Niagara 4.9 is now released!

Posted: Tue Jul 14, 2020 8:03 pm
by orion242
Next version of Niagara is out. Just on the surface there doesn't seem to be anything too exciting. Getting video to work again, that sure took long enough.
In Niagara 4.9, all modules must be signed by valid, trusted certificate (may be self-signed).
Is it me, or does "trusted certificate" and "self-signed" being in the same sentence make one shudder? Wonder if selfies only apply to code signing, or if that applies to any TLS connection Niagara makes, since the selfie CA cert would be in the trust store?
What's the expiration on these code signing certs? Do my drivers stop working when that happens??
And it sucks up another ~40Mb memory vs 4.8


Tridium is pleased to announce the general availability of Niagara Framework® 4.9. This release incorporates important new features and functionality to support Niagara users in cyber security, visualization, rapid deployment, edge control, connectivity, certification, and IT compliance. We hope you will upgrade soon to take advantage of all that is built into Niagara 4.9 as detailed below.

NEW IN NIAGARA 4.9
  • Single Sign-On with Niagara as an Identity Provider: Securely navigate Niagara Stations using Single Sign-On (SSO) with Niagara as the identity provider (IdP), instead of manually configuring and managing an external IdP. SSO allows users to log into one station and access all other connected stations via a browser without having to re-authenticate.
  • Enhanced Graphics with Tag-Based Visualization: Create a graphical user interface (GUI) for your Niagara station based entirely on tags. Tag based PX bindings allow you to create graphics and assign them semantic tags from the dictionary of your choice once, and then reuse any number of times.
  • Edge 10 – IO Expansion: Edge 10 now supports two IO-R-34 modules and allows control of both onboard and remote IO with ACE. Utilize the Edge 10 for more applications by enabling critical control of field equipment that require additional IO modules. License refresh required.
  • Cloud Connectivity: New connectivity options reduce the time and complexity of integrating Niagara with cloud solutions:
      - Updates to the Niagara MQTT driver to support AWS (Amazon Web Services) Authentication.
      - New JSON Toolkit makes it easy to construct bespoke messages into required formats for cloud communication.
  • Improved Edge Tools: The latest updates make it easier to upgrade installed application templates and provide greater flexibility when defining and configuring peer device and/or station proxies upon installation of an application template.
  • Niagara Proxy Service Enhancements: The Niagara Proxy Service now supports HTTPS connections and a digest authentication scheme, facilitating improved IT compliance and enabling modern web services that utilize secure connectivity behind corporate IT proxy servers.
  • Niagara Security History Log: The Security History Log provides users with an understanding of who, or what, is logging into or changing security-related settings on your Niagara instance.
  • Third-Party Module Signing: The security posture of any Niagara installation is stronger when all third-party modules are signed. Niagara now enforces this best practice and makes administrators aware of unsigned modules, automatically eliminating the risk that modules may have been tampered with or come from an untrustworthy source. To allow developers sufficient time to transition to signing their code, this feature began its rollout in Niagara 4.8. In Niagara 4.9, all modules must be signed by valid, trusted certificate (may be self-signed).
  • ACE on Third-Party Hardware: Originally released in 4.8 for Edge 10, Niagara's ACE deterministic engine enables users to make changes to logic and load the updated code without a complete shutdown. When shut-down is necessary, start-up is faster with ACE. Niagara 4.9 gives third-party vendors creating controllers powered by Niagara the option to include ACE on their platforms. ACE is available to partners as Early Access to be officially released in 4.10. Look for announcements from your favorite ‘Powered By Niagara’ controller as ACE is rolled out.
  • HTML5 Video Streaming: Milestone and Axis video drivers have been updated to eliminate java dependencies in the browser. View video streams associated with alarms directly from the Niagara alarm console and add video links to your system graphics to enhance building intelligence. With HTML5 streaming, mobile devices can also access these video streams, enabling remote users to quickly assess situations in their facility and react accordingly.
  • Updated OS and Enterprise Applications: In Niagara 4.9, we have added support for a number of new operating systems and enterprise applications (new additions in bold type). As with all software products, we must also deprecate support for some operating systems and enterprise applications. Here is the list of deprecated products that will not be supported as of Niagara 4.9.
  • Cyber Security Update: Niagara 4.9 includes a fix to a TLS timeout issue that could occur during a failed TLS handshake.
HOW TO GET STARTED
  • Learn about some of the new features of 4.9 with our free Niagara 4.9 training courses on Tridium University.
  • Review new Niagara 4.9 documentation.
  • New license features were added for Single Sign On. When deploying Niagara 4.9, Tridium recommends refreshing your license to pick up the new features added to the Niagara 4 Supervisor, JACE-8000, and Edge 10 parts.
  • Join the TridiumTalk on July 23 to learn more about the new features of Niagara 4.9. Register today!

Re: Niagara 4.9 is now released!

Posted: Wed Jul 15, 2020 1:21 pm
by Maxburn
Self-signed basically says it came from such and such and the file isn't corrupted. It's verifiable if they post their public key, like you have probably seen with downloads and MD5 hashes. If they spend a couple of dollars it can be trusted with a little work that isn't really that bad. After a recent Dragos webinar where they were discussing what's done in oil field/water plant equipment, they stated they are standardizing on 30-year certs in many facilities. By that time the equipment is due for replacement. I've been doing 10-year certs by default with OpenVPN/EasyRSA, but I just added instructions to make those 20-year certs. The revocation problem isn't really a problem in this setting: I can kill the cert on the server and that client can't connect ever again. In Niagara the revocation problem is real; don't know how they would deal with it.

The real question is: is MS/TP fixed now?

Re: Niagara 4.9 is now released!

Posted: Tue Jul 21, 2020 12:51 am
by orion242
Maxburn wrote: Wed Jul 15, 2020 1:21 pm
    Self-signed basically says it came from such and such and the file isn't corrupted.
Indeed. The question is whether that selfie cert is also valid for Niagara, HTTPS, etc. connections as well. One would like to think it's limited to just code signing and not anything else. If folks are using that same cert for the web server, that seems to be getting pretty sketchy, as any PCs connecting would also likely have that selfie CA cert installed. At that point, can you trust any TLS connection that PC is making? Having some fly-by-night contractor installing their CA certs on machines doesn't seem like a great idea imo. Haven't looked into this, but I assume you need to put your code signing selfie CA cert in the trust store of the station. At that point the station will trust it for anything, unless I'm missing something. More than likely shady contractors will also use that for HTTPS, FOXS, etc.
Maxburn wrote: Wed Jul 15, 2020 1:21 pm
    The real question is: is MS/TP fixed now?
Think that's a matter of how one architects the system. I can 4x MS/TP trunks on a JACE, set up fairly decent access control on what happens to them, and everything on the IP side can be TLS encrypted, authenticated and granular permissions enforced. Flat BACnet, nope... and for good reason if that's a concern. If the Niagara network is the only path in, that's pretty good control of the MS/TP side of the house. Hell of a lot less painful than dealing with flat BACnet/IP.

MS/TP, in my experience, is far easier to deal with in areas where security is a real concern.
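The thread's open question is whether a self-signed cert trusted for module signing would also be trusted for HTTPS or FOXS. Added example (not code from the thread or from Tridium, and it says nothing about how Niagara's own trust store behaves): it builds a self-signed signing cert whose Extended Key Usage is restricted to codeSigning, signs and verifies a constructed module file with it, and then asks OpenSSL whether that same cert would pass as a TLS server certificate. It assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tridium. Builds a self-signed
# signing cert whose Extended Key Usage is codeSigning only, signs a constructed
# "module" file, verifies the signature, then checks whether that same cert
# would also pass as a TLS server cert. Assumes OpenSSL 1.1.1+ (-addext, -ext).
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed signer cert constrained to code signing via a critical EKU.
make_signing_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Module Signer (constructed)" \
        -addext "extendedKeyUsage=critical,codeSigning" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1
    openssl x509 -in "$WORK/signer.crt" -pubkey -noout > "$WORK/signer.pub"
}

# Detached SHA-256/RSA signature over a file: $1 = file, $2 = signature output.
sign_module() {
    openssl dgst -sha256 -sign "$WORK/signer.key" -out "$2" "$1"
}

# Returns 0 only if $2 is a valid signature over $1 by the signer's key.
verify_module() {
    openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" \
        >/dev/null 2>&1
}

# Returns 0 if the signer cert is acceptable for an OpenSSL purpose such as
# sslserver, using the cert as its own trust anchor (the "self-signed CA in the
# trust store" situation from the thread).
cert_valid_for_purpose() {
    openssl verify -CAfile "$WORK/signer.crt" -purpose "$1" \
        "$WORK/signer.crt" >/dev/null 2>&1
}

make_signing_cert
openssl x509 -in "$WORK/signer.crt" -noout -ext extendedKeyUsage
printf 'constructed module bytes\n' > "$WORK/module.jar"
sign_module "$WORK/module.jar" "$WORK/module.sig"
verify_module "$WORK/module.jar" "$WORK/module.sig" && echo "signature OK"

printf 'x' >> "$WORK/module.jar"   # tamper with the signed module
verify_module "$WORK/module.jar" "$WORK/module.sig" || echo "tampered: rejected"
if cert_valid_for_purpose sslserver; then
    echo "WARNING: signer cert would also pass as a TLS server cert"
else
    echo "signer cert rejected for sslserver: EKU is codeSigning only"
fi
```

Whether a given product honours EKU when it consults its trust store is product-specific; the check above only tells you what the certificate itself permits, which is what to inspect before importing any contractor's CA cert.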