Certificate Management - Metasys - LIT-12011964 - MS-SCTRMOT-0 - MS-SCTSWO-0 - MS-SCTSWO-6 - Bulb controller - Metasys System Configuration Tool - 13.2

Metasys SCT: System Configuration Tool Help

Product
Building Automation Systems > Building Automation Systems > Metasys System Configuration Tool
Document type
User Guide
Document number
LIT-12011964
Version
13.2
Revision date
21/01/2020

Certificate Management is an option in SCT that you use to manage trusted certificates that are stored in network engines. Enhancements at Metasys Release 8.1 provided for improved security by enabling encrypted communication between Metasys servers and network engines. These enhancements included the option to configure encrypted and trusted communication for the SCT, Metasys servers (ADS/ADX/OAS/ODS), all network engines, Metasys UI, and Launcher. Then, starting at Release 9.0, encrypted and trusted communication is available between the Metasys server and network engines. The Site Security Level attribute in the Site object controls this capability. For details, refer to the ADS/ADX Commissioning Guide (LIT-1201645) .

When you install or upgrade a Metasys site to Release 8.1 or later, self-signed certificates are installed for the ADS/ADX/OAS/ODS and network engines by default. Self-signed certificates for network engines have three-year durations; for Metasys servers, certificates are valid until the year 2039. Once devices are installed or upgraded, Metasys system communication is encrypted. If a customer is satisfied with encrypted communications, no Certificate Management steps are required. System components come online and communicate as they would at any Metasys software release.

Optionally, if trusted communications is desired, the customer's IT department can generate trusted certificates or obtain trusted certificates from a Certificate Authority (CA) for the Metasys server and network engines. You use IIS Manager in the operating system to manage trusted certificates for the Metasys server. You use the Certificate Management option in SCT to manage trusted certificates for network engines. Trusted certificates that contain wildcards (for example, *.jci.com) are not permitted for the Metasys server and network engines.

Note: If you are implementing certificate management on an existing Metasys system, keep in mind that adding a trusted certificate may require you to add a domain name to the original host name of a server or engine. This action requires you to rename all data in the Metasys historical databases. You can perform the renaming operation within SCT, but be aware that this procedure requires intensive database operations that significantly prolong a system upgrade. Therefore, be sure to allocate extra time if you are renaming historical data as part of an upgrade to Metasys Release 9.0. For details about renaming a network engine, refer to the Download section in Metasys® SCT Help (LIT-12011964) .

The connection status currently active on the computer is indicated by a security shield icon that appears on the Metasys SMP and SCT login windows, and SMP and SCT UI main screens. If the site or engine is using trusted certificates, a green shield icon with a checkmark appears. If the site or engine is using self-signed certificates, an orange shield icon with an exclamation mark appears. And finally, if the certificate chain to the site or engine is broken, the certificate is misnamed, or the certificate has expired, a red shield icon with an X appears. The Metasys UI login screen does not indicate the active connection status.

To help you remember when server certificates installed on network engines expire, the Site object has an attribute called Certificate Renewal Reminder. This attribute regulates when certificate expiration reminders begin. It specifies the number of days prior to security certificate expiration before operators are notified daily that an engine certificate is about to expire. For example, if you use the default period of 60 days, and a server certificate on a network engine expires on January 1, beginning on November 1, an event requiring acknowledgment is sent to operators once a day or until the self-signed certificate is renewed or a new trusted certificate is installed.

The sections that follow describe how to manage security certificates for network engines with SCT 12.0 and later, including how to request, upload, and download certificates. You also use Certificate Management to add each Metasys server certificate so that SCT can push the server's root certificate to network engines. Without the root certificate, network engine communication to the Metasys server works, but it is untrusted. For setting up root, intermediate, and server certificates on a Metasys server (ADS, ADX, ODS, or NxE85), refer to the appropriate document: Metasys® Server Installation and Upgrade Instructions (LIT-12012162) , ODS Installation and Upgrade Instructions (LIT-12011945) , or NxE85 Installation and Upgrade Instructions (LIT-12011530) .

From Metasys Release 10.1, network engines require additional security certificates to be stored locally on the devices. This includes SCT’s root CA certificate. Network engines require the certificates to maintain an Encrypted and Trusted status for communication. Therefore, from Metasys Release 10.1, when you include certificates in a download, all of the certificates stored in the SCT archive are transferred to a network engine. After you complete the download, in the Devices tab of Certificate Management, the additional certificates are listed in the Details section for a network engine.

Note: If you remove a certificate from an SCT archive, and then include certificates in an upload from a device that has a copy of the deleted certificate, the certificate is restored in the SCT archive. To permanently delete a certificate, remove it from the SCT archive and then perform a download to all devices with certificates included.

Figure 1 shows an example of the Certificate Management window in SCT. Open it by clicking Tools > Certificate Management. The window has a Certificates tab that includes details about each certificate in the archive. From this window, you can request, export, or delete a certificate. You can also replace an existing certificate with a self-signed certificate.

Figure 1. Certificate Management Main Screen

The following table explains each column in the Certificates window. Click inside a column header to sort the column.

Table 1. Description of Certificates Table
Column Name Description

Status

A security shield icon that indicates the connection status afforded by the certificate.

Green shield with tick icon: encrypted and trusted

Orange shield with exclamation mark icon: encrypted and self-signed

Red shield with cross icon: encrypted, but either the certificate chain to the site or engine is broken, the certificate has a name mismatch, or the certificate has expired.

Checkbox Icon

A check box to select the device that you want to work with.

Issued To

The name of the device to which the certificate is issued.

Type

The type of certificate: root, intermediate, or server.

Device

The device to which the certificate is bound (single or multiple for intermediate and root certificates).

Expiration

The date on which the certificate expires. The certificate management tool highlights all certificates that will expire within the number of days specified by the Certificate Renewal Period attribute of the Site object (or have already expired). Also, the Certificate Renewal Period attribute in the Site object controls when certificate expiration reminders begin. It specifies the number of days prior to security certificate expiration before the operator is notified daily that a certificate is about to expire. This attribute is synchronized to all child devices. Certificate Renewal Period applies only to devices at Release 8.1 or later.

Details

A clickable arrow that opens an expanded panel with more detailed information about the certificate.