Add PKI security settings to your configuration

To block unencrypted connections to readers when using PKI encryption, you need to add security settings to the reader configuration. Here, you can optionally also restrict permissions, both for encrypted host connections and connections in maintenance mode.

This feature is available in BALTECH ToolSuite as of version 4.23.00.

Create a security settings component

Please note: The security settings form is currently optimized for AES encryption as this is the more commonly used method. Please bear with us while we're working on a dedicated form for PKI. In the meantime, don't let this confuse you and follow the instructions below.

To create a security settings component:

  1. Open BALTECH ConfigEditor.

    If you haven't installed it yet, you can download it herecall_made as part of BALTECH ToolSuite.

  2. In the popup window, click Open.
    Screenshot: Open an existing configuration (BALCFG format) in BALTECH ConfigEditor

  3. Select the BALCFG file of your existing configuration. If you don't have a configuration file yet, create a new one.

  4. Click Extend Configuration > Settings > Security Settings (BRP Communication).
    Screenshot: Menu path to add security settings in BALTECH ConfigEditor

  5. If you've created only one project in PKI Certificate Manager, disable the checkbox Activate Support For Security Level 1 and save the empty form as part of your configuration. Thus, you grant full permissions to this project.

    If you've created several projects in PKI Certificate Manager, you can restrict permissions as described in the next section.

    Screenshot: Add empty security settings for PKI encryption in BALTECH ConfigEditor

Restrict permissions

When you create multiple projects in BALTECH PKI Certificate Manager (or multiple PKIs with openSSL), each of them gets full permissions by default. In the security settings, you can now make the required restrictions.

  1. To restrict permissions for security level 1, enable the checkbox Activate Support For Security Level 1.
  2. In the Encryption Key field, enter FF...FF.

  3. Click Restrict Allowed Operations Via This Channel and deselect the operations you want to exclude.

    Screenshot: Restrict permissions for PKI-encrypted connections in BALTECH ConfigEditor

  4. Repeat steps 1 to 3 for security level 2 if required. Level 3 always includes full permissions and cannot be restricted.

Restrict unencrypted access in maintenance mode

By default, maintenance mode gives you full access to the reader, even if the connection is not encrypted. If needed, you can exclude certain operations. To perform them, you'll then need an encrypted connection even in maintenance mode.

To exclude operations for unencrypted access:

  1. Enable Allow Unsafe Communication For Some Protocols.
  2. In the drop-down, select TCP/IP Maintenance.
  3. Click Restrict Allowed Operations Via This Channel and deselect the operations you want to exclude.

    We highly recommend you always keep "Allow Factory Reset" enabled, so you can reset the reader in case of misconfiguration.

    Screenshot: Restrict permissions for Ethernet maintenance mode in BALTECH ConfigEditor

That's it. You can now test the encrypted connection using the BALTECH tools and establish encrypted connections via your own host application.