Crestron 3 Series Скачать руководство пользователя страница 24

Страница: 24 / 68

•

3-Series Control Systems

Reference Guide – DOC. 7150B

Certificate Management

Security certificates for 802.1X and other security protocols can be added,

removed, and managed from the console.
The control system supports five types of certificates:

•

Root: The Root certificate is used by the control system to validate the

network's authentication server. 3-Series control systems have a variety

of Root certificates, self-signed by trusted CAs (Certificate Authorities),

that are preloaded into the device. Root certificates must be self-signed.

•

Intermediate: The Intermediate store holds non self-signed certificates

that are used to validate the authentication server. These certificates are

provided by the network administrator if the network does not use

self-signed Root certificates.

•

Machine: The machine certificate is an encrypted PFX file that is used by

the authentication server to validate the identity of the control system.

The machine certificate will be provided by the network administrator,

along with the certificate password.

NOTE:

Only one machine certificate may be stored on the control system

for 802.1X.

•

WebSocket: A WebSocket certificate is used to validate the network’s

authentication server via the WebSocket (WSS) protocol.

•

User: The User store holds additional certificates not used in the 802.1X

standard.

Certificates can also be managed using the Security Certificates function in

Crestron Toolbox. For more information, refer to the Crestron Toolbox help file.

Certificate Requirements

3-Series control systems support all standard X.509v3 certificates that use the

following:

•

RSA key with length 2048, 3072, or 4096 bits

•

Hash Algorithms using SHA-1, SHA-256, SHA-384, or SHA-512

Содержание 3 Series

Страница 1: ...3 Series Control Systems Reference Guide Crestron Electronics Inc ...

Страница 2: ... that cover Crestron products are listed at www crestron com legal patents Certain Crestron products contain open source software For specific information visit www crestron com legal open source software Crestron the Crestron logo 3 Series 3 Series Control System Crestron Studio Crestron Toolbox Crestron XiO Cloud SIMPL and VT Pro e are either trademarks or registered trademarks of Crestron Elect...

Страница 3: ...TCP IP Connection 8 Time and Date Settings 9 Authentication 10 Enable Authentication 10 User and Group Management 10 User Group Rights 13 Password Management 14 Login Behavior 15 Session Timeout Functions 17 Blocked User Functions 18 Blocked IP Address Functions 18 Certificate Management 20 Certificate Requirements 20 Add a Certificate 21 TLS SSL 21 Server Certificates 22 802 1X 26 Firmware Update...

Страница 4: ... IP Table Configuration 37 Run Multiple Programs 40 Run Programs from External Storage 41 Master Slave Mode 42 Definitions 42 Master Slave Configuration 43 Functional Behavior 45 Auto Update Mechanism 46 Configure the Auto Update Mechanism 46 Manifest File 47 Results File 55 Error Handling 57 Connect to Crestron XiO Cloud Service 58 Claim a Single Device 58 Claim Multiple Devices 59 Appendix A Res...

Страница 5: ... range of features including Scalable hardware that supports a broad range of space types and architectures One system running multiple programs SNMP and BACnet IP support to seamlessly communicate and integrate with IT HVAC BMS and security systems Crestron XiO Cloud service connected Full network security protocols including 802 1X AES and Active Directory service For more information on Crestro...

Страница 6: ...Crestron Toolbox software SIMPL Debugger SIMPL Windows SIMPL Sharp Pro VT Pro e software All tools and utilities may be downloaded from www crestron com Support For more information on the features and functions of each tool refer to its embedded help file NOTE Access to software downloads and other files is reserved for Authorized Crestron dealers Crestron Service Providers CSPs and Crestron part...

Страница 7: ...iables that are retained after the loss of electrical power while volatile memory is lost Flash Memory Flash memory for a 3 Series control system contains the following components Operating system puf file SIMPL and SIMPL Sharp Pro programs SIMPL programming modules The files that reside in flash memory confirm to a flat directory structure The following table details the overall file system 3 Ser...

Страница 8: ...b pages are stored in external memory the pages reside in the RM 2 HTML directory Storing programs and web pages in external memory gives them precedence over files stored in internal flash memory For example if different programs are stored in both internal flash and external memory the program in external memory will run when the system is booted SDRAM Volatile Volatile SDRAM is used by the oper...

