KNX secure - initial implementation

Hi there,
I am adding support for KNX secure to the existing KNX binding. KNX security is basically split into two different aspects:

  • KNX IP Secure protects the traffic between openHAB and your KNX installation. It requires either a KNX Secure Router or a Secure IP Interface with security features enabled in the ETS tool.
  • KNX data secure protects the content of messages on the KNX bus. In a KNX installation, both classic and secure group addresses can coexist. You need devices that support data secure and need to configure this in the ETS tool.

The GitHub issue on this has been out there for quite a while, issue #8872. A prerequisite for the implementation was to switch to the latest release of the Calimero library, done in the OH3.2 release.

As a first step, the KNX secure implementation is there as PR #12434. It has been tested in production with an Enertex IP Secure interface (secure tunnel).

I could use some help testing this on other devices; in particular, I am lacking experience with secure routers (in router mode, not tunnel mode). Any support would be appreciated, please feel free to comment on the GitHub issue.

Thank you!

5 Likes

Hi Holger,
I was struggling with this binding a few months ago.
I’ve just tried this binding again on OH3.2 (RasPi4B) and it is working with my MDT SCN-IP000.03 secure IP Gateway, which provides 4 dedicated tunnels to KNX.
Just “TUNNEL”, the IP address, default port and a free tunnel address from the gateway.
ThanX!
Frank

Finally going to install OpenHAB thanks to your work! Here’s hoping you’ll finish full secure data support soon!! :partying_face:

Hi,

I’m currently trying to integrate my MDT KNX Secure Gateway into an OpenHAB setup.
I was able to identify my routerBackboneKey in the secure report of ETS, but I’m struggling to find the values for tunnelUserPassword and tunnelDeviceAuthentication. I presume that those are more device-specific. My device provides 4 tunnels, and each of them shows a different “Password” in the attribute window of ETS. I’m not sure which one this password is and where to find the last piece of information.
Any help where I could find the information would be appreciated.

For reference this is the manual to my device: https://www.mdt.de/fileadmin/user_upload/user_upload/download/MDT_TM_SCN_03_IP_Interface%20.pdf

Thanks for the implementation of this feature. I’m more than happy to help and support this.

Hi @nilres,

you can configure SECURE_TUNNEL mode for your IP interface. As the device is not a router, there is no need to configure a SECURE_ROUTER and routerBackbone key.

You can pick one of the tunnels and use it for openHAB. You need 3 parameters:

  • tunnelDeviceAuthentication is set in the properties of the IP interface itself, check for a tab “IP” and a description “Authentication Code”.
  • tunnelUserPassword is set in ETS in the properties of the tunnel (below the IP interface you will see the different tunnels listed), denoted as “Password”.
  • tunnelUserId is a number which is not directly visible in ETS, but can be looked up in the keyring export or deduced (typically 2 for the first tunnel of a device, 3 for the second one, …).

The passwords are not easy to find in ETS, especially as there are two different passwords for the device itself (commissioning password and authentication code), and additionally a password for each of the tunnels (which is only shown after you select the specific tunnel).

Good luck!

If you experience any trouble, please do not hesitate to report.

1 Like
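
Added example, not part of the thread or of the binding's code: a sketch that lists which tunnelUserId belongs to which tunnel address from an ETS keyring export, so the mapping does not have to be guessed. The element and attribute names (`Interface`, `Type`, `Host`, `IndividualAddress`, `UserID`) and the namespace are assumptions about the export layout, and the embedded keyring is constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample keyring (.knxkeys is XML). Element and attribute names
# are assumptions about the ETS export layout; secrets are placeholders.
SAMPLE_KEYRING = """\
<Keyring xmlns="http://knx.org/xml/keyring/1" Project="Demo">
  <Backbone MulticastAddress="224.0.23.12" Key="PLACEHOLDER"/>
  <Interface Type="Tunneling" Host="1.1.10" IndividualAddress="1.1.12"
             UserID="3" Password="PLACEHOLDER" Authentication="PLACEHOLDER"/>
  <Interface Type="Tunneling" Host="1.1.10" IndividualAddress="1.1.11"
             UserID="2" Password="PLACEHOLDER" Authentication="PLACEHOLDER"/>
  <Interface Type="Tunneling" Host="1.1.10" IndividualAddress="1.1.13"/>
  <Interface Type="USB" Host="1.1.20"/>
</Keyring>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def list_secure_tunnels(keyring_xml):
    """Return host, tunnel address and user ID of every tunnel with a user ID.

    Password/Authentication attributes are deliberately never read, so the
    output is safe to paste into a forum post or ticket.
    """
    tunnels = []
    for el in ET.fromstring(keyring_xml).iter():
        if local_name(el.tag) != "Interface" or el.get("Type") != "Tunneling":
            continue
        user_id = el.get("UserID")
        if user_id is None or not user_id.isdigit():
            continue  # no user ID listed for this tunnel: skip it
        tunnels.append({
            "host": el.get("Host"),
            "tunnelAddress": el.get("IndividualAddress"),
            "tunnelUserId": int(user_id),
        })
    return sorted(tunnels, key=lambda t: (t["host"] or "", t["tunnelUserId"]))


if __name__ == "__main__":
    for t in list_secure_tunnels(SAMPLE_KEYRING):
        print(f"interface {t['host']}  tunnel {t['tunnelAddress']}  "
              f"tunnelUserId={t['tunnelUserId']}")
```

To use it on a real export, pass the file's contents to `list_secure_tunnels` and compare the tunnel addresses with those shown under the IP interface in ETS.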

Thanks for your support @holgerf. In the end it was some trial and error to figure out which tunnelUserId maps to which password. After I figured it out, the connection worked and I was also able to add a device and switch on some lights through openHAB in my KNX installation. Thanks for all the work you have put into this.

Greetings from the Bremen region :wink:

1 Like

Is anybody using the MDT SCN-IP000.03 IP Interface? Is it stable with openHAB and KNX secure?

Hi, I am trying to configure secure router mode but without any luck. Can you give more explanation, also about your topology and how to find that backbone key? Thank you.

Hi @stamate_viorel, do you have ETS available? If yes, open your project, go to reports, project security. It should contain your router. The first line will show a tool key and an authentication code. Pick the authentication code. The report may also show a few tunnels - those would be relevant if you choose secure tunneling.

Overall, the secure routing might not be tested very well, since I do not have access to a router. Tunneling is known to work fine.

If you want, you could set the log levels to DEBUG or TRACE for the KNX binding and the Calimero library from the console:

openhab-cli console
log:set TRACE org.openhab.binding.knx
log:set TRACE calimero

Good luck and please report if it finally works or not. Thanks!

1 Like

Hi, I have a possibly similar issue with KNX secure routing.
I have exported the keychain from ETS 6 and put it into the config/misc folder of OH5. So far it seems to work. The gateway is an MDT IP-Router SCN-IP100.03 with the latest firmware. My problem is that, although the KNX devices (actors, sensors) get online, OH cannot reach the devices with their group addresses when the router is set to filter group and physical addresses, which is the recommended setup of the router for data secure operation. When the router is set to unfiltered for both cases it works properly. Does anybody have an idea what the reason for that behaviour is? Is that still not completely/correctly implemented in the KNX binding, or is this the “normal” behaviour for OH5 that I have to accept?
Thanks a lot!

I think this is the expected behaviour, as the ETS has no knowledge of openHAB being there, it isn’t able to properly set up the filter to allow openHAB to communicate with KNX Secure, because the filters block it.

Yes, this is the reason for the behaviour, which is correct insofar as ETS does not know about openHAB as a visualisation device outside of the KNX/ETS topology. As far as I have now collected further information, this needs to be solved by introducing a dummy device into ETS which contains all necessary group addresses needed by openHAB. There are various video tutorials in which you can see how to set up this dummy device.

1 Like

So far my test installation with currently 2 MDT IP-Routers (SCN-IP100.03), commissioned secure by ETS 6, works properly with openHAB 5.0. The setup in OH is as shown in the subsequent screenshots.
The “only” issue I have is that during a restart of OH, the configuration of the IP gateways switches automatically from “secure router” to “router”! (2 identical IP-Routers for two KNX lines are installed and act as routers with an IP backbone.) As a consequence, all installed KNX devices will stay offline, as no secure communication is possible. After manually switching back to “secure router”, the system works properly again until the next restart.
Does someone have an idea what the reason for this effect is and what has to be changed to get that solved?
Thanks for your hints in advance.