Kaspersky IoT Secure Gateway 100
2.0
English

Contents

Configuring the gateway

Configuration of data transfer from the OPC UA server to the MQTT broker via Kaspersky IoT Secure Gateway 100 consists of the following steps:

  1. Generating an encryption key and certificates for connection over the OPC UA protocol

    An

    encryption key
    and
    certificates
    must be generated if a secure
    OPC UA
    connection is used.

  2. Configuring nodes for data transfer over the OPC UA protocol on the OPC UA server

    You can read about the OPC UA protocol specification on the developer's website. Kaspersky IoT Secure Gateway 100 version 2.0 supports OPC UA protocol version 1.04.

  3. Generating an encryption key and certificates for connection over the MQTT protocol

    You will need to generate an encryption key and certificate for the

    MQTT
    client, and prepare a file containing the
    certificate chain
    that was used to sign the server certificate.

  4. Configuring the Kaspersky IoT Secure Gateway 100 settings for transferring data from the OPC UA server to the MQTT broker

    Detailed instructions related to this step are provided in this Help section.

In this Help section

Extracting and inserting a microSD memory card

Location of files on the microSD memory card

Connecting to the network and configuring network settings

Configuring a connection over the OPC UA protocol

Configuring a connection over the MQTT protocol
Page top
[Topic 213340]

Extracting and inserting a microSD memory card

The microSD card is installed in the microSD slot on the Siemens SIMATIC IOT2040 device and contains the following files:

  • configuration files with the settings of Kaspersky IoT Secure Gateway 100
  • Kaspersky IoT Secure Gateway 100 health log files
  • file with information about third-party code

To access these files, you need to extract the microSD card from the device and connect it to a computer that has a Linux operating system installed. To continue gateway operations, you should re-insert the microSD card into the device.

The Siemens SIMATIC IOT2040 device should be powered off before you extract and install the microSD memory card.

To extract and then re-insert the microSD memory card:

  1. Open the right-side cover of the device.
  2. Move the memory card slot tab downwards and open it.
  3. Extract the microSD card.
  4. Put the microSD card back, close the tab and move it upwards.

    Using the microSD memory card

    Extracting and inserting a microSD memory card

Page top

[Topic 240117]

Location of files on the microSD memory card

To change the settings of Kaspersky IoT Secure Gateway 100, you will need to extract the microSD card from the microSD slot of the Siemens SIMATIC IOT2040 device, connect the microSD card to a computer running a Linux operating system, change the contents of the configuration files, and re-insert the microSD card into the device.

The microSD memory card includes five partitions (see the figure below):

Page top
[Topic 240542]

Connecting to the network and configuring network settings

To connect a device to an external and internal network, you must establish physical connections (using an RJ45 cable) and configure the external and internal network settings if necessary.

Physical connection to the network

To connect Kaspersky IoT Secure Gateway 100 to a data transfer network:

  1. Connect the network cable of the internal network (where the OPC UA server resides) to the PN/IE LAN X2 P1 port of the device.
  2. Connect the network cable of the external network (where the
    MQTT broker
    resides) to the PN/IE LAN X1 P1 port of the device.

    Layout of Ethernet ports on the Siemens SIMATIC IOT2040 device

Automatically obtaining network settings

By default, Kaspersky IoT Secure Gateway 100 is delivered with a dynamic (DHCP) configuration for the internal and external network. To automatically receive network settings in this configuration, there must be a configured DHCP server residing in the same network.

If there is no DHCP server or if you do not want to use dynamic configuration of the network, use a static configuration of the network.

Configuring static network settings

To configure static settings for the external and internal network:

  1. Create two separate configuration files named dhcpcd.conf on the microSD card:
    • One for the external network in the directory /etc on the HW-ENW partition;
    • One for the internal network in the directory /etc on the HW-INW partition.
  2. In the dhcpcd.conf files, define the network settings according to the dhcpd documentation.