Страница 9: ...le tool in Crestron Toolbox via one of the supported communication protocols Console commands are grouped logically Issuing the help command from the console responds with various command categories Issuing the help all command responds with a list of all exposed console commands for the device The same command may be listed in more than one category Commands are case insensitive and can be entere...

Страница 10: ...tem USB communication with a PC via the COMPUTER port on the control system requires Crestron Toolbox software Ethernet communication via SSH or SSL TLS USB Connection To connect to the control system via USB 1 Connect the COMPUTER USB port of the control system to the USB port of a computer with a USB A to B cable 2 Open Crestron Toolbox software 3 Click the pencil icon at the bottom left of any ...

Страница 11: ...stron device The serial number is a seven digit number not beginning with 60 or 65 that may contain letters The serial number is printed on a sticker affixed to the device 6 Enter the following advanced authentication parameters for the device if required Username Enter the username required to authenticate device communications Password Enter the password required to authenticate device communica...

Страница 12: ... system as described in USB Connection on page 6 5 Issue the following commands DHCP 0 OFF Turns off DHCP so that manually configured network information is used IPADDRESS 0 xxx xxx xxx xxx Sets the IP address of the control system to the specific address where xxx xxx xxx xxx is the four octets that comprise the IP address IPMASK 0 xxx xxx xxx xxx Sets the IP mask of the control system to the spe...

Страница 13: ...ne Syntax timezone LIST zone o For zone enter the three digit code for the time zone o Use the LIST parameter to print a list of all time zones and their codes in the console Example timezone 014 3 Issue the SNTP START command to synchronize the internal clock with an SNTP server Syntax SNTP START SERVER address PERIOD time o For SERVER enter the address in dot decimal notation of the SNTP server ...

Страница 14: ...dministrator account The control system cannot be accessed without this information after an administrator account has been created 3 Issue the reboot command to reboot the device with the new authentication settings After rebooting the control system will prompt for the administrator account username and password before a connection is allowed Authentication settings can also be configured using ...

Страница 15: ...hen a local user is removed the user is also removed from any local groups Add Local Group To add a local group to the control system issue the ADDGROUP command Syntax ADDGROUP N groupname L accesslevel o N Specifies the name of the local group that will be created o L Specifies the access level for the local group A Administrator P Programmer O Operator U User C Connection only Example ADDGROUP N...

Страница 16: ...e access level for the Active Directory group A Administrator P Programmer O Operator U User C Connection only Example ADDDOMAINGROUP N ADProgs L P NOTE The control system cannot create or remove a group from the Active Directory service but it can grant an access level to an existing Active Directory group All users of the Active Directory group inherit the access level set for the group Certain ...

Страница 17: ...ve Directory user from a local group issue the REMOVEUSERFROMGROUP command Syntax REMOVEUSERFROMGROUP N username G groupname o N Specifies the name of the local or Active Directory user o G Specifies the name of the local group Example REMOVEUSERFROMGROUP N jsmith1 G CresProgs User Group Rights The control system architecture supports multiple user groups either locally or from the Active Director...

Страница 18: ...ystem issue the SETPASSWORDRULE command Syntax SETPASSWORDRULE ALL NONE LENGTH minPasswordLength MIXED DIGIT SPECIAL o ALL All password rules are applied o NONE No password rules are applied o LENGTH Specifies the minimum password length By default the minimum password length is six characters o MIXED Specifies that the password must contain a lower and upper case character o DIGIT Specifies that ...

Страница 19: ... a user fails to authenticate against console within the maximum attempts allowed the transport protocol used to attempt the connection is blocked For USB transport the transport is blocked for 5 seconds after the maximum logon attempt is reached If the user tries again after 5 seconds and continues to fail the block time is doubled The block time continues to be doubled until a successful logon o...

Страница 20: ...gin csusers jsmith1 Password PRO3 After an administrator adds an Active Directory user or group to the control system the name and SID of the user or group is stored in the control system When an Active Directory user attempts to authenticate against the console the console in turn uses the user credentials to authenticate against the Active Directory service If the Active Directory authentication...

