# Manual[1.6.2] # 1 Overview This document is intended to act as a user manual and explain WCC Lite usage in detail. It is expected the person referring to this manual is experienced in programmable logic controllers (PLC), networking (IPv4, ethernet) and the use of the operating system of choice (Windows, Linux, Mac, etc.). This document might not cover all of the use cases. For usage not described in this document please contact Elseta technical support (contact info available on the last page of this document).# 2 Hardware and software requirements In order to get the WCC Liteup and running, a PC/Mac is required, capable of running a web browser and an MS Excel compatible spreadsheet editor (e.g. LibreOffice or an online spreadsheet editor such as Google Sheets). A built­in or external Ethernet adapter is also required to connect to the WCC Lite.# 3 Technical information
##### System
ProcessorARM CPU (AR9331, 400MHz)
Memory16 MB Flash/64 MB DDR2 RAM
Wireless802.11 b/g/n
I/O1x Binary input (hardware version >=1.4) 1x Relay output
Additional storage SD card (2GB by default)SD card (2GB by default)
Ethernet10/100 Base­-T ­ RJ­45 connector up to 2 independent ports
Serial ports1x RS­485 1x RS­485 / RS­232 (switchable)
Time synchronizationNTP client + server, IEC 60870­-5-­101, IEC 60870-­5-­104
GSM2G(GPRS, EDGE) / 4G(LTE) 2G(GPRS, EDGE) / 3G(UMTS, HSDPA, HSUPA) 2G(GPRS, EDGE) / 3G(UMTS, HSDPA, HSUPA) / 4G(LTE) Single OR Dual SIM card modem
##### Power requirements
Power supply 12 ­- 24 VDC
Power consumption < 6W
Dimensions 101 (H) x 22.5 (W) x 119 (L), mm
Mounting Wall mount, Din rail
##### Environmental
Operating temperature-40°C to +85°C
Warranty 2 year
##### Software
Compatibility with HMI (Human Machine Interface)Compatible with cloud based SCADA system -CloudIndustries.eu
Routing• Isolated LAN interface • Isolated LAN interface, but omitted to provide TCP / UDP ports or VPN mergers • Routed LAN internet connection masking data for GSM interfaces • Secure LAN data transfer via VPN • Secure LAN data transmission through VPN access to the Internet • Single OR Dual SIM card modem
Database• File based database • Data buffering in case of network outage
Data security• All data between WCC Lite and Cloud based SCADA exchange over secure encrypted VPN tunnel • Firewall to prevent intrusion and DoS attacks • VPN solution with VPN gateway can be used to manage (configure and update) and monitor VPN and WCC devices from a single place
Device maintenanceIt is possible to configure and monitor devices and protocols connected to the WCC Lite through Elseta cloud based SCADA system CloudIndustries.eu or 3rd party SCADAs and see device­based alarms such as communication errors, etc.
Supported protocols• Modbus master / slave (RTU / ASCII / TCP) • M­Bus master (Serial / TCP) • IEC 60870­-5­-101 master / slave • IEC 60870­-5­-103 master • IEC 60870­-5­-104 master / slave • IEC 62056­-31 master • IEC 62056­-21 (since v1.2.13) • DNP3.0(Serial/LAN/WAN) master / slave • SMA Net • DLMS Cosem (Serial/TCP) (since v1.3.0) • Resol VBus • IEC 61499 (since v1.4.0) • IEC 61850 (v1/v2/v2.1) master / slave (since v1.5.0)
Supported devices• Other Elseta products • Aurora PV inverters • Delta inverters • Kaco PV inverters • SMA PV inverters • Ginlong PV inverters • Solplus PV inverters • Kostal devices • Windlog data logger • Vestas Wind turbines • Elgama elektronika electricity meters
Network features• IPsec • OpenVPN • xl2tp • Firewall • Routing • RADIUS • SNMP • ser2net • API • NTP synchronization
Extra features• Software update • Remote configuration via CloudIndustries.eu administration • Device fault notifications • Internal web page for configuration and diagnostics
# 4 WCC Lite status indication and control ### Status indication [![image-1601989825830.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601989825830.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601989825830.png) ### Reset button The reset button is located on the front panel of WCC Lite, to access it, remove a transparent front panel cover. Different time lengths of button pressing call different behaviour.
Pressing timeDescriptionIndication
Short PressSystem rebootRed STATUS LED starts blinking
Long press (>3s)Reset to factory settingsRed STATUS LED turns on
# 5 Installing the WCC Lite ### Mounting To mount the device: 1\. Secure the top of the mounting clip onto a DIN rail. 2\. Push the bottom of a device forward to fix the clip in place. To dismount the device: 1\. Pull red colored clip downwards (found at the bottom side of the DIN rail). 2\. Pull back the bottom of the device. 3\. Pull device upwards to dismount it. [![image-1669191907888.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669191907888.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669191907888.png)[![image-1669191924303.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669191924303.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669191924303.png) ### Power WCC Lite It is recommended to power WCC Lite from 6W (minimum) 12-24V DC power supply. A full range is 5V to 36V. [![image-1669191981661.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669191981661.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669191981661.png)

Note: Make sure that device is compatible with your power source before proceeding! Check the label next to power connector or on the side of device.

### SIM card slot (hardware versions older than 1.3) [![image-1669192005723.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669192005723.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669192005723.png)

As of hardware versions 1.3 onwards single SIM modem support for WCC Lite has been discontinued.

