Download
Share
Print this page
ABB ARM600 User Manual
  1. Manuals
  2. Brands
  3. ABB Manuals
  4. Gateway
  5. ARM600
  6. User manual
ABB ARM600 User Manual

ABB ARM600 User Manual

M2m gateway
Hide thumbs Also See for ARM600:

Advertisement

Quick Links

Download this manual
M2M Gateway
ARM600
User Manual

Advertisement

loading
Need help?

Need help?

Do you have a question about the ARM600 and is the answer not in the manual?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for ABB ARM600

Summary of Contents for ABB ARM600

  • Page 1 — M2M Gateway ARM600 User Manual...
  • Page 3 Document ID: 1MRS758861 Issued: 2020-06-30 Revision: D Product version: 4.5.3 © Copyright 2020 ABB. All rights reserved...
  • Page 4 Copyright This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party, nor used for any unauthorized purpose. The software or hardware described in this document is furnished under a license and may be used, copied, or disclosed only in accordance with the terms of such license.
  • Page 5 ABB is not liable for any such damages and/or losses.
  • Page 6 (EMC Directive 2014/30/EU) and concerning electrical equipment for use within specified voltage limits (Low-voltage directive 2014/35/EU). This conformity is the result of tests conducted by ABB in accordance with the product standard EN 60255-26 for the EMC directive, and with the product standards EN 60255-1 and EN 60255-27 for the low voltage directive.

  • Page 7: End User License Agreement

    End user license agreement This End User License Agreement is a legal agreement between you and ABB for the Product identified below. BY INSTALLING, COPYING, OR OTHERWISE USING THE PRODUCT YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE, YOU ARE NOT ENTITLED TO INSTALL OR USE THE PRODUCT.
  • Page 8 ABB in writing in each and every case. Such approval shall be granted only if ABB’s liability for damage to property, personal injury and death, damage to plant as well...

  • Page 9: Additional Software

    To use a Product identified as an upgrade, you must first be licensed for the product identified by ABB as eligible for the upgrade. After upgrading, you may no longer use the product that formed the basis for your upgrade eligibility.
  • Page 10 13.1 ABB will indemnify you against any third party claim that the Product infringes upon intellectual property rights of any third party, provided that (i) you promptly notify ABB in writing of the claim; (ii) ABB shall have the sole control...

  • Page 11: Warranty

    14. Warranty Provided that you have a valid license to use the Product, ABB warrants that a) for a period of 90 days from the date of shipment of your license (the “Warranty Period”) that it will perform substantially in accordance with the written materials...

  • Page 12: Exclusion Of Liability

    Product, even if ABB or any of its suppliers has been advised of the possibility of such damages. In any case ABB’s entire liability under any provision of this Agreement shall be limited to the amount actually paid by you for the Product.

  • Page 13: Safety Information

    Safety information Dangerous voltages can occur on the connectors, even though the auxiliary voltage has been disconnected. Non-observance can result in death, personal injury or substantial property damage. National and local electrical safety regulations must always be followed. This product is not fault-tolerant and is not designed, manufactured or intended for use or resale as on-line control equipment or as part of such equipment in any hazardous environment requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft...

  • Page 15: Table Of Contents

    Intended audience................5 Product documentation...............5 Product documentation set............5 Document revision history............. 5 Related documentation..............6 Symbols and conventions..............6 Symbols..................6 Document conventions..............7 Section 2 ARM600 overview............9 Overview.....................9 Key features..................10 Physical interfaces................11 Standard edition................11 Front panel................11 Back panel................12 Health indicators..............12 Enterprise edition.................13...
  • Page 16 Manually deactivating and activating SSH legacy mode..... 60 SSH-VPN key update tool..............61 Comparison of SSH versions............61 Checking SSH version..............62 Using SSH key update tool............63 Section 9 Troubleshooting..............65 Common problems and solutions............. 65 Questions and answers..............66 Section 10 Technical data..............67 ARM600 User Manual...
  • Page 17 Table of contents Section 11 Glossary................. 69 ARM600 User Manual...

