Having contacted @chris I have been informed that this device is listed in the z-wave database. I still do not understand why it is generating those errors. Any suggestions would be most welcome. I am using OpenHAB 1.8.3.
See my last comment on GH - it’s in the OH2 database (which is where the issue was raised), but it’s not in the OH1 database. It just needs to be exported from the database and added to a pull request in GH.
If you’re happy to do a PR, that would be great, but if you’re unsure how to do this I’ll do it - just let me know.
Hi Chris, I am somewhat versed in GH and doing/reviewing/approving PRs, but I am not knowledgeable about the way OH and your database have been developed. In my daily job I code in R, Python and some LISP, never Java. I can give it a go, though, if I figure out the artefacts that need to be touched. Happy to try, thank you for the pointer.
This will provide two lists - one is the actual file - it goes into the /database/fibaro folder in the zwave binding. The other part at the top needs to go into the products.xml file which is in the /database folder.
I get an error, however. Any idea what is causing it?
2017-03-24 09:23:10.451 [ERROR] [.o.b.z.i.p.c.ZWaveCommandClass] - NODE 8: Error instantiating command class 0x98
java.lang.reflect.InvocationTargetException: null
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_111]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_111]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_111]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[na:1.8.0_111]
at org.openhab.binding.zwave.internal.protocol.commandclass.ZWaveCommandClass.getInstance(ZWaveCommandClass.java:247) [bundlefile:na]
at org.openhab.binding.zwave.internal.protocol.commandclass.ZWaveCommandClass.getInstance(ZWaveCommandClass.java:210) [bundlefile:na]
at org.openhab.binding.zwave.internal.protocol.serialmessage.ApplicationUpdateMessageClass.handleRequest(ApplicationUpdateMessageClass.java:96) [bundlefile:na]
at org.openhab.binding.zwave.internal.protocol.ZWaveController.handleIncomingRequestMessage(ZWaveController.java:231) [bundlefile:na]
at org.openhab.binding.zwave.internal.protocol.ZWaveController.handleIncomingMessage(ZWaveController.java:204) [bundlefile:na]
at org.openhab.binding.zwave.internal.protocol.ZWaveController.access$6(ZWaveController.java:199) [bundlefile:na]
at org.openhab.binding.zwave.internal.protocol.ZWaveController$ZWaveInputThread.run(ZWaveController.java:1247) [bundlefile:na]
Caused by: java.lang.IllegalStateException: NODE 8: node wants to use security but key is not set
at org.openhab.binding.zwave.internal.protocol.commandclass.ZWaveSecurityCommandClass.<init>(ZWaveSecurityCommandClass.java:342) ~[bundlefile:na]
at org.openhab.binding.zwave.internal.protocol.commandclass.ZWaveSecurityCommandClassWithInitialization.<init>(ZWaveSecurityCommandClassWithInitialization.java:77) ~[bundlefile:na]
... 11 common frames omitted
I see! I suppose this is related to the other issue, that is that I have not found a way to know which devices have been included in the secure mode, and which have not. I wonder if seeing this error is a reliable indicator that a device has been included insecurely.
I think that seeing this error is a reliable way to say that NO devices are securely included. If the key hasn’t been set, and that’s a global setting, then it likely means that no devices can use security.
@chris, this is very helpful and explains why I have never seen any signs of secured inclusion on my network. I also had no idea that the z-wave key had to be set, somehow. I assumed this was an automated function of the z-wave protocol.
Is there a way to use Habmin, or any part of the binding config, to set the key? I use the Aotec Z-Stick Gen5 and I have not seen any options pertaining to the key. I use Habmin (thank you!) to configure every device parameter, but again, I have not seen security key options anywhere.
Many thanks for helping me unravel the z-wave security complexity.
Thank you, Chris. I had a look at the openhab.cfg looking for any signs of z-wave binding security key options but I cannot see any. Could you, please, let me know what settings let’s me provide a key for secure inclusions?
I respectfully disagree on this point. Having security on by default with reasonable auto-generated keys is always better than having no security.
For example, think of https and imagine what would happen if users had to generate their own keys to establish connections—hardly anyone would use it. A key derived from something like /dev/urandom is fine for most uses, and for whom it is not, hardware-based key generators exist. In case someone reading this now thinks “But what about servers? Surely admins set the keys on them?” even that is not the case. Automated KMS (Key Management Service) are normally in charge of that, and for smaller installs there are popular techniques like the LetsEncrypt implementation of the IETF ACME protocol, supported by EFF, precisely to ensure automated key and certificate generation, leading to more, rather than less security.
In summary, I strongly believe that having z-wave default to having secure inclusion would be a good thing for everyone, especially for the future of z-wave reputation, which I am sure will suffer as first attacks become more prevalent. I trust my opinion might help you, as the maintainer of a very prominent z-wave technology, in some of your future decision making.
Sorry - I’m not really sure. As I’ve said elsewhere I’ve never used these options. Do a search for OH1 Schlage on the forum - there’s a long thread about this. As said earlier, I never managed to get this to work well for me so I completely re-implemented security on OH2.
Maybe, but your question was if it was default in the protocol - the protocol (ie the stick) does not handle security - it’s all done in the binding.
Default keys might be ok, but if you autogenerate a key, then you’re pretty much guaranteed to lock yourself out if you don’t know where it’s set! My OH2 implementation does exaclty this and many people lock themselves out when they reset something and the key changes.
Sorry - https security is completely different issue.
Personally, I do not use ZWave security unless you have locks, or other such secure systems, but it’s up to you. It will generate a lot more traffic on the network, and the chance of timeouts etc is significantly increased. The function is provided - it’s up to users to understand its use and configure their system as they like.
On OH2, this is the default - autogenerated key, but only used for security devices.