SCADA Gateway Installation and Configuration Manual MNE-00020-03 · Issue 3 · May 2017
Contact Information Tait Communications Corporate Head Office Tait Limited P.O. Box 1645 Christchurch New Zealand For the address and telephone number of regional offices, refer to our website: www.taitradio.com Copyright and Trademarks All information contained in this document is the property of Tait Limited. All rights reserved.
Contents
Preface
Scope of Manual
Document Conventions
Alerts
3.4.3 Synchronizing the Secondary SCADA Gateway Database
4 Administrating the SCADA Gateway
4.1 Logging on to the SCADA Gateway
4.2 Logging on to the SCADA Gateway as ‘root’
4.3 Self-Signed SSL Certificates
Preface Scope of Manual This SCADA Gateway Installation and Configuration Manual provides information on installing and configuring a SCADA gateway in a Tait DMR Tier 3 trunked network when operating with the Q9391NC software version 2.04 or later.
Publication Record
Issue: 1
Publication Date: June 2015
Description: First release. SCADA gateway version 1.00.
Issue: 2
Publication Date: December 2016
Description: Updated for SCADA gateway version 1.04 and later
■ Section 1.3 Tait TN9300 DMR Trunked Network updated
■ Section 2.1 Before You Start updated
■ Section 2.2 Installing the SCADA Gateway on the DMR Node Controller updated
■ Section 2.3.1 Obtaining the Host ID for Requesting the License File updated
■ Section 2.4 Recovering the DMR Node updated
■ Section 2.
Issue: 3
Publication Date: May 2017
Description: Updated for SCADA gateway version 1.06 and later
■ Terminology: ‘Dip line’ changed to ‘DIP connection’ throughout
■ Section 2.2.2 Solaris updated
■ Section 3.2 Logging on to the SCADA Gateway WebUI added
■ Section 3.3.3 Configuring the SCADA Gateway updated
■ Section 4.5 Changing the ‘root’ and ‘taitnet’ Passwords updated
■ Section 4.
1 Introduction 1.1 Overview The Tait SCADA gateway solution delivers reliable, scalable and secure two-way wireless communications between a SCADA control system and the outstation devices on electricity distribution networks. Built on the Tait DMR Tier 3 trunked network, a SCADA gateway and TD9300 Data Terminals are added that pass messages between the SCADA control system and remote outstation devices (RTUs).
1.2 SCADA Gateway Components 1.2.1 SCADA Gateway The Tait SCADA gateway provides the interface between the SCADA control system and the DMR network. Its primary function is to control the transfer of messages from the SCADA control system to SCADA outstation devices. As it has detailed knowledge of the current network load, it can queue and prioritize SCADA messages to and from the SCADA outstation devices, ensuring reliable communications under both normal and fault conditions.
2 Installation The SCADA gateway application runs on the CentOS operating system. The SCADA gateway can be deployed using either the Kontron CG2300 server, the Dell R230/R220, the Aleutia R50, or as a virtual machine on a Sun Netra X3-2 server. (Note that the Sun Netra X3-2 server is no longer available for new deployments (replaced by Kontron CG2300) but is still supported for deploying the SCADA gateway to operating DMR networks.
SCADA gateway license(s) can be obtained only after the SCADA gateway software has been installed. 2.1.1 High Availability When installing an HA system, the following rules should be applied: 1. The Active IP address for the SCADA gateways should be different from the Active IP address for the DMR nodes. 2. The SCADA gateway(s) should access the active IP address of the DMR HA nodes regardless of whether or not they are co-hosted. 3.
Notice The Dell R230 server can only be booted up by a USB type 3.0 flash drive. When installing software on a Dell R230, please make sure your flash drive is compliant. The internet can provide tips on how to recognise a USB 3.0 flash drive (e.g. sometimes it has a blue insert). If problems arise, please contact Tait Technical Support for CD/DVD ROM installation instructions. 2.2.2 Solaris DMR 1. Back up the DMR node controller database. 2.
a. If you can find the following sub-directories, then please proceed to step 9: README installvm startup vmnetconf app packages vbox waitforvmtoboot installapp rebootvm vm
b. If cdrom0 is the only sub-directory you can observe, please enter: cd /cdrom/cdrom0 (press Enter)
9. Find the network interface that will be used for the Virtual Machine; type: ifconfig -a
Look at the result and find the network interface which contains the node’s IP address.
Netmask and default gateway MUST be the same as those used by the DMR node controller. Enter the following: ./vmnetconf The Virtual Machine will automatically reboot after applying the required changes. Test if address assignments are successful by pinging the Virtual Machine from the DMR node controller. Enter: ping A successful ping will return: is alive 12.
2. Switch to root user by entering: su k1w1
3. Stop the volume management by entering: /etc/init.d/volmgt stop
4. Move out of the CDROM directory and unmount the DVD:
a. If the DVD ROM directory is /cdrom: cd / && umount /cdrom
b. If the DVD ROM directory is /cdrom/cdrom0: cd / && umount /cdrom/cdrom0
5. Start the volume management by entering: /etc/init.d/volmgt start
6. Eject the CD either by pressing the eject button on the DVD drive, or by using the following command: eject cdrom
2.
2.3.2 Uploading the license 1. To install the license file on the SCADA gateway, go to the SCADA gateway web browser and select Settings > Local Parameters then click Edit. 2. At the License file field, click Upload > Choose file to select a license file, then click Open. 3. Once the license file has uploaded, the SCADA gateway will check if the license is valid. 2.4 Recovering the DMR Node 2.4.
./installvm clean
This will remove the Virtual Machine, and thus the SCADA gateway, and should place the node in the same state it was in prior to installation of the Communications Server.
2. If Step 1 is unsuccessful, it is necessary to remove the Virtual Machine manually: use ssh to log into the node as user taitnet, and then:
VBoxManage controlvm Q9361VM poweroff
VBoxManage unregistervm Q9361VM --delete
Now uninstall the startup script: rm -f /etc/rc3.
If you are authorized to use this system, you must do so in compliance with all laws, regulations, conduct rules, and company security policies applicable to this system. This system, including any hardware components, software, work stations, and storage spaces, is subject to monitoring and search without advance notice. Users should have no expectation of privacy in their use of any aspect of this system.” 2.6 Creating Your Custom Web Login Script It is recommended that you create a login script.
3 Configuration Configure the DMR node for SCADA gateway operation first, before configuring the SCADA gateway itself. 3.1 Configuring the DMR Node Controller For successful SCADA gateway operation on a DMR Network, the node must first be updated and configured with the correct firmware version and license keys. This must be done before installing the components required to interface to the TD9300 data terminals and SCADA outstations.
partition elsewhere in the list, select the row that will be below the partition you wish to add and click Insert. d. Select a partition class from the drop-down list. (This must have been previously created in Subscribers > Partition Classes, see Step 2). e. In the Start and End boxes, enter the range of channel ID numbers for the channels that will belong to the partition. f. Click Save. 4. Assign an appropriate service area for all TD9300 data terminals: a.
d. Enter a prefix number. The fleet will be part of this prefix. e. If the network uses MPT1343 numbering, follow these steps: ■ Enter the number of units and the number of groups for allocation to the fleet. ■ Click Find Space. The node calculates values for the FIN and FGN fields ■ If desired, you can edit the calculated values (these will be checked when you click Save). f. If the network uses ANN numbering, follow these steps. ■ Select the fleet size (Large, Small, or Mini). ■ Click Find Space.
8. Add the DMR addresses of the TD9300 data terminals and the SCADA master DIP connection to the fleet created in Step 6. a. Select Subscribers > Fleets and then click the fleet that the data terminals will belong to. b. Click the Units tab and then click Add. The Add Unit page appears. c. Enter the terminal number. This must be a number that lies within the number range assigned to the fleet. If you add multiple terminals, they will be numbered starting from this number. d.
■ Internet Explorer (Version 7 and above)
3.3 Configuring a Primary SCADA Gateway
Use this section to configure a primary SCADA gateway. The primary SCADA gateway is the gateway with the highest High Availability priority (lowest priority number) in the network.
3.3.1 Creating a Division
1. Log on to the SCADA gateway WebUI using the following login credentials: username: taitnet password: tait
3.3.2
2. Select Network > Divisions and click Add.
3.
10. Select the SCADA protocol that is in use from the drop down menu, and enter the SCADA address of the RTU to which the TD9300 data terminal is connected. If only IP is being used, select None.
11. In the Port field, enter the TCP port number.
12. Click Save.
13. Repeat Step 2 to Step 12 as required.
3.3.3 Configuring the SCADA Gateway
1. Select Settings > Local Parameters and click Edit.
2. In the General area, enter the name of the SCADA gateway.
3.
a. Response delay is the time, in milliseconds, that the gateway should wait for a data terminal, or its connected equipment, to reply to a request. b. Queue message timeout is the length of time a message will be queued before timing out when the gateway is busy. 3.3.4 13. In the SCADA area, select the protocol to use and the default port number to be monitored for communications from all/any data terminals. 14.
3.4 Configuring a Secondary SCADA Gateway Use this section to configure a secondary SCADA gateway. The primary SCADA gateway must already be configured and online. 3.4.1 Configuring the SCADA Gateway 1. Select Settings > Local Parameters and click Edit. 2. In the General area, enter the name of the SCADA gateway. 3.
c. The gateway needs to be rebooted to apply the changes. To reboot the gateway, connect to it by SSH and login as root (see Section 4.1 and Section 4.2). Issue the command reboot. If the SCADA gateway is running on a CentOS DMR node this will also reboot the DMR node. 3.4.3 Synchronizing the Secondary SCADA Gateway Database 1. Select Settings > Local Parameters and click Edit. 2. Set the mode to Online. 3. The State displayed in the status bar should be Standby. 4.
4 Administrating the SCADA Gateway The SCADA gateway runs on CentOS or the Solaris operating system (which is a variant of UNIX), depending on your server type. This chapter tells you how to carry out basic maintenance and operational tasks by logging onto the SCADA gateway and using the operating system command line interface. Note that, whilst still supported, Solaris-based servers are no longer available. 4.
4.3 Self-Signed SSL Certificates When your browser connects to the SCADA gateway’s WebUI for the first time, it raises a security warning. Normally, secure web sites have a security certificate issued by a trusted Certification Authority. This is to foil attempts by rogue web sites to pretend to be something they are not. The SCADA gateway creates a self-signed certificate when the SCADA gateway or its firmware is installed.
1. Click ‘I Understand the Risks’. 2. Click ‘Add Exception’. 3. The Location field includes details specific to your SCADA gateway. Without changing the default values, click ‘Confirm Security Exception’. 4. A secure connection to the SCADA gateway WebUI will be enabled in the browser.
4.3.2 Internet Explorer Users Windows 8 and Internet Explorer For Windows 8, before following the procedure listed below for installing the certificate, you should make the SCADA gateway a trusted site: 1. Open Internet Options from the Control Panel. 2. Select the Security tab. 3. Click ‘Trusted sites’ then click the Sites button. 4. Add the SCADA gateway’s IP address to Trusted Sites. 5. Apply and close Internet Options. 6. Open Internet Explorer then follow the process.
Windows 7 and Internet Explorer
2. Click ‘Certificate error’. The following screen is displayed: 3. Click ‘View certificates’. The Certificate popup with General tab is displayed: 4. Click ‘Install Certificate...’ and then follow the Certificate Import Wizard to install the certificate. Proceed to the end without changing the default values. When the Security Warning window appears, click Yes.
4. Click Next and Finish. When the Security Warning window appears, click Yes. Internet Explorer must be restarted before the changes take effect. The security certificate is added to a specific computer name. If you add the certificate to the computer, but then access the SCADA gateway WebUI by entering the active SCADA gateway address or name, the certificate error message will appear again. 4.3.
4.4 Using the Certificate from a Certification Authority (CA) By default, the SCADA gateway generates its own self-signed certificate. This provides privacy by allowing traffic to be encrypted, but does not provide authentication. The result is that your browser displays a warning when connecting to the WebUI.
Assuming that the server certificate file to be uploaded is called serverscadagw1.crt, and the associated private key file is called serverscadagw1.key (if a CSR file was generated and submitted to the CA then there will not be a key file), to load a new certificate and associated private key file: 1. Select Files > Backups on the SCADA gateway WebUI and click Upload. 2. Click Choose File. 3. Select the server-scadagw1.crt file to upload and click Open. 4. An upload progress window will be displayed.
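Before uploading, it is worth confirming that the certificate and private key belong together, that the certificate is not close to expiry, and that it is not itself self-signed. The following shell script is an added example, not part of the Tait manual or the gateway software; the function names, the 30-day threshold and the generated sample pair are assumptions, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Pre-upload checks for a PEM server certificate and its unencrypted private key.
# Added example: the function names and the 30-day threshold are assumptions.

# Succeeds only when the certificate's public key equals the key's public half.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid $2 days from now (default 0).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-0} * 86400 ))" >/dev/null 2>&1
}

# Name-based heuristic: subject equals issuer (no signature check is made).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# SHA-256 fingerprint as colon-separated hex, for comparison with the browser.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Run all checks; a non-zero exit means the pair should not be uploaded.
preflight() {
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate" >&2; return 1; }
    cert_valid_for "$1" 30 || { echo "FAIL: certificate expires within 30 days" >&2; return 1; }
    if is_self_signed "$1"; then
        echo "WARN: self-signed certificate, browsers will still warn" >&2
    fi
    echo "OK sha256=$(cert_fingerprint "$1")"
}

# Constructed sample input: throwaway self-signed RSA pair valid for $3 days.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/CN=scadagw-sample.invalid" -days "$3" >/dev/null 2>&1
}

# Usage: sh precheck.sh <certificate.crt> <private.key>
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Where a CSR was submitted to the CA and there is no key file to upload, only the expiry, self-signed and fingerprint checks apply.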
Tait engineers will need the root password to provide support. If you change the root password, please ensure that you do not forget it. 4.6 Stopping/Starting the SCADA Gateway Software Login to the SCADA gateway as the root user. To stop the SCADA gateway enter: service scadagw stop To start the SCADA gateway enter: service scadagw start If the SCADA gateway is running or the software is hung, you can restart it by entering: service scadagw restart 4.7 Changing to a Local Time Zone 4.7.
a. Correct the date and time using the date command where is a string of numbers representing the month, day, hour, minute and second, for example date 10061424.40 sets the date to October 6, 2:24:40 pm: date OR b. If using an NTP server, use the ntpdate command, where is the IP address of a contactable local NTP server: ntpdate This command checks the NTP server time, and sets the local server time (when run as root). 3.
d. Execute the commands (where is the timezone name): rtc -z rtc -c
2. Shut down and restart the machine. The recommended command to shut down and restart is: shutdown -y -i6 -g0 (Note that shutdown -y -i5 -g0 will shut down the system, but will not restart it.)
3. Check the date/time by executing the date command: date
This should display the correct date and time for the newly set timezone (see example in step 4). If not, log in as root, then: EITHER a.
If changes are made to scadagw.cfg on one SCADA gateway it needs to be edited on all SCADA gateways in the network, and a backup of the settings should be taken after any edits. The release notes for a scadagw version should be checked for any changes to the settings included in this file. 1. Connect to the SCADA gateway using SSH (Section 4.1). Ensure you are logged in as the taitnet user (not root). 2. Save a backup of the scadagw.cfg file using the command: cp /home/taitnet/scadagw/scadagw.
Calls license values from the DMR Node, e.g. if the DMR node is licensed for 1 DIP call and 1 packet data call then MaxCalls: 1 should be entered.
NetworkDevice: Sets the network device for the SCADA gateway to use.
LogAgeLimit: The number of seconds to keep log files for. Default = 1209600 (14 days).
LogNumberLimit: The number of log files to allow before the oldest is deleted. Default = 99. On installs that have limited HDD space (VM installs using installers prior to v1.
5 Uploading SCADA Gateway Firmware From time to time you will need to upgrade the SCADA gateway firmware, which you can do online by uploading the firmware file. This will provide the benefits of receiving new features and software fixes. Refer to the Release Notes supplied with each new firmware release for any special instructions that might be required for that particular upgrade. 5.1 5.2 Uploading a New Firmware Version 1. Using a web browser, login to the SCADA gateway. 2.
5.3 Reverting to an Earlier Firmware Version The procedure in "Upgrading the SCADA Gateway to a New Firmware Version" can also be used to revert to a previous version of the firmware. When the SCADA gateway firmware is upgraded, the old firmware is not overwritten. Simply select the firmware version to which you wish to revert. IMPORTANT - On a CentOS DMR co-hosted installation do not attempt to downgrade from 01.04.02 to any earlier version.
6 Backing up/Restoring Configuration Files It is good practice to back up your configuration files on a regular basis. This is especially important when changes are made, such as adding new data terminals, or editing configuration parameters. The SCADA gateway and terminal configuration settings are automatically backed up, but it is also a good idea to periodically perform a manual backup, particularly when a lot of changes have been made to the configuration parameters.
selection dialog and open the backup to restore. Once the file is uploaded it will appear in the list of files available to restore.
4. Click the check box to select the row of the file and then click Restore and confirm.
Appendix 1: Transferring an ISO Image to a USB Flash Drive ISO images can be transferred to a USB flash drive using either Win32DiskImager or another tool such as Rufus, both of which are documented here. The advantage of Rufus over Win32DiskImager is that when the USB flash drive has been written to, the USB flash drive is still able to be read from and written to under Windows. This allows the user to add any additional scripts, configuration files etc. to the USB flash drive.
3. Run the Rufus program. 4. Check that the Device in the first drop down list is the same as the USB flash drive. 5. Click on the CD icon next to the drop down list containing ‘FreeDOS’. This will open a dialog box to enable the selection of the ISO file to be written to the USB flash drive. 6. Select the ISO file and click Open, which takes you back to Rufus.
7. When ready to start the writing process, click Start. 8. A dialog box will appear to confirm that a write operation is to be carried out. At this point double check that the correct device is being written to and then click OK. Depending on how large the ISO file is and the write speed of the USB flash drive, it could take from less than a minute to half an hour or more to complete the write process.
9. The progress of the USB flash drive write is displayed as follows:
10. When the USB flash drive write has finished, the Cancel button will change to a Close button. Click Close to complete the process.
11. Remember to safely eject the USB flash drive before physically removing it from the PC.
1.2 Using Win32DiskImager
1. To create a USB flash drive with CentOS or SCADA gateway software, first download and install the Win32DiskImager application.
2.
4. Check that the drive letter in the Device drop down list is the same as the USB flash drive. If you get this wrong, you could erase the wrong disk. 5. Click on the folder icon for the Image file. 6. Change the file filter from Disk Images (*.img *.IMG) to *.* 7. Select the desired iso file and click Open. 8. When ready to proceed, click Write.
9. A Confirm overwrite dialog will appear which gives you a last chance to abort the process. Click Yes to continue. 10. The writing to the USB flash drive will begin and, depending on the quality/speed of the USB flash drive, this could take some time. 11. When the write has completed, a completion dialog will appear. Click OK. 12. Close the Win32DiskImager program. 13.
Appendix 2: Adding an Alternate Interface in CentOS
CentOS uses configuration files for each interface to be configured. These configuration files are stored in /etc/sysconfig/network-scripts/ with filenames ifcfg-, e.g. ifcfg-eth0:2. To enable the sub-interface on the first Ethernet port (interface eth0:2) for the SCADA gateway:
1. Log in as the root user: su -
2. Edit the file /etc/sysconfig/network-scripts/ifcfg-eth0:2 using the command nano /etc/sysconfig/network-scripts/ifcfg-eth0:2
3.
Tait Software License Agreement This Software License Agreement ("Agreement") is between you (“Licensee”) and Tait Limited (“Tait"). By using any of the Software items embedded and pre-loaded in the related Tait Designated Product, included on CD, downloaded from the Tait website, or provided in any other form, you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this Agreement, do not install or use any of the Software.
solely in connection with Licensee's use of the Designated Products for the useful life of the Designated Products. This Agreement does not grant any rights to source code. 3.2. If the Software licensed under this Agreement contains or is derived from Open Source Software, the terms and conditions governing the use of such Open Source Software are in the Open Source Software Licenses of the copyright owner and not in this Agreement.
no representations or warranties with respect to any third-party software included in the Software. 6.2 Tait sole obligation to Licensee, and Licensee’s exclusive remedy under this warranty, is to use reasonable efforts to remedy any material Software defect covered by this warranty. These efforts will involve either replacing the media or attempting to correct significant, demonstrable program or documentation errors or Security Vulnerabilities.
indirect, or consequential arising out of or in connection with any use or inability of using the Software. 10.2. Licensee’s sole remedy against Tait will be limited to breach of contract and Tait sole and total liability for any such claim shall be limited at the option of Tait to the repair or replacement of the Software or the refund of the purchase price of the Software. Section 11 GENERAL 11.1. COPYRIGHT NOTICES.