iProtect - Release notes 10.2

Release notes | 10.2

1. Introduction

These release notes provide information about the latest features of iProtect, including required software versions and hardware installation and operating manuals.

2. System requirements

This chapter lists the required hardware and software for iProtect, including the licensing scheme of iProtect upgrades.

2.1 Supported servers

Below is a list of existing servers that can be updated to Ubuntu 20.04:

  • TKH KP10

  • DELL KP13

  • DELL KP23

  • DELL KP24

  • DELL KP43

  • DELL KP44

  • IPT-S24

  • IPH-S24

  • IPH-S44

  • IPH-S10

2.2 Hardware specification

The hardware specification depends on many variables, so the required specification is customer specific.

Guidelines for 2500 card users, 250 readers and 5 concurrent users*:

Version              CPU                    RAM     Disk
10.00                2.0 GHz dual core      8 GB    >= 500 GB
10.01                2.0 GHz dual core      8 GB    >= 500 GB
10.02                >= 2.0 GHz dual core   16 GB   >= 500 GB
10.03                >= 2.0 GHz dual core   16 GB   >= 500 GB
Test system (small)  1.6 GHz dual core      4 GB    100 GB

* For large systems (>1000 readers, >20 concurrent users), a minimum of 32 GB internal memory and 8 cores is recommended.

Depending on the use of images (keymaps, photos), the required disk space should be checked.

2.3 Software

The minimum required operating system version for iProtect:

iProtect version   O.S.               iProtect setup   Internet connection required
10.02              Ubuntu 20.04 LTS   >= V3.0          Yes, for installation and updates

For iProtect 10.02 on Ubuntu 20.04, a TKH repository provides all files needed for installing and maintaining the setup.

The operating system can be downloaded from Ubuntu's default repository.

It is highly recommended that iProtect is connected to the internet during installation. Permanent internet access is possible, but temporary internet access for installing the security package updates is also sufficient.

On request, iProtect can be installed without an internet connection, but this is not recommended.

2.4 License

From iProtect version 10.01 onwards, the licensing mechanisms have changed. The iProtect licensing has been brought in line with the Sense licensing scheme.

A license is now defined by a Product ID. By activating this license (Product ID) on a specific server, a valid license for that server is generated. The license can also be deactivated and transferred to another server via this Product ID. Activation and deactivation can be done both online and offline.

2.5 Browser support

All tests are done with default browser settings. If a function requires changes to these settings, this is mentioned in the specific manual. The following browsers are supported in iProtect:

Browser            Version
Google Chrome      >= 101
Mozilla Firefox    >= 78.15 ESR release
Mozilla Firefox    >= 101
Microsoft Edge     >= 101

3. End of support

  • The Alphatronics ML intrusion panel. Advised replacement: UNii intrusion panel.

  • Recogtech Palm reader

4. iProtect server and application

This chapter describes the additions and changes to the application.

Highlights

  • Sense connection changed.

  • API is changed (login).

  • New (online) installation procedure.

  • New server dashboard: Cockpit.

  • New operating system.

  • Improved security for operating system and iProtect application.

  • New features

  • Maintenance

4.1 Sense support

The implementation of the Sense connection has changed. Only a secure (SSL) connection is possible.

Video management server   Supported version
Sense                     >= 2.6.13

4.2 API

Connecting to iProtect via the API is stricter and has received security improvements.
On request, a new API document is available.

  • Session tokens in the URL are no longer supported.

  • Protection against Cross-Site Request Forgery.

4.3 Cockpit

A new interface has been added to manage the server. Server-related functions are therefore removed from the traditional Maintenance page. The traditional Maintenance page remains available for settings specific to the iProtect application.
Cockpit is a server administration tool sponsored by Red Hat, focused on providing a modern look and a user-friendly interface to manage and administer servers. The most commonly used functions are briefly explained in the following chapters.

More information can be found at: Cockpit

Location: Browse to: https://IP-ADDRESS/cockpitpanel (admin user login required)

4.3.1 Firewall

A firewall is now present by default.

Location: Cockpitpanel | Network | Firewall

4.3.2 System time

This function is removed from the Maintenance page and moved to Cockpit.

Select the time to change the current settings (time zone).

Location: Cockpitpanel | Overview | Configuration

4.3.3 Restart server

This function is removed from the Maintenance page and moved to Cockpit.

Location: Cockpitpanel | Overview

4.3.4 Maintenance page

The "classic" Maintenance page (server box) is also directly available within Cockpit.

Location: Cockpitpanel | Serverbox (atlas user login required)


4.4 Security updates

Security updates and settings have been applied in many areas. These are described in the chapters below.

Highlights

The security of iProtect has been increased in several places; the most important are:

  • Java update to 64-bit

  • Library updates

  • Security update connection with Sense

  • Time limiter on procedures

  • CSRF attack protection

  • Removed settings from serverbox which are moved to cockpit

  • Samba share password is stored encrypted

4.4.1 Security settings

4.4.1.1 Cross-site request forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. It's also known as XSRF, “Sea Surf”, Session Riding, and Hostile Linking. The system administrator is able to enable/disable this protection.

