
AVEVA™ Plant SCADA

Troubleshooting - Certificate Error Messages

  • Last Updated Sep 11, 2025

This topic lists some common error messages you might encounter when using encrypted communications.

Use of IP address instead of machine name

Encrypted communications cannot be established if the CtAPI client specifies an IP address for the Plant SCADA machine it connects to. The client validates the name it was given against the name on the server's certificate, and an IP address does not match that name, so the connection is not established. Specify the machine name instead; it must match the machine name on the certificate. The same failure occurs if the machine name cannot be resolved. In both cases you will see the message "Failed to secure connection and unsecured connection is not permitted" in the trace log.

Unable to establish connection between server and client

The following table shows, for each combination of encryption mode on the server and on the display client or CtAPI client, whether a connection is established and whether it is encrypted. A connection is refused only when one side is set to No Encryption and the other to Encryption Enabled; it is encrypted only when neither side is set to No Encryption.

Server              | Display Client/CtAPI Client | Communications Occur? | Encrypted Communications?
No Encryption       | No Encryption               | Yes                   | No
No Encryption       | Mixed                       | Yes                   | No
No Encryption       | Encryption Enabled          | No                    | No
Mixed               | No Encryption               | Yes                   | No
Mixed               | Mixed                       | Yes                   | Yes
Mixed               | Encryption Enabled          | Yes                   | Yes
Encryption Enabled  | No Encryption               | No                    | No
Encryption Enabled  | Mixed                       | Yes                   | Yes
Encryption Enabled  | Encryption Enabled          | Yes                   | Yes

Note: It is recommended that you enable encryption on both the server and the client.

If the two machines are in a combination the table marks as not communicating (one side set to No Encryption, the other to Encryption Enabled), you will see the message "No connection could be made because the target machine actively refused it" in the trace log.

Note: For CtAPI clients, you need to restart the CtAPI server if you change the encryption mode from Encryption Enabled to Mixed in the Configurator; the running server does not pick up the new mode until it is restarted.

Runtime Manager not running as a service

If the Run Runtime Manager as a service option is not selected on the Configurator's Computer Setup page, you may encounter certificate errors because the runtime processes cannot read the certificate's private key. The syslog will display messages indicating that the certificate is invalid, while the tracelog displays the message "Certificate Private key is not accessible". The hardware alarm page will also show an alarm with the description "Cert private key is unreadable".

You need to configure Runtime Manager to run as a service if you are running any server processes, or if you are running a display client that has been configured to accept CtAPI connections (that is, the [CtAPI]Remote parameter is set to 1).

Note: The syslog and tracelog also display messages relating to expired certificates.

Thumbprint errors

If the configured thumbprint does not match any certificate in the certificate store, you will see a hardware alarm with the description "Certificate not found". Details can be viewed in the syslog as well as the tracelog. The syslog will display "Server thumbprint invalid", while the tracelog will display "Certificate not found. Failed to find certificate for thumbprint".

Remote client does not connect and generates "TLS Exchange Failed" hardware alarm

A remote client uses a DNS name to validate the certificate it receives from a server during the TLS exchange: the name the client used to reach the server must match one of the DNS names listed in the certificate's "Subject Alternative Name" extension. If no entry matches, the client does not connect and raises the "TLS Exchange Failed" hardware alarm.

You can find the Subject Alternative Name by going to Configurator on the server and displaying the System Management Server page. To open the certificate properties, click on the Advanced button and select Details. On the Details tab, scroll down and find the "Subject Alternative Name" property. This will have three entries:

DNS Name=localhost
DNS Name=<computer name>
DNS Name=<FQDN>

As part of the TLS exchange, the computer name in the certificate is validated against the name configured in the project for the computer the server process runs on. If the DNS Name field is configured for that computer, the client matches the Subject Alternative Name against that field. If the DNS Name field is blank, the Address field of the computer's network address is used instead.

You should only use "localhost" when running a standalone server with no remote clients.

If the Address field of the network address on the server is a computer name, the easiest configuration is to leave the DNS Name field blank. You only need to set the DNS Name field to the actual computer name of the server if the network address is an IP address, because an IP address will never match a DNS entry in the Subject Alternative Name.
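The following Python script is an added illustration, not AVEVA or Plant SCADA code. It models two rules stated on this page as a pre-flight check you can run before deploying a configuration: the server/client encryption-mode table from "Unable to establish connection between server and client", and the rule in this section (and in "Use of IP address instead of machine name") for which name the client validates against the certificate's Subject Alternative Name. The quoted log and alarm texts are the ones given on this page; the function and field names, the host names and the sample SAN list are assumptions of this example.

```python
"""Pre-flight check for a Plant SCADA encrypted CtAPI/display-client connection.

Added example (not AVEVA code). It models two rules from this page:
  1. the server/client encryption-mode table, and
  2. how the client chooses the name it validates against the certificate's
     Subject Alternative Name (DNS Name field if set, otherwise the Address
     field of the network address; an IP address never matches a DNS entry).
Function names, field names and sample values are assumptions of this example;
the quoted messages are the ones the page says appear in the logs/alarms.
"""
import ipaddress

NO_ENC, MIXED, ENC = "No Encryption", "Mixed", "Encryption Enabled"
MODES = (NO_ENC, MIXED, ENC)


def connection_outcome(server_mode, client_mode):
    """Return (communicates, encrypted) for a server/client mode pair.

    The page's 3x3 table reduces to two rules: the connection is refused only
    when one side is 'No Encryption' and the other 'Encryption Enabled'; it is
    encrypted only when neither side is 'No Encryption'.
    """
    if server_mode not in MODES or client_mode not in MODES:
        raise ValueError("unknown encryption mode")
    refused = {server_mode, client_mode} == {NO_ENC, ENC}
    encrypted = NO_ENC not in (server_mode, client_mode)
    return (not refused, encrypted)


def name_client_validates(dns_name_field, network_address):
    """Name the client compares with the certificate SAN (page rule):
    the DNS Name field if configured, else the network address."""
    return (dns_name_field or network_address).strip()


def is_ip_address(value):
    """True for an IPv4/IPv6 literal, False for a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def san_matches(target, san_dns_names):
    """Exact, case-insensitive match against the SAN DNS entries.

    No wildcard handling: the page shows the certificate carrying three
    literal names (localhost, computer name, FQDN).
    """
    target = target.lower().rstrip(".")
    return any(target == n.lower().rstrip(".") for n in san_dns_names)


def preflight(server_mode, client_mode, dns_name_field, network_address,
              san_dns_names, remote_client=True):
    """Return a list of (problem, expected log/alarm text); empty means OK."""
    findings = []
    communicates, encrypted = connection_outcome(server_mode, client_mode)
    if not communicates:
        findings.append(("incompatible encryption modes",
                         "No connection could be made because the target "
                         "machine actively refused it"))
        return findings
    if not encrypted:
        findings.append(("connection will be unencrypted",
                         "(no error; enable encryption on both sides)"))
        return findings

    target = name_client_validates(dns_name_field, network_address)
    if is_ip_address(target):
        findings.append(("client addresses the server by IP; configure a "
                         "machine name that matches the certificate",
                         "Failed to secure connection and unsecured "
                         "connection is not permitted"))
    elif target.lower() == "localhost" and remote_client:
        findings.append(("'localhost' only validates for a standalone server "
                         "with no remote clients", "TLS Exchange Failed"))
    elif not san_matches(target, san_dns_names):
        findings.append((f"'{target}' is not in the certificate SAN "
                         f"{san_dns_names}", "TLS Exchange Failed"))
    return findings


if __name__ == "__main__":
    # Constructed sample: SAN as the page describes it (localhost, name, FQDN).
    SAN = ["localhost", "SCADA01", "scada01.example.com"]
    for args in [(ENC, ENC, "", "SCADA01", SAN),          # OK
                 (ENC, ENC, "", "192.0.2.10", SAN),       # IP address
                 (ENC, MIXED, "SCADA01", "192.0.2.10", SAN),  # DNS Name set: OK
                 (NO_ENC, ENC, "", "SCADA01", SAN)]:      # refused
        print(args[:4], "->", preflight(*args) or "checks pass")
```

Run it as a script to print the outcome for each constructed case, or import it and call preflight() with the values from your own Configurator pages.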

If required, you can use the Plant SCADA Kernel to diagnose runtime connections using Page Table commands. See Page Table Platform.Session and Page Table Tran.
