Page tree
Skip to end of metadata
Go to start of metadata

You can optionally enhance the security of your SmartServer using the built-in signed security certificate, or by providing your own custom signed security certificate.  You can also change, recover, and reset passwords.

There is also a video on the SmartServer IoT Training Videos page that describes the tabs of the Configuration UI for the SmartServer IoT.  Click here for the Configuration UI Tour video.

This section consists of the following:

Enhancing Security

You can install the SmartServer IoT in a private network, with or without an internet connection.  You can also install the SmartServer in the DMZ of an IP router or connect it directly to the Internet.  To prevent exposure to malicious attacks, you can also install the SmartServer on a VPN.   You can secure the communication between any web browser clients and the SmartServer using certificates.  Certificates use a public and private key pair to encrypt communication from a web browser to the SmartServer.  Certificates may be self-signed or signed.  Self-signed certificates are signed and validated by the SmartServer.  Self-signed certificates provide encryption, but they do not authenticate that you are communicating with the SmartServer you intended to communicate with.  You can authenticate the SmartServer by using a signed certificate where the certificate is validated by an external certificate authority.  When using a signed certificate, you can use a signed certificate included with the SmartServer, or for enhanced security you can provide your own custom signed certificate.

The following sections describe the various network architecture scenarios, how to access a SmartServer from the Internet, and the use of both self-signed and signed certificates along with DDNS.

Private Networks

The following figure illustrates an isolated private network and another one connected to the Internet, but without external access to the SmartServer.

Within the private network, a DHCP server that is typically part of a network address translation (NAT) router assigns non-routable IP addresses to devices, typically within the following IP address ranges:

10.0.0.0 → 10.255.255.255
172.16.0.0 → 172.31.255.255
192.168.0.0 → 192.168.255.255

Only the external-facing interface of the router is assigned a routable IP address, which may be dynamically or statically allocated by the service provider.

To access a SmartServer from within a private network, use one of the methods described in Connecting to Your SmartServer.

By default, the SmartServer is configured to use self-signed certificates, and therefore when trying to establish a secure connection to a SmartServer, a browser will always indicate the connection is insecure, as shown below.  However, you can safely proceed to the web page.

A typical use-case is illustrated below, where a SmartServer is connected to a private network, which uses a cellular connection to the Internet, and where the SmartServer can be accessed over the internet.

To access a SmartServer located in a private network from the Internet, network address translation (NAT) is used.  With NAT, traffic that arrives at the external interface of the NAT router is forwarded to the internal SmartServer on a port by port basis. Each type of NAT router has a different method to set up port forwarding.  Following is an example from a Netgear router:

You can forward any of the following ports to a SmartServer.  You can use the SSH port for console access, the SFTP port for file transfer access, the HTTPS port for web browser access, and the MQTT port for IAP access.

Service NameProtocolExternal Inbound Port  Forwarded to SmartServer Port
SSHTCP2222
SFTPTCP2222
HTTPSTCP443443
MQTTTCP88838883

For enhanced security, only open those ports absolutely necessary for operation, leaving everything else blocked from external access.  For extra enhanced security, and only accept traffic from specific IP addresses.  

Note: If you have multiple SmartServers in the same private network, use different external inbound ports for each.

For simplified setup, use a router or modem that connects to the Internet using a fixed routable public IP address supplied by the service provider.  This address becomes the public facing external address of the SmartServer. Most cellular providers will be able to supply fixed IP address SIM cards either directly, or through third party suppliers.  

Some routers support NAT loopback, which is where a local SmartServer can be accessed from inside the private network using its external address or name.

The internet connection may also be DSL or fiber-based as illustrated below.

The external address, a DNS entry in the customer domain in question or a local hosts file entry can be used to reference the SmartServer's external address. However, this will not resolve the security issues associated with using self-signed certificates when accessing the SmartServer, especially from the Internet.

Signed Certificates and DDNS

The SmartServer supports DDNS (dynamic DNS) and signed certificates, where a SmartServer can be referenced by a fully qualified domain name (FQDN) that matches its signed certificate. The combination of the two facilitates secure connections to the SmartServer, from outside the private network and also from inside, if NAT loopback is available.

The following figure illustrates an example use-case with cellular connection:

Note: The default signed certificate included with the SmartServer requires an Internet connection to authenticate the certificate with a public certificate authority.  If you are using the SmartServer on a private network that is not connected to the Internet, you can use your own signed certificates that is validated by a certificate authority within your private network. See Customer Certificates for details.