  • Page 19: Section 1 Introduction

    The personnel involved in installing and managing the Arctic devices are expected to be experienced in secure network practices. Product documentation 1.3.1 Product documentation set Product series- and product-specific manuals can be downloaded from the ABB Web site www.abb.com/mediumvoltage. 1.3.2 Document revision history Document revision/date...

  • Page 20: Related Documentation

    3G/LTE configuration guide Technical Configuring Wireless Gateways, 1MRS758449 Note Controllers and M2M Gateway Product series- and product-specific manuals can be downloaded from the ABB Web site www.abb.com/mediumvoltage. Symbols and conventions 1.4.1 Symbols The electrical warning icon indicates the presence of a hazard which could result in electrical shock.

  • Page 21: Document Conventions

    Select Main menu/Settings. • Parameter names are shown in italics. The function can be enabled and disabled with the Operation setting. • Parameter values are indicated with quotation marks. The corresponding parameter values are "On" and "Off". ARM600 User Manual...

  • Page 23: Section 2 Arm600 Overview

    ARM600 overview Overview M2M Gateway ARM600 is a member of ABB’s Arctic product family. ARM600 is a communication server, a VPN concentrator and firewall and is typically placed in the same location as the central control and monitoring system, such as SCADA.

  • Page 24: Key Features

    • Supports OpenVPN, L2TP and SSH-VPN tunnels • OpenVPN bridging • Connection to ARM600 with a PC from any location via VPN • Firewall to restrict unauthorized access • Provides static IP addressing of Arctic 600 series wireless gateways for SCADA •...

  • Page 25: Physical Interfaces

    Section 2 1MRS758861 D ARM600 overview Physical interfaces 2.3.1 Standard edition 2.3.1.1 Front panel GUID-257E5F22-2ADB-47CA-A85F-4ABB94710FE9 V2 EN-US Figure 2: Front panel 1 Optical drive 2 Power on indicator, power button 3 Hard drive 4 Service tag (EST) 5 USB 2.0 port...

  • Page 26: Back Panel

    Section 2 1MRS758861 D ARM600 overview 2.3.1.2 Back panel GUID-782AFB7E-203E-4C87-A70F-DED52B49E55A V2 EN-US Figure 3: Back panel 1 Ethernet port eth0 (Gb1) 2 Ethernet port eth1 (Gb2) 3 Power supply health/activity indicators 4 Video (VGA) port 5 iDRAC 6 Two USB 3.0 ports 7 Power supply unit (PSU) 2.3.1.3...

  • Page 27: Enterprise Edition

    Section 2 1MRS758861 D ARM600 overview 2.3.2 Enterprise edition 2.3.2.1 Front panel GUID-4673F94B-E625-408D-B504-8BDC8D9E6D50 V2 EN-US Figure 4: Front panel 1 Optical drive 2 Power on indicator, power button 3 Hard drive 1 4 Hard drive 2 5 Service tag (EST) 6 USB 2.0 port...

  • Page 28: Back Panel

    IP address. The public IP address is required for the data from the connected Arctic 600 series wireless gateways to be routed to ARM600 via the public Internet. The fixed IP address is required because the data connection between the Arctic 600 series wireless gateways and ARM600 is initiated by the wireless gateways.
  • Page 29 1MRS758861 D ARM600 overview If a private APN is used, ARM600 does not need a public IP address. Instead, a private static IP address can be used. The cellular operator’s access router provides routing between IP addresses of the SIM cards and M2M gateway. The added...
  • Page 30 Section 2 1MRS758861 D ARM600 overview ARM600 Company LAN Eth1 Eth0 GUID-26EFFA2A-7F83-4CA7-8F22-571D1B4A185F V1 EN-US Figure 8: Directly connected to internet installation ARM600 User Manual...

