KNX secure - initial implementation

Hi there,
I am adding support for KNX secure to the existing KNX binding. KNX security is basically split in two different aspects:

  • KNX IP Secure protects the traffic between openHAB and your KNX installation. It requires either a KNX Secure Router or a Secure IP Interface with security features enabled in ETS tool.
  • KNX data secure protects the content of messages on the KNX bus. In a KNX installation, both classic and secure group addresses can coexist. You need devices that support data secure and configure this in ETS tool.

The Github issue on this is out there for quite a while, issue #8872. Prerequisite for the implementation was to switch to the lastest release of the Calimero library, done in OH3.2 release.

As a first step, KNX secure implementation is there as a PR #12434. It has been tested in production with an Enertex IP Secure interface (secure tunnel).

I could need some help testing this on other devices, especially I am lacking experience with secure routers (in router mode, not tunnel mode). Any support would be appreciated, please feel free to comment into the Github issue.

Thank you!


Hi Holger,
I was struggeling with this binding a few month ago.
I’ve just tried this binding again on OH3.2 (RasPi4B) and it is working with my MDT SCN-IP000.03 secure IP Gateway, that is providing 4 dedicated tunnel to KNX.
Just “TUNNEL”, the IP address, default port and a free tunnel address from the gateway.

Finally going to install OpenHAB thanks to your work! Here’s hoping you’ll finish full secure data support soon!! :partying_face:


I’m currently trying to integrate my MDT KNX Secure Gateway into an OpenHAB setup.
I was able to identify my routerBackboneKey in the secure report of ETS but I’m struggling to find the values for tunnelUserPassword and tunnelDeviceAuthentication. I presume that those are more device specific. My device provides 4 tunnels each of them shows a different “Password” in the attribute window of ETS. I’m not sure which one this password is and where to find the last piece of information.
Any help where I could find the information would be appreciated.

For reference this is the manual to my device:

Thanks for the implementation of this feature I’m more then happy to help and support this.

Hi @nilres,

you can configure SECURE_TUNNEL mode for your IP interface. As the device not a router, there is no need to configure a SECURE_ROUTER and routerBackbone key.

You can pick one of the tunnels and use it for openHAB. You need 3 parameters:

  • tunnelDeviceAuthentication is set in the properties of the IP interface itself, check for a tab “IP” and a description “Authentication Code”.
  • tunnelUserPasswort is set in ETS in the properties of the tunnel (below the IP interface you will see the different tunnels listed) denoted as “Password”.
  • tunnelUserId is a number which is not directly visible in ETS, but can be looked up in keyring export or deduced (typically 2 for the first tunnel of a device, 3 for the second one, …)

The passwords are not easy to find in ETS, especially as there are two different passwords for the device itself (commissioning password and authentication code), and additionally a password for each of the tunnels (which is only shown after you select the specific tunnel).

Good luck!

If you experience any trouble, please do not hesitate to report.

Thanks for your support @holgerf. In the end it was some try and error to figure out which tunnelUserId maps to which password. After I figured it out the connection worked and I was also able to add a device and switch on some lights through openhab in my knx installation. Thanks for all the work you have put into this.

Greetings from the Bremen region :wink:

1 Like

Is anybody using the MDT SCN-IP000.03 IP Interface? Is it stable with Openhab and KNX secure.