WCC Lite has push-push type microSIM card connector with card detection function. The connector is located on the front panel of WCC Lite. To access it, remove a transparent front panel cover. To insert a SIM card gently push it inside (see Figure below) until it locks in place. Press again to release and remove the card. [![image-1669192038290.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669192038290.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669192038290.png) ### Dual-SIM card slot WCC Lite has optional Dual-SIM card modem. To access both SIM cards, remove a transparent front panel cover and press through marked hole with small tool until SIM holder pops out. [![image-1669192076737.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669192076737.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669192076737.png) To insert SIM cards, remove Dual-SIM holder and fit SIM cards into it. Insert holder with SIM cards into slot.

Note: Be careful when removing or inserting DUAL-SIM holder, as SIM cards can fall out.

Note: WCC Lite will automatically detect a SIM card insertion or removing.

# 6 WCC Lite interfaces WCC lite supports various interfaces to be acquire data and control external circuitry. That includes two serial port interfaces, relay output, digital input and external cellular connection antennae. ### Serial port interfaces WCC Lite WCC Lite has 2 serial ports. Selectable RS485 (by default) or RS232 interface on PORT1 and RS485 interface on PORT2. [![image-1669192152932.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669192152932.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669192152932.png) WCC Lite RS485 interface supports baud rates up to 115200 and has an integrated 120 termination resistor. It is recommended to use termination at each end of the RS485 cable. To reduce reflections, keep the stubs (cable distance from main RS485 bus line) as short as possible when connecting device. See typical RS485 connection diagram on figure 8.

Note: Double check if A and B wires are not mixed up.

WCC Lite 3-wire RS232 interface is available on PORT1 and can be selected by user (see Port settings). Baud rates up to 115200 are supported. See typical RS232 connection diagram on figure 9. [![image-1601990090504.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601990090504.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601990090504.png) [![image-1601990164490.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601990164490.png) ](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601990164490.png) ### Relay output WCC Lite integrates 1 signal relay (3-way RO connector) with COM (common), NC (normally closed) and NO (normally open) signals. [![image-1669192213316.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669192213316.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669192213316.png) Maximum switching power is 60W, maximum contact current is 2A, maximum switching voltage is 60VDC/60VAC. The lower is switching power, the higher is lifecycle of Relay Output. Relay electrical endurance: • resistive load, 30VDC / 1A - 30W min. 1x105 operations; • resistive load, 30VDC / 2A - 60W min. 1x104 operations. ### Digital Input With WCC Lite hardware version 1.4 a digital input functionality has been introduced. Software configuration guidelines are discussed later in this document. [![image-1669192480919.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669192480919.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669192480919.png) ### GSM WCC Lite comes with an optional GSM module. There are few hardware configurations available: • Without GSM modem. • With single SIM modem (HW version 1.0 - 1.2) - 2G/3G (GPRS, EDGE / UMTS, HSDPA, HSUPA) version - 5.76Mb/s upload, 7.2Mb/s download. UMTS/HSPA bands 900, 2100. GSM bands 900, 1800. Modem chip - Ublox Sara-U270. • With single SIM modem (HW version 1.0 - 1.2) - 2G/4G (GPRS, EDGE / LTE) Cat 1 version - 10.3Mb/s upload, 5.2Mb/s download. LTE bands 3, 7, 20. GSM bands 900, 1800. Modem chip - Ublox Lara-R211. • With dual SIM modem (HW version 1.0 - 1.2) - 2G/3G (GPRS, EDGE / UMTS, HSDPA, HSUPA) version - 5.76Mb/s upload, 7.2Mb/s download. UMTS/HSPA bands 900, 2100. GSM bands 900, 1800. Modem chip - Ublox Sara-U270. • With dual SIM modem (HW version 1.0 - 1.2) - 2G/4G (GPRS, EDGE / LTE) Cat 1 version - 10.3Mb/s upload, 5.2Mb/s download. LTE bands 3, 7, 20. GSM bands 900, 1800. Modem chip - Ublox Lara-R211. • With dual SIM modem (HW version 1.3 - 1.4) - 2G/3G/4G (GPRS, EDGE / UMTS, HSDPA, HSUPA / LTE) Cat 4 version - 50Mb/s (max) upload, 150Mb/s (max) download. LTE bands 1, 3, 5, 7, 8, 20, 38, 40, 41. GSM bands 3, 8. UMTS bands 1, 5, 8. Modem chip - Quectel EC25-E. They are based on mini PCI-e standard connector and compatible with any other devices. Check label on package for current modification. [![image-1669192522982.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669192522982.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669192522982.png) Connect an antenna to the SMA connector labeled “ANT1“. Select a good antenna placement spot considering the operation environment and network coverage of your mobile provider in the area. To enable MIMO functionality for 4G (LTE) modems a second antenna should be connected to the SMA connector labeled ”ANT2”.

4G (LTE) Cat 1 version modem both antennas are used for LTE communication. In such case internal WIFI antenna is used. Network can be limited in distance and speed, especially in metal based panels.

