Configuring Secure Connections


DW Spectrum supports standard connections through HTTP as well as secure connections via HTTPS, where all communications between the client (regular, web or mobile) and server are encrypted.

By default, DW Spectrum encryption is enabled for management traffic. Enabling encryption to force all servers in the System to accept only secure HTTPS connections prevents API requests, the server Web Admin interface, and other data (user accounts, device access credentials, etc.) from being intercepted and analyzed. You also have the option to force video traffic encryption to prevent your video streams (live and playback) from being intercepted and viewed by third parties.

Also by default, the server is installed with a generated self-signed certificate, which has the lowest security level. If you use this certificate and connect to the server through HTTPS with a web browser, a warning message will appear stating that the connection to the site is not secure. For this reason, using the self-signed certificate is not recommended, even though a secure connection is used. Instead, obtain a certificate from an authorized certificate provider and install it on the server that is used for public access (from outside of the local network).

To obtain and install an authorized certificate

1. Obtain a certificate from any certificate provider (for instance, see the list of top ones here: https://www.techradar.com/news/best-ssl-certificate-provider).

2. Create a file cert.pem with the Private Key and Entire Trust Chain (see the instructions on the certificate provider's web site).

3. Place the cert.pem file in the following folder:

Windows: C:\Windows\System32\config\systemprofile\AppData\Local\Digital Watchdog\Digital Watchdog Media Server\ssl

Linux: /opt/digitalwatchdog/mediaserver/var/ssl

4. Restart the server.
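
A pre-install check for the cert.pem file from steps 2 and 3, as an added example that is not part of the DW Spectrum documentation: it confirms that the file holds exactly one private key and more than one certificate, and uses Python's ssl module to confirm that the key matches the first certificate. The function names and the sample blocks are constructed for illustration.

```python
import re
import ssl

# Matches one PEM block and captures its label, e.g. "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def inspect_cert_pem(text):
    """Return a list of structural problems in a combined key + chain PEM."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    other = [l for l in labels if l not in keys and l not in certs]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    if not certs:
        problems.append("no certificate found")
    elif len(certs) == 1:
        problems.append("only 1 certificate, trust chain is incomplete")
    if other:
        problems.append("unexpected blocks: " + ", ".join(other))
    return problems

def key_matches_leaf(path):
    """True if OpenSSL loads the file as a certificate chain plus matching key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # With no keyfile argument the private key is read from certfile too.
        # The empty password keeps an encrypted key from prompting on stdin.
        ctx.load_cert_chain(certfile=path, password=lambda: "")
        return True
    except (ssl.SSLError, OSError, ValueError):
        return False

def fake_block(label):
    """Constructed placeholder block: correct framing, meaningless body."""
    return f"-----BEGIN {label}-----\nQUJD\n-----END {label}-----\n"

# Constructed sample: one key, a leaf and one intermediate certificate.
SAMPLE = fake_block("PRIVATE KEY") + fake_block("CERTIFICATE") * 2

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # check a real file before copying it
        with open(sys.argv[1]) as fh:
            print(inspect_cert_pem(fh.read()), key_matches_leaf(sys.argv[1]))
    else:
        print(inspect_cert_pem(SAMPLE))        # structural check only
```

Run it with the path to cert.pem as the only argument; an empty list followed by True means the file is structurally complete and the key belongs to the first certificate.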

For servers within the local network it is recommended to install the Self-Signed SSL certificate into the Trusted Root Certificate Authorities Store (https://specopssoft.com/support-docs/specops-password-reset/reference-material/installing-the-self-signed-ssl-certificate-into-the-trusted-root-certificate-authorities-store/).

To force secure connections

1. Open Main Menu > System Administration (Ctrl+Alt+A).

2. In the General tab, toggle the Allow only secure connections checkbox.

3. Apply changes.

! IMPORTANT: This setting will affect the following:

Generic Events should be reconfigured in the external system. All integrations configured to work with HTTP need to be updated and tested.

API calls – all external systems that use the API for integrations should be reconfigured to use HTTPS and then tested.

Once HTTPS is enabled, the first time you attempt to log onto a server's web page, the browser may first display warnings that indicate a bad certificate and insecure connection ("Your connection is not private. Attackers might be trying to steal your information..."). This is not the case. The warning is a safety feature due to the self-signed certificate on the server. The connection will in fact be more secure.

4. To proceed using an HTTPS connection, click on the word Advanced, then click the Proceed to [xxx.x.x.x] (unsafe) link to log in. You should only need to do this the first time the HTTPS connection is established.

Note: This option is turned on by default.

To enable encrypted video traffic (only available if the System is configured to use secure connections)

1. Open Main Menu > System Administration (Ctrl+Alt+A).

2. In the General tab, check the Encrypt video traffic checkbox.

! IMPORTANT: Encrypting video traffic will significantly increase CPU usage on the server, so it should not be used if a System has servers installed on low-powered computers or ARM devices.