Securing WebHMI–FrameWorX Communication with HTTPS

By default, WebHMI communicates with FrameWorX servers over unencrypted HTTP. However, if your network topology cannot guarantee that the path between the Kubernetes nodes and the GENESIS machine is isolated from untrusted devices, you need to configure HTTPS on the FrameWorX web server, and then update the WebHMI Helm values to use it.

To configure HTTPS on the FrameWorX web server and the WebHMI Helm chart:

  1. Configure TLS in IIS on the FrameWorX machine.

    If TLS is not yet configured, bind a certificate to the default web site in IIS.

    If TLS is already configured on the FrameWorX machine, skip to step 2.

    1. Open IIS Manager on the Genesis/FrameWorX machine.

    2. In the left panel, select the server node, then open Server Certificates .

    3. Import or create a certificate (self-signed or CA-issued).

    4. In the left panel, expand SitesDefault Web SiteBindings…

    5. Click Add , set Type to https , select your certificate, and confirm.

  2. Export the certificate for verifying the FrameWorX server's identity in the PEM format.

    1. In IIS Manager, select the server node and open Server Certificates .

    2. Double-click the certificate that you want to export, go to the Details tab, and click Copy to File…

    3. In the Certificate Export Wizard:

      • Select No, do not export the private key .

      • Select Base-64 encoded X.509 (.CER) as the format.

      • Save the file; for example, frameworx.crt .

    4. Open the exported .crt file in a text editor. It should start with -----BEGIN CERTIFICATE----- .

    5. Copy the file content. If you have multiple FrameWorX servers, each with a different certificate, concatenate all their certificates. You will need to paste them into the Helm values in the next step.

  3. Configure the Helm chart to use HTTPS.

    • Using the command line:

      Set the frameworx.useHttps value in your values.yaml file to true and paste the certificate content into trustedCerts.content:

      frameworx: useHttps: true trustedCerts: content: | -----BEGIN CERTIFICATE----- MIIDRjCCAi6gAwIBAgIU... -----END CERTIFICATE-----

      Then apply the changes:

      helm upgrade <release-name> webhmi/ -f values.yaml
    • Using Rancher:

      1. In your WebHMI cluster view, navigate to AppsInstalled Apps and select the WebHMI Helm release.

      2. Click Edit/Upgrade , leave the first step as-is, and click Next .

      3. On the Edit Options tab, go to General Settings and select Use HTTPS for FrameWorX Connections .

      4. Paste the certificate content into the Trusted CA Certificate(s) (PEM) text box, and then click Upgrade .

Advanced: If you prefer to store certificates in a Kubernetes Secret yourself, create a secret with a tls.crt key containing the PEM bundle: kubectl create secret generic <name> --from-file=tls.crt=frameworx.crt , and then enter its name in the Existing Trusted CA Secret Name field instead of pasting the certificate content.