Страница 21: ...ets the idle time limit Change Session Timeout Duration To change the duration for the logon session timeout issue the SETLOGOFFIDLETIME command Syntax SETLOGOFFIDLETIME minutes o minutes The duration in minutes that must elapse before the console logs off an idle user Entering 0 disables the user from being logged off automatically The default value is infinite o No parameter Displays the current...

Страница 22: ...sue the REMBLOCKEDUser command Syntax REMBLOCKEDUser name o name Enter the user account that will be removed from the blocked list o No parameter Lists all blocked user accounts Example REMBLOCKEDUser jsmith1 Blocked IP Address Functions When a user reaches the maximum number of login attempts over an Ethernet connection the client s IP address is blocked Change Lock out Time To change the duratio...

Страница 23: ...address that will be blocked o No parameter Lists all blocked IP addresses Example ADDBLOCKEDip 255 255 255 255 Remove IP Address from Blocked List To remove an IP address from the blocked list manually issue the REMBLOCKEDip command Syntax REMBLOCKEDip ipaddress o ipaddress Enter the IP address that will be removed from the blocked list o No parameter Lists all blocked IP addresses Example REMBLO...

Страница 24: ...ot use self signed Root certificates Machine The machine certificate is an encrypted PFX file that is used by the authentication server to validate the identity of the control system The machine certificate will be provided by the network administrator along with the certificate password NOTE Only one machine certificate may be stored on the control system for 802 1X WebSocket A WebSocket certific...

Страница 25: ... Sockets Layer SSL TLS SSL is a protocol that provides a secure channel for communication between two machines The secure channel is transparent and passes data through unchanged The data is encrypted between the client and the server but the data the one end writes is exactly what the other end reads NOTE 3 Series control systems only support TLS SSL over TCP IP TLS SSL is set to off by default a...

Страница 26: ...e to authenticate various control system components including the web server One of the following three server side certificate types may be used A self signed certificate that is generated by the control system A CA Certificate Authority signed certificate and signing chain that are loaded onto the control system An externally requested and signed certificate signing chain and private key that ar...

Страница 27: ...ertificate request is rejected E Email address By default a certificate request for a certificate with a 2048 bit RSA signature is requested The CSR request csr file is saved automatically to the Sys directory of the control system Obtain the Certificate The exact procedures required to obtain a CA signed certificate differ depending on the CA but in all cases it is necessary to submit the request...

Страница 28: ...control system via SSH or Crestron Toolbox 4 Issue the delete Sys rootCA_cert cer and delete Sys srv_cert cer commands to delete any existing certificate files 5 Issue the move User rootCA_cert cer Sys and move User srv_cert cer Sys commands to move the new certificate files to the Sys directory Enable TLS SSL with the CA Signed Certificate To enable TLS SSL with the CA signed certificate 1 Issue ...

Страница 29: ...l system 3 Connect to the control system via SSH or Crestron Toolbox 4 Issue the delete Sys rootCA_cert cer delete Sys srv_cert cer and delete Sys srv_key pem commands to delete any existing certificate files 5 Issue the move User rootCA_cert cer Sys move User srv_cert cer Sys and move User srv_key pem Sys commands to move the new certificate files to the Sys directory Enable TLS SSL with the Exte...

Страница 30: ...n should be enabled for most applications 3 Issue the 8021XMEThod password certificate command to select the secure password method or the certificate method depending on the network administrator s requirement 4 If the certificate method was selected issue the CERTIFicate ADD MACHINE Certificate_Name Certificate_UID Password command to add the machine certificate supplied by the network administr...

Страница 31: ...icates the network administrator will provide a certificate that must be uploaded to the control system manually using the CERTIFicate ADD Certificate_Store Certificate_Name Certificate_UID command If the certificate is self signed enter ROOT for Certificate_Store If the certificate is not self signed enter INTERMEDIATE for Certificate_Store 7 If required issue the 8021XDOMain Domain Name command ...

Страница 32: ...e to https www crestron com register To perform a firmware update 1 Download the latest device firmware puf file at www crestron com Support 2 Use an SFTP client to transfer the firmware puf file to the control system s firmware directory 3 Issue the PUF filename command in the control system console where filename is the complete filename of the puf file NOTE Firmware updates can be scheduled usi...

