Define Security Settings
- Last Updated: Jul 08, 2025
You can define the Security Settings using the Farm Configuration Wizard.
For more information on Security settings, see https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client.
To define the security settings
- On the Windows Start menu, point to Programs, point to AVEVA, and then click Farm Configuration Wizard.
  The Welcome to the AVEVA Work Tasks Configuration Wizard screen appears.
- Click Next.
  The Edit AVEVA Work Tasks Farm Settings window is displayed.
- Select Security Settings and Service Settings, and then click Next.
- Select the Secure Web Sites check box to configure secured web sites. Clear the Secure Web Sites check box to use HTTP sites. By default, the sites are created in HTTPS mode.
  Note:
  - For secured websites, you cannot access the sites using localhost. You need to provide the Fully Qualified Domain Name (FQDN) to access the secured sites.
  - The application does not support HTTP for Microsoft Entra authentication.
- Select the Self Signed Certificate check box to acquire the self-signed certificate.
- From the Certificate drop-down list, select the available certificate. If your certificate is not listed, click the Refresh icon to repopulate the list.
  You can select one of the following certificates:
  - Self Signed Certificate: A certificate that is not signed by a trusted Certificate Authority but by one's own private keys.
    This certificate bypasses all validation checks and is not recommended, but can be used when the Certificate Authority fails.
  - IT Certificate: A certificate provided by your IT department and signed by a trusted third-party Certificate Authority.
    This certificate applies default .NET and OS certificate validation, but enforces revocation and expiration checks.
  - Automatically Generated Certificate: A certificate generated by AVEVA using the Configurator tool.
    This certificate allows use of an expired certificate or revoked certificate.
  Note: If the required certificate is not listed, generate one using the System Management Server (Configurator tool). Do not use a self-signed certificate without a proper root chain.
- Enter the Port Number. The default port for the HTTPS site is 8001, and for the HTTP site is 8000. You can enter any port number that IIS accepts. However, if another service or application is already using the port number you enter, AVEVA Work Tasks will not start.
- Click the Validate button to validate the certificate before configuring the security settings.
  Note: An Internet connection is needed to validate the certificate.
- Click Configure, then Next, and then Finish to apply the new security settings.
Note:
- To update the port number or certificate, or to change the websites from unsecure to secure or vice versa, select the Security Settings and Service Settings check box in the Edit AVEVA Work Tasks Farm Settings window before updating the values. After you provide the required details, the settings are updated only when you click Configure, then Next, and then Finish as you navigate through the Farm Configuration Wizard.
- If Quickflow is already deployed on a machine, you need to deploy it again after you update the security settings. If a secured web site is configured, you cannot change the server configuration for Quickflow in Central Configuration. However, if the Secure Web Sites check box is not selected, you can make changes to the server configuration.
- Advance Server communication cannot be configured on HTTP/HTTPS.
- For resources of a Load Balanced Server, ensure that all services are configured with the same protocol (HTTP or HTTPS).
- It is recommended to use a Standard SSL certificate instead of a self-signed SSL certificate.
Use ASB Certificate for Secured Communication
ASB Certificate is a PCS-managed SSL certificate and renews automatically every 30 days when the certificate is still valid. The certificate is valid for two years. The PCS watchdog service on the runtime node checks the validity of the SSL certificate within 5 minutes from when it starts and once a day. PCS also renews the SSL certificate if it is expired.
If the runtime node goes offline and later comes back online, the PCS watchdog service regularly checks the certificate validity and renews the certificate if required. Consider restarting the PCS watchdog service to force the SSL certificate validity check to run within 5 minutes of the restart.
Furthermore, when the SSL certificate is renewed, PCS binds it to port 443 (by default) and changes the SslThumbprint PCS registry value. If AVEVA Work Tasks sites are hosted on port 443, certificate binding will be auto-renewed when the SSL certificate is renewed. It is recommended to check the bindings in IIS with every certificate renewal to ensure the application is running seamlessly.
To disable the certificate renewal, consider disabling the ArchestrA Certificate Renewal Service Windows service.
Note:
- Client Service will try to automatically bind the renewed certificate. If there are any issues in browsing the website or starting the services after certificate renewal, users need to reconfigure the secure communication in Farm Configuration. To reconfigure, follow the steps in the section To define the security settings above.
- If the Farm's security setting is configured as HTTPS with Secure Settings enabled, the Security Setting remains set to HTTPS during Farm recovery. However, because the certificate is absent, the certificate selection is reset to "unselected." Users must manually select the certificate and reconfigure the Secure Setting in the Farm Configuration Wizard.
- The certificate should include both the host name and the fully qualified domain name in the Subject Alternative Names (SAN).
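One way to carry out the recommended IIS binding check after each certificate renewal, and to confirm that the bound certificate covers both the host name and the FQDN. This is an added example, not AVEVA code; it assumes the WebAdministration module that ships with IIS, and the function name and the 30-day warning window are hypothetical.

```powershell
# Added example, not AVEVA code. Read-only: lists each IIS HTTPS binding and
# flags certificate problems. Assumes the WebAdministration module (ships with IIS).
Import-Module WebAdministration

function Test-HttpsBindingCertificate {
    param([int]$WarnDays = 30)   # hypothetical warning window, choose your own

    $hostName = $env:COMPUTERNAME
    $fqdn     = [System.Net.Dns]::GetHostEntry($hostName).HostName

    foreach ($binding in Get-WebBinding -Protocol https) {
        # Look up the bound thumbprint in the store the binding points at
        $store = "Cert:\LocalMachine\$($binding.certificateStoreName)"
        $cert  = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                 Where-Object { $_.Thumbprint -eq $binding.certificateHash }

        $issues = @()
        if (-not $cert) {
            $issues += 'bound thumbprint not found in certificate store'
        } else {
            # DNS names PowerShell reports for the certificate; exact match only,
            # wildcard entries are not expanded
            $names = @($cert.DnsNameList.Unicode)
            if ($cert.NotAfter -lt (Get-Date)) { $issues += 'expired' }
            elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { $issues += "expires within $WarnDays days" }
            if ($names -notcontains $hostName)  { $issues += 'host name not among certificate DNS names' }
            if ($names -notcontains $fqdn)      { $issues += 'FQDN not among certificate DNS names' }
            if ($cert.Subject -eq $cert.Issuer) { $issues += 'self-signed' }
        }

        [pscustomobject]@{
            Binding    = $binding.bindingInformation   # IP:port:host header
            Thumbprint = $binding.certificateHash
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

Test-HttpsBindingCertificate | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the server that hosts the AVEVA Work Tasks sites; a binding whose thumbprint no longer resolves to a certificate is the case where the secure communication needs to be reconfigured in the Farm Configuration Wizard.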
Secure Communication between Services
To secure the communication between the services, apply the following changes to the Windows registry, and then reboot the server:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
For more information on securing communication, see https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client and
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358.