Manage trust stores for AWS IoT SiteWise Edge proxy support - AWS IoT SiteWise

Manage trust stores for AWS IoT SiteWise Edge proxy support

When configuring AWS IoT SiteWise Edge components to connect through an HTTPS proxy, add the certificate authority (CA) certificate that issued the proxy's TLS listener certificate (or the proxy's own certificate, if it is self-signed) to every trust store used by the components that pass through the proxy. SiteWise Edge uses several trust stores; which one a component reads depends on the language it is implemented in.

Implementation requirements for proxy support

Which trust stores you must update depends on which SiteWise Edge components you run:

  • For full data processing pack (DPP) functionality through an HTTPS proxy, update all three trust stores: the AWS IoT Greengrass Core bundle, the Java trust store, and the operating system trust store.

  • If you run only the IoT SiteWise OPC UA collector and the IoT SiteWise publisher, update the AWS IoT Greengrass Core and Java trust stores.

Configure trust store locations for proxy support

SiteWise Edge components use three different trust stores based on their implementation:

AWS IoT Greengrass Core component trust store configuration

For the AWS IoT Greengrass Core functions that verify AWS endpoints against Amazon's root CA:

  1. Locate the CA bundle at /greengrass/v2/AmazonRootCA1.pem (the path is relative to the Greengrass root folder; adjust it if you installed Greengrass elsewhere).

  2. Append the HTTPS proxy's root CA certificate (self-signed), in PEM format, to this file. Keep the existing Amazon root CA entry: Greengrass still needs it to verify the AWS IoT endpoints, so never replace the file's contents. Make sure the existing text ends with a newline before you append, so that the END and BEGIN markers land on separate lines.

After the append, the file holds both certificates (shortened here to the placeholders the original example uses):

    -----BEGIN CERTIFICATE-----
    MIIEFTCCAv2gAwIQWgIVAMHSAzWG/5YVRYtRQOxXUTEpHuEmApzGCSqGSIb3DQEK
    CwUAhuL9MQswCQwJVUzEPMAVUzEYMBYGA1UECgwP1hem9uLmNvbSBJbmMuMRww
    ... content of proxy CA certificate ...
    +vHIRlt0e5JAm5oTIZGoFbK82A0/nO7f/t5PSIDAim9V3Gc3pSXxCCAQoFYnui
    GaPUlGk1gCE84a0X7Rp/lND/PuMZ/s8YjlkY2NmYmNjMCAXDTE5MTEyN2cM216
    gJMIADggEPADf2/m45hzEXAMPLE=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDQTCCAimgF6AwIBAgITBmyfz/5mjAo54vB4ikPmljZKyjANJmApzyMZFo6qBg
    ADA5MQswCQYDVQQGEwJVUzEPMA0tMVT8QtPHRh8jrdkGA1UEChMGDV3QQDExBBKW
    ... content of root CA certificate ...
    o/ufQJQWUCyziar1hem9uMRkwFwYVPSHCb2XV4cdFyQzR1KldZwgJcIQ6XUDgHaa
    5MsI+yMRQ+hDaXJiobldXgjUka642M4UwtBV8oK2xJNDd2ZhwLnoQdeXeGADKkpy
    rqXRfKoQnoZsG4q5WTP46EXAMPLE
    -----END CERTIFICATE-----

HTTPS Proxy configuration for AWS IoT Greengrass

When you use an HTTPS proxy with AWS IoT Greengrass on SiteWise Edge, note the following:

  • The scheme of the proxy URL decides how SiteWise Edge connects to the proxy: http:// gives a plaintext connection to the proxy, https:// a TLS connection. Only an https:// proxy presents a certificate of its own, so only that case requires the trust store changes on this page.

  • Provide proxy credentials in the userinfo part of the URI (of the form https://user:password@proxy-host:port) rather than as separate username and password fields. Percent-encode reserved characters in the password, such as @, : and /, and restrict read access to the configuration file, because the URI, credentials included, is stored there.

For more information on using a proxy server, see Connect on port 443 or through a network proxy in the AWS IoT Greengrass Version 2 Developer Guide.

Important

Update all required trust stores before attempting to connect through an HTTPS proxy.

Java-based component trust store configuration

For IoT SiteWise publisher, IoT SiteWise OPC UA collector, and the Java services in the data processing pack, the Java trust store is the cacerts file of the JDK those components run on: $JAVA_HOME/lib/security/cacerts on Java 9 and later (for example /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts for OpenJDK 11 on Ubuntu), or $JAVA_HOME/jre/lib/security/cacerts on Java 8.

To add a certificate:
  1. Save the proxy server's CA certificate to a file such as proxy.crt.

    Note

    keytool accepts the certificate in PEM (Base64) or DER form. The file must contain the certificate only, never a private key.

  2. Import the file into Java's trust store, pointing -keystore at the cacerts file of the JDK that actually runs the components:

    sudo keytool -import -alias proxyCert -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -file proxy.crt
  3. When prompted for the keystore password, use the default: changeit. keytool then prints the certificate and asks Trust this certificate? [no]: compare the fingerprint with the one your proxy administrator gave you and answer yes.

    Note

    A JDK upgrade or reinstall can replace cacerts and drop the imported entry. After a Java upgrade, confirm with keytool -list and the same alias that the entry is still present, and re-import it if not.

System-level component trust store configuration

For components written in Rust, Go, and other languages that use the operating system's trust store:

  • Linux systems: the bundle these components read is /etc/ssl/certs/ca-certificates.crt. On Debian and Ubuntu this file is generated, so do not edit it by hand: copy the certificate to /usr/local/share/ca-certificates/ with a .crt extension and run update-ca-certificates, which rebuilds the bundle. Manual edits to the generated bundle are lost the next time it is regenerated. On Red Hat based systems the equivalent is to copy the certificate to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.

  • Windows systems: To configure the trust store, follow the Certificate Store procedure in the Microsoft Ignite documentation.

    Windows offers multiple certificate stores, including separate stores for User and Computer scopes, each with several sub-stores. For most SiteWise Edge setups, we recommend adding certificates to the COMPUTER | Trusted Root Certification Authorities store: SiteWise Edge components run as a service account, and a certificate added only to the store of the administrator who performed the import is not visible to them. Depending on your specific configuration and security requirements, you might need to use a different store.
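The following script ties the three Linux procedures on this page together (the Greengrass Core bundle, the Java trust store, and the system trust store) and adds the checks a practitioner wants before and after: it refuses anything that is not a single certificate, does not duplicate the entry in AmazonRootCA1.pem when re-run, keeps the Amazon root CA in place, and verifies the proxy's listener against the resulting bundles with openssl. It is an added example, not AWS tooling or part of the SiteWise Edge software. Its paths are assumptions: the proxy CA in ./proxy.crt (PEM), Greengrass installed under /greengrass/v2, the Java components running on the JDK at /usr/lib/jvm/java-11-openjdk-amd64, and a Debian/Ubuntu host that provides update-ca-certificates. The proxy host name and the alias proxyCert are likewise placeholders.

```shell
#!/bin/sh
# Added example (not AWS tooling): install one proxy CA certificate into the three
# SiteWise Edge trust stores, idempotently, and verify the result.
# Assumed (hypothetical) paths: adjust to your installation.
set -eu

GG_BUNDLE=/greengrass/v2/AmazonRootCA1.pem
JAVA_CACERTS=/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts
SYSTEM_ANCHOR=/usr/local/share/ca-certificates/sitewise-proxy-ca.crt

# Number of PEM certificate blocks in a file; 0 if the file does not exist.
pem_cert_count() {
  if [ -f "$1" ]; then
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
  else
    echo 0
  fi
}

# Accept only a file holding exactly one certificate and no private key: the
# bundle and keytool both expect a CA certificate, and a key copied into a
# world-readable trust store would be a serious leak.
is_single_pem_cert() {
  [ "$(pem_cert_count "$1")" -eq 1 ] && ! grep -q -e 'PRIVATE KEY' "$1"
}

# Base64 body of the first certificate in a file, joined onto one line.
pem_body() {
  sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1" | sed '1d;$d' | tr -d '\n'
}

# 1. Greengrass Core: append the proxy CA to AmazonRootCA1.pem without touching
#    the Amazon root entry and without duplicating the proxy entry on re-runs.
append_to_bundle() {   # append_to_bundle <proxy.crt> <bundle.pem>
  cert="$1"; bundle="$2"
  is_single_pem_cert "$cert" || { echo "refusing: $cert is not a single PEM certificate" >&2; return 1; }
  if [ -f "$bundle" ] && tr -d '\n' < "$bundle" | grep -qF -e "$(pem_body "$cert")"; then
    return 0   # already trusted
  fi
  # A bundle that does not end in a newline would glue END and BEGIN markers together.
  if [ -f "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then printf '\n' >> "$bundle"; fi
  cat "$cert" >> "$bundle"
}

# 2. Java components: import into cacerts under a fixed alias. If the alias already
#    exists (for example after a proxy CA rotation), remove it with keytool -delete first.
import_into_java() {   # import_into_java <proxy.crt> <cacerts> [storepass]
  cert="$1"; store="$2"; pass="${3:-changeit}"
  if keytool -list -keystore "$store" -storepass "$pass" -alias proxyCert >/dev/null 2>&1; then
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias proxyCert \
    -keystore "$store" -storepass "$pass" -file "$cert"
}

# 3. System trust store (Rust/Go components). On Debian/Ubuntu the bundle at
#    /etc/ssl/certs/ca-certificates.crt is generated from the anchors directory,
#    so install the anchor and regenerate instead of editing the bundle.
install_into_system_store() {   # install_into_system_store <proxy.crt>
  install -m 0644 "$1" "$SYSTEM_ANCHOR"
  update-ca-certificates
}

# Verification: a TLS handshake to the proxy listener must chain to a CA in the
# given PEM bundle. Run it against the Greengrass bundle and the system bundle.
verify_proxy_cert() {   # verify_proxy_cert <bundle.pem> <proxy-host:port>
  openssl s_client -connect "$2" -CAfile "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

install_all() {   # install_all <proxy.crt>
  append_to_bundle "$1" "$GG_BUNDLE"
  import_into_java "$1" "$JAVA_CACERTS"
  install_into_system_store "$1"
}

# Usage: sudo sh trust-stores.sh install proxy.crt
#        sh trust-stores.sh verify proxy.example.com:3128
case "${1:-}" in
  install) install_all "${2:-proxy.crt}" ;;
  verify)  verify_proxy_cert "$GG_BUNDLE" "$2" && verify_proxy_cert /etc/ssl/certs/ca-certificates.crt "$2" ;;
esac
```

The Java store cannot be checked with openssl; after install, keytool -list with the alias proxyCert against the same cacerts path confirms the entry. Both install steps need root, and the verify step should be run from the SiteWise Edge host itself so that it exercises the same route to the proxy that the components use.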