Make sure the signal level is over -80dBm to have a stable connection to the network. ### Wi-Fi For hardware version older than version 1.3, in case a Wi-Fi connection is needed, connect a Wi-fi antenna to the SMA connector labeled “WIFI“. Select a good antenna placement spot considering the operation environment. [![image-1669192615395.png](https://wiki.elseta.com/uploads/images/gallery/2022-11/scaled-1680-/image-1669192615395.png)](https://wiki.elseta.com/uploads/images/gallery/2022-11/image-1669192615395.png) Never hardware versions don’t have an option of connecting an external Wi-Fi antenna as MIMO capability for cellular modems has been introduced. In case stronger reach is needed, a user should contact manufacturer to provide possible solutions. Make sure the signal level is over -80dBm to have a stable connection to the network.# 7 Tags #### Single point Commonly used in storing digital states single point values have only one bit of information. The value of such tags can be either one or zero. On the internal web of WCC Lite states of this type of tags are shown in colored boxes with customisable label.
ValueRepresentation
0OFF
1ON
#### Double point Double point signals contain two bits of information that allow four different states, therefore they contain additional information compared to single point ones. INDETERMINATE state might, for example, mean that part of the equipment has been turned off or a mechanical part which does the switching has stuck between states. ERROR state might mean that both contacts are connected and there might be a short circuit in the equipment.
ValueRepresentation
00INDETERMINATE
01OFF
10ON
11ERROR
# 8.1 Initial Setup ### Initial setup WCC Lite comes with static network configuration with its IP set to 192.168.1.1. For initial setup set a static IP address on your computer and connect your network card to the WCC Lite with an ethernet cable. ### Static IP address setup on Windows 1\. Press Win+R on your keyboard. This will open the run window. Enter ncpa.cpl and press OK. This will open the Network Connections window. [![image-1637917371163.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637917371163.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637917371163.png) 2\. Right­-click on the Local Area Connection icon, then select Properties [![image-1637917705932.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637917705932.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637917705932.png) 3\. In the window that opens, click on the Internet Protocol Version 4 (TCP/IPv4) (you may need to scroll down to find it). Next, click on the Properties button. [![image-1637918015359.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637918015359.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637918015359.png) 4\. In the window that opens, click the Use the following IP address radio button. Fill the following fields and click OK: • IP address: 192.168.1.2 • Subnet mask: 255.255.255.0 • Default gateway: (leave empty) [![image-1637918059194.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637918059194.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637918059194.png) ### Connecting to an internal web page If your computer IP address is set up and ethernet cable is connected power up the device. Wait a few minutes until the device boots. Then open your web browser and enter the following URL: http://192.168.1.1/ Supported web browsers: • Google Chrome (recommended) • Mozilla Firefox • Internet Explorer 8 or later [![image-1637918176782.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637918176782.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637918176782.png) Login with the root user: - *Username*: root - *Password*: wcclite

It is recommended to change the password immediately to avoid any unauthorized access.

Before plugging WCC Lite with a static IP address to the local computer network, make sure to check if such address is not already reserved by other devices.

# 8.2 Site Layout ### Site layout [![image-1637918414929.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637918414929.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637918414929.png) It provides the main navigation through the website. Contains the following sections: - *PROTOCOL* *HUB*: configuration related to data exchange between WCC Lite and other devices. - *STATUS:* system information and diagnostics. - *SYSTEM:* basic system settings such as time setup. - *SERVICES:* various other services. - *NETWORK:* network related settings and services. - *USERS*: existing user groups and management of their permissions - *LOGOUT:* user logout.# 8.3 Protocol Hub ### Protocol HUB Protocol HUB section stores configuration for every connected device. You can configure it by importing settings from an Excel file. #### Configuration [![image-1637920676580.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637920676580.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637920676580.png) In this tab a user can: - Import new configuration from Excel file (.xls, .xlsx formats). If any errors in the file are found, device will not be imported and importing process will be stopped. - Import .fboot file for PLC. - Import IEC61850 Server model file - Download current configuration Excel file. - Download a template configuration Excel file. #### Imported Signals [![image-1637921790318.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637921790318.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637921790318.png) Imported signals section shows basic information about applied configuration. This section is view only. #### Event Log [![image-1637922251841.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637922251841.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637922251841.png) Event Log is the time­stamped status data. It allows to review latest events and changes for device’s state changes in chronological order. Newest events are shown at the top of the list. WCC Lite will time­stamp the status data with a time resolution of one millisecond. Initially, all breakers, protection contacts digital status input points in the WCCLite; events captured from IEDs (Intelligent electronic devices) shall be configured as Event Log points. It’s possible to assign any digital status input data point in the WCCLite as SOE point with Excel template during configuration. Each time a device changes state, the WCClite will save it with time­tag in internal storage. WCC Lite will maintain a Event Log buffer within the configured history size limitations. Event Log can also be downloaded by pressing the download button at the bottom of the page.

Events are recorded only for devices that have *log* field set. When log size exceeds its limit, oldest records are deleted.

