IPROTECT - Release notes 10.02
Table of contents
- 1 Table of contents
- 2 1. Introduction
- 3 2. System requirements
- 4 3. End of support
- 5 4. iProtect server and application
- 5.1 4.1 Sense support
- 5.2 4.2 API
- 5.3 4.3 Cockpit
- 5.3.1 4.3.1 Firewall
- 5.3.2 4.3.1 System time
- 5.3.3 4.3.2 Restart server
- 5.3.4 4.3.3 Maintenance page
- 5.4 4.4 Security updates
- 5.4.1 4.4.1 Security settings
- 5.4.1.1 4.4.1.1 Cross-site request forgery (CSRF)
- 5.4.1.2 4.4.1.1 Security setting: HTA enable
- 5.4.1.3 4.4.1.3 Media element
- 5.4.1.4 4.4.1.4 Time between next execution
- 5.4.1.5 4.4.1.5 Certificates in iProtect
- 5.4.1.6 4.4.1.6 Session management
- 5.4.1.7 4.4.1.7 System users
- 5.4.1 4.4.1 Security settings
- 5.5 4.5 New features
- 5.5.1 4.5.1 Confirm office mode
- 5.5.2 4.5.2 Boot behavior
- 5.5.3 4.5.3 Cosmos access, multi select on interaction type
- 5.5.4 4.5.4 Mitsubishi elevator - communication speed up
- 5.5.5 4.5.5 Download pdf
- 5.5.6 4.5.6 Rijkspas - User moves from CMS to Hub
- 5.5.7 4.5.7 User interface - Display error message
- 5.5.8 4.5.8 System user - Expire date
- 5.6 4.6 Maintenance
1. Introduction
These release notes provide information about the latest features of iProtect, including required software versions and hardware installation and operating manuals.
2. System requirements
This chapter lists the required hardware and software for iProtect, including the licensing scheme of iProtect upgrades.
2.1 Supported servers
Below is a list of existing servers that can be updated to Ubuntu 20.04:
TKH KP10
DELL KP13
DELL KP23
DELL KP24
DELL KP43
DELL KP44
IPT-S24
IPH-S24
IPH-S44
IPH-S10
2.2 Hardware specification
The hardware specification depends on many variables, so the required specification is customer specific.
Guide lines for 2500 card users and 250 readers and 5 concurrent users*.
Version | CPU | Ram | Disk |
10.00 | 2.0 Ghz dual core | 8 GB | >= 500GB |
10.01 | 2.0 Ghz dual core | 8 GB | >= 500GB |
10.02 | >= 2.0 Ghz dual core | 16 GB | >= 500GB |
10.03 | >= 2.0 Ghz dual core | 16 GB | >= 500GB |
Test system (small) | 1.6 Ghz dual core | 4 GB | 100GB |
For large systems (>1000 readers, >20 concurrent users), a minumum of 32GB internal memory and 8 cores is recommended. *
Depending of the use of images (keymaps, photo’s), the diskspace should be checked.
2.3 Software
The minimum required operating system version for iProtect
iProtect version | O.S. | iProtect setup | Internet connection required |
10.02 | Ubuntu 20.04 LTS | >= V3.0 | Yes, for installation and updates |
For iProtect 10.02 with Ubuntu 20.04, there is a TKH repository with all needed files for installing and maintaining the setup files.
The operating system can be downloaded from Ubuntu's default repository.
It is highly recommended to ensure that iProtect is connected to the internet during installation. Permanent access to the internet is of course possible, but temporary internet access for updating the security packages is also possible.
On request there is an option to install iProtect without an internet connection but is not recommended !
2.4 License
From iProtect version 10.01 onwards, the licensing mechanisms have changed. The iProtect licensing has been brought in line with the Sense licensing scheme.
A license is now defined by a Product ID. By activating this license (Product ID) on a specific server, a valid license for that server is generated. The license can also be deactivated and transferred to another server via this Product ID. The activation and deactivation can be done both online and off-line.