    Sample configuration file defining the settings for an external or internal network:

    static ip_address=192.168.1.177/23

    static routers=192.168.1.1

  3. Save the changes.
Page top
[Topic 224295]

Configuring a connection over the OPC UA protocol

Kaspersky IoT Secure Gateway 100 receives data from the OPC UA server residing within the internal enterprise network over the OPC UA protocol, which is described by the OPC Unified Architecture specification. You can read about the OPC UA protocol specification on the developer's website. Kaspersky IoT Secure Gateway 100 supports OPC UA protocol version 1.04.

In this Help section

Securing a connection over the OPC UA protocol

Configuring data acquisition over the OPC UA protocol

Parameters description in the OpcUaClientSettings-0.json configuration file

Special considerations when configuring OPC UA security settings
Page top
[Topic 224290]

Securing a connection over the OPC UA protocol

To use a secure connection between the OPC UA client and the OPC UA server:

  1. Copy the OPC UA client certificate to the directory /app/Core/pki/certs/transfer/opc_ua/client on the HW-IDS partition of the microSD card.
  2. Copy the OPC UA server certificate to the directory /app/Core/pki/certs/transfer/opc_ua/client on the HW-IDS partition of the microSD card.
  3. Copy the private encryption key of the OPC UA client to the directory /app/Core/pki/private/transfer/opc_ua/client on the HW-IDS partition of the microSD card.

Data can also be transmitted over the OPC UA protocol without using an encrypted connection. However, a secure connection between the OPC UA client and the OPC UA server cannot be ensured without encryption. It is not recommended to use an unsecured operating mode for Kaspersky IoT Secure Gateway 100.

Page top
[Topic 240930]

Configuring data acquisition over the OPC UA protocol

To configure data acquisition using the OPC UA protocol:

  1. Create the OpcUaClientSettings-0.json configuration file.
  2. In the OpcUaClientSettings-0.json file, specify the OPC UA settings and their values in accordance with JSON syntax.
  3. Put the configuration file into the directory /app/Core/config/transfer/opc_ua/client on the HW-IDS partition of the microSD card.

Sample configuration file:

OpcUaClientSettings-0.json

{

"id": 0,

"name": "Kaspersky IoT Secure Gateway 100 OPC UA Client",

"description": "Collects data from CNC by Kaspersky IoT Secure Gateway 100",

"url": "opc.tcp://192.168.177.7:4840",

"readingCycle": 1,

"security": {

"mode": "SignAndEncrypt",

"policy": "Basic256Sha256",

"clientPkiData": {

"certificate": "opc-ua-client.crt",

"privateKey": "opc-ua-client.key"

},

"trustList": ["opc-ua-server.crt"]

},

"userCredentials":

{

"username": "KISG100",

"password": "0R20jN#yZd~zaLKe?2J#@~|YC"

},

"heartbeat": {

"id": 0,

"name": "Heartbeat",

"timeout": 60

},

"nodes": [

{

"id": 1,

"name": "Temperature",

"nodeId": "ns=1;s=VariableTemperature"

},

{

"id": 2,

"name": "Speed",

"nodeId": "ns=2;i=2045"

}

]

}

To edit files in JSON format, we recommend using a text editor that supports JSON syntax highlight. This will help avoid potential errors (for example, unbalanced braces).

Page top

[Topic 240931]

Parameters description in the OpcUaClientSettings-0.json configuration file

The required parameters should be explicitly defined. The other parameters are optional. For optional parameters that are not included in the configuration file, the default value prescribed by the OPC UA protocol may be used.

Parameters in the OpcUaClientSettings-0.json file

Parameter name

Required parameter

Description

Possible values and notes

id

Yes

ID of the OPC UA client that receives data from the OPC UA server.

0.

The value of this parameter must match the value of the receivingHubId parameter in the GuideSettings-0.json configuration file.

name

Yes

Name of the OPC UA client that receives data from the OPC UA server.

<OPC UA client name>.

Example: Kaspersky IoT Secure Gateway 100 OPC UA Client.

description

 

Description of the OPC UA client that receives data from the OPC UA server.

<OPC UA client description>.

Example: Collect data from CNC by Kaspersky IoT Secure Gateway 100.

url

Yes

OPC UA server address.

