Encryption for Controllers User Guide
Lenel® OnGuard® 7.6 Encryption for Controllers User Guide
This guide is item number DOC-1200, revision 10.012, October 2019.
© 2019 United Technologies Corporation. All rights reserved.
Lenel®, OnGuard®, Prism®, BlueDiamond™, and UltraView® are registered trademarks or trademarks of
UTC Fire & Security Americas Corporation, Inc. LenelS2 is a part of Carrier.
All trademarks are the property of their respective owners.
Information in this document is subject to change without notice. No part of this document may be reproduced
or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the prior
express written permission of UTC Fire & Security Americas Corporation, Inc., which such permission may
have been granted in a separate agreement (i.e., end user license agreement or software license agreement for
the particular application).
Non-English versions of Lenel documents are offered as a service to our global audiences. We have attempted
to provide an accurate translation of the text, but the official text is the English text, and any differences in the
translation are not binding and have no legal effect.
The software described in this document is furnished under a license agreement and may only be used in
accordance with the terms of that agreement.
Crystal Reports for Windows is a trademark of Business Objects, S.A.
Integral and FlashPoint are trademarks of Integral Technologies, Inc.
Portions of this product were created using LEADTOOLS ©1991-2011, LEAD Technologies, Inc. ALL
RIGHTS RESERVED.
Active Directory, Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle International Corporation.
Other product names mentioned may be trademarks or registered trademarks of their respective companies
and are hereby acknowledged.
Product Disclaimers and Warnings
THESE PRODUCTS ARE INTENDED FOR SALE TO, AND INSTALLATION BY, AN EXPERIENCED
SECURITY PROFESSIONAL. LENELS2 CANNOT PROVIDE ANY ASSURANCE THAT ANY PERSON
OR ENTITY BUYING ITS PRODUCTS, INCLUDING ANY "AUTHORIZED DEALER", IS PROPERLY
TRAINED OR EXPERIENCED TO CORRECTLY INSTALL SECURITY RELATED PRODUCTS.
LENELS2 DOES NOT REPRESENT THAT SOFTWARE, HARDWARE OR RELATED SERVICES MAY
NOT BE HACKED, COMPROMISED AND/OR CIRCUMVENTED. LENELS2 DOES NOT WARRANT
THAT SOFTWARE, HARDWARE OR RELATED SERVICES WILL WORK PROPERLY IN ALL
ENVIRONMENTS AND APPLICATIONS AND DOES NOT WARRANT ANY SOFTWARE,
HARDWARE OR RELATED SERVICES AGAINST HARMFUL ELECTROMAGNETIC
INTERFERENCE INDUCTION OR RADIATION (EMI, RFI, ETC.) EMITTED FROM EXTERNAL
SOURCES. THE ABILITY OF SOFTWARE, HARDWARE AND RELATED SERVICES TO WORK
PROPERLY DEPENDS ON A NUMBER OF PRODUCTS AND SERVICES MADE AVAILABLE BY
THIRD PARTIES OVER WHICH LENELS2 HAS NO CONTROL INCLUDING, BUT NOT LIMITED TO,
INTERNET, CELLULAR AND LANDLINE CONNECTIVITY; MOBILE DEVICE AND RELATED
OPERATING SYSTEM COMPATABILITY; OR PROPER INSTALLATION, CONFIGURATION AND
MAINTENANCE OF AUTHORIZED HARDWARE AND OTHER SOFTWARE.
LENELS2 MAY MAKE CERTAIN BIOMETRIC CAPABILITIES (E.G., FINGERPRINT, VOICE PRINT,
FACIAL RECOGNITION, ETC.), DATA RECORDING CAPABILITIES (E.G., VOICE RECORDING),
AND/OR DATA/INFORMATION RECOGNITION AND TRANSLATION CAPABILITIES AVAILABLE
IN PRODUCTS LENELS2 MANUFACTURES AND/OR RESELLS. LENELS2 DOES NOT CONTROL
THE CONDITIONS AND METHODS OF USE OF PRODUCTS IT MANUFACTURES AND/OR
RESELLS. THE END-USER AND/OR INSTALLER AND/OR RESELLER/DISTRIBUTOR ACT AS
CONTROLLER OF THE DATA RESULTING FROM USE OF THESE PRODUCTS, INCLUDING ANY
RESULTING PERSONALLY IDENTIFIABLE INFORMATION OR PRIVATE DATA, AND ARE SOLELY
RESPONSIBLE TO ENSURE THAT ANY PARTICULAR INSTALLATION AND USE OF PRODUCTS
COMPLY WITH ALL APPLICABLE PRIVACY AND OTHER LAWS, INCLUDING ANY
REQUIREMENT TO OBTAIN CONSENT. THE CAPABILITY OR USE OF ANY PRODUCTS
MANUFACTURED OR SOLD BY LENELS2 TO RECORD CONSENT SHALL NOT BE SUBSTITUTED
FOR THE CONTROLLER'S OBLIGATION TO INDEPENDENTLY DETERMINE WHETHER CONSENT
IS REQUIRED, NOR SHALL SUCH CAPABILITY OR USE SHIFT ANY OBLIGATION TO OBTAIN
ANY REQUIRED CONSENT TO LENELS2.
For more information on warranty disclaimers and product safety information, please check
https://firesecurityproducts.com/en/policy/product-warning.
Table of Contents
CHAPTER 1 Overview ... 7
TLS Encryption ... 7
TLS Certificates ... 7
AES Encryption ... 8
AES Encryption Keys ... 8
Considerations for Legacy Controller Encryption ... 8
CHAPTER 4 Troubleshooting ... 29
TLS Encryption Troubleshooting ... 29
AES Encryption Troubleshooting ... 30
Connection Errors ... 30
Upgrading and Degrading Connections ... 32
Master Key Updates in Automatic Key Management System/Segments ... 33
Encryption Status in Alarm Monitoring and Reported Events ... 34
Offline Due to an AES Encryption Problem ... 35
Online with a Connection Mismatch ... 35
Index ... 37
Data security for encrypted connections between OnGuard and Lenel access controllers is provided
by the following options:
• Transport Layer Security (TLS)
• Advanced Encryption Standard (AES)
This document describes encryption options for Access Series, X-Series, and Legacy Series
controllers.
TLS Encryption
The TLS protocol uses certificates (asymmetric cryptography) to authenticate the other party (server and
controller). Once the host authenticates the controller, they exchange a symmetric key to encrypt the
rest of the data transmission during the session. The encryption uses the AES standard. The session
keys are generated using the TLS certificates on the controller and server. One of the benefits of TLS
is that it provides AES encryption without the need to pre-load and manage AES encryption keys.
TLS Certificates
TLS (Transport Layer Security) certificates, also known as Secure Sockets Layer (SSL) certificates,
are installed on web servers and clients to create a secure encrypted connection between the server
AES Encryption
AES is a symmetric encryption algorithm (also known as Rijndael and published as FIPS PUB 197)
that uses the same 128-bit key for both encrypting and decrypting communications data between the
OnGuard Communication Server and a Lenel controller. Master keys are used to encrypt the data packets
that transfer a session key to the controller. Session keys are used to encrypt all other data that is
communicated between OnGuard and Lenel access controllers, except for the transfer of new session
keys.
IMPORTANT: It is important to keep master key values secure. These values are shared
secretly between the controllers and OnGuard, and allow an encrypted
connection to be made. Since the AES algorithm is public, all parties that have
access to the key can encrypt and decrypt the data. Master key values should
not be shared with anybody who is not involved in their management. They
should not be written down or electronically stored in locations that are not
secure.
Session keys are used to encrypt any data that is communicated between OnGuard and Lenel access
controllers, except for the transfer of new session keys. Session keys are automatically generated by
OnGuard when a connection is established with a controller. Session keys are internal to the system
and never exposed.
For more information, refer to Chapter 3: AES Configuration on page 17.
Firmware Types
Controller firmware changes required to support encryption have increased the firmware size. This
firmware cannot be loaded into controllers that contain 128 KB flash chips. There are many
controllers in the field that contain 128 KB flash chips. As such, two versions of firmware are now
being released. One set, referred to as AES firmware, supports encryption. The other set, referred to
as plain firmware, does not. The two sets of firmware are identical in all other respects, supporting all
of the same features.
Either version of firmware can be loaded into a controller with a 256 KB chip while only plain
firmware can be loaded into a controller with a 128 KB chip.
Determine Firmware Type. You can determine the type of firmware a controller has by using the
Lenel Controller Encryption Configuration Utility, Alarm Monitoring, or System Administration
applications. The Lenel Controller Encryption Configuration Utility displays the firmware revision in
the main window. Alarm Monitoring displays the firmware revision in the System Status window or
controller Properties dialog. Finally, System Administration displays the firmware revision in the
Diagnostics form of the Access Panels folder.
If the controller contains AES firmware, “.aes” is shown as part of the firmware revision, as in
“3.054.aes”.
Determine Flash Chip Size. In addition to looking at the serial number on the controller, you can
determine the flash chip size of a controller using the Lenel Controller Encryption Configuration
Utility, Alarm Monitoring, or System Administration applications. The Lenel Controller Encryption
Configuration Utility displays the flash size in the main window. Alarm Monitoring displays the flash
chip size in the controller Properties dialog. Finally, System Administration displays the flash chip size in
the Diagnostics form of the Access Panels folder.
Notes: By default, OnGuard automatically downloads AES firmware to controllers with 256
KB chips, when a firmware download is requested.
OnGuard automatically downloads plain firmware to controllers with 128 KB chips
when a firmware download is requested.
Determine DIP Switch Settings. You can determine the current DIP switch settings using the Lenel
Controller Encryption Configuration Utility, Alarm Monitoring, or System Administration
applications. The Lenel Controller Encryption Configuration Utility displays the DIP switch settings
in the main window. Alarm Monitoring displays the DIP switch settings in the controller Properties
dialog. Finally, System Administration displays the DIP switch settings in the Diagnostics form of the
Access Panels folder.
Recommendations for DIP Switch Settings. It is recommended that DIP switch 8 be turned ON
after the initial master key updates are made for a given controller. In manual key management mode,
this would be after the Lenel Controller Encryption Configuration Utility has been used to load the
initial master keys. In automatic key management mode, this would be after the controller has been
configured for an encrypted connection and the administrator has verified that an encrypted
connection has been achieved.
Note: The controller only reads DIP switch settings when it is powered up. If DIP switch
settings are changed, the controller must go through a power cycle before the changes
are recognized in the system.
Prerequisites
1. Establish unencrypted communications to the controller
a. In the OnGuard Alarm Monitoring application, verify that the access panel (controller) is
visible and online.
2. Verify that default certificates are available.
a. Navigate to the certificates folder in the OnGuard install directory (example: ..\Program
Files(x86)\OnGuard\Certificates).
b. Locate the following files:
• Mercury_ca-cert.crt - for controllers with default certificates
• Mercury_CertRootCA1024.crt - for certificates with 1024 keys
• Mercury_CertRootCA2048.crt - for certificates with 2048 keys
• Mercury_rootca.crt - root certificate authority (CA)
• 4096Mercury_CertRootCA4096.crt - for certificates with 4096 keys
3. Verify that the access panel (controller) firmware is revision 1.240 or later.
4. Know the username and password to log into the access panel (controller) configuration web
page.
Note: If prompted, store the certificate on the Local Machine (not for user).
6. Select the Place all the certificates in the following store radio button.
7. For the Certificate store, click Browse.
8. Select Trusted Root Certification Authorities.
9. Click OK.
10. Click Next.
11. Click Finish.
Note: For environments with a variety of Lenel controllers, consider loading all five (5)
Mercury certificates and then restarting the LS Communication Server once.
13. To view the installed certificate(s) in the Certification Manager list, click the Start button, then
type certmgr.msc in the search field and press Enter.
Note: The access panel (controller) is now indicated as offline in the OnGuard Alarm
Monitoring application.
8. In the System Administration application, click the Location sub-tab for the controller selected
in step 2.
9. Click Configuration Web Page to launch the page in a browser. (You may also access this page
by going to the device IP address from within the browser.)
10. Click the link to go to the login page and log in using your user name and password.
Note: If DIP switch 1 is ON, the default user name and password is used (admin, password). If
DIP switch 1 is off, use the login that was programmed in the device.
11. Click Login.
12. From the left side menu, select Host Comm to display the Host Communication page.
13. Set Data Security to TLS Required.
Prerequisites
1. Establish unencrypted communications to the controller
a. In the OnGuard Alarm Monitoring application, verify that the access panel (controller) is
visible and online.
2. Generate the following custom certificates for the applicable controller types (see table below):
• Root certificate authority (CA) for the OnGuard Communication Server (.crt file)
• Certificate for the access panel (.crt file)
• Private Key for the access panel (.pem file)
3. Verify that the access panel (controller) firmware is revision 240 or higher.
4. Know the username and password to log into the access panel (controller) configuration web
page.
Note: If prompted, store the certificate on the Local Machine (not for user).
4. Select the Place all the certificates in the following store radio button.
5. For the Certificate store, click Browse.
6. Select Trusted Root Certification Authorities.
7. Click OK.
8. Click Next.
9. Click Finish.
Note: The access panel (controller) is now indicated as offline in the OnGuard Alarm
Monitoring application.
8. In the System Administration application, click the Location sub-tab for the controller selected
in step 2.
9. Click Configuration Web Page to launch the page in a browser. (You may also access this page
by going to the device IP address from within the browser.)
10. Click the link to go to the login page and log in using your user name and password.
Note: If DIP switch 1 is ON, the default user name and password is used (admin, password). If
DIP switch 1 is off, use the login that was programmed in the device.
11. Click Login.
12. From the left side menu, select Host Comm to display the Host Communication page.
13. Set Data Security to TLS Required.
b. In the Load Certificate section, browse for the custom certificate and private key.
c. Click Load certificate files.
16. From the left side menu, select Apply Settings. The controller reboots.
17. Repeat steps 2 through 16 for each access panel (controller).
Configuring OnGuard for AES encryption requires the proper user permissions. Verify the proper
permissions are set on the Access Control sub-tab of the System Permission Groups form in the Users
folder of System Administration.
Configure the following for AES encryption in System Administration:
1. Controller encryption for the system or segment
2. Encryption for the Lenel controller
3. Master keys
System/Segment Configuration
The Controller Encryption form/sub-tab of the System Options folder and the Segments form in
System Administration is used to:
• Configure the system or segment for AES encryption (automatic or manual)
• Enter master keys for encryption
• Export master keys to a text file
• Activate inactive keys (manual encryption only)
Notes: The system/segment the controller belongs to must first be configured for encryption in
order for the Encryption sub-tab on the Access Panels form to display.
When a segment is created, all encryption-related configuration data is automatically
copied from the source segment to the new segment. This allows for a smooth operation
when encrypted controllers are moved from the source segment to the new segment.
The master key values and active master key remain the same. Thus, the controllers do
not need any updates. If desired, you can modify the master keys in the new segment
after the segment creation process is completed.
If an encrypted controller is manually moved from one segment to another, the
controller must be updated if the master key values in the two segments differ. This is
handled automatically when the new segment is an automatic key management
segment. If the new segment is a manual key management segment, the administrator
must coordinate the segment move and manually update the master keys in the
controller.
For more information regarding system configuration, refer to the Controller Encryption form in the
System Options Folder chapter in the System Administration User Guide.
For more information regarding segment configuration, refer to the Controller Encryption sub-tab in
the Segments Folder chapter in the System Administration User Guide.
Note: The Encryption sub-tab is displayed after the system or segment is configured for
encryption on the Controller Encryption form/sub-tab of the System Options folder and
the Segments form in System Administration. Options on the Encryption sub-tab are not
available if TLS encryption is selected on the Options sub-tab.
Automatic key management versus manual key management

Description
Automatic: Automatically transfer master key values from OnGuard to the controllers over the
existing connection. When encryption is first enabled, the master key is transferred over the existing
plain (unencrypted) connection. After encryption is enabled, subsequent transfers are made over the
existing encrypted connection.
Manual: Manually transfer master keys from OnGuard to the controllers using a host machine
(typically a laptop computer) that is connected to the controller using a secure, local connection such
as a short serial cable. The host machine uses the Lenel Controller Encryption Configuration Utility
to transfer master key values.

Visit each controller?
Automatic: No - master key updates are made automatically.
Manual: Yes - the administrator must visit each controller to manually transfer master key values.

What are the security concerns?
Automatic: A plain connection is used the first time a master key is transferred to a given controller.
An intruder who intercepts this packet could then use the master key to decrypt the initial packet
containing a session key. This session key could then be used to decrypt the remaining packets for
that session. The master key could also be used to establish a connection with the controller.
Manual: Manual management is more secure because master keys are never transferred over a
standard (open network) OnGuard connection.

Can random key generation be used?
Automatic: Yes - Random master key generation is likely the best option in systems using automatic
key management. Key transfers to the controllers are made automatically by the OnGuard system.
The administrator does not have to be concerned with the actual master key value.
Manual: Yes - Random master key generation can be used in manual key management systems, as
well. The export function can be used to export the key so that it can be manually transferred to the
controllers using the Lenel Controller Encryption Configuration Utility. For more information on
exporting master keys, refer to the System Options Folder or Segments Folder chapter in System
Administration.
Master Key Entry. OnGuard supports three forms of master key entry: random master key
generation, pass phrase entry, and manual master key entry. For information about the Master Key
Entry dialog, refer to the System Options Folder or Segment Folder chapter in the System
Administration User Guide.
• Random Master Key Generation
This mode of master key entry is the default and the simplest option to select when the Master
Key Entry dialog displays. To use the random master key generation mode, simply click OK
when the dialog displays.
• Pass Phrase Entry
With pass phrase mode, the administrator enters a phrase or sentence between 1 and 255
characters. The pass phrase is automatically turned into a 128-bit master key by the OnGuard
system.
– Choosing a Pass Phrase Entry
It is strongly recommended that pass phrases be at least 50 characters in length for security
reasons.
Furthermore, a pass phrase should be hard to guess, even by someone who knows you well,
but easy for you to remember. A “shocking nonsense” phrase is generally best, meaning
a short phrase or sentence that is odd enough for you to remember but is illogical and not
associated with you.
You may wish to use a pass phrase entry when working with manual key management
systems. Since the pass phrase is easy to remember, there is no need to write it down or
export the resulting master key from the OnGuard system. You can manually enter it into
both OnGuard and the Lenel Controller Encryption Configuration Utility.
Note: If a pass phrase is lost, the 128-bit master key that was generated from it can always be
exported from the OnGuard system.
• Manual Key Entry
With manual key entry mode, the administrator enters a 128-bit master key. The value is entered
as a 32 digit hexadecimal number such as, “70E6E026E7AA7BD16679D5B9A8F1AF1E”.
An administrator may wish to use manual key management if a segment is being configured for
encryption and the administrator wants to use the same keys that were used in other segments.
These keys can be exported from one segment and manually entered in the new segment.
Master Key Updates. Master key exposure is extremely low over encrypted connections. The master
key is only used to encrypt an initial session packet in which a random session key is transferred to
the controller. All other packets in a given session are encrypted using that session key.
Even installations that wish to protect against an intruder intercepting packets over a long period of
time while trying to break the encryption do not need to switch master keys often. Every six months
or one year is a reasonable time frame to address such concerns. If this type of attack is not a concern,
the master keys do not need to be changed at all.
Note: The master key can be switched at any time if there is concern that it has been
compromised.
When a master key change is desired, the inactive master key value is first updated in the controllers
and in the OnGuard system. Once this process is complete, the inactive master key is activated. Over
the life of an installation, master key 1 will sometimes be the active master key and other times be the
inactive master key. This is also true of master key 2.
For more information on master key management, refer to Automatic Key Management Procedures
on page 21 and Manual Key Management Procedures on page 24.
Note: For more information, refer to “Configure Automatic Encryption and Set Keys” in the
System Options Folder or Segments Folder chapter in the System Administration User
Guide.
2. Complete the following for each controller:
a. Verify each controller has the latest AES firmware. It may be necessary to first configure the
controller (in OnGuard) for a plain connection and download the firmware. Note that the
controller must have a 256 KB chip before AES firmware can be downloaded.
b. For a Legacy Series controller, verify that DIP switch 8 is OFF.
c. Configure the controller for an encrypted connection. For more information, refer to the
Access Panels Folder chapter in the System Administration User Guide.
d. For a Legacy Series controller, DIP switch 8 can be turned ON if desired after it has been
verified that an encrypted connection has been made.
With automatic key management, however, note that new master key values are sent to the controller
over the standard access control system connection when key changes are made. When encryption is
first turned on, this is going to be done over a plain connection. On subsequent key changes, the new
keys are transferred over the existing encrypted connection.
When you want to switch master keys, simply modify the system/segment and modify the active
master key value. By default, a new random key will be generated. Alternatively, you can use a pass
phrase or manual entry. The system will seamlessly transfer the new master key to all encrypted
controllers in the system/segment (the next time a controller comes physically online if it is currently
physically offline) and switch to an encrypted connection using it.
If a controller has been marked offline and missed the last two key updates, or was not configured for
encryption when it was last marked online, you need to manually update the master key or degrade
the connection in order for the controller to come physically back online.
If you believe the controller has only missed a single master key update or you are uncertain, mark the
controller back online and select “No” when the message box asks if the next connection can be
downgraded.
If the controller remains offline with an encryption error after several minutes, it must have missed
more than one key update. You will need to manually update the master key or degrade the
connection.
Degrade a Connection
If you have already marked the controller back online in the steps above, modify it and select ‘Allow
next connection to be downgraded’. Otherwise, when the controller is marked back online, select
“Yes” when the message box asks if the next connection can be downgraded. OnGuard will attempt to
downgrade the connection, transfer the currently active master key, and switch to the proper
encrypted connection.
Note: For a Legacy Series controller, if DIP Switch 8 is currently ON, downgrading the
connection may not be successful. If the controller remains offline with an encryption
error after several minutes, DIP Switch 8 must be turned OFF at the controller. Once
OnGuard synchronizes and switches to a proper encrypted connection, DIP Switch 8
can be turned back ON.
Note: It is recommended that both master keys in the segment be changed from their default
values. If master key 2 is left with its factory default value, this leaves a potential
security hole.
3. For each controller for which an encrypted connection is desired:
a. Physically go to the controller. Start the Lenel Controller Encryption Configuration Utility
and connect to the controller.
b. Verify the controller has the latest AES firmware. If not, download it. Note that the
controller must have a 256 KB chip before AES firmware can be downloaded.
c. Update master key 1 with the value configured (in step 1). If you modified master key 2,
update this key as well. Note that master key values can be exported from the access control
system to a file. The Controller Encryption Configuration Utility supports loading keys from
a file. To cut down on possible key exposure, a user may alternatively wish to use a pass
phrase that they remember and may not wish to use the export function.
d. For a Legacy Series controller, turn DIP switch 8 ON to require an encrypted connection.
This is recommended for the tightest security.
e. Place the controller on its standard connection that will be used in the access control system.
4. For each controller updated in step 3:
a. Configure the controller (in OnGuard) for an encrypted connection.
b. Place the controller online.
Note: For more information, refer to Access Panels Folder chapter in the System
Administration User Guide.
Note: It is recommended that both master keys in the segment be changed from their default
values. If master key 2 is left with its factory default value, this leaves a potential
security hole.
3. Verify each controller has the latest AES firmware. If not, download it. Note that the controller
must have a 256 KB chip before AES firmware can be downloaded.
4. For each controller for which an encrypted connection is desired:
a. Physically go to the controller. Start the Lenel Controller Encryption Configuration Utility
and connect to the controller.
b. Update master key 1 with the value configured (in step 1). If you modified master key 2,
update this key as well. Note that master key values can be exported from the access control
system to a file. The Controller Encryption Configuration Utility supports loading keys from
a file. To cut down on possible key exposure, a user may alternatively wish to use a pass
phrase that they remember and may not wish to use the export function.
c. For a Legacy Series controller, turn DIP switch 8 ON to require an encrypted connection.
This is recommended for the tightest security.
d. Place the controller on its standard connection that will be used in the access control system.
Note: For more information, refer to the Lenel Controller Encryption Configuration Utility
located on the OnGuard Supplemental Materials media.
5. For each controller setup/updated for encryption in step 4:
a. Configure the controller (in OnGuard) for an encrypted connection.
b. Verify the controller is online and an encrypted connection is achieved.
Note: For more information, refer to Access Panels Folder chapter in the System
Administration User Guide.
Note: For more information, refer to the Lenel Controller Encryption Configuration Utility
located on the OnGuard Supplemental Materials media and the Access Panels Folder
chapter in the System Administration User Guide.
3. Complete the following (in OnGuard) for each controller:
a. Configure the controller in OnGuard for an encrypted connection.
b. Verify the controller is online and an encrypted connection is achieved.
To activate the inactive key without changing its value, the system/segment simply needs to be
modified and the inactive key needs to be made the active key. All encrypted controllers in that
system/segment should remain online with an encrypted connection.
IMPORTANT: Do not update the active master key. If this is done, the controller will remain
offline until the configuration change is made in the access control system to
activate that key.
3. Connect the controller using its standard access control system connection. The controller should
come back online with an encrypted connection using the currently active master key. Note that if
possible, controllers marked logically offline in the access control system should be updated as
well. This will allow them to easily be marked back online in the future.
4. After every controller has been updated, activate the inactive key in the access control
system/segment. If the new key value was set in the access control system in step 1, this is all
that is needed. Otherwise, enter the new key value in addition to making the inactive key active.
After the inactive key is made active, the access control system should begin making encrypted
connections to the controllers using the newly activated master key.
Note: For a Legacy Series controller, if it is not possible for an authorized person to load keys
into the new controller prior to bringing it online, the controller in OnGuard must be
changed to a plain connection and DIP switch 8 must be turned OFF at the controller.
Later, you can establish an encrypted connection by following the steps in Enable AES
Encryption for an Existing Controller in an Encrypted System/Segment on page 26.
Notes: In OnGuard systems, controllers are disabled for encryption on the Encryption sub-tab
of the Access Panel form.
Segments are disabled for encryption on the Controller Encryption sub-tab of the
Segments form.
Systems are disabled for encryption on the Controller Encryption form of the System
Options folder.
Note: These steps can be done in either order. However, once either step is done, the controller
will be offline with a controller encryption error - master key mismatch, until the other
step is done.
Connection Errors
There are three types of AES encryption connection errors that can occur: the controller does not
support encryption, the controller requires an encrypted connection, and a master key mismatch.
When any of the errors occur, OnGuard may still be able to connect with a connection mismatch (that
is either an upgraded or downgraded connection). For more information refer to AES Connection
Mismatch on page 32 and Upgrading and Degrading Connections on page 32.
Manual Key Management. In manual key management system/segments, you can either configure
the controller for a plain connection or manually update the controller to support encryption
(download AES firmware to the controller using a plain connection and then transfer the master
keys). The most secure way to operate is to manually update the controller.
If a manual key management system/segment is not configured to allow downgraded connections, the
controller will remain offline in an error state, until the error is corrected.
If a manual key management system/segment is configured to allow downgraded connections, you
may also get a controller connection mismatch error stating that the system degraded to a plain
connection due to no controller encryption support.
Notes: In each of these cases, OnGuard tries to “upgrade” to an encrypted connection. If the
system is able to bring the controller online, a connection mismatch is reported. Security
is not compromised since an encrypted connection even with a factory default master
key is no less secure than the configured plain connection.
If none of the master keys exist in the controller, the controller remains offline with a
connection error. This includes the currently active master key in the system/segment,
the currently inactive master key in the system/segment, and the default master keys.
• A physical controller swap is made with a new controller that supports encryption but does not
have the proper master keys loaded into it.
• An encrypted controller was marked logically offline when master key updates were made.
Therefore, the controller does not have the latest key updates. If it is marked back online, the
keys will not match.
Notes: If a controller is online with a connection mismatch error and the system/segment is
then changed so that downgraded connections are not allowed, the system drops the
degraded connection and displays a master key mismatch error if the original problem
was a key mismatch. However, if the original problem was that the controller does not
support encryption, the controller will return to that error.
If the system upgrades the connection (due to the controller requiring encryption), then
changing the degraded connections setting has no bearing. Turning it on or off does not
change the system status.
Upgrade Connections
Upgraded connections are always attempted when a controller requires encryption but has been
configured in OnGuard for a plain connection.
System/segments attempt upgraded connections in the following order:
1. If the system/segment is configured for encryption, an upgraded connection is attempted using
the current active master key.
2. If the system/segment is configured for encryption, an upgraded connection is attempted using
the current inactive master key.
3. An upgraded connection is attempted using the factory default value for master key 1.
4. An upgraded connection is attempted using the factory default value for master key 2.
Degrade Connections
Degraded connections are attempted when there is a connection error due to a controller not
supporting encryption or due to a master key mismatch.
Note: In automatic key management system/segments, when encryption is first enabled for a
controller, the system automatically configures the controller for a downgraded
connection. This is because the active master key must be downloaded to the controller
prior to the encrypted connection being achieved.
For a controller that is currently online, the key transfer process normally completes within seconds.
For a controller that is currently offline, the key transfer process waits until the next time the
controller comes online.
If there are pending master key updates for any controllers configured for encryption and marked
logically online in an automatic key management system/segment, any subsequent master key
modifications are disallowed by the system. The previous update must complete before a subsequent
update can be done.
Note: Operators must have permission to view encryption information, otherwise the standard
icon for a plain connection displays in Alarm Monitoring regardless of the type of
connection used.
• Whether a controller is offline due to an encryption problem. This is indicated via separate icons
on the system status and map views, as well as reported events, current device status text, and
through additional text that can be viewed in the Properties dialog.
• Whether a controller is online but the current connection does not match the configured
connection. This is indicated via separate icons on the system status and map views, as well as
reported events, current device status text, and through additional text that can be viewed in the
Properties dialog.
The following icons display in the System Status window and as default state icons in the map view
for the access controller group:
Icon                    Status    Connection                             Action
Access /                Online    Plain, or the user does not have       None, or request permission from the
Dialup access                     permission to know the type            System Administrator.
Access /                Online    Does not match configuration           Determine possible cause and correct the
Dialup access                                                            encryption type or key mismatch. For more
                                                                         information, refer to Online with a
                                                                         Connection Mismatch on page 35.
Access /                Offline   AES encryption problem                 View the error and correct the encryption
Dialup access                                                            setting or key mismatch. For more
                                                                         information, refer to Offline Due to an AES
                                                                         Encryption Problem on page 35.
• Encrypted with inactive master key due to active master key mismatch - indicates an encrypted
connection was configured but could not be achieved with the current active master key due to a
key mismatch. OnGuard was able to get the controller online by using the inactive master key.
• Encrypted with default master key due to active master key mismatch - indicates an encrypted
connection was configured but could not be achieved with the current active master key due to a
key mismatch. OnGuard was able to get the controller online by using the factory default master
key.
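The upgrade order (active master key, inactive master key, then the two factory default keys), the degrade rules and the resulting status texts above are easier to follow as a decision model. The following is an added example written for this section; it is not OnGuard or LenelS2 code. The Segment and Controller classes, the function names, the key strings and the factory default placeholders are constructed here, and the assumption that a controller requiring encryption (DIP switch 8 ON) cannot accept a degraded plain connection is the author's reading of the text, not something the guide states outright.

```python
"""Decision model for OnGuard's AES connection upgrade/degrade order.

Added illustration only; not LenelS2 code.  Classes, function names and key
values are constructed; the ordering and status wording follow the guide.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed placeholders: the real factory default master keys are not
# reproduced here.
FACTORY_DEFAULT_KEY_1 = "factory-default-key-1"
FACTORY_DEFAULT_KEY_2 = "factory-default-key-2"


@dataclass
class Segment:
    """Encryption settings of a system/segment as configured in OnGuard."""
    encryption_enabled: bool
    active_key: Optional[str]
    inactive_key: Optional[str]
    allow_degraded: bool        # the "allow downgraded connections" setting


@dataclass
class Controller:
    """State of the physical controller and of its OnGuard configuration."""
    supports_encryption: bool   # AES firmware present
    requires_encryption: bool   # Legacy Series DIP switch 8 ON
    loaded_keys: Set[str]       # master keys held in the controller
    configured_encrypted: bool  # OnGuard connection type for this controller


def upgrade_order(seg: Segment) -> List[Tuple[str, str]]:
    """Keys tried for an upgraded connection, in the guide's order."""
    keys: List[Tuple[str, Optional[str]]] = []
    if seg.encryption_enabled:
        keys += [("active master key", seg.active_key),
                 ("inactive master key", seg.inactive_key)]
    keys += [("default master key", FACTORY_DEFAULT_KEY_1),
             ("default master key", FACTORY_DEFAULT_KEY_2)]
    return [(label, k) for label, k in keys if k is not None]


def first_matching_key(seg: Segment, ctrl: Controller) -> Optional[str]:
    """Label of the first key in upgrade order that the controller holds."""
    for label, key in upgrade_order(seg):
        if key in ctrl.loaded_keys:
            return label
    return None


def connect(seg: Segment, ctrl: Controller) -> Tuple[str, str, str]:
    """Return (online/offline, plain/encrypted/none, status text)."""
    if not ctrl.configured_encrypted:
        # Plain connection configured: only a controller that requires
        # encryption triggers an upgrade attempt.
        if not ctrl.requires_encryption:
            return ("online", "plain", "plain connection as configured")
        label = first_matching_key(seg, ctrl)
        if label is None:
            return ("offline", "none",
                    "controller requires an encrypted connection")
        return ("online", "encrypted",
                f"connection mismatch: upgraded to encrypted using {label}")

    # Encrypted connection configured.
    if not ctrl.supports_encryption:
        if seg.allow_degraded:
            return ("online", "plain", "connection mismatch: degraded to plain "
                    "connection due to no controller encryption support")
        return ("offline", "none", "controller does not support encryption")

    label = first_matching_key(seg, ctrl)
    if label == "active master key":
        return ("online", "encrypted", "encrypted with active master key")
    if label is not None:
        # Reported as a mismatch so an operator notices, e.g. a controller
        # still on a factory default key.
        return ("online", "encrypted",
                f"encrypted with {label} due to active master key mismatch")
    # Assumption: a controller requiring encryption cannot take a plain
    # connection, so no degrade is possible for it.
    if seg.allow_degraded and not ctrl.requires_encryption:
        return ("online", "plain", "connection mismatch: degraded to plain "
                "connection due to master key mismatch")
    return ("offline", "none", "master key mismatch")


if __name__ == "__main__":
    seg = Segment(True, "key-A", "key-B", allow_degraded=False)
    for keys in ({"key-A"}, {"key-B"}, {FACTORY_DEFAULT_KEY_2}, {"stale"}):
        print(keys, connect(seg, Controller(True, False, keys, True)))
```

Running the model with a swapped-in controller that only holds a factory default key shows why the guide reports that case as a connection mismatch rather than a clean encrypted status: the controller is online, but the segment's active key was never loaded into it.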
A
Access Series controllers
    AES configuration ...................................20
AES encryption
    configuration
        controllers ...........................................18
        system options folder and segments form ...17
    considerations for Legacy Series .............8
    definition......................................................8
    DIP switch settings
        Access Series controllers ..................10
    enable in encrypted system .....................26
    enable in system/segment .......................21
    enable new controller in encrypted segment .............................25
    enable new controller in encrypted system................................25
    encrypted controller
        mark as back online .....................22, 28
        move into a segment....................23, 28
        move while creating an encrypted segment .................23, 28
    keys required ...............................................8
    Legacy Series controller configuration.......................................20
    Legacy, Access, and X-Series controller options .................................7
    set up
        existing system/segments ...........21, 25
        new installations...........................21, 24
Automatic key management ............................19
    errors...........................................................31
C
Certificate, install TLS
    customer-generated on controller ..........14
    Communication Server ......................12
D
DIP switch
    AES encryption
        Legacy Series controllers .................10
    settings
        determining .........................................10
        recommendations ...............................10
Disable encryption
    AES ......................................................22, 28
    TLS .............................................................16
E
Encryption, see AES encryption or TLS encryption ..............................................7
Errors
    connection
        AES mismatch ....................................32
        TLS mismatch ....................................29
    controller does not support encryption ...........................................30
    Legacy Series controller requires encrypted connection ........................30
    master key mismatch ...............................31
F
Firmware, Legacy Series controller
    download recommendations .....................9
    types .............................................................9
        determining ...........................................9
L
Legacy Series controllers
DIP switch settings encryption ..............10
firmware types ............................................9
flash chip size .............................................9
Lenel Controller Encryption
Configuration Utility ..................................24
M
Manual key
entry ............................................................20
management ..............................................22
errors ....................................................31
move an encrypted controller
into a segment.....................................28
while creating an encrypted
segment .........................................28
swap encrypted controllers in the
field ......................................................27
switch to a new master key .....................26
Master key
changing.....................................................20
frequency .............................................20
configuration .............................................18
entry dialog................................................19
management ..............................................18
choosing automatic or manual .........18
mismatch error ..........................................31
random generation ...................................19
storage ........................................................18
P
Pass phrase entry ................................................19
choosing .....................................................19
S
Segmentation, enabling AES encryption
for
existing controller ....................................26
new controller in new segment ..............21
Swap encrypted controllers in the
field ................................................................22
Switch to a new master key .............................21
T
TLS encryption
certificates required ...................................7
configuration .............................................11
certificate on Lenel controller..........14
certificate on server ...........................12
Lenel controllers ................................12
definition......................................................7