Step 5: Set Base Security Settings
Before deploying your Solstice Pods, certain security baselines should be configured to harden the security of your deployment. The following are the base security settings that Mersive recommends configuring. These basic security settings can apply to any organization that operates in a security-conscious environment, especially for larger, centrally-managed deployments. For additional security configurations, see Security Settings.
How To
To protect Solstice Pod configurations, you can set an admin password for each Pod. This password may then be required to add the Pod to Solstice Dashboard management and to make Pod configuration changes through USB-based local config, browser-based web config, and the configuration API. The admin password is also required to retrieve usage logs from Solstice Pods or to perform a factory reset.
Tip
Mersive strongly recommends setting the same administrator password for all your Solstice displays.
In Solstice Dashboard, select all your displays from the list of Your Solstice Instances.
Go to the Security tab.
To enforce password validation rules (8-character minimum, one uppercase and one lowercase character, one number or special character), select the Enforce password validation rules option.
In the Admin Password field, enter the password to use for the selected displays, or remove the password entirely.
Click Apply.
When the screen key is enabled, in-room users will be required to enter the four-digit code that appears on the Solstice display before they are able to connect.
In Solstice Dashboard, select your displays from the list of Your Solstice Instances.
Go to the Security tab and scroll to the Access Control settings.
Check Screen key enabled to require the entry of the screen key to connect to a display. A pop-up warning may appear.
If you agree with the requirements of the warning, click Yes, enable Screen Key.
Click Apply.
Moderator mode allows a user to make a session moderated, meaning they can approve or deny subsequent requests from users to join the session or post content to the display. Moderator mode is enabled by default.
In Solstice Dashboard, select your displays from the list of Your Solstice Instances.
Go to the Security tab.
In the Access Control section, uncheck Moderator approval disabled.
Click Apply.
This setting allows Solstice network traffic between a Solstice display and Solstice user apps to be encrypted using a standard RSA/SHA cipher with a 2048-bit private key. This also includes network traffic related to configuration via either the Solstice Dashboard, the display’s web-based configuration (if enabled), or Solstice Cloud management. When this option is enabled, Dashboard also sends Solstice Local Release updates via port 443.
By default, Solstice display servers are loaded with a self-signed CA certificate from Mersive that is used when a display receives HTTPS connections. However, you may also upload a custom CA certificate bundle to be used instead. Note that the display always uses the CA certificate for HTTPS traffic, even when Solstice client-server encryption is disabled. For more information about certificate management in Solstice, see Enterprise Certificate Management.
Note
An issue existed in Solstice 5.5 and 5.5.1 where loading a custom PFX (.p12) certificate to encrypt Solstice client/server traffic caused a fatal boot loop. Installing a custom .p12 certificate should be avoided for Solstice Pods running these versions of Solstice. (PEM certificates can still be used.) Mersive resolved this issue in Solstice 5.5.2.
In Solstice Dashboard, select a Solstice display from the list of Your Solstice Instances.
Go to the Security tab.
In the Encryption section, select Encrypt Client/Server Communications to encrypt communication between the Solstice Pod or Solstice Windows Display and user devices.
To upload a custom CA certificate bundle to be used instead of the Solstice display's default self-signed certificate for external HTTPS connections, check Use Custom CA Certificate Bundle for External Communications and Browse to select the PFX certificate file.
Click Apply.
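The note above about Solstice 5.5 and 5.5.1 can be turned into a check that runs before a certificate file is uploaded. The following is an added example, not Mersive code: it classifies a file as PEM or PKCS#12 (PFX) from its leading bytes and blocks anything other than PEM for the affected versions. The Pod names, the version strings typed in by the operator, and the sample byte strings are assumptions constructed for illustration.

```python
"""Pre-upload check for a custom certificate file (added example, not Mersive code)."""

# Solstice versions the note above names as affected by the custom-PFX boot loop.
AFFECTED = {(5, 5, 0), (5, 5, 1)}

def parse_version(text):
    """Turn '5.5' or '5.5.1' into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def detect_format(data):
    """Classify certificate file bytes as 'pem', 'pkcs12', 'der' or 'unknown'."""
    if b"-----BEGIN " in data[:4096]:
        return "pem"
    if len(data) < 5 or data[0] != 0x30:      # both binary forms start with SEQUENCE
        return "unknown"
    # Skip the length octets: short/indefinite form is 1 byte, long form is 1 + n.
    offset = 2 if data[1] <= 0x80 else 2 + (data[1] & 0x7F)
    # A PKCS#12 (PFX) structure begins with INTEGER version 3; an X.509
    # certificate begins with another SEQUENCE instead.
    return "pkcs12" if data[offset:offset + 3] == b"\x02\x01\x03" else "der"

def preflight(pod_version, cert_bytes):
    """Return (allowed, reason) for loading cert_bytes onto a Pod at pod_version."""
    version = parse_version(pod_version)
    fmt = detect_format(cert_bytes)
    if version not in AFFECTED:
        return True, f"{pod_version} is not an affected version ({fmt} file)"
    if fmt == "pem":
        return True, f"PEM file is usable on {pod_version}"
    return False, f"{fmt} file on {pod_version}: update to 5.5.2 or use PEM first"

# Constructed sample inputs: only the leading bytes matter to the detector.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n"
SAMPLE_PFX = bytes.fromhex("30820a00" "020103" "30820900")

if __name__ == "__main__":
    # Pod names and versions are hypothetical inventory entries typed in by the operator.
    for pod, ver in [("room-101", "5.5"), ("room-102", "5.5.1"), ("room-103", "5.5.2")]:
        for label, blob in [("pem", SAMPLE_PEM), ("pfx", SAMPLE_PFX)]:
            allowed, reason = preflight(ver, blob)
            print(f"{pod} {label}: {'OK' if allowed else 'BLOCK'} - {reason}")
```

The check reads the file's content rather than trusting its extension, so a PKCS#12 file renamed to .pem is still caught.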