  • Page 31: Section 3 Cybersecurity

    Keep passwords stored in a safe place, for example, Encrypted password management tool. • Check that all unused services are disabled. • If possible, allow IP connections only via VPN. • Disable all unused services, for example, Dial-in, SMSconfig, serial and SNMP. • Back up the configuration. ARM600 User Manual...

  • Page 33: Section 4 Getting Started

    Verify that the available AC operating voltage complies with the hardware specifications. Insert the AC power cord to ARM600 and connect the other end to the AC socket or rack’s power rail. Connect the Ethernet cable between the PC and the ARM600 Ethernet port eth0 (located on the back panel).

  • Page 34: Logging In

    Logging in Configure the PC to use the same IP address space as the device. Example: Laptop IP is 10.10.10.11 with netmask 255.255.255.0. In a Web browser, connect to the ARM600 WHMI on port 10000 using the HTTPS protocol. •...

  • Page 35: Section 5 Web Hmi

    • System • Network • • Firewall • Arctic Patrol • Tools GUID-45F85539-9F74-4477-BA08-6A4E57D384C5 V1 EN-US Figure 9: Menu structure System menu The system menu contains the system overview and time settings. ARM600 User Manual...

  • Page 36: Network Menu

    • Using NTP server for acquiring and keeping the correct time ARM600 can work as a time server for providing time to the LAN or VPN connected devices. By default the time setting is configured as NTP client using the NTP pool servers.

  • Page 37: Vpn Menu

    Using OpenVPN with firewall The built-in firewall in ARM600 affects the IP packets routed through an OpenVPN server because they belong to the same IP layer of the host ARM600. The Client to client setting of the OpenVPN server alters this behavior.

  • Page 38: Firewall Menu

    VPN network never reach the host ARM600 network stack which is, therefore, not affected by the firewall settings by default. This simplifies the scenario that clients need to be able to connect to each other over an OpenVPN tunnel.

  • Page 39: Arctic Patrol Menu

    Usually the port forwarding is not needed in ARM600. S-NAT Used to adjust the source addresses of packets. The S-NAT is needed, for example, when ARM600 is used as a border router to Internet. Custom rules The custom rules are for the experienced user who has knowledge of iptables configuration.
  • Page 40 Registration Provides a method for pre-registering the Arctic wireless devices to ARM600. The connection mode (HTTPS or SSH) is selected and the wireless device's serial number is entered. If the SSH mode is used, the client configuration (including SSH keys) is copied to the Arctic wireless device.

  • Page 41: Tools Menu

    ARM600 is connected to the Internet. Tools menu The tools menu is used to configure users and backups, take snapshots of log files for technical support purposes, view release notes and reboot the ARM600 server. Table 7: Tools submenus Menu...
  • Page 42 1MRS758861 D Web HMI Menu Description Support Log Used to download the system log and ARM600 configuration collection to a PC. The support log is used for troubleshooting purposes. Release Notes Contains the release notes for the currently running ARM600 firmware version.

  • Page 43: Section 6 Network Configuration

    Click Edit interface eth1 and configure the eth1 parameters. It is recommended to configure the eth1 interface first, as the PC is now connected to ARM600 via the eth0 interface. Change the IP address and netmask according to the required setup.
  • Page 44 ARM600 using the address https://10.10.10.10:10000. 11. Switch the Ethernet cable from ARM600’s eth0 port to the eth1 port. If the eth1 interface has been configured according to this example, use the address https://192.168.0.1:10000 to access ARM600 via its eth1 port.

  • Page 45: Ethernet Interface Setup Parameters

    At this point, there is usually no need for adding static routes. If the SCADA or other control entity is in a different subnet than the ARM600 LAN, define a static route to that subnet. Do not define static routes over dynamic VPN tunnels.
  • Page 46 Section 6 1MRS758861 D Network configuration Parameter Description UUID Universal unique identifier for the interface TYPE Interface type Name of the interface as displayed in the NAME Network Connections ARM600 User Manual...