<network protocol>://<host>:<port>.

Example: opc.tcp://192.168.177.7:4840.

Port 4840 is used by default.

readingCycle

No

Gateway data read frequency (in seconds).

1.

Integer no less than 0.

0 is a special value signifying the use of the maximum frequency available to the client and server.

security

Yes

OPC UA client security parameter
block. Contains the mode, policy, and trustList parameters, and the clientPkiData parameter block.
  • {mode, policy, clientPkiData, trustList} parameter block.
  • null.

The security parameter block is used to configure the communication modes, security policies, utilized certificates and encryption keys for the

digital signature
and data
encryption
.

If you do not need to configure the security parameters, enter null in the security block. The security mode will be set to None in this case.

mode

No

Mode for managing the security of the client application connection.
  • Sign mode means that the connection requires a digital signature for data.
  • SignAndEncrypt mode means that the connection requires both a digital signature and data encryption.
  • None mode means that the connection does not require a digital signature or data encryption. It is not recommended to use this mode because it does not ensure a secure connection between the OPC UA client and the OPC UA server.
  • Any mode means that the connection will use any of the listed modes that are supported by the server: Sign, SignAndEncrypt, None.

policy

No

Name of the

security policy
used on the OPC UA server.
  • Basic128Rsa15
  • Basic256
  • Basic256Sha256
  • None
  • Any policy means that any of the listed policies can be used (if supported by the server).

The None security policy is the most compatible with various types of data sources for an OPC UA connection.

clientPkiData

No

Parameter block containing the certificate and private encryption key of the OPC UA client for an encrypted connection.

{certificate, privateKey} parameter block.

The clientPkiData parameter block must be completed even if the None value is set for the mode and policy fields.

For secure communication over OPC UA, you will need to create a private encryption key and certificate and add them to the client and server configuration. When generating certificates for a connection between a client (Kaspersky IoT Secure Gateway 100) and the OPC UA server, make sure that the certificates comply with the following requirements:

  • The settings of encryption keys and certificates are compliant with the selected security policy.
  • DER or PEM format is used for certificates and encryption keys of the client.
  • For the client certificate, the Subject Alt Name field contains the value URI:urn:aprotech:KISG100:OpcUaClient.

certificate

No

Certificate file name.

opc-ua-client.crt.

privateKey

No

Private encryption key file name.

opc-ua-client.key.

trustList

No

Array containing the names of trusted certificate files.
  • [opc-ua-server.crt] – one or more names of trusted certificate files for the OPC UA server.
  • AllowAll – allows a connection to the OPC UA server without verifying its certificate.

If the OPC UA server configuration prescribes the use of a custom list of trusted certificates, add the client certificate to this list. If certificate verification is not required, enter the AllowAll value for this parameter.

userCredentials

No

Parameter block containing the account credentials of the OPC UA client on the OPC UA server.
  • {username, password} parameter block containing the user account credentials.
  • null is indicated if you want to allow an anonymous connection of the OPC UA client to the OPC UA server. In this case, you do not need to provide values for the username and password.

username

No

Name of the user account for authorization on the OPC UA server.

<username>.

password

No

Password of the user account for authorization on the OPC UA server.

<password>.

heartbeat

No

This parameter block is generated by the OPC UA client. It contains the parameters for the Kaspersky IoT Secure Gateway 100 heartbeat signal.
  • {id, name, timeout} parameter block.
  • null.

If you do not add the heartbeat parameter or if you enter the null value, heartbeat signals will not be sent.

id

No

Data node ID.

0.

name

No

Data node name.

<heartbeat node name>.

Example: Heartbeat.

timeout

No

Interval (in seconds) between the generation of heartbeat signals.

60.

An integer no less than 0 must be entered. The default value is 30.

nodes

Yes

Parameter block for data nodes.

{id, name} parameter block.

Completed for each data node. The ID and name of data nodes are required for building routes and transmitting data from the OPC UA server to the MQTT broker.

id

Yes

ID of the outbound port.

