Info

For SmartServer 4.2 and higher, see Enhancing Security.

...

Enabling/disabling enhanced security is available with SmartServer release 3.5 and higher.
Info

Enhanced security is enabled by default on:

  • A factory-configured SmartServer that is shipped with 3.5 or higher
  • A SmartServer with 3.5 or higher after a factory reset
  • A SmartServer that is re-imaged with 3.5 or higher

Enhanced security is disabled by default on a SmartServer that is updated to 3.5 or higher from a release prior to 3.5.

Enhanced Security has no effect when using SAML or OAuth 2.0 Authentication Methods. Enhanced Security passwords are used when the Authentication Method is set to Basic. 

Enhanced security enables/disables the following features:

  • Password (pwd) – controls whether strong passwords are required and whether the console times out. Strong password requirements are: must have at least 14 characters, including digits, as well as lower-case, upper-case, and special characters. 

    Info
    Changing passwords with SmartServer release 3.6

    With SmartServer 3.6 and higher, if you log into the SmartServer Configuration pages and Enhanced Security is enabled, and your password does not meet the strength requirements, then you will be required to change your password. See Changing Passwords for Enhanced Security in the Managing SmartServer IoT Passwords section.

    Since the Enhanced Security feature is enabled by default, and the default factory password does not meet the enhanced security password requirements, you will always be required to change your password the first time you log into the SmartServer Configuration pages with SmartServer 3.6.

    If the Enhanced Security feature is disabled, then strong passwords are not enforced and changing the password will not be required. For example, if you upgrade to SmartServer 3.6 from a previous release that has Enhanced Security disabled, and you have a simple password, then the first time you log into the SmartServer Configuration pages, you will not be forced to change your password.


  • SCP (scp) – SCP (secure copy protocol) controls permissions for root access over SSH. With enhanced security enabled, root access over SSH is not allowed.
  • Firewall (fw) – controls whether the firewall is enhanced or not (default is enhanced). The enhanced feature sets the default to deny outgoing and routed ports, and resets port rules to factory defaults. Ports will be opened for enabled services dynamically, except for incoming MQTT ports on the Features Configuration page. When disabled, the default for outgoing ports is set to allow.

You can enable/disable enhanced security using an option on the System Configuration page or using the SmartServer Secure Utility. These options are described in the sections that follow.

Using the System Configuration Page

...

  1. Log into the SmartServer console using USB or SSH.

  2. Use the following command to enable or disable enhanced security options:
     
    smartserver-secure [Option] [-|+<feat> ...]

    If all the options are enabled, the command output is all.
    • The help option outputs enabled features and provides information about the utility.
    • Features are as follows:
      +<feat> to enable a feature
      -<feat> to disable a feature

      where <feat> is one of the following:
      • pwd – controls whether strong passwords are required and whether the console times out. Strong password requirements are: must have at least 14 characters, including digits, as well as lower-case, upper-case, and special characters. A fresh login session is required for changes to take effect.
      • scp – SCP (secure copy protocol) controls permissions for root access over SSH. With enhanced security enabled, root access over SSH is not allowed.
      • fw  – controls whether the firewall is enhanced or not (default is enhanced). The enhanced feature sets the default to deny outgoing and routed ports, and resets port rules to factory defaults. Ports will be opened for enabled services dynamically, except for incoming MQTT ports on the Features Configuration page. When disabled, the default for outgoing ports is set to allow.
      • all – controls all features.

        Examples:
        • To enable all features:
          smartserver-secure +all
          Output is all.

        • To disable strong passwords and console timeouts:
          smartserver-secure -pwd
          If this command followed the previous example, then the output is scp fw.

        • To output the currently enabled features:
          smartserver-secure
          If this command followed the previous example, then the output is scp fw.
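The output format shown in these examples can be checked mechanically. The following is an added example, not part of the SmartServer documentation or the utility itself: it assumes the utility prints either all or a whitespace-separated subset of pwd scp fw, and the function names, unit names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not vendor code): audit reported smartserver-secure state.
# Assumption: the utility prints "all" or a whitespace-separated subset of
# "pwd scp fw", as in the examples above.

FEATURES="pwd scp fw"

# disabled_features "<utility output>"
# Prints the features that are NOT enabled (empty line when all are on).
disabled_features() {
    reported=$(printf '%s' "$1" | tr -s '[:space:]' ' ')
    missing=""
    for f in $FEATURES; do
        case " $reported " in
            *" all "* | *" $f "*) ;;                     # enabled
            *) missing="${missing:+$missing }$f" ;;      # disabled
        esac
    done
    printf '%s\n' "$missing"
}

# audit_fleet: reads "<unit> <utility output>" lines on stdin, prints one
# line per unit with a disabled feature, returns 1 if any was found.
audit_fleet() {
    rc=0
    while read -r unit out; do
        [ -n "$unit" ] || continue
        miss=$(disabled_features "$out")
        if [ -n "$miss" ]; then
            printf '%s: disabled -> %s\n' "$unit" "$miss"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: unit-b has had -pwd applied, unit-c reports no
# features at all. Unit names are made up.
SAMPLE='unit-a all
unit-b scp fw
unit-c'

# On a unit itself: disabled_features "$(smartserver-secure)"
printf '%s\n' "$SAMPLE" | audit_fleet || true
```

A unit that was updated from a release prior to 3.5 has enhanced security disabled by default, so it is the case this audit is most likely to flag.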

...

To access a SmartServer from within a private network, use one of the methods described in Connecting to Your SmartServer.

By default, the SmartServer is configured to use self-signed certificates, so when you try to establish a secure connection to a SmartServer, a browser will always indicate that the connection is insecure, as shown below. However, you can safely proceed to the web page.

...

  1. Ensure that the SmartServer has a good internet connection by pinging a known site such as google.com from a console connection.

    Info

    See Connecting to Your SmartServer for information regarding connecting to the SmartServer using the console.


  2. Open the SmartServer Configuration page.  


    The Network Configuration page appears.



  3. Click the System tab at the top of the page.

    The System Configuration page appears.



  4. Click Enable Signed Certificates so that a check mark appears.



  5. Reboot the SmartServer.

    Once you enable signed certificates, the SmartServer will automatically update its DDNS entry for the hostname printed on the label on the bottom of your SmartServer appended with echelon.cloud, checking every 30 minutes if the SmartServer's external address has changed. If an external address change is detected, the SmartServer will update DDNS accordingly, allowing for network reconfiguration if required. The SmartServer automatically renews the signed certificates with a certificate authority every 90 days.

    Note
    Even though DDNS is supported, the use of non-fixed IP address SIM cards for cellular connections may cause frequent communication disruptions because the external address may change as frequently as once a minute. Any change to the SmartServer's external IP address requires some time to be reflected in the global DNS. Frequent external IP address changes can cause complete loss of external access.


  6. Refer to the SmartServer by its registered FQDN within the global DNS to provide secure access. The registered FQDN consists of the hostname concatenated with .echelon.cloud as shown in this example:

    smartserver-17q3jd2.echelon.cloud

  7. You can manually update the SmartServer's DDNS entry from a console connection having logged in as root (see Logging into the SmartServer in the Connect to Your SmartServer section for more information) using the following command. The update will require some time to propagate through the global DNS:
    /sbin/aws-update

  8. To verify the correct DNS entry for the SmartServer, ping <smartserver hostname>.echelon.cloud and compare this to the result of the dig command shown below, which you can use to find the SmartServer's external address from a console connection.
    dig myip.opendns.com @resolver1.opendns.com

...

  1. Place your signed certificates in a suitably named directory within /var/apollo/data/certs as shown in the figure below.



    As an example, with signed certificates enabled, the contents of /etc/nginx/sites-enabled/certs.conf are as follows for smartserver-17q4rsx.echelon.cloud:

    # ======= SSL keys - CA Signed ======
    ssl_certificate         /var/apollo/data/certs/smartserver-17q4rsx.echelon.cloud/fullchain.pem;
    ssl_certificate_key     /var/apollo/data/certs/smartserver-17q4rsx.echelon.cloud/privkey.pem;
    ssl_dhparam             /var/apollo/data/certs/smartserver-17q4rsx.echelon.cloud/dhparams.pem;
    # ===================================

    The expected names of signed certificate files are fullchain.pem and privkey.pem, which are soft links to the actual files. The expected names of self-signed certificate files are server.crt and server.key, which are not soft-links.

  2. Edit /etc/nginx/sites-enabled/certs.conf to reflect your own certificates.

  3. Restart nginx from a console connection using the following command, or simply reboot your SmartServer:
    sudo systemctl restart nginx
    Info

    See Connecting to Your SmartServer for information regarding connecting to the SmartServer using the console.


  4. Populate your own DNS to reflect the SmartServer’s hostname and chosen domain such that it matches the certificate common name.
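Before the nginx restart in step 3, a check like the following catches a certs.conf that points at missing files or at a soft link whose target is gone. This is an added example, not part of the SmartServer documentation: the function names are hypothetical, and the rule that certificate and key share one directory is an assumption taken from the layout in the certs.conf example above.

```sh
#!/bin/sh
# Added example (not vendor code): sanity-check certs.conf before
# restarting nginx.

# directive_path <directive> <conf>: print the path given to an nginx
# directive, with the trailing semicolon removed.
directive_path() {
    awk -v d="$1" '$1 == d { sub(/;$/, "", $2); print $2; exit }' "$2"
}

# check_certs_conf <conf>
# Prints "ca-signed" or "self-signed" and returns 0 when the referenced
# files exist and use the file names the page describes; otherwise prints
# the problem and returns 1.
check_certs_conf() {
    conf=$1
    cert=$(directive_path ssl_certificate "$conf")
    key=$(directive_path ssl_certificate_key "$conf")
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "missing ssl_certificate or ssl_certificate_key"; return 1
    fi
    for p in "$cert" "$key"; do
        if [ -L "$p" ] && [ ! -e "$p" ]; then
            echo "dangling soft link: $p"; return 1
        elif [ ! -e "$p" ]; then
            echo "file not found: $p"; return 1
        fi
    done
    # Assumption: a cert and key from different directories usually means
    # a half-edited file (one host's certificate, another host's key).
    if [ "$(dirname "$cert")" != "$(dirname "$key")" ]; then
        echo "certificate and key are in different directories"; return 1
    fi
    case "$(basename "$cert") $(basename "$key")" in
        "fullchain.pem privkey.pem") echo "ca-signed" ;;
        "server.crt server.key")     echo "self-signed" ;;
        *) echo "unexpected file names: $cert $key"; return 1 ;;
    esac
}

# Usage on a unit: sh thisfile.sh /etc/nginx/sites-enabled/certs.conf
if [ -n "${1:-}" ]; then check_certs_conf "$1"; fi
```

The check looks only at paths and file names; it does not confirm that the private key belongs to the certificate or that the common name matches your DNS entry.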

802.1x Mutual Authentication

The 802.1x Mutual Authentication option is available with SmartServer 3.6 and higher.

You can enable wired 802.1x mutual authentication using the EAP-TLS EAP mode (i.e., Extensible Authentication Protocol mode that tunnels over Transport Layer Security) using the System Configuration page or the BACnet Configuration page. Doing so enables wired 802.1x mutual authentication with EAP-TLS as shown in the figure below, where the supplicant is a SmartServer or Remote CMS SmartSupervisor host, the authenticator is an Ethernet switch with 802.1x support, and the authentication server is a RADIUS server or equivalent.

MAC Authentication Bypass (MAB) fallback will be used for initial provisioning to support SmartServer or Remote CMS SmartSupervisor host authentication prior to availability of an 802.1x compatible certificate.  To install a new SmartServer, the SmartServer or Remote CMS SmartSupervisor host MAC address will be added to the authentication server allowed MAC ID-list. Doing so will enable the listed SmartServer or Remote CMS SmartSupervisor host to connect to the network for initial provisioning. Once provisioned, the MAC ID can be removed from the list.

Enabling 802.1x mutual authentication using the System Configuration page or the BACnet Configuration page requires that:

  • The SmartServer uses SSL certificates obtained from Certificate Manager (these certificates are configured as client-side and server-side and can therefore be used as client-side certificates for 802.1x).
  • The interface name starts with eth.

To enable 802.1x mutual authentication, follow these steps:

  1. Open the SmartServer Configuration page.  


    The Network Configuration page appears.



  2. Click the System tab at the top of the page.

    The System Configuration page appears.



    Or

    Click the BACnet tab at the top of the page.

    The BACnet Configuration page appears.



  3. On the System Configuration page, click the Enable Wired 802.1x Mutual Authentication for eth0 or Enable Wired 802.1x Mutual Authentication for eth1 checkbox so that a check mark appears next to it.



    Or

    On the BACnet Configuration page, click the 802.1x Mutual Authentication checkbox for the eth0 or eth1 interface so that a check mark appears next to it.


    Note

    Enabling 802.1x mutual authentication for lon0 on the BACnet Configuration page is not supported; this checkbox will always appear grey.


    Info

    Enabling 802.1x mutual authentication using either the System Configuration page or the BACnet Configuration page takes effect on both configuration pages.


  4. If you are enabling 802.1x mutual authentication using the BACnet Configuration page, then click Update to save your configuration changes.

PKI Certificate Management

PKI certificate management is available with SmartServer 3.6 and higher.

With SmartServer 3.6 and higher, a certificate manager service in the Remote CMS SmartSupervisor provides the ability to certify each SmartServer and communicate with the public key infrastructure (PKI) site. The figure below shows the PKI infrastructure with a Remote CMS SmartSupervisor host and multiple SmartServers.

See Install and Start the Remote CMS SmartSupervisor for more information about starting the Remote CMS SmartSupervisor using PKI certificate management.

...