Configuring Advanced Security Settings

To add an extra layer of security, provide a custom prime number value to the Diffie-Hellman algorithm that TLS protocol uses as part of the connection handshake. By default, NI Web Server uses a set of prime values defined by the Apache Web Server. This default is sufficient for most cases.

Longer parameters increase the computational cost of handling each TLS connection to the server. Additionally, older TLS client applications may not support longer keys. Ensure you test before you deploy to production.
  1. On the SystemLink Server machine, open Command Prompt and run the following command.
    Note The following command uses the copy of OpenSSL installed with SystemLink 23.5 or later. You can substitute a different copy of OpenSSL.
    "c:\Program Files\National Instruments\Shared\Skyline\OpenSSL\openssl.exe" dhparam -outform PEM -out dhparam.txt numbits

    Where

    • numbits is the bit length for the prime. You can specify 1024, 2048, 3072, 4096, 7680, or 8192 bits. NI recommends using a length of at least 3072 bits.
    The command creates a file called dhparam.txt in the current directory.
  2. Run a text editor as an administrator and open the NI Web Server certificate located at C:\Program Files\National Instruments\Shared\Web Server\certs\. If there are multiple certificate files in this directory, open C:\Program Files\National Instruments\Shared\Web Server\conf\defines.d\50_httpd-defines.conf and use the file specified for the TLS_CERTIFICATE_PATH variable.
  3. Open dhparam.txt and copy and paste the contents into the certificate file on a new line after the last -----END CERTIFICATE-----.
  4. Save and close the certificate file.
  5. Open NI Web Server Configuration and click Restart on the Control tab.
Repeat this process whenever you update the configured HTTP certificate in the NI Web Sever Configuration tool.