<id>.

name

Yes

Name of the outbound port. This name must match the destination port name of one of the

MQTT topics
indicated in the topics parameter block in the MqttPublisherSettings-0.json configuration file.

<node name>.

Example: Temperature.

To correctly transfer data from the OPC UA server to the MQTT broker, you need to map the OPC UA

data nodes
to their corresponding MQTT topics. The name value is used for mapping.

 

nodeId

Yes

Data node ID.

<namespace>, <nodeID>.

ns

Yes

ID of the OPC UA server namespace.

<namespace>.

nodeId

Yes

ID of the data node in the OPC UA server namespace.

<nodeID>.

Two types of IDs are possible:

  • s (string) – string value for the data node ID. For example, "nodeId": "ns=1;s=Variable temperature".
  • i (numeric) – numerical value for the data node ID. For example, "nodeId": "ns=2;i=2045".

Page top

[Topic 240932]

Special considerations when configuring OPC UA security settings

Kaspersky IoT Secure Gateway 100 does not establish a connection over the OPC UA protocol in the following cases:

  • The server does not have a certificate, and an unsafe connection is not allowed.
  • The trustList parameter lacks a defined server certificate, and the AllowAll value is not set.
  • The client certificate, server certificate or encryption keys do not comply with the settings of the selected security policy.

The OPC UA server and client establish an unsafe connection in the following cases:

  • The null value is set for the security and userCredentials settings blocks, and the server supports this type of connection.
  • The Any value is set for the mode and policy fields, and the server offers the choice for an unsafe connection.

Any weakening of the security settings reduces the security of the connection. For example, the following settings reduce the security of a connection over the OPC UA protocol:

  • Use of the null value for the security settings block will result in the use of a connection without encryption and without a signature.
  • Use of the AllowAll value for the trustList field disables server certificate verification.
  • Use of the null value for the userCredentials settings block disables the capability to connect to a server by using a username and password.
  • The Basic128Rsa15 and Basic256 values for the policy field are considered to be obsolete in the OPC UA version 1.4 protocol specification because the SHA-1 hashing algorithm is no longer considered to be secure.
  • Use of the None value for the policy or mode fields will result in the following:
    • use of a connection without encryption and without a data signature;
    • transmission of a plaintext password to the server.
Page top
[Topic 240935]

Configuring a connection over the MQTT protocol

Kaspersky IoT Secure Gateway 100 forwards data to the MQTT broker over the MQTT protocol. You can read the MQTT protocol specification on the developer's website. Kaspersky IoT Secure Gateway 100 version 2.0 supports MQTT protocol version 3.1.1.

In this Help section

Securing a connection over the MQTT protocol

Configuring data transmission over the MQTT protocol

Parameters description in the MqttPublisherSettings-0.json configuration file

Special considerations when generating names of MQTT topics

Required actions when an MQTT broker certificate is revoked
Page top
[Topic 224293]

Securing a connection over the MQTT protocol

To securely transmit data over the MQTT protocol:

  1. Copy the file containing the certificate chain of the MQTT client (a chain can consist of one leaf certificate of the client) to the directory /app/Core/pki/certs/transfer/mqtt/publisher on the HW-IDS partition of the microSD card.
  2. Copy the file containing the certificate chain that was used to form the digital signature to the directory /app/Core/pki/certs/transfer/mqtt/publisher on the HW-IDS partition of the microSD card.
  3. Copy the file of the private encryption key of the MQTT client to the directory /app/Core/pki/private/transfer/mqtt/publisher on the HW-IDS partition of the microSD card.

The certificates and encryption keys used by the MQTT client must be in PEM format. The key length of the client certificate must be at least 2048 bits.

Page top
[Topic 240937]

Configuring data transmission over the MQTT protocol

To configure data transmission over the MQTT protocol:

  1. Create the MqttPublisherSettings-0.json file.
  2. In the MqttPublisherSettings-0.json file, specify the MQTT settings and their values in accordance with JSON syntax.
  3. Put the configuration file into the directory /app/Core/config/transfer/mqtt/publisher on the HW-IDS partition of the microSD card.

