#NR0V1 : Get mbEDGE ready on my router

Application-Note: #NR0V1 : Get mbEDGE ready on my router

Related Documents:

  • https://nodered.org/docs/user-guide/

This application describes how to setup mbEDGE SD-Card, enable Node-RED and access the Node-RED Flow and Dashboard. Also with access on LAN or Web2Go.


You will find the following chapters here:

1. What is mbEDGE

2. mbEDGE SD-Card

3. Enable your mbEDGE on your Router

4. Access Node-RED

5. Open TCP/UDP Ports in Firewall for Node-RED

6. SD-Card Key Management

7. Update your mbEDGE Software

8. Status Information of mbEDGE


 

1. What is mbEDGE

 

mbEDGE is a software package provided on a SD-Card. You can use mbEDGE on every mbNET, mbNET.rokey or mbXLINK with Hardwareversion HW:03 or higher. mbEDGE is provided in two versions:

  • mbEDGE.start

In this version you can use Node-Red with preselected nodes.

  • mbEDGE.advanced

In this version you can use everything from mbEDGE.start and additional your own Node-RED nodes and User-Docker-Container.

You will find your version on your License-card.

Find more information on our website mbEDGE

Back to Begin


 

2. mbEDGE SD-Card

 

The SD Card consists of two areas:

  • Application folder
  • User folder

Both area’s combined in an encrypted container, so the information on the card are secured. The card has 3 possibilities to decrypt (open and make it readable/writable) the container. We are calling them Keystorages.

From Factory the Keystorages are set as follow:

Keystorage 1

Initial Key (CID# of the SD Card)

Keystorage 2

-empty-

Keystorage 3

-empty-

 

The CID# is not a secret and can be used by everybody to open the encrypted container. But since it is from Factory, there are no protectable information’s stored.

Here are the procedures and descriptions of the two usecases we see:

mbEDGE is used the first time in mbNET

The mbEDGE option must be enabled on the mbNET, otherwise the mbEDGE Card will not be detected.

After inserting the card, the mbNET detects the mbEDGE card. the mbNET reads the CID# of the SD-card and opens the encrypted container to enable write privileges on the keystorage partitions. If Keystorage areas 2 and 3 are empty, it starts generating an unique key from its Secure Element module and stores this key into Keystorage 2. After then it deletes Keystorage 1. After this time, ONLY this particular mbNET is able to open the encrypted folder and read/write data.

Generate your Backup-Key:

Since only the mbNET would be able to open the container, you must be sure to access your data, whenever the mbNET is not available anymore (f.e. broken). To generate a Backup-Key, goto the Administration Website of the mbNET and select “Extras > IoT > Key Management”. Here you can enter your Backup-Key (you need your Licensecode provided with the mbEDGE Card!) and apply this key to Keystorage 3. After this, your Key OR the mbNET can access the card.

Move your mbEDGE from mbNET-1 to mbNET-2

First of all, you need to have a Backup-Key. If not, you must generate one in mbNET-1. If mbNET-1 is not available anymore, there is no chance to access the card anymore.

If you have your Backup-Key, insert the card into mbNET-2. Goto the Administration Website of the mbNET and select “Extras > IoT > Key Management”. It will tell you that it is not able to access the card and ask for the backup-key. Insert your backup-key and it will open the card. Now you have two possibilities:

  1. Run the mbEDGE with that Backup-Key temporarily. You have to re-insert the backup-key after every reboot
  2. Generate a new Keystorage 2 with the Secure element of mbNET-2 and store it permanent. This is selectable on the Website.

 

 

Factory

After first time usage

Keystorage 1

Initial Key (CID# of the SD Card)

-empty-

Keystorage 2

-empty-

mbNET Key from Secure Element

Keystorage 3

-empty-

Optional User Back-Up key

 

Conclusion:

  1. There is no protection against copying the card. So everybody is able to copy the card before using it the first time. We don’t see this as an issue, as the B2B business is aware of any copying piracy.

  2. If you don’t have your backup-key, you can NOT access your data when losing the mbNET or want to use it in a different mbNET. Therefore it is recommended to create your backup-key with the first installation.

Back to Begin


 

3. Enable your mbEDGE on your Router

 

The mbEDGE Service is disabled by default on the router. You need to enable this service before using it.

Enabling mbEDGE Service through mbCONNECT24

Add your router to your mbCONNECT24 project. If you select a Firmware > 6.0.4 or mbNET.rokey/mbXLINK, a new menu called "IoT" will appear:

or in Advanced View:

1. Enable your IoT Service:

If you have an advanced mbEDGE license, you can also enable "Docker Management" if needed for your own Docker conatiners. If you are unsure, disable!

