BACnet/SC Management - Metasys - LIT-12012116 - Server - Metasys UI - 7.0

Johnson Controls System Configuration Tool (JCT) Help

Product name
Metasys UI
Document type
User Guide
Document number
LIT-12012116
Version
7.0
Revision date
2023-09-01

What is the BACnet/SC Management feature?

You can manage your BACnet/SC certificates and set the communication mode of your Ethernet devices with the BACnet/SC Management feature. The BACnet/SC Management feature is available in both Metasys UI and JCT. For more information about the BACnet/SC workflow, FAQs, and troubleshooting information, refer to BACnet/SC Workflow Technical Bulletin (LIT-12013959) .

Who can access the BACnet/SC Management feature?

Only administrators can access the BACnet/SC Management feature. You require the Metasys BACnet/SC license for Servers to use this feature.

How do I access the BACnet/SC Management feature?

  1. Open the User menu.
  2. Click Network Security.
  3. Click BACnet/SC Management.
  4. In the Device Connection window, enter your credentials, then tap or click LOG IN.
    Note: When the connection is made, the information about the connection is displayed left of the IMPORT OPERATIONAL CERTIFICATE(S) button. You can open the Device Connection window any time by selecting the Connected to link.

What is the layout of the BACnet/SC Management feature?

The following figure and table outline the layout of the BACnet/SC Management feature.
Figure 1. BACnet/SC Management
Table 1. BACnet/SC Management callouts
Number Name Description
1 Devices Manage all your Ethernet devices and their respective certificates from this tab. This is the default tab.
2 Actions Request certificates, import signing certificates, delete unused signing certificates, and set the BACnet/IP communication mode in the Actions menu.
3 Settings Contains basic site information, including the Secure Port Number, SC Primary Hub URI, and SC Failover Hub URI.
4 Filter Filter your list of devices by network device, model, mode, or expiration date.
5 Data columns Shows the devices listed by:
  • Icon: see What do the icons in the BACnet/SC Management feature represent?
  • Expiration Date: If the device has no operational certificate, the expiration date refers to the signing certificate, if present. Click on the expiration date to view Certificate Details.
  • Status:
    • Normal: BACnet/SC is supported and the device is online
    • Not Supported: BACnet/SC is not supported by the device
    • Offline: device is offline
    See also What does a grayed out row mean?
  • Item: name and FQR of the device
  • Model: model name of the device
    Note: JCI Family Device shows if a field controller has never communicated with the supervisory device.
  • Firmware Version
    Note: JCI Family Device shows if a field controller has never communicated with the supervisory device.
  • Mode: see What do the different BACnet/IP communication modes mean?
  • Certificate Signing Request: date of a pending Certificate Signing Request, if applicable

You can resize the columns in the column header.

6 Import Operational Certificate(s) Click this button to import operational certificates.
Note: You must first request at least one certificate in the Actions menu before you can import operational certificates. See How do I request a certificate? for more information about requesting a certificate.
7 Refresh icon Click this icon to refresh the content and see changes that result from the actions performed in the dashboard. The summary does not dynamically refresh information such as the online or offline status of devices.
8 Pagination Click on the arrows to go to another page, if applicable.

What do the icons in the BACnet/SC Management feature represent?

The icons are a visual representation of the expiration status of a certificate. The following table outlines the different icons.
Table 2. BACnet/SC Management feature icons
Icon Icon description
The device's operational certificate expires soon.
The device has only a signing certificate present and no operational certificate. The expiration date shown is for the signing certificate, if there is only one signing certificate present. If there are multiple signing certificates present, the value in the Expiration Date column shows Multiple.
The device's operational certificate is present.
The device's operational certificate expires soon, but there is a pending request for a new certificate.
An operational certificate is not available, but the device has a pending request to get an operational certificate.
The device does not support operational certificates.
The operational certificate for the device has expired.
No icon There is no operational certificate.

What does a grayed out row mean?

Devices that you cannot perform any actions on appear grayed out and you cannot select them. For example, a row is grayed out if the software version does not support BACnet/SC or if the device is offline. Move your cursor over the row to see why you cannot select the device.

What is the difference between an operational certificate and a signing certificate?

BACnet/SC requires that all devices in the BACnet/SC infrastructure have an operational certificate assigned to them to safeguard secure communication. You must request an operational certificate for all your devices to use the BACnet/SC communication mode. See How do I request a certificate? for detailed steps. When the request is completed, import the operational certificates. See How do I import operational certificates? for detailed steps. Operational certificates have an expiration period. You must renew operational certificates before they expire by requesting and importing them again.