Страница 33: ...following about the PLOG If a soft reboot is performed any pending messages are written to the latest log file and zipped into one file On reboot the zipped file at Sys Plog CurrentBoot is moved to Sys Plog PreviousBoot During subsequent reboots the zipped file from Sys Plog PreviousBoot is moved to SYS Plog ZippedLogs for storage The control system logs errors as long as there are not over 250 me...

Страница 34: ...g as expected Fatal An event has occurred that prevents the program from running Message Format Each error message has the following format Level Message Level The message level Message A description of the message Some error messages have a suffix with additional information in parenthesis Level Application App Date Time Message Example Info TLDM exe 2019 02 07 11 58 45 Router got Connected When ...

Страница 35: ...ded error level and above The default setting is Notice OK Info Notice Warning Error Fatal o A Appends the contents of the audit log to the system log NOTE Audit logging must be turned on to use this feature For more information refer to Audit Logging on page 32 o I address Sets the remote server IP address for the system log in dot decimal notation or as an ASCII string containing the server host...

Страница 36: ...to log commands by access level ADMIN Logs administrator level commands PROG Logs programmer level commands OPER Logs operator level commands USER Logs user level commands ALL Logs all commands NONE Logs no commands o REMOTESYSLOG Writes to the remote syslog server only Example AUDITLogging ON ADMIN OPER Example log output 2018 11 30T07 02 44 08 00 EVENT COMMAND SHELL 172 30 255 255 USER admin AUD...

Страница 37: ...n mode by issuing the isolatenetworks ON command Devices on the Control Subnet do not have any resources on the LAN side For example if a touch screen with a SmartObjects technology object requiring network access is installed on the Control Subnet operating in isolation mode the object will not work Devices on the LAN do not have access to any devices on the Control Subnet Crestron Toolbox also d...

Страница 38: ...strator account The password must be at least six characters CAUTION Do not lose the username and password for the administrator account The control system cannot be accessed without this information after an administrator account has been created 3 Issue the reboot command to reboot the device with the new authentication settings 4 Create other users and assign them to groups as needed For more i...

Страница 39: ...ion on how these components work together Public LAN Control Subnet Diagram The firewall rules permit entry to only the traffic that is listened to by the CPU As a result a port scan will only show ports that are listened to by the CPU Users can set up manual port forwarding rules to make custom connections to the devices on the Control Subnet For more information refer to Appendix B Port Forwardi...

Страница 40: ...lowed All outbound traffic is allowed Inbound from LAN User defined User defined Allows manual port forwarding to devices on Control Subnet Firewall Rules in Isolation Mode Under normal operating procedures the firewall on the control system router behaves as follows Control System Firewall Rules Isolation Mode DIRECTION PORT S RULE DESCRIPTION Inbound from LAN 20 21 To CPU FTP if enabled Inbound ...

Страница 41: ... control system IP Table Configuration Programs running on the control system that use Ethernet to communicate between the control system and network enabled devices require an IP table The IP table allows the control system to identify and communicate with Ethernet equipment on an IP network Each controlled Ethernet device has an IP table which is also known as a master list The master list speci...

Страница 42: ...ame D device_id C cipport P program U RoomId o cipid The ID of the CIP node in hexadecimal format o ip_address name The IP address in dot decimal notation or the name of the site for DNS lookup o D device_id The device ID in the device redirection table in hex must be less than 256 o C cipport The CIP port number for the connection must be greater than 256 o P program The program number on the con...

Страница 43: ... greater than 256 o P program The program number on the control system that uses the device default is 1 o U RoomId The room ID used for communication with a Crestron Virutal Control server max length is 32 characters valid values are A Z and 0 9 Example REMPEER 13 255 255 255 255 D 134 C 458 P 3 U AVF469 Load IP Table To load a program specific DIP file from removable media to the Sys directory o...

Страница 44: ...hen programs are started and stopped individually For example if the programmer stops all programs and restarts Program 10 before Program 1 Program 10 registers the device first There are exceptions to this rule as some devices slots and ports can be registered by multiple programs Refer to the following table to determine whether a particular control system slot or port is exclusive can only be r...

