The features on this page require a GENESIS64 Advanced license and are not available with GENESIS64 Basic SCADA.
To enable BACnet Secure Connect (BACnet/SC) communication, the following settings have to be made:
- Port Settings:
  - Channel Type: BACnet/SC
- BACnet/SC Settings:
  - Primary Hub URI: wss://172.16.0.110:47908/hfc
    This is the address of the secured WebSocket endpoint that is waiting for connections.
  - Operations Certificate: <thumbprint of generated certificate>
  - CA Certificates: <one or more thumbprints of CA certificates>
Note: The thumbprints are inserted when you select certificates from the offered lists.
The wanted certificates will not always appear in these lists, because they may have been installed in a different certificate store folder than the one the lists show.
In that case, the thumbprints can be entered as a string instead (copy & paste).
A valid Operational Certificate, issued by a CA (Certification Authority) whose certificate is also available, is needed.
The implementation uses the Windows Certificate Store. Thus, if you generate certificates or receive them from a customer as files, they must be "installed" into the Windows Certificate Store. This is typically done by double-clicking the certificate file; it is then installed using the following button:
Important note:
The certificate's thumbprint can be seen on the second tab of the dialog. It can be copied from there and pasted into the configuration page.
The thumbprint is used to search the Certificate Store for the certificate. Thus, the certificate MUST be installed before it is used.
BACnet/SC requires a Private Key in P8 format to be passed unencrypted to the BACnAPI stack.
The certificate store is used again to keep this sensitive information. To install the certificate together with its private key, a PFX file is used: a "Personal Information Exchange" file in PKCS #12 format.
This file must contain an exportable private key, and the following checkbox must be checked to allow BACnet Point Manager to get the Private Key from the certificate.
The highlighted password is the one that was used when the key file was generated.
There are several ways to obtain certificates and their keys.
One of them is to use self-signed certificates. This means that the other site generates the certificates using its own CA (Certification Authority) and provides us with the following:
- CA Certificate
- Operational Certificate
- Private Key file
Then it is necessary to:
- Use the CA Certificate as it is
- Create a PFX file from the Operational Certificate and the Private Key file
"OpenSSL" (https://www.openssl.org/) is used for this. It is an open-source toolkit for the SSL/TLS protocols and a general-purpose cryptography library.
The package can be downloaded here: https://wiki.openssl.org/index.php/Binaries
It contains the "openssl" command-line utility that can be used for certificate operations.
We use the following commands in a batch file. The result of the batch is a CA certificate and an Operational Certificate (with its private key in a PFX file) that can be installed into the Windows Certificate Store.
They can then be used in the BACnet/SC configuration.
::Create a private key for the CA certificate (-des3 encrypts it; you are prompted for a passphrase)
openssl genrsa -des3 -out ca.key 2048
::Create the self-signed CA certificate (valid 10 years; you are prompted for the subject fields)
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
::Create a private key for the Operational Certificate
openssl genrsa -out Operational.key 2048
::Create a certificate request for the Operational Certificate
openssl req -new -out Operational.csr -key Operational.key
::Sign the Operational Certificate with the CA certificate (the CA key passphrase is requested)
openssl x509 -req -in Operational.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out Operational.crt -days 3650
::Create the .pfx (PKCS #12) file from the certificate and key; the export password you enter here
::is the password requested later when the PFX is installed into the Windows Certificate Store
openssl pkcs12 -export -out Operational.pfx -inkey Operational.key -in Operational.crt
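The following PowerShell script is an added example, not part of the original page or the GENESIS64 product: it installs the CA certificate and the PFX produced by the batch file into the local machine store with an exportable private key, verifies that the Operational Certificate actually has a private key and chains to that CA, and prints the two thumbprints to paste into the BACnet/SC settings. The file paths are assumptions matching the batch file's output names.

```powershell
# Assumed inputs: the ca.crt and Operational.pfx written by the batch file above (adjust as needed).
param(
    [string]$PfxPath = ".\Operational.pfx",
    [string]$CaPath  = ".\ca.crt"
)
# The PFX export password entered in the "openssl pkcs12 -export" step.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX export password"

# Install the CA certificate into the machine Trusted Root store so the chain can be validated.
$ca = Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root

# Import the Operational Certificate with its private key, marked exportable:
# BACnet Point Manager reads the unencrypted private key out of the store.
$op = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password $pfxPassword -Exportable

# Check 1: the private key really came along with the certificate.
if (-not $op.HasPrivateKey) { throw "Operational certificate has no private key" }

# Check 2: the certificate chains to the CA we just installed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a private CA typically publishes no CRL
if (-not $chain.Build($op)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Operational certificate does not chain to a trusted CA: $status"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) { throw "Chain ends at a different root than $CaPath" }

# Thumbprints as plain strings (no spaces) for the configuration page.
"Operations Certificate: $($op.Thumbprint)"
"CA Certificates:        $($ca.Thumbprint)"
```

Run it from an elevated PowerShell session, since writing to the LocalMachine stores requires administrator rights.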