Security Configuration
New Feature in version 4.5.0 and after!
In the Bridge Control Tab there is a new button Update Security Settings that will popup a dialog box to configure the security to be used for the ha-bridge. This is a suggested feature to use as with the advent of home automation devices being the target of hacks such as the network video cameras that where taken over.
WARNING: The ha-bridge should never be exposed to the internet through your router. Period. End of Story. Doing so is inviting hackers to try and get in. The ha-bridge can control too many things in your home that would be targets. It does not matter how much security is put into the ha-bridge, it is just better to not give any one the choice.
So, now we have that out of the way, let's discuss the settings.
There are two arguments for security that can be used. One of which is very important if you decide to use username and passwords.
This option is very important to set if you will be using username/passwords to secure the ha-bridge. The ha-bridge needs to encrypt the settings in the config file and to make sure they are secured specifically to you is to provide this key. Otherwise a default key is used and it is available in the code on github for the ha-bridge here, so not very secure in that sense. It is very important provide this if you are using username/password.
This sets a directory of your choosing to have a walled area for what can be executed by the Exec Command type. This is a good feature to use if you use the capabilities of executing a script or program from the ha-bridge. The default is not set which allows any program or script to be called and anyone with access to the your system could create an exec command call and execute it from the api. This is will prevent any issues if your system gets hacked.
-
Use HTTPS- selection will require you to generate a java keytool keystore file for the ha-bridge to use.
This will require the path to the keyfile and the password that was used to secure the keyfile. There are mulitple ways to add the key file. The basic way is to generate a self signed keystore using keytool as follows:
Step 1 Open the command console
Step 2 Run this command (Where indicate the number of days for which the certificate will be valid) keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass -validity 365 -keysize 2048
Step 3 Enter a password for the keystore. Note this as you require this for configuring the server
Step 4 When prompted for first name and last name, enter the domain name of the server. For example, myserver or myserver.mycompany.com.
Step 5 Enter the other details, such as Organizational Unit, Organization, City, State, and Country.
Step 6 When prompted with Enter key for , press Enter to use the same as the keystore
Step 7 Run this command to verify the contents of the keystore keytool -list -v -keystore selfsigned.jks
Step 8 When prompted, enter the keystore password note in Step 3. The basic information about the generated
certificate is displayed. Verify that the Owner and Issuer are the same. Also, you should see the information you provided in Step 4 and 5.
The second way is to acquire a certified certificate to use in the keyfile. Such way to get one is use letsencrypt. Once you have the certifcate files you can follow this to create the keystore: https://community.letsencrypt.org/t/tutorial-java-keystores-jks-with-lets-encrypt/34754.
The easiest place to keep the keystore files is in your ha bridge data directory.
-
Keyfile Path- This is the input to have the absolute path to the keyfile generated above. -
Keyfile Password- This is the password used to seucre the keyfile generated above. -
Use Link Button- This item tells the ha-bridge to operate like a hue bridge with it's link button. No device can register with the ha-bridge unless the'Link' button is pressed on theBridge Devicespage. TheLink` button is only visible when this setting is checked. -
Use username/password for HUE Api- This item tells the ha-bridge that you want to have the HUE API itself secured with the username and password that you configure. If you do have a username configured (See next item on how), you will not be able to use any application that expects to talk to a HUE in it's normal way. This option is for persons that use the ha-bridge by calling it from their custom programs. -
Update- This button will change the settings for the HTTPS items, the link button and secure hue api items above. -
Add/Delete User- This is where you can set your username to be entered to secure your system. Once you create the password in the fields below this item, your system will ask you to provide the credentials going forward. This field also allows you to remove usernames from the system. Once the last username is removed, the system will then be unsecured and not ask for login credentials. This is accomplished by typing in the username and selecting theDeletebutton which is only shown when the bridge has usernames configured. -
Change Password for <username>- This item will display the username of the user logged in or will dynamically update when adding a new user. type in the password to set. You will then have to confirm it on the next field. The little check box to the side will allow you to see your password. -
Confirm Password- This item is to confirm your password that you entered in the field above this. When the passwords match, you will then get a button to eitherAdd Userif you were entering a new user into the system or aChange Passwordbutton if you are changing your password. -
Change Password- This button only is visible when you have entered matching passwords in the fields above this when the logged in user is changing the password. -
Add User- This button is only visible when you have entered matching passwords in the fields above this when a new uesr is being added. -
Dismiss- This button can be used anytime to clear the dialog and will not save or update any items that were not already done through other buttons.