  • Page 47: Section 7 Arctic Patrol

    Arctic wireless devices’ firmware in larger batches as opposed to device-by-device. The asset management in Patrol is a feature of the ABB Arctic product line, but it also supports other ABB products that have been connected to a remote Arctic wireless device.
  • Page 48 Click No to confirm that there is no existing SSH public key. Define the device information and click Register device. • Arctic device’s serial number • ARM600’s IP address (usually public) • Connection mode • Connection interval GUID-55D1DC35-DABB-4706-A409-0A0439A3A232 V1 EN-US...
  • Page 49 GUID-25FBF1ED-6C4E-4A9B-8F71-E0FB08FC07BA V1 EN-US Figure 12: Configuration content Log in to the Arctic device as the arctic-adm user. Click Arctic Patrol and select Import New. Paste the configuration content to the Patrol configuration file box and click Submit. ARM600 User Manual...
  • Page 50 Figure 14: Editing configuration Reboot the Arctic device. 10. Log in to ARM600's WHMI, click Arctic Patrol and select Devices. 11. Select the check box of the new Arctic device, select Accept devices from the drop-down list and click Do action.

  • Page 51: Allowing Arctic Devices To Scan Local Networks

    Accepting devices 12. Click OK in the verification dialog. When the Arctic device is rebooted and accepted in the ARM600’s Patrol, the device details and configuration file are transferred to ARM600. The device details are shown in the ARM600’s Patrol view.

  • Page 52: Asset Management

    Arctic wireless devices. Additionally, RIO600 update actions can also be performed from a remote Arctic wireless device through the ARM600’s WHMI. The asset management functionality is developed on top of the Arctic Patrol application, which is a centralized management system running in ARM600 (server) and Arctic wireless devices (clients).

  • Page 53: Selecting Devices For Device Management

    Choose one or more devices to be managed by selecting the check box next to the device. The selected devices are listed in the top part of the ARM600's WHMI. Perform an action on the selected devices in one of the alternative ways.

  • Page 54: Arctic Device Management

    ARM600 if ARM600 is connected to the Internet. When there are new Arctic firmware versions available, notifications are visible on the upper pane of the ARM600’s WHMI if ARM600 is connected to the Internet. For the ARM600’s automatic fetching of the Arctic device firmware, allow TCP connections on port 443 (HTTPS) to the host arcticupdate.abb.com.

  • Page 55: Updating Rtu Configuration

    Click Upload and use the Firmware drop-down menu to verify that the firmware is correct. When the file has been uploaded to ARM600, verify that all the devices are compatible with the firmware update action. Click Run this action for all selected devices to run the batch update.
  • Page 56 Arctic Patrol The RTU section on the Profiles page shows how many RTU configurations are available. Click Edit to proceed. The following page lists the RTU configurations available in ARM600. GUID-BA05DECE-199A-459D-A5EC-405D40D12A2C V1 EN-US Figure 22: Available RTU configurations Update the configurations in one of the alternative ways.

  • Page 57: Updating Device Xml Configuration

    4.6. Reboot the Arctic device to activate the RTU configuration. 7.3.2.3 Updating device XML configuration Arctic field devices have their full configuration stored in XML format. ARM600 product Ver.4.5.1 and newer include support for updating the full XML configuration using Arctic Patrol.
  • Page 58 XML with _PRECONFIG_XXX marker tags. Upload the configuration template to ARM600. XML files can be imported to ARM600 under the Arctic Patrol menu Profiles page. The first version of the XML template becomes revision 1 on ARM600. Any changes made and updated after this increase the revision counter automatically.
  • Page 59 • vpn.openvpn_client.client.remote_port: <remote_port> _PRECONFIG_VPNPORT </remote_port> The tag names described above use the same naming conventions as the ARM600 command line operations viola patrol create-ssh-clients and viola openvpn export- clients. This way if the field device Patrol configurations and OpenVPN configuration have been mass-created on ARM600 using command line utilities, the field names in the generated CSV files match the XML template's _PRECONFIG_ tags.

