Support procedure for reporting newly discovered cyber security vulnerabilities in Exacq Software 

This document outlines the procedure Exacq Support staff are expected to follow on discovering a previously unreported security vulnerability in an exacqVision product.

Product 

Any exacqVision product

Procedure:

  1. Verify the vulnerability has not already been properly reported at: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
  2. Email the GPS (Global Product Security) team at: productsecurity@jci.com
    • Provide vulnerability analysis in this email and any relevant links
    • Provide customer details and contact information in this email
    • Provide software product and software versions in this email
    • CC the customer on the email
  3. Inform the customer you have notified the appropriate team (GPS) and will be closing the Support ticket.

Our Global Product Security team will then be responsible for following up with this customer and resolving the vulnerability.


Enterprise Manager fails to save edits to Custom User Roles

Description 

Support has identified an issue affecting Custom User Roles in some Enterprise Manager public release versions.

This issue prevents edits to camera permissions, such as video inputs, from being saved, and these permission checkboxes may “uncheck” themselves after a short period of time. This issue has been resolved in later versions.

Product 

ExacqVision Enterprise Manager Versions:
22.12.0.0
23.03.0.0

Steps to Reproduce 

  • Create a Custom User Role
  • Attach valid User/Users to this Custom User Role
  • Edit permissions such as video inputs
  • Save the configuration changes
  • Wait a few minutes
  • Edit the Custom User Role you created and observe the previously saved edits

Expected Results 

The edits made to the Custom User Role should be saved.

Actual Results 

The edits made to the Custom User Role are not saved, and the checkboxes have “unchecked” themselves.

Solution

Upgrade Enterprise Manager software version to 23.06.2.0.
AES-347, AES-530


Recording Not Possible – Windows DST Issue

Description 

If the exacqVision Server data drives are full and display “Recording Not Possible” on the storage page, it is possible that an invalid hour folder was created during the switch to Daylight Saving Time (DST). Use the following instructions to verify and resolve the issue.

Product 

  • exacqVision Server

Solution

These instructions are based on Windows OS and North America DST.

  • Check DST Rules for your area here.
  • Make note of the date and time of the change to DST and determine whether an invalid folder exists.
  • For this example, most of North America changed to DST on March 12th, 2023 at 02:00 AM.
  • Therefore any .ps or .psi files stored in the folder D:\2023\03\12\02 are in the wrong folder.
  • The folder either needs to be removed or the files need to be moved to D:\2023\03\12\03
  • Note: D: is the disk letter which will vary across systems with more than one disk.
    i.e. – E:\2023\03\12, F:\2023\03\12, etc.

Use File Explorer to Edit Directory

  • Log into the Exacq server OS using your Admin credentials
  • Open “File Explorer”
  • When File Explorer opens, navigate to the data drive
    D: > 2023 > 03 > 12
  • NOTE: If your system has more than 1 data drive, you will also need to look in each mount point/disk letter and repeat the process listed below.
    i.e. – look in E: > 2023 > 03 > 12, F: > 2023 > 03 > 12, etc. 
  • If you find a folder named “02” within
    D:\2023\03\12 you will need to copy the contents to
    D:\2023\03\12\03 then delete this 02 folder.
  • Repeat this process for all data drives attached. Optionally, you can delete this 02 folder altogether, but only with permission from the system administrator.
  • Restart the ExacqVision server service from the services.msc console.

Note:
Depending on the amount of data retention the system has it may be necessary to go back to previous years to make the same edits for Daylight Savings Time changes.

For example:
The DST change was on March 13th in 2022. You would find the 03/13/2022 directory and make the same edits, removing the 02 hour folder or moving the contents of the 02 hour folder to the 03 folder in this directory.
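
The check described above can be automated across every year and data drive by asking Windows which wall-clock hours never existed. The following is an added example, not Exacq-supplied tooling; the function name and the -DataRoot parameter are hypothetical, and it assumes the server's Windows time zone is the one the recordings were written under.

```powershell
# Added example (not Exacq tooling). Assumes the <drive>\YYYY\MM\DD\HH layout
# described above and that the server's Windows time zone is the zone the
# recordings were written under. -DataRoot is a hypothetical parameter name.
function Repair-DstHourFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$DataRoot = @('D:\'))

    $zone = [System.TimeZoneInfo]::Local
    foreach ($root in $DataRoot) {
        $hourDirs = Get-ChildItem -Path (Join-Path $root '????\??\??\??') -Directory -ErrorAction SilentlyContinue
        foreach ($dir in $hourDirs) {
            if ($dir.FullName -notmatch '\\(\d{4})\\(\d{2})\\(\d{2})\\(\d{2})$') { continue }
            try {
                $stamp = [datetime]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], [int]$Matches[4], 0, 0)
            } catch { continue }    # folder name is not a real date/hour

            # True only for a wall-clock hour skipped by the spring-forward change,
            # e.g. 2023-03-12 02:00 under North American rules.
            if (-not $zone.IsInvalidTime($stamp)) { continue }

            $next   = $stamp.AddHours(1)
            $target = Join-Path $root ('{0:D4}\{1:D2}\{2:D2}\{3:D2}' -f $next.Year, $next.Month, $next.Day, $next.Hour)
            $files  = @(Get-ChildItem -LiteralPath $dir.FullName -File |
                        Where-Object { $_.Extension -in '.ps', '.psi' })

            # Emit a report row whether or not anything is changed.
            [pscustomobject]@{ InvalidFolder = $dir.FullName; MoveTo = $target; Files = $files.Count }

            if ($PSCmdlet.ShouldProcess($dir.FullName, "move $($files.Count) file(s) to $target")) {
                New-Item -ItemType Directory -Path $target -Force | Out-Null
                foreach ($file in $files) {
                    # No -Force: a name already present in the target is reported, not overwritten.
                    Move-Item -LiteralPath $file.FullName -Destination $target
                }
                # Delete the invalid hour folder only once nothing is left in it.
                if (-not (Get-ChildItem -LiteralPath $dir.FullName -Force)) {
                    Remove-Item -LiteralPath $dir.FullName
                }
            }
        }
    }
}

# Dry run across two data drives; drop -WhatIf to apply, then restart the
# ExacqVision server service as described above.
# Repair-DstHourFolder -DataRoot 'D:\', 'E:\' -WhatIf
```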


Motion Detection Fails on HikVision DS-6716HUHI-K Encoder

Description

The HikVision DS-6716HUHI-K encoder fails to record when set to motion detection recording schedule in exacqVision.

Note: This device has been deprecated by the manufacturer.

Product 

  • exacqVision Server

Steps to Reproduce 

  • Connect a HikVision DS-6716HUHI-K using any firmware version and set schedule to record on motion
  • Trigger a Motion Detection event in an analog camera connected to this device

Expected Results 

Motion is detected and video is recorded

Actual Results 

Motion is not detected and video is not recorded

Solution

We have found that updating the device to firmware version v3.5.31_221207 resolves the issue. 

Download Firmware v3.5.31_221207


AES-34; AES-500


Downgrading Enterprise Manager software from 23.06 to lower versions


Downgrading ExacqVision Enterprise Manager from 23.06.0.0 to any lower version will prevent users from accessing the ExacqVision Client software, due to the migration to AES-128 from the ARC4 encryption methods used on earlier ExacqVision Enterprise Manager versions.

Downgrading or “Rolling Back” Enterprise Manager software from versions 23.06.0.0 and up to a lower version is not recommended due to this encryption migration.

Note: It is advised to take an Enterprise Manager backup of your system prior to attempting any upgrades/downgrades. Best practices would include taking a database backup of PostgreSQL or Microsoft SQL.

Product 

ExacqVision Enterprise Manager version 23.06.0.0 and subsequently released higher versions.

Steps to Reproduce 

  • Downgrade ExacqVision Enterprise Manager software to any prior version from 23.06.0.0

Expected Results 

The downgrade should complete, reflecting the new version, and all functionality should remain intact.

Actual Results 

ExacqVision Client users will receive the error: “Invalid Username/Password account locked or disabled” upon trying to log in after the downgrade has been performed.

Solution

Do not downgrade from ExacqVision Enterprise Manager versions 23.06.0.0 to a lower version. If you find this needs to happen for an unforeseen reason, it is recommended to uninstall the current version of Enterprise Manager (23.06.0.0 or higher) and then install the desired legacy version, which will require rebuilding the configuration.


ExacqVision Server and Client support LDAP authentication with Azure Active Directory

Azure Active Directory supports the LDAP interface when properly configured, and therefore LDAP can be used to sync the ExacqVision software stack with the Azure AD instance.

Background Information: Lightweight Directory Access Protocol (LDAP) is an application protocol for working with various directory services. Directory services, such as Active Directory, store user and account information, and security information like passwords. The service then allows the information to be shared with other devices on the network. Enterprise applications such as email, customer relationship managers (CRMs), Video Management Software (VMS – ExacqVision), and Human Resources (HR) software can use LDAP to authenticate, access, and find information.

Azure Active Directory (sometimes referred to as Azure AD) supports this pattern via Azure AD Domain Services (sometimes referred to as AD DS). It allows organizations that are adopting a cloud-first strategy to modernize their environment by moving off their on-premises LDAP resources to the cloud. ExacqVision has supported the use of LDAP authentication since early versions, and has now been enhanced to support LDAP authentication when integrated with Azure Active Directory as a modern solution to cloud-based computing.

When the network hosting an on-premise ExacqVision Server has been properly configured to communicate with an Azure Active Directory instance (by verifying that no port restrictions or other environmental variables inhibit communication), ExacqVision Server & Client support the use of LDAP authentication with Azure Active Directory as of December 15th, 2022, and in subsequent releases thereafter.

Products 

  • ExacqVision Server Software version 22.12.5.0 and up
  • ExacqVision Client version 22.12.2.0 and up

Minimum Requirements for ExacqVision Server and Client software: 

  • Server and Client versions must be 22.12 or later
  • Your ExacqVision Server must have an Enterprise license to interact with Azure AD.
  • Your network configuration must be properly configured to communicate with your Azure AD instance
  • To configure Azure Active Directory integrations on an ExacqVision Server, you must have Azure Active Directory credentials with access to the following Active Directory parameters as supplied by your Local IT Department or Network Administrator: objectClass (specifically “group” & “user”), userPrincipalName, sAMAccountName, inetOrgPerson, krbPrincipalName

Configuration steps for ExacqVision Server and Client software: 

  • Properly configure the network to communicate with Azure Active Directory instance without restriction.
  • Verify you possess the minimum credential requirements needed to complete the integration as listed above (supplied by your Local IT Department or Network Administrator) and then log into the Client with administrative privileges
  • Navigate to Enterprise > ActiveDirectory/LDAP. Enable Directory Service and add the Azure AD instance address in the Server Address field, with the proper Port number, the proper setting for USE SSL, and the Base DN and Bind account information in the corresponding fields, as supplied by your Local IT Department or Network Administrator.
    NOTE: It is recommended to enable “Permission to Create SPN” when using Azure Active Directory LDAP authentication.
  • Apply the Changes.

Expected Results 

The above steps when executed properly will sync with the Azure AD Instance, allowing LDAP authentication in ExacqVision Client & Server.

For more information on how to configure ExacqVision for use with LDAP authentication please see the ExacqVision Client User Manual.


Enterprise Manager supports LDAP authentication with Azure Active Directory 

Azure Active Directory supports the LDAP interface when properly configured, and therefore LDAP can be used to sync the ExacqVision Enterprise Manager software with the Azure AD instance.

Background Information: Lightweight Directory Access Protocol (LDAP) is an application protocol for working with various directory services. Directory services, such as Active Directory, store user and account information, and security information like passwords. The service then allows the information to be shared with other devices on the network. Enterprise applications such as email, customer relationship managers (CRMs), Video Management Software (VMS – ExacqVision), and Human Resources (HR) software can use LDAP to authenticate, access, and find information.

Azure Active Directory (sometimes referred to as Azure AD) supports this pattern via Azure AD Domain Services (sometimes referred to as AD DS). This allows organizations that are adopting a cloud-first strategy to modernize their environment by moving off their on-premises LDAP resources to the cloud. ExacqVision has supported the use of LDAP authentication since early versions, and has now been enhanced to support LDAP authentication when integrated with Azure Active Directory as a modern solution to cloud-based computing.

When the network hosting an on-premise Enterprise Manager has been properly configured to communicate with an Azure Active Directory instance (by verifying that no port restrictions or other environmental variables inhibit communication), ExacqVision Enterprise Manager supports the use of LDAP authentication with Azure Active Directory as of December 15th, 2022, and in subsequent releases thereafter.

Products 

  • ExacqVision Enterprise Manager version 22.12.0.0 and up

Minimum Requirements for ExacqVision Enterprise Manager Software: 

  • Enterprise Manager version must be 22.12.0.0 or later
  • Your network configuration must be properly configured to communicate with your Azure AD instance
  • You must have Azure Active Directory credentials with access to the following Active Directory parameters, as supplied by your Local IT Department or Network Administrator: objectClass (specifically “group” & “user”), userPrincipalName, sAMAccountName, inetOrgPerson, krbPrincipalName

Configuration Steps for Enterprise Manager: 

  • Properly configure the network to communicate with Azure Active Directory instance without restriction.
  • Verify you possess the minimum credential requirements needed to complete the integration as listed above (supplied by your Local IT Department or Network Administrator) and log in to the Enterprise Manager user interface with administrative privileges
  • Navigate to the Domain settings page
  • Under “Add Domain” enter the address of the Azure Active Directory instance in the “Hostname or IP” field and enter the above mentioned credential criteria with the proper port number, security protocol, Search Criteria information, and Attribute names information in their corresponding fields – as supplied by your Local IT Department or Network Administrator
  • Apply the changes.

Expected Results 

The above steps when executed properly will sync with the Azure AD Instance, allowing LDAP authentication in ExacqVision Enterprise Manager.

For more information on how to configure ExacqVision Enterprise Manager for use with LDAP authentication please see the ExacqVision Enterprise Manager user manual.


False Drive Offline status on some Q-series models

Description 

Some drives may show an “offline” status on the hardware tab in ExacqVision Client when Server Version 23.03.1.0 is installed on Q-series models, though data can be read from and written to the drive.

Note: This issue manifests itself cosmetically by appearing as if the drive is offline but has no bearing on functionality for video searching.

Product 

ExacqVision Server Version 23.03.1.0

Steps to Reproduce 

Update to Server Version 23.03.1.0 from a previous server software version.

Expected Results

Drives should populate hardware tab with a healthy status.

Actual Results 

One or more drives may appear as “Offline” on the hardware tab.

Solution

Update to ExacqVision Server 23.03.2.0 if the SSA is current and up to date, or alternatively roll back to ExacqVision Server 20.12.8.0 as a workaround.

AES-457



False Positive drives offline status for disks labeled “sat” – invalid disk type errors

Exacq Support has identified an issue with SMART attribute labels causing false positive drive offline errors on the hardware tab of ExacqVision Client.

Some disks may show an “invalid disk type” error.

Some systems may contain drives that get listed as “sat” instead of “ata” or “scsi” per smartctl -j --scan queries. This labeling causes the Hardware tab of ExacqVision Client to show some drives as offline, though data can be written to and retrieved from these drives.

Product 

  • ExacqVision Server 22.12.2.0 – ExacqVision Server 23.06.2.0

Steps to Reproduce 

  1. Update ExacqVision Server from version 22.09 to versions 22.12 through 23.06.
  2. Observe the Hardware tab for select drives showing “offline” status.
  3. Verify that data can be written to a drive that shows offline.

Expected Results 

Drives should remain with status of “Healthy” on hardware tab after update.

Actual Results 

Select drives may show a false positive error/status of “Offline”.

Solution

Update to ExacqVision Server 23.09.102 or higher, which contains the fix for this issue.


Stuck Pinned Spare/Data Restore Pending due to firewall blocking vfba process

Exacq Support has identified an issue preventing fail-back due to VFBA.exe, which uses port 28774, being blocked.

Windows Versions

It is recommended to create both inbound and outbound Windows Firewall rules on the SPARE server to allow communications through port 28774.

** Due to issues with the Windows OS, disabling Windows Firewall does not allow this through, and the creation of the FIREWALL rule is required. **

On a Windows Machine, do a search for FIREWALL and click on the option for Windows Firewall with Advanced Security.

Click on the inbound/outbound rules and select NEW RULE from the right.

Highlight Port and click NEXT

Select Port 28774 and click NEXT.

Be sure to repeat this for BOTH Inbound and Outbound connections.
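
The same rules can be audited and created from an elevated PowerShell session on the SPARE server. This is an added example, not Exacq-supplied tooling: the function names and rule display names are hypothetical, the protocol is assumed to be TCP because the article gives only the port number, and the outbound rule is assumed to match the remote port.

```powershell
# Added example (not Exacq tooling). Run elevated on the SPARE server.
# Assumptions: TCP, and outbound matching on the remote port.
function Get-VfbaPortRuleStatus {
    param([int]$Port = 28774, [string]$Protocol = 'TCP')

    foreach ($direction in 'Inbound', 'Outbound') {
        $portProperty = if ($direction -eq 'Inbound') { 'LocalPort' } else { 'RemotePort' }
        # Enabled allow rules in this direction whose port filter names the port exactly
        # (rules written as a port range or "Any" are not counted).
        $rules = @(Get-NetFirewallPortFilter -Protocol $Protocol |
            Where-Object { $_.$portProperty -contains "$Port" } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq $direction -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' })

        [pscustomobject]@{
            Direction  = $direction
            Port       = $Port
            Present    = $rules.Count -gt 0
            AllowRules = $rules.DisplayName -join ', '
        }
    }
}

function Add-VfbaPortRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Port = 28774, [string]$Protocol = 'TCP')

    # Create a rule only for the direction(s) that the audit reports as missing.
    $missing = Get-VfbaPortRuleStatus -Port $Port -Protocol $Protocol | Where-Object { -not $_.Present }
    foreach ($row in $missing) {
        $portArg = if ($row.Direction -eq 'Inbound') { @{ LocalPort = $Port } } else { @{ RemotePort = $Port } }
        if ($PSCmdlet.ShouldProcess("$($row.Direction) $Protocol/$Port", 'create allow rule')) {
            New-NetFirewallRule -DisplayName "exacqVision VFBA $($row.Direction) $Port" `
                -Direction $row.Direction -Protocol $Protocol -Action Allow @portArg
        }
    }
}

# Audit first, then preview the rules that would be created:
# Get-VfbaPortRuleStatus
# Add-VfbaPortRule -WhatIf
```

Where the addresses of the peer servers are known, adding -RemoteAddress to New-NetFirewallRule limits each rule to those hosts instead of opening the port to any address.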

In some cases it may be necessary to “whitelist” ExacqVision components (core.exe, edvrclient.exe, the .ps and .psi file types, and ExacqVision Enterprise System Manager components) for the Enterprise Manager, Server and Client software, along with vfba.exe, within any antivirus configuration in use.