BACnet/SC also requires that all devices have at least one signing certificate associated with it. Normally, a site uses one signing certificate, but BACnet/SC supports a second signing certificate for each device to facilitate switch-over to a different certificate. The signing certificates are used by a device to determine if it should trust the operational certificate presented to it by other devices that want to connect to it. All devices on the site have a copy of the same one or two signing certificates, so that they can mutually trust each other. The request for operational certificates automatically includes a request for a signing certificate. See How do I request a certificate? for detailed steps. When the request is completed, import the signing certificate. See How do I import a signing certificate? for detailed steps.
Note: It is best practice to import the signing certificate before the operational certificates.

How do I enable BACnet/SC for my devices on a site that supports BACnet/SC?

The general flow of events to enable BACnet/SC is as follows:
  1. Open the BACnet/SC Management feature in Metasys UI or JCT.
  2. Open the Settings tab and provide the common site data. See How do I specify the Secure Port Number?, How do I specify the SC Primary Hub?, and How do I specify the SC Failover Hub? for details.
  3. Obtain certificate signing requests from each device, as described in How do I request a certificate? and obtain signed certificates from the local CA.
  4. Import the signing certificate used for the site, as described in How do I import a signing certificate?
  5. Import the operational certificates, as described in How do I import operational certificates?
  6. Set the communication mode to BACnet/SC, as described in How do I set the BACnet/IP communication mode?
For more details on the workflow and different use cases, refer to BACnet/SC Workflow Technical Bulletin (LIT-12013959) .

How do I request a certificate?

  1. Click the Devices tab, if it is not already open.
  2. Select one or more devices that you want to request a certificate for. To see a full list of devices click FILTER > Network Device > All Devices.
    Note: You can select a maximum of 50 devices at a time.
  3. Click ACTIONS > Request Certificate(s).
  4. If you select devices that already have a Certificate Signing Request (CSR) pending, choose to overwrite or keep the existing CSR.
    Note: If you select Overwrite and proceed, you generate a new CSR, which replaces the pending CSR and invalidates any operational certificate that is based on the pending CSR. If you select Keep existing, any devices that have a pending CSR are excluded, as if they were never selected. These devices are counted in the No Action Taken results at the Confirmation stage of the request process.
  5. Complete the Request Certificates parameters and click REQUEST.
    Note: Domain Name is an optional field. You can append a domain name to the auto-generated common name. The presence of the Domain Name in the common name of the device may be required by a Public Key Infrastructure (PKI) in order for the PKI to sign the CSR. For example, if the device name is MAC00108D0B94AE and the Domain Name field is blank, the auto-generated common name in the CSR is "MAC00108D0B94AE". If you enter jci.com in the Domain Name field, the common name in the CSR is "MAC00108D0B94AE.jci.com".
  6. Click the DOWNLOAD CSR(S) button to download a .zip file that contains the CSRs. The CSRs are in a Privacy Enhanced Mail (PEM) format, each is put in their own file and all the files are zipped into a single .zip file. The .zip file is stored in the default path the browser uses, typically the Downloads folder in the users profile folder on the computer. The file name follows this format: Certificate Signing Requests_mm_dd_year_hh_mm_ss.zip.
  7. Submit the .zip file to the Certificate Authority (CA) that is responsible for signing the certificates.
    Note: There may be multiple .zip files, as one CSR covers 50 devices only.

How do I import a signing certificate?

  1. Click the Devices tab, if it is not already open.
  2. Select one or more devices that you want to import a signing certificate for.
    Note: You can select a maximum of 50 devices at a time.
  3. Click ACTIONS > Import Signing Certificate.
  4. Click Choose File and go to the .pem file that you want to import.
  5. Confirm that the file is from a trusted source and click IMPORT AND APPLY.

How do I import operational certificates?

Note: Normally, when you import a certificate to a device that already has one, the new certificate will be signed by the same CA as the old certificate and no special steps are needed. This is because the expiration time period on a CA certificate is 20 or more years. However, if the certificate to be imported has been signed by a new CA, the new CA should be distributed to every device that is using BACnet/SC on the site prior to importing any certificates signed by it. This is to prevent communication disruption between devices that will not trust the new CA. If you want to import a certificate to a device that is talking BACnet/IP, you can either put the CA down first by importing the signing certificate or just perform the import of the operational certificates, as this automatically adds the CA if it does not exist on the device yet.
To import operational certificates, complete the following steps:
  1. Click the IMPORT OPERATIONAL CERTIFICATE(S) button in the upper right of the BACnet/SC Management widget.
  2. Click Choose File and go to the .zip file that you want to import.
    Note: The .zip file can contain a maximum of 50 operational certificates. The import fails if the number of operational certificates in the .zip file exceeds 50.
  3. Confirm that the file is from a trusted source and click IMPORT AND APPLY. Certificates that pass the validation checks are then automatically assigned to the specified device.
  4. Wait about 30 seconds before you set the communication mode to Secure Connect Only Mode.

