Please ensure Javascript is enabled for purposes of website accessibility
Powered by Zoomin Software. For more details please contactZoomin

AVEVA™ Asset Information Management

TABLE OF CONTENTS

SSL, HTTPS and TLS

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
  • Last UpdatedJul 31, 2025
  • 6 minute read

When a user visits the AIM Dashboard, information is transmitted over the internet between the web server and the web browser. Data travelling over the internet is vulnerable to interception. Due to this vulnerability, the AIM Dashboard must be configured to use SSL (Secure Sockets Layer). SSL works by encrypting the data before it is transmitted and then decrypting it at the other end. This means that if the data is intercepted along the way it will be meaningless to the interceptor.

The following steps must be followed to secure the AIM Dashboard.

SSL Certificates in IIS

To enable encryption of the data transmission in IIS, between the web server and the browser, you must install an SSL certificate on the web server.

This section explains how to create and configure two types of SSL certificates:

  • A purchased SSL certificate

  • A self-signed SSL certificate

    Note: A self-signed SSL certificate is free and needs additional efforts in configuration. This type of certificate is recommended for familiarization and testing HTTPS, rather than production use.

Using a Purchased Certificate

A purchased SSL certificate requires a much simplified configuration, compared to a self-signed certificate. The certificate providers supply their own software, to assist the users with the purchase and certificate installation.

Note: For help with purchasing and installing an SSL certificate, refer to a certificate provider website, for example https://www.verisign.com/.

Installing a Self-Signed Certificate (Windows Server 2019-IIS10)

To create and configure a self-signed test SSL certificate:

  1. Open IIS.

  2. In the Connections pane, select the server, and then double-click Server Certificates.

  3. In the Actions pane, select Create Self-Signed Certificate.

  4. Type a Friendly Name (for example, Temp Certificate) for the test certificate and select OK.

  5. In the Connections pane, select the AIM Dashboard site.

  6. In the Actions pane, select Bindings.

  7. For Type, select https.

  8. For IP address, select All unassigned.

  9. For Port, type 443 (or any other available port number).

  10. For SSL certificate, select the certificate you created in step 4.

  11. Select OK.

    The certificate is now configured for use with the AIM Dashboard.

Adding the Certificate to the Trusted Root Certification Authorities

If the client browser does not trust the web server certificate, a warning message will appear, while visiting the website. To make the browser trust the web server certificate, you must add the certificate to the Trusted Root Certification Authorities certificate store of the client machine.

To add the certificate to the Trusted Root Certification Authorities:

  1. Open IIS.

  2. In the Connections pane, select the server, and then double-click Server Certificates.

  3. In the Actions pane, select Export.

  4. For Export to, browse [] to the location you want to use for the exported certificate, type a filename, and then select Open.

  5. Type and confirm a Password for the certificate.

  6. Log on to the client machine.

  7. Open the Certificate Manager console by pressing Windows+R, and then type mmc.exe certmgr.msc.

  8. Under Certificates - Current User, expand Trusted Root Certification Authorities.

  9. Right-click Certificates.

  10. Select All Tasks, Import.

  11. Select Next.

  12. Browse to the certificate you exported in step 4, and then select Open.

    Note: Select Personal Information Exchange (*.pfx, *.p12) in the file extension box to see the pfx.

  13. Select OK, Next, Finish.

  14. Type the Password you created in step 5, and then select Next.

  15. Select Browse, select Show Physical Stores, expand Trusted Root Certification Authorities, and then select Local Computer.

  16. Select Finish.

    You have added the Certificate to Trusted Root Certificate Authorities for the Current User.

    Client Access to a Secure AVEVA Asset Information Management Dashboard Web

    After the preceding instructions have been followed and you have secured the AIM Dashboard, users should access the secured site.

    An example URL might read like the following: https://{myserver}:443

    Note: If you are accessing an HTTPS site that is NOT on the default port, you must specify the SSL port number.

    Warning Messages

    When using the AIM Dashboard, you may see a number of warning messages.

    Some of these are described below:

    • Security Alert - You are about to view pages over a secure connection. This indicates that you are entering a secure connection, select OK.

