certificate and private key from an external authority or you can run your own certification authority, e.g. by using OpenSSL. In this case, it is not required to generate a certificate request beforehand. A certificate request already present in the camera will be deleted upon executing this function. Every camera requires an individual certificate from the certification authority.
Option 2: Create a certificate request on the camera. The certificate request will be created together with the self-signed X.509 certificate (see HTTPS with an Individual, Self-Certified X.509 Certificate). As soon as the camera has created the certificate request, you can download this file in the Web Server section by clicking on the Download button behind Download X.509 certificate request. Send this certificate request file to the certification authority for signing. Until you receive the X.509 certificate from the certification authority, the camera will use its self-signed X.509 certificate.
Upload the X.509 certificate signed by the certification authority using Upload X.509 certificate from file in the section Replace the X.509 certificate and private key currently used by the camera to the camera you would like to certify. This option has the advantage that the private key does not leave the camera, again enhancing its trustworthiness. Every camera requires an individual certificate from the certification authority. The certificate request, the certificate and the private key belong together. It is not possible to upload a certificate into a camera that matches the certificate request created by a different camera.
Such a certificate guarantees the optimum security for data transmission, since the camera's authenticity can be verified against the root certificate of the certification authority. "Man-in-the-middle" attacks are no longer possible. Moreover, it is not necessary to download the certificate of every camera, as is the case with the self-signed X.509 certificate. All you need to do is import the root certificate of the certification authority into the browser once. The root certificates of commercial certification authorities are usually already present in modern browsers.
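As an added example of Option 2 above (this is not MOBOTIX code and not part of the original page), the following POSIX shell script uses OpenSSL to run a small private certification authority, sign a camera's certificate request and check the result the way a browser does after the root certificate has been imported once. The camera hostname, the working directory and all subject names are constructed for the example; on a real camera, Generate creates the key and request and you download the request, so the private key never leaves the device. The subject uses the same fields as the form above (C, O, OU, CN), with CN set to the camera's fully qualified DNS name.

```shell
#!/bin/sh
# Added example (not MOBOTIX code): a private certification authority with OpenSSL.
# Signs a camera's certificate request (Option 2 above) and checks the result the
# way a browser does after the CA root has been imported once.
# Hostname, directory and subject names below are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CAMERA_FQDN="${CAMERA_FQDN:-cam01.example.internal}"   # must equal the CN entered in the camera's form

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORKDIR/req.cnf"

# 1. The CA: a 2048-bit key and a self-signed root valid for 10 years, marked as a CA.
make_ca() {
  openssl req -config "$WORKDIR/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=DE/O=Example Site/OU=Video Security/CN=Example Site Camera CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORKDIR/ca.ext"
  openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" -days 3650 -sha256 \
    -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Stand-in for the camera. On a real camera, Generate creates this key and request
#    and you download the request; the private key never leaves the device. The subject
#    uses the same fields as the form (C, O, OU, CN) with CN = the camera's FQDN.
make_camera_csr() {
  openssl req -config "$WORKDIR/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=DE/O=Example Site/OU=Video Security/CN=$CAMERA_FQDN" \
    -keyout "$WORKDIR/camera.key" -out "$WORKDIR/camera.csr" 2>/dev/null
}

# 3. Sign the request. A subjectAltName is added because current browsers match the
#    hostname against SAN, not CN; serverAuth limits the certificate to TLS servers.
sign_camera_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$CAMERA_FQDN" > "$WORKDIR/camera.ext"
  openssl x509 -req -in "$WORKDIR/camera.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORKDIR/camera.ext" \
    -out "$WORKDIR/camera.crt" 2>/dev/null
}

# 4. What the browser checks: a chain to the trusted root, and that the certificate
#    is for the hostname typed into the address bar.
verify_camera_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/camera.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$WORKDIR/camera.crt" -noout -checkhost "$CAMERA_FQDN" 2>/dev/null |
    grep -q "does match"
}

# 5. Request, certificate and key belong together: compare the public key in a key
#    file with the one in a certificate (succeeds only for the matching pair).
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

run_all() {
  make_ca && make_camera_csr && sign_camera_csr && verify_camera_cert
}

run_all
echo "Issued $WORKDIR/camera.crt for $CAMERA_FQDN; import $WORKDIR/ca.crt into the browser once"
```

Run it with `sh` after setting CAMERA_FQDN to the name you use in the browser; import ca.crt into the browser once and upload camera.crt to the camera via Upload X.509 certificate from file. The key_matches_cert check is the local counterpart of the rule that a certificate issued for one camera's request cannot be used with another camera's key.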
The parameters in the Intrusion Detection section provide an additional protection layer against unwanted intruders. If an intruder tries to access the camera using "brute force" methods to guess user names and passwords, the camera sends an alert and, if required, can automatically lock out the offending IP address after a certain number of failed attempts.
The Notification threshold controls the number of allowed failed attempts when trying to establish a connection to the camera (minimum value is 5). The alert is sent once this number is exceeded.
|Caution:||Even when a user with valid credentials accesses the camera for the first time, this causes a failed attempt. The browser on the user's computer needs this first failed attempt to recognize that this website needs authentication credentials, prompting the browser to show its user name/password dialog. This weakness of the HTTP protocol is "by design" and hence unavoidable.|
Successive attempts of a user when trying to access a URL will be combined to one entry in the Web Server Logfile. This entry only contains information on when the user accessed the camera and how many access attempts of this user have been recorded during the specified time span. If a user accesses the camera again within the time span specified in Timeout after the last access, this additional access will be added to the existing entry in the Web Server Logfile (increase access counter by one, update date and time of the last access).
If the new access of a user occurs after the time span specified in Timeout, this access creates a new entry in the Web Server Logfile. This procedure will be applied to all authorized and unauthorized accesses. Intrusion Detection uses the data from the Web Server Logfile and is hence influenced by the Timeout parameter.
A Timeout value of a few minutes will make distinguishing the individual access attempts easier. On the other hand, this will also increase the possibility of false alarms, since a successful access attempt cannot be added to a preceding failed attempt. The default value is 60 minutes, which is a good compromise.
The Deadtime controls the minimum time between two successive alert notifications. Once a notification has been sent, a new notification will only be sent if the deadtime has expired and the number of failed attempts has again exceeded the notification threshold. The default value is 60 minutes. Setting this parameter to 0 will prompt the camera to send a notification on every access attempt.
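To make the interplay of Notification threshold, Timeout and Deadtime visible, here is an added example (not MOBOTIX code and not part of the original page): a simplified model of the counters described above, implemented in POSIX shell with awk and run over constructed log lines. The camera's real Web Server Logfile format is not shown on the page, so the line format, the sample IP addresses and timestamps are assumptions; the model follows the text (accesses by one IP within Timeout share one entry, an alert fires when the failures in an entry exceed the threshold, Deadtime spaces out alerts, and Deadtime 0 alerts on every further access).

```shell
#!/bin/sh
# Added example (not MOBOTIX code): a simplified model of the Intrusion Detection
# counters described above, run over constructed web-server log lines. The real
# logfile format is not shown on the page; the line format used here is assumed:
#   <seconds since start> <client IP> <OK|FAIL> [free-text comment, ignored]
set -eu

# Constructed sample: one valid user (10.0.0.5) whose first request fails by design,
# and one client (10.0.0.9) guessing passwords, returning after two hours.
SAMPLE_LOG='0 10.0.0.5 FAIL first request of a valid user, sent without credentials
1 10.0.0.5 OK
60 10.0.0.9 FAIL
61 10.0.0.9 FAIL
62 10.0.0.9 FAIL
63 10.0.0.9 FAIL
64 10.0.0.9 FAIL
65 10.0.0.9 FAIL sixth failure: threshold 5 exceeded
66 10.0.0.9 FAIL
67 10.0.0.9 FAIL
68 10.0.0.9 FAIL
69 10.0.0.9 FAIL
70 10.0.0.9 FAIL
71 10.0.0.9 FAIL
7200 10.0.0.9 FAIL more than Timeout after the last access: new logfile entry'

# count_alerts TIMEOUT_SEC THRESHOLD DEADTIME_SEC  (log on stdin, alert count on stdout)
# Model: accesses from one IP closer together than TIMEOUT belong to the same logfile
# entry, so the failure count restarts when a new entry begins. An alert is sent when
# the failures in an entry exceed THRESHOLD and no alert was sent within DEADTIME; with
# DEADTIME 0 every further access keeps alerting, as the text states.
count_alerts() {
  awk -v timeout="$1" -v threshold="$2" -v deadtime="$3" '
    {
      t = $1 + 0; ip = $2; result = $3
      if (!(ip in last) || t - last[ip] > timeout) fails[ip] = 0   # start a new entry
      last[ip] = t
      if (result == "FAIL") fails[ip]++
      if (fails[ip] > threshold && (!sent || t - last_alert >= deadtime)) {
        alerts++; sent = 1; last_alert = t
        if (deadtime > 0) fails[ip] = 0      # the count must exceed the threshold again
      }
    }
    END { print alerts + 0 }'
}

# Count alerts over the sample above with the given Timeout, threshold and Deadtime.
alerts_for() {
  printf '%s\n' "$SAMPLE_LOG" | count_alerts "$1" "$2" "$3"
}

echo "Timeout 60 min, threshold 5, deadtime 60 min: $(alerts_for 3600 5 3600) alert(s)"
echo "Timeout 60 min, threshold 5, deadtime 0:      $(alerts_for 3600 5 0) alert(s)"
```

With the defaults (Timeout and Deadtime 60 minutes, threshold 5) the sample produces one alert: the valid user's single failed request never reaches the threshold, and the twelve failures from 10.0.0.9 within one entry trigger only once because the Deadtime suppresses the second notification. With Deadtime 0 the same log yields seven alerts, one for the sixth failure and one for each access after it.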
If the camera triggers an alert, it can use the following options for sending notifications:
|Note:||When sending an e-mail notification, the camera will always append the Web Server Logfile as an attachment, independent from the attachment specified in the e-mail profile.|
The alerts triggered by Intrusion Detection are independent of the other alerting mechanisms and the event storage of the camera. If an alert triggered by Intrusion Detection should appear in the event storage for camera images, you should proceed as follows:
127.0.0.1:8000 as the Destination Address).
If IP-Level Access Control has been set up, the camera can use the Block IP Address feature to automatically block the IP address from which the unsuccessful logins had been attempted. This lock will be triggered if the Notification Threshold is reached; it is temporary and will be lifted upon the next reboot of the camera.
|Note:||If an IP address has been granted access in the IP-Level Access Control dialog, this IP address cannot be locked automatically. If you would like to activate the automatic locking of any IP address, you should delete all Allow access rules in the IP-Level Access Control dialog.|
Click on the Set button to activate your settings and to save them until the next reboot of the camera.
Click on the Close button to close the dialog. While closing the dialog, the system checks the entire configuration for changes. If changes are detected, you will be asked if you would like to store the entire configuration permanently.
In order to enable these settings, you need to store the configuration and reboot the camera!