How do I delete unused signing certificates?

Important: The deletion of the optional second signing certificate on a device can cause loss of communication with other devices that have operational certificates signed by it.
  1. Click the Devices tab, if it is not already open.
  2. Select one or more devices that you want to delete an unused signing certificate from.
  3. Click ACTIONS > Delete Unused Signing Certificate (s).
  4. Click DELETE.

How do I view certificate details?

To view certificate details, click on the expiration date of device in the Expiration Date column on the Devices tab of the BACnet/SC Management feature. The Certificate Details window contains details about all certificates in that device, including the operational certificate and its immediate signing CA, and if applicable, one other signing CA in use on the site. The operational certificate of a device is nested under its immediate signing certificate.
Note: The SKID is the unique ID of a certificate.

How do I set the BACnet/IP communication mode?

  1. Wait about 30 seconds after the certificate import before you set the communication mode.
  2. Click the Devices tab, if it is not already open.
  3. Select one or more devices that you want to set the BACnet/IP communication mode for.
  4. Click ACTIONS > Set BACnet IP Communication Mode.
  5. Choose a mode for the selected devices and click APPLY.
Note: Setting the BACnet/IP communication mode can disrupt communication on your site and devices may go offline briefly. Expect some downtime when you set the BACnet/IP communication mode for your devices.
Note: It is best practice to first turn on Dual SC and IP Mode on targeted supervisory devices, then turn on Secure Connect Only Mode on equipment controllers. You can then optionally change supervisory devices to Secure Connect Only Mode if all devices that they interact with also communicate with Secure Connect Only.

Do I have to follow a particular order when setting the BACnet/IP communication mode to BACnet/SC for different devices?

  1. Click the Devices tab, if it is not already open.
  2. Select your engines.
  3. Click ACTIONS > Set BACnet IP Communication Mode.
  4. Set your engines to Dual SC and IP Mode, so that they can communicate in both modes, and click APPLY.
  5. Repeat step 1 and then select your IP equipment controllers.
  6. Click ACTIONS > Set BACnet IP Communication Mode.
  7. Set your equipment controllers to Secure Connect Only Mode and click APPLY.
  8. Repeat step 1 and select the engines that you want to set to BACnet/SC.
  9. Click ACTIONS > Set BACnet IP Communication Mode.
  10. Set the engines to Secure Connect Only Mode and click APPLY.
    Important: To turn on Secure Connect Only Mode on an engine, you must ensure that all equipment controllers that are mapped to that engine are communicating in Secure Connect Only Mode and that any other engines communicating with the engine that you want to change are in Secure Connect Only Mode or Dual SC and IP Mode.

What do the different BACnet/IP communication modes mean?

You can choose from three different BACnet/IP communication modes for your devices. The following table outlines the available modes:
Table 3. BACnet/IP communication modes
Modes Definition Supported devices
Secure Connect Only Mode BACnet Secure Connect (BACnet/SC) is an addendum to the BACnet protocol. BACnet/SC is a secure, encrypted datalink layer for IP infrastructures.

ADS, ADX, OAS, NAE85, LCS85,

M4-CGE04060-0,

M4-CGE09090-0,

M4-CGE09090-0H,

M4-CVE03050-0P,

MS-FAC4911-0,

MS-VMA1930-0,

SNE, SNC, and NAE55xx-3x

Dual SC and IP Mode Devices set to this mode can communicate through BACnet/SC to devices that support BACnet/SC and they can communicate through BACnet/IP to devices that support BACnet/IP only.

How do I configure my BACnet/SC settings with the BACnet/SC Management feature?

Use the Settings tab of the BACnet/SC Management feature to configure key BACnet/SC settings that are automatically used by all Metasys devices, either within five minutes after you save the settings, or when the devices come online.

How do I specify the Secure Port Number?