Sample configuration file:

MqttPublisherSettings-0.json

{

"id": 0,

"name": "Kaspersky IoT Secure Gateway 100 MQTT Publisher",

"description": "Transfer data to MQTT Broker by Kaspersky IoT Secure Gateway 100",

"clientId": "KISG100",

"serverUri": "ssl://192.168.188.8:8883",

"security": {

"clientPkiData": {

"certificate": "mqtt-publisher.crt",

"privateKey": "mqtt-publisher.key"

},

"trustStore": ["ca-bundle.crt"]

},

"userCredentials":{

"username": "KISG100",

"password": "4vRXE84zsCy8bLQcZi2HH82TmC"

},

"lastWill": {

"topicName": "LastWill",

"message": "LastMessage"

},

"keepAlive": 800,

"qualityOfService": 1,

"topics": [

{

"id": 0,

"name": "Heartbeat",

"topicName": "Heartbeat"

},

{

"id": 1,

"name": "Temperature",

"topicName": "Temperature"

},

{

"id": 2,

"name": "Speed",

"topicName": "Speed"

}

]

}

To edit files in JSON format, we recommend using a text editor that supports JSON syntax highlight. This will help avoid potential errors (for example, unbalanced braces).

Page top

[Topic 240939]

Parameters description in the MqttPublisherSettings-0.json configuration file

The required parameters should be explicitly defined. The other parameters are optional. For optional parameters that are not included in the configuration file, the default value prescribed by the MQTT protocol may be used.

Parameters in the MqttPublisherSettings-0.json file

Parameter name

Required parameter

Description

Possible values and notes

id

Yes

ID of the MQTT client that will send data to the MQTT broker.

0.

The value of this parameter must match the value of the sendingHubId parameter in the GuideSettings-0.json configuration file.

name

Yes

Name of the MQTT client that will send data to the MQTT broker.

<MQTT Publisher name>.

Example: Kaspersky IoT Secure Gateway 100 MQTT Publisher.

description

No

Description of the MQTT client that will send data to the MQTT broker.

<MQTT Publisher description>.

Example: Transfer data to MQTT Broker by Kaspersky IoT Secure Gateway 100.

clientId

No

Unique identifier of the MQTT client.

1.

The internal architecture of Kaspersky IoT Secure Gateway 100 involves interaction between a receiving hub and a sending hub. The id parameter is linked to the sending hub. The clientId parameter is linked to the MQTT protocol requirements and determines the ID of the MQTT client within this protocol.

The clientId value must be unique among all clients connected to the MQTT broker.

serverUri

Yes

Address of the server that the MQTT client will connect to.

<scheme>://<host>:<port>.

Example: ssl://192.168.188.8:8883.

ssl is an architecture-prescribed scheme for querying a resource.

8883 is the default port.

security

Yes

Parameter block for configuring a secure connection. Contains the clientPkiData and trustStore parameter blocks.

{clientPkiData, trustStore} parameter block.

The security parameter block is used to configure the certificates and encryption keys for the digital signature and data encryption.

clientPkiData

Yes

Parameter block containing the names of the certificate and private encryption key files of the MQTT client for an encrypted connection.

{certificate, privateKey} parameter block.

certificate

Yes

Name of the file containing the certificate chain to the MQTT client certificate.

mqtt-publisher.crt.

privateKey

Yes

Private encryption key file name.

mqtt-publisher.key.

The key length must be at least 2048 bits.

trustStore

Yes

Array that includes the name of the file containing the certificate chain to the MQTT broker certificate.

ca-bundle.crt.

Name of the file containing the certificate chain to the certificate of the Certification Authority that signed the MQTT broker certificate.

userCredentials

Yes

Parameter block responsible for authentication of the MQTT client on the server.
  • {username, password} parameter block containing the user account credentials.
  • null is indicated if you want to allow an anonymous connection of the MQTT client to the MQTT broker. In this case, you do not need to fill in the username and password fields.

username

No

Name of the user account for authorization on the MQTT server.

<username>.

password

No

Password of the user account for authorization on the MQTT server.

<password>.

lastWill

No

Parameter block for configuring a message informing that the client was improperly disconnected (LWT message).