#### Protocol Connections [![image-1637922438098.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637922438098.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1637922438098.png) Protocol connections section shows shows configured devices their ports and their status. This section is view only.# 8.4 Status ### Overview #### System [![image-1601551511604.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601551511604.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601551511604.png)System section in status tab shows basic information about current status of the system. Hostname: The label that is used to identify the device in the network. Model: Model of the device. Firmware version: Current firmware version. Kernel version: Current kernel version. Local Time: Current local time. Uptime: The time a device has been working. Load average: Measure CPU utilization of the last 1, 5, and 15 minute periods. Load of 0.5 means the CPU has been 50% utilized over the last period. Values over 1.0 mean the system was overloaded. #### Memory [![image-1601551636726.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601551636726.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601551636726.png) The ”Memory” window provides memory usage information on the device. Total available memory: The amount of available memory that could be used over installed physical memory. Free: The amount of physical memory that is not currently in use over installed physical memory. Buffered: The amount of buffered memory that is currently in use for active I/O operations over installed physical memory. #### Network [![image-1601551674236.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601551674236.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601551674236.png) IPv4 WAN, IPv6 WAN status and active connections of the device. Type: Type of addressing of IPv4 network interface – DHCP or static. Address: IP address of the device. Netmask: Netmask of the device. Gateway: IP address of the Gateway. DNS: IP address of DNS server. Expires: DHCP lease expiration time of the connection. Connected: The time a device has been connected. Active Connections: The number of the active connections with the device. #### DHCP leases [![image-1601551755263.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601551755263.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601551755263.png) DHCPv4 and DHCPv6 lease expiration time. Hostname: The label that is used to identify the device in the network. IPv4-Address: IPv4 address of network interface. MAC-Address: The media access control address of IPv4 network interface. DUID: DHCP Unique Identifier of IPv6 network interface. Lease Time remaining: The amount of time the device will be allowed connection to the Router. #### Wireless[![image-1601551793225.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601551793225.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601551793225.png) WiFi interface information window. SSID: The sequence of characters that uniquely names a wireless local area network. Mode: Shows how the device is connected to the wireless network – Master or Client. Channel: The number of channel and radio frequency for connection to access point. Bitrate: The number of bits that pass the device in a given amount of time. BSSID: The MAC address of the wireless access point. Encryption: Security protocol for the wireless network. #### Associated stations [![image-1601551830832.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601551830832.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601551830832.png)List of associated stations (clients). Network: Mode and SSID of network point. MAC-Address: The media access control address of IPv4 network interface. Hostname: The label or IP address that is used to identify the device in the network. Signal/Noise: Received signal level over the background noise level. -30 dBm is the maximum achievable signal strength, -70 dBm is the minimum signal strength for reliable packet delivery in the wireless network. RX Rate/TX rate: Used measure data transmission in the wireless network over bandwidth. RX Rate represents the rate at which data packets being received by the device, TX Rate represents the rate at which data packets being sent from the device. #### Board information [![image-1601551883930.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601551883930.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601551883930.png)Board information provides the following details: Hardware version: Current hardware version; Serial number: Serial number of the board; SoC ID: Unique identifier of CPU unit; ### Firewall #### IPv4 Firewall [![image-1601552021522.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552021522.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552021522.png) Firewall rule list for IPv4 traffic. Table: The four distinct tables which store rules regulating operations on the packet. Filter concerns filtering rules. NAT concerns translation of source or destination addresses and ports of packages. Mangle table is for specialized packet alteration. The raw table is for configuration exceptions. Chain: The list of rules. Filter table has the following built-in chains: Input – concerns packets whose destination is the firewall itself, Forward – concerns packets transiting through the firewall, Output – concerns packets emitted by the firewall, Reject – reject the packet, Accept – allow the packet to go on its way. NAT table has the following built-in chains: Prerouting – to modify packets as soon as they arrive, Postrouting – to modify packets when they are ready to go on their way. Mangle table has one built-in chain: Forward for transiting packets through the firewall. Pkts.: The packets processed by the firewall. Traffic: The amount of data processed by the firewall. Target: The chain of the table of the firewall. Prot.: The transport layer protocol processed by the firewall. In: The network interface for the input chain processed by the firewall. Out: The network interface for the output chain processed by the firewall. Source: IPv4 address of the device that the packet comes from. Destination: IPv4 address of the device that the packet goes to. Options: The options for configuring the firewall. #### IPv6 Firewall [![image-1601552266384.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552266384.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552266384.png) Firewall rule list for IPv6 traffic. Table: The three distinct tables which store rules regulating operations on the packet. Filter concerns filtering rules. Mangle table is for specialized packet alteration. The raw table is for configuration exceptions. Chain: The list of rules. Filter table has the following built-in chains: Input – concerns packets whose destination is the firewall itself, Forward – concerns packets transiting through the firewall, Output – concerns packets emitted by the firewall, Reject – reject the packet, Accept – allow the packet to go on its way. Mangle table has one built-in chain: Forward for transiting packets through the firewall. Pkts.: The packets processed by the firewall. Traffic: The amount of data processed by the firewall. Target: The chain of the table of the firewall. Prot.: The transport layer protocol processed by the firewall. In: The network interface for the input chain processed by the firewall. Out: The network interface for the output chain processed by the firewall. Source: IPv6 address of the device that the packet comes from. Destination: IPv6 address of the device that the packet goes to. Options: The options for configuring the firewall. ### Routes [![image-1601552456174.