Settings

You can access the settings screen in the navbar menu.

Settings

General

This section allows you to adjust general settings for the system i.e. router identifier, config generators, login and password restrictions.

Device types

This section allows you to manage existing device types.

Row actions

You can perform the following extra actions on a single row:

  1. Details - Open details about the selected device type.

  2. Duplicate - Duplicate the selected device type.

  3. Enable - Allows you to enable the selected device type.

  4. Disable - Allows you to disable the selected device type.

  5. Secrets - Allows you to manage device secrets settings for devices in selected device type.

Communication procedure

Devices communicate with SMART EMS to deliver many functionalities including managing configuration, updating firmwares, gathering diagnose data, sending logs, managing certificate types, managing secure VPN connection. Some communication procedures are tailored to a specific device, while others (i.e. edge gateway communication procedure) are designed to be easily integrated with third-party devices. Communication procedures can require some functionalities to be enabled in a device type to be able to support designed functionalities.

Please contact Welotec directly to get guidance and detailed information about working with communication procedures or integrating third-party devices.

Edit form

When editing a device type that already has some devices created, this form will be limited only to fields that can be modified without creating dangerous inconsistencies in existing devices.

Device secrets

Device secrets functionality allows you to safely manage sensitive information like passwords, keys and credentials for a specific device.

Functionality includes:

  1. Device type secrets - Allows you to manage device secrets settings for devices in selected device type.

  2. Device secrets - Allows users to show, edit and delete values of device secret

  3. Secret log - Allows you to audit who, when and how used device secrets

  4. Device secret variables - System automatically prepares additional predefined device variables to use in device configs

Manage device type secrets

Accessible from device type screen. It allows you to manage device secrets settings in selected device type.

Secret have following properties:

  1. Device type - The device type associated with the secret.

  2. Name - A human-readable name of the secret (used in logs and device details)

  3. Description - A human-readable explanation of the secret’s purpose and usage (shown in device details).

  4. Use secret as device variable - Whether the system should automatically generate variables based on this secret.

  5. Variable name prefix - (Only applicable if “Use as Device Variable” is enabled) Prefix for system-generated device variables.

  6. Secret value behaviour - How secret value should behave during device communication.

  7. Allow users to manually edit secret value - Whether users can manually edit the secret value.

    • Administrators - Can edit/clear all device secrets.

    • SMART EMS users - Can edit/clear specific device secrets if they have:

      • Access to the device.

      • At least one access tag from the defined access tag list.

    • VPN users - cannot edit/clear device secrets.

  8. Enable reminder for manual secret value renewal - Reminder will be visible on device details screen in device secret section. You can specify number of days after which reminder should appear.

  9. Access tags - A list of access tags required for SMART EMS users to access device secrets (users must also have device access).

  10. Secret value requirements - Minimum length and character type requirements (lowercase, uppercase, special characters, digits) for the secret value. Automatically renewed secrets will meet these requirements.

Device secrets

Accessible from device detail screen. SMART EMS users have access to device secrets only when they have access to this device. List of device secrets is also limited based on access tags (at least one access tag that SMART EMS user has assigned is also assigned to device secret). VPN users do not have access to this functionality.

List of device secrets also include last renewed at column which includes informative icons when:

  1. Secret value will be automatically generated during next device communication.

  2. Secret value will be automatically renewed during device communication.

  3. Secret value will be automatically renewed during device communication, but it is already expired.

  4. Secret value should be renewed manually as soon as possible.

Users can:

  1. Show secret value - A dialog will be shown with secret value and device secret variables.

  2. Edit - Possible when device secret allows users to manually edit secret value.

  3. Clear secret value - Possible when device secret allows users to manually edit secret value.

Secret log

The secret log allows you to audit any:

  • Showing or changing of device secret value by a user

  • Showing or changing of device secret value by a device authentication user during device communication

  • Showing content of communication logs, config logs, and diagnose logs by user

  • Showing previous or updated device secret value of secret log by user

SMART EMS users can access the content of communication, configuration, and diagnostic logs only if:

  • They have access to the specific device.

  • They have access to all the device’s secrets with “Use secret as device variable” enabled.

Device secret variables

The system automatically generates a list of device secret variables for each device secret with “Use secret as device variable” enabled. These variables are constructed by combining the “Variable name prefix” with an encoding algorithm.

Available Variables:

  • prefixPlain: Warning: Stores the device secret value in plain text. Do not use except for exceptional circumstances.

  • prefixBase64: Warning: Stores the device secret value encoded with Base64, which is reversible. Not recommended for most use cases.

  • prefixCryptMd5: Uses the Crypt MD5 algorithm for encoding. Considered less secure for modern password storage. Use with caution. (Example: $1$0YyPL6hr$8evKweYo5.YdqCTUT6YVi0)

  • prefixCrypBlowFish: Uses the Crypt BlowFish algorithm for encoding. (Example: $2y$10$tVKxnUo5cgYXFGriRLaPNuf0iRQEhOm4gGvmMPEgWFqVJAnNL3heu)

  • prefixCrypSha256: Uses the Crypt SHA-256 algorithm for encoding. (Example: $5$s6EGldrZmqN3MaeL$xa4pZVRJE8yBgdFlRVKN.dr.M1ZVp249H0wuz/nGVH2)

  • prefixCrypSha512: Uses the Crypt SHA-512 algorithm for encoding. (Example: $6$Vw0KA4YXj1LZIkSG$jlhIiH6BqhC2Rb5yEse5JyZu65QPzgCqef0rRpsNDuny5hEKYUMTuGcEU5rnvRciG01//sPCYwo5NYCidXhYw1)

Important Notes:

  • When used in device configs, the values will be obscured within the web interface.

