Info: For SmartServer 4.1 and prior, see Enhancing Security (Release 4.1 and Prior).
...
Enabling / Disabling enhanced security is available with SmartServer release 3.5 and higher.
Enhanced security is enabled by default on:
- A factory-configured SmartServer that is shipped with 3.5 or higher
- A SmartServer with 3.5 or higher after a factory reset
- A SmartServer that is re-imaged with 3.5 or higher
Enhanced security is disabled by default on a SmartServer that is updated to 3.5 or higher from a release prior to 3.5.
Enhanced Security has no effect when using SAML or OAuth 2.0 Authentication Methods. Enhanced Security passwords are used when the Authentication Method is set to Basic.
Enhanced security enables/disables the following features:
- Password (pwd) – controls whether strong passwords are required and whether the console times out. Strong password requirements are: must have at least 14 characters, including digits, as well as lower-case, upper-case, and special characters.
With SmartServer 3.6 and higher, if you log into the SmartServer Configuration pages and Enhanced Security is enabled, and your password does not meet the strength requirements, then you will be required to change your password. See Changing Passwords for Enhanced Security in the Managing Passwords section.
Since the Enhanced Security feature is enabled by default, and the default factory password does not meet the enhanced security password requirements, you will always be required to change your password the first time you log into the SmartServer Configuration pages with SmartServer 3.6.
If the Enhanced Security feature is disabled, then strong passwords are not enforced and changing the password will not be required. For example, if you upgrade to SmartServer 3.6 from a previous release that has Enhanced Security disabled, and you have a simple password, then the first time you log into the SmartServer Configuration pages you will not be forced to change your password.
- SCP (scp) – SCP (secure copy protocol) controls permissions for root access over SSH. With enhanced security enabled, root access over SSH is not allowed.
- Firewall (fw) – controls whether the firewall is enhanced or not (default is enhanced). The enhanced feature sets the default to deny outgoing and routed ports, and resets port rules to factory defaults. Ports will be opened for enabled services dynamically, except for incoming MQTT ports on the Features Configuration page. When disabled, the default for outgoing ports is set to allow.
You can enable/disable enhanced security using an option on the System Configuration page or using the SmartServer Secure Utility. These options are described in the sections that follow.
For SmartServer Pi, you can enable enhanced security using the CMS Settings widget. See Configuring Security (Authentication Method).
Using the System Configuration Page
...
- Open the SmartServer Configuration page as described in Accessing the SmartServer IoT Configuration Page. The Network tab appears as the default SmartServer Configuration page. Once the network settings are configured for the SmartServer system, then the System tab will appear.
  (Figure: SmartServer IoT Network tab)
- Click the System tab if needed. The System tab appears.
  (Figure: SmartServer IoT System tab)
- Enable the Enhanced Security option.
  (Figure: SmartServer IoT System tab, Enhanced Security option)
  The System Configuration page runs the following commands to enable or disable enhanced security:
  Enable:
  sudo /sbin/smartserver-secure +all
  Disable:
  sudo /sbin/smartserver-secure -all
- Click Update.
A fresh login session is required for changes to take effect after the enhanced security option has been modified.
...
To use the SmartServer Secure Utility, perform the following steps:
- Log into the SmartServer console using USB or SSH.
- Use the following command to enable or disable enhanced security options:
  smartserver-secure [Option] [-|+<feat> ...]
  If all the options are enabled, the command output is all.
  - The help option outputs enabled features and provides information about the utility.
  - Features are as follows:
    +<feat> to enable a feature
    -<feat> to disable a feature
    where <feat> is one of the following:
    - pwd – controls whether strong passwords are required and whether the console times out. Strong password requirements are: must have at least 14 characters, including digits, as well as lower-case, upper-case, and special characters. A fresh login session is required for changes to take effect.
    - scp – SCP (secure copy protocol) controls permissions for root access over SSH. With enhanced security enabled, root access over SSH is not allowed.
    - fw – controls whether the firewall is enhanced or not (default is enhanced). The enhanced feature sets the default to deny outgoing and routed ports, and resets port rules to factory defaults. Ports will be opened for enabled services dynamically, except for incoming MQTT ports on the Features Configuration page. When disabled, the default for outgoing ports is set to allow.
    - all – controls all features.
  Examples:
  - To enable all features:
    smartserver-secure +all
    Output is all.
  - To disable strong passwords and console timeouts:
    smartserver-secure -pwd
    If this command followed the previous example, then the output is scp fw.
  - To output the currently enabled features:
    smartserver-secure
    If this command followed the previous example, then the output is scp fw.
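The following script is an added example, not part of the SmartServer firmware or of this documentation. It shows how to turn the two rules stated above into checks you can run from the console: missing_features reads the feature list that smartserver-secure prints (all, or a subset such as scp fw) and reports which of the three documented features are off, and password_is_strong applies the documented strong-password rule (at least 14 characters, with a digit, a lower-case letter, an upper-case letter and a special character) to a candidate password before you set it. The sample outputs in the comments are constructed; the live call at the end only runs where the smartserver-secure utility exists.

```shell
#!/bin/sh
# secure_audit.sh: added example, not Echelon's code. Audits the output of
# `smartserver-secure` and checks a candidate password against the documented
# strong-password rule. Runs on any POSIX sh; only the final block needs the SmartServer.

ALL_FEATURES="pwd scp fw"   # the three features the utility controls

# Print the documented features that are NOT in the utility's output.
# $1: output of `smartserver-secure`, e.g. "all", "scp fw" or "" (constructed samples).
missing_features() {
  enabled="$1"
  [ "$enabled" = "all" ] && enabled="$ALL_FEATURES"   # "all" means every feature is on
  missing=""
  for f in $ALL_FEATURES; do
    case " $enabled " in
      *" $f "*) ;;                       # feature present in the output
      *) missing="$missing $f" ;;        # feature absent, so it is disabled
    esac
  done
  echo "${missing# }"
}

# Return 0 if $1 meets the documented rule: >=14 chars, digit, lower, upper, special.
password_is_strong() {
  p="$1"
  [ ${#p} -ge 14 ] || return 1
  printf '%s\n' "$p" | grep -q '[0-9]'         || return 1
  printf '%s\n' "$p" | grep -q '[a-z]'         || return 1
  printf '%s\n' "$p" | grep -q '[A-Z]'         || return 1
  printf '%s\n' "$p" | grep -q '[^A-Za-z0-9]'  || return 1
  return 0
}

# Live use on the SmartServer console; skipped silently elsewhere.
if command -v smartserver-secure >/dev/null 2>&1; then
  m=$(missing_features "$(smartserver-secure)")
  if [ -z "$m" ]; then
    echo "enhanced security: all features enabled"
  else
    echo "enhanced security: disabled features: $m"
  fi
fi
```

Running it after the `smartserver-secure -pwd` example above would report `disabled features: pwd`, which is the case the page warns about: with pwd off, weak passwords are accepted and the console no longer times out.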
...
To access a SmartServer from within a private network, use one of the methods described in Connecting to Your SmartServer.
By default, the SmartServer is configured to use self-signed certificates, and therefore when trying to establish a secure connection to a SmartServer, a browser will always indicate the connection is insecure, as shown below. However, you can safely proceed to the web page.
...
Ensure that the SmartServer has a good internet connection by pinging a known site such as google.com from a console connection. See Connecting to Your SmartServer for information regarding connecting to the SmartServer using the console.
- Open the SmartServer Configuration page. The Network tab appears as the default SmartServer Configuration page. Once the network settings are configured for the SmartServer system, then the System tab will appear.
  (Figure: SmartServer IoT Network tab)
- Click the System tab if needed. The System tab appears.
  (Figure: SmartServer IoT System tab)
- Enable the Signed Certificates option.
  (Figure: SmartServer IoT System tab, Signed Certificates option)
- Reboot the SmartServer.
Once you enable signed certificates, the SmartServer will automatically update its DDNS entry for the hostname printed on the label on the bottom of your SmartServer appended with echelon.cloud, checking every 30 minutes if the SmartServer's external address has changed. If an external address change is detected, the SmartServer will update DDNS accordingly, allowing for network reconfiguration if required. The SmartServer automatically renews the signed certificates with a certificate authority every 90 days.
Note: Even though DDNS is supported, the use of non-fixed IP address SIM cards for cellular connections may cause frequent communication disruptions because the external address may change as frequently as once a minute. Any change to the SmartServer's external IP address requires some time to be reflected in the global DNS. Frequent external IP address changes can cause complete loss of external access.
- Refer to the SmartServer by its registered FQDN within the global DNS to provide secure access. The registered FQDN consists of the hostname concatenated with .echelon.cloud as shown in this example:
  smartserver-17q3jd2.echelon.cloud
- You can manually update the SmartServer's DDNS entry from a console connection having logged in as root (see Logging into the SmartServer in the Connect to Your SmartServer section for more information) using the following command. The update will require some time to propagate through the global DNS:
  /sbin/aws-update
- To verify the correct DNS entry for the SmartServer, ping <smartserver hostname>.echelon.cloud and compare this to the result of the dig command shown below, which you can use to find the SmartServer's external address from a console connection:
  dig myip.opendns.com @resolver1.opendns.com
...
Place your signed certificates in a suitably named directory within /var/apollo/data/certs as shown in the figure below.
As an example, with signed certificates enabled, the contents of /etc/nginx/sites-enabled/certs.conf are as follows for smartserver-17q4rsx.echelon.cloud:
# ======= SSL keys - CA Signed ======
ssl_certificate /var/apollo/data/certs/smartserver-17q4rsx.echelon.cloud/fullchain.pem;
ssl_certificate_key /var/apollo/data/certs/smartserver-17q4rsx.echelon.cloud/privkey.pem;
ssl_dhparam /var/apollo/data/certs/smartserver-17q4rsx.echelon.cloud/dhparams.pem;
# ===================================
The expected names of signed certificate files are fullchain.pem and privkey.pem, which are soft links to the actual files. The expected names of self-signed certificate files are server.crt and server.key, which are not soft-links.
- Edit /etc/nginx/sites-enabled/certs.conf to reflect your own certificates.
- Restart nginx from a console connection using the following command, or simply reboot your SmartServer:
sudo systemctl restart nginx
  Info: See Connecting to Your SmartServer for information regarding connecting to the SmartServer using the console.
- Populate your own DNS to reflect the SmartServer's hostname and chosen domain such that it matches the certificate common name.
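A restart of nginx with a wrong certificate set takes the Configuration page offline, so it is worth checking the files before editing certs.conf and restarting. The script below is an added example, not Echelon's code and not part of the SmartServer firmware. It looks under /var/apollo/data/certs (the directory the page uses) for the expected fullchain.pem and privkey.pem, confirms that the private key belongs to the certificate, and confirms that the certificate's CN or a DNS subjectAltName entry actually names the host you will reach it by, which is the property the last step above asks your DNS to satisfy. It assumes the openssl command-line tool is installed; the second argument to check_cert_dir, which overrides the root directory, exists only so the checks can be exercised on a scratch directory.

```shell
#!/bin/sh
# cert_precheck.sh: added example, not part of the SmartServer firmware or its documentation.
# Verifies a CA-signed certificate set before nginx is pointed at it. Requires openssl.

CERT_ROOT=/var/apollo/data/certs   # directory named on the page

# Return 0 if the public key in certificate $1 equals the public key derived from private key $2.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if certificate $1 names host $2 in its subject CN or in a DNS subjectAltName entry.
# The hostname is used as a regular expression, so dots match loosely; good enough for a pre-check.
cert_names_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "CN ?= ?$2(,|\$)|DNS:$2(,|\$)"
}

# Check the certificate directory for hostname $1. $2 optionally overrides CERT_ROOT.
# Prints a reason on stderr and returns 1 on the first failed check.
check_cert_dir() {
  host="$1"
  dir="${2:-$CERT_ROOT}/$host"
  for f in fullchain.pem privkey.pem; do          # the file names the page says nginx expects
    [ -e "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  cert_key_match "$dir/fullchain.pem" "$dir/privkey.pem" \
    || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
  cert_names_host "$dir/fullchain.pem" "$host" \
    || { echo "fullchain.pem does not name $host" >&2; return 1; }
  echo "ok: $dir"
}

# Console usage: sh cert_precheck.sh <hostname>
# nginx is restarted only if the files check out and nginx accepts its configuration.
if [ -n "${1:-}" ]; then
  check_cert_dir "$1" && sudo nginx -t && sudo systemctl restart nginx
fi
```

The key/certificate comparison is done on the public keys rather than on RSA moduli so that it also works for EC keys. If a check fails, fix the files first; `sudo nginx -t` on its own only validates the syntax of certs.conf and will not catch a key that belongs to a different certificate.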
802.1x Mutual Authentication
The 802.1x Mutual Authentication option is available with SmartServer 3.6 and higher.
You can enable wired 802.1x mutual authentication using the EAP-TLS mode (Extensible Authentication Protocol with Transport Layer Security, in which the supplicant and the authentication server authenticate each other with certificates) using the System Configuration page or the BACnet Configuration page. Doing so enables wired 802.1x mutual authentication with EAP-TLS as shown in the figure below, where the supplicant is a SmartServer or Remote CMS host, the authenticator is an Ethernet switch with 802.1x support, and the authentication server is a RADIUS server or equivalent.
...
- The SmartServer uses SSL certificates obtained from Certificate Manager (these certificates are configured as client-side and server-side and can therefore be used as client-side certificates for 802.1x).
- The interface name starts with eth.
To enable 802.1x mutual authentication, follow these steps:
- Open the SmartServer Configuration page. The Network tab appears as the default SmartServer Configuration page. Once the network settings are configured for the SmartServer system, then the System tab will appear.
  (Figure: SmartServer IoT Network tab)
- Click the System tab if needed. The System tab appears.
  (Figure: SmartServer IoT System tab)
- Click the eth0 or eth1 option in the 802.1x Mutual Authentication area as shown in the example below.
  (Figure: SmartServer IoT System tab, 802.1x Mutual Authentication area)
- Click Update to save your configuration.
PKI Certificate Management
PKI certificate management is available with SmartServer 3.6 and higher.
With SmartServer 3.6 and higher, a certificate manager service in the Remote CMS provides the ability to certify each SmartServer and communicate with the public key infrastructure (PKI) site. The figure below shows the PKI infrastructure with a Remote CMS host and multiple SmartServers.
See Install and Start the Remote CMS for more information about starting the Remote CMS using PKI certificate management.
...