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552456174.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552456174.png) The routing tables provide information on how datagrams are sent to their destinations. ARP: An address Resolution Protocol which defines how IP address is converted to a physical hardware address needed to deliver packets to the devices. Interface: The type of Network interface. br-lan refers to the virtual bridged interface: to make multiple network interfaces act as if they were one network interface. Network: The type of network through which the traffic will be sent to the destination subnet. Target: An address of the destination network. The prefix /24 refers the subnet mask 255.255.255.0. IPv4-Gateway: IP address of the gateway to which traffic intended for the destination subnet will be sent. Metric: The number of hops required to reach destinations via the gateway. Table: The type of routing tables: main (default), local (maintained by the kernel). IPv6 Neighbours: The devices on the same network with IPv6 addresses. ### System Log [![image-1601552517322.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552517322.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552517322.png) System log window shows a table containing the events that are logged by the device. It has the following columns: - \# (sequence number); - Time (day of the week, month, day of the month, time and year); - facility; - process (who generated the message); - priority level; - message. Messages can be sorted and filtered to extract a particular set of messages. This might be useful when debugging kernel or protocol level problems. ### Kernel Log [![image-1601552562425.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552562425.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552562425.png) Kernel log shows a list of the events that are logged by the kernel of the device. Log format: time in seconds since the kernel started and message. ### Processes [![image-1601552597976.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552597976.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552597976.png) List of processes running on the system. PID: Process ID. Owner: User to whom the process belongs. Command: Process. CPU usage: It is CPU usage of the individual process. CPU usage above 90 % is an indicator of insufficient processing power. Memory usage: Memory usage of the individual process. Hang Up: To freeze the process. Terminate: To end the process cleanly. Kill: To end the process immediately. ### Realtime graph #### Realtime Load [![image-1601552704789.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552704789.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552704789.png) CPU utilization graph. Load of 0.5 means the CPU has been 50% utilized over the last period. Values over 1.0 mean the system was overloaded. #### Realtime Traffic [![image-1601552745346.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552745346.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552745346.png) Graphs representing the status of the virtual and physical network interfaces of the device. Inbound: The speed at which the incoming packets arrive at the device. Outbound: The speed of the packets which were originated by the device. Phy. Rate: The speed at which bits can be transmitted over the physical layer. #### Realtime Wireless [![image-1601552775159.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552775159.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552775159.png) WiFi status graph. Signal: Signal strength level. Noise: Noise level. Phy. Rate: The speed at which bits can be transmitted on the physical layer. #### Active connections [![image-1601552803957.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552803957.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552803957.png) Graph representation of active connections with the device. UDP: Transport layer – User Datagram Protocol. TCP: Transport layer – Transmission Control Protocol. Network: Type of the network layer – IPv4 or IPv6. Source, Destination: IP address and the port number. Transfer: The amount of the transferred data in kB and packets. #### GSM signal quality [![image-1601552834471.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552834471.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552834471.png) [![image-1601552842151.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552842151.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552842151.png) Graph representation of gsm modem receiving signal quality. RSRP - RSRQ graph is showed, when connected to 4G/LTE network, RSSI - when 2G/3G networks are used. RSSI: Received Signal Strength Indicator in dBm. RSRP: Received Signal Reference Power in dBm. RSRQ: Received Signal Reference Quality in dBm. ### GSM status This page shows all information that is related to GSM modem. [![image-1601552902904.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601552902904.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601552902904.png) #### Hardware info All static information on GSM modem. Modem model: Manufacturer and model of present modem. Modem type: Single SIM or Double SIM modem. Supported network modes: Shows which network modes (or their combinations) are supported (e.g. 2G 4G 2G/4G). IMEI: IMEI (International Mobile Equipment Identity number). #### Network info All dynamic information on GSM modem and connected network. IMSI: IMSI (International Mobile Subscriber Identity) number related to current SIM card user. ICCID: ICCID (Integrated Circuit Card Identifier) number related to physical SIM card. Registration status: Curren status of network connection. Internet status: Status of connection to internet ( valid, when gsm-pinger is enabled and can reach provided hosts). Operator: Operator’s name, to which modem is currently connected. Service provider: IMEI (Service provider for SIM card. Data interface: Shows, whether wcc-lite have a data connection through gsm or not (possible values: ”Up”, ”Down”). SIM state: Shows current status of SIM card (needs PIN, needs PUK, not-inserted and etc.). Signal quality: Shows current signal strength value in dBms. RSSI value is shown, when connected to 2G/3G networks, RSRP-RSRQ values - when connected to 4G network. Radio access tech.: Current radio technology used (2G, 3G or 4G). Active SIM: Shows which SIM card is active (if the modem is Dual SIM). Roaming status: Current status of roaming (”Off”, ”On”). Little bars with percentage at the center left shows signal strength. It is calculated with the respect to current radio access technology used (RSSI or RSRP). Two buttons at the bottom can reset (cold-reset) modem or manually switch SIM cards (if it is Dual SIM modem and both cards are enabled). [![image-1601554364523.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601554364523.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601554364523.png)