To enable signed certificates, follow these steps:

  1. Ensure that the SmartServer has a good internet connection by pinging a know site such as google.com from a console connection.

    See Connecting to Your SmartServer for information regarding connecting to the SmartServer using the console.

  2. Using a web browser, open the SmartServer Configuration page as described in Configure Your SmartServer.

  3. Click System at the top of the page.

  4. Click Enable Signed Certificates so that a check mark appears next to it.



    Once you enable signed certificates, the SmartServer will automatically update its DDNS entry for the hostname printed on the label on the bottom of your SmartServer appended with echelon.cloud, checking every 30 minutes if the SmartServer's external address has changed. If an external address change is detected, the SmartServer will update DDNS accordingly, allowing for network reconfiguration if required. The SmartServer automatically renews the signed certificates with a certificate authority every 90 days.

    Note: Even though DDNS is supported, the use of non-fixed IP address SIM cards for cellular connections may cause frequent communication disruptions because the external address may change as frequently as once a minute.  Any change to the SmartServer's external IP address requires some time to be reflected in the global DNS.  Frequent external IP address changes can cause complete loss of external access
  5. Refer to the SmartServer by its registered FQDN within the global DNS to provide secure access. The registered FQDN consists of the hostname concatenated with .echelon.cloud as shown in this example:

    smartserver-17q3jd2.echelon.cloud

  6. You can manually update the SmartServer's DDNS entry from a console connection having logged in as root (see Logging into the SmartServer in the Connect to Your SmartServer section for more information) using the following command. The update will require some time to propagate through the global DNS:
    /sbin/aws-update

  7. To verify the correct DNS entry for the SmartServer, ping <smartserver hostname>.echelon.cloud and compare this to the result of the dig command shown below, which you can use to find the SmartServer's external address from a console connection.
    dig myip.opendns.com @resolver1.opendns.com

Once you have enabled signed certificates and the FQDN DNS entry has been updated to reflect the external address of the SmartServer, you can check the validity of the certificate installation using one of the many available public services such as https://www.geocerts.com/ssl-checker as shown below.

SSL Server Certificate

Common Name: smartserver-abcdefg.echelon.cloud
Issuing CA: Let's Encrypt Authority X3
Organization:
Valid: August 17, 2020 to November 15, 2020
Key Size: 4096 bits

Subject Alternative Names (SANs)

smartserver-17q4rsx.echelon.cloud

Certificate Expiration

This certificate will expire in 87 days.

Certificate Common Name (CN) and Hostname Match?

The hostname (smartserver-17q4rsx.echelon.cloud) matches the certificate and the certificate is valid.

DNS, etc.

smartserver-abcdefg.echelon.cloud resolves to 555.199.202.99.

Server type: nginx/1.10.3 (Ubuntu)

Certificate Chain Complete?

All of the correct Intermediate CA Certificates are installed. Your SSL certificate is installed correctly and should be supported in all the major web browsers without problems.

Common Name: smartserver-abcdefg.echelon.cloud
Organization:
Valid: August 17, 2020 to November 15, 2020
Issuer: Let's Encrypt Authority X3

Common Name: Let's Encrypt Authority X3
Organization: Let's Encrypt
Valid: March 17, 2016 to March 17, 2021
Issuer: DST Root CA X3

Common Name: DST Root CA X3
Organization: Digital Signature Trust Co.
Valid: September 30, 2000 to September 30, 2021
Issuer: DST Root CA X3

DMZs, Direct Connections and VPNs

In addition to using NAT and a private network, you can connect a SmartServer to a NAT routers DMZ or directly access it as shown below.

Alternatively, you can use a  VPN to connect a remote SmartServer to your internal network. For example, a cellular provider may be able to supply a VPN connection from the external edge of their network to a VPN server in the remote network (as would be typical for AWS usage). Therefore, a single VPN can support all the SmartServers attached to the cellular provider's network, and none would be exposed to attacks from the public Internet as illustrated below.

Customer Certificates

You can use your own signed certificates to further improve security, and to support signed certificates without Internet access. In this case, you do not need to set Enable Signed Certificates in the SmartServer Configuration page, as described in the section Signed Certificates and DDNS.

To use your own signed certificates, follow these steps:

  1. Place your signed certificates in a suitably named directory within /var/apollo/data/certs as shown in the figure below.



