FAQ 05/2015

How to Access the Web Interface for ROS

Non-Controlled (NC) Using Microsoft®
Internet Explorer
RUGGEDCOM ROS

https://support.industry.siemens.com/cs/ww/en/view/109476726
 This entry is from the Siemens Industry Online Support. The general terms of use
(http://www.siemens.com/terms_of_use) apply.

Security Siemens provides products and solutions with industrial security functions that
informa- support the secure operation of plants, solutions, machines, equipment and/or
tion networks. They are important components in a holistic industrial security
concept. With this in mind, Siemens’ products and solutions undergo continuous
development. Siemens recommends strongly that you regularly check for
product updates.
For the secure operation of Siemens products and solutions, it is necessary to
take suitable preventive action (e.g. cell protection concept) and integrate each
component into a holistic, state-of-the-art industrial security concept. Third-party
products that may be in use should also be considered. For more information
about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-
specific newsletter. For more information, visit
http://support.industry.siemens.com.
Siemens AG 2015 All rights reserved

Table of contents
1 Overview ............................................................................................................. 3
2 Configuring Windows to Work with an NC Version of ROS .......................... 4
2.1 Enabling Support for RSA 512-bit Keys ............................................... 4
2.2 Enabling Support for DES 56-bit Encryption ........................................ 5
2.3 Enabling Support for SSL 3.0 and TLS 1.0 .......................................... 6

Access the Web Interface for ROS Non-Controlled (NC)

Entry-ID: 109476726, V 1.1, 05/2015 2
 1 Overview

1 Overview
This entry shows how to access the Web Interface for ROS Non-Controlled (NC)
using Microsoft® Internet Explorer.
Non-Controlled (NC) versions of ROS use DES 56-bit encryption. Due to
restrictions in Microsoft Windows operating systems (i. e. Windows 7), this renders
the ROS Web interface inaccessible, by default, through Microsoft Internet
Explorer. However, through small changes to the Windows registry, Internet
Explorer can be configured to support the DES 56 cipher mechanism.

CAUTION The DES 56 cipher suite, RSA 512-bit keys and SSLv3.0 are not recommended
for use and are restricted by default in Windows. Only enable support in a secure
environment.

CAUTION If NULL ciphers are supported, a connection to the ROS device could result in all
traffic to and from the device being transported in plain text. To ensure the
encryption of traffic when connecting via SSL/TLS, remove NULL ciphers from
the list of supported SSL/TLS ciphers in Windows.
Siemens AG 2015 All rights reserved

Access the Web Interface for ROS Non-Controlled (NC)

Entry-ID: 109476726, V 1.1, 05/2015 3
 2 Configuring Windows to Work with an NC Version of ROS

2 Configuring Windows to Work with an NC

Version of ROS
NOTE The following procedures have been verified on Internet Explorer Version
11.0.9600.17728 on Windows 7 Professional, 32 bit Operating System.

To configure Windows to work with an NC version of ROS, do the following:

1. Click “Start”, then click “Run”.
2. Type “regedit”, and click “OK”. The Registry Editor window appears.
3. Create a backup of the Windows registry.
4. Configure Windows to support RSA 512-bit keys. For more information, refer to
Chapter 2.1.
5. Configure Windows to support DES 56-bit encryption. For more information,
refer to Chapter 2.2.
6. Enable support for SSL 3.0 and TLS 1.0 in Internet Explorer. For more
information, refer to Chapter 2.3.

2.1 Enabling Support for RSA 512-bit Keys

Siemens AG 2015 All rights reserved

To enable support for RSA 512-bit keys in Windows, do the following:

1. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\
EncodingType0\CertDllCreateCertificateChainEngine\Config
2. If the “CertDllCreateCertificateChainEngine” key does not exist, create it by
doing the following:
a. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptog
raphy\OID\EncodingType0
b. On the “Edit” menu, select “New” and click “Key”. A new key is created.
c. Rename the key “CertDllCreateCertificateChainEngine”.
d. On the “Edit” menu, select “New” and click “Key”. A new key is created.
e. Rename the key “Config”.
3. On the “Edit” menu, select “New” and click “DWORD (32-bit) Value”. A new
registry entry is created.
4. Rename the registry entry “minRSAPubKeyBitLength”.
5. On the “Edit” menu, click “Modify”. The “Edit DWORD Value” dialog box
appears.
6. Select the Decimal option and type “512” under Value data.
7. Click “OK”.
8. If Steps 1 through 6 are unsuccessful in enabling 512-bit keys, proceed as
follows:
a. Open a Command Prompt window as Administrator.
b. Enter the following:
certutil -setreg chain\minRSAPubKeyBitLength 512
This should enable 512-bit RSA keys as the minimal acceptable size.

Access the Web Interface for ROS Non-Controlled (NC)

Entry-ID: 109476726, V 1.1, 05/2015 4
 2 Configuring Windows to Work with an NC Version of ROS

2.2 Enabling Support for DES 56-bit Encryption

To enable support for DES 56-bit Encryption in Windows, do the following:
1. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\
Configuration\Local\SSL\0001002\Functions
2. On the “Edit” menu, select “Modify”. The “Edit Multi-String” dialog box appears.
3. In the “Value” data box, add TLS_RSA_WITH_DES_CBC_SHA to the current
list of cipher strings.
4. Remove any NULL ciphers from the “Value” data box. For example:
– TLS_RSA_WITH_NULL_SHA256
– TLS_RSA_WITH_NULL_SHA
– TLS_RSA_WITH_NULL_MD5
5. Click “OK”.
6. Open a Command Prompt window. Type “gpedit.msc” to open the Group
Policy Editor.
7. Choose Computer Configuration | Administrative Templates | Network | SSL
Configuration Settings.
8. Open SSL Cipher Suite Order.
Siemens AG 2015 All rights reserved

9. Select “Enabled”.
10. Add the following to the list of allowed ciphers (comma separated):
TLS_RSA_WITH_DES_CBC_SHA
11. Make sure any NULL ciphers are removed from the list. For example:
– TLS_RSA_WITH_NULL_SHA256
– TLS_RSA_WITH_NULL_SHA
– TLS_RSA_WITH_NULL_MD5
12. Close the Group Policy Editor.
13. Restart the computer.

Access the Web Interface for ROS Non-Controlled (NC)

Entry-ID: 109476726, V 1.1, 05/2015 5
 2 Configuring Windows to Work with an NC Version of ROS

2.3 Enabling Support for SSL 3.0 and TLS 1.0

NOTE Siemens recommends using Microsoft Internet Explorer, as other browsers such
as Mozilla Firefox and Google Chrome do not allow support for DES-56 bit
encryption.

To enable support for SSL 3.0 and TLS 1.0 in Internet Explorer, do the following:
1. In Internet Explorer, click “Internet Options” on the “Tools” menu, and then click
the “Advanced” tab.
2. Under Settings, make sure “Use SSL 3.0” and “Use TLS 1.0” are selected.
3. Click “OK”.
4. Attempt to access the ROS Web interface in Internet Explorer. When the
certificate error appears, click “Continue to this website (not recommended)” to
access the interface.
Siemens AG 2015 All rights reserved

Access the Web Interface for ROS Non-Controlled (NC)

Entry-ID: 109476726, V 1.1, 05/2015 6