Signal quality is described in different ways for different type for different mobile services: Received Signal Strength Indication (RSSI) in GSM (2G) and UMTS (3G), the Reference Signal Received Quality (RSRQ) in LTE RAT.

The Reference Signal Received Power (RSRP) is a LTE specific measure that averages the power received on the subcarriers carrying the reference signal. The RSRP measurement bandwidth is equivalent to a single LTE subcarrier: its value is therefore much lower than the total received power usually referred to as RSSI. In LTE the RSSI depends on the currently allocated bandwidth, which is not pre-determined. Therefore the RSSI is not useful to describe the signal level in the cell.

### VNSTAT Traffic monitor To monitor the traffic of various network interfaces VNSTAT Traffic monitor can be used. Traffic tracking can be useful if user wants to have a precise information on how much data is used because it can have a dependance with data transmission costs, for example, mobile (cellular) data. #### Graph [![image-1601554562243.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601554562243.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601554562243.png) An example graph shows the statistics gathered for two network interfaces. In these graphs: eth1: Network interface (e.g. Ethernet). br-lan: Virtual network interface (bridge). rx: Data packets received by the device. tx: Data packets sent from the device. #### Configuration [![image-1601554612964.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601554612964.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601554612964.png) Interfaces to be monitored can be selected in a configuration screen. It includes all the network interfaces configured in a system. To start or stop monitoring user should either select or unselect respective checkbox and save settings by pressing Save & Apply.# 8.5 System ### System System tab includes various properties, configuration, and settings of the system and contains the following pages: [![image-1601558710866.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601558710866.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601558710866.png) • SYSTEM: properties and settings of the system. • ADMINISTRATION: settings of the administration for various services. • SOFTWARE: settings of the packages. • STARTUP: process management. • SCHEDULED TASKS: settings of the scheduled tasks. • MOUNT POINTS: settings for the mount points. • BOARD: board configuration. • CERTIFICATE STORAGE: certificate management panel. • LED CONFIGURATION: settings for the LEDs. • BACKUP/FLASH FIRMWARE: management of the configuration files and firmware image upgrade. • REBOOT: device reboot page. #### System Basic aspects of the device can be configured. These include time settings, hostname, system event logging settings, language and theme selection. **System properties** [![image-1601558783282.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601558783282.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601558783282.png) General settings of the WCC Lite device are defined as follows: Local Time: Current local time. Hostname: The label that is used to identify the device in the network. Timezone: A region of the globe that observes a uniform standard time. The time zone number indicates the number of hours by which the time is shifted ahead of or behind UTC – Coordinated Universal Time. Some zones are, however, shifted by 30 or 45 minutes. [![image-1601558841889.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601558841889.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601558841889.png) Logging settings of the WCC Lite device are defined as follows: System log buffer size: The amount of the records before writing these data to the disk. External system log server: IP address of the server. External system log server port: An endpoint of communication with the server. External system log server protocol: A standard that defines how to establish and maintain a network connection: UDP - User Datagram Protocol, TCP - Transmission Control Protocol. Write system log to file: The name of the file with the path to it. Log output level: Log output messages can be grouped by their importance to the user. Levels are described in a table below.
**Log output level****Description**
EmergencySystem is unusable
AlertAction must be taken immediately
CriticalCritical conditions
ErrorError conditions
WarningPotentially hazardous conditions
NoticeNormal conditions that might need action
InfoInformation messages
DebugDebugging messages
Cron Log Level: Cron has three output levels to choose from to write to its logs. Possible options are described in a table below.
**Cron log level****Description**
DebugDebugging messages
NormalGeneral administrative messages
WarningPotentially hazardous conditions
[![image-1601559832754.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601559832754.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601559832754.png) Language and Style settings are defined as follows: Language: The language of the Web interface of the device. Design: The theme of the Web interface of the device. #### Time synchronization WCC Lite has an NTP client to synchronize date and time with external sources. It is not the only source for synchronization, it can also be done using methods defined in IEC-60870-5 protocols. [![image-1601559881965.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601559881965.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601559881965.png)

Please take care choosing a time sync method. If both NTP and IEC 60870-5 protocol slave interface time sync methods are activated simultaneously, they can interfere if there is a time difference. We strongly recommend to use single time sync method to prevent time interference.

Time synchronization options are defined as: Enable NTP client: The local time of the device will sync with external time servers. Provide NTP server: Turn the device into a local NTP server. NTP server candidates: The network time protocol servers. ### Administration [![image-1601559945166.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601559945166.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601559945166.png) Administrator password can be changed. To change it the combination of digits and letters of the alphabet should be entered and then confirmed in Confirmation field by typing in again.

It is advised not to use the default password.

#### Dropbear instance WCC Lite has a compact secure shell (SSH) server named Dropbear. Multiple options are, however, available to be changed via WCC Lite web interface, ranging from automatic firewall rules to authentification flexibility. [![image-1601560003967.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560003967.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560003967.png) Dropbear options are defined as follows: Interface: Listen only on the given interface or on all, in unspecified. Port: Specifies the listening port of this interface. Password authentication: Allow SSH password authentication. Allow roots logins with password: Allow the root user to login with the password. Gateway ports: Allow remote hosts to connect to local SSH forwarded ports. #### SSH-keys [![image-1601560050675.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560050675.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560050675.png) SSH keys can be added via WCC Lite web interface. They might be helpful if the user logs into device frequently and does not want to always have to write his credentials. #### HTTPS certificate [![image-1601560081935.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560081935.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560081935.png) WCC Lite by default is shipped with a default certificate for HTTPS connection. This certificate only enables connecting to device via web interface and might cause warnings from a web browser. To eliminate them, user can use his own certificate to secure access to web interface. User can use certificates uploaded to a certificate storage. It should be noted that only valid certificates with \*.pem extension can be used. Certificate to be used is validated every time device is restarted. If validation fails, default certificate is used. This is done to prevent user from losing device access via web interface. For new certificate to come to effect user should restart the device. ### Software Individual packages can be installed via WCC Lite web interface. They can either be installed using web link or selected from the pre-defined feeds. [![image-1601560319986.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560319986.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560319986.png) Various options can be selected when installing packages, however, default ones should work well enough and it’s advised to only change them for advanced users. [![image-1601560339950.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560339950.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560339950.png) Feeds from which packages are listed for update are defined in Open PacKaGe management (OPKG) configuration that can be changed easily from user interface. [![image-1601560359726.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560359726.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560359726.png) Specific distribution feeds can also be added for special cases if standard ones do not fit the needs. [![image-1601560377187.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560377187.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560377187.png) ### Startup All of the processes that have init.d scripts can optionally enabled or disabled. This can be very useful if user only intends to use only part of the processes. [![image-1601560412520.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560412520.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560412520.png)

User should not disable processes that are essential for device operation as it can render the device unusable.

