In AX-3.8, station security continues with improvements over prior releases, including the “update 1” release for AX-3.7 (in this document “AX-3.7u1”).
In AX-3.8, the definition of “strong passwords” is now configurable for any station. A new “Password Strength” container under the station’s UserService has separate properties to specify the minimum numbers of characters in a valid password, including total number (length), upper case, lower case, digits, and special characters. This container effectively replaces the previous “Require Strong Password” (boolean property) of the UserService, where minimum requirements for strong passwords was fixed—and not especially strong. For details, see Strong password notes.
AX-3.8 uses the same improved station password storage first introduced in AX-3.7u1 (and also “update 4” releases for AX-3.6 and AX-3.5). However, AX-3.8 Workbench platform tools to copy/transfer stations and make backups were improved to make station archives more “portable” among multiple hosts. An update to the standalone NiagaraAX 2013 Security Updates document describes these AX-3.8 changes, along with continuing considerations that apply when upgrading a system running a release prior to AX-3.7u1 (or AX-3.6u4 or AX-3.5u4) to AX-3.8.
In AX-3.8, required user permissions to acknowledge alarms were reduced. For details, see Alarm ack permission notes.
Station security features introduced in the original AX-3.7 release continue in the AX-3.8 release. You can require users to reset their password upon next logon, define periodic password expirations (prompting users to change their passwords), and specify a “password history” limit to prevent reuse of old passwords. By default, “strong passwords” in a UserService are in effect, with default minimum values of password length 10, upper case 1, lower case 1, digits (numerals) 1, and special characters 0 (none). The Workbench “New Station” wizard uses these particular defaults; however, once a station is created you can change its definition of strong passwords if needed.
Finally, as in AX-3.7, most NiagaraAX hosts can be configured for secure, encrypted (SSL or TLS) connections for all types of Niagara access, including station (Fox) connections, browser access, or platform connections. Note this PKI certificate-based server authentication occurs before station login, and is SSL encrypted. In an SSL connection attempt, if a user “rejects” an untrusted or unknown certificate at the warning, the Niagara login dialog is never reached. For complete details, refer to the NiagaraAX SSL Connectivity Guide.
Copyright © 2000-2014 Tridium Inc. All rights reserved.