Lenel® OnGuard® 7.6 Encryption for Controllers User Guide
This guide is item number DOC-1200, revision 10.012, October 2019.
© 2019 United Technologies Corporation. All rights reserved.
Lenel®, OnGuard®, Prism®, BlueDiamond™, and UltraView® are registered trademarks or trademarks of
UTC Fire & Security Americas Corporation, Inc. LenelS2 is a part of Carrier.
All trademarks are the property of their respective owners.
Information in this document is subject to change without notice. No part of this document may be reproduced
or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the prior
express written permission of UTC Fire & Security Americas Corporation, Inc., which such permission may
have been granted in a separate agreement (i.e., end user license agreement or software license agreement for
the particular application).
Non-English versions of Lenel documents are offered as a service to our global audiences. We have attempted
to provide an accurate translation of the text, but the official text is the English text, and any differences in the
translation are not binding and have no legal effect.
The software described in this document is furnished under a license agreement and may only be used in
accordance with the terms of that agreement.
Crystal Reports for Windows is a trademark of Business Objects, S.A.
Integral and FlashPoint are trademarks of Integral Technologies, Inc.
Portions of this product were created using LEADTOOLS ©1991-2011, LEAD Technologies, Inc. ALL
RIGHTS RESERVED.
Active Directory, Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle International Corporation.
Other product names mentioned may be trademarks or registered trademarks of their respective companies
and are hereby acknowledged.
Product Disclaimers and Warnings
THESE PRODUCTS ARE INTENDED FOR SALE TO, AND INSTALLATION BY, AN EXPERIENCED
SECURITY PROFESSIONAL. LENELS2 CANNOT PROVIDE ANY ASSURANCE THAT ANY PERSON
OR ENTITY BUYING ITS PRODUCTS, INCLUDING ANY "AUTHORIZED DEALER", IS PROPERLY
TRAINED OR EXPERIENCED TO CORRECTLY INSTALL SECURITY RELATED PRODUCTS.
LENELS2 DOES NOT REPRESENT THAT SOFTWARE, HARDWARE OR RELATED SERVICES MAY
NOT BE HACKED, COMPROMISED AND/OR CIRCUMVENTED. LENELS2 DOES NOT WARRANT
THAT SOFTWARE, HARDWARE OR RELATED SERVICES WILL WORK PROPERLY IN ALL
ENVIRONMENTS AND APPLICATIONS AND DOES NOT WARRANT ANY SOFTWARE,
HARDWARE OR RELATED SERVICES AGAINST HARMFUL ELECTROMAGNETIC
INTERFERENCE INDUCTION OR RADIATION (EMI, RFI, ETC.) EMITTED FROM EXTERNAL
SOURCES. THE ABILITY OF SOFTWARE, HARDWARE AND RELATED SERVICES TO WORK
PROPERLY DEPENDS ON A NUMBER OF PRODUCTS AND SERVICES MADE AVAILABLE BY
THIRD PARTIES OVER WHICH LENELS2 HAS NO CONTROL INCLUDING, BUT NOT LIMITED TO,
INTERNET, CELLULAR AND LANDLINE CONNECTIVITY; MOBILE DEVICE AND RELATED
OPERATING SYSTEM COMPATIBILITY; OR PROPER INSTALLATION, CONFIGURATION AND
MAINTENANCE OF AUTHORIZED HARDWARE AND OTHER SOFTWARE.
LENELS2 MAY MAKE CERTAIN BIOMETRIC CAPABILITIES (E.G., FINGERPRINT, VOICE PRINT,
FACIAL RECOGNITION, ETC.), DATA RECORDING CAPABILITIES (E.G., VOICE RECORDING),
AND/OR DATA/INFORMATION RECOGNITION AND TRANSLATION CAPABILITIES AVAILABLE
IN PRODUCTS LENELS2 MANUFACTURES AND/OR RESELLS. LENELS2 DOES NOT CONTROL
THE CONDITIONS AND METHODS OF USE OF PRODUCTS IT MANUFACTURES AND/OR
RESELLS. THE END-USER AND/OR INSTALLER AND/OR RESELLER/DISTRIBUTOR ACT AS
CONTROLLER OF THE DATA RESULTING FROM USE OF THESE PRODUCTS, INCLUDING ANY
RESULTING PERSONALLY IDENTIFIABLE INFORMATION OR PRIVATE DATA, AND ARE SOLELY
RESPONSIBLE TO ENSURE THAT ANY PARTICULAR INSTALLATION AND USE OF PRODUCTS
COMPLY WITH ALL APPLICABLE PRIVACY AND OTHER LAWS, INCLUDING ANY
REQUIREMENT TO OBTAIN CONSENT. THE CAPABILITY OR USE OF ANY PRODUCTS
MANUFACTURED OR SOLD BY LENELS2 TO RECORD CONSENT SHALL NOT BE SUBSTITUTED
FOR THE CONTROLLER'S OBLIGATION TO INDEPENDENTLY DETERMINE WHETHER CONSENT
IS REQUIRED, NOR SHALL SUCH CAPABILITY OR USE SHIFT ANY OBLIGATION TO OBTAIN
ANY REQUIRED CONSENT TO LENELS2.
For more information on warranty disclaimers and product safety information, please check
https://firesecurityproducts.com/en/policy/product-warning or scan the following code:
Table of Contents

CHAPTER 1 Overview . . . 7
    TLS Encryption . . . 7
        TLS Certificates . . . 7
    AES Encryption . . . 8
        AES Encryption Keys . . . 8
        Considerations for Legacy Controller Encryption . . . 8

CHAPTER 2 TLS Configuration . . . 11
    Configure TLS Encryption Using a Default Certificate . . . 11
        Prerequisites . . . 11
        Install the Default TLS Certificate on the OnGuard Communication Server . . . 12
        Set TLS Encryption in System Administration and on the Access Panel (Controller) . . . 12
        Verify the Access Panel (Controller) is Online . . . 13
    Configure TLS Encryption Using a Custom Certificate . . . 14
        Prerequisites . . . 14
        Install the Custom TLS Certificate on the OnGuard Communication Server . . . 14
        Enable TLS Encryption in System Administration and Load the Customer TLS Certificate on the Access Panel (Controller) . . . 15
        Verify the Access Panel (Controller) is Online . . . 15
    Disable TLS Encryption . . . 16

CHAPTER 3 AES Configuration . . . 17
    System/Segment Configuration . . . 17
    Configure Controllers for AES Encryption . . . 18
        Master Key Management . . . 18
        AES Configuration for Access Series Controllers . . . 20
    Automatic Key Management Procedures . . . 21
        Set Up AES Encryption in a New Installation . . . 21
        Setup AES Encryption in an Existing System/Segment . . . 21
        Switch to a New Master Key . . . 21
        Swap Encrypted Controllers in the Field . . . 22
        Disable AES Encryption . . . 22
        Mark an Encrypted Controller Back Online . . . 22
        Manually Update Master Keys . . . 23
        Degrade a Connection . . . 23
        Move an Encrypted Controller into a Segment . . . 23
        Move an Encrypted Controller While Creating an Encrypted Segment . . . 23
    Manual Key Management Procedures . . . 24
        Using the Lenel Controller Encryption Configuration Utility . . . 24
        Setup AES Encryption in a New Installation . . . 24
        Switch to a New Master Key . . . 26
        Swap Encrypted Controllers in the Field . . . 27
        Disable AES Encryption for a Legacy Series Controller . . . 28
        Mark an Encrypted Controller Back Online . . . 28
        Move an Encrypted Controller into a Segment . . . 28
        Move an Encrypted Controller While Creating an Encrypted Segment . . . 28

CHAPTER 4 Troubleshooting . . . 29
    TLS Encryption Troubleshooting . . . 29
    AES Encryption Troubleshooting . . . 30
        Connection Errors . . . 30
        Upgrading and Degrading Connections . . . 32
        Master Key Updates in Automatic Key Management System/Segments . . . 33
        Encryption Status in Alarm Monitoring and Reported Events . . . 34
        Offline Due to an AES Encryption Problem . . . 35
        Online with a Connection Mismatch . . . 35

Index . . . 37


CHAPTER 1 Overview

Data security for encrypted connections between OnGuard and Lenel access controllers is provided
by the following options:
• Transport Layer Security (TLS)
• Advanced Encryption Standard (AES)
This document describes encryption options for Access Series, X-Series, and Legacy Series
controllers.

Series           Controllers                                                AES Option   TLS Option

Legacy Series    LNL-500, LNL-1000, LNL-2000                                Yes          No

Access Series    LNL-2210, LNL-2220, LNL-2240-RS4, LNL-3300,                Yes          Yes
                 LNL-3300-ACUXL, LNL-3300-GCM, LNL-3300-M5, LNL-4420

X-Series         LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420                 Yes          Yes

TLS Encryption
The TLS protocol uses certificates (asymmetric cryptography) so that each party (server and
controller) can authenticate the other. Once the host has authenticated the controller, the two
exchange a symmetric key that encrypts the rest of the data transmitted during the session. That
encryption uses the AES standard; the session keys are generated using the TLS certificates on the
controller and the server. One benefit of TLS is that it provides AES encryption without the need to
pre-load and manage AES encryption keys.

TLS Certificates
TLS (Transport Layer Security) certificates, also known as Secure Sockets Layer (SSL) certificates,
are installed on web servers and clients to create a secure encrypted connection between the server
and the client.

The same TLS certificate must be installed on both the Communication Server and the access panel
(controller). Session keys for encryption are generated using the default or customer-generated
certificate on the controller.
Certificate authenticity is verified by the Communication Server and the controller establishing a
“TLS handshake” before any communication data is sent. During the TLS handshake, the server
verifies the signature on the controller’s certificate against the certificate installed in the operating
system’s certificate store.
For more information, refer to Chapter 2: TLS Configuration on page 11.

AES Encryption
AES is a symmetric encryption algorithm (also known as Rijndael and published as FIPS PUB 197)
that uses the same 128-bit key for both encrypting and decrypting communications data between the
OnGuard Communication Server and a Lenel controller. Master keys are used to encrypt the data
packets that transfer a session key to the controller. Session keys are used to encrypt all other data
communicated between OnGuard and Lenel access controllers; the transfer of a new session key is
the one exception.

AES Encryption Keys


The Advanced Encryption Standard (AES) requires that both sender and receiver use the same
encryption key. 128-bit keys are used in the encryption between the OnGuard Communication Server
and a Lenel controller.
Master keys are used to encrypt data packets that transfer a session key to the controller. Master keys
are the crux of the encryption process. Both ends of the connection, the controller and host
(Communication Server), must agree on the master key being used to achieve a connection.
Two master keys exist in the system and controllers: master key 1 and master key 2. Only one master
key, the active master key, is in use at a given time. The other master key is inactive.

IMPORTANT: It is important to keep master key values secure. These values are shared
secretly between the controllers and OnGuard, and allow an encrypted
connection to be made. Since the AES algorithm is public, all parties that have
access to the key can encrypt and decrypt the data. Master key values should
not be shared with anybody who is not involved in their management. They
should not be written down or electronically stored in locations that are not
secure.
Session keys are used to encrypt any data that is communicated between OnGuard and Lenel access
controllers, except for the transfer of new session keys. Session keys are automatically generated by
OnGuard when a connection is established with a controller. Session keys are internal to the system
and never exposed.
For more information, refer to Chapter 3: AES Configuration on page 17.
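The two-level key hierarchy described above (an active master key that wraps each new session key, and a session key that protects everything else) is easiest to see in code. The following is an added example, not OnGuard or Lenel code: the page does not document the packet formats OnGuard uses, so the `Endpoint`, `establish_session` and `send_data` names are this example's own, and because Python's standard library has no AES, an HMAC-SHA256 keystream with an authentication tag is used as a constructed stand-in for the 128-bit AES encryption the guide refers to. What it shows is why both ends must agree on the active master key: a controller holding a different master key cannot recover the session key, and the mismatch is detected before any data is exchanged.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example (not Lenel/OnGuard code). Models only the key hierarchy the
# guide describes: the active master key encrypts the packet that carries a
# session key; the session key encrypts all other traffic. The HMAC-SHA256
# keystream below is a constructed stand-in for AES, which the standard
# library does not provide.

KEY_BYTES = 16      # 128-bit keys, as the guide states
NONCE_BYTES = 12
TAG_BYTES = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. The tag lets the receiver detect a key mismatch."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_BYTES]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag does not verify under this key."""
    if len(blob) < NONCE_BYTES + TAG_BYTES:
        return None
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_BYTES]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Endpoint:
    """Either end of the link (host or controller): master key 1, master key 2, and which is active."""

    def __init__(self, master_key_1: bytes, master_key_2: bytes, active: int = 1):
        self.master_keys = {1: master_key_1, 2: master_key_2}
        self.active = active
        self.session_key: Optional[bytes] = None

    @property
    def active_master_key(self) -> bytes:
        return self.master_keys[self.active]


def establish_session(host: Endpoint, controller: Endpoint) -> bool:
    """Host generates a fresh session key and sends it wrapped under its active master key.
    Succeeds only when the controller's active master key matches; otherwise the controller
    cannot recover the session key and has no usable connection."""
    host.session_key = secrets.token_bytes(KEY_BYTES)
    key_transfer_packet = encrypt(host.active_master_key, host.session_key)
    unwrapped = decrypt(controller.active_master_key, key_transfer_packet)
    controller.session_key = unwrapped
    return unwrapped is not None


def send_data(sender: Endpoint, receiver: Endpoint, data: bytes) -> Optional[bytes]:
    """All traffic other than the session-key transfer is protected by the session key."""
    if sender.session_key is None or receiver.session_key is None:
        return None
    return decrypt(receiver.session_key, encrypt(sender.session_key, data))


if __name__ == "__main__":
    mk1, mk2 = secrets.token_bytes(KEY_BYTES), secrets.token_bytes(KEY_BYTES)
    host, controller = Endpoint(mk1, mk2), Endpoint(mk1, mk2)
    print("agree on master key 1:", establish_session(host, controller))
    print("event round-trips:", send_data(controller, host, b"door forced open"))
    stale = Endpoint(secrets.token_bytes(KEY_BYTES), mk2)   # controller never updated
    print("mismatched master key:", establish_session(host, stale))
    host.active = stale.active = 2                           # both ends activate master key 2
    print("after activating key 2:", establish_session(host, stale))
```

Note that a new session key is generated on every `establish_session` call while the master keys never change; that is the property the guide relies on when it says session keys are internal to the system and never exposed, and it is why the master keys are the values that must be kept secret.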

Considerations for Legacy Controller Encryption


Legacy controllers require specific firmware to support AES encryption.


Firmware Types
Controller firmware changes required to support encryption have increased the firmware size. This
firmware cannot be loaded into controllers that contain 128 KB flash chips. There are many
controllers in the field that contain 128 KB flash chips. As such, two versions of firmware are now
being released. One set, referred to as AES firmware, supports encryption. The other set, referred to
as plain firmware, does not. The two sets of firmware are identical in all other respects, supporting all
of the same features.
Either version of firmware can be loaded into a controller with a 256 KB chip while only plain
firmware can be loaded into a controller with a 128 KB chip.

Determine Firmware Type. You can determine the type of firmware a controller has by using the
Lenel Controller Encryption Configuration Utility, Alarm Monitoring, or System Administration
applications. The Lenel Controller Encryption Configuration Utility displays the firmware revision in
the main window. Alarm Monitoring displays the firmware revision in the System Status window or
controller Properties dialog. Finally, System Administration displays the firmware revision in the
Diagnostics form of the Access Panels folder.
If the controller contains AES firmware, “.aes” is shown as part of the firmware revision, as in
“3.054.aes”.

Recommendations for Downloading Firmware. Firmware can be downloaded to a controller using
OnGuard or the Lenel Controller Encryption Configuration Utility. It is recommended that you use
OnGuard to download firmware for existing controllers and the utility for new controllers or
hardware swaps.

Flash Chip Size for Legacy Controllers


AES firmware can only be downloaded to controllers with 256 KB chips. All LNL-2000 controllers
have 256 KB chips while LNL-1000 and LNL-500 controllers manufactured prior to February 2003
do not; they contain 128 KB chips. Refer to the following guidelines for replacing chips on these
controllers:
• All LNL-500 controllers can have their chips replaced
• LNL-500 controllers shipped with serial numbers 6352 and higher already have 256 KB chips
• LNL-1000 controllers with serial numbers above 710 can have their chips replaced
• LNL-1000 controllers with serial numbers 710 and below cannot accept a 256 KB chip
• LNL-1000 controllers with serial numbers 12862 and higher already contain 256 KB chips

Determine Flash Chip Size. In addition to looking at the serial number on the controller, you can
determine the flash chip size of a controller using the Lenel Controller Encryption Configuration
Utility, Alarm Monitoring, or System Administration applications. The Lenel Controller Encryption
Configuration Utility displays the flash size in the main window. Alarm Monitoring displays the flash
chip size in controller Properties dialog. Finally, System Administration displays the flash chip size in
the Diagnostics form of the Access Panels folder.

Notes: By default, OnGuard automatically downloads AES firmware to controllers with 256
KB chips, when a firmware download is requested.
OnGuard automatically downloads plain firmware to controllers with 128 KB chips
when a firmware download is requested.


Encryption DIP Switch Settings for Legacy Controllers


If a controller has AES firmware and DIP switch 8 is ON, the controller requires an encrypted
connection. If a controller has AES firmware and DIP switch 8 is OFF, then encryption is optional;
the host can connect with a plain or encrypted connection. Thus, turning DIP switch 8 ON is not
necessary for encryption but enhances security by forcing encrypted connections.

Determine DIP Switch Settings. You can determine the current DIP switch settings using the Lenel
Controller Encryption Configuration Utility, Alarm Monitoring, or System Administration
applications. The Lenel Controller Encryption Configuration Utility displays the DIP switch settings
in the main window. Alarm Monitoring displays the DIP switch settings in the controller Properties
dialog. Finally, System Administration displays the DIP switch settings in the Diagnostics form of the
Access Panels folder.

Recommendations for DIP Switch Settings. It is recommended that DIP switch 8 be turned ON
after the initial master key updates are made for a given controller. In manual key management mode,
this would be after the Lenel Controller Encryption Configuration Utility has been used to load the
initial master keys. In automatic key management mode, this would be after the controller has been
configured for an encrypted connection and the administrator has verified that an encrypted
connection has been achieved.

Note: The controller only reads DIP switch settings when it is powered up. If DIP switch
settings are changed, the controller must go through a power cycle before the changes
are recognized in the system.
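The firmware-type, flash-chip and DIP switch 8 rules in this section are the kind of thing an administrator wants to check across a whole controller inventory before requesting firmware downloads. The block below is an added example, not Lenel or OnGuard code; it encodes exactly the rules stated above (the ".aes" revision suffix, the LNL-500/LNL-1000 serial-number thresholds, the 256 KB requirement for AES firmware, and the meaning of DIP switch 8). The `audit_controller` and `audit_inventory` names, the `master_keys_loaded` flag and the `SAMPLE_INVENTORY` records are this example's own constructed assumptions.

```python
from typing import Dict, List

# Added example (not Lenel/OnGuard code). Encodes the Legacy Series rules
# from this section so a controller inventory can be checked before AES
# firmware is requested. SAMPLE_INVENTORY is constructed sample data.

MIN_FLASH_KB_FOR_AES_FIRMWARE = 256


def firmware_is_aes(firmware_revision: str) -> bool:
    """AES firmware shows ".aes" as part of the revision string, e.g. "3.054.aes"."""
    return firmware_revision.strip().lower().endswith(".aes")


def flash_chip_status(model: str, serial_number: int) -> str:
    """Applies the guide's serial-number guidelines for Legacy Series controllers.
    Returns "256KB" (already has a 256 KB chip), "replaceable" (128 KB chip that can
    be swapped for a 256 KB chip) or "not_replaceable" (cannot accept a 256 KB chip)."""
    model = model.upper()
    if model == "LNL-2000":
        return "256KB"                      # all LNL-2000 controllers have 256 KB chips
    if model == "LNL-500":
        if serial_number >= 6352:
            return "256KB"                  # shipped with 256 KB chips
        return "replaceable"                # all LNL-500 chips can be replaced
    if model == "LNL-1000":
        if serial_number >= 12862:
            return "256KB"
        if serial_number > 710:
            return "replaceable"
        return "not_replaceable"            # serial 710 and below cannot take a 256 KB chip
    raise ValueError(f"{model} is not a Legacy Series controller")


def encryption_posture(firmware_revision: str, dip_switch_8_on: bool) -> str:
    """"required": AES firmware and DIP switch 8 ON; "optional": AES firmware and DIP
    switch 8 OFF (host may connect plain or encrypted); "unsupported": plain firmware."""
    if not firmware_is_aes(firmware_revision):
        return "unsupported"
    return "required" if dip_switch_8_on else "optional"


def audit_controller(model: str, serial_number: int, flash_kb: int, firmware_revision: str,
                     dip_switch_8_on: bool, master_keys_loaded: bool) -> List[str]:
    """Findings an administrator would want before enabling AES on one controller.
    master_keys_loaded is an assumed inventory field: whether the initial master
    key update for this controller has already been done."""
    findings: List[str] = []
    if flash_kb < MIN_FLASH_KB_FOR_AES_FIRMWARE:
        status = flash_chip_status(model, serial_number)
        if status == "not_replaceable":
            findings.append("cannot run AES firmware: 128 KB chip and controller cannot accept a 256 KB chip")
        elif status == "replaceable":
            findings.append("replace 128 KB flash chip with 256 KB before downloading AES firmware")
        else:
            findings.append("reported flash size disagrees with the serial-number guideline; verify in the Diagnostics form")
    posture = encryption_posture(firmware_revision, dip_switch_8_on)
    if posture == "unsupported" and flash_kb >= MIN_FLASH_KB_FOR_AES_FIRMWARE:
        findings.append("plain firmware on a 256 KB controller; OnGuard downloads AES firmware on the next requested download")
    if posture == "optional" and master_keys_loaded:
        findings.append("AES firmware with DIP switch 8 OFF: turn it ON and power cycle to force encrypted connections")
    if posture == "required" and not master_keys_loaded:
        findings.append("DIP switch 8 turned ON before the initial master keys were loaded; the guide recommends loading them first")
    return findings


# Constructed sample inventory (not real site data).
SAMPLE_INVENTORY = [
    dict(name="Lobby", model="LNL-1000", serial_number=700, flash_kb=128,
         firmware_revision="3.054", dip_switch_8_on=False, master_keys_loaded=False),
    dict(name="Dock", model="LNL-500", serial_number=5000, flash_kb=128,
         firmware_revision="3.054", dip_switch_8_on=False, master_keys_loaded=False),
    dict(name="Server room", model="LNL-2000", serial_number=42, flash_kb=256,
         firmware_revision="3.054.aes", dip_switch_8_on=False, master_keys_loaded=True),
    dict(name="Garage", model="LNL-1000", serial_number=13000, flash_kb=256,
         firmware_revision="3.054.aes", dip_switch_8_on=True, master_keys_loaded=True),
]


def audit_inventory(records) -> Dict[str, List[str]]:
    """Maps each controller name to its list of findings (empty list means nothing to do)."""
    return {r["name"]: audit_controller(**{k: v for k, v in r.items() if k != "name"}) for r in records}


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", findings or ["no action needed"])
```

The flash size and firmware revision used as inputs are the values shown in the Diagnostics form, the controller Properties dialog, or the utility's main window, as described above; the serial-number check is only a cross-check against those values.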

CHAPTER 2 TLS Configuration

Configuring TLS encryption includes the following:


• Installing the TLS certificate on the OnGuard Communication Server (same certificate as is
installed on the controller)
• Enabling TLS encryption in OnGuard System Administration and on the access panel
(controller)

Configure TLS Encryption Using a Default Certificate

Prerequisites
1. Establish unencrypted communications to the controller
a. In the OnGuard Alarm Monitoring application, verify that the access panel (controller) is
visible and online.
2. Verify that default certificates are available.
a. Navigate to the certificates folder in the OnGuard install directory (example:
..\Program Files(x86)\OnGuard\Certificates).
b. Locate the following files:
• Mercury_ca-cert.crt - for controllers with default certificates
• Mercury_CertRootCA1024.crt - for certificates with 1024 keys
• Mercury_CertRootCA2048.crt - for certificates with 2048 keys
• Mercury_rootca.crt - root certificate authority (CA)
• 4096Mercury_CertRootCA4096.crt - for certificates with 4096 keys
3. Verify that the access panel (controller) firmware is revision 1.240 or later.
4. Know the username and password to log into the access panel (controller) configuration web
page.

Install the Default TLS Certificate on the OnGuard Communication Server
1. Identify the certificate on the controller by accessing the certificate information on the
configuration web page:
a. In System Administration, select Access Control > Access Panels.
b. Select an Access Series controller form.
c. On the Location sub-tab, click Configuration Web Page.
d. Log in using your user name and password.
e. Click Load Certificate to view the certificate information.
2. On the Communication Server, locate the certificate that matches the certificate on the controller.
3. Using Windows Explorer, double-click a certificate file to display the Certificate dialog.
4. Click Install Certificate. The Certificate Import Wizard is displayed.
5. Click Next. Options for Certificate Store are displayed.

Note: If prompted, store the certificate on the Local Machine (not for user).
6. Select the Place all the certificates in the following store radio button.
7. For the Certificate store, click Browse.
8. Select Trusted Root Certification Authorities.
9. Click OK.
10. Click Next.
11. Click Finish.

Note: If a Security Warning is displayed, click Yes to install the certificate.


12. After the certificate is installed, restart the LS Communication Server.

Note: For environments with a variety of Lenel controllers, consider loading all five (5)
Mercury certificates and then restart the LS Communication Server once.
13. To view the installed certificate(s) in the Certification Manager list, click the Start button, then
type certmgr.msc in the search field and press Enter.

Set TLS Encryption in System Administration and on the Access Panel (Controller)
1. In the OnGuard System Administration application, select Access Control > Access Panels.
2. Select an Access Series controller form.
3. Click the Options sub-tab.
4. Click Modify.
5. Select the TLS encryption check box.
6. Click OK to save the change.
7. Acknowledge the warning that download will be required to implement the change.

Note: The access panel (controller) is now indicated as offline in the OnGuard Alarm
Monitoring application.
8. In the System Administration application, click the Location sub-tab for the controller selected
in step 2.

9. Click Configuration Web Page to launch the page in a browser. (You may also access this page
by going to the device IP address from within the browser.)
10. Click the link to go to the login page and log in using your user name and password.

Note: If DIP switch 1 is ON, the default user name and password is used (admin, password). If
DIP switch 1 is off, use the login that was programmed in the device.
11. Click Login.
12. From the left side menu, select Host Comm to display the Host Communication page.
13. Set Data Security to TLS Required.

Note: Do not enable Peer Certificate.


14. Click Accept.
15. From the left side menu, select Apply Settings. The controller reboots.
16. Repeat steps 2 through 15 for each access panel (controller).

Verify the Access Panel (Controller) is Online


1. In the OnGuard Alarm Monitoring application, select View > System Status > System Status
Tree.
2. Locate the access panels (controllers) and verify the status icon indicates an encrypted, online
connection.

Configure TLS Encryption Using a Custom Certificate

Prerequisites
1. Establish unencrypted communications to the controller
a. In the OnGuard Alarm Monitoring application, verify that the access panel (controller) is
visible and online.
2. Generate the following custom certificates for the applicable controller types (see table below):
• Root certificate authority (CA) for the OnGuard Communication Server (.crt file)
• Certificate for the access panel (.crt file)
• Private Key for the access panel (.pem file)

Controller Type                                               RSA Key Length           SHA

LNL-2210, LNL-2220, LNL-3300, LNL-3300-M5,                    1024                     sha1
LNL-2240-RS4, LNL-3300-ACUXL, LNL-3300-GCM

LNL-4420                                                      2048                     sha256

LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420                    3072 bit (default),      sha256 (default),
                                                              maximum 4096 bit         maximum sha384

3. Verify that the access panel (controller) firmware is revision 240 or higher.
4. Know the username and password to log into the access panel (controller) configuration web
page.

Install the Custom TLS Certificate on the OnGuard Communication Server
1. Using Windows Explorer on the Communication Server, double-click a root certificate authority
file to display the Certificate dialog.
2. Click Install Certificate. The Certificate Import Wizard is displayed.
3. Click Next. Options for Certificate Store are displayed.

Note: If prompted, store the certificate on the Local Machine (not for user).
4. Select the Place all the certificates in the following store radio button.
5. For the Certificate store, click Browse.
6. Select Trusted Root Certification Authorities.
7. Click OK.
8. Click Next.
9. Click Finish.

Note: If a Security Warning is displayed, click Yes to install the certificate.


10. After the certificate is installed, restart the LS Communication Server.
11. To view the installed certificate in the Certification Manager list, click the Start button, then type
certmgr.msc in the search field and press Enter.

Enable TLS Encryption in System Administration and Load the Customer TLS Certificate on the Access Panel (Controller)
1. In the OnGuard System Administration application, select Access Control > Access Panels.
2. Select an Access Series controller form.
3. Click the Options sub-tab.
4. Click Modify.
5. Select the TLS encryption check box.
6. Click OK to save the change.
7. Acknowledge the warning that download will be required to implement the change.

Note: The access panel (controller) is now indicated as offline in the OnGuard Alarm
Monitoring application.
8. In the System Administration application, click the Location sub-tab for the controller selected
in step 2.
9. Click Configuration Web Page to launch the page in a browser. (You may also access this page
by going to the device IP address from within the browser.)
10. Click the link to go to the login page and log in using your user name and password.

Note: If DIP switch 1 is ON, the default user name and password is used (admin, password). If
DIP switch 1 is off, use the login that was programmed in the device.
11. Click Login.
12. From the left side menu, select Host Comm to display the Host Communication page.
13. Set Data Security to TLS Required.

Note: Do not enable Peer Certificate.


14. Click Accept.
15. From the left side menu, click Load Certificate.
a. Navigate to the Load Certificate web page.

b. In the Load Certificate section, browse for the custom certificate and private key.
c. Click Load certificate files.
16. From the left side menu, select Apply Settings. The controller reboots.
17. Repeat steps 2 through 16 for each access panel (controller).

Verify the Access Panel (Controller) is Online


1. In the OnGuard Alarm Monitoring application, select View > System Status > System Status
Tree.
2. Locate the access panels (controllers) and verify the status icon indicates an encrypted, online
connection.

Disable TLS Encryption


1. In the OnGuard System Administration application, select Access Control > Access Panels.
2. Select the controller (TLS encryption is only available for LNL-X2210, LNL-X2220, LNL-X3300,
LNL-X4420, LNL-2210, LNL-2220, LNL-3300, LNL-4420, LNL-3300-M5, LNL-2240-RS4,
LNL-3300-ACUXL, and LNL-3300-GCM controllers).
3. On the Options sub-tab, deselect the TLS encryption check box.
4. Click OK to save the change.
5. Acknowledge the warning that a download is required to implement the change.

CHAPTER 3 AES Configuration

Configuring OnGuard for AES encryption requires the proper user permissions. Verify the proper
permissions are set on the Access Control sub-tab of the System Permission Groups form in the Users
folder of System Administration.
Configure the following for AES encryption in System Administration:
1. Controller encryption for the system or segment
2. Encryption for the Lenel controller
3. Master keys

System/Segment Configuration
The Controller Encryption form/sub-tab of the System Options folder and the Segments form in
System Administration is used to:
• Configure the system or segment for AES encryption (automatic or manual)
• Enter master keys for encryption
• Export master keys to a text file
• Activate inactive keys (manual encryption only)

Notes: The system/segment the controller belongs to must first be configured for encryption in
order for the Encryption sub-tab on the Access Panels form to display.
When a segment is created, all encryption-related configuration data is automatically
copied from the source segment to the new segment. This allows for a smooth operation
when encrypted controllers are moved from the source segment to the new segment.
The master key values and active master key remain the same. Thus, the controllers do
not need any updates. If desired, you can modify the master keys in the new segment
after the segment creation process is completed.
If an encrypted controller is manually moved from one segment to another, the
controller must be updated if the master key values in the two segments differ. This is
handled automatically when the new segment is an automatic key management
segment. If the new segment is a manual key management segment, the administrator
must coordinate the segment move and manually update the master keys in the
controller.

For more information regarding system configuration, refer to the Controller Encryption form in the
System Options Folder chapter in the System Administration User Guide.
For more information regarding segment configuration, refer to the Controller Encryption sub-tab in
the Segments Folder chapter in the System Administration User Guide.

Configure Controllers for AES Encryption


Controllers are configured for AES encryption on the Encryption sub-tab of the following Access
Panels forms in System Administration:
• LNL-500, LNL-1000
• LNL-2000, LNL-2210, LNL-2220, LNL-2240-RS4
• LNL-3300, LNL-3300-ACUXL, LNL-3300-GCM, LNL-3300-M5
• LNL-4420
• LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420

Note: The Encryption sub-tab is displayed after the system or segment is configured for
encryption on the Controller Encryption form/sub-tab of the System Options folder and
the Segments form in System Administration. Options on the Encryption sub-tab are not
available if TLS encryption is selected on the Options sub-tab.

Master Key Management


Controllers come from the factory with factory default master key values stored in non-volatile
EEPROM memory permanently soldered to the circuit board. When a controller is configured for
encryption within the OnGuard system, these factory default values are replaced. Although there is no
mechanism available for obtaining master key values from a controller, they can be updated using
master key management.
Master keys are managed (configured and activated) in the OnGuard System Administration
application. Settings are system-wide for non-segmented installations and per segment for segmented
installations.

Considerations for Choosing the Type of Key Management

Description
• Automatic Key Management: Automatically transfer master key values from OnGuard to the
controllers over the existing connection. When encryption is first enabled, the master key is
transferred over the existing plain (unencrypted) connection. After encryption is enabled,
subsequent transfers are made over the existing encrypted connection.
• Manual Key Management: Manually transfer master keys from OnGuard to the controllers using a
host machine (typically a laptop computer) that is connected to the controller using a secure,
local connection such as a short serial cable. The host machine uses the Lenel Controller
Encryption Configuration Utility to transfer master key values.

Visit each controller?
• Automatic Key Management: No - master key updates are made automatically.
• Manual Key Management: Yes - the administrator must visit each controller to manually transfer
master key values.

What are the security concerns?
• Automatic Key Management: A plain connection is used the first time a master key is transferred
to a given controller. An intruder who intercepts this packet could then use the master key to
decrypt the initial packet containing a session key. This session key could then be used to
decrypt the remaining packets for that session. The master key could also be used to establish a
connection with the controller.
• Manual Key Management: Manual management is more secure because master keys are never
transferred over a standard (open network) OnGuard connection.

Can random key generation be used?
• Automatic Key Management: Yes - Random master key generation is likely the best option in
systems using automatic key management. Key transfers to the controllers are made automatically
by the OnGuard system. The administrator does not have to be concerned with the actual master key
value.
• Manual Key Management: Yes - Random master key generation can be used in manual key management
systems, as well. The export function can be used to export the key so that it can be manually
transferred to the controllers using the Lenel Controller Encryption Configuration Utility. For
more information on exporting master keys, refer to the System Options Folder or Segments Folder
chapter in System Administration.

Master Key Entry. OnGuard supports three forms of master key entry: random master key
generation, pass phrase entry, and manual master key entry. For information about the Master Key
Entry dialog, refer to the System Options Folder or Segment Folder chapter in the System
Administration User Guide.
• Random Master Key Generation
This mode of master key entry is the default and the simplest option to select when the Master
Key Entry dialog displays. To use the random master key generation mode, simply click OK
when the dialog displays.
• Pass Phrase Entry
With pass phrase mode, the administrator enters a phrase or sentence between 1 and 255
characters. The pass phrase is automatically turned into a 128-bit master key by the OnGuard
system.
– Choosing a Pass Phrase Entry
It is strongly recommended that pass phrases be at least 50 characters in length for security
reasons.
Furthermore, a pass phrase should be hard to guess, even by someone who knows you well,
but easy for you to remember. A “shocking nonsense” phrase is generally the best; meaning
a short phrase or sentence that is odd enough for you to remember but is illogical and not
associated with you.

You may wish to use a pass phrase entry when working with manual key management
systems. Since the pass phrase is easy to remember, there is no need to write it down or
export the resulting master key from the OnGuard system. You can manually enter it into
both OnGuard and the Lenel Controller Encryption Configuration Utility.

Note: If a pass phrase is lost, the 128-bit master key that was generated from it can always be
exported from the OnGuard system.
• Manual Key Entry
With manual key entry mode, the administrator enters a 128-bit master key. The value is entered
as a 32-digit hexadecimal number such as “70E6E026E7AA7BD16679D5B9A8F1AF1E”.
An administrator may wish to use manual key management if a segment is being configured for
encryption and the administrator wants to use the same keys that were used in other segments.
These keys can be exported from one segment and manually entered in the new segment.

Master Key Updates. Master key exposure is extremely low over encrypted connections. The master
key is only used to encrypt an initial session packet in which a random session key is transferred to
the controller. All other packets in a given session are encrypted using that session key.
Even installations that wish to protect against an intruder intercepting packets over a long period of
time while trying to break the encryption do not need to switch master keys often. Every six months
or one year is a reasonable time frame to address such concerns. If this type of attack is not a concern,
the master keys do not need to be changed at all.

Note: The master key can be switched at any time if there is concern that it has been
compromised.
When a master key change is desired, the inactive master key value is first updated in the controllers
and in the OnGuard system. Once this process is complete, the inactive master key is activated. Over
the life of an installation, master key 1 will sometimes be the active master key and other times be the
inactive master key. This is also true of master key 2.
For more information on master key management, refer to Automatic Key Management Procedures
on page 21 and Manual Key Management Procedures on page 24.

AES Configuration for Access Series Controllers


AES encryption is configured from the controller’s configuration web page.
1. In OnGuard System Administration, in the Access Panels folder, click Configuration Web
Page. This page will launch in a browser. (You may also access this page by going to the device
IP address from within the browser.)
2. Click the link to go to the login page. Log in using your user name and password. If DIP switch 1
is ON, then the default user name and password is used (admin, password). If DIP switch 1 is
off, use the login that was programmed in the device. Click Login.
3. To configure the host, click Host Comm.
4. In the Data Security field, enter the AES encryption master key.
5. When you have finished, click Apply Settings, Apply Settings, Reboot, and then Log Out.
6. To configure the master key in OnGuard, go to Master Key Entry on page 19.

Automatic Key Management Procedures


With automatic key management, OnGuard is responsible for coordinating the master key values
between controllers and the OnGuard system. Master keys are loaded/transferred to controllers
automatically from the OnGuard system. Normally, the Lenel Controller Encryption Configuration
Utility is not used.

Set Up AES Encryption in a New Installation


Refer to Setup AES Encryption in an Existing System/Segment on page 21. Be sure to place the
controller online at the end of step 2.

Setup AES Encryption in an Existing System/Segment


Follow this procedure if you are initially setting up encryption in an existing system/segment (where
the controllers are online with OnGuard using a plain connection).
This entire procedure is completed in the OnGuard system. You do not need to visit each Legacy
Series controller unless you need to reset DIP switches.
1. Configure the system/segment for automatic key management encryption and generate a value
for master key 1.

Note: For more information, refer to “Configure Automatic Encryption and Set Keys” in the
System Options Folder or Segments Folder chapter in the System Administration User
Guide.
2. Complete the following for each controller:
a. Verify each controller has the latest AES firmware. It may be necessary to first configure the
controller (in OnGuard) for a plain connection and download the firmware. Note that the
controller must have a 256 KB chip before AES firmware can be downloaded.
b. For a Legacy Series controller, verify that DIP switch 8 is OFF.
c. Configure the controller for an encrypted connection. For more information, refer to the
Access Panels Folder chapter in the System Administration User Guide.
d. For a Legacy Series controller, DIP switch 8 can be turned ON if desired after verification
has been made that an encryption connection has been made.

Enable Encryption for Controllers in Encrypted System/Segments


Refer to step 2 in Setup AES Encryption in an Existing System/Segment on page 21 if you are
introducing a new controller to an encrypted system/segment or you have an existing controller in an
encrypted system/segment that previously used a plain connection.

Switch to a New Master Key


Master key exposure is extremely low over the encrypted connections. The master key is only used to
encrypt an initial session packet in which a random session key is transferred to the controller. All
other packets in a given session with the controller are encrypted using that session key.
Even installations that wish to protect against an intruder intercepting packets over a long period of
time while trying to break the encryption do not need to switch master keys very often. Every six
months or one year is probably a reasonable time frame to address such concerns. If this type of attack
is not a concern, the master keys do not need to be changed at all.

With automatic key management, however, note that new master key values are sent to the controller
over the standard access control system connection when key changes are made. When encryption is
first turned on, this is going to be done over a plain connection. On subsequent key changes, the new
keys are transferred over the existing encrypted connection.
When you want to switch master keys, simply modify the system/segment and modify the active
master key value. By default, a new random key will be generated. Alternatively, you can use a pass
phrase or manual entry. The system will seamlessly transfer the new master key to all encrypted
controllers in the system/segment (the next time a controller comes physically online if it is currently
physically offline) and switch to an encrypted connection using it.

Swap Encrypted Controllers in the Field


It is sometimes necessary to replace a controller in the field with a new controller. If the “old”
controller is configured for encryption, the master key values for that controller must be loaded into
the new controller prior to bringing the new controller online with the OnGuard system. With
automatic encryption, that is impossible. One of two methods can be used to get around this problem:
manually update the master keys or allow OnGuard to automatically transfer the active master key
over a plain connection.

Manually Transfer Master Keys Over an Encrypted Connection


To temporarily operate in manual key management mode, refer to Swap Encrypted Controllers in the
Field on page 22. This procedure will instruct you on how to transfer the active master key from the
system/segment to the controller.

Automatically Transfer Master Keys Over a Plain Connection


To automatically transfer the active master key over a plain connection:
1. For a new Legacy Series controller, turn DIP switch 8 OFF.
2. In the OnGuard system, configure the controller for a plain connection.
3. When the controller comes back online with the OnGuard system, verify that it has the latest
AES firmware. If not, download it.
4. Configure the controller for an encrypted connection in the OnGuard system. The system will
transfer the active master key and switch to an encrypted connection with the controller.
5. If desired, turn DIP Switch 8 ON at the Legacy Series controller.

Disable AES Encryption


To disable AES encryption for a controller, segment, or system:
– For a Legacy Series controller, make sure DIP switch 8 is OFF at every controller before
disabling encryption.
– For an Access Series controller, make sure the Data Security field is clear in the
configuration web page.
Otherwise, when encryption is disabled in the OnGuard system, an encryption error occurs.

Mark an Encrypted Controller Back Online


If the controller has only missed a single master key update (and still contains the other master key),
OnGuard will automatically transfer the currently active master key and switch to a proper
connection when you mark an encrypted controller back online.

If a controller has been marked offline and missed the last two key updates, or was not configured for
encryption when it was last marked online, you need to manually update the master key or degrade
the connection in order for the controller to come physically back online.
If you believe the controller has only missed a single master key update or you are uncertain, mark the
controller back online and select “No” when the message box asks if the next connection can be
downgraded.
If the controller remains offline with an encryption error after several minutes, it must have missed
more than one key update. You will need to manually update the master key or degrade the
connection.

Manually Update Master Keys


For more information, refer to the “Load or Update Master Keys” in the Lenel Controller Encryption
Configuration Utility User Guide, located on the OnGuard Supplemental Materials media.

Degrade a Connection
If you have already marked the controller back online in the steps above, modify it and select ‘Allow
next connection to be downgraded’. Otherwise, when the controller is marked back online, select
“Yes” when the message box asks if the next connection can be downgraded. OnGuard will attempt to
downgrade the connection, transfer the currently active master key, and switch to the proper
encrypted connection.

Note: For a Legacy Series controller, if DIP Switch 8 is currently ON, downgrading the
connection may not be successful. If the controller remains offline with an encryption
error after several minutes, DIP Switch 8 must be turned OFF at the controller. Once
OnGuard synchronizes and switches to a proper encrypted connection, DIP Switch 8
can be turned back ON.

Move an Encrypted Controller into a Segment


This procedure applies to encrypted controllers that are moved into an automatic key management
segment.
When a controller configured for encryption is moved to a new automatic key management segment,
it is up to OnGuard to synchronize the master keys in the controller with the new segment. With that
in mind, all you need to do is move the controller to the new segment in the OnGuard system.

Move an Encrypted Controller While Creating an Encrypted Segment


When a new segment is created and a source segment selected, OnGuard copies the encryption values
from the source segment into the new segment. Thus, if controllers are moved from the source
segment during the segment creation process, encryption operations are not impacted for those
controllers.

Manual Key Management Procedures


With manual key management, the administrator is responsible for coordinating the master key values
between controllers and the OnGuard system. This involves loading master keys into the controller(s)
and configuring OnGuard to use an encrypted connection with the active master key. Master keys can
be loaded into controllers using the Lenel Controller Encryption Configuration Utility. Later, if you
want to switch keys, you need to visit the controller(s), update the inactive key, and then configure
OnGuard to begin using the new key.

Using the Lenel Controller Encryption Configuration Utility


For instructions on using the Lenel Controller Encryption Configuration Utility, refer to the OnGuard
Supplemental Materials media. The application and manual are located in an .MSI file, which must be
installed.
If the utility is already installed on a computer, start the Lenel Controller Encryption Configuration
Utility and select either the utility or the user guide.
For more information, refer to “Using OnGuard in the Supported Operating Systems” in the
Installation Guide.

Setup AES Encryption in a New Installation


Follow this procedure if you are initially setting up encryption in a new system/segment (where none
of the controllers are online with the OnGuard system).
For more information, refer to “Configure Manual Encryption and Set Keys” in System Options
Folder or Segments Folder chapter in the System Administration User Guide.
1. Configure the system/segment (in OnGuard) for manual key management encryption.
2. Generate a value for master key 1. By default, a random value is generated for the master key.
Alternatively, a pass phrase or manual entry can be chosen.

Note: It is recommended that both master keys in the segment be changed from their default
values. If master key 2 is left with its factory default value, this leaves a potential
security hole.
3. For each controller for which an encrypted connection is desired:
a. Physically go to the controller. Start the Lenel Controller Encryption Configuration Utility
and connect to the controller.
b. Verify the controller has the latest AES firmware. If not, download it. Note that the
controller must have a 256 KB chip before AES firmware can be downloaded.
c. Update master key 1 with the value configured (in step 1). If you modified master key 2,
update this key as well. Note that master key values can be exported from the access control
system to a file. The Controller Encryption Configuration Utility supports loading keys from
a file. To cut down on possible key exposure, a user may alternatively wish to use a pass
phrase that they remember and may not wish to use the export function.
d. For a Legacy Series controller, turn DIP switch 8 ON to require an encrypted connection.
This is recommended for the tightest security.
e. Place the controller on its standard connection that will be used in the access control system.
4. For each controller updated in step 3:
a. Configure the controller (in OnGuard) for an encrypted connection.
b. Place the controller online.
c. Verify an encrypted connection is achieved.

Note: For more information, refer to Access Panels Folder chapter in the System
Administration User Guide.

Set Up AES Encryption in an Existing System/Segment


Follow this procedure if you are initially setting up encryption in an existing system/segment (where
the controllers are online with OnGuard using a plain connection).
1. Configure the system/segment (in OnGuard) for manual key management encryption.
2. Generate a value for master key 1. By default, a random value is generated for the master key.
Alternatively, a pass phrase or manual entry can be chosen.

Note: It is recommended that both master keys in the segment be changed from their default
values. If master key 2 is left with its factory default value, this leaves a potential
security hole.
3. Verify each controller has the latest AES firmware. If not, download it. Note that the controller
must have a 256 KB chip before AES firmware can be downloaded.
4. For each controller for which an encrypted connection is desired:
a. Physically go to the controller. Start the Lenel Controller Encryption Configuration Utility
and connect to the controller.
b. Update master key 1 with the value configured (in step 1). If you modified master key 2,
update this key as well. Note that master key values can be exported from the access control
system to a file. The Controller Encryption Configuration Utility supports loading keys from
a file. To cut down on possible key exposure, a user may alternatively wish to use a pass
phrase that they remember and may not wish to use the export function.
c. For a Legacy Series controller, turn DIP switch 8 ON to require an encrypted connection.
This is recommended for the tightest security.
d. Place the controller on its standard connection that will be used in the access control system.

Note: For more information, refer to the Lenel Controller Encryption Configuration Utility
located on the OnGuard Supplemental Materials media.
5. For each controller set up/updated for encryption in step 4:
a. Configure the controller (in OnGuard) for an encrypted connection.
b. Verify the controller is online and an encrypted connection is achieved.

Note: For more information, refer to Access Panels Folder chapter in the System
Administration User Guide.

Enable Encryption for a New Controller in an Encrypted System/Segment


Follow this procedure if you have a system/segment previously enabled for encryption and you want
to enable encryption for a new controller.
1. Physically go to the controller. Start the Lenel Controller Encryption Configuration Utility and
connect to the controller.
2. Verify the controller has the latest AES firmware. If not, download it. Note that the controller
must have a 256 KB chip before AES firmware can be downloaded.
3. Load the keys currently configured for the system/segment.
4. For a Legacy Series controller, turn DIP switch 8 ON to require an encrypted connection.
5. Connect the controller to the OnGuard system.
6. Complete the following (in OnGuard) for each new controller:
a. Configure the controller for an encrypted connection.
b. Place the controller online.
c. Verify an encrypted connection is achieved.

Enable AES Encryption for an Existing Controller in an Encrypted System/Segment


Follow this procedure if you have a system/segment previously enabled for encryption and you want
to enable encryption for a controller (that already exists in that system/segment).
1. Verify the controller has the latest AES firmware. If not, download it using the OnGuard system.
The controller must have a 256 KB chip before AES firmware can be downloaded.
2. Complete the following at each controller:
a. Physically go to the controller. Start the Lenel Controller Encryption Configuration Utility
and connect to the controller.
b. The Controller Encryption Configuration Utility window displays. Load the keys currently
configured for the system/segment.
c. For a Legacy Series controller, turn the controller’s DIP switch 8 ON to require an encrypted
connection. This is recommended for tight security.
d. Reconnect the controller to the OnGuard system.

Note: For more information, refer to the Lenel Controller Encryption Configuration Utility
located on the OnGuard Supplemental Materials media and the Access Panels Folder
chapter in the System Administration User Guide.
3. Complete the following (in OnGuard) for each controller:
a. Configure the controller in OnGuard for an encrypted connection.
b. Verify the controller is online and an encrypted connection is achieved.

Switch to a New Master Key


Master key exposure is extremely low over the encrypted connections. The master key is only used to
encrypt an initial session packet in which a random session key is transferred to the controller. All
other packets in a given session with the controller are encrypted using that session key.
Even installations that wish to protect against an intruder intercepting packets over a long period of
time while trying to break the encryption do not need to switch master keys very often. Every six
months or one year is a reasonable time frame to address such concerns. If this type of attack is not a
concern, the master keys do not need to be changed at all.
The master key can be switched at any time if there is concern that it has been compromised.

Activating the Inactive Key without Changing Its Value


The very first time a key switch is made, the administrator may wish to simply use the master key 2
value that was initially set up in the system and in the controllers.
Additionally, on subsequent key switches, the administrator may not be concerned with generating a
new key value, but simply may want to switch to the other master key value previously configured.
This may be done if they simply want to vary the master key value periodically without going to the
trouble of making it unique with each change.

To activate the inactive key without changing its value, the system/segment simply needs to be
modified and the inactive key needs to be made the active key. All encrypted controllers in that
system/segment should remain online with an encrypted connection.

Updating the Value of the Inactive Key and Making it Active


The following procedure can be used to switch master keys while using a new master key value.
1. If you want the access control system to randomly generate the new key, the first step is to
modify the inactive key value in the access control system/segment and generate a new random
key. Do not activate this key yet.
Alternatively, if you want to use a pass phrase or manually pick a key, the inactive key value can
be updated as the first step, or can be updated later. Note that the master key values can be
exported from the access control system to a file. The Controller Encryption Configuration
Utility supports loading keys from a file. To cut down on possible key exposure, a user may also
wish to use a pass phrase that they remember and may not wish to use the export function.
2. Visit each controller configured for encryption and connect it to the Controller Encryption
Configuration Utility. Update the inactive master key.

IMPORTANT: Do not update the active master key. If this is done, the controller will remain
offline until the configuration change is made in the access control system to
activate that key.
3. Connect the controller using its standard access control system connection. The controller should
come back online with an encrypted connection using the currently active master key. Note that if
possible, controllers marked logically offline in the access control system should be updated as
well. This will allow them to easily be marked back online in the future.
4. After every controller has been updated, activate the inactive key in the access control system/
segment. If the new key value was set in the access control system in step 1, this is all that is
needed. Otherwise, enter the new key value in addition to making the inactive key active.
After the inactive key is made active, the access control system should begin making encrypted
connections to the controllers using the newly activated master key.
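The two-slot rotation this procedure describes, together with the missed-update cases under Mark an Encrypted Controller Back Online, as an added Python model (not Lenel or OnGuard code). It assumes a controller accepts an encrypted connection under either master key it holds and that OnGuard can resynchronise a controller only while the two still share a key; the sample master key value is the one quoted under Manual Key Entry.

```python
"""Model of OnGuard's two-slot master key rotation (added example, not Lenel code).

Assumed model rules: a controller accepts an encrypted connection under either
master key it holds, and OnGuard can resynchronise a controller only if the two
still share at least one key. This says nothing about the real wire protocol.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass

_HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_master_key(text: str) -> bytes:
    """Manual key entry: a 128-bit master key typed as 32 hexadecimal digits."""
    if not _HEX32.match(text):
        raise ValueError("master key must be exactly 32 hexadecimal digits")
    return bytes.fromhex(text)


def random_master_key() -> bytes:
    return secrets.token_bytes(16)  # random master key generation (OS CSPRNG)


@dataclass
class KeySlots:
    """Master key 1, master key 2 and the index (1 or 2) of the active slot."""
    key1: bytes
    key2: bytes
    active: int = 1

    def keys(self) -> tuple[bytes, bytes]:
        return (self.key1, self.key2)

    def active_key(self) -> bytes:
        return self.key1 if self.active == 1 else self.key2

    def inactive_index(self) -> int:
        return 2 if self.active == 1 else 1

    def set_slot(self, index: int, value: bytes) -> None:
        if index == 1:
            self.key1 = value
        else:
            self.key2 = value

    def activate_inactive(self) -> None:
        self.active = self.inactive_index()


def connection_state(onguard: KeySlots, controller: KeySlots) -> str:
    """encrypted: controller holds OnGuard's active key.
    shared-key-only: one key still in common (missed a single update); automatic
    key management recovers this on mark-back-online, manual leaves it offline.
    mismatch: nothing in common (missed two updates); manual load or downgrade."""
    if onguard.active_key() in controller.keys():
        return "encrypted"
    if set(onguard.keys()) & set(controller.keys()):
        return "shared-key-only"
    return "mismatch"


def rotate(onguard: KeySlots, visited: list[KeySlots],
           new_value: bytes | None = None) -> bytes:
    """Manual procedure: new value into OnGuard's inactive slot, then into each
    visited controller's inactive slot, then activate. Unvisited ones miss it."""
    new_value = new_value or random_master_key()
    slot = onguard.inactive_index()
    onguard.set_slot(slot, new_value)
    for ctl in visited:
        ctl.set_slot(slot, new_value)  # inactive slot only, never the active one
    onguard.activate_inactive()
    return new_value


def after_missed_updates(missed: int) -> str:
    """Start in sync, rotate twice; the controller skips the last `missed` visits."""
    key1 = parse_master_key("70E6E026E7AA7BD16679D5B9A8F1AF1E")  # sample from the guide
    onguard = KeySlots(key1, random_master_key(), active=1)
    controller = KeySlots(onguard.key1, onguard.key2)
    for round_no in range(2):
        rotate(onguard, [controller] if round_no < 2 - missed else [])
    return connection_state(onguard, controller)


def update_active_slot_by_mistake() -> tuple[str, str]:
    """The IMPORTANT note: the new value lands in the controller's active slot, so
    the link drops until OnGuard activates that key (returns state before/after)."""
    onguard = KeySlots(random_master_key(), random_master_key(), active=1)
    controller = KeySlots(onguard.key1, onguard.key2)
    new_value = random_master_key()
    onguard.set_slot(onguard.inactive_index(), new_value)  # correct on OnGuard
    controller.set_slot(onguard.active, new_value)         # wrong slot on the controller
    before = connection_state(onguard, controller)
    onguard.activate_inactive()                            # the fix named in the note
    return before, connection_state(onguard, controller)
```

Calling after_missed_updates(0), (1) and (2) yields "encrypted", "shared-key-only" and "mismatch", which is the distinction the mark-back-online guidance draws between one missed update and two.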

Swap Encrypted Controllers in the Field


It is sometimes necessary to replace a controller in the field with a new controller. If the “old”
controller is configured for encryption, the master key values for that controller must be loaded into
the new controller, prior to bringing the new controller online with the OnGuard system.
For more information, refer to the Lenel Controller Encryption Configuration Utility located on the
OnGuard Supplemental Materials media.
1. Do not connect the new controller to OnGuard yet.
2. Start the Lenel Controller Encryption Configuration Utility and connect to the controller.
3. Verify the controller has the latest AES firmware. If not, download it. Note that the controller
must have a 256 KB chip before AES firmware can be downloaded.
4. Load both master key values from the system/segment into the new controller. Note that both key
values can be exported from the access control system into a file (generally on a diskette) and
then loaded from that file into the Lenel Controller Encryption Configuration Utility.
Alternatively, you can memorize a pass phrase to load into the keys.
5. Connect the new controller to the OnGuard system. It should come online with an encrypted
connection using the current active master key.

Note: For a Legacy Series controller, if it is not possible for an authorized person to load keys
into the new controller prior to bringing it online, the controller in OnGuard must be
changed to a plain connection and DIP switch 8 must be turned OFF at the controller.
Later, you can establish an encrypted connection by following the steps in Enable AES
Encryption for an Existing Controller in an Encrypted System/Segment on page 26.

Disable AES Encryption for a Legacy Series Controller


If you want to disable encryption for a Legacy Series controller, segment, or system make sure DIP
switch 8 is OFF at every controller before disabling encryption. Otherwise, when encryption is
disabled in the OnGuard system, an encryption error occurs.

Notes: In OnGuard systems, controllers are disabled for encryption on the Encryption sub-tab
of the Access Panels form.
Segments are disabled for encryption on the Controller Encryption sub-tab of the
Segments form.
Systems are disabled for encryption on the Controller Encryption form of the System
Options folder.

Mark an Encrypted Controller Back Online


When it is time to mark an encrypted controller back online, make sure it has the latest key updates
before placing it online. For more information, refer to the “Load or Update Master Keys” in the
Lenel Controller Encryption Configuration Utility User Guide, located on the OnGuard Supplemental
Materials media.

Move an Encrypted Controller into a Segment


Complete these procedures to move an encrypted controller into a manual key management segment.
• Move the controller to the new segment in the OnGuard system.
• If the same values for the master keys are used in all segments, no other steps are required. If
the master key values (1 or 2) are different in the old and new segment, you need to visit any
controller that is being moved and using the Lenel Controller Encryption Configuration
Utility, transfer the master key values from the new segment to the controller.

Note: These steps can be done in either order. However, once either step is done, the controller
will be offline with a controller encryption error - master key mismatch, until the other
step is done.

Move an Encrypted Controller While Creating an Encrypted Segment


When a new segment is created and a source segment selected, OnGuard copies the encryption values
from the source segment into the new segment. Thus, if controllers are moved from the source
segment during the segment creation process, encryption operations are not impacted for those
controllers.

28 Encryption for Controllers User Guide


CHAPTER 4 Troubleshooting

TLS Encryption Troubleshooting

The icon column of the original table is not reproduced here.

Status    Connection                     Possible Cause and Suggested Action

Online    Encrypted                      None

Offline   Connection cannot be           • TLS encryption settings do not match.
          established                      Verify that the TLS encryption check box is
                                           selected on the Options sub-tab for the appropriate
                                           controller in System Administration > Access
                                           Control > Access Panels and that on the
                                           configuration web page for the same controller, the
                                           Data Security option is set to TLS Required.
                                         • TLS certificate signatures do not match.
                                           Verify that the same TLS certificate is installed on
                                           both the Communication Server and the access
                                           panel (controller).
                                         • TLS certificates cannot be found.
                                           Verify TLS certificates are in the correct store
                                           (Trusted Root Certification Authorities).

Offline   Communication lost             Verify network connections.


AES Encryption Troubleshooting

Connection Errors
There are three types of AES encryption connection errors that can occur: the controller does not
support encryption, the controller requires an encrypted connection, and a master key mismatch.
When any of these errors occurs, OnGuard may still be able to connect with a connection mismatch (that
is, an upgraded or downgraded connection). For more information refer to AES Connection
Mismatch on page 32 and Upgrading and Degrading Connections on page 32.

Controller Does Not Support Encryption


A controller encryption error stating the controller does not support encryption occurs when the
controller is configured for encryption in OnGuard but does not have AES firmware.
In this situation, a connection cannot be made without compromising security. By default, OnGuard
will not attempt to make a different type of connection.

Automatic Key Management. In automatic key management segment/systems, however, the


administrator can individually configure controllers to attempt degraded connections by selecting the
Allow next connection to be downgraded check box in the Access Panels Folder, Encryption sub-
tab of System Administration. This can be useful for physical hardware swaps or when a controller
has been marked logically offline and does not have the latest master key updates. For more
information refer to the Access Panels Folder chapter in System Administration.

Manual Key Management. In manual key management system/segments, you can either configure
the controller for a plain connection or manually update the controller to support encryption
(download AES firmware to the controller using a plain connection and then transfer the master
keys). The most secure way to operate is to manually update the controller.
If a manual key management system/segment is not configured to allow downgraded connections, the
controller will remain offline in an error state, until the error is corrected.
If a manual key management system/segment is configured to allow downgraded connections, you
may also get a controller connection mismatch error stating that the system degraded to a plain
connection due to no controller encryption support.

Controller Requires Encrypted Connection (Legacy Controller)


A controller encryption error stating the controller requires an encrypted connection occurs when a
controller is configured for a plain connection in the OnGuard system, but the controller requires
encryption (has AES firmware and DIP switch 8 is ON).
To correct this problem, you can either configure the controller for encryption or disable the
encryption requirement by setting DIP switch 8 OFF at the controller.
This error occurs when:
• A new controller is configured for a plain connection, but the controller requires encryption
(has AES firmware and DIP switch 8 is ON).
• An encrypted controller is online with an encrypted connection, but the administrator changes
the configuration to a plain connection.
• A controller is configured for a plain connection and is currently online with a plain connection.
Then, a physical controller swap is made where the new controller requires encryption.
• A controller that supports encryption is configured for a plain connection and is currently online
with a plain connection. Then, DIP switch 8 is turned ON.


Notes: In each of these cases, OnGuard tries to “upgrade” to an encrypted connection. If the
system is able to bring the controller online, a connection mismatch is reported. Security
is not compromised since an encrypted connection even with a factory default master
key is no less secure than the configured plain connection.
If none of the master keys exist in the controller, the controller remains offline with a
connection error. This includes the currently active master key in the system/segment,
the currently inactive master key in the system/segment, and the default master keys.

Master Key Mismatch


A controller encryption error with master key mismatch means the controller is configured for and
supports encryption, but the active master key value in OnGuard does not match the value in the
controller. OnGuard will attempt to downgrade the connection only if downgraded connections are
allowed in the configuration.
To correct this problem, update the master key values in OnGuard or in the controller so that they match.

Manual Key Management System/Segments. In manual key management systems/segments,


master key mismatch errors occur when:
• The master key loaded into the controller and OnGuard do not match.
• The wrong master key (1 or 2) is updated in OnGuard or the controller.
• A new master key is activated in the OnGuard system, but the controller is not updated.
• The active master key is updated in the controller and the controller is placed back on the
standard OnGuard connection without OnGuard being updated.
• Encryption is enabled for a controller (in a segment) prior to loading the master keys into that
controller.
• A physical controller swap is made where the new controller supports encryption (like the old
controller) but the master key values were not loaded into the new controller.
• An encrypted controller does not receive master key updates while it is offline. When the
controller is marked back online, a connection problem occurs.

Notes: If the manual key management system/segment is configured to allow downgraded


connections, the system/segment attempts to degrade the connection. If successful, the
system/segment reports a connection mismatch error with details that depend on the
type of connection that was made.
If a manual key management system/segment is not configured to allow downgraded
connections, the controller will remain offline in an error state, until the error is
corrected.

Automatic Key Management System/Segments. In automatic key management segments, master


key mismatch connections are automatically corrected, whenever possible. If a controller continues to
have a master key mismatch error, it is because OnGuard has not tried to degrade the connection or
the controller does not contain the inactive master key or factory default master key (1 or 2).
To correct this problem on a Legacy Series controller, configure the controller to allow the next
connection to be downgraded, and/or set DIP switch 8 OFF at the controller. When OnGuard achieves
a degraded plain connection, it will automatically correct the connection by transferring the active
master key to the controller and switching to an encrypted connection with the active master key. At
this point, DIP switch 8 can be set ON, if desired.
This situation occurs when:


• A physical controller swap is made with a new controller that supports encryption but does not
have the proper master keys loaded into it.
• An encrypted controller was marked logically offline when master key updates were made.
Therefore, the controller does not have the latest key updates. If it is marked back online, the
keys will not match.

AES Connection Mismatch


A connection mismatch error means a connection was made between the controller and the OnGuard
system, however the connection was made by upgrading or downgrading the connection. For more
information, refer to Upgrading and Degrading Connections on page 32.
To correct this problem, both OnGuard and the controller must agree on the type of connection that is
to be made (encrypted with the same master key or plain).

Notes: If a controller is online with a connection mismatch error and the system/segment is
then changed so that downgraded connections are not allowed, the system drops the
degraded connection and displays a master key mismatch error if the original problem
was a key mismatch. However, if the original problem was that the controller does not
support encryption, the controller will return to that error.
If the system upgrades the connection (due to the controller requiring encryption), then
changing the degraded connections setting has no bearing. Turning it on or off does not
change the system status.

Upgrading and Degrading Connections


Each time a connection error occurs, OnGuard tries to upgrade or degrade the connection regardless
of how the error occurred. In order for the system to degrade a connection, it must be configured to
allow downgraded connections. Automatic key management systems/segments are configured to
allow downgraded connections on an individual controller basis. Manual key management systems/
segments are configured to allow downgraded connections on a system/segment wide basis. No
special configuration is required for upgrading connections.

Upgrade Connections
Upgraded connections are always attempted when a controller requires encryption but has been
configured in OnGuard for a plain connection.
System/segments attempt upgraded connections in the following order:
1. If the system/segment is configured for encryption, an upgraded connection is attempted using
the current active master key.
2. If the system/segment is configured for encryption, an upgraded connection is attempted using
the current inactive master key.
3. An upgraded connection is attempted using the factory default value for master key 1.
4. An upgraded connection is attempted using the factory default value for master key 2.

Degrade Connections
Degraded connections are attempted when there is a connection error due to a controller not
supporting encryption or due to a master key mismatch.


Notes: Manual key management system/segments must be configured to allow downgraded


connections for the system/segment to degrade a connection.
Individual controllers in automatic key management system/segments must be
configured to allow downgraded connections for the system/segment to degrade a
connection.

System/segments attempt degraded connections in the following order:


1. A degraded connection is attempted using an encrypted connection with the inactive master key.
2. A degraded connection is attempted using an encrypted connection with the factory default value
for master key 1.
3. A degraded connection is attempted using an encrypted connection with the factory default value
for master key 2.
4. If the controller does not require an encrypted connection, a degraded connection is attempted
using a plain connection.
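The three error types from the Connection Errors section, the upgrade and degrade attempt orders above, and the status text listed later under Offline Due to an AES Encryption Problem and Online with a Connection Mismatch together form one small decision procedure. The following is an added example written for this edit, not code from Lenel or OnGuard: the Controller and OnGuardConfig structures, the function names, the placeholder factory default key values and the sample key names are all assumptions. It returns the status and the detail text the guide says Alarm Monitoring shows for each outcome, and bring_online() also models the automatic key management self-correction described in the next two paragraphs.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Placeholder values standing in for the factory default master keys 1 and 2.
# The real default values are not printed in the guide; these are an assumption.
DEFAULT_MK1 = "factory-default-master-key-1"
DEFAULT_MK2 = "factory-default-master-key-2"

MISMATCH = "online, connection mismatch"
ENC_ERROR = "offline, encryption error"


@dataclass
class Controller:
    """What the physical controller will accept (hypothetical model, not a Lenel API)."""
    has_aes_firmware: bool
    dip8_on: bool = False                               # Legacy Series: DIP switch 8 ON = encryption required
    loaded_keys: Set[str] = field(default_factory=set)  # master key values stored in the controller

    @property
    def requires_encryption(self) -> bool:
        return self.has_aes_firmware and self.dip8_on


@dataclass
class OnGuardConfig:
    """What OnGuard is configured to do for this controller (hypothetical model)."""
    encrypted: bool                        # encrypted connection configured in OnGuard
    active_key: Optional[str] = None       # system/segment active master key, None if not configured
    inactive_key: Optional[str] = None     # system/segment inactive master key
    allow_downgrade: bool = False          # per controller (automatic) or system/segment wide (manual)
    automatic: bool = False                # automatic (True) or manual (False) key management


def negotiate(ctrl: Controller, cfg: OnGuardConfig) -> Tuple[bool, str, str]:
    """Return (online, status, detail text) following the attempt order in the guide."""
    if cfg.encrypted:
        if ctrl.has_aes_firmware and cfg.active_key in ctrl.loaded_keys:
            return True, "online encrypted", ""
        if not cfg.allow_downgrade:
            # No degradation permitted: the controller stays offline with the underlying error.
            if not ctrl.has_aes_firmware:
                return False, ENC_ERROR, "Controller does not support encryption"
            return False, ENC_ERROR, "Master key mismatch"
        # Degrade order: inactive key, default MK1, default MK2, then plain only if the
        # controller does not require encryption.
        if ctrl.has_aes_firmware:
            if cfg.inactive_key is not None and cfg.inactive_key in ctrl.loaded_keys:
                return True, MISMATCH, "Encrypted with inactive master key due to active master key mismatch"
            if ctrl.loaded_keys & {DEFAULT_MK1, DEFAULT_MK2}:
                return True, MISMATCH, "Encrypted with default master key due to active master key mismatch"
        if not ctrl.requires_encryption:
            cause = "master key mismatch" if ctrl.has_aes_firmware else "no controller encryption support"
            return True, MISMATCH, "Degraded to plain connection due to " + cause
        return False, ENC_ERROR, "Master key mismatch"

    # Plain connection configured in OnGuard.
    if not ctrl.requires_encryption:
        return True, "online plain", ""
    # Upgrade is always attempted, in order: active key, inactive key, default MK1, default MK2.
    for key in (cfg.active_key, cfg.inactive_key, DEFAULT_MK1, DEFAULT_MK2):
        if key is not None and key in ctrl.loaded_keys:
            return True, MISMATCH, "Controller requires an encrypted connection"
    return False, ENC_ERROR, "Controller requires an encrypted connection"


def bring_online(ctrl: Controller, cfg: OnGuardConfig) -> Tuple[bool, str, str]:
    """Connect; in automatic key management, self-correct a degraded encrypted connection."""
    online, status, detail = negotiate(ctrl, cfg)
    if cfg.automatic and cfg.encrypted and online and status == MISMATCH:
        cfg.allow_downgrade = False                # the permission is one-shot: next connection only
        if ctrl.has_aes_firmware:
            ctrl.loaded_keys.add(cfg.active_key)   # active key transferred over the degraded link
            return negotiate(ctrl, cfg)            # reconnect with the configured encrypted connection
    return online, status, detail


if __name__ == "__main__":
    # Constructed scenario: a field swap where the replacement controller still holds only
    # the factory default keys, in an automatic key management segment.
    swapped = Controller(has_aes_firmware=True, loaded_keys={DEFAULT_MK1, DEFAULT_MK2})
    cfg = OnGuardConfig(encrypted=True, active_key="segment-mk1-v2", inactive_key="segment-mk2-v1",
                        allow_downgrade=True, automatic=True)
    print(negotiate(swapped, cfg))     # degraded: encrypted with a default master key
    print(bring_online(swapped, cfg))  # corrected: online encrypted with the active key
```

Re-running negotiate() after flipping allow_downgrade to False reproduces the note under AES Connection Mismatch: a degraded connection falls back to the original master key mismatch or "does not support encryption" error, while an upgraded connection (plain configured, controller requires encryption) is unaffected because the upgrade path never consults allow_downgrade.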

Manual Key Management System/Segments. For manual key management system/segments,


encryption degradation is configured on a system/segment wide basis. This option should not be
heavily used; it reduces the security that manual key management provides. However, an
administrator may choose to use this option when initially setting encryption up to ensure smooth
operation while becoming familiar with the process. An alternative to using this option is to
temporarily change the configuration (for a controller having problems) in OnGuard from an
encrypted connection to a plain connection.

Automatic Key Management System/Segments. For automatic key management systems/


segments, encryption degradation is configured on a per controller basis in the Encryption sub-tab of
the Access Panels form in System Administration. When degradation is allowed, it is automatically
cleared when the system gets the controller online. This is because in automatic key management,
once the controller does come online over a degraded connection, the system automatically
downloads the current active master key to the controller and switches to the proper configured
encrypted connection (unless the controller does not contain AES firmware). Thus, configured
degradation is only used for the next connection with the controller.

Note: In automatic key management system/segments, when encryption is first enabled for a
controller, the system automatically configures the controller for a downgraded
connection. This is because the active master key must be downloaded to the controller
prior to the encrypted connection being achieved.

Master Key Updates in Automatic Key Management System/Segments


In automatic key management system/segments, OnGuard automatically transfers the active master
key when encryption is first enabled on a given controller or whenever a master key change is made
at the system/segment level.
Between the time the configuration change is made and the new master key is successfully transferred
to a given controller, the previous connection is kept with that controller. During this time, the system
indicates there is a pending key update for the controller on the Encryption tab of the LNL-X2210,
LNL-X2220, LNL-X3300, LNL-X4420, LNL-3300, LNL-3300-M5, LNL-2220, LNL-2210, LNL-
2000, LNL-1000, or LNL-500 Access Panel tab (in System Administration). This status can also be
seen in the controller’s Properties dialog in Alarm Monitoring. The Master Key Update Pending
field displays with a value of “True”.


For a controller that is currently online, the key transfer process normally completes within seconds.
For a controller that is currently offline, the key transfer process waits until the next time the
controller comes online.
If there are pending master key updates for any controllers configured for encryption and marked
logically online in an automatic key management system/segment, any subsequent master key
modifications are disallowed by the system. The previous update must complete before a subsequent
update can be done.

Encryption Status in Alarm Monitoring and Reported Events


Alarm Monitoring indicates the following encryption-related statuses:
• Whether the current connection to a Lenel controller is plain or encrypted. This is indicated via
separate icons on the system status and map views as well as through additional text that can be
viewed in the Properties dialog (right-clicking a Lenel controller and selecting Properties).

Note: Operators must have permission to view encryption information, otherwise the standard
icon for a plain connection displays in Alarm Monitoring regardless of the type of
connection used.
• Whether a controller is offline due to an encryption problem. This is indicated via separate icons
on the system status and map views, as well as reported events, current device status text, and
through additional text that can be viewed in the Properties dialog.
• Whether a controller is online but the current connection does not match the configured
connection. This is indicated via separate icons on the system status and map views, as well as
reported events, current device status text, and through additional text that can be viewed in the
Properties dialog.
The following icons display in the System Status window and as default state icons in the map view
for the access controller group:

Each row has one icon for an access controller and one for dialup access; the icons themselves
are not reproduced here.

Icon                     Controller Status   Connection                 Action

Access / Dialup access   Online              Plain, or the user does    None, or request permission from the
                                             not have permission to     System Administrator.
                                             know the type

Access / Dialup access   Online              Encrypted                  None

Access / Dialup access   Online              Does not match             Determine the possible cause and correct
                                             configuration              the encryption type or key mismatch. For
                                                                        more information, refer to Online with a
                                                                        Connection Mismatch on page 35.

Access / Dialup access   Offline             Connection problem         Verify network connections.

Access / Dialup access   Offline             AES encryption problem     View the error and correct the encryption
                                                                        setting or key mismatch. For more
                                                                        information, refer to Offline Due to an
                                                                        AES Encryption Problem on page 35.

Offline Due to an AES Encryption Problem


If a controller is offline due to an encryption problem, Alarm Monitoring does the following, in
addition to showing the proper icon:
• Alarm Monitoring displays an encryption error in the current device status for the controller.
• A controller encryption error event is reported. Associated text in the event indicates the details
of the error.
• If the controller’s Properties dialog is brought up in Alarm Monitoring, the details of the error
can also be viewed.
The details of the error will be one of the following:
• Controller requires an encrypted connection - indicates a plain connection has been configured
but the controller requires an encrypted connection.
• Controller does not support encryption - indicates an encrypted connection has been configured
but the controller does not support encryption.
• Master key mismatch - indicates the master key configured in OnGuard does not match the key
that is in the controller.

Online with a Connection Mismatch


OnGuard only attempts to get a controller online with a non-configured connection if the controller is
configured to allow the next connection to be downgraded (in automatic key management system/
segments) or the system/segment is configured to allow downgraded connections (in manual key
management system/segments).
When a controller is online, but the connection was degraded and thus does not match the configured
connection, Alarm Monitoring does the following in addition to showing the proper icon:
• Displays “encryption connection mismatch” in the current device status for the controller.
• Reports a controller connection mismatch event. Associated text in the event indicates the details
of the mismatch.
If the controller’s Properties dialog is brought up in Alarm Monitoring, the details of the mismatch
can be seen and will be one of the following:
• Degraded to plain connection due to master key mismatch - indicates an encrypted connection
was configured but could not be achieved due to a key mismatch. OnGuard degraded to a plain
connection to get the controller online.
• Degraded to plain connection due to no controller encryption support - indicates an encrypted
connection was configured but could not be achieved because the controller does not support
encryption. OnGuard degraded to a plain connection to get the controller online.
• Controller requires an encrypted connection - indicates a plain connection was configured, but
the controller requires an encrypted connection. OnGuard was able to get the controller online by
using an encrypted connection.


• Encrypted with inactive master key due to active master key mismatch - indicates an encrypted
connection was configured but could not be achieved with the current active master key due to a
key mismatch. OnGuard was able to get the controller online by using the inactive master key.
• Encrypted with default master key due to active master key mismatch - indicates an encrypted
connection was configured but could not be achieved with the current active master key due to a
key mismatch. OnGuard was able to get the controller online by using the factory default master
key.





LenelS2
1212 Pittsford-Victor Road
Pittsford, New York 14534 USA
Tel 866.788.5095 Fax 585.248.9185
www.lenelS2.com
docfeedback@lenelS2.com