[![image-1601560436943.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560436943.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560436943.png) User can optionally run scripts and programs on device startup by putting them into a /etc/rc.local file. This file can be updated from WCC Web interface. ### Scheduled tasks [![image-1601560465567.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560465567.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560465567.png) Various tasks can be scheduled with the system crontab. New tasks can be included by creating and saving new rules conforming to cron rules. WCC Lite accepts full cron configuration functionality. Example in the pictures shows how to execute the disk usage command to get the directory sizes every 6 p.m. on the 1st through the 15th of each month. E-mail is sent to the specified email address. ### Mount points #### Global settings [![image-1601560521128.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560521128.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560521128.png) File system mount point configuration window. Generate Config: Find all currently attached filesystems and swap and replace configuration with defaults based on what was detected. Anonymous Swap: Mount swap not specifically configured. Anonymous Mount: Mount filesystems not specifically configured. Automount Swap: Automatically mount swap on hotplug. Automount Filesystem: Automatically mount filesystems on hotplug. Check filesystems before mount: Automatically check filesystem for errors before mounting. #### Mounted file systems [![image-1601560579298.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560579298.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560579298.png) List of mounted file systems, some of which can be dismounted manually. #### Mount points [![image-1601560604355.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560604355.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560604355.png) List of mount points which can be enabled, disabled or deleted. #### Swap Swap section is used to describe the virtual memory that can be used if there’s a lack of main memory. WCC Lite does not use any virtual memory by default. [![image-1601560651205.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601560651205.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601560651205.png)

It should be noted that virtual memory might do a lot of reading and writing operations. As WCC Lite uses SD card as an additional flash memory, it is highly advised to not use swap to reduce wearing.

### LED configuration WCC Lite has three LEDs that can be configured: WAN, LAN and WLAN. All of the LEDs have a default configuration which should fit most of the cases. [![image-1601561055496.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601561055496.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601561055496.png) All possible LED configuration options: Name: Name of the LED configuration. LED Name: Colour and location of the LED. These can be changed, however, normally they should be left unchanged. Default state of the LED: On/Off. Trigger: One of the various triggers can be assigned to an LED to changes its states. Possible values are shown in a table below. Table. Possible trigger for an LED:
Trigger type Description
none No blinking function assigned to LED
defaulton LED always stays on
timer Blinking according to predefined timer pattern
heartbeat Simulating actual heart beats
nand-disk Flashed as data is written to flash memory
netdev Flashes according to link status and send/receive activity
phy0rx, phy0tx, phy0radio, phy0tpt, phy0assoc Flashed on WiFi activity events
usbdev Turned on when USB device is connected. Applicable for modems
Device: Network interface which is going to be tracked. ### Backup/flash firmware Software update allows to upgrade the software running in WCC Lite. It is recommended to keep the device up to date to receive the latest features and stability fixes. Backup archives contain complete WCC Lite configuration that can be restored at any time. A file will be downloaded by your browser when creating a backup. This file can be later uploaded to the web page to restore configuration.

Generated backup archive should only be applied to the same firmware version it was generated. Applying backup to a different firmware version might render some parts of operating system unstable or even unusable

[![image-1601561414978.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601561414978.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601561414978.png) A user can choose to keep existing settings after an upgrade. Marking Keep Settings checkbox preserves files listed in /etc/sysupgrade.conf and /lib/upgrade/keep.d/. It is advised to do a clean install and use backup files to restore settings later if a user intends to make a major system upgrade.

Uploading firmware image, to preserve RAM memory, will stop all Protocol HUB processes. After upload, you will have 2 minutes to proceed with firmware flash or to cancel it. After 2 minutes, firmware file will be deleted and Protocol HUB processes will be restarted.

[![image-1601561479820.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601561479820.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601561479820.png) A file name /etc/sysupgrade.conf can be updated via WCC Web interface. To preserve additional file user should add them to backup file and press Submit. To get the whole list files that would be backed up press Open list.... It is advised to check it before doing a back-up or an upgrade while keeping settings. ### Reboot [![image-1601561516242.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601561516242.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601561516242.png) This reboots the operating system of the device.# 8.6 Services ### Introduction Services tab shows the services of the device and contains the following subsections: [![image-1601563935032.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601563935032.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601563935032.png) Services tab shows the services of the device and contains the following subsections: - TELEMETRY AGENT: device telemetry sending to a remote server; - IPSEC: encrypted virtual private network (VPN) configuration. - OPENVPN: shows the open-source software application that implements virtual private network (VPN). - SER2NET: network-to-serial proxy; ### Telemetry agent Having data about the device helps to easily maintain it. Telemetry agent gathers information in a compact and easily decodable way. It uses UDP packets therefore only small overhead is introduced. However, UDP does not guarantee the arrival of sent packets therefore not every message might reach the server saving these messages. To start using Telemetry agent a user should configure and enable it. Four options are available: - Enable agent; - Server address; - Port (UDP); - Period (s). Every time timer of period length expires, a message is sent to a server of configured server if service is enabled .

Telemetry agent doesn’t start as a service if Enable agent checkbox is unchecked.

Enabling agent and saving the configuration automatically starts the process with the new configuration.

