Secure communication between Milestone XProtect and Secure Display Stations

Introduction

This article describes how to enable encrypted communication when using the Secure Display Station plugin for Milestone XProtect®. There are two areas where you can enable TLS/SSL encryption:

  • Command and Control
  • Media Streaming

Command and Control

Secure communication is enabled simply by selecting the HTTPS protocol in the Network Configuration of the Secure Display Station (SDS). This is the default option shown in the plugin User Manual. It can be set when adding the SDS, or at any time afterwards, from the Management Client.
The SDS uses a self-signed certificate for its web server that handles command and control. Milestone XProtect® supports devices with self-signed certificates by default. Since firmware version 6.8.1.0, you can upload your own certificates and generate certificate signing requests for the SDS web server.

Media Streaming

With the plugin for Milestone XProtect®, the SDS obtains video streams from recording servers using the same protocol used by XProtect® Smart Client. When encryption is enabled in the Milestone Server Configurator, all media streams are encrypted with Secure Sockets Layer (SSL), including those requested by Secure Display Stations.

Requirements for media streaming encryption:

  • SDS plugin for Milestone XProtect® version 1.0.2.5 or newer, and
  • SDS firmware version 15.3.0.0 or newer

Certificate Management

SDS certificates are managed from the Security page of its web interface, under the Certificate Management tab. This tab is accessible only to users with the 'Administrator' role.


Web Server Certificate

To replace the built-in self-signed certificate used by the SDS web server, click on the Add New Certificate button. Select the certificate file to upload and set its role to HTTP Server ('Inactive' means the uploaded certificate is not in use and the web server keeps using its built-in self-signed certificate). Assigning the HTTP Server role restarts the SDS web server and disconnects your web browser session.
The bottom section of the Certificate Management tab allows generating a certificate signing request (CSR) that can be transmitted to an external certificate authority (CA) to obtain a certificate. Fill in the required fields and click on the Generate Certificate Signing Request button. The CSR will be downloaded by your web browser. Transmit that file to your CA and follow the same process above to assign the obtained certificate to the SDS web server.


Milestone Media Streaming Certificate

When requesting a stream from a recording server, the SDS establishes a secure socket and verifies the recording server's certificate chain to confirm the server's identity. The SDS runs a locked-down operating system in a workgroup environment, with a predefined store of trusted root certification authorities (CAs). If the root CA certificate that signed the recording server's certificate is not included in the SDS built-in store, it must be added to the SDS manually: click on the Add New Certificate button, select the certificate file to upload and set its role to Milestone SSL.
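
The trust decision described above, reproduced with the openssl command-line tool as an added example (it is not part of the SDS or Milestone documentation): a constructed recording-server certificate signed by a constructed internal root CA is rejected by a store that lacks that root and accepted once the root has been added, which is what uploading the root CA with the Milestone SSL role achieves on the SDS. All CA names, the hostname and the file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the SDS or Milestone documentation: reproduces,
# with the openssl command-line tool, the trust decision the SDS makes when it
# verifies a recording server's certificate chain against its root CA store.
# Every name below (CA names, hostname, file names) is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Helper: create a self-signed root CA with the given common name ($1) and
# file base name ($2).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# 1. "builtin" stands in for the SDS pre-installed store of public root CAs;
#    "internal" is the customer's own root CA that signed the recording server.
make_root_ca "Constructed Public Root CA" builtin
make_root_ca "Constructed Internal Root CA" internal

# 2. The recording server's certificate, signed by the internal root CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=recorder01.example.internal" \
  -keyout "$WORK/recorder.key" -out "$WORK/recorder.csr" >/dev/null 2>&1
openssl x509 -req -days 825 -in "$WORK/recorder.csr" -CA "$WORK/internal.pem" \
  -CAkey "$WORK/internal.key" -CAcreateserial -out "$WORK/recorder.pem" >/dev/null 2>&1

# 3. Two trust stores: the built-in store as shipped, and the same store after
#    the internal root CA was uploaded with the "Milestone SSL" role.
cp "$WORK/builtin.pem" "$WORK/store-as-shipped.pem"
cat "$WORK/builtin.pem" "$WORK/internal.pem" > "$WORK/store-with-internal-root.pem"

# recorder_trusted_by STORE: prints "trusted" if recorder.pem chains to a root
# in STORE (a PEM bundle), otherwise "untrusted". Only STORE is consulted; the
# host's default CA locations are disabled, as on the locked-down SDS.
recorder_trusted_by() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" \
       "$WORK/recorder.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Same certificate, two outcomes: only the store holding the internal root trusts it.
echo "as shipped:         $(recorder_trusted_by "$WORK/store-as-shipped.pem")"
echo "with internal root: $(recorder_trusted_by "$WORK/store-with-internal-root.pem")"
```

Against a real recording server, the chain it presents can be captured with `openssl s_client -connect <recorder host>:<port> -showcerts` (host and port are placeholders); the root CA certificate to upload normally has to be obtained from whoever operates that CA, since a server usually sends only its own certificate and any intermediates.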
Enabling Media Streaming Encryption on an Existing System

Follow these steps to enable media streaming encryption on a system already using the Secure Display Station plugin for Milestone XProtect®:

  1. Upgrade the plugin version to 1.0.2.5 or newer on all Milestone Server(s) and computers running XProtect® Smart Client
  2. Upgrade SDS firmware version to 15.3.0.0 or newer
  3. Follow Milestone XProtect® online documentation (XProtect VMS certificates guide) to enable media streaming encryption
  4. Follow the steps in this article to add the recording server(s) root CA certificate(s) to every SDS on the system. Multiple certificates can be added to an SDS if recording servers use certificates signed by different root CAs.
  5. From XProtect® Smart Client, push desired views to SDS output display(s). Views pushed with an earlier version of the plugin and SDS firmware will not work because they lack information related to encryption.

Troubleshooting

These troubleshooting hints apply when enabling encryption on an existing system, where video tile(s) that used to display correctly now show Connection Lost. For troubleshooting a new installation, refer to the plugin user manual. If a video tile (or, more likely, all tiles) shows Connection Lost, log on to the SDS web interface and enable the Video Output's Stream Details to display troubleshooting overlays.

A continuous Connecting… error on a video tile that displayed before likely indicates the SDS data source was configured with an earlier version of the plugin and firmware. Pushing the view again from Smart Client should resolve this issue.

A Missing Milestone streaming media certificate error on a video tile indicates the SDS does not trust this recording server's certificate. Follow the steps above to add the root CA certificate that signed the recording server's certificate under the SDS Certificate Management tab.