This document will outline the procedures expected from Exacq Support staff in the event of discovering a previously unreported security vulnerability in an exacqVision product.
Product
Any exacqVision product
Procedure:
Verify the vulnerability has not already been properly reported at: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Email the GPS (Global Product Security) team at: productsecurity@jci.com
Provide vulnerability analysis in this email and any relevant links
Provide customer details and contact information in this email
Provide software product and software versions in this email
CC the customer on the email
Inform the customer you have notified the appropriate team (GPS) and will be closing the Support ticket.
Our Global Product Security team will then be responsible for following up with this customer and resolving the vulnerability.
Support has identified an issue affecting Customer User Roles in some Enterprise Manager public release versions.
This issue prevents camera permissions such as video inputs and edits from being saved, and these permission checkboxes may “uncheck” themselves after a short period of time. This issue has been resolved in later versions.
If the exacqVision Server data drives are full and are displaying “Recording Not Possible” on the storage page, it is possible that an invalid hour folder was created during the switch to Daylight Saving Time (DST). Use the following instructions to verify and resolve the issue.
Product
exacqVision Server
Solution
These instructions are based on Windows OS and North America DST.
Make note of the date and time of the change to DST and determine if an invalid folder exists.
For this example, most of North America changed to DST on March 12th, 2023 at 02:00 AM.
Therefore any .ps or .psi files stored in the folder D:\2023\03\12\02 are in the wrong folder.
The folder either needs to be removed or the files need to be moved to D:\2023\03\12\03
Note: D: is the disk letter, which will vary across systems with more than one disk, e.g. E:\2023\03\12, F:\2023\03\12, etc.
Use File Explorer to Edit Directory
Log into the Exacq server OS using your Admin credentials
Open “File Explorer”
When File Explorer opens navigate to data drive D: > 2023 > 03 > 12
NOTE: If your system has more than one data drive, you will also need to look in each mount point/disk letter and repeat the process listed below, e.g. look in E: > 2023 > 03 > 12, F: > 2023 > 03 > 12, etc.
If you find a folder named “02” within D:\2023\03\12 you will need to copy the contents to D:\2023\03\12\03 then delete this 02 folder.
Repeat this process for all data drives attached. Optionally, you can delete this 02 folder altogether, but only with permission from the system administrator.
Restart the ExacqVision server service from the services.msc console.
Note: Depending on the amount of data retention the system has, it may be necessary to go back to previous years to make the same edits for Daylight Saving Time changes.
For example: the DST change was March 13th in 2022. You would find the 03/13/2022 directory and make the same edits, removing the 02 hour folder or moving the contents of the 02 hour folder to the 03 folder in this directory.
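The check described above can be scripted across several drives and years. The following PowerShell is an added example, not Exacq's own tooling: the parameter names and the Get-UsDstStart helper are hypothetical, it computes the change date as the second Sunday of March (which matches the 2022 and 2023 dates above), and it moves files rather than copying and deleting them. Without -Fix it only reports.

```powershell
# Added example: locate hour folder "02" on North American spring-forward dates
# and merge its contents into "03". Run from an elevated prompt on the server.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Drives = @('D:'),       # data drives to inspect, e.g. 'D:','E:','F:'
    [int[]]$Years = @(2022, 2023),     # years still inside the retention period
    [switch]$Fix                       # omit to report only
)

function Get-UsDstStart([int]$Year) {
    # North American DST begins on the second Sunday of March.
    $d = [datetime]::new($Year, 3, 1)
    while ($d.DayOfWeek -ne [DayOfWeek]::Sunday) { $d = $d.AddDays(1) }
    return $d.AddDays(7)
}

foreach ($year in $Years) {
    $day = Get-UsDstStart $year
    foreach ($drive in $Drives) {
        $dayDir = '{0}\{1:yyyy}\{1:MM}\{1:dd}' -f $drive.TrimEnd('\'), $day
        $bad  = "$dayDir\02"   # hour that does not exist on the change date
        $good = "$dayDir\03"
        if (-not (Test-Path -LiteralPath $bad -PathType Container)) { continue }

        $files = @(Get-ChildItem -LiteralPath $bad -File -Force)
        Write-Output ('{0}: {1} file(s) in invalid hour folder' -f $bad, $files.Count)
        if (-not $Fix) { continue }

        if ($PSCmdlet.ShouldProcess($bad, "move contents to $good and remove folder")) {
            New-Item -ItemType Directory -Path $good -Force | Out-Null
            foreach ($f in $files) {
                $target = Join-Path $good $f.Name
                if (Test-Path -LiteralPath $target) {
                    # Never overwrite recordings already present in 03.
                    Write-Warning "Skipped $($f.FullName): already exists in 03"
                    continue
                }
                Move-Item -LiteralPath $f.FullName -Destination $target
            }
            # Remove 02 only when nothing is left behind.
            if (-not (Get-ChildItem -LiteralPath $bad -Force)) {
                Remove-Item -LiteralPath $bad
            }
        }
    }
}
```

Run it with -Fix -WhatIf first to preview the changes, then restart the ExacqVision server service as described in the procedure.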
Enterprise Manager (EM), formerly known as Enterprise System Manager (ESM), includes a feature called Camera Inspection which allows EM users to notate cameras which need attention for a later date.
This handy feature means you can easily create a punch list of cameras which need attention for integrator/installer work orders to do things such as:
Clean camera domes/lenses
Maintain camera focus on subjects
Trim foliage or remove debris blocking camera views
Re-orient camera field of view if a camera has been tampered with or nudged
Beneath the Cameras header on the navigation menu, click on Inspection.
A paginated view of available cameras is displayed. Each camera listed will display the Server Group name / Server name / Camera name at the top of its box.
Orange border = Has not been checked
Green border = Marked Good
Red border = Marked Bad
To work effectively, a reference image should have been set when the camera was added/installed. This image appears on the left and can be set using the Use current image as camera image link on the camera details page.
Use the Camera Inspection page by comparing the current snapshot on the right with the one on the left.
Mark Good if you are pleased that the current snapshot indicates no action is needed.
Mark Bad if further action is needed.
Clicking the View Details link allows the user to enter additional comments, such as “Camera is out of focus”, or, “Camera dome needs cleaned”. Comments could also include notes about the person or date/time an issue was resolved. The bottom corner allows navigating through all cameras one by one while in the details/comments view.
After marking each camera, you may export a report to provide to your integrator/installer.
After issues have been fixed, use the Camera Inspection tool to Mark Fixed.
psycopg2.errors.ForeignKeyViolation: update or delete on table “organization_enterpriseuser” violates foreign key constraint “auditlogger_auditlog_user_id_%1_fk_organizat” on table “auditlogger_auditlog”
Description
Reviewing
Notes
%1 suggests the user ID number.
See KB 15724 for resolution.
Downgrading ExacqVision Enterprise Manager from 23.06.0.0 to any version lower will prevent users from accessing the ExacqVision Client software due to the migration to AES-128 from ARC4 Encryption methods used on earlier ExacqVision Enterprise Manager versions.
Downgrading or “Rolling Back” Enterprise Manager software from versions 23.06.0.0 and up to a lower version is not recommended due to this encryption migration.
Note: It is advised to take an Enterprise Manager backup of your system prior to attempting any upgrades/downgrades. Best Practices would include taking a database back up of PostgreSQL or Microsoft SQL.
Product
ExacqVision Enterprise Manager version 23.06.0.0 and subsequently released versions.
Steps to Reproduce
Downgrade ExacqVision Enterprise Manager software to any prior version from 23.06.0.0
Expected Results
This downgrade should complete reflecting the new version, and all functionality should remain intact.
Actual Results
ExacqVision Client users will receive the error: “Invalid Username/Password account locked or disabled” upon trying to log in after the downgrade has been performed.
Solution
Do not downgrade from ExacqVision Enterprise Manager versions 23.06.0.0 to a lower version. If you find this needs to happen for an unforeseen reason it is recommended to uninstall the current version of Enterprise Manager 23.06.0.0 or higher, followed by installing the desired legacy version which will require rebuilding the configuration.
EM is experiencing high resource usage and displays a data roll off banner.
Product
Enterprise Manager 23.03 Windows 10
Steps to Reproduce
Log into EM and check whether a red Roll Off banner is displayed.
Check system resources for high CPU and memory usage.
Check the Data Roll Off logs for the following error:
psycopg2.errors.ForeignKeyViolation: update or delete on table "organization_enterpriseuser" violates foreign key constraint "auditlogger_auditlog_user_id_fbf03342_fk_organizat" on table "auditlogger_auditlog"
DETAIL: Key (id)=(2) is still referenced from table "auditlogger_auditlog"
Expected Results
We should not see high resource usage or the Data Roll Off banner.
Actual Results
High Memory, CPU, and Red Banner Data Roll Off.
Solution
Update to exacqVisionEnterpriseManager_23.06.101.0_x64.exe or official EM release 23.06.
Enhancement – Integration of WiseAI analytics from Hanwha
Enhancement – Enhanced camera discovery for new Illustra Flex Dual Sensor camera (AESW-5541)
Enhancement – Server installer no longer checks Illustrapi or Illustraflexpi for install by default
Enhancement – Changed the reported name to “Illustra Multisensor”
Enhancement – Added legacy tag to Illustrapi and Illustraflexpi
Enhancement – Added support for Axis “Optics Control” autofocus (AESW-2649)
Enhancement – Added support for Bosch “RuleEngine” analytics (AESW-1326)
ExacqVision Client
Bug Fix – wxWidgets version upgrade: new installs, not upgrades, automatically select dark or light theme based on the OS theme and prevent user changes (AESW-5146)
Enhancement – Copy selected camera information when adding a new camera: if a camera is highlighted in the IP Cameras List on the Add Cameras page when the New button is clicked, the Device Type field automatically populates with the same device type as the highlighted camera, saving time selecting from the Device Type list. (AESW-5855)
ExacqVision Web Service
Bug Fix – Updated nvrg version to fix group type retrieval, fixes issue with group items (AESW-3340)
Bug Fix – Updated nvrg version to fix a soft trigger bottleneck, fixes issue where triggers from web or mobile client resulted in status flickering between ‘Alarm’ and ‘Normal’ in Desktop Client. (AESW-3816)
ExacqVision Enterprise Manager
Bug Fix – Improved logging for DynamicDNS files for Integrator Service Portal (AESW-5897)
Azure Active Directory supports the LDAP interface when properly configured, and therefore LDAP can be used to sync the ExacqVision Enterprise Manager software with the Azure AD instance.
Background Information: Lightweight Directory Access Protocol (LDAP) is an application protocol for working with various directory services. Directory services, such as Active Directory, store user and account information, and security information like passwords. The service then allows the information to be shared with other devices on the network. Enterprise applications such as email, customer relationship managers (CRMs), Video Management Software (VMS – ExacqVision), and Human Resources (HR) software can use LDAP to authenticate, access, and find information.
Azure Active Directory (sometimes referred to as Azure AD) supports this pattern via Azure AD Domain Services (sometimes referred to as AD DS). This allows organizations that are adopting a cloud-first strategy to modernize their environment by moving off their on-premises LDAP resources to the cloud. ExacqVision has supported the use of LDAP authentication since early versions, and has now been enhanced to support LDAP authentication when integrated with Azure Active Directory as a modern solution for cloud-based computing.
When a network hosting Enterprise Manager on-premises has been properly configured for communication with an Azure Active Directory instance, by verifying that no port restrictions or other environmental variables inhibit communication, ExacqVision Enterprise Manager supports LDAP authentication with Azure Active Directory as of December 15th, 2022, and in subsequent releases thereafter.
Products
ExacqVision Enterprise Manager version 22.12.0.0 and up
Minimum Requirements for ExacqVision Enterprise Manager Software:
Enterprise Manager version must be 22.12.0.0 or later
Your network must be properly configured to communicate with your Azure AD instance
You must have Azure Active Directory credentials with access to the following Active Directory parameters, as supplied by your Local IT Department or Network Administrator: objectClass (specifically “group” & “user”), userPrincipalName, sAMAccountName, inetOrgPerson, krbPrincipalName
Configuration Steps for Enterprise Manager:
Properly configure the network to communicate with the Azure Active Directory instance without restriction.
Verify you possess the minimum credential requirements needed to complete the integration as listed above (supplied by your Local IT Department or Network Administrator) and log in to the Enterprise Manager user interface with administrative privileges
Navigate to the Domain settings page
Under “Add Domain” enter the address of the Azure Active Directory instance in the “Hostname or IP” field and enter the above mentioned credential criteria with the proper port number, security protocol, Search Criteria information, and Attribute names information in their corresponding fields – as supplied by your Local IT Department or Network Administrator
Apply the changes.
Expected Results
The above steps, when executed properly, will sync with the Azure AD instance, allowing LDAP authentication in ExacqVision Enterprise Manager.
When connecting the web service to the EM server, the EM server can connect to the web service. However, it can’t push an update to it or remotely administer the web service, and the status keeps going back and forth between “Remote Restriction” and “Running”.
Solution
This issue has been fixed in Enterprise Manager version 23.03.103 or above.