Certificates Overview

Currently, Resonate supports CA certificates, but has limited support for endpoint certificates with readers.
X.509 digital certificates are files that contain information to secure connections between networked devices (for example, a server, reader, or web client (web interface)). Certificates work with public-private key pairs and with digital signatures to assert the identity of the networked device. These endpoint certificates can be self-signed at the time of generation or can be signed by a separate Certificate Authority (CA). Companies often have policies that prevent trusting self-signed certificates, so enterprises often require signed certificates. If both networked devices in the connection trust the CA (that is, both have a copy of the CA certificate), they can both trust the networked device (endpoint) certificate signed by that CA. Large enterprises often issue their own CA certificates so that devices restricted to their private enterprise network can trust their enterprise-signed endpoint certificates, without having to pay a third party to do so.
Resonate always sets readers to operate in their secure mode. This tells the readers to always require a secure connection when possible. For example, if you connect via browser to the reader's web interface, the reader will always require HTTPS. HTTPS requires TLS security, which uses X.509 digital certificates. The reader can support HTTPS using its default self-signed certificate, but this might cause a pop-up browser message, indicating that self-signed certificates are not trusted. To avoid this message, you can add a CA-signed certificate.
Currently, Resonate has limited support for endpoint certificates with readers, so in some cases, you must add those signed certificates using the reader's web interface instead of through Resonate.
In general, readers have three types of network connections that can be secured with the help of X.509 digital certificates:
  • Reader-to-Resonate for management
  • Reader data endpoints to share RFID read data
  • Browser-to-reader direct web interface
In addition, the browser connection between users and the Resonate RFID Reader Management web interface can also be secured with X.509 digital certificates.

Reader-to-Resonate

During device initialization, the Resonate on-reader management agent (Resonate Agent) is given a copy of the CA certificate used by Resonate. The reader initialization process uses that certificate to trust the Resonate instance, so they can work together to securely generate reader keys and login tokens (Keycloak client credentials) for securing the reader's Resonate Agent management connection.
Resonate comes with a self-signed certificate, but you can choose to use an enterprise-signed or publicly signed certificate for Resonate. If so, copy the certificate to the Resonate server's file system; then, use the Resonate installer (install.sh) with the --tls-certificate and --tls-key options to assign the certificate to the server. This tells the Resonate install.sh script to include the new certificate instead of the self-signed one included by default. If required, this should typically be done at Resonate installation time or before adding readers; otherwise, you will have to re-initialize the readers.

Read Data

Currently, Resonate managed readers support a single WebSocket server data export endpoint. This connection is secured with the reader's server certificate. In this case, the reader is serving the data, so the reader is the server side of the connection, not the client side. The customer's WebSocket client application can connect to the reader's WebSocket server endpoint at wss://<reader FQDN>/resonate.
Zebra readers come with a self-signed certificate, but you can choose to use an enterprise-signed or publicly signed certificate for reader communications. If so, you must load the new certificate onto the reader via the ZIoTC APIs or the reader's built-in web interface.

Reader's Web Interface

The third possible connection to a reader is through its built-in web interface, accessed from a browser. It allows you to access ZIoTC settings on the reader, but not the Resonate settings. It is not recommended that users access the reader's web interface when using Resonate because this can cause confusion and potentially interfere with Resonate management of the reader. If you require web interface access, connect to the reader's web interface server endpoint at https://<reader FQDN>/.
Zebra readers come with a self-signed certificate, but you can choose to use an enterprise-signed or publicly signed certificate for reader communications. If so, you should load a new certificate onto the reader via the ZIoTC APIs or via the reader's built-in web interface. The same reader server endpoint certificate is used to secure both the WebSocket server data endpoint and the web interface server endpoint.

Resonate's Web Interface

Although not reader-related, Resonate can use an enterprise certificate to authenticate the Resonate server to its web client (Resonate's web interface loaded in the browser). This avoids receiving the self-signed certificate error when browsing to the Resonate web interface. If you added an enterprise-signed certificate during Resonate installation (as described above), this is already handled. If not, follow the same instructions to add the certificate (that is, copy the certificate to the Resonate server's file system; then, use the Resonate installer with the --tls-certificate and --tls-key options). If required, this should typically be done at Resonate installation time or before adding readers; otherwise, you will have to re-initialize the readers. For more information, refer to the install.sh topic in the Software Installation Guide.
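As an added example (not part of the Resonate documentation or its installer), the following POSIX shell pre-flight check applies to both the Reader-to-Resonate and the Resonate web interface instructions above: before a certificate and key are handed to install.sh with --tls-certificate and --tls-key, it confirms that the key belongs to the certificate, that the certificate chains to the enterprise CA the readers and browsers will trust, that it names the server's FQDN, and that it is not about to expire. It requires the openssl command-line tool; the function names, the placeholder FQDN and the throw-away demo CA it generates are assumptions, not Resonate artifacts.

```shell
#!/bin/sh
# Added example, not Resonate's own code: pre-flight checks for an
# enterprise-signed certificate before it is passed to
#   install.sh --tls-certificate CERT --tls-key KEY
# Requires the openssl CLI. Function names and the demo PKI are assumptions.

# tls_preflight CERT KEY CAFILE FQDN: returns 0 only if every check passes.
tls_preflight() {
  cert=$1; key=$2; cafile=$3; fqdn=$4
  # 1. The private key must belong to the certificate (compare public keys).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  # 2. The certificate must chain to the CA that the readers and browsers trust.
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to $cafile" >&2; return 1; }
  # 3. The certificate must be issued for the server's FQDN (SAN / CN check);
  #    otherwise clients still reject it even though the CA is trusted.
  openssl verify -CAfile "$cafile" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1 \
    || { echo "certificate is not valid for host $fqdn" >&2; return 1; }
  # 4. Refuse a certificate that expires within the next 24 hours.
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
    || { echo "certificate expires within 24h" >&2; return 1; }
}

# make_demo_pki DIR FQDN: constructed throw-away CA and server certificate,
# used only so the example runs offline; a real deployment uses the
# enterprise CA instead.
make_demo_pki() {
  dir=$1; fqdn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Enterprise CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/ext.cnf"
  openssl x509 -req -days 30 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/ext.cnf" -out "$dir/server.pem" 2>/dev/null
}

# Demo run against the constructed PKI (the FQDN is a placeholder).
demo=$(mktemp -d)
make_demo_pki "$demo" resonate.example.internal
if tls_preflight "$demo/server.pem" "$demo/server.key" "$demo/ca.pem" resonate.example.internal; then
  echo "preflight OK: ./install.sh --tls-certificate $demo/server.pem --tls-key $demo/server.key"
fi
```

In a real deployment, replace the demo files with the enterprise-signed certificate, its key and the enterprise CA bundle, and use the Resonate server's actual FQDN.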

CA certificates

Although Resonate currently does not support endpoint certificate maintenance, Resonate can download a Certificate Authority (CA) certificate to the reader to authenticate the signature of a CA-signed endpoint certificate installed manually.

Certificate Installation

When you enable communication between the Resonate server and an RFID reader, Resonate Device Initializer automatically secures the onboarding process using the Resonate server's digital certificate. After the onboarding process, the new reader uploads all its known CA certificates to Resonate, and Resonate installs on the reader all CA certificates not already installed on it.
To install other CA certificates on the RFID readers, upload them to Resonate; Resonate automatically installs the certificates on all the RFID readers after you upload them. Refer to Installing a CA Certificate.
Zebra RFID readers come from the factory with CA certificates from many trusted Certificate Authorities. Zebra RFID readers also come from the factory preloaded with a self-signed reader certificate identifying and securing that reader. Zebra readers do not come with enterprise-signed certificates, which would allow trusted operation on the customer's network; you must add those to the reader.
At this time, Resonate supports adding new CA certificates to readers and automatically handles the certificates securing the reader-to-Resonate management connection. However, it does not yet support managing other reader endpoint (client or server) certificates. For now, you must install them manually, using the reader's built-in web interface or ZIoTC APIs. See the instructions for your specific reader.