Securing the Communication between Kiosk Applications
Warning
To provide the highest level of security, communication between Kiosk Applications, and with the Kiosk Admin web site, is secured using SSL/TLS following the procedures described in this section.
Secure communication is implemented by means of SSL/TLS sockets. This method requires the deployment of digital certificates issued by a trusted Certificate Authority (CA).
By default, all Kiosk Services are deployed with this secure communication, and their certificates are issued by a Certificate Authority generated by the Kiosk Orchestrator. Kiosk Position configuration files downloaded from Kiosk Admin contain the client certificate and private key used to authenticate the Kiosk Client when it communicates with Kiosk Services.
Tip
We recommend using a DNS server to resolve FQDNs and machine names. This DNS server must be configured on both the Adapter Hub and the UIP machine.
Warning
Some features such as the Scan Data feature can be enabled to deliver guest document image data to the owner or purchaser of the software. It is the responsibility of the owner or purchaser to properly handle and secure the data that is provided to the owner's chosen scanned data location. Once it is out of the Kiosk System and saved to the chosen location, the Kiosk System and the Kiosk manufacturer are not responsible for the data's security.
Connecting to a UIP securely
UIP must be configured in secure mode (accessible via HTTPS) using a certificate configured in Administration > Client Access. When configuring the Adapter Hub to communicate securely with UIP, make sure that all of the following aspects are covered:
- The Adapter Hub is configured to connect to a UIP URL which is equal to wss:// as described in the UIP Adapter Hub documentation.
- If the UIP connection is secured using enterprise certificates, copy the corresponding CA certificate into /etc/wfadapterhub/cacerts.
  - This does not need to be done if the UIP is a cloud-based UIP running in secure mode, or if it is an on-premises UIP secured with certificates trusted by a public CA.
  - Before copying the CA certificate, make sure that it fulfills all criteria described in the UIP Adapter Hub documentation.
- After copying, restart Docker (and consequently all services running as containers) using:
sudo systemctl restart docker
Accessing the Certificate Authority (CA) for Kiosk Admin when using UIP + Adapter Hub Machine
When browsing to the Kiosk Admin application running on an Adapter Hub on the same host as UIP, you will be presented with a message that the site is not secure, without a link to proceed.
The Certificate Authority (CA) certificate can then be obtained in one of two ways:
- Use the IP address of the Adapter Hub instead of the DNS name when accessing Kiosk Admin.
  - If the Adapter Hub Template is configured with the IP address, browsing to the IP address should allow you to proceed (e.g. https://172.0.1.100:10005). You can then download the Certificate Authority (CA) file from Global Configuration > Connection Settings.
- Get the Certificate Authority file using a command-line tool, ignoring the TLS errors:
  - curl --insecure -OJ https://kiosk-hub.company.com:10005/getca
  - wget --no-check-certificate --content-disposition https://kiosk-hub.company.com:10005/getca
Once the certificate is downloaded, it must be installed on each computer that will be using Kiosk Administrator.
Use the Windows application "Manage Computer Certificates" (found in the Windows Control Panel). Install the certificate for the local machine in the Trusted Root Certification Authorities store.
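Both command-line downloads above deliberately skip certificate verification, so the file they retrieve has not been authenticated by anything. Before importing it into the Trusted Root store on each workstation, compare its SHA-256 fingerprint with one obtained out-of-band, for example by running openssl x509 -in <ca file> -noout -fingerprint -sha256 on the Adapter Hub host itself. The script below is an added example and not part of the Kiosk product; the expected fingerprint passed on the command line is an operator-supplied assumption, and the embedded sample PEM is constructed placeholder data rather than a real certificate.

```python
"""Added example (not NEC's code): check the SHA-256 fingerprint of a CA file
fetched with curl --insecure or wget --no-check-certificate before installing
it as a trusted root.  The expected fingerprint is an assumption supplied by
the operator, obtained out-of-band, for example by running
    openssl x509 -in <ca file> -noout -fingerprint -sha256
on the Adapter Hub host itself."""
import base64
import hashlib
import hmac
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def certificate_der(data):
    """Return the DER bytes of the first certificate in data, which may be
    PEM (base64 between the BEGIN/END markers) or already DER."""
    if not data.lstrip().startswith(PEM_HEADER):
        return data  # no PEM armour: treat the download as DER
    start = data.index(PEM_HEADER) + len(PEM_HEADER)
    end = data.index(PEM_FOOTER, start)
    return base64.b64decode(b"".join(data[start:end].split()))


def sha256_fingerprint(data):
    """Colon-separated upper-case hex digest of the DER certificate, in the
    layout openssl and the Windows certificate viewer use."""
    digest = hashlib.sha256(certificate_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Accept 'SHA256 Fingerprint=AB:CD:...', 'ab:cd:...' or bare hex."""
    value = fingerprint.split("=", 1)[-1]
    return value.replace(":", "").replace(" ", "").strip().upper()


def fingerprint_matches(data, expected):
    """Constant-time comparison of the computed and the expected fingerprint."""
    return hmac.compare_digest(normalize(sha256_fingerprint(data)), normalize(expected))


# Constructed sample: not a real certificate, it only exercises the PEM path.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = PEM_HEADER + b"\n" + base64.encodebytes(SAMPLE_DER) + PEM_FOOTER + b"\n"


def main(argv):
    if len(argv) != 3:
        print("usage: verify_ca.py <downloaded CA file> <expected SHA-256 fingerprint>")
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    print("SHA256 Fingerprint=" + sha256_fingerprint(data))
    if fingerprint_matches(data, argv[2]):
        print("fingerprint matches: the file can be imported into Trusted Root Certification Authorities")
        return 0
    print("FINGERPRINT MISMATCH: do not install this file")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on each workstation as python verify_ca.py <downloaded file> "<fingerprint from the Adapter Hub host>" and only proceed to the "Manage Computer Certificates" import when it reports a match; a mismatch means the download was tampered with or a different CA was served and the file must not become a trusted root.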
Securing the communication between Kiosk Client and wrapper services
The Kiosk Clients and the wrapper services always run on the same Kiosk machine. Moreover, the wrapper services always listen on the localhost address (127.0.0.1), which is not reachable from outside the Kiosk Client machine. From this perspective, the connection between the wrapper (scanner) services and the Kiosk Client can be left unsecured without exposing it to MITM-style attacks from the network.
However, by its nature the Kiosk machine is always exposed directly to end users. Allowing physical access to a machine is a security risk in itself; therefore, some customers' IT departments may explicitly require that Kiosk Clients also communicate with the wrapper services over secure sockets (even though they run on the same machine).
Wrapper service
- Deploy the PFX file that contains the client key and signed certificate to the Kiosk machine. Use a folder of your own choice; the location can be anywhere on the disk.
Note
This certificate can be generated using the guidelines from the appendix.
- Edit the wrapper service config file (typically C:\Program Files (x86)\NecAIScannerService\config.json for the AssureID wrapper, or C:\Program Files (x86)\NecVeridocsService\config.json for the Veridocs wrapper):
  - For certificatefilepath, specify the full path to the PFX file. Be careful with path delimiters: use either forward slashes (/) or double backslashes (\\).
  - For certificatepassword, specify the password that you entered when generating the PFX file.
Example
"certificatefilepath": "c:/cert/kiosk.pfx",
"certificatepassword": "myP@ssword123"
- Restart the wrapper service using the Windows Services utility (services.msc).
Kiosk Client
- Copy the trusted CA certificate in PEM format to the machine running the Kiosk Client. Use a folder of your own choice; the location can be anywhere on the disk.
- Edit the Kiosk Client config file located at C:\ProgramData\NEC\kiosk\kioskconf.json:
  - Leave the scanner_service_address setting unchanged. Change it only if, for some reason, the scanner service cannot run on the default port 60080.
  - Set the scanner_service_usetls key to the value true.
  - For scanner_service_cacert, use the path to the trusted CA certificate (be sure to select the CA certificate, not the client certificate). Be careful with path delimiters: use either forward slashes (/) or double backslashes (\\).
Example
"scanner_service_address": "localhost:60080",
"scanner_service_usetls": true,
"scanner_service_cacert": "c:/cert/MyRootCA.pem",
- Restart the Kiosk Client application.
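Both the wrapper service config.json and the Kiosk Client kioskconf.json share the same pitfalls: a Windows path written with single backslashes is either rejected by the JSON parser (for example \c or \k) or silently mangled into control characters (\t, \n), usetls is sometimes written as the string "true" instead of the JSON boolean, and the client certificate is easy to pick instead of the CA certificate. The checker below is an added example, not NEC's tool; the key names and default address come from the page, while the sample JSON documents are constructed for illustration. It covers the wrapper service steps and the Kiosk Client steps above, and can be run before restarting either service.

```python
"""Added example (not NEC's code): sanity-check the TLS settings of the wrapper
service config.json and the Kiosk Client kioskconf.json before restarting the
services.  Key names come from the documentation; sample JSON is constructed."""
import json
import os
import re

WRAPPER_KEYS = ("certificatefilepath", "certificatepassword")
CLIENT_KEYS = ("scanner_service_address", "scanner_service_usetls", "scanner_service_cacert")
DEFAULT_SCANNER_ADDRESS = "localhost:60080"
# Windows drive letter followed by / or \, or a POSIX root: the path is absolute.
ABSOLUTE_PATH = re.compile(r"^([A-Za-z]:[/\\]|/)")

# Constructed sample documents showing only the TLS-related keys.
GOOD_WRAPPER_JSON = '{"certificatefilepath": "c:/cert/kiosk.pfx", "certificatepassword": "myP@ssword123"}'
# Single backslashes: \t and \n are JSON escapes, so the parser silently turns
# the path into "c:<TAB>emp<LF>ec<TAB>ls.pfx" without reporting any error.
BAD_WRAPPER_JSON = '{"certificatefilepath": "c:\\temp\\nec\\tls.pfx", "certificatepassword": ""}'
GOOD_CLIENT_JSON = ('{"scanner_service_address": "localhost:60080", "scanner_service_usetls": true, '
                    '"scanner_service_cacert": "c:/cert/MyRootCA.pem"}')
# usetls written as a string instead of the JSON boolean true.
BAD_CLIENT_JSON = ('{"scanner_service_address": "localhost:60080", "scanner_service_usetls": "true", '
                   '"scanner_service_cacert": "c:/cert/MyRootCA.pem"}')


def parse_config(text):
    """Return (config, problems).  A backslash before c, k, ... is an invalid
    JSON escape and fails here; \\t, \\n, \\r, \\b, \\f are swallowed silently
    and are caught later by check_path()."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return {}, ["config is not valid JSON (unescaped backslash in a path?): %s" % exc]
    if not isinstance(cfg, dict):
        return {}, ["config root must be a JSON object"]
    return cfg, []


def check_path(value, key, suffixes):
    """Flag mangled delimiters, wrong file type and relative paths."""
    if not isinstance(value, str) or not value:
        return ["%s must be a non-empty string" % key]
    problems = []
    if re.search(r"[\x00-\x1f]", value):
        problems.append("%s contains control characters: a path written with single "
                        "backslashes was mangled by JSON escaping; use / or \\\\" % key)
    if not value.lower().endswith(suffixes):
        problems.append("%s should point to a %s file" % (key, " or ".join(suffixes)))
    if not ABSOLUTE_PATH.match(value):
        problems.append("%s should be the full (absolute) path" % key)
    return problems


def check_ca_file(path):
    """If the file is readable, make sure it is a PEM certificate and not the
    client certificate/key bundle.  Silently skipped when the file is absent,
    so the check can also run on a machine other than the kiosk."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []
    problems = []
    if b"-----BEGIN CERTIFICATE-----" not in data:
        problems.append("%s is not a PEM certificate; convert it to PEM first" % path)
    if b"PRIVATE KEY" in data:
        problems.append("%s contains a private key: this is client material, not the CA certificate" % path)
    return problems


def check_wrapper_config(text):
    cfg, problems = parse_config(text)
    if problems:
        return problems
    problems += ["missing key %s" % key for key in WRAPPER_KEYS if key not in cfg]
    if "certificatefilepath" in cfg:
        problems += check_path(cfg["certificatefilepath"], "certificatefilepath", (".pfx", ".p12"))
    if "certificatepassword" in cfg and not cfg["certificatepassword"]:
        problems.append("certificatepassword is empty; use the password given when the PFX was generated")
    return problems


def check_client_config(text):
    cfg, problems = parse_config(text)
    if problems:
        return problems
    problems += ["missing key %s" % key for key in CLIENT_KEYS if key not in cfg]
    if cfg.get("scanner_service_address", DEFAULT_SCANNER_ADDRESS) != DEFAULT_SCANNER_ADDRESS:
        problems.append("scanner_service_address differs from the default %s; change it only if "
                        "the scanner service cannot use port 60080" % DEFAULT_SCANNER_ADDRESS)
    if cfg.get("scanner_service_usetls") is not True:
        problems.append('scanner_service_usetls must be the JSON boolean true, not "true" or 1')
    if "scanner_service_cacert" in cfg:
        path = cfg["scanner_service_cacert"]
        problems += check_path(path, "scanner_service_cacert", (".pem", ".crt", ".cer"))
        problems += check_ca_file(path)
    return problems


if __name__ == "__main__":
    for label, text in (("wrapper", GOOD_WRAPPER_JSON), ("wrapper", BAD_WRAPPER_JSON),
                        ("client", GOOD_CLIENT_JSON), ("client", BAD_CLIENT_JSON)):
        check = check_wrapper_config if label == "wrapper" else check_client_config
        print(label, check(text) or "OK")
```

To check a real installation, read the file contents and pass them to check_wrapper_config or check_client_config (for example open(r"C:\ProgramData\NEC\kiosk\kioskconf.json").read()); an empty list means the TLS keys are well-formed. The certificatepassword is stored in clear text in config.json, so the file's permissions should allow only the wrapper service account and administrators to read it.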