The Security tab is used for managing key entries and device certificates for KNX Secure.
This function allows the export of complete key datasets from the associated project so that they can be used in a visualization, for example, or to archive them additionally (outside of the project).
•A password is required to secure the security-relevant data in the export file; it is requested before the export (the password does not encrypt the file itself, only the security-relevant data in the file).
•The same password guidelines apply as for the project password.
Devices which support KNX Secure require additional information for this. It is provided by the KNX manufacturers along with these devices.
•The contents of a device certificate include the serial number (6 characters) and the factory key (16 characters) of a KNX Secure device, yielding a 24 character string when they are put together.
•A device certificate, or the factory key contained in it, is ultimately assigned to a device in the project via the serial number (see point 3).
The following information is displayed in the table in ETS.
Unique Device Hardware ID
Initial key from the factory; different for every KNX Secure device.
3. PA/IA and the name of the device
This field is initially blank after the certificate is imported. When a device is used in a project and is downloaded for the first time, the serial number (SN) read from the device is compared with those from the device certificates. When there is a match, the PA/IA or the name of the device becomes visible here.
•Deleting certificates (when selected; multiple selection is also possible)
•Details on the topic of KNX Secure as well as the keys displayed here can be found here.
The project password must be set when the project contains certificates; if it is not set, a dialog appears in which to enter it.
The necessary data from device certificates can be provided to ETS in two ways and then appears in the display above.
A. Importing/adding in the project area
B. Import while downloading to the corresponding device in the project
In both cases, a corresponding dialog appears. It offers manual input of either the device certificate (22 characters*) for (A) or, when downloading to the device (B), the factory key directly (16 characters*). As an option for (A), a QR code can be scanned with an (integrated) web camera, which allows import of one to several device certificates.
•Different certificates imported one after the other with the same serial number, but different factory keys (which is actually a problem with the creation of the certificates); the last factory key imported is always the one that is used.
•Different certificates imported one after the other with the same serial number, but different factory keys (which is actually a problem with the creation of the certificates); ETS then uses the same factory key n times for different devices (which is transparent for ETS but less so for the security of the system).
Backing up Certificates
Certificates (or, more accurately, at least the factory key) must be backed up in addition to the ETS project. The form used for this depends on how these are provided by the KNX device manufacturer (e.g. in printable form in a folder).
•If a project that contained KNX Secure devices is lost, then the keys saved there and currently used by ETS, as well as the factory keys of the devices, are also lost. For a reconfiguration or re-installation, (KNX Secure) devices must be reset locally using “Master Reset” (just as for normal projects without KNX Secure devices). When this takes place, the original factory key once again becomes active for KNX Secure devices (previously, the active keys were those provided by ETS).
•The original factory key is then (again) used for re-downloading or renewed commissioning.
•Deletion is disabled if a secure download was performed on the corresponding device (the initial factory key needs to be preserved for ETS, e.g. for reprogramming after a device reset).
* The dialog input format is Base32. According to the specification, e.g. the 22 characters of a certificate require 36 Base32 characters (22*8/5 = 36, rounded up), spread over six input blocks of six characters. Entering 0 and 1 as a Base32 character is not possible (to prevent a mix-up with capital "O" or "I").
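An added example (not ETS code and not part of the original help page) of the input format described in the footnote: it validates a 36-character Base32 entry, splits it into serial number and factory key, and flags a batch in which one serial number carries several factory keys or one factory key is shared by several serial numbers. It assumes the RFC 4648 alphabet (A-Z, 2-7), treats each "character" of the certificate as one byte, and ignores the 4 bits left over in the last Base32 character, which the page does not describe; all function names are hypothetical.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # assumption: RFC 4648 Base32 alphabet

def encode_certificate(serial: bytes, factory_key: bytes) -> str:
    """Build a dialog string (six blocks of six) for constructed test data."""
    if len(serial) != 6 or len(factory_key) != 16:
        raise ValueError("need a 6-byte serial number and a 16-byte factory key")
    bits = int.from_bytes(serial + factory_key, "big") << 4  # 176 -> 180 bits, spare bits 0
    chars = "".join(ALPHABET[(bits >> s) & 31] for s in range(175, -1, -5))
    return "-".join(chars[i:i + 6] for i in range(0, 36, 6))

def parse_certificate(text: str) -> tuple[bytes, bytes]:
    """Validate dialog input and return (serial number, factory key)."""
    chars = "".join(c for c in text.upper() if c not in " -")
    if len(chars) != 36:
        raise ValueError(f"expected 36 Base32 characters, got {len(chars)}")
    bad = sorted(set(chars) - set(ALPHABET))
    if bad:
        raise ValueError(f"not Base32 characters (0 and 1 are never valid): {bad}")
    bits = 0
    for c in chars:
        bits = (bits << 5) | ALPHABET.index(c)
    raw = (bits >> 4).to_bytes(22, "big")  # drop the 4 spare bits (not interpreted here)
    return raw[:6], raw[6:]

def find_conflicts(certs: list[str]) -> tuple[set[bytes], set[bytes]]:
    """Return (serials seen with several keys, keys seen with several serials)."""
    by_serial: dict[bytes, set[bytes]] = {}
    by_key: dict[bytes, set[bytes]] = {}
    for cert in certs:
        serial, key = parse_certificate(cert)
        by_serial.setdefault(serial, set()).add(key)
        by_key.setdefault(key, set()).add(serial)
    return ({s for s, k in by_serial.items() if len(k) > 1},
            {k for k, s in by_key.items() if len(s) > 1})

if __name__ == "__main__":
    # Constructed sample values, not real device data.
    sn_a, sn_b = bytes.fromhex("00fa12345678"), bytes.fromhex("00fa12345679")
    key_1, key_2 = bytes(range(16)), bytes(range(16, 32))
    batch = [encode_certificate(sn_a, key_1), encode_certificate(sn_a, key_2),
             encode_certificate(sn_b, key_2)]
    print(batch[0])
    print(find_conflicts(batch))
```

Running such a check over a manufacturer's certificate list before import surfaces both problem cases early, since every KNX Secure device is expected to have its own factory key.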