Enhanced Security For Passwords And Oem Protection - Emerson PACSystems RX3i User Manual

PACSystems™ RX3i and RSTi-EP CPU Reference Manual
GFK-2222AK
For OEM protection, it is recommended to store the program to User Flash and set
configuration to always load from Flash. When setting up OEM protection it is important
to download the user program to RAM and User Flash before enabling the OEM
protection. For example, the following steps can be used to set up OEM protection.
1. Set OEM Key password (Must be at Access Level 4 to set OEM Key)
2. Download program to both RAM and User Flash.
3. Set OEM Protection to the Locked state (see firmware note below).
If you are storing a non-blank OEM key to flash memory, you should be careful to record
the OEM key for future reference. If disabling OEM protection, be sure to clear the OEM
key that is stored in flash memory.
Note: In CPU firmware versions 7.80 or later which support Enhanced Security (with
merged password tables), OEM Protection Lock must be explicitly set.
In earlier versions, the OEM Protection could be enabled in User Flash without explicitly
setting the OEM Protection to Locked. With the earlier firmware, a non-blank OEM Key
that is loaded from User Flash at power-up would result in an automatic OEM Lock. In CPU
firmware versions 7.80 or later (i.e., with merged passwords), this is no longer supported.
In firmware versions earlier than 6.01, the OEM protection was not preserved unless a
battery was attached.
4.9.3 Enhanced Security for Passwords and OEM Protection

Enhanced Security passwords are supported by CPU firmware versions 7.80 or later. This
feature provides a cryptographically secure password protocol between an SRTP client
(for example, PAC Machine Edition) and a PACSystems controller. Enhanced Security
passwords operate in a very similar fashion to the Legacy Security password operation
that is supported by previous firmware versions.
Enhanced Security passwords are enabled in PME [64]. PME requires a password in order to
enable/disable the Enhanced Security mode of a target. This PME password restricts
changes to the security mode used by a specific PME target and is independent of any
passwords later configured on the controller.
Enabling Enhanced Security on a target does not force the controller to use only
Enhanced Security. The controller supports both Legacy and Enhanced Security requests
concurrently. For example, one PME target could be used to set initial passwords with
Legacy security and a different PME target with Enhanced Security could connect and
authenticate with the same controller.
Passwords set with one password mechanism (Legacy or Enhanced Security) can be
authenticated and changed using the other mechanism, as long as the password is 7
ASCII characters or fewer. Setting passwords with Enhanced Security that are more than 7
characters prevents access using the Legacy mechanism. For example, you could use
Enhanced Security to set a 10-character ASCII password for Level 4 and Level 3 privileges,
but set a 7-character ASCII password for Level 2. In this case, a Legacy target could be
used to obtain Level 2 privileges, but the Legacy target could never access Level 4 or Level
3 privileges because of the 7-character ASCII limit of the Legacy scheme.
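
Added example (not from the Emerson manual or from PME): a Python audit over a hypothetical controller inventory that applies the firmware rules for OEM Lock given earlier and the 7-character Legacy limit described above. The record fields, the finding names, the sample inventory and the policy that Levels 3 and 4 must not be reachable through the Legacy mechanism are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ENHANCED_FW = (7, 80)    # 7.80 or later: OEM Protection Lock must be explicitly set
NO_BATTERY_FW = (6, 1)   # earlier than 6.01: OEM protection needs a battery
LEGACY_MAX_LEN = 7       # Legacy mechanism limit, in ASCII characters

def parse_fw(version: str) -> tuple[int, int]:
    """Turn '7.80' into (7, 80); assumes the manual's major.minor notation."""
    major, minor = version.split(".")
    return int(major), int(minor)

@dataclass
class Controller:        # hypothetical inventory record, not a PME export format
    name: str
    firmware: str
    oem_key_set: bool    # non-blank OEM key stored in User Flash
    oem_lock_set: bool   # OEM Protection explicitly set to Locked
    battery: bool = True
    pw_len: dict[int, int] = field(default_factory=dict)  # level -> length only

def legacy_reachable(ctrl: Controller) -> list[int]:
    """Levels whose password is short enough for a Legacy target to use."""
    return sorted(lvl for lvl, n in ctrl.pw_len.items() if n <= LEGACY_MAX_LEN)

def audit(ctrl: Controller, protected_levels=(3, 4)) -> list[str]:
    fw = parse_fw(ctrl.firmware)
    findings = []
    if ctrl.oem_key_set and fw >= ENHANCED_FW and not ctrl.oem_lock_set:
        findings.append("oem-lock-not-explicit")   # no automatic lock on 7.80+
    if ctrl.oem_key_set and fw < NO_BATTERY_FW and not ctrl.battery:
        findings.append("oem-needs-battery")
    findings += [f"level-{lvl}-legacy-reachable"
                 for lvl in legacy_reachable(ctrl) if lvl in protected_levels]
    return findings

INVENTORY = [  # constructed sample data; names and versions are illustrative
    Controller("line1", "7.80", True, False, pw_len={4: 10, 3: 10, 2: 7}),
    Controller("line2", "8.20", True, True, pw_len={4: 7, 3: 7, 2: 7}),
    Controller("line3", "5.90", True, True, battery=False),
]

if __name__ == "__main__":
    for c in INVENTORY:
        print(c.name, audit(c) or "ok")
```

The audit takes password lengths rather than the passwords themselves, so the inventory file never has to hold credentials.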
[64] To determine the required PME version, refer to the Important Product Information (IPI) document provided with the CPU firmware version you are using.

Section 4: CPU Operation, October 2019