    • Security Information - This page contains both secure and non-secure items. You can select either Yes or No - the choice does not affect the operation of the AIM Dashboard.

    • Security Alert - Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. If this appears, the SSL certificate installed at the web server is not trusted by the client browser. If you are sure you are visiting the correct site then select Yes to ignore the warning.

      However, if this warning comes up several times for each visit, another option is to configure the browser to trust the certificate issued by the website and therefore not display the warning any more.

      To do this, select View Certificate, then view the details of the certificate. If you are satisfied, then select Install Certificate and follow the instructions.

      After this is completed the prompt may still come up. Opening a new browser and trying again usually fixes it. However, sometimes it may be necessary to install the certificate again to successfully remove the warning.

    Configuring SSL for Accusoft PrizmDoc

    Note: The preferred method to enable SSL for the PrizmDoc Service website is to use a certificate from a certificate authority. You can utilize a self-signed certificate, but you have to add the certificate into the client’s Root Certification Authorities.

    Enabling SSL for the 'PrizmDoc Service' website

    If you have configured Windows authentication on the PrizmDoc server following the procedure given under the 'Configuring Windows Authentication' section (in the Install Accusoft PrizmDoc Server and Client section in the Install and Set up the Requirements topic), then you must perform the following steps for the proxy website, for example, PrizmDoc Proxy. Alternatively, you must create a proxy website [following the steps (except Step 10 and Step 11) given in the 'Configuring Windows Authentication' section] to configure SSL.

    To enable SSL for the PrizmDoc Proxy website:

    1. Have your SSL certificate available in IIS (you can use the same certificate you have assigned to another IIS website, if you desire).

    2. Highlight the PrizmDoc Proxy website and select on Bindings.

    3. Select Add and select https from the Type menu. Select your certificate from the SSL certificate menu, and choose the port over which you want to communicate (you can use 443 as long as another site is not already on that port, otherwise choose a non-utilized port).

    4. Validate that the PrizmDoc service is responding by pointing a web browser to the address:

      1. https://servername:23000/servicesConnection

      where the port refers to what you have defined in Step 3.

      1. You should receive the response as OK.

    5. Open the pcc.config file located in the AIM Dashboard website. This file is typically located here: C:\inetpub\Dashboard

      1. Modify the property <PrizmApplicationServicesScheme> and set the value to https.

      2. Modify the property <PrizmApplicationServicesPort> and set the value to the previously set port (see Step 3).

    6. To reset IIS, select Start, and then run IISRESET.

      Importing a Self-signed Certificate

      Note: The following steps are needed ONLY if you are using a self-signed certificate.

      To import the certificate into the client machine Root Certificate Authority:

      1. Press windows key + R.

      2. Type mmc and press ENTER.

        Note: To view certificates in the local machine store, you must be in the Administrator role.

      3. On the File menu, select Add/Remove Snap In.

      4. Select Add.

      5. In the Add Standalone Snap-in dialog box, select Certificates.

      6. Select Add.

      7. In the Certificates snap-in dialog box, select Computer account and select Next. Optionally, you can select My User account or Service account. If you are not an administrator of the computer, you can manage certificates only for your user account.

      8. In the Select Computer dialog box, select Finish.

      9. In the Add Standalone Snap-in dialog box, select Close.

      10. On the Add/Remove Snap-in dialog box, select OK.

      11. In the Console Root window, select Certificates (Local Computer) to view the certificate stores for the computer.

      12. Expand Trusted Root Certification Authorities.

      13. Right click Certificates, All tasks, select Import.

      14. Follow the instructions and use the file that you exported in the first part.

        TLS

        The AVEVA AIM only supports Transport Layer Security (TLS) versions 1.2 and above. Therefore, all older versions of TLS must be disabled on the AIM server to ensure compatibility and maintain security. Using deprecated TLS versions can expose the system to vulnerabilities and potential attacks. It is essential to configure the AIM server to enforce TLS 1.2 or higher for all secure communications.

        In This Topic
        Related Links
        TitleResults for “How to create a CRG?”Also Available in