2.5 Browser support
All tests are done with default browser settings, if some functionalities require changes to the settings, this will be mentioned in the specific manual. The following browsers are supported in iProtect:
Browser | Version |
---|---|
Google Chrome | >= 101 |
Mozilla Firefox | >= 78.15 ESR release |
Mozilla Firefox | >=101 |
Microsoft Edge | >=101 |
3. End of support
The Alphatronics ML intrusion panel. Advised: replace by UNii intrusion panel.
Recogtech Palm reader
4. iProtect server and application
This chapter describes the additions and/or changes of the application.
Highlights
Sense connection changed.
API is changed (login).
New (online) installation procedure.
New server dashboard named: cockpit.
New operating system.
Improved security for operating system and iProtect application.
New features
Maintenance
4.1 Sense support
The implementation of Sense connection is changed. Only a secure connection (SSL) is possible.
Video management server | Supported version |
---|---|
Sense | >= 2.6.13 |
4.2 API
Connecting to iProtect via the API is more strict and has had some security improvements.
On request, a new API document is available.
Session token in URL no longer supported
Protection for Cross-Site Request Forgery.
4.3 Cockpit
A new interface has been added to manage the server. Server-related functions are therefore removed from the traditional Maintenance page. The traditional Maintenance page remains available for settings specific to the iProtect application.
Cockpit is the server administration tool sponsored by Red Hat, focused on providing a modern look and user friendly interface to manage and administer servers. The most common used functions are briefly explained in the following chapters.
More information can be found at: Cockpit
Location: Browse to: https://IP-ADDRESS/cockpitpanel (admin user login required)
4.3.1 Firewall
Firewall is now present by default.
Location: Cockpitpanel | Network | Firewall
4.3.1 System time
This funtion is removed from the Maintenance page and moved to cockpit.
Select the time to change the current settings (time zone).
Location: Cockpitpanel | Overview | Configuration
4.3.2 Restart server
This funtion is removed from the Maintenance page and moved to cockpit.
Location: Cockpitpanel | Overview
4.3.3 Maintenance page
The "classic" Maintenance page or server box is also directly available within Cockpit.
Location: Cockpitpanel | Serverbox (atlas user login required)
4.4 Security updates
Security updates and settings have been applied in many areas. These are described in the chapters below.
Highlights
The security of iProtect has been increased on several places the most important are:
Java update to 64bit
Library updates
Security update connection with Sense
Time limiter on procedures
CRSF attack protection
Removed settings from serverbox which are moved to cockpit
Samba share password is stored encrypted
4.4.1 Security settings
4.4.1.1 Cross-site request forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. It's also known as XSRF, “Sea Surf”, Session Riding, and Hostile Linking. The system administrator is able to enable/disable this protection.
Location: Installation | Settings | Server parameters tab: Database
4.4.1.1 Security setting: HTA enable
HTA is nowadays seen as a security risk. The system administrator is able to enable/disable this functionality.
Location: Installation | Settings | Server parameters tab: Database
4.4.1.3 Media element
A HTML media element has a new setting: Execute script allowed. E.g. iFrames will not execute when this checkbox is disabled, Only users with correct database rights are allowed to change this setting.
Location: General | Settings | Media element
4.4.1.4 Time between next execution
Each procedure has a new option “time between next execution (hh:mm:ss)”. This feature was added to prevent anyone (or a system) from performing this procedure multiple times within a specified amount of time when not allowed, or to prevent damage to ancillary systems.
Location: General | Settings | Procedure
4.4.1.5 Certificates in iProtect
To improve handling and security, changes are implemented to the iProtect certificates:
The option to have a self signed certificate has been removed.
A unique root certificate per iProtect system is now generated, this root certificate can be managed in the maintenance page.
The certificates for Pluto and ApolloN devices are now created by the iProtect system.
By thrusting the root certificate of the iProtect system, also the Pluto and ApolloN device websites are thrusted.