  • Page 60: Rebooting Arctic Devices

    RIO600 device management Remote RIO600 devices connected to an Arctic device can be updated using the tools available in ARM600 WHMI's Arctic Patrol application. It is possible to transfer a new configuration as well as firmware to the RIO600 devices. However, the RIO600 device configuration and maintenance is always handled with PCM600.

  • Page 61: Updating Rio600 Configuration

    RIO600 devices and report them to the ARM600’s Patrol view. The RIO600 devices are separately listed under each Arctic device the way they were found on the network. Although the ARM600’s asset management features do not have any knowledge of the RIO600 device composition, software or configuration, it attempts to show this information whenever available.
  • Page 62 GUID-16B24A84-9CD1-4CB4-84E2-482889D4688D V1 EN-US Figure 27: Selecting RIO600 configuration package ARM600 asset management tries to automatically associate uploaded configurations to the found devices. However, if this is not possible, create the association manually. 8.1. Select a configuration from the left side under Configurations.

  • Page 63: Updating Rio600 Firmware

    7.3.3.2 Updating RIO600 firmware The ARM600 Patrol application enables the writing of firmware as a batch to several RIO600 devices connected to one or several Arctic devices. However, all RIO600 modules and firmware versions cannot be updated. The firmware packages...

  • Page 64: Exporting Rio600 Configurations From Pcm600

    Exporting RIO600 configurations from PCM600 RIO600 configurations are always maintained and stored within a PCM600 project. This requires that the RIO600 connectivity package is installed in PCM600. Every RIO600 device must have their own unique configuration within a PCM600 project. ARM600 User Manual...
  • Page 65 RIO600 devices and the Write to IED command is executed, the configuration is exported to a zip file instead of being directly written to a RIO600 device. The exported zip file can be uploaded into ARM600’s Patrol WHMI for transfer as a batch to the RIO600 devices connected to the Arctic devices.
  • Page 66 GUID-EA1CFE80-171E-49B3-872C-3198F849647B V1 EN-US Figure 32: Selecting Export Configuration in Write to IED In the ExportConfigurationWindow dialog, select each of the RIO600 devices from which the configuration should be exported, click Browse to set the Export Path and click OK. ARM600 User Manual...

  • Page 67: Openvpn Certificate Management

    OpenVPN certificate management The server and client certificates that OpenVPN uses are always valid for a limited time. ARM600's WHMI shows a warning about expiring certificates when there is less than 6 months left until some OpenVPN certificates expire. It is recommended to take action well in advance before the certificates expire, since expired certificates cause VPN connections to fail.

  • Page 68: Renewing Certificates For An Openvpn Server

    • OpenVPN client names and Arctic hostnames must match, otherwise ARM600 is not able to match Patrol connections with VPN connections and is not able to transfer the new certificates.

  • Page 69: Sending Renewed Certificates To Arctic Devices

    Once the certificates for a server and its clients have been renewed, the new certificates need to be sent to all clients, and activated. Log in to ARM600's WHMI as the arctic-adm user. On the left pane under the VPN menu, select OpenVPN.
  • Page 70 Certificate upload icon • Click the upload icon next to one OpenVPN client to transfer new certificates only to a specific client. The tool now shows a list of clients for the chosen OpenVPN server as shown Figure ARM600 User Manual...
  • Page 71 OpenVPN peers and certificate status Column Certificate on device expires shows when the certificate installed on the device expires. Since ARM600 might not know how the device is configured, this column might contain "unknown" values. The device status can be queried with the Check certificate status tool.

  • Page 72: Checking Certificate Status On Arctic Wireless Devices

    It may be useful to check the expiration times of OpenVPN certificates on individual Arctic wireless devices, since the configuration of the device might have been changed manually. ARM600 might not then have access to the latest status of the OpenVPN certificates on all devices.

