KNX Secure
Summary
- To work with KNX Secure devices, a workaround is required. 1Home Server currently does not support KNX Secure, affecting both KNX IP Secure and KNX Data Secure.
- ETS programming of KNX Secure actuators using the 1Home Server KNX IP interface is possible only if you disable KNX Secure on the actuator. See how-to disable KNX Secure for the entire device for details.
- Using KNX Secured actuator's group objects (i.e. secure group addresses) with the 1Home Server is possible only if they are configured as "plain" (i.e. not secured). See how-to configure disable KNX Secure for a specific group object.
Table of contents
What is KNX Secure
KNX devices that support KNX Secure have the ability to encrypt and decrypt KNX telegrams on the KNX Network. In order for KNX Secure to encrypt/decrypt traffic, all devices that communicate between each other, must support KNX Secure.
You can identify KNX Secure-enabled devices in your ETS project by the blue shield icon next to the device. Blue shield icon indicates KNX Secure is enabled on this device.
The 1Home Server currently does not support KNX Secure. It is however still possible to interact with KNX Secure-ready devices, however certain features might not be supported. Please review the table below for details.
KNX secure commissioning | Group object secured | 1Home Server IP Interface ETS programming support | 1Home Server group object interaction | |
---|---|---|---|---|
1 | Enabled | Yes | No | No |
2 | Enabled | No | No | Yes |
3 | Disabled | No | Yes | Yes |
- Case 1: This is the default case, if you have only KNX Secure devices in your project and perform no changes to accommodate the 1Home Server. The 1Home Server will not be able to interact with your KNX installation.
- Case 2: Disabling KNX Secure for a specific group object (group address) will make it possible for the 1Home Server to interact with this group address.
- Case 3: Disabling KNX Secure entirely on the device will make it possible for the 1Home Server to program the KNX device via ETS as well as interact with all the group objects (group addresses) on the device.
How-to disable KNX Secure
For the entire device
To disable KNX Secure on a device:
In ETS, open the device's properties
Under
Secure Commissioning
selectDeactivated
If you have previously downloaded the configuration to the device, you must perform a full download again in order to remove the security certificate from the device.
If during device import you have entered the device's certificate or have already programmed the device previously using KNX Secure Commissioning activated, then:
- In the project's settings, under
Security
, delete the device's certificate from the project. - Warning: having
Secure Commissioning
deactivated and not removing the device certificate will cause a "long frame support" related error when attempting to use ETS to program the device with the the 1Home Server KNX IP Interface. See known issue ETS long frame support error for details.
- In the project's settings, under
For a specific group object
When you have a KNX Secure device with Secure Commissioning
Activated
all device's group objects that have a linked group address are secured.
Group objects have KNX Secure enabled when linked to a Group Address
When linking the group address to other devices (e.g. push button), it will remain secured, unless it is linked to a device that does not support KNX Secure. When linking to a group object that doesn't support KNX Secure, you are presented with a warning.
Linking a secured group address to an unsecured group object will disable KNX Secure for that particular group address.
If in your project, you don't have a non-KNX Secure device, you can use a (non-KNX Secure) dummy device to link group addresses to in order to disable KNX Secure for particular group addresses. Here is how:
- In your ETS project, add a dummy device. We suggest Gira's Dummy device (application:
large dummy application 900201
). - Open your KNX Secure device.
- From your KNX Secure device group object that you wish to disable secure mode, link the associated group address to your dummy device. Make sure that the length of the group address matches (1 bit to 1 bit, 1 byte to 1 byte, etc.).
- ETS will warn you that you will disable KNX Secure for this group address and that you will need to reprogram the KNX Secure device to apply the change. Click
Ok
. - You will now see that the group object on the KNX Secure actuator doesn't have the KNX Secure icon anymore.
- Re-program your actuator to apply the changes.
- Note: If you have KNX Secure enabled on your device, you will need to use a 3rd party KNX IP Interface and not the 1Home Server. The 1Home Server doesn't support programming KNX Secure devices. In order to use the 1Home Server to program the device, please read the How-to disable KNX Secure for the entire device guide.
Known issues
ETS APDU length error
You receive an error message relating to an APDU length issue when using the 1Home Server as an IP interface when programming a KNX Secure device, such as:
Download(Part): Failed This operation requires an APDU length of 34 bytes, but only 15 is available due to the capabilities of the bus interface.
Screenshot of ETS error relating to APDU length.
This error is caused by using the 1Home Server KNX Secure commissioning which the 1Home Server at this time doesn't support. Please follow the guide on How-to disable KNX Secure for the entire device in order to fix this issue.
ETS long frame support error
You receive an error message relating to long frame support when using the 1Home Server as an IP interface when programming a KNX Secure device, such as:
The requested operation requires that the local interface, the remote device and any couples in between support long frames.
Screenshot of ETS error relating to long frame support.
This is caused by not removing the KNX Secure device certificate from your ETS project. This occurs even if you have Secure Commissioning
Deactivated
. Please follow the guide on How-to disable KNX Secure for the entire device in order to fix this issue.