Страница 45: ... with external storage ports On system boot or a hardware reset the control system checks for any programs in external memory if installed before checking in internal flash To configure running programs from external storage use the Compact Flash function in Crestron Toolbox For more information refer to the Crestron Toolbox help file ...

Страница 46: ...s between control systems over Ethernet For more information refer to the SIMPL Windows or SIMPL Sharp Pro help files Definitions Depending on the control system s communications capabilities a control system may function as a Cresnet master an Ethernet master or an Ethernet slave NOTE A 3 Series control system cannot be slaved to a 2 Series control system Cresnet Master When the control system is...

Страница 47: ...ation or the name of the site for DNS lookup Example ADDMASTER 1E PRO3 IH Remove Master Entry To remove a master entry from the IP table use the REMMASTER command Syntax REMMASTER cipid ip_address name o cipid The ID of the CIP node in hexadecimal format o ip_address name The IP address in dot decimal notation or the name of the site for DNS lookup Example REMMASTER 1E PRO3 IH View Master IP Table...

Страница 48: ... For example if the count is set to 6 the slave would revert back to normal roughly a minute after the first response rejection This command can be used in a scenario where a particular IP address is active but does not have a program that listens to that ID Slave Connection Timeout To set the default timeout setting for slave connection use the ETHSLVCONNTIMEOUT command Syntax ETHSLVCONNTIMEOUT T...

Страница 49: ...rating mode The following behavior is dependent on whether a master IP table entry exists when booting the system No master IP table entry is present when booting the system o Adding a master IP table entry enables the slave to start connecting to the master Once the slave is connected all user programs stop executing and the device enters into slave mode o Stopping the program on the master does ...

Страница 50: ...e AUENABLE ON command 2 Issue the AUMANIFESTURL URL command to set the URL for the remote manifest file where URL is the URL of the manifest file in the following format http or ftp username password hostname or ip port path file 3 Issue the AUPOLLINTERVAL INTERVAL_IN_MINUTES command to set how often the control system polls the update server for updates NOTE Control systems round up to the neares...

Страница 51: ...t Parameters The control system uses the following top level parameters to determine which associated actions apply to it in order to initiate the auto update mechanism At least one of these parameters must be defined and they may contain wildcards for partial matching A control system matches all specific values before taking the associated action NOTE All keywords are case insensitive Controller...

Страница 52: ...d by a colon Examples A control system with an Ethernet to Cresnet bridge at IP ID 03 that contains an EX gateway on Cresnet leg 1 at ID A0 with a dim switch at RFID 04 would have a path of E03 C1 A0 R and a device ID property of 04 An EX gateway located on Ethernet at ID 05 has a path of E and a device ID of 05 The following top level parameter is optional and is not necessary to complete the aut...

Страница 53: ...update file puf or zip project Standard VTZ project file config Text file containing a list of console commands to be executed UserProgram Indicates a user program Description of Manifest Parameters ControllerHostName This parameter indicates the hostname of the control system The controller must support wildcard characters and where matches x number of characters and matches exactly one character...

Страница 54: ...control system a combination of deviceId and deviceModel indicates what device needs to get updated The deviceModel always needs to be specified since this parameter indicates the class of device and the corresponding plugin that handles the update If deviceId is set to any all devices of the type specified by deviceModel will be updated DeviceId Multiple devices that share the same type are often...

Страница 55: ...me is not defined then the device to be updated is connected to the controller Cresnet device internal gateway o If the deviceHostname is then all devices will be updated as defined by the deviceModel parameter in one of the following three ways All gateways will be updated All specific devices connected to internal external gateways will be updated All Cresnet devices of a specified type connecte...

Страница 56: ...deviceHostname Room101 panel deviceModel TSW 760 deviceId QA controlSystemHostname 192 186 1 1 logFolder sftp xxabet xx2 html Office TouchPanel results fileToUpdate fileUrl sftp xxabet xx2 html Office TouchPanel xx puf fileHashUrl sftp xxabet xx2 html Office TouchPanel firmwareHash txt fileType firmware whenToDownload Friday 23 00 whenToApplyUpdate now deviceHostname Room101 panel deviceModel TSW ...

