ENGAGE Access Point Login Update App Note

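REVISION CONTROL RECORD

| VER | DATE | DESCRIPTION OF CHANGE | AUTHOR |
|-----|------|-----------------------|--------|
| 0.1 | 3/4/2018 | Initial draft | Anirban Paul |
| 0.2 | 3/28/2018 | Final draft | Anirban Paul |
| 0.3 | 1/23/2019 | Edited draft for grammar and format | A. Clark |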

Table of Contents

1. Introduction
   1.1 Abbreviations
   1.2 Purpose
   1.3 Background
   1.4 Benefits
2. Updating a Lock’s Access Point Login Credential
   2.1 Feature Overview
   2.2 ENGAGE Alliance Partner Host Implementation
       2.2.1 To Set New Access Point Configuration
       2.2.2 To Verify New Access Point Configuration was Set
       2.2.3 To Delete a New Access Point Configuration
       2.2.4 To Confirm New Access Point Configuration Switch
3. Appendix A: Use Case Example
   3.1 Set a New Access Point Configuration
   3.2 Verify New Access Point Configuration
   3.3 Delete New Access Point Configuration
   3.4 Verify New Access Point Configuration Switch

Introduction

Abbreviations

Abbreviations Used in This Document

AP      Access Point
ENGAGE  Connectivity Platform Technology
JSON    JavaScript Object Notation
Config  Device Configuration
DB      Database

Purpose

This document provides the rationale behind the implementation of the Access Point Login Update feature, a base level understanding of how the feature works, why our ENGAGE Alliance Partners may want to use it, and outlines the specifics of the communication protocol.

This enables our ENGAGE Alliance Partners to update the Access Point login of an ENGAGE device from a host without the need to visit each device installed at the customer site.

Background

Most large-scale institutions such as hospitals, commercial and government offices have an IT organization that manages the network security of all its employees and/or tenants.

A major part of network security is the periodic (90 days/3 months), compulsory update of login credentials. This is an accepted security practice across all major, global organizations.

For these large organizations, the networked ENGAGE devices (NDE/LE/CTE/RURM) come under the purview of their respective IT team. ENGAGE devices are best managed with the accepted, periodic update of login credentials.

Feature Benefits

Previously, the only method to update the access point login credential of a networked offline lock was to visit the door on which the lock/device was installed and change the access point login credential using a mobile application provided by the ENGAGE Alliance Partner.

This method takes about 10 to 15 minutes for a single lock/device. A site containing 1000 locks/devices can utilize an estimated 20 man-days to complete the single round of updates.

Planned, quarterly updates can burden an organization for up to 80 man-days annually.

This new feature allows a host to update login credentials on all the locks/devices simultaneously. The elimination of site visits and nearly 80 man-days of annual activity can be realized in immediate savings of time and effort for the organization’s IT team.

Updating Access Point Login Credentials

This feature is applicable to all ENGAGE devices that operate in Networked Offline Mode.

Updates to the Alliance Partner host are required as outlined in this document.

NOTE: This new feature is supported beginning with the ENGAGE Release 6.1 version.

Feature Prerequisite

New Access Point Config JSON is only supported when TLS and HMAC are enabled.

Feature Overview

ENGAGE-enabled networked offline locks phone home once every 24 hours (configurable) to push the current lock configuration, download the database and upload audits.

The host can send the new Access Point configuration for changing the login credential during this time.

Figure 1 shows the new Access Point Configuration JSON.

| Tag | Short Tag | Type/Length (ASCII bytes) | Value | Device Exclusions |
|-----|-----------|---------------------------|-------|-------------------|
| New Access Point Config | apCfgNew | String/6 | N/A | SC |
| New AP Config Enable | apCfgNewEn | String/1 | “T” = enables new Access Point Config; “F” = disables new Access Point Config (default option) | SC |
| New SSID | ssidNew | String/32 | Max 32 characters | SC |
| New AP Password | psswdNew | String/64 | Max 64 characters | SC |
| New User Name | usrNmNew | String/16 | Max 16 characters | SC |
| New Wi-Fi Security | wifiSecNew | String/7 | “prsnl”, “entrprs”, “open”, “wep” | SC |
| Config Start Time | apNewCfgStrtTm | String/14 | “YYYYMMDDHHMMSS” | SC |

A WIFI_NEW_AP_UPDATE audit (Audit Event = 0x0B0E, Audit Data: 0000) is logged by the device, if New Access Point Configuration is successfully accepted. The device pushes the updated configuration during the next phone home cycle.

If the new Access Point Configuration JSON is invalid, a WIFI_NEW_AP_UPDATE audit (Audit Event = 0x0B0E, Audit Data: 0003) is logged.

To disable a new AP configuration before it takes effect, the host needs to send a JSON with tag “apCfgNewEn” = “F”. WIFI_NEW_AP_UPDATE audit (Audit Event = 0x0B0E, Audit Data: 0001) is logged by the device.

At time = “apCfgNewStrtTm” set by the host, the device switches over from the current AP Configuration to the New AP Configuration. The device sets the new AP configuration as the current AP Configuration and sets tag “apCfgNewEn” = “F” (i.e. clear/disable New Access Point Config). During the switch, the device logs a WIFI_NEW_AP_UPDATE audit (Audit Event = 0x0B0E, Audit Data: 0002). The device uses the new configuration the next time it phones home.

Feature Implementation Considerations

Any time after the new AP configs are set, if HMAC and/or TLS are turned off, the device clears the new AP configs and logs a WIFI_NEW_AP_UPDATE audit (Audit Event = 0x0B0E, Audit Data: 0001).

New Access Point Config is invalid if invalid JSON tag/size/data or out of boundary values for “apCfgNewStrtTm” is sent.

Accepted boundary values for “apCfgNewStrtTm”:

  • Minimum value: 1 minute from current time.
  • Maximum value: 6 months from current time.

If the switch time (change from current AP settings to new AP settings) is missed because the device was powered off, reset or power cycled, the device switches to the new AP config on the next power up. This is true only if the device retains time on power up. If the device loses time on power up, the device clears the new AP configs and logs a WIFI_NEW_AP_UPDATE audit (Audit Event = 0x0B0E, Audit Data: 0001).

If using WEP as a WiFi security type, kyIndx (WEP Key Index) is deprecated and always considered to be of value 1.

ENGAGE Alliance Partner Host Implementation

Set New Access Point Configuration

Perform the following steps to set a new AP configuration:

  1. During the next phone home, get the current configuration from the lock.

  2. Confirm that the dvcProfile block in the Lock Configuration contains the extension key “NewAPCfg” with value = 1.

  3. Send the new AP configuration with relevant values as per Figure 1 as part of Config during Database download.

  4. While sending the updated database (if any), include an updated value for the “dbDwnLdTm” tag to request the next phone home happens within 10 minutes (Optional step).
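
A host-side check to run before step 3, covering the Figure 1 limits, the TLS/HMAC prerequisite and the “apCfgNewStrtTm” window from Feature Implementation Considerations. This is an added example, not code from this app note or the ENGAGE platform; the function names are hypothetical and the caller supplies the current time. It assumes every Figure 1 tag is sent (as in Appendix A), takes "6 months" as 180 days, and spells the start-time tag as the Appendix A JSON does (Figure 1 prints it as apNewCfgStrtTm).

```python
from datetime import datetime, timedelta

# Limits from Figure 1; lengths are counted in ASCII bytes.
MAX_LEN = {"ssidNew": 32, "psswdNew": 64, "usrNmNew": 16}
WIFI_SEC = ("prsnl", "entrprs", "open", "wep")
KNOWN_TAGS = set(MAX_LEN) | {"apCfgNewEn", "wifiSecNew", "apCfgNewStrtTm"}
MIN_LEAD = timedelta(minutes=1)
# Assumption: "6 months" is taken as 180 days, which is never longer than
# six calendar months, so a time accepted here is inside the device window.
MAX_LEAD = timedelta(days=180)


def lock_supports_new_ap_cfg(lock_cfg):
    """Step 2 of the set procedure: dvcProfile carries NewAPCfg = 1."""
    profile = lock_cfg.get("dvcProfile", {})
    return profile.get("key") == "NewAPCfg" and str(profile.get("value")) == "1"


def validate_ap_cfg_new(block, now, tls_enabled, hmac_enabled):
    """Return a list of problems; an empty list means the block can be sent."""
    errors = []
    if not (tls_enabled and hmac_enabled):
        errors.append("TLS and HMAC must both be enabled")
    for tag in sorted(set(block) - KNOWN_TAGS):
        errors.append(f"unknown tag {tag}")
    enable = block.get("apCfgNewEn")
    if enable not in ("T", "F"):
        errors.append("apCfgNewEn must be T or F")
    if enable == "F":
        return errors  # a delete request carries only the enable flag
    for tag, limit in MAX_LEN.items():
        value = block.get(tag)
        if not isinstance(value, str) or not value.isascii():
            errors.append(f"{tag} must be an ASCII string")
        elif len(value) > limit:
            errors.append(f"{tag} exceeds {limit} bytes")
    if block.get("wifiSecNew") not in WIFI_SEC:
        errors.append("wifiSecNew must be one of " + ", ".join(WIFI_SEC))
    raw = block.get("apCfgNewStrtTm")
    if not isinstance(raw, str) or len(raw) != 14 or not raw.isdigit():
        errors.append("apCfgNewStrtTm must be 14 digits, YYYYMMDDHHMMSS")
        return errors
    try:
        start = datetime.strptime(raw, "%Y%m%d%H%M%S")
    except ValueError:
        errors.append("apCfgNewStrtTm is not a valid date and time")
        return errors
    if not (now + MIN_LEAD <= start <= now + MAX_LEAD):
        errors.append("apCfgNewStrtTm outside 1 minute to 6 months from now")
    return errors


# Constructed sample: the Appendix A block with a made-up password.
SAMPLE_BLOCK = {"apCfgNewEn": "T", "ssidNew": "02.04.12",
                "psswdNew": "constructed-passphrase", "usrNmNew": "Cr649",
                "wifiSecNew": "entrprs", "apCfgNewStrtTm": "20140527160629"}
SAMPLE_NOW = datetime(2014, 5, 27, 14, 6, 29)  # rtcTime in the sample lock config

if __name__ == "__main__":
    print(validate_ap_cfg_new(SAMPLE_BLOCK, SAMPLE_NOW, True, True))
```

The error strings name the failing tag but never echo its value, so the result can be logged without exposing the new password.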

Verify the New Access Point Configuration was Set

Perform the following steps to verify the new AP configuration:

  1. After Step 4 in the Section Set New Access Point Configuration, get audits from the Lock.

  2. Verify WIFI_NEW_AP_UPDATE audit (Audit Event = 0x0B0E, Audit Data: 0000) was logged. This audit indicates that the new AP configuration was accepted successfully by the lock.

  3. During the next phone home (after 10 minutes), get the configuration from the lock. Verify if the new AP configuration was received along with other lock configuration parameters (Optional step).

Delete a New Access Point Configuration

Perform the following steps to delete a new AP configuration that was set previously:

  1. During the next phone home, get the current configuration from the lock.

  2. Send new AP configuration with tag “apCfgNewEn” = “F” as part of Config during Database download.

  3. While sending the updated database (if any), include an updated value for the “dbDwnLdTm” tag so the next phone home happens within 10 minutes (Optional step).

  4. Get audits from the Lock.

  5. Verify WIFI_NEW_AP_UPDATE audit (Audit Event = 0x0B0E, Audit Data: 0001) was logged. This audit indicates that the new AP configuration was successfully deleted by the lock.

  6. During the next phone home after 10 minutes, get the configuration from the lock. Verify that no new AP configuration was received along with other lock configuration parameters (Optional step).

NOTE: Deleting a New AP configuration is only applicable before new AP configuration switch time.

Confirm New Access Point Configuration Switch

Perform the following steps to confirm the new AP configuration switch:

  1. During the previous phone home, while sending the updated database (if any), include an updated value for the “dbDwnLdTm” tag which is after “apCfgNewStrtTm” time (i.e. “dbDwnLdTm” > “apCfgNewStrtTm”).

  2. During the “dbDwnLdTm” confirm that the lock can connect to the host using the new AP configuration parameters.

  3. Get configuration from the Lock.

  4. Verify that no new AP configuration was received along with other lock configuration parameters.

  5. Verify that current AP configuration is same as previously set new AP configuration.

  6. Get audits from the Lock.

  7. Verify WIFI_NEW_AP_UPDATE audit (Audit Event = 0x0B0E, Audit Data: 0002) was logged. This audit indicates that the new AP configuration was successfully switched by the lock.
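
The audit checks in the verify, delete and confirm procedures above can be automated on the host as follows. This is an added example, not code from this app note or the ENGAGE platform; the function names are hypothetical, the event-string layout is inferred from the Appendix A samples, and the sample data is constructed.

```python
WIFI_NEW_AP_UPDATE = 0x0B0E
# Audit Data values from the Feature Overview.
OUTCOME = {0x0000: "accepted", 0x0001: "cleared",
           0x0002: "switched", 0x0003: "invalid"}
# New-config tag -> the wifiStngs tag it replaces after the switch.
TAG_MAP = {"ssidNew": "ssid", "psswdNew": "psswd",
           "usrNmNew": "usrNm", "wifiSecNew": "wifiSec"}


def decode_event(event):
    """Split an event string such as "B0E0002" into (audit event, audit data).
    Assumption drawn from Appendix A: the last four hex digits are the data."""
    if len(event) < 5:
        raise ValueError("event string too short")
    return int(event[:-4], 16), int(event[-4:], 16)


def ap_update_outcomes(payload):
    """Return [(time, outcome)] for each WIFI_NEW_AP_UPDATE audit in payload."""
    audits = payload.get("audits", [])
    if isinstance(audits, dict):  # Appendix A shows a single object
        audits = [audits]
    found = []
    for entry in audits:
        code, data = decode_event(entry["event"])
        if code == WIFI_NEW_AP_UPDATE:
            found.append((entry["time"], OUTCOME.get(data, f"unknown:{data:04X}")))
    return found


def needs_attention(payload, host_sent_delete=False):
    """Outcomes the host did not ask for. 0001 without a host delete means the
    device cleared the config itself (TLS/HMAC turned off, or time lost)."""
    return [(t, o) for t, o in ap_update_outcomes(payload)
            if o == "invalid" or o.startswith("unknown")
            or (o == "cleared" and not host_sent_delete)]


def confirm_switch(sent_block, lock_cfg, payload):
    """Steps 4, 5 and 7 of the confirm procedure; returns a list of failures."""
    failures = []
    if "apCfgNew" in lock_cfg:
        failures.append("lock still reports a pending apCfgNew block")
    current = lock_cfg.get("wifiStngs", {})
    for new_tag, cur_tag in TAG_MAP.items():
        if current.get(cur_tag) != sent_block.get(new_tag):
            failures.append(f"{cur_tag} differs from {new_tag}")  # values not logged
    if "switched" not in [o for _, o in ap_update_outcomes(payload)]:
        failures.append("no WIFI_NEW_AP_UPDATE audit with data 0002")
    return failures


# Constructed sample data shaped like the Appendix A messages.
SENT = {"apCfgNewEn": "T", "ssidNew": "02.04.12", "psswdNew": "constructed-pass",
        "usrNmNew": "Cr649", "wifiSecNew": "entrprs",
        "apCfgNewStrtTm": "20140527160629"}
LOCK_AFTER = {"wifiStngs": {"ssid": "02.04.12", "psswd": "constructed-pass",
                            "usrNm": "Cr649", "wifiSec": "entrprs"}}
AUDITS_AFTER = {"audits": {"event": "B0E0002", "time": "20140527171630"}}

if __name__ == "__main__":
    print(confirm_switch(SENT, LOCK_AFTER, AUDITS_AFTER))
```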

Appendix A: Use Case Example

For APIs used by the ENGAGE Device during phone home, refer to the Software Alliance Member API Integration Application Note.

Set a New Access Point Configuration

STEP 1: Configuration reported from the lock during phone home. Verify "key": "NewAPCfg" and "value":"1".

{
 "dvcProfile":
   {
           "baseType":"nde",
           "key":"NewAPCfg",
           "value":"1"
   },
   "battV":
   {
           "main":"5.87",
           "li":"2.99"
   },
   "fwVer":
   {
           "main":"01.03.11",
           "credRdr":"01.02.10",
           "ble":"01.02.10",
           "wifi":"01.05.10",
           "mainBl":"00.01.03",
           "credRdrBl":"00.01.01"
   },
   "wifiStngs":
   {
           "ssid":"01.03.11",
           "psswd":"\\@113G10N",
           "usrNm":"Br549",
           "wifiSec":"entrprs",
           "encrypt":"wep",
           "kyIndx":4,
           "dscvryTyp":"ipAddr",
           "scrCnn": "http",
           "ip":"196.23.43.113",
           "dns":"firstChoice",
           "altDNS":"secondChoice"
   },
   "lckPrmtrs":
   {
           "nm":"corner office",
           "mdl": "sf",
           "lckSn":"1122334455",
           "mnSn":"2233445566",
           "mfgDt":"20140607113022",
           "daysInUse":145,
           "hwVer":"c1",
           "type":"strm",
           "relock":1,
           "doorProp":20,
           "ada":30,
           "firstManIn":0,
           "dstEnable":0,
           "dstStart": "3022",
           "dstEnd": "B012",
           "battFail": "sec",
           "rtcTime": "20140527140629",
           "dbDwnLdTm":"20140528020000"
   },
   "rdrPrmtrs":
   {
           "bprEn": "T",
           "crSn":"4455667788",
           "mfgDt":"20140607113522",
           "daysInUse":145,
           "hwVer":"c1"
   }
}

STEP 2: Send new AP configuration with relevant values as part of Config during Database download.

(OPTIONAL) Set next phone home to happen after 10 minutes.

{
"config":{
  "battFail":"sec",
  "proxConfGE4001":"T",
  "rtcTime":"20140424152753",
  "iClsUID40b":"T",
  "bprEn":"T",
  "proxConfHID":"T",
  "uid15693":"T",
  "name":"sw555",
  "mi14443":"T",
  "uid14443":"F",
  "proxConfGECASI":"T",
  "dstStart":"12b0",
  "ada":"30",
  "proxConfAWID":"T",
  "proxConfGE4002":"F",
  "doorProp":"20",
  "relock":"3",
  "noc14443":"T",
  "mdl":"unknown",
  "dstEnd":"2230",
  "firstManIn":"false",
  "dstEnable":"false",
  "fwUrl":""
 },
"apCfgNew":{
    "apCfgNewEn":"T",
    "ssidNew":"02.04.12",
    "psswdNew":" G10N\\@113",
    "usrNmNew":"Cr649",
    "wifiSecNew":"entrprs",
    "apCfgNewStrtTm":"20140527160629"
  },
 "dbDwnLdTm": "20140527141629",
 "nxtDbVerTS": "0x8d16386bfaec212"
}

Verify New Access Point Configuration

STEP 1: Get audits after DB download. Verify WIFI_NEW_AP_UPDATE audit logged.

{
 "audits":
  {
     "event":"B0E0000",
     "time":"20140527140640"
  },
 "nxtDbVerTS":" 0x8d16386bfaec212"
}

STEP 2: (OPTIONAL) Verify Configuration reported from the lock during next phone home after 10 minutes.

{
 "dvcProfile":
   {
            "baseType":"nde",
            "key":"NewAPCfg",
            "value":"1"
   },
   "battV":
   {
            "main":"5.87",
            "li":"2.99"
   },
   "fwVer":
   {
            "main":"01.03.11",
            "credRdr":"01.02.10",
            "ble":"01.02.10",
            "wifi":"01.05.10",
            "mainBl":"00.01.03",
            "credRdrBl":"00.01.01"
   },
   "wifiStngs":
   {
            "ssid":"01.03.11",
            "psswd":"\\@113G10N",
            "usrNm":"Br549",
            "wifiSec":"entrprs",
            "encrypt":"wep",
            "kyIndx":4,
            "dscvryTyp":"ipAddr",
            "scrCnn": "http",
            "ip":"196.23.43.113",
            "dns":"firstChoice",
            "altDNS":"secondChoice"
   },
   "apCfgNew":{
   "apCfgNewEn":"T",
   "ssidNew":"02.04.12",
   "psswdNew":" G10N\\@113",
   "usrNmNew":"Cr649",
   "wifiSecNew":"entrprs",
   "apCfgNewStrtTm":"20140527160629"
  },
   "lckPrmtrs":
   {
            "nm":"corner office",
            "mdl": "sf",
            "lckSn":"1122334455",
            "mnSn":"2233445566",
            "mfgDt":"20140607113022",
            "daysInUse":145,
            "hwVer":"c1",
            "type":"strm",
            "relock":1,
            "doorProp":20,
            "ada":30,
            "firstManIn":0,
            "dstEnable":0,
            "dstStart": "3022",
            "dstEnd": "B012",
            "battFail": "sec",
            "rtcTime": "20140527140629",
            "dbDwnLdTm":"20140528020000"
 },
 "rdrPrmtrs":
 {
            "bprEn": "T",
            "crSn":"4455667788",
            "mfgDt":"20140607113522",
            "daysInUse":145,
            "hwVer":"c1"
 }
}

Delete New Access Point Configuration

STEP 1: Verify Configuration reported from the lock during next phone home.

{
 "dvcProfile":
   {
            "baseType":"nde",
            "key":"NewAPCfg",
            "value":"1"
   },
   "battV":
   {
            "main":"5.87",
            "li":"2.99"
   },
   "fwVer":
   {
            "main":"01.03.11",
            "credRdr":"01.02.10",
            "ble":"01.02.10",
            "wifi":"01.05.10",
            "mainBl":"00.01.03",
            "credRdrBl":"00.01.01"
   },
   "wifiStngs":
   {
            "ssid":"01.03.11",
            "psswd":"\\@113G10N",
            "usrNm":"Br549",
            "wifiSec":"entrprs",
            "encrypt":"wep",
            "kyIndx":4,
            "dscvryTyp":"ipAddr",
            "scrCnn": "http",
            "ip":"196.23.43.113",
            "dns":"firstChoice",
            "altDNS":"secondChoice"
   },
   "apCfgNew":{
    "apCfgNewEn":"T",
    "ssidNew":"02.04.12",
    "psswdNew":" G10N\\@113",
    "usrNmNew":"Cr649",
    "wifiSecNew":"entrprs",
    "apCfgNewStrtTm":"20140527160629"
  },
   "lckPrmtrs":
   {
            "nm":"corner office",
            "mdl": "sf",
            "lckSn":"1122334455",
            "mnSn":"2233445566",
            "mfgDt":"20140607113022",
            "daysInUse":145,
            "hwVer":"c1",
            "type":"strm",
            "relock":1,
            "doorProp":20,
            "ada":30,
            "firstManIn":0,
            "dstEnable":0,
            "dstStart": "3022",
            "dstEnd": "B012",
            "battFail": "sec",
            "rtcTime": "20140527140629",
            "dbDwnLdTm":"20140528020000"
   },
   "rdrPrmtrs":
   {
            "bprEn": "T",
            "crSn":"4455667788",
            "mfgDt":"20140607113522",
            "daysInUse":145,
            "hwVer":"c1"
   }
}

STEP 2: Send new AP configuration with tag “apCfgNewEn” = “F” as part of Config during Database download.

(OPTIONAL) Set next phone home to happen after 10 minutes.

{
"config":{
  "battFail":"sec",
  "proxConfGE4001":"T",
  "rtcTime":"20140424152753",
  "iClsUID40b":"T",
  "bprEn":"T",
  "proxConfHID":"T",
  "uid15693":"T",
  "name":"sw555",
  "mi14443":"T",
  "uid14443":"F",
  "proxConfGECASI":"T",
  "dstStart":"12b0",
  "ada":"30",
  "proxConfAWID":"T",
  "proxConfGE4002":"F",
  "doorProp":"20",
  "relock":"3",
  "noc14443":"T",
  "mdl":"unknown",
  "dstEnd":"2230",
  "firstManIn":"false",
  "dstEnable":"false",
  "fwUrl":""
  },
 "apCfgNew":{
    "apCfgNewEn":"F"
   },
  "dbDwnLdTm": "20140527142629",
  "nxtDbVerTS": "0x8d16386bfaec212"
}

STEP 3: Get audits after DB download. Verify WIFI_NEW_AP_UPDATE audit logged.

{
 "audits":
  {
    "event":"B0E0001",
    "time":"20140527140640"
  },
 "nxtDbVerTS":" 0x8d16386bfaec212"
}

STEP 4: (OPTIONAL) Verify Configuration reported from the lock during next phone home after 10 minutes. No New AP Configuration should be reported.

{
 "dvcProfile":
    {
            "baseType":"nde",
            "key":"NewAPCfg",
            "value":"1"
    },
    "battV":
    {
            "main":"5.87",
            "li":"2.99"
    },
    "fwVer":
    {
            "main":"01.03.11",
            "credRdr":"01.02.10",
            "ble":"01.02.10",
            "wifi":"01.05.10",
            "mainBl":"00.01.03",
            "credRdrBl":"00.01.01"
    },
    "wifiStngs":
    {
            "ssid":"01.03.11",
            "psswd":"\\@113G10N",
            "usrNm":"Br549",
            "wifiSec":"entrprs",
            "encrypt":"wep",
            "kyIndx":4,
            "dscvryTyp":"ipAddr",
            "scrCnn": "http",
            "ip":"196.23.43.113",
            "dns":"firstChoice",
            "altDNS":"secondChoice"
    },
    "lckPrmtrs":
    {
            "nm":"corner office",
            "mdl": "sf",
            "lckSn":"1122334455",
            "mnSn":"2233445566",
            "mfgDt":"20140607113022",
            "daysInUse":145,
            "hwVer":"c1",
            "type":"strm",
            "relock":1,
            "doorProp":20,
            "ada":30,
            "firstManIn":0,
            "dstEnable":0,
            "dstStart": "3022",
            "dstEnd": "B012",
            "battFail": "sec",
            "rtcTime": "20140527140629",
            "dbDwnLdTm":"20140528020000"
    },
    "rdrPrmtrs":
    {
            "bprEn": "T",
            "crSn":"4455667788",
            "mfgDt":"20140607113522",
            "daysInUse":145,
            "hwVer":"c1"
    }
}

Verify New Access Point Configuration Switch

STEP 1: During phone home set next phone home to happen after configuration switch time.

{
 "dbDwnLdTm": "20140527171629",
 "nxtDbVerTS": "0x8d16386bfaec212"
}

STEP 2: Verify Configuration reported from the lock during next phone home after configuration switch time. No New AP Configuration should be reported. Verify current AP configuration is same as New AP configuration set previously.

{
 "dvcProfile":
    {
            "baseType":"nde",
            "key":"NewAPCfg",
            "value":"1"
    },
    "battV":
    {
            "main":"5.87",
            "li":"2.99"
    },
    "fwVer":
    {
            "main":"01.03.11",
            "credRdr":"01.02.10",
            "ble":"01.02.10",
            "wifi":"01.05.10",
            "mainBl":"00.01.03",
            "credRdrBl":"00.01.01"
    },
    "wifiStngs":
    {
            "ssid":"02.04.12",
            "psswd":" G10N\\@113",
            "usrNm":"Cr649",
            "wifiSec":"entrprs",
            "encrypt":"wep",
            "kyIndx":4,
            "dscvryTyp":"ipAddr",
            "scrCnn": "http",
            "ip":"196.23.43.113",
            "dns":"firstChoice",
            "altDNS":"secondChoice"
    },
    "lckPrmtrs":
    {
            "nm":"corner office",
            "mdl": "sf",
            "lckSn":"1122334455",
            "mnSn":"2233445566",
            "mfgDt":"20140607113022",
            "daysInUse":145,
            "hwVer":"c1",
            "type":"strm",
            "relock":1,
            "doorProp":20,
            "ada":30,
            "firstManIn":0,
            "dstEnable":0,
            "dstStart": "3022",
            "dstEnd": "B012",
            "battFail": "sec",
            "rtcTime": "20140527140629",
            "dbDwnLdTm":"20140528020000"
    },
    "rdrPrmtrs":
    {
            "bprEn": "T",
            "crSn":"4455667788",
            "mfgDt":"20140607113522",
            "daysInUse":145,
            "hwVer":"c1"
    }
}

STEP 3: Get audits after DB download. Verify WIFI_NEW_AP_UPDATE audit logged.

{
 "audits":
   {
     "event":"B0E0002",
     "time":"20140527171630"
    },
   "nxtDbVerTS":" 0x8d16386bfaec212"
}