Pluto and ApolloN devices do LPR requests from the INVR now over websocket.
iProtect keeps the Pluto and ApolloN certificates up to date, by sending a new certificate before it expires.
In the iProtect maintenance page it is now shown what type of certificate is used for the iProtect website
OwnCA: The default certificate is used for the iProtect website, this certificate is generated from the unique root certificate.
OfficialCA: A client specific certificate, generated from a “CSR” is active
The certificates are now also included in the backup. So when restoring a backup this will also reinstall the certificates.
This also applies to systems with a standby server. So be sure to also include any used IP-address or DNS name in the SAN of the master iProtect server
Explanation:
iProtect has got a his own Certificate Authority (ownCA) (with is own automatically created unique root certificate) which can issue multiple digital certificates. So iprotect uses CA certificates and not self-signed certificates. These certificates are issued by the own CA that is installed on the iProtect server.
The issued certificates are used for Pluto, ApolloN and the INVR controllers. OSDP over IP can also use these CA certificates.
Location: Maintenance page | iProtect | Certificate | Configuration
4.4.1.6 Session management
If from a system user the password-, login name-, or 2FA seed is changed, all sessions of that system user will be closed. The exception is if you change something for yourself, all your own sessions will be closed, except for the application in which you made the change.
Location: Installation | System user
4.4.1.7 System users
From the security perspective, system permissions for system users have been adjusted. This is to limit the rights to the database. It is not possible anymore to have a user group for regular and installer users with full database rights.
User groups for administrator users are allowed to have full database rights
User groups for regular users that have full database rights will be adjusted on update to >= Version 10.02.11, a default set of database rights will be implemented
For installers the User group Role “Installer” can be selected, that will have a set of database rights suitable for installers
If desired it is allowed to change the generated database rights for regular and installer users, full database rights will however not be possible
Location: Installation | Authorization | User group | Data column authorization
4.5 New features
This chapter provides information concerning new features.
4.5.1 Confirm office mode
When a door/reader is set to office mode , and the door is not opened in within time X, the door/reader will switch back to automatic operation. Time X is the longest door opening time defined by the Unlock time or Alternate unlock time ( longest time) + Extra door open time.
Location: Installation | Hardware | Reader | tab: General | Confirm office mode
4.5.2 Boot behavior
Normally a system is setup with the behavior that a door is closed while booting. In special cases it is desirable that a door is open during power-up. If door open during boot is desired, select this option "door open during power-up"
Location: Installation | Hardware | Reader | tab: Door security | Door open during power-up
4.5.3 Cosmos access, multi select on interaction type
If multiple readers are selected and all off the readers are suitable for Cosmos access the multiselect option is available.
Location: Installation | Hardware | Reader
4.5.4 Mitsubishi elevator - communication speed up
There is an improvement made for the elevator connection. In the past the reaction time could be up to 5 seconds, now the reaction time is stable approx. 0,5 sec. with no network delays.
4.5.5 Download pdf
Due to limitations, it was not possible in the past to save every report in PDF format. Now in every report in the browser there is a button (top right) available to download the report in PDF format.
4.5.6 Rijkspas - User moves from CMS to Hub
At a Rijkspas system it is possible that a card that was imported in the "CMS way" is later again imported in the "HUB way. If this occurs then the link synchronized item will be removed automatically.
4.5.7 User interface - Display error message
If the user interface is temporarily not available (Error Code: 503) a new page is shown.
In this page two links will be available, Maintenace page and Cockpitpanel.
4.5.8 System user - Expire date
If the option is chosen to expire passwords, it no longer applies to the root password (so the root password never expires). It still gives you the option to change it, but it won't expire because otherwise you won't be able to use your root login anymore.
4.6 Maintenance
Changed and improved labels/translations (general).
HTA tool, import of multiple mail addresses.
Add authorization template to system user.
Speed up, access when card is not known in controller.
Change of default max. temperature setting for Orion. Now 60 degrees.
Firewall rules are now part of the backup.
Pre-selection presence reports fixes.
Multiple small issues fixed.