Introduction

This quick guide discusses the security settings available on the Irisys Vector units that you may need to configure in order to ensure that your Vector devices are not maliciously accessed.

In order to access these settings, you must first make an initial connection to the Vector unit; see separate guide: Irisys Vector 4D - Making a Setup Connection.

 

Security Settings

Once you are connected to your Vector, the security settings are accessed via the ‘Settings’ tab, then ‘Security’.

If connected to a Vector via an Estate Manager connection, make sure you select the ‘Live View’ option to make changes.
Always take extra care when remotely changing any of these settings – an incorrect setting could leave your Vector device offline, which will require a site visit to rectify!

Note the help text shown on the right of this tab, if required.

 

Web Interface Password

The web interface password is required when accessing the device via a direct web browser connection. It prevents access to the device's configuration and stops malicious changes from being made. The username is always admin. On new devices the password is written on the label on the back of the device; on older devices it was always 'installer'.

The username is fixed, but the password can be changed, if required, using this tab. 

Note that remote connection to the Vector device via an Estate Manager connection is unaffected by changing this password.

 

Device Web API Key

When producing software to retrieve count data and interact with the Vector directly, API requests are restricted by this API key. Therefore, if you wish to communicate directly with the Vector, this API key must be incorporated in each function call that you use.

See the API documentation for more details.

You can generate a fresh key here by clicking the button provided. This might be required if someone’s access to a device needs to be withdrawn or disabled, or if the key has been compromised.

Remember: if you change the Device Web API Key, any software which uses it to communicate with the Vector will need to be updated with the new key value.

 

Security Certificate Authority

A security certificate authority (often referred to as a CA) is a root level certificate that belongs to an entity that signs (authenticates), stores, and issues digital certificates.

The device uses it to decide whether a given certificate (one you upload, or one presented by something the device connects to, for example an MQTT broker) is trustworthy. Many certificates that are known to be trusted are already on the device by default, for example 'GoDaddy', the website hosting service.

A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

If you use your own security certificate authority, then you should upload it here.

When uploading a key and cert, choose one of the following:

  • “Default” (overwrites the default cert used for HTTPS; it cannot be deleted, only overwritten).

    • If a cert for which the device does not have the full trust chain (e.g. an AWS IoT cert) is uploaded as Default, the upload will succeed and the user will be prompted to restart, but upon restart the cert, not being fully trusted, will have been replaced with a new self-signed one.

  • “Custom” (uploads in addition to the default); choose a name for it.

 

Custom Security Certificates

The Custom Security Certificates are specific to the device - they provide the solution to getting a secure connection between your devices and our IoT platform.

Note there are known issues configuring Security Certificates to work with the AWS IoT platform, and you will most likely see an error relating to AWS.

For correct operation with AWS ensure your Vector is running firmware version 165, or above. Available from here.

  1. Click [Select Private Key] to select the file location of the private key, then click [Select Certificate] to select the file location of the certificate.
  2. Click "Custom" selection and enter a name for this cert pair.
  3. Click [Upload] to upload the two files.

Once uploaded, a list of available certificates is shown.

Other than the default, these can be deleted if desired.

If a cert with a duplicate name is uploaded, it will overwrite that previous one.
Once a certificate is uploaded, the choice of cert to use for MQTT is given under the “TLS Enabled” option. Naturally, it defaults to “Default”.
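
Because a Default certificate without a full trust chain is replaced by a self-signed one after restart, and because the upload steps above take a separate private key and certificate file, it is worth checking both on a workstation first. The following is an added example, not Irisys code: it uses the openssl command line, the function names are hypothetical, the sample keys and certificates are constructed, and the CA bundle passed in is an assumption standing in for the CAs held on the device.

```bash
#!/usr/bin/env bash
# Added example, not Irisys code: checks to run on a workstation before upload.
# File names, subjects and function names are constructed for this demonstration.

# Succeeds when private key $1 and certificate $2 hold the same public key.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when certificate $2 chains to a CA in bundle $1. The bundle is an
# assumption standing in for the CAs held on the device. -no-CApath keeps the
# workstation's own default CA directory out of the decision.
chain_is_trusted() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints one verdict for key $1, certificate $2 and CA bundle $3.
preflight() {
  if ! key_matches_cert "$1" "$2"; then echo "key-mismatch"; return 1; fi
  if ! chain_is_trusted "$3" "$2"; then echo "untrusted-chain"; return 2; fi
  echo "ok"
}

# Builds constructed sample material in directory $1: two unrelated root CAs
# (A and B) and a leaf certificate issued by root A only.
make_samples() {
  local n
  for n in A B; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root $n" \
      -keyout "$1/root$n.key" -out "$1/root$n.pem" 2>/dev/null || return 1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vector.example" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/rootA.pem" -CAkey "$1/rootA.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

d=$(mktemp -d) && make_samples "$d"
echo "bundle with issuer:    $(preflight "$d/leaf.key" "$d/leaf.pem" "$d/rootA.pem")"
echo "bundle without issuer: $(preflight "$d/leaf.key" "$d/leaf.pem" "$d/rootB.pem")"
echo "wrong private key:     $(preflight "$d/rootB.key" "$d/leaf.pem" "$d/rootA.pem")"
rm -rf "$d"
```

The "untrusted-chain" verdict corresponds to the case described above where the device does not hold the full trust chain; uploading the issuing CA under Security Certificate Authority first is the step the page gives for using your own CA.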

HTTPS Only

Ticking this check box (and saving) forces communications with the Vector to be over HTTPS rather than regular HTTP. This might be required in some security-conscious environments.

 

Authenticated communications

Ticking this check box (and saving) forces password authentication when using the installed RIFT exe software. By default, the RIFT exe allows connection to a Vector without requiring password entry, which is a good way to access a device locally when the password required for website login has been forgotten. Once this box is ticked, that will no longer be possible.

This may be required for some security-conscious environments, but care should be taken to ensure passwords are not forgotten for future settings changes.

 

Saving

Before navigating away from the device, click the ‘Save’ button to complete any changes.

 

Notes on Web API Usage

Use of this API key is beyond the scope of this document, and programmers are directed to the built-in REST API documentation, which is accessed via the web interface.

Note that the REST API used to communicate directly with the Vector is the same REST API that is built into Estate Manager. It is therefore possible to produce software which can work with or without Estate Manager, with very few changes required between each method.

We have some code examples showing how to integrate with the REST API, and with the HTTP Push and MQTT functionality, stored online at the GitHub repository. Go to: https://github.com/IrisysUK