Страница 57: ...t fileType firmware whenToDownload Sunday 2 00 ControllerHostName Crestron PRO3 deviceHostname Crestron EXGateway deviceId 10 deviceModel CLW LDIMEX logFolder sftp xxabet xx2 html Office PRO3 results fileToUpdate fileUrl sftp xxabet xx2 html Office PRO3 CLWFirmware zip fileHashUrl sftp xxabet xx2 html Office PRO3 CLWHash txt fileType firmware whenToDownload Sunday 2 00 ControllerHostName Crestron ...

Страница 58: ...e If not the control system skips to step 8 4 The control system downloads the hash file associated with the given action If the hash file matches the hash cached on the control system the control system skips to step 8 5 The control system downloads the update file 6 The control system applies the update file as directed Retries are defined in the Error Handling section starting on page 57 7 The ...

Страница 59: ...es the results files If any locations are inaccessible to the control system for example a downed server then failure results are recorded in the client s error log If the results location is accessible a failure result is indicated in the results file and is uploaded to the results location Description of Results File Parameters Use the following parameters inside the result files to identify the...

Страница 60: ...ctions A sequence of sub action results that are associated with the main action taken by the client o command The console command executed by the client o commandResult The result text returned to the console when executing a console command Sample Results File The following is an example of a results file for a 3 Series Control System PRO3 puf file automatic update ControllerHostName Crestron PR...

Страница 61: ...ame on the next polling interval Cannot connect to the server device The client cannot connect to the server or the device o Check that the server or the device is currently accessible and then retry connecting to the server or the device on the next polling interval A control system can handle errors in different ways depending on the component being updated and the dependencies between the compo...

Страница 62: ...re they may be managed by the service Devices may be claimed individually or as a group For information on creating environments managing devices and managing users with the Crestron XiO Cloud service refer to the Crestron XiO Cloud User Guide Doc 8214 Claim a Single Device To claim a single device 1 Record the MAC address and serial number of the device The MAC address and serial number are label...

Страница 63: ...twork that has access to the Internet wait 15 minutes and then try again 6 Click X to close the dialog box The hostname of the claimed device is displayed in the device tree under the group Unassociated Devices Unassociated Devices The device may now be managed and assigned to a group Claim Multiple Devices To claim multiple devices 1 Record the MAC address and serial number of each device as a co...

Страница 64: ...name For example if adding a custom device name to the first example above the formatting would be 00 10 73 8b 81 b6 17284712 custom device name 2 Save the CSV file to a location that may be accessed by the computer used to access the Crestron XiO Cloud service 3 In the Crestron XiO Cloud service click the ENVIRONMENT menu button to display a drop down menu Environment Drop Down Menu 4 Click Claim...

Страница 65: ...s of each device is displayed NOTE If an error message is displayed stating that a device does not exist connect that device to a network that has access to the Internet wait 15 minutes and then try again 7 Click X to close the dialog box The hostnames of the claimed devices appear in the device tree under the group Unassociated Devices Unassociated Devices The devices may now be managed and assig...

Страница 66: ...estron Toolbox via USB USB is the only valid connection type to recover a control system 5 Once the device has been discovered use the Text Console tool in Crestron Toolbox to check for a prompt The standard device prompt should display NOTE Repeat steps 1 5 if the first attempt does not correct the issue If the control system is still unresponsive contact Crestron technical support for assistance...

Страница 67: ...outer Setup Page Example Use external port numbers that are not commonly used The actual number is not important it simply must match the entry in the mobile app configuration Note the exception on the policy file support If the XPanel web browser is used open port 843 under External Port Open ports that are required only For example if mobile applications or XPanel applications are used open only...

Страница 68: ...Crestron Electronics Inc Reference Guide DOC 7150B 15 Volvo Drive Rockleigh NJ 07647 2029865 Tel 888 CRESTRON 05 19 Fax 201 767 7576 Specifications subject to www crestron com change without notice ...

Результаты поиска

Содержание 3 Series

Отзывы:

Бренды по названию

Популярные бренды

Crestron 3 Series, Справочное руководство

Результаты поиска

Содержание 3 Series

Отзывы:

Бренды по названию

Популярные бренды