  • Page 73: Section 8 Ssh Mode Selection And Key Update

    The recent OpenSSH software versions no longer support the deprecated SSH protocol version 1 (SSHv1). OpenSSH is used for SSH-VPN, SSH Patrol and console access on ARM600. While the SSHv1 protocol is no longer supported for new connections, the SSHv1 protocol might be in use, especially for SSH-VPN connections in older installations.

  • Page 74: Legacy Mode Activation

    SSH legacy mode replaces the earlier "Enable SSH Protocol 1" SSH-VPN server setting. SSH legacy mode is disabled by default in new installations, but it is automatically activated when upgrading the ARM600 software or restoring a backup of an installation where the following two criteria are met: SSH protocol version 1 is enabled.

  • Page 75: Ssh-Vpn Key Update Tool

    Due to the security risk inherent in the SSH legacy mode, a notification is shown at the top of ARM600's WHMI when it is active. The notification can be dismissed by clicking the link to the right of the notification and confirming it permanently by selecting the Do not show this again check box followed by clicking Confirm.

  • Page 76: Checking Ssh Version

    Viola Arctic 2G products and Viola M2M Gateway products (except for version 3.5.2) do not support SSH v.2. In case of these products, it is recommended to replace them with devices from the new ABB Arctic product line that support SSH v.2.

  • Page 77: Using Ssh Key Update Tool

    Updating SSH-VPN key The SSH key update tool creates a new SSH key pair for every device, stores the public part of the key in ARM600 and takes the new key into use on ARM600 and the Arctic wireless device.
  • Page 78 Section 8 1MRS758861 D SSH mode selection and key update The Arctic devices must be rebooted to take the new SSH keys in use. ARM600 User Manual...

  • Page 79: Section 9 Troubleshooting

    Check that the border firewall does not block the traffic and that there is a port forwarding to ARM600, if the public IP is associated to the border router. At least the VPN port must be open (UDP 1194 for first OpenVPN server instance).

  • Page 80: Questions And Answers

    When using standard “off the shelf” public cellular network SIM cards in the Arctic field ARM600? devices, they are routed over the Internet. ARM600 is a server equipment and it requires a public, static IP address when public networks are used. The public IP address may be associated to the company’s border router and VPN packets can be port forwarded to...

  • Page 81: Section 10 Technical Data

    100...240 V AC, autoranging, 50/60 Hz Operating voltage Temperature Continuous operation 10...35°C (50...95°F) with no direct sunlight on (for altitudes less than the equipment 950 m or 3,117 ft) Storage -40...65°C (-40...149°F) Table continues on next page ARM600 User Manual...
  • Page 82 Description Standard edition Enterprise edition ARM600C2500NA ARM600C2505NA Ethernet ports Power supply single dual single dual RAID CPU type Intel Pentium G5500 Intel Xeon E-2288G 8 GB 32 GB Max Arctic connections 3000 Size 1U 19" 1U 19" ARM600 User Manual...
  • Page 83 IP address that specifies the location for the TCP/IP protocol. Key performance indicator L2TP Layer 2 tunneling protocol Local area network Liquid crystal display Machine to machine Message digest algorithm 5 Network time protocol 1. Personal computer 2. Polycarbonate PCM600 Protection and Control IED Manager ARM600 User Manual...
  • Page 84 Supervision, control and data acquisition Subscriber identity module SNMP Simple Network Management Protocol Secure shell Transmission Control Protocol Transmit/Transmitted User datagram protocol Universal serial bus Video graphics array Virtual Private Network Wide area network WHMI Web human-machine interface Extensible markup language ARM600 User Manual...
  • Page 88 — ABB Distribution Solutions P.O. Box 699 FI-65101 VAASA, Finland Phone +358 10 22 11 www.abb.com/mediumvoltage © Copyright 2020 ABB. All rights reserved.