Connecting System Builder

Before you start commissioning you must first connect System Builder (SB) to the system. Use a USB PC Node adapter to connect over RS-485 or an EG to connect over Ethernet or Wi-Fi.

To establish a successful connection, select the job name (to connect to the trunk) or a gateway/bridge (to connect to a spur) in the tree, click sb icon connection settings Connection Settings, and select the Connection Type:

Serial RS-485

The Connection Details section lists the available USB COM ports and shows the port status.
sb machine connection settings serial

TCP Ethernet

The Connection Details section lists the available EGs configured with TCP IP addresses, port numbers and box numbers and shows the port status. The default port number is 50000.
sb machine connection settings tcp

UDP Ethernet

The Connection Details section allows you to select the Domain, Type, Interface, IP address and Port number. The default is IPv6 multicast service address: ff12:4479:6e61:6c69:7465, Port 52145.
sb machine connection settings udp

for security reasons, the UDP Multicast default service address is being deprecated. To connect to Ethernet devices, click the Insert Devices from Network icon and select Discover Network > Discover Devices over Ethernet (This will find Ethernet devices even when SB is disconnected).
Ethernet Trunk

The Ethernet Trunk Connection Settings page lists the available EGs configured with TCP/IP addresses, port numbers and box numbers and shows the port status. The default port number is 50000. This connection is only available after EG commissioning is complete.

sb connection settings ethernet trunk

Adding an IPv4 port

If you want to create a TCP connection to the EG instead of using a serial connection or UDP IPv6 multicast connection, you can add a TCP IPv4 port and make the gateway into a server.

Add an IPv4 port:
  1. Plug in a PC Node to the USB port on your PC and then to the RS-485 port on the device.

  2. Connect SB to the device via the RS-485 network serial port.

  3. Click, the Port Editor tab.

  4. Set Static IP to True.

  5. Enter an IP address for the EG (e.g., 192.168.1.50).

  6. Click sb icon add port Add and select sb icon port ipv4 IPv4 Port.

  7. Configure the IPv4 Port with the following settings:

    Port Flags

    Port type

    DyNet2

    Connection

    Trunk

    Mode

    Server

    Area zero transmit

    Disabled

    Port Number

    50001

    Sign on at start up

    Enabled

    Protocol

    TCP

    sb ports ipv4
  8. Press F12 or click sb icon save to device Save to Device.

  9. Click sb icon send device reset Send Device Reset.

  10. After the device reboots, reconnect SB with a TCP connection.

    sb machine connection settings tcp trunk

Connection status

You can connect your PC to any device in a single spur network; however, for multi-spur networks System Builder (SB) needs to know if it is physically connected to the trunk or to the spur to ensure that it can correctly address devices. In multi-spur networks the following icons in the tree show which part of the network SB is connected to:

  • sb icon connect SB is currently connected to this trunk or spur

  • sb icon connected above SB is connected at a level above this spur

  • sb icon connected below SB is connected at a level below this trunk

  • sb icon disconnect SB is NOT currently connected to this trunk or spur

sb connected spur
Spur example

SB shows the connection status in the lower right corner: sb connection status spur

sb connected trunk
Trunk example

SB shows the connection status in the lower right corner: sb connection status trunk

SB can connect to a trunk or spur in the system without physically changing how the PC is plugged in. Check that the physical connection matches the view in the tree. Errors in address translation may occur in your system if you change configuration or add devices whilst being connected to a different level/bridge than intended.

Creating a Site CA Certificate

The site CA certificate (Site Private Key) is created in SB and is then used to sign and upload a device site certificate to the PDDEG-S gateways and to Ethernet devices. When SB has a Site CA certificate, it shows a sb icon ca cert green lock icon at job level in the System and Building views.

SB shows the same sb icon ca cert green lock icon next to a PDDEG-S or Ethernet device when a device site certificate has been uploaded. This enables SB/SM and Ethernet devices to securely connect to the PDDEG-S via TLS TCP.

If the lock icon on an EG shows a sb icon ca cert warning warning icon, check the tooltip as it will indicate one of the following:

  • Device site certificate is configured but site CA used to sign the device certificate is not found on this machine. System Builder will be unable to securely connect to this device. Ensure correct site CA certificate is imported into this machine with the Tools menu, sb icon manage certificate Set Site CA Certificate option.

  • Device site certificate is configured but doesn’t match Site CA configured in job. System Builder will be unable to securely connect to this device. An updated device site certificate should be signed and uploaded to the device.

  • The Site CA certificate is stored on your PC, not in the job file. To allow another PC to commission the same site you must securely send the job file, the site CA certificate, and the password.

  • Having a lock icon in SB, a gateway, or a device simply means you have created and uploaded a certificate. You still need to configure the secure connections (via the sb icon bridge wizard Bridge Configuration Wizard) and save to device before you can connect securely.

  • For more information, refer to topics Commissioning > Ethernet Bridge > Secure Ethernet to RS-485 and Commissioning > Ethernet Bridge > Secure Ethernet to Ethernet.

Create/Import Site CA Certificate:
  1. Select Tools > sb icon manage certificate Set Site CA Certificate to open the Site Certificate Selection window.

  2. If starting a new job, click the Create button to create a new site certificate.

    1. After creating a new site certificate, you will be prompted to Export the Site Certificate and save it in a secure location.

    2. For additional security when exporting the site certificate, you must enter a password. This password will be required by anyone importing the site certificate into another machine.

  3. If someone has already started commissioning any of the devices and already created a site certificate, then they will need to export the certificate from their machine. You can then import the site certificate and enter the password into any machines used to commission or connect to secure Ethernet devices.

    sb site certificate selection

System Hardening

The proprietary DyNet communication over IP networks may or may not contain any additional security measures. Therefore, physical access to the system should be restricted to authorized persons only, and segregated from other Ethernet networks.

To mitigate the risk of unauthorized access to a system, it is important that during commissioning, site-specific information is stored securely and only shared with relevant project stakeholders.

System hardening must be performed on every system before handover to the customer. Ensure that you secure all system connections and interfaces as much as possible. To complete commissioning, the commissioning engineer must disable all connectivity except that required and remove default credentials.

System Hardening checklist:
  1. Back up databases.

  2. Install gateways and controllers in a secure enclosure/distribution board/room.

  3. Make the data cabling physically inaccessible except to authorized persons, as much as possible.

  4. Use a VLAN or separate cables to segregate the control network from corporate IP networks.

  5. Use a secure connection or VPN where possible for connections to Integrated systems.

  6. Delete unnecessary System Manager user accounts and carefully manage necessary accounts.

  7. Delete unnecessary Ethernet gateways user accounts.

  8. Enable CGI (only) user authentication on interfaces.

  9. Implement LDAP + StartTLS for user authentication on relevant devices, where possible.

  10. Remove unnecessary user permissions.

  11. Implement complex user passwords in interfaces (8-12 Characters).

  12. Implement complex user passwords in gateways (> 20 character fully random, that is not shared by any other gateway).

  13. Disable UDP default multicast port.

  14. Disable UDP default unicast port.

  15. Disable WebSocket if not used.

  16. Remove unnecessary protocols and disable unnecessary features such as FTP and Telnet.

  17. Disable unnecessary ports.

  18. Install security certificates in gateways to establish TLS TCP connections, where possible.

  19. Install security certificates on the server/client machines to use HTTPS connections where possible.

  20. Install 802.1X certificates to enable 802.1X (https://en.wikipedia.org/wiki/IEEE_802.1X)

For more information, refer to the Dynalite System Hardening Guide.