What is the BACnet/SC Management feature?
You can manage your BACnet/SC certificates and set the communication mode of your Ethernet devices with the BACnet/SC Management feature. The BACnet/SC Management feature is available in both Metasys UI and JCT. For more information about the BACnet/SC workflow, FAQs, and troubleshooting information, refer to BACnet/SC Workflow Technical Bulletin (LIT-12013959).
Who can access the BACnet/SC Management feature?
Only administrators can access the BACnet/SC Management feature. You require the Metasys BACnet/SC license for Servers to use this feature.
How do I access the BACnet/SC Management feature?
- Open the User menu.
- Click Network Security.
- Click BACnet/SC Management.
- In the Device Connection window, enter your credentials, then tap or click LOG IN. Note: When the connection is made, the information about the connection is displayed to the left of the IMPORT OPERATIONAL CERTIFICATE(S) button. You can open the Device Connection window at any time by selecting the Connected to link.
What is the layout of the BACnet/SC Management feature?
Number | Name | Description |
---|---|---|
1 | Devices | Manage all your Ethernet devices and their respective certificates from this tab. This is the default tab. |
2 | Actions | Request certificates, import signing certificates, delete unused signing certificates, and set the BACnet/IP communication mode in the Actions menu. |
3 | Settings | Contains basic site information, including the Secure Port Number, SC Primary Hub URI, and SC Failover Hub URI. |
4 | Filter | Filter your list of devices by network device, model, mode, or expiration date. |
5 | Data columns | Shows the devices listed by: You can resize the columns in the column header. |
6 | Import Operational Certificate(s) | Click this button to import operational certificates. Note: You must first request at least one certificate in the Actions menu before you can import operational certificates. See How do I request a certificate? for more information about requesting a certificate. |
7 | Refresh icon | Click this icon to refresh the content and see changes that result from the actions performed in the dashboard. The summary does not dynamically refresh information such as the online or offline status of devices. |
8 | Pagination | Click on the arrows to go to another page, if applicable. |
What do the icons in the BACnet/SC Management feature represent?
Icon | Icon description |
---|---|
The device's operational certificate expires soon. | |
The device has only a signing certificate present and no operational certificate. The expiration date shown is for the signing certificate, if there is only one signing certificate present. If there are multiple signing certificates present, the value in the Expiration Date column shows Multiple. | |
The device's operational certificate is present. | |
The device's operational certificate expires soon, but there is a pending request for a new certificate. | |
An operational certificate is not available, but the device has a pending request to get an operational certificate. | |
The device does not support operational certificates. | |
The operational certificate for the device has expired. | |
No icon | There is no operational certificate. |
What does a grayed out row mean?
Devices that you cannot perform any actions on appear grayed out and you cannot select them. For example, a row is grayed out if the software version does not support BACnet/SC or if the device is offline. Move your cursor over the row to see why you cannot select the device.
What is the difference between an operational certificate and a signing certificate?
BACnet/SC requires that all devices in the BACnet/SC infrastructure have an operational certificate assigned to them to safeguard secure communication. You must request an operational certificate for all your devices to use the BACnet/SC communication mode. See How do I request a certificate? for detailed steps. When the request is completed, import the operational certificates. See How do I import operational certificates? for detailed steps. Operational certificates have an expiration period. You must renew operational certificates before they expire by requesting and importing them again.
How do I enable BACnet/SC for my devices on a site that supports BACnet/SC?
- Open the BACnet/SC Management feature in Metasys UI or JCT.
- Open the Settings tab and provide the common site data. See How do I specify the Secure Port Number?, How do I specify the SC Primary Hub?, and How do I specify the SC Failover Hub? for details.
- Obtain certificate signing requests from each device, as described in How do I request a certificate? and obtain signed certificates from the local CA.
- Import the signing certificate used for the site, as described in How do I import a signing certificate?
- Import the operational certificates, as described in How do I import operational certificates?
- Set the communication mode to BACnet/SC, as described in How do I set the BACnet/IP communication mode?
How do I request a certificate?
- Click the Devices tab, if it is not already open.
- Select one or more devices that you want to request a certificate for. To see a full list of devices click . Note: You can select a maximum of 50 devices at a time.
- Click .
- If you select devices that already have a Certificate Signing Request (CSR) pending, choose to overwrite or keep the existing CSR. Note: If you select Overwrite and proceed, you generate a new CSR, which replaces the pending CSR and invalidates any operational certificate that is based on the pending CSR. If you select Keep existing, any devices that have a pending CSR are excluded, as if they were never selected. These devices are counted in the No Action Taken results at the Confirmation stage of the request process.
- Complete the Request Certificates parameters and click REQUEST. Note: Domain Name is an optional field. You can append a domain name to the auto-generated common name. The presence of the Domain Name in the common name of the device may be required by a Public Key Infrastructure (PKI) in order for the PKI to sign the CSR. For example, if the device name is MAC00108D0B94AE and the Domain Name field is blank, the auto-generated common name in the CSR is "MAC00108D0B94AE". If you enter jci.com in the Domain Name field, the common name in the CSR is "MAC00108D0B94AE.jci.com".
- Click the DOWNLOAD CSR(S) button to download a .zip file that contains the CSRs. The CSRs are in Privacy Enhanced Mail (PEM) format; each CSR is in its own file, and all the files are compressed into a single .zip file. The .zip file is stored in the browser's default download path, typically the Downloads folder in the user's profile folder on the computer. The file name follows this format: Certificate Signing Requests_mm_dd_year_hh_mm_ss.zip.
- Submit the .zip file to the Certificate Authority (CA) that is responsible for signing the certificates.
Note: There may be multiple .zip files, as one CSR covers 50 devices only.
How do I import a signing certificate?
- Click the Devices tab, if it is not already open.
- Select one or more devices that you want to import a signing certificate for. Note: You can select a maximum of 50 devices at a time.
- Click .
- Click Choose File and go to the .pem file that you want to import.
- Confirm that the file is from a trusted source and click IMPORT AND APPLY.
How do I import operational certificates?
- Click the IMPORT OPERATIONAL CERTIFICATE(S) button in the upper right of the BACnet/SC Management widget.
- Click Choose File and go to the .zip file that you want to import. Note: The .zip file can contain a maximum of 50 operational certificates. The import fails if the number of operational certificates in the .zip file exceeds 50.
- Confirm that the file is from a trusted source and click IMPORT AND APPLY. Certificates that pass the validation checks are then automatically assigned to the specified device.
- Wait about 30 seconds before you set the communication mode to Secure Connect Only Mode.
How do I delete unused signing certificates?
- Click the Devices tab, if it is not already open.
- Select one or more devices that you want to delete an unused signing certificate from.
- Click .
- Click DELETE.
How do I view certificate details?
How do I set the BACnet/IP communication mode?
- Wait about 30 seconds after the certificate import before you set the communication mode.
- Click the Devices tab, if it is not already open.
- Select one or more devices that you want to set the BACnet/IP communication mode for.
- Click .
- Choose a mode for the selected devices and click APPLY.
Do I have to follow a particular order when setting the BACnet/IP communication mode to BACnet/SC for different devices?
- Click the Devices tab, if it is not already open.
- Select your engines.
- Click .
- Set your engines to Dual SC and IP Mode, so that they can communicate in both modes, and click APPLY.
- Repeat step 1 and then select your IP equipment controllers.
- Click .
- Set your equipment controllers to Secure Connect Only Mode and click APPLY.
- Repeat step 1 and select the engines that you want to set to BACnet/SC.
- Click .
- Set the engines to Secure Connect Only Mode and click APPLY. Important: To turn on Secure Connect Only Mode on an engine, you must ensure that all equipment controllers that are mapped to that engine are communicating in Secure Connect Only Mode and that any other engines communicating with the engine that you want to change are in Secure Connect Only Mode or Dual SC and IP Mode.
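The ordering rule above can be checked against a site inventory before any engine is switched. The following is an added example, not Johnson Controls code: the inventory layout, device names, function names, and the "IP only" label for devices that have not been switched yet are all assumptions made for illustration.

```python
# Added example, not vendor code: checks the rollout order described above
# against a site inventory. Device names and the inventory layout are constructed.
DUAL = "Dual SC and IP Mode"
SC_ONLY = "Secure Connect Only Mode"
IP_ONLY = "IP only"  # assumed label for a device not yet switched to BACnet/SC

def blockers_for_sc_only(engine, modes, controllers, peers):
    """Reasons why `engine` must not yet be set to Secure Connect Only Mode."""
    reasons = []
    if modes.get(engine) != DUAL:
        # Step 4 of the procedure: engines go to Dual SC and IP Mode first.
        reasons.append(f"{engine} is not in {DUAL}")
    for ctrl in controllers.get(engine, []):
        # Every mapped equipment controller must already be Secure Connect Only.
        if modes.get(ctrl) != SC_ONLY:
            reasons.append(f"controller {ctrl} is in {modes.get(ctrl, 'unknown')}")
    for peer in peers.get(engine, []):
        # Peer engines must be Secure Connect Only or Dual SC and IP.
        if modes.get(peer) not in (SC_ONLY, DUAL):
            reasons.append(f"peer engine {peer} is in {modes.get(peer, 'unknown')}")
    return reasons

def plan_rollout(modes, controllers, peers):
    """Return (ready, blocked) for engines not yet in Secure Connect Only Mode."""
    ready, blocked = [], {}
    for engine in sorted(controllers):
        if modes.get(engine) == SC_ONLY:
            continue  # already migrated
        reasons = blockers_for_sc_only(engine, modes, controllers, peers)
        if reasons:
            blocked[engine] = reasons
        else:
            ready.append(engine)
    return ready, blocked

# Constructed sample site: three engines, three IP equipment controllers.
SAMPLE_MODES = {"NAE-1": DUAL, "NAE-2": DUAL, "NAE-3": IP_ONLY,
                "CGE-1": SC_ONLY, "CGE-2": SC_ONLY, "CVE-1": IP_ONLY}
SAMPLE_CONTROLLERS = {"NAE-1": ["CGE-1", "CGE-2"], "NAE-2": ["CVE-1"], "NAE-3": []}
SAMPLE_PEERS = {"NAE-1": ["NAE-2"], "NAE-2": ["NAE-1", "NAE-3"], "NAE-3": ["NAE-2"]}

if __name__ == "__main__":
    ready, blocked = plan_rollout(SAMPLE_MODES, SAMPLE_CONTROLLERS, SAMPLE_PEERS)
    print("Ready for Secure Connect Only Mode:", ready)
    for engine, reasons in blocked.items():
        print(f"Blocked: {engine}: " + "; ".join(reasons))
```

In the sample, only NAE-1 can be switched: NAE-2 still has a controller and a peer engine that are not on BACnet/SC, and NAE-3 has not been set to Dual SC and IP Mode.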
What do the different BACnet/IP communication modes mean?
Modes | Definition | Supported devices |
---|---|---|
Secure Connect Only Mode | BACnet Secure Connect (BACnet/SC) is an addendum to the BACnet protocol. BACnet/SC is a secure, encrypted datalink layer for IP infrastructures. | ADS, ADX, OAS, NAE85, LCS85, M4-CGE04060-0, M4-CGE09090-0, M4-CGE09090-0H, M4-CVE03050-0P, MS-FAC4911-0, MS-VMA1930-0, SNE, SNC, and NAE55xx-3x |
Dual SC and IP Mode | Devices set to this mode can communicate through BACnet/SC to devices that support BACnet/SC and they can communicate through BACnet/IP to devices that support BACnet/IP only. |
How do I configure my BACnet/SC settings with the BACnet/SC Management feature?
Use the Settings tab of the BACnet/SC Management feature to configure key BACnet/SC settings that are automatically used by all Metasys devices, either within five minutes after you save the settings, or when the devices come online.
How do I specify the Secure Port Number?
- Open the Settings tab.
- In the Secure Port Number field, enter the secure port number. Note: Normally, the secure port number is the default port number (1443), but if the port has to be different, enter the number of the port that you want to use for secure web socket communication for BACnet/SC. This port is used by all Johnson Controls devices that are not acting as a hub for accepting a direct connection from another device. Normally, the same port number is used by the Primary Hub and by the Failover Hub, but it is not required.
- Click SAVE to distribute the settings to all devices on the site that are not overriding the global settings. Note: The distribution of the settings can take up to five minutes after you click Save. Check the SC Network Port object on any device to see if the settings have been distributed. The attributes in the SC Network Port object to check are JCI SC Primary Hub URI, JCI SC Failover Hub URI, and Secure Port Number. If these values did not get sent after waiting five minutes, you can change a different global setting that will force the values to be sent. For example, changing the Certificate Renewal Period in the Site object forces the global data to be reissued.
How do I override the global settings?
- Open the Network Port Object for the NAE or the Network Port Object Mapper object under a Field Device Mapper.
- In the Detail widget, go to the Use Site Settings attribute and set it to FALSE.
How do I specify the SC Primary Hub?
You can specify the SC Primary Hub in two ways from the BACnet/SC Management window.
- Open the Settings tab.
- In the SC Primary Hub URI field, select the required device from the list.
- Click SAVE. The port number from the Secure Port Number field is automatically appended to the host name or IP address, along with a / at the end.
- Open the Settings tab.
- Enter the host name or IP address of a device that can act as an SC Primary Hub on the site. Note: If you enter the details manually, the entry must conform to URI syntax: wss://[IP address or host name]:, optionally followed by the secure port number and /. For example: wss://10.x.xx.xxx:1443/. For third-party devices, the entry can also be followed by a path. If you include a path, you must also include a port number. For example: wss://xxx.xxx.xxx.xxx/443/hub
How do I specify the SC Failover Hub?
You can specify the SC Failover Hub in two ways from the BACnet/SC Management window.
- Open the Settings tab.
- In the SC Failover Hub URI field, select the required device from the list. Note: Your SC Failover Hub cannot be the same as your SC Primary Hub.
- Click SAVE. The port number from the Secure Port Number field is automatically appended to the host name or IP address, along with a / at the end.
- Open the Settings tab.
- Enter the host name or IP address of a device that can act as an SC Failover Hub on the site. Note: If you enter the details manually, the entry must conform to URI syntax: wss://[IP address or host name]:, optionally followed by the secure port number and /. For example: wss://10.x.xx.xxx:1443/. For third-party devices, the entry can also be followed by a path. If you include a path, you must also include a port number. For example: wss://xxx.xxx.xxx.xxx/443/hub
How can I determine the expiration status of my certificates?
Both the operational certificates and the longer-lived signing certificates can expire. You can use the information displayed on the Devices tab of the BACnet/SC Management feature to determine the status of your certificates.
For engines and field controllers you can also open the Device object or Mapper Device object and go to the Detail widget to see information about the operational certificate status.
Will I receive a reminder before my certificates expire?
How do I renew operational certificates?
All operational certificates can expire. To avoid communication disruption, you must renew operational certificates before they expire. If the CA remains the same, you renew certificates in the same way as you create initial certificates, but you do not need to configure the common site data in the Settings again. If the CA has changed, you must update the signing certificates before you renew operational certificates to avoid loss of communication between devices.
How do I renew a signing certificate?
- Complete a certificate request, as described in How do I request a certificate?
- If the site already has two different signing certificates distributed to the devices, you must delete the unused signing certificate from the devices, as described in How do I delete unused signing certificates?, because a site can have a maximum of two signing certificates only.
- After the local CA has signed the certificates, import the signing certificate, as described in How do I import a signing certificate?
Is the BACnet/SC Management feature supported on all devices?
The BACnet/SC Management feature is supported on desktop only.