  • During device communication, the unobscured values are used.

  • Due to this, communication, config, and diagnostic logs that might contain these secrets. Accessing them is logged in the secret log.

  • To access the content of these logs, users must have permission to all the device’s secrets with “Use secret as device variable” enabled.

  • If defined or predefined variable with same name exists, device secret variable will override value in generated config

Logs

This section allows you to adjust settings for cleanup duration and size of different types of logs.

Radius

This section allows you to adjust settings for radius authentication.

Two-factor authentication

This section allows you to adjust settings for two-factor authentication (TOTP).

Single Sign-on (SSO)

This section allows you to adjust settings for single sign-on (SSO).

Microsoft Entra ID with OpenID Connect

You can configure SMART EMS to use OpenID Connect to sign-in users via Azure portal App.

You can find “Application (client) ID” and “Directory (tenant) ID” in your Azure Application under “Overview”. You can read more about “Credential” options below. Please refer to “Roles” section under “Azure Application configuration” and fill “Role mappings”.

After clicking “Submit”, a new button “Log in using Microsoft” will be visible on SMART EMS login screen.

Client secret credential

On your Azure Application please navigate to “Certificates & secrets” (“Manage” section), click “New client secret”, fill the form according to your needs and click “Add”. Value in “Value” of created client secret will be needed to configure SMART EMS.

Uploaded certificate credential

Please upload public and private key. Public key should be uploaded to your Azure Application on “Certificates” tab in “Certificates & secrets” (“Manage” section).

Generated certificate credential

You can generate public and private key by checking “Generate public and private key” and saving the form. You will be able to view or download generated public key afterwards. It should be uploaded to your Azure Application on “Certificates” tab in “Certificates & secrets” (“Manage” section).

Azure Application configuration

Please navigate to “App registrations”, select your application and navigate to “Authentication” (“Manage” section). Please add platform for “Web” and add to “Redirect URIs” your SMART EMS URL followed by /authentication/sso/microsoftoidc/login (i.e. https://example.com/authentication/sso/microsoftoidc/login).

Please navigate to “Certificates & secrets” (“Manage” section) and configure it according to selected “Credential” in SMART EMS.

preferred_username claim can be used to have human readable username for the user. In order to use it please navigate to “Token configuration” (“Manage” section) and click “Add optional claim”. Select “Token type” ID, check preferred_username claim and click “Add” to apply the changes.

In order to support front-channel logout (recommended) please also configure “Front-channel logout URL”. Use your SMART EMS URL followed by /web/api/authentication/sso/microsoftoidc/logout (i.e. https://example.com/web/api/authentication/sso/microsoftoidc/logout). You also need to adjust token configuration. Please navigate to “Token configuration” (“Manage” section) and click “Add optional claim”. Select “Token type” ID, check sid claim and click “Add” to apply the changes.

Roles

In order to assign roles to specific groups or users please navigate to “App roles” (“Manage” section). Please click “Create app role” and fill the form according to your needs. Please take into considation that value set in “Value” field is used by SMART EMS to map roles in the application.

In order to map roles in SMART EMS please navigate to “Settings” (click on your username in top right corner) and “Single sign-on (SSO)”. Under “Role mappings” you can set user permissions for each role that has been created in “App roles”.

VPN Security Suite

This section allows you to adjust settings for VPN Security Suite which includes configuring connection to OPNsense, OpenVPN configuration, devices OpenVPN and virtual networks, technicians OpenVPN networks.

Certificate types

This section allows you to manage certificate types and their configuration.

A certificate type defines various aspects of certificates used by devices. You can create and manage certificate types to suit the needs of your specific devices and PKI infrastructure.

Key Properties of a Certificate Type

  • Name: A user-friendly name for the certificate type (e.g., “Device Authentication Certificate”).

  • Certificate entity: Specifies which entity can use this certificate type.

  • Common Name Prefix: A prefix used to automatically generate the Common Name field in certificates issued for this type (e.g., “eg-“).

  • Variable Name Prefix: A prefix used to generate predefined variables containing device certificate related data to use in device config.

  • Enabled: Allows to enable or disable certificate type

  • User available actions: Download, upload, delete, generate and revoke using PKI - when enabled actions will be visible for users in device or user actions

  • Automatic behaviours: Defines how system should handle certificate when device or user is being enabled or disabled

  • PKI Protocol: Choose PKI protocol for handling generation and revocation of certificate

  • SCEP protocol settings: (if PKI protocol is SCEP) Define SCEP protocol settings like URLs, credentials, etc.

REST API documentation

This section allows you to enable or disable REST API documentation for specific users.