The status of the storage page is showing “Recording Not Possible” on ExacqVision Edge for some Illustra cameras. This is a result of SD encryption mode being enabled on the camera.
Products
ExacqVision Edge
Illustra Pro Gen4
Steps to Reproduce
Install the Edge software on the camera, and then try to record video to the SD card.
Expected Results
The video will record without an issue and the status on the Storage page will be healthy
Actual Results
No video is recorded and the storage page shows a status of “Recording Not Possible”
Solution
By default, SD card encryption is enabled; it must be disabled to resume normal operation.
1. Log in to the camera Web GUI and select Setup on the Web User Interface banner to display the setup menus.
2. Select SD Card Management from the Edge Recording menu.
3. Disable encryption mode.
Note: Any change to the encryption status requires the SD card to be formatted.
4. Format the SD card by selecting Format, then select Mount to mount the encrypted SD card.
5. Re-install ExacqVision Edge.
6. Verify the “Recording Not Possible” message is no longer present on the
Refer to the Encrypted SD card storage section of the cameras users guide for additional information.
If the DigiCert Trusted Root G4 Certificate is missing, exacqVision Software updates downloaded from exacq.com or initiated within exacqVision Client, will report a signature error.
Gain a deeper understanding of the benefits that each of the many export file types available from ExacqVision provides.
If an incident occurs and you need to share recordings with your management, a legal representative, law enforcement, or others, knowing which file type provides the protections or data needed, and which they will be able to review, is key.
ExacqVision Server software does not support the AES encryption method for LDAP connections in versions earlier than 21.12.6.
If you are using an earlier version of ExacqVision Server, it can communicate with LDAP using the RC4 encryption method only.
To determine whether AES encryption is in use:
Check the ExacqVision Server logs for the StreamPi plugin. If AES encryption is in use and the Server is unable to decode it, the logs will show the following entries:
For client-server communication, we use 128 bit AES encryption in combination with Diffie-Hellman key exchange. By default, the key is updated every 5 minutes. This is true for all data except video stream, audio stream and blob (map images, etc.) data.
For server-camera/device communication, the encryption is camera dependent and does not use SSL. We use HTTP Basic or HTTP Digest Authentication for all data except video and audio streams.
exacqVision’s default method for archiving recorded data uses the SMB protocol. Using an exacqVision S-Series storage system makes configuring archiving simple. Users may also archive to SMB shares configured on their own third-party systems, but installing and configuring Samba or SMB Shares on non-Exacq built systems is outside the scope of Exacq Support.
There have been several iterations of SMB since the protocol was first introduced. Devices wishing to communicate via SMB must first perform a negotiation to determine which version they will use. The version and dialect of SMB chosen will determine what features are used.
Versions
Discussing versions quickly becomes a tangled web, which we will try to unravel here.
When capturing the network traffic between two devices with an application such as Wireshark, the protocol is listed as SMB2, which covers many dialects, including 2.1, 3.0 and 3.1. This causes some confusion, because many people refer to dialects as versions. We will use the term dialect for these here.
Introduced in 2015, dialect 3.1.1 is the latest release of SMB at the moment. While SMB is the protocol, on Linux systems it is implemented by an application named Samba. Samba provides support for SMB as well as other protocols, so it has its own version numbering separate from SMB. Samba has supported SMB dialect 3.1.1 since Samba 4.3.
How to check the version of Samba installed on your S-series or other Linux system:
1. Open a Terminal window by pressing CTRL+ALT+T.
2. Type samba --version, and press Enter.
Server Signing
Server signing is a security method used by SMB. When signing is enabled, every SMB message carries a signature in its header: a keyed hash computed over the entire message.
How does signing help protect data? In addition to verifying the identities of the sending and receiving devices, the nature of hashing means that if an attacker changes the message between the NVR and the archive share, the hash will no longer match and the receiver rejects the message.
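To make the point above concrete, here is an added Python illustration (not code from exacqVision or Samba) of the signing scheme SMB 2.x dialects use per MS-SMB2: an HMAC-SHA256 over the whole message with the 16-byte Signature field zeroed, truncated to 16 bytes and stored at offset 48 of the 64-byte header. The signing key, header and payload are constructed samples.

```python
import hashlib
import hmac
import os

# SMB2 header layout from MS-SMB2: 64-byte header, 16-byte Signature field at offset 48.
HEADER_LEN, SIG_OFFSET, SIG_LEN = 64, 48, 16


def sign_message(signing_key, message):
    """Return the message with its Signature field filled in, SMB 2.x style:
    HMAC-SHA256 over the whole message with the field zeroed, truncated to 16 bytes."""
    if len(message) < HEADER_LEN:
        raise ValueError("message shorter than an SMB2 header")
    zeroed = message[:SIG_OFFSET] + bytes(SIG_LEN) + message[SIG_OFFSET + SIG_LEN:]
    sig = hmac.new(signing_key, zeroed, hashlib.sha256).digest()[:SIG_LEN]
    return zeroed[:SIG_OFFSET] + sig + zeroed[SIG_OFFSET + SIG_LEN:]


def verify_message(signing_key, message):
    """True if the Signature field matches a fresh HMAC over the received bytes."""
    if len(message) < HEADER_LEN:
        return False
    expected = sign_message(signing_key, message)[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(expected, message[SIG_OFFSET:SIG_OFFSET + SIG_LEN])


def demo_tamper(key=None):
    """Sign a constructed message, flip one byte of the body in transit, re-verify.
    Returns (valid_before_tampering, valid_after_tampering)."""
    key = key or os.urandom(16)                     # session signing key (sample)
    header = b"\xfeSMB" + bytes(HEADER_LEN - 4)     # constructed, not a real header
    body = b"archive-write: clip-0001.ps"           # constructed sample payload
    signed = sign_message(key, header + body)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    return verify_message(key, signed), verify_message(key, tampered)
```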
Encryption
SMB version 2.0 provided encryption using HMAC-SHA256. SMB 3.0 updated the encryption used to AES-CMAC and AES-CCM. SMB 3.1.1 then added support for AES-128-GCM and AES-128-CCM as well as other security enhancements.
SMB Dialect    Encryption Method
2.0            HMAC-SHA256
3.0            AES-CMAC and AES-CCM
3.1.1          AES-128-GCM and AES-128-CCM
Manual Enforcement
As mentioned above, when two devices attempt to communicate using SMB they first negotiate the connection to determine the version and dialect they will use.
The client first advertises to the server which versions and dialects it supports. The server replies with the highest version and dialect it supports so they can agree. In the case of exacqVision’s Archiving, the client is the recording NVR system and the server is the S-Series system.
IMPORTANT: Because the protocol automatically selects the highest version both devices support, and because SMB signing and encryption are mature technologies, there is usually no need to manually configure settings. It is recommended only in situations where specific network requirements must be enforced to function properly.
To manually configure SMB:
1. On the S-Series server, open a Terminal window by pressing CTRL+ALT+T.
2. Use sudo permissions to edit /etc/samba/smb.conf.
3. Locate the [global] settings section.
4. Beneath the [global] tag, add the following lines:
server signing = mandatory
server min protocol = SMB3_11
server max protocol = SMB3_11
5. Save your changes, then exit the file.
6. Restart Samba by entering sudo /etc/init.d/samba restart
The entries given for Step 4 above enforce server signing as well as SMB dialect 3.1.1. Attempts to connect with anything else would fail. A list of possible options for these three entries is given below.
server signing = [default, auto, mandatory, disabled]
server min protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]
server max protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]
Note: ‘server min protocol’ should be the same or lower than ‘server max protocol’. If these are different values the client and server must support a dialect in between these values. If these are the same value, they must support that specific dialect.
IMPORTANT: Without editing the configuration at all, the default behavior when these fields are omitted from the smb.conf file is the same as entering the following:
server signing = auto
server min protocol = SMB2_02
server max protocol = SMB3
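As an added example (not exacqVision's or Samba's own code), the following Python script applies the rules from this section to the [global] section of an smb.conf: it fills in the stated defaults when the three entries are absent, checks the min/max ordering from the note above, and reports which dialect a client would negotiate. It assumes Samba's documented resolution of the family aliases (SMB2 selects SMB2_10, SMB3 selects SMB3_11) and uses constructed sample configurations.

```python
import re

# Dialect order taken from the article's option lists, lowest to highest.
DIALECT_ORDER = ["SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
# Family aliases: Samba's manual resolves SMB2 to SMB2_10 and SMB3 to SMB3_11.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# Values the article says apply when the entries are omitted from smb.conf.
DEFAULTS = {"server signing": "auto", "server min protocol": "SMB2_02",
            "server max protocol": "SMB3"}

def parse_global(conf_text):
    """Return key/value pairs from the [global] section, comments stripped."""
    section, settings = None, {}
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            settings[key.lower()] = val
    return settings

def effective_policy(conf_text):
    """Apply the defaults, validate, and return (signing, accepted dialects)."""
    s = {**DEFAULTS, **parse_global(conf_text)}
    bounds = []
    for key in ("server min protocol", "server max protocol"):
        name = ALIASES.get(s[key].upper(), s[key].upper())
        if name not in DIALECT_ORDER:
            raise ValueError(f"{key}: unknown dialect {s[key]}")
        bounds.append(DIALECT_ORDER.index(name))
    lo, hi = bounds
    if lo > hi:  # the article's note: min must be the same or lower than max
        raise ValueError("server min protocol is higher than server max protocol")
    signing = s["server signing"].lower()
    if signing not in ("default", "auto", "mandatory", "disabled"):
        raise ValueError(f"server signing: unknown value {signing}")
    return signing, DIALECT_ORDER[lo:hi + 1]

def negotiate(conf_text, client_dialects):
    """Highest dialect both sides support, as the article describes, else None."""
    _, accepted = effective_policy(conf_text)
    common = [d for d in accepted if d in client_dialects]
    return common[-1] if common else None

# Constructed samples: the article's enforcement lines, and a bare [global].
ENFORCED_CONF = ("[global]\n   server signing = mandatory\n"
                 "   server min protocol = SMB3_11\n   server max protocol = SMB3_11\n")
DEFAULT_CONF = "[global]\n   workgroup = WORKGROUP   ; no SMB settings given\n"
```

Run it against a copy of your own smb.conf to see which dialects the server will accept before restarting Samba.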
exacqVision supports connecting to many cameras using HTTPS. Depending on the camera firmware capabilities and the device type plugin used in exacqVision the level of encryption provided may vary.
Using the IP Camera Integration Database, you may choose to filter the displayed results by devices which support SSL (HTTPS).
Connecting with HTTPS
When adding a new camera to an exacqVision Server or editing an existing camera connection, the IP Camera Information section on the Add IP Cameras page provides a Protocol drop-down menu. The following options are available:
HTTP
HTTPS If Available
HTTPS Required
Selecting ‘HTTPS If Available’ does not permit customizing the Port number field. This option will attempt to connect to the camera using HTTPS on port 443. If this attempt fails, it will fall back to attempting a connection with HTTP on port 80. This may add a small delay to the initial connection, as it tests HTTPS first.
Selecting ‘HTTPS Required’ will only permit connection to the device using HTTPS. If the device cannot accept such a connection, the device will fail to connect. You are permitted to change the Port number field should your camera be configured to provide HTTPS over a custom port number.
HTTPS Connection Symbols
The IP Camera List on the Add IP Cameras page as well as the Camera Recording page provide symbols in the Protocol column allowing you to quickly view which devices are connected with HTTPS and to what level.
An empty field in the Protocol column indicates an HTTP connection.
The gear icon denotes that the connection is made to the device with HTTPS, which encrypts the login credentials to the device, the camera web interface in the Client’s web panels, and CGI commands made to the camera.
A padlock icon in the Protocol column indicates that the HTTPS connection encrypts the credentials, web page, and CGI commands, but also includes encryption of the video stream.
NOTE: HTTPS between the exacqVision software and camera encrypts only the communications between those two devices.
Enabling HTTPS on Your Camera
Cameras will vary from manufacturer to manufacturer as well as between versions of firmware. Legacy firmware on some devices may require you to apply your own certificate. Many IP cameras today provide HTTPS support out-of-box using self-signed certificates. Below, we examine the settings on an Illustra IQ camera. For other devices, please refer to your device’s documentation.
NOTE: When accessing a camera through the web browser interface using HTTPS, your browser may warn you or prompt you for permission to continue due to having a self-signed certificate. A self-signed certificate can be used to encrypt communication but cannot provide certificate validation. Certificate validation requires the certificate be issued by a Certificate Authority (CA).
Some devices may require you to generate a new self-signed certificate if you have changed the IP address since the last certificate was created.
Illustra IQ Cameras
Illustra IQ devices provide self-signed certificates out-of-box. When entering the Setup mode of an Illustra IQ camera expand the Security menu, then navigate to the HTTP/HTTPS page, as shown.
This page allows you to configure the port number used. Using the Upload button will allow you to upload your own certificate from a trusted Certificate Authority rather than using the camera’s self-signed certificate.
If you decide to use a certificate from a Certificate Authority you must provide them with a Certificate Signing Request (CSR) from the camera. Each camera requires its own, unique certificate from your CA.
NOTE: Do not use wildcard certificates for this purpose.
To generate a CSR file to provide to your CA, navigate to the Generate CSR page, also found under the Security menu. Complete the form on the left as required for your site and needs, then click Apply. The field to the right will populate. You will copy the data from this field into a new text file, but save it as a .CSR file. If you accidentally save the file as .txt, simply replace the .txt file extension with .csr. Provide this file to your CA.