{topicName, message} parameter block.

The client can specify the LWT message when connecting to the MQTT broker for the first time. The MQTT broker will store this message until it detects an improper disconnection of the client. Upon detection of an improper connection, it will send the LWT message to all clients that have subscribed to this type of message. The MQTT broker does not send this message when the client is properly disconnected.

topicName

No

Name of the MQTT topic that determines the information channel where the LWT message will be published.

<topicName>.

Example: LastWill.

message

No

Contents of the LWT message.

<message>.

Example: LastMessage.

keepAlive

No

Period of time that the MQTT broker can wait to receive a message from the MQTT client before terminating the connection due to inactivity.

800.

The default value is 120.

Available values: 065535.

If the keepAlive value is equal to zero, the server will not be obligated to disconnect a client based on inactivity of the client.

If the server deems a client to be inactive or if the client is not responding to queries, the server can disconnect the client at any time, irrespective of the keepAlive value provided by the client.

qualityOfService

No

Parameter defining a guarantee to send messages.

1.

Agreement between the message sender (publisher) and message recipient (subscriber) that defines a guarantee to deliver a specific message. The MQTT specification defines the following three levels of qualityOfService:

  • 0 is no more than one time: the client publishes messages without verifying whether they are delivered to the broker. Messages may be lost or duplicated.
  • 1 is at least one time: the broker confirms delivery. Messages may be duplicated, but delivery is guaranteed.
  • 2 is exactly one time: message delivery is guaranteed, and any potential duplication is eliminated.

The default value is 1.

topics

Yes

Array from the parameter blocks of MQTT topics.

Array of [{id, name, topicName}] parameter blocks.

A separate parameter block in the array is completed for each MQTT topic.

id

Yes

ID of the destination port.

<id>.

Example: 0.

name

Yes

Name of the destination port. This name must match the outbound port name of one of the OPC UA server data nodes indicated in the nodes parameter block in the OpcUaClientSettings-0.json configuration file.

<name>.

Example: Temperature.

To correctly transfer data from the OPC UA server to the MQTT broker, you need to map the MQTT topics to their corresponding OPC UA data nodes. The name value is used for mapping.

topicName

Yes

Name of the MQTT topic.

<topicName>.

Example: Heartbeat.

See also: Special considerations when generating names of MQTT topics.

Page top

[Topic 240940]

Special considerations when generating names of MQTT topics

When filling in the values for topicName, please adhere to the following guidelines:

  • Wildcard characters cannot be used in the names of MQTT topics. We also do not recommend using the $ character in the names of MQTT topics.
  • The name of an MQTT topic cannot be blank (it must contain at least one character).
  • The names of MQTT topics are case sensitive.
  • The names of MQTT topics can contain a blank space character.
  • MQTT topics that are separated by only a / character at the beginning or end of the name are considered to be different MQTT topics.
  • An MQTT topic name consisting of only a / character is permitted.
  • The name of an MQTT topic must not contain the null character (NUL).
  • Names of MQTT topics are UTF-8 strings of size that does not exceed 65535 bytes.
Page top
[Topic 240941]

Required actions when an MQTT broker certificate is revoked

When an MQTT broker certificate is revoked, you will need to obtain a new certificate from the MQTT broker administrator and replace the revoked certificate. If you do not do this, Kaspersky IoT Secure Gateway 100 will trust both the revoked certificate and the new certificate until the revoked certificate expires. This could lead to a situation in which a connection established over a secure channel is not actually secure.

To use a new MQTT broker certificate instead of a revoked certificate:

  1. In the /app/Core/pki/certs/transfer/mqtt/publisher directory on the HW-IDS partition of the microSD card, delete the file indicated in the trustStore parameter of the MqttPublisherSettings-0.json configuration file.
  2. In the trustStore parameter of the MqttPublisherSettings-0.json configuration file, specify the name of the new certificate file.
  3. Copy the new certificate file to the /app/Core/pki/certs/transfer/mqtt/publisher directory on the HW-IDS partition.

Page top

[Topic 246545]