Index | Prev | Next

Security update 1 changes to Station Copier usage

In the 2013 NiagaraAX update releases (e.g. AX-3.7u1), station password storage changed to become much more secure. Now, in some cases you may need to edit a saved station database (config.bog file) before installing it (copying it) to a remote platform using the Station Copier.

NoteFor any station copied from a host running AX-3.8, config.bog file edits are unnecessary. Such files are saved in a more “portable format” than when using an 2013 update release. Therefore, the following sections apply to hosts running 2013 “update releases” only.

NoteFor more details on the changed password storage in the 2013 “update 1” releases (e.g. AX-3.7u1), as well as additional AX-3.8 changes, refer to the document NiagaraAX 2013 Security Updates. Included is information regarding system upgrades and usage of the platform Distribution File Installer, as well as details related to the platform Station Copier.

When config.bog edits are not needed

Edits to a config.bog file are not needed for any AX-3.8 station copy. For a AX-3.7u1 station copy, if you want to simply re-install a saved copy back to the same source host that you copied it from (using the Station Copier), typically no edits to the station config.bog file are needed. This also applies to a previous station copy made using a pre-update NiagaraAX release (AX-3.7, AX-3.6, or AX-3.5), or after.

  • In the first case, when the remote AX-3.7u1 or later host (typically JACE) starts up the newly copied station, it automatically converts all the passwords in the station to the newer storage formats, and immediately re-saves that station (config.bog file) in its file space.

    Now, if you use the Station Copier to save that station back to your Workbench, that station database (config.bog file) has all passwords stored in the updated, more secure formats.

  • In the second case, the saved AX-3.7u1 station database (config.bog file) already has passwords stored in the updated formats. Providing that you re-install it to the same JACE host that you saved it from, no edits to that config.bog file are necessary.

    The two exceptions to this are as follows:

    • If after you saved that station, a “clean dist” file was installed on that JACE, and you then installed (or re-installed) an update (e.g. AX-3.7u1) or later release. In this case, note all the “client passwords” in the saved config.bog (e.g., the Password property of the ClientConnection under each NiagaraStation, or the Password of the OutgoingAccount under the EmailService) are no longer valid, even if the JACE hardware is the same. In this case you can simply re-enter all the client passwords and re-save that station.

    • If that JACE had since been “downgraded” to a pre-update release, e.g. AX-3.7 or AX-3.6. In this case, that station will not successfully start (as its software doesn’t know how to handle the new password storage formats). Before this station is usable on any such host, you need to edit its config.bog file offline in Workbench, re-entering all password property values—both “client passwords” and all station User passwords (under UserService).

When config.bog edits are needed

Before the 2013 update releases such as AX-3.7u1, you could use the Station Copier to copy/save a station from one host, and install/copy it to another different (but similar) host, all without any issues. This same ability returned in AX-3.8, providing that the saved station was running AX-3.8.

However, in the AX-3.7u1 update release, because of the different station password storage methods, the following scenarios typically require you to perform some offline editing of the saved station file (config.bog) first, that is before using the Station Copier to install/copy it to other different platforms.

  • When the saved station is to be replicated on multiple updated (e.g. AX-3.7u1) hosts.

    In this case, although all station User passwords (under UserService) will be working (they are considered “portable”), all the “client passwords” in the station will not work (unless installed back to the original host). Examples of these passwords are the Password property of the ClientConnection under each NiagaraStation, or the Password of the OutgoingAccount under the EmailService.

    These passwords in the config.bog will not work because they are encrypted based on files in the platform’s !security folder that are different (and unique) to each JACE controller.

    For related details, refer to the NiagaraAX 2013 Security Updates engineering notes document, including section “Making modifications to archived station files”.

  • When a station saved with Workbench AX-3.7u1 or later is to be installed on any host running a “pre-update” release, e.g. AX-3.7 or AX-3.6. Again, in this case the station will not successfully start (as its software doesn’t know how to handle the new password storage formats).

    Before this station is usable on any such host, you need to edit its config.bog file offline in Workbench, re-entering all password property values—both “client passwords” and all station User passwords (under UserService).

Index | Prev | Next

Copyright © 2000-2014 Tridium Inc. All rights reserved.