2. Set the Node-RED User to access the Node-RED Editor

Select the "Arrow-Button" from your IoT menu and the following settings will be displayed:

  • Add or Edit the "Device User" for enabling Node-RED. By default the "admin" user is enabled for Node-RED which is called "IoT- Flows & Dashboards"
  • You can add Tags for data exchange between mbCONNECT24 and Node-RED
  • Add Firewall Rules to open ports for Node-RED. By default every network-socket node inside Node-RED has only access from inside to outside. So any "listener-socket" you are creating inside Node-RED is not accesible from LAN/WAN. For example a OPC-UA Server will not be accessible from LAN/WAN unless you release the OPC-UA Server-Port here in this ruleset. Select Portnumber and Protocol UDP or TCP.
  • The Docker Daemon (Runtimer for the IoT-Services and Node-RED) needs his own IP-Address shown under "Network". It is by default: 172.16.0.1/24. If this is in conflict with your other network settings, please change it to your prefered set.

3. Transfer your configuration to your Router

If your router will come online, the IoT menu will show if your Flows or Dashboards are available through Web2GO.

 

If you are NOT using mbCONNECT24: Enabling mbEDGE Service on your Router directly

Goto Administration Website of the mbNET and select “System > User". Select the Edit Button for the user you want to have access to Node-RED.

Enable access to Flows and/or Docker Management.

Goto Administration Website of the mbNET and select “Extras > IoT > Control". Select the Edit Button on the right upper corner.

Enable the Docker Service on the following menu.

Next step enable the "Flows and Dashboards" and/or the "Docker Management". The "Flows and Dashboard" is needed for running the pre-installed Node-RED services (needed for mbEDGE.start). So if you use mbEDGE.start enable "Flows and Dashboards". If you need to manage your own (mbEDGE.advanced) enable "Docker Management". For mbEDGE.advanced you can enable both.

ONLY when mbEDGE.advanced

mbEDGE.start or mbEDGE.advanced

When you are ready with these settings, apply your changes.

The mbEDGE Service will start now. This may take a few minutes in the first time. Please be patient.

When the green dot at "Daemon" appears, the Service is running. The "Flows and Dasboards" are ready if the Link Buttons appear black instead of gray.

Back to Begin


 

4. Access Node-RED

 

You can access Node-RED through mbCONNECT24 mbWeb2Go or directly on the router. With Node-RED you can edit your Flows or access the Dashboards of Node-RED applications. If you are not familiar with this, please refer to the Node-RED documentation mentioned in the beginning of this documentation.

Access Node-RED Flows from mbCONNECT24

If your router is online, the direct links from your IoT service will appear green:

Click on "Flows" to access the Node-RED.

 

Access Node-RED Flows on your Router

Goto Administration Website of the mbNET and select “Extras > IoT > Control". Click on the Link Button "Flows".

 

Another Website will open with an Login. Enter the username you selected for access Node-RED in the user management.

 

Access Node-RED Dashboards from mbCONNECT24

If your router is online, the direct links from your IoT service will appear green:

Click on "Dashboard" to access the Node-RED.

Access Node-RED Dashboards on your Router

Goto Administration Website of the mbNET and select “Extras > IoT > Control". Click on the Link Button "Dashboard".

Another Website will open with your Dashboards created through your Flows. There now user login needed. The Dashboards are accessible without user creditentals.

Example:

Go ahead with the next application note Hello World.

 

Back to Begin


 

5. Open TCP/UDP Ports in Firewall for Node-RED

 

If you are using Nodes which will need incoming network traffic (like OPC-UA Server, TCP-Sockets, Web-Sockets) you need to open this ports in the Firewall.

Goto Administration Website of the mbNET and select “Extras > IoT > Security". Click on the Link Button "Firewall Settings for Node-RED".

Enter your Portnumber you want to open. You can separate with comma.

Save and apply your changes.

Back to Begin


 

6. SD-Card Key Management

 

Please first refer to chapter 2. to understand the SD-Card and Key architecture.

Goto Administration Website of the mbNET and select “Extras > IoT > Key Management".

Backup-Key:

The status will show you two options "Created" or "Empty". Created means, that already a Backup-Key is created and stored. To created a new key, click on the Edit button.

Select the Action "Change Backup-Key" or "Delete-Backup-Key". With both action you need to enter your License Code provided with your License Card.

The minimum characters for the Backup-Key is 8.

Active Key Storage:

The status will show you two options "Device" or "Backup-Key". "Device" means that the mbEDGE is using the Key from Secure Element of the Router. This key cannot be seen! "Backup-Key" means it is using the given Backup-Key.

Notice: apply the changes in left appeared box

Back to Begin


 

7. Update your mbEDGE Software

 

Goto Administration Website of the mbNET and select “Extras > IoT > Firmware".

If current and latest available Version differs, you are able to upgrade the firmware. Please DO NOT POWER DOWN during the update!

To start the upgrade, click on the button "upgrade".

Attention: Node-RED and all other containers will shut down!

 

8. Status Information of mbEDGE

 

Goto Administration Website of the mbNET and select “Status > IoT".

Here you can check if the Service is running or not

  • gray dot: Service is not running
  • orange dot: Service is starting
  • green dot: Service is running
  • red dot: Service is not running during an error

With the button you can manually Stop and Start the Service.

Below the Logging line it shows informations from the Service which are useful for support case.

 

Back to Begin