*Node configuration

Owned by Tom Polman
Last updated: Jun 19, 2023 by Arnout van Wanrooij
8 min read

Configuration Article | CA-20231906-AA-01

iProtect Access / Security | Video | Configuration Aurora |

 

When the INVR software is hosted on the main iProtect server:

  1. In the iProtect™ Aurora menu, go to “Installation” > “Hardware” > “Line”.

  2. Click on the “Search” button.

  3. In the browse window, right-click on the line to which the node should be added and select “Add node”. The details pane will open.

  4. Select the following specifications

  • Node type : “iNVR”

  • Max disk usage : 80 (recommended)

  • Active : (mark field)

  • HTTP port : 4040 (default value)

  • HTTPS port: 443 (default value) (available from iProtect version 10.01)

  • IP address : The iProtect™ server IP address from which the server is connected to access control substations (Pluto, ipu-8, Polyx, etc)

  • GUI IP address : The IP address from which iProtect™ clients should retrieve pictures. During local use, the IP address used by the GUI to connect to the INVR server. If an additional external connection is also in place (e.g. across a router), a host name instead of an IP address can be used. A DNS system should be used to allow the GUI to connect to the INVR. If no DNS is available, this name could also be configured in the local host list in all clients; To do this, go to: c:\windows\system32\driversetc\hosts and open it in notepad. At the bottom of the list, add the IP address that you use to access iProtect™ Aurora (can be a router address) and enter the same host name as configured in iProtect™ Aurora.

Click on “Save”.

 

When the INVR software is hosted on a dedicated iProtect INVR server:

The dedicated iProtect INVR server must use the same iProtect version as the iProtect main server. a iProtect license is however not required, since only the INVR process will be used.

Synchronize iprotectjava.key

  1. Download the keystore from the iProtect main server

    1. Login to the maintenance page of the iProtect main server

    2. Click: iProtect > Standby > Download > Keystore

    3. Extract the *.taz file en retrieve the iprotectjava.key

  2. Upload the iprotectjava.key to the dedicated INVR server

    1. On the INVR server replace the file with SFTP in folder:

      1. iProtect version 10.01 and lower: /home

      2. iProtect version 10.02 and higher: /home/atlas

  3. Restart the JAVA processes:

    1. Login to the maintenance page of the iProtect main server

    2. Click: iProtect > Services > General > Restart user interface

Synchronize certificates (for iProtect version 10.02 and higher)

From iProtect version 10.02 and higher we only support video images over https. Video images will than only be shown when the certificate of the dedicated INVR server is recognized/ has the same CA as the iProtect main server. If the certificate for the iProtect main server is provided by the customer the certificate for the dedicated INVR server must also be provided by the customer (same CA).

If the iProtect main system is in “OwnCA” mode than the iProtect main server must provide this certificate.

  1. Create certificate CSR on the dedicated INVR server

    1. Login to the maintenance page of the iProtect main server

    2. Click: iProtect > Certificate > Configuration

    3. At option, select: Create CSR certificate request

    4. At certificate, enter the necessary certificate details, at the Subject Alternative Names field enter the IP-addresses and/ or DNS names (comma separated) used by the GUI to connect to the dedicated INVR server

    5. Click: iProtect > Certificate > Download, and click: CSR certificate request to download the CSR

  2. Let the customer sign the CSR in case the customer provides the certificates, or sign the CSR on the iProtect main server:

    1. Login to the maintenance page of the iProtect main server

    2. Click: iProtect > Certificate > Configuration

    3. At Upload CSR: Upload the CSR file. a check will be performed and when OK the certificate will be signed, a download button will appear

    4. Click the download button, the signed certificate and the public root certificate will be downloaded in a *.zip file

  3. Install the certificate on the iProtect dedicated INVR server:

    1. Login to the maintenance page of the iProtect main server

    2. Click: iProtect > Certificate > Configuration

    3. At option, Install certificate: Select the downloaded *.zip, and click post

    4. A check will be performed, when OK the activate button will be shown

    5. Click the activate button to activate the certificate

Create INVR node

  1. In the iProtect™ Aurora menu, go to “Installation” > “Hardware” > “Line”.

  2. Click on the “Search” button.

  3. In the browse window, right-click on the line to which the node should be added and select “Add node”. The details pane will open.

  4. Select the following specifications

  • Node type : “iNVR”

  • Max disk usage : 80 (recommended)

  • Active : (mark field)

  • HTTP port : 4040 (default value)

  • HTTPS port: 443 (default value) (available from iProtect version 10.01)

  • IP address : The iProtect™ dedicated INVR server IP address

  • GUI IP address : The IP address from which iProtect™ clients should retrieve pictures. During local use, the IP address used by the GUI to connect to the INVR server. If an additional external connection is also in place (e.g. across a router), a host name instead of an IP address can be used. A DNS system should be used to allow the GUI to connect to the INVR. If no DNS is available, this name could also be configured in the local host list in all clients; To do this, go to: c:\windows\system32\driversetc\hosts and open it in notepad. At the bottom of the list, add the IP address that you use to access the iProtect™ Aurora dedicated INVR server (can be a router address) and enter the same host name as configured in iProtect™ Aurora for the dedicated INVR server.

