Z-Wave Secure Inclusion

zwave
doorlock
Tags: #<Tag:0x00007f6cf0645cd0> #<Tag:0x00007f6cf06458e8>

(Zachary Christiansen) #22

Thanks! I got it working.


(Håvard) #23

Is this included now or do I still have to download?
(I have the Secure Inclusion Mode set at “Entry Control Devices” in my Z-wave serial controller.)


(Chris Jackson) #24

It is not currently included in the snapshot version.


(autoit) #25

Sorry to ask the same stuff again but just to confirm I got this right:

  • secure inclusion is not yet possible on stable/public version
  • if I want to use it right away I should download the snapshot
  • it will be part of the public version soonish
  • even though Paper UI (in Z-Wave Thing settings) has an option for secure inclusion it shouldn’t be used/doesn’t work yet

What if I have securely included a device earlier through different software, will this device not work with the current Z-Wave binding at all or is this just about the inclusion process itself?


(Adam Edwards) #26

if I want to use it right away I should download the snapshot

No. The snapshot still does not have the security built-in. You must download the jar file from here and add it to your addons directory (and remove the built in binding through karaf).

even though Paper UI (in Z-Wave Thing settings) has an option for secure inclusion it shouldn’t be used/doesn’t work yet

Correct. You really should be using habmin for any zwave inclusion, secure or insecure.

What if I have securely included a device earlier through different software, will this device not work with the current Z-Wave binding at all or is this just about the inclusion process itself?

If you switch bindings, this is the breaking change that Chris has referenced. Your previously included devices will not work when switching to the security-included zwave binding. While you won’t have to exclude and re-include them, you will have to delete each thing and re-initialize the devices.

Chris or anyone is welcome to correct anything that I have not explained clearly or incorrectly. :slight_smile:


(autoit) #27

Thanks for the clarification. I had this idea that secure inclusion, once done, would be independent from the software layer that speaks to the controller, but it looks like there’s more to it than that. ´

I wonder why Habmin should be used over Paper UI? It seems like they could both use the same process for inclusion these days (based on just what I’m seeing, no idea what’s going on behind the scenes).

I think it would be beneficial to mention the current state of secure inclusion in documentation/UI, so that there would be no possibility for someone to think they are using secure communications while they actually aren’t.


(Chris Jackson) #28

Security is handled in the binding - not in the controller, so it’s down to the binding software to handle this.

HABmin provides more information on the progress than PaperUI which provides no feedback. Other than that it’s the same for inclusion. However, I would strongly recommend HABmin for configuring devices as it better handles configuration. PaperUI will update all parameters on a device which can cause a lot of network traffic (especially a problem in battery devices).


(jd) #29

Pardon the pun I think I have myself in a bind… I have a Yale 220YRD lock that is recognized in the 2.3.0 version but not in this 2.2.0.xxxx interim binding.

So I can get it to show up properly and add items etc. but not operate the lock in 2.3.0.xxxx. The attribute “Using Security” check box was a grey “?”.

In this 2.2.0.xxx version you guys are using successfully it only show up in Things as a generic “Z-Wave Node 5” Thing.

Any ideas on how to fix or do I need to wait for the Snapshot?


(jd) #30

Ok updated latest Snapshot to see:

 203 | Active   |  80 | 2.3.0.201802031138     | ZWave Binding

Took the excluded the lock successfully then removed the USB controller. Included it using Habmin and getting this log error

SECURITY_ERROR Invalid state! Secure inclusion has not completed and we are not in inclusion 
 mode. Aborting

I’ve got it in High Power Inclusion and Security Inclusion mode is set to “Entry Control Devices”.


(jd) #31

Went back to that above interim build and the Yale lock still no workie workie…all my other devices are solid though. Even got Alexa to work…y’all are awesome!!!

Is the code in the .jar file modular enough that I can grab the 2.3.0 Yale lock stuff and put in into this interim 2.2.xxxx build? Kind of a shadetree java guy (aka. unreliably dangerous).


(Chris Jackson) #32

I doubt going back to an older version will work given there haven’t really been any changes in the security handler for a long time. I would suggest to look at the debug logs and try and work out what’s wrong - going backwards isn’t ultimately going to work :wink:


(jd) #33

OK thanks got it showing up with the Using Security attribute as green now. So I had the latest SNAPSHOT from the other day with the 2.2.0xxx .jar file earlier which didn’t work. I dropped in the .jar file from above (or here).

Now I just have to figure out how to add it as an item correctly. ON/OFF doesn’t work but no errors. Not sure what command the lock is expecting…


(Håvard) #34

I’m struggling trying to securely include my door lock (IdLock). I see this in the log:

2018-02-05 17:51:15.933 [INFO ] [alization.ZWaveNodeInitStageAdvancer] - NODE 26: SECURITY_INC State=FAILED, Reason=GET_SCHEME

a previous attempt after exluding and including again (using habmin) gave me this:

2018-02-05 17:37:57.847 [INFO ] [mmandclass.ZWaveSecurityCommandClass] - NODE 24: Using Scheme0 Network Key for Key Exchange since we are in inclusion mode.

2018-02-05 17:38:18.270 [INFO ] [alization.ZWaveNodeInitStageAdvancer] - NODE 24: SECURITY_INC State=FAILED, Reason=SET_KEY

any pointer to what I should try next? (I’ve already tried excluding and adding 6 or so times, network inclusion is set to high)


(Håvard) #36

I finally got my lock included. I had to change the z-wave network security key to make it work


(Danny Cohn) #37

@chris, I’m trying to use the alarm_raw channel for the YRD210 to detect user code entry. It appears that the snapshot JAR linked in this thread does not have the latest database. Is there any chance you could recompile the binding with the latest DB so that we can use that channel?


(Chris Jackson) #38

Correct - it’s not completely up to date. However the YRD210 was last updated in the database in December, and these changes are in the binding, so for this device, it is up to date.

I note that the database for the YRD210 does not have this channel currently defined.


(Danny Cohn) #39

Interesting. I was looking at this device instead, since it also says that it applies to the YRD210. Is that correct? If so, how can I use that device definition instead?


(Chris Jackson) #40

The changes requested there are not approved - as per the comments at the bottom I’m not (yet) convinced that we can have a single entry for all these devices and this needs to be justified before we screw every bodies locks up.

You can’t select the definitions - it’s selected based on data your device provides.


(Danny Cohn) #41

This makes sense. I appreciate your responses. I’m new but very eager. Maybe I should request access to the device DB and add the alarm_raw enhancement to the active YRD210 definition. Does this sound like a good idea to you? I won’t waste my time and yours if you know off the top of your head that you wouldn’t approve the change.

Thanks


(Chris Jackson) #42

Sure - it’s fine - no problem. You should now have edit access…