  1. Open the Settings tab.
  2. In the Secure Port Number field, enter the secure port number.
    Note: Normally, the secure port number is the default port number (1443), but if the port has to be different, enter the number of the port that you want to use for secure web socket communication for BACnet/SC. This port is used by all Johnson Controls devices that are not acting as a hub for accepting a direct connection from another device. Normally, the same port number is used by the Primary Hub and by the Failover Hub, but it is not required.
  3. Click SAVE to distribute the settings to all devices on the site that are not overriding the global settings.
    Note: The distribution of the settings can take up to five minutes after you click Save. Check the SC Network Port object on any device to see if the settings have been distributed. The attributes in the SC Network Port object to check are JCI SC Primary Hub URI, JCI SC Failover Hub URI, and Secure Port Number. If these values did not get sent after waiting five minutes, you can change a different global setting that will force the values to be sent. For example, changing the Certificate Renewal Period in the Site object forces the global data to be reissued.

How do I override the global settings?

You can override global settings for devices individually.
  1. Open the Network Port Object for the NAE or the Network Port Object Mapper object under a Field Device Mapper.
  2. In the Detail widget, go to the Use Site Settings attribute and set it to FALSE.

How do I specify the SC Primary Hub?

You can specify the SC Primary Hub in two ways from the BACnet/SC Management window.

If the SC Primary Hub is , complete the following steps:
  1. Open the Settings tab.
  2. In the SC Primary Hub URI field, select the required device from the list.
  3. Click SAVE. The port number from the Secure Port Number field is automatically appended to the host name or IP address, along with a / at the end.
If the SC Primary Hub is , complete the following steps:
  1. Open the Settings tab.
  2. Enter the host name or IP address of a device that can act as an SC Primary Hub on the site.
    Note: If you enter the details manually, the entry must conform to URI syntax: wss://[IP address or host name]:, optionally followed by the secure port number and /. For example: wss://10.x.xx.xxx:1443/. For third-party devices, the entry can also be followed by a path. If you include a path, you must also include a port number. For example: wss://xxx.xxx.xxx.xxx/443/hub

How do I specify the SC Failover Hub?

You can specify the SC Failover Hub in two ways from the BACnet/SC Management window.

If the SC Failover Hub is , complete the following steps:
  1. Open the Settings tab.
  2. In the SC Failover Hub URI field, select the required device from the list.
    Note: Your SC Failover Hub cannot be the same as your SC Primary Hub.
  3. Click SAVE. The port number from the Secure Port Number field is automatically appended to the host name or IP address, along with a / at the end.
If the SC Failover Hub is , complete the following steps:
  1. Open the Settings tab.
  2. Enter the host name or IP address of a device that can act as an SC Failover Hub on the site.
    Note: If you enter the details manually, the entry must conform to URI syntax: wss://[IP address or host name]:, optionally followed by the secure port number and /. For example: wss://10.x.xx.xxx:1443/. For third-party devices, the entry can also be followed by a path. If you include a path, you must also include a port number. For example: wss://xxx.xxx.xxx.xxx/443/hub

How can I determine the expiration status of my certificates?

Both the operational certificates and the longer-lived signing certificates can expire. You can use the information displayed on the Devices tab of the BACnet/SC Management feature to determine the status of your certificates.

For engines and field controllers you can also open the Device object or Mapper Device object and go to the Detail widget to see information about the operational certificate status.

Will I receive a reminder before my certificates expire?

Yes, you will receive certificate expiration reminders that start x days before a certificate expires for a device and then daily until you renew the certificate. The reminder takes the form of an alarm in System Activity, Alarm Manager, and Alarm Monitor. Use the Certificate Renewal Period property of the Detail widget of the Site Object to configure the launch of the reminders.
Note: A change to the setting is automatically distributed to every site device.

How do I renew operational certificates?

All operational certificates can expire. To avoid communication disruption, you must renew operational certificates before they expire. If the CA remains the same, you renew certificates in the same way as you create initial certificates, but you do not need to configure the common site data in the Settings again. If the CA has changed, you must update the signing certificates before you renew operational certificates to avoid loss of communication between devices.

How do I renew a signing certificate?

Important: To avoid disruption in communication, all devices on the site should have the new signing certificate added to them before any devices have their operational certificates updated and signed by the new signing certificate.
  1. Complete a certificate request, as described in How do I request a certificate?
  2. If the site already has two different signing certificates distributed to the devices, you must delete the unused signing certificate from the devices, as described in How do I delete unused signing certificates?, because a site can have a maximum of two signing certificates only.
  3. After the local CA signed the certificates, import the signing certificate, as described in How do I import a signing certificate?
When the new signing certificate is on all devices, you can import new operational certificates that were signed by the new signing certificate.

Is the BACnet/SC Management feature supported on all devices?

The BACnet/SC Management feature is supported on desktop only.