Click on “Save”.

 

When the INVR software is hosted on a Windows server:

The Windows INVR installer must be the same iProtect version as the iProtect main server.

Synchronize iprotectjava.key

  1. Download the keystore from the iProtect main server

    1. Login to the maintenance page of the iProtect main server

    2. Click: iProtect > Standby > Download > Keystore

  2. Install the INVR service with the iprotectjava.key on the Windows server

    1. Put the iprotect.key.sun.taz file in the same folder as the INVR for Windows installer file

    2. Run the INVR for Windows installer, the iprotectjava.key will be automatically installed

Do not change the name of the iprotect.key.sun.taz file, otherwise the installation of the iprotectjava.key will failed.

Synchronize certificates (for iProtect version 10.02 and higher)

From iProtect version 10.02 and higher we only support video images over https. Video images will than only be shown when the certificate of the dedicated INVR server is recognized/ has the same CA as the iProtect main server. If the certificate for the iProtect main server is provided by the customer the certificate for the dedicated INVR server must also be provided by the customer (same CA).

If the iProtect main system is in “OwnCA” mode than the iProtect main server must provide this certificate.

Creating certificate CSR file on the windows INVR server

To create the certificate for the Windows INVR software we will use the tool “Keystore explorer”

1.Download and install “Keystore explorer” from KeyStore Explorer

  1. Start keystore explorer

  1. Click: Create new keystore

 

  1. Select PKCS#12, and click OK

 

  1. Right click and select Generate key pair

 

  1. Leave on default (RSA) and click OK

 

  1. Change validity end to the desired end date and Click add extensions

 

  1. Click use standard template, select CA, than OK

 

  1. Click the green + and add extension Subject Alternative Name, click OK

 

10. Add all DNS names/ addresses that are used to connect to the INVR host system and click OK

 

11.Set certificate settings, as desired (the printscreen is a example)

 

12. Click OK until the dialogue is closed, when asked for “Enter Alias”, tomcat must be filled. click OK

When asked for the password, at default this must be changeit (*can be different if desired)

 

13. Right click on just created keypair and select: Generate CSR

 

14. Set the location where the file is saved and click OK



Signing process of the certificate CSR file and creating .keystore file.

 

  1. Let the customer sign the CSR in case the customer provides the certificates, or sign the CSR on the iProtect main server:

  2. Login to the maintenance page of the iProtect main server

  3. Click: iProtect > Certificate > Configuration

  4. At Upload CSR: Upload the CSR file. a check will be performed and when OK the certificate will be signed, a download button will appear

  5. Click the download button, the signed certificate and the public root certificate will be downloaded in a *.zip file

  6. Install the certificate on the Windows INVR server:

    1. Extract the iprotect-signed-csr.zip file

    2. Import the “signed-csr.crt” file by right clicking the certificate and selecting: Import CA Reply > From File

    3. Import all root and intermediate certificates to complete the chain, by right clicking the certificate and selecting: Import Edit Certificate Chain > Append Certificate

    4. Check certificate, by right clicking the certificate and selecting: View Details > Certificate Chain Details

    5. If all is OK, save this certificate as .keystore in the INVR home folder. Default location: c:\iNVR\home\.keystore (replace the default .keystore file)

    6. Restart the INVR service

      1. Start services.msc

      2. Restart the INVR process, by right clicking the service and than click “restart”

*If the password for the certificate is other than changeit, than this should be adjusted in the file: C:\iNVR\home\atlas\iprotect\catalina_base\conf\server.xml

Create INVR node

  1. In the iProtect™ Aurora menu, go to “Installation” > “Hardware” > “Line”.

  2. Click on the “Search” button.

  3. In the browse window, right-click on the line to which the node should be added and select “Add node”. The details pane will open.

  4. Select the following specifications

  • Node type : “iNVR”

  • Max disk usage : 80 (recommended)

  • Active : (mark field)

  • HTTP port : 4040 (default value)

  • HTTPS port: 4443 (available from iProtect version 10.01)

  • IP address : The iProtect™ dedicated INVR server IP address

  • GUI IP address : The IP address from which iProtect™ clients should retrieve pictures. During local use, the IP address used by the GUI to connect to the INVR server. If an additional external connection is also in place (e.g. across a router), a host name instead of an IP address can be used. A DNS system should be used to allow the GUI to connect to the INVR. If no DNS is available, this name could also be configured in the local host list in all clients; To do this, go to: c:\windows\system32\driversetc\hosts and open it in notepad. At the bottom of the list, add the IP address that you use to access the iProtect™ Aurora Windows INVR server (can be a router address) and enter the same host name as configured in iProtect™ Aurora for the Windows INVR server.

Note that in this setup, the HTTPS port setting is port 4443 instead of 443.

Click on “Save”.