A secure primary or failover hub accepts connections from remote devices, usually remote controllers. One or two certificates in the hub authenticate server connections and encrypt these messages.
Prerequisites: You are working in Workbench on a PC or laptop computer connected to a remote controller station on a BACnet network. The bacnet palette is open. A client certificate for this node exists and you know where to find the issuer certificate.
- To add a secure hub, expand and double-click Network.
The Network (Bacnet Network Layer) Property Sheet opens.
- In the bacnet palette, expand NetworkPorts, select ScHubPort, add it to this Property Sheet, enter a name for this ScHubPort in the Name window that opens, and click OK.
The system adds the ScHubPort component to the Property Sheet.
- Expand ScHubPort and enter the Network Number. The driver automatically generates the Vmac Address (visible when you expand Link).
- To assign the operational (client) certificate, click Link, click Credentials, expand Credentials and select the certificate’s alias from the Alias drop-down list. The hub’s operational certificate is used to make a local connection from a node that hosts the hub function.
The Credentials properties open.
- To assign an issuer certificate (CA), expand Issuer Certificate1, click the folder icon to the right of Issuer Certificate, use the File Chooser to select the exported public certificate for the Secure Connect site CA certificate and click Open. An issuer certificate is an exported Secure Connect site CA certificate without its private key. This certificate verifies a remote device’s authenticity when it makes a connection to the hub.
- To specify the behavior of the node that hosts the hub towards incoming and outgoing direct connections, double-click Link in the Nav tree and expand Node Switch.
The Node Switch properties expand.
- Set Accept Enabled and Initiate Enabled to true as needed and click Save. This configures the node that hosts the hub to accept and/or initiate direct connections.
Notice that Fault Cause displays a message indicating that no BACnet/SC user is associated with this SC port. You will fix this condition shortly.
- To enable the hub function, double-click HubFunction in the Nav tree or expand HubFunction, set Enabled to true and click Save. Again, Fault Cause indicates that no BACnet/SC user is associated with this SC port.
- To associate a user, right-click HubFunction and select .
This action simultaneously adds a BACnetSC_ScHubPort user to the UserService and configures this user’s Authenticator property with the ORD that points to the secure hub port you just configured.
To access the Property Sheet shown, expand and double-click BACnetSC_ScHubPort.
This is a machine user required by BACnet Secure Connect. This user’s sole purpose is to associate an incoming request with a secure connect port. Do not configure this user as you would an administrator or other human user. It must not have any permissions in the station.
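
The issuer certificate step above expects an exported site CA certificate without its private key. The following pre-import check is an added example, not part of the original documentation or the product; it assumes the export is a PEM file, and the function name `check_issuer_file` and the sample data are constructed for illustration.

```python
import base64
import binascii
import re

# PEM block (RFC 7468): -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def check_issuer_file(pem_text):
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    for label in labels:
        # Matches PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
        if label.endswith("PRIVATE KEY"):
            problems.append(f"contains a private key block: {label}")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    for label, body in blocks:
        if label != "CERTIFICATE":
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("CERTIFICATE block is not valid base64")
            continue
        # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE (tag 0x30).
        if not der.startswith(b"\x30"):
            problems.append("CERTIFICATE block is not a DER SEQUENCE")
    return problems


# Constructed sample data: placeholder bytes, not a real certificate or key.
_BODY = base64.b64encode(b"\x30\x82\x01\x0a" + bytes(32)).decode()
PUBLIC_ONLY = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
WITH_KEY = (
    PUBLIC_ONLY + f"-----BEGIN PRIVATE KEY-----\n{_BODY}\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, text in (("public only", PUBLIC_ONLY), ("with key", WITH_KEY)):
        print(name, "->", check_issuer_file(text) or "OK")
```

This only inspects the file's structure; it does not validate the certificate's signature, validity period or CA constraints.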