Location: Installation | Settings | Server parameters tab: Database

4.4.1.2 Security setting: HTA enable

HTA is nowadays seen as a security risk. The system administrator is able to enable/disable this functionality.

Location: Installation | Settings | Server parameters tab: Database

4.4.1.3 Media element

An HTML media element has a new setting, "Execute script allowed". For example, iFrames will not execute when this checkbox is disabled. Only users with the correct database rights are allowed to change this setting.

Location: General | Settings | Media element

4.4.1.4 Time between next execution

Each procedure has a new option, "time between next execution (hh:mm:ss)". This feature was added to prevent anyone (or a system) from performing a procedure multiple times within the specified amount of time when that is not allowed, or to prevent damage to ancillary systems.

Location: General | Settings | Procedure

4.4.1.5 Certificates in iProtect

To improve handling and security, the following changes are implemented for the iProtect certificates:

  • The option to use a self-signed certificate has been removed.

  • A unique root certificate is now generated per iProtect system; this root certificate can be managed in the Maintenance page.

  • The certificates for Pluto and ApolloN devices are now created by the iProtect system.

    • By trusting the root certificate of the iProtect system, the Pluto and ApolloN device websites are also trusted.

    • LPR requests between Pluto/ApolloN devices and the INVR now go over WebSocket.

    • iProtect keeps the Pluto and ApolloN certificates up to date by sending a new certificate before the current one expires.

  • The iProtect Maintenance page now shows which type of certificate is used for the iProtect website:

    • OwnCA: the default certificate is used for the iProtect website; this certificate is issued from the unique root certificate.

    • OfficialCA: a client-specific certificate, generated from a CSR, is active.

  • The certificates are now also included in the backup, so restoring a backup also reinstalls the certificates.

    • This also applies to systems with a standby server, so be sure to include every IP address or DNS name in use in the SAN of the master iProtect server's certificate.

Explanation:
iProtect has its own Certificate Authority (ownCA), with its own automatically created unique root certificate, which can issue multiple digital certificates. iProtect therefore uses CA-issued certificates and not self-signed certificates. These certificates are issued by the own CA installed on the iProtect server.

The issued certificates are used for Pluto, ApolloN and the INVR controllers. OSDP over IP can also use these CA certificates.

Location: Maintenance page |  iProtect | Certificate | Configuration

4.4.1.6 Session management

If the password, login name or 2FA seed of a system user is changed, all sessions of that system user are closed. The exception is when you change something for yourself: all your own sessions are closed, except the session in the application in which you made the change.

Location: Installation | System user

4.4.1.7 System users

From a security perspective, the system permissions for system users have been adjusted in order to limit the rights to the database. It is no longer possible to have a user group for regular and installer users with full database rights.

  • User groups for administrator users are allowed to have full database rights.

  • User groups for regular users that have full database rights are adjusted on update to version >= 10.02.11; a default set of database rights is applied.

  • For installers, the user group role "Installer" can be selected, which has a set of database rights suitable for installers.

  • If desired, the generated database rights for regular and installer users may be changed; full database rights are, however, not possible.

Location: Installation | Authorization | User group | Data column authorization

4.5 New features

This chapter provides information concerning new features.

4.5.1 Confirm office mode

When a door/reader is set to office mode and the door is not opened within time X, the door/reader switches back to automatic operation. Time X is the longest door opening time, i.e. the longer of the Unlock time and the Alternate unlock time, plus the Extra door open time.

Location: Installation | Hardware | Reader | tab: General | Confirm office mode

4.5.2 Boot behavior

Normally a system is set up so that a door is closed while booting. In special cases it is desirable that a door is open during power-up. If this is desired, select the option "door open during power-up".

Location: Installation | Hardware | Reader | tab: Door security | Door open during power-up

4.5.3 Cosmos access, multi select on interaction type

If multiple readers are selected and all of the readers are suitable for Cosmos access, the multi-select option is available.

Location: Installation | Hardware | Reader

4.5.4 Mitsubishi elevator - communication speed up

An improvement has been made to the elevator connection. In the past the reaction time could be up to 5 seconds; now the reaction time is stable at approx. 0.5 seconds when there are no network delays.

4.5.5 Download pdf

Due to limitations, it was not possible in the past to save every report in PDF format. Every report in the browser now has a button (top right) to download the report in PDF format.

4.5.6 Rijkspas - User moves from CMS to Hub

On a Rijkspas system it is possible that a card that was imported in the "CMS way" is later imported again in the "HUB way". If this occurs, the link synchronized item is removed automatically.

4.5.7 User interface - Display error message

If the user interface is temporarily not available (error code 503), a new page is shown.
This page contains two links: Maintenance page and Cockpitpanel.

4.5.8 System user - Expire date

If the option to expire passwords is chosen, it no longer applies to the root password (so the root password never expires). You still have the option to change it, but it will not expire, because otherwise you would no longer be able to use your root login.

4.6 Maintenance

  • Changed and improved labels/translations (general).

  • HTA tool, import of multiple mail addresses.

  • Add authorization template to system user.

  • Speed-up of access when the card is not known in the controller.

  • Change of default max. temperature setting for Orion. Now 60 degrees.

  • Firewall rules are now part of the backup.

  • Pre-selection presence reports fixes.

  • Multiple small issues fixed.