    As an example, with signed certificates enabled, the contents of /etc/nginx/sites-enabled/certs.conf are as follows for smartserver-17q4rsx.echelon.cloud:

    # ======= SSL keys - CA Signed ======
    ssl_certificate         /var/apollo/data/certs/smartserver-17q4rsx.echelon.cloud/fullchain.pem;
    ssl_certificate_key     /var/apollo/data/certs/smartserver-17q4rsx.echelon.cloud/privkey.pem;
    ssl_dhparam             /var/apollo/data/certs/smartserver-17q4rsx.echelon.cloud/dhparams.pem;
    # ===================================

    The expected names of signed certificate files are fullchain.pem and privkey.pem, which are soft links to the actual files. The expected names of self-signed certificate files are server.crt and server.key, which are not soft-links.

  2. Edit /etc/nginx/sites-enabled/certs.conf to reflect your own certificates.

  3. Restart nginx from a console connection using the following command, or simply reboot your SmartServer:
    sudo systemctl restart nginx

    See Connecting to Your SmartServer for information regarding connecting to the SmartServer using the console.

  4. Populate your own DNS to reflect the SmartServer’s hostname and chosen domain such that it matches the certificate common name.

Managing Passwords

You can change, manage, and reset the SmartServer system and CMS user passwords. The SmartServer system password is used to log into the SmartServer Configuration page as well as the system console. The CMS user password is used to log into the SmartServer CMS. 

With SmartServer 3.2 and higher

If the CMS user password matches the system password, then changing the system password will also change the CMS password. If the CMS user password does not match the system password, then changing the system password will not change the CMS password. Changing the CMS user password does not affect the system password, but influences the effects of system password changes.

To change both the apollo system and CMS apollo user passwords, see Changing the System Password.

To change the CMS apollo user password only, or other CMS user passwords, see Changing User Passwords.

See also Managing Customer and User Accounts for additional user routines.

Changing the System Password

To change both the apollo system and CMS apollo user passwords, follow these steps:

  1. Open the SmartServer Configuration page as described in Configure Your SmartServer.

  2. Click System at the top of the page.



  3. Click Change Password.

  4. Enter the following information:

    • Current Password
    • New Password
    • Confirm New Password



  5. Click Change Password.

Changing User Passwords

The CMS Apollo Owner user account is available by default as the primary CMS user with the SmartServer IoT. You can create other CMS user accounts and assign passwords to them as described in Managing Customer and User Accounts

To change the CMS apollo user password (or other CMS user passwords) using the CMS Users widget, follow these steps:

  1. Open the Users widget in the CMS.

  2. Click the action button () and select the Change Password action for the user.



  3. Enter the appropriate password information in Current Password, New Password, and Repeat Password.

    • The Repeat Password and New Password entries must match. 
    • Enabling the Show Passwords feature () displays the disguised password characters.



  4. Click Save to store the new password.

  5. Optionally, you can change the system password to match the new CMS password.

Resetting Passwords

You can reset the password for another CMS user if your user account is specified as an Owner user.  To reset a password for another CMS user, follow these steps:

  1. Open the Users widget in the CMS.

  2. Click the action button () for the user.

  3. Click Reset Password.



  4. Confirm the reset operation by clicking Yes on the Confirmation dialog box. 



  5. A message appears indicating that a password was sent to the user’s email address.

Restoring a Lost CMS Password Using Email

You can enable email password recovery for a CMS user.  To enable email password recovery, follow these steps:

  1. Configure an SMTP server as described in Configure Your SmartServer.

  2. Enter a valid email address for the user as described in Managing Customer and User Accounts.

To restore the password for a CMS user with email recovery enabled, follow these steps:

  1. Enter your login name on the SmartServer CMS login page.



  2. Click the Forgot Password button.



  3. Check your email for a message providing a new password and use it to log in.

Restoring the Factory System Password with the Connect Button

Starting with SmartServer 2.6, you can enable system password recovery using the SmartServer Connect button (see Using the LEDs and Buttons section for more information).  When enabled, you can restore the factory system password by holding down the Connect button for 20 seconds.  This resets the password to the factory default as specified on the label on the bottom of the SmartServer.  The SmartServer indicates it is resetting the password by changing the Ready LED to red and blinking it at a fast rate. When the password reset is completed, the Ready LED will change to blue and the SmartServer IoT will initiate an immediate reboot.  Password recovery is enabled by default.  To disable this feature, select the Password Recovery option. 

Warning: If this option is disabled, a lost password will require the SmartServer to be replaced.
  1. Open the SmartServer Configuration page as described in Configure Your SmartServer.

  2. Click System at the top of the page.



  3. Clear the Allow Password Reset via the SmartServer Connect Button box.


  • No labels