Managing security access on base stations on a self-hosted ThingPark Enterprise platform
Authentication is the process that verifies that the base stations connecting to the ThingPark Enterprise platform are those that claim to access the platform. Thus, only authenticated base stations will be able to connect to the platform. This security measure prevents not authorized base station or any network element from malicious access.
A ThingPark Enterprise component named Key Installer, provides the base station with its X.509 certificate. The certificate is then used by the base station to establish the connection to the IPsec link, which represents a secure link between the base station and ThingPark Enterprise.
The workflow for a Self-hosted platform is as follows:
The use of IPsec to secure the base station access to ThingPark Enterprise backend is an optional feature in a self-hosted ThingPark Enterprise architecture. It can be disabled if the backhaul network by base stations and ThingPark Enterprise backend is already safe, for instance within the same LAN of the customer enterprise without going through internet.
Managing the security certificate on a self-hosted ThingPark Enterprise platform
If you are entitled to an Administrator role or to a Base Stations Manager role, then you can modify the security settings of a base station.
Select Base Stations.
On the List tab, click the name of the base station for which you want to check the authentication.
Select the Advanced tab, and go to SECURITY.
-> The base station security information appears as follows:
In Base station certificate, click REGENERATE.
-> A message is displayed asking you if you want to complete this action.
When you regenerate a new X.509 certificate of a base station, the previous certificate is revoked, and a new certificate is generated. If you launch this action, a message is displayed on your screen as follows:
When the old certificate is revoked and replaced by a new one, the base station loses connection to the ThingPark Enterprise backend. The interruption duration is 5 minutes if the LRR version is 2.4.88 or higher (30 minutes for LRR versions < 2.4.88).
To avoid service disruption, regenerating the security certificate of a base station should be limited to the case when the current certificate has been corrupted/compromised.
Deactivation of the IPsec functionality
The IPsec functionality is optional on the self-hosted ThingPark Enterprise platform. We recommend that you deactivate the IPsec only in the cases where the network is already considered secured for instance by another VPN encryption solution that prevents third parties from reading your data as it passes between the local and internet networks.
To deactivate the base stations encryption and authentication settings through the Cockpit configuration, contact your System Integrator.