### IPsec #### Background WCC Lite supports ipsec vpn, thus is able to deliver data securely over encrypted link. To establish ipsec vpn, a connection definition must be created by entering appropriate configuration settings. For advanced connection description auxiliary settings sets can be defined. They can be joined to the connection and can be reusable several times according to the need. Each configuration record is identified by a unique name, which is assigned in time of creation. The following diagram shows relations between connection and auxiliary sets. [![image-1601564177757.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601564177757.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601564177757.png) #### Ipsec settings ##### Connection description Options supported by wcclite is described below.
ItemTypeDescription
GatewaystringHost name or IP address of the remote peer.
TypeselectorTunnel mode: full packet encryption, covers host-to-host, host-to-subnet, subnet-to-subnet situations or transport mode: ip payload encryption, secures host-to-host data only.
Local subnetstringSpecifies local network, in form network/netmask, for example 192.168.11.0/24
Remote subnetstringSpecifies remote network at another side of a tunnel.
AuthenticationselectorPre-shared key or RSA certificate
Pre-shared keystringAvailable if Authentication set to Pre-shared key
Certificate set selectorAvailable if Authentication set to RSA certificate. Selectable from configured auxiliary set.
Phase 1 proposal (IKE) selectorAuthentication-encryption schema, selectable from configured auxiliary set.
Phase 2 proposal (ESP) selectorAuthentication-encryption schema, selectable from configured auxiliary set.
Local ID stringSpecifies the identity of the local endpoint
Remote ID stringSpecifies the identity of the remote endpoint
Key exchange selector Sets method of key exchange IKEv2 or IKEv1. Default IKEv2.
Exchange mode selector Main or aggressive. Available if key exchange is set to IKEv1.
Use compression checkboxIf selected a compression ability will be proposed to the peer.
DPD action selector Controls the use of dead peer detection protocol, values: - none – default, disables sending of DPD messages. - clear – the connection closed with no action. - hold – keeps description, tries re-negotiate connection on demand. - restart – will try to re-negotiate immediately.
DPD delay stringTime interval in seconds between peer check. Default 30.
DPD timeout stringTime in seconds after which peer consider to be unusable. IKEv1 only. Default 150.
Key lifetime stringLifetime of data channel in seconds . Default 10800.
IKE lifetime stringLifetime of keying channel in seconds. Default 3600.
##### Auxiliary settings Phase 1 proposals - IKE/ISAKMP cipher suite components:
ItemTypeDescriptionNote
Encryption algorithm selector Encryption algorithm – 3DES, AES128, AES192, AES256. required
Hash algorithm selector Hash algorithm – MD5, SHA1, SHA256, SHA384 or SHA512. required
DH exponentiation selector Specifies Diffie-Hellman groups – 1,2,5,14,15,16,18 required
Phase 2 proposals - ESP cipher suite components:
ItemTypeDescriptionNote
Encryption algorithm selector Encryption algorithm – 3DES, AES128, AES192, AES256. required
Hash algorithm selector Hash algorithm – MD5, SHA1, SHA256, SHA384 or SHA512. required
DH exponentiation selector Specifies Diffie-Hellman groups – 1,2,5,14,15,16,18 optional

The following specification and topology map corresponds to settings used in further configuration walk-through example.

#### Creating a connection description ##### Site-to-Site VPN scenario [![image-1601565165686.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601565165686.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601565165686.png) ##### VPN connection details Tunnel: demoo ```demoo IPSec peer: ipsec.vpn.net Pre-shared key: thebigsecret Mode: tunnel Remote network: 10.10.10.10/24 Local network: 10.10.12.0/24 Local ID: wcclite IKE authentication: aes256 IKE hash: sha256 IKE DH group: 5 (modp1536) ESP authentication: aes128 ESP hash: sha1 ```

If auxiliary data is needed, it is recommended to check or define it first.

##### Creation of Phase 1 proposal - Enter section “Phase 1 proposals”. - Create a new record by assigning new name, for example “aes256-sha256-dh5” and click the button “Add”. - Choose corresponding values: encryption, hash algorithm and DH exponentiation. - Push “save” to save the data. [![image-1601568023894.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601568023894.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601568023894.png) ##### Creation of Phase 2 proposal - Enter section “Phase 2 proposals”. - Create a new record by assign new name for example “aes128-sha1” and click the button “Add”. - Choose corresponding values: encryption, hash algorithm. - Push “save” to save the data. [![image-1601568071003.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601568071003.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601568071003.png) ##### Creation of tunnel definition Enter section connections - Create a new record by assigning new name (e.g.“demo0”) and clicking “Add”. - Call a detail form by pushing the button “edit”. - Enter peer address into “Gateway”: “ipsec.vpn.net”. - Ensure “Type” is set to: “Tunnel”. - Fill local subnet to: 10.10.12.0/24. - Fill remote subnet to: 10.10.10.0/24. - Make sure authentication is set to: “Shared secret”. - Enter Pre-shared key (PSK): thebigsecret. - “Phase 1 proposal (IKE)”, choose a value: aes256\_sha256\_dh5. - “Phase 2 proposal (ESP)”, choose a value: aes128\_sha1. - Locate combo box “additional field”, select “Local ID”, then set value to: wcclite. - Push “Save”. [![image-1601568148856.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601568148856.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601568148856.png) ##### Activating the tunnel - Return to the section “connections”. - Check the checkbox “Enabled”. - Push the button “save & apply”. - Examine indicator “configured”, it should be “yes”, if not, review settings just entered. - The tunnel should be prepared for operation and will be established on demand. - Optionally, it is possible to establish tunnel operation by pressing button “start”. [![image-1601568201450.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601568201450.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601568201450.png) ### L2TP/IPsec Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETFRFC 3193. The process of setting up an L2TP/IPsec VPN is as follows: - Negotiation of IPsec security association (SA), typically through Internet key exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (so-called ”pre-shared keys”), public keys, or X.509 certificates on both ends, although other keying methods exist. - Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for ESP is 50 (compare TCP’s 6 and UDP’s 17). At this point, a secure channel has been established, but no tunneling is taking place. - Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA’s secure channel, within the IPsec encryption. L2TP uses UDP port 1701. When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be gathered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints. A potential point of confusion in L2TP/IPsec is the use of the terms tunnel and secure channel. The term tunnel refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/PPP, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed. In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel. ### OpenVPN #### OpenVPN Instances The primary goal is to get a working WCC Lite tunnel and establish a basic platform for further customisation. Most users will require further configuration tailored to their individual needs. If you are creating an OpenVPN server (either type), you must create security certificates using the instructions below. If you are using OpenVPN as a client, the required certificates should have been provided with your configuration details. OpenVPN can be configured either by using WCC Lite Web interface or uploading the OVPN file containing necessary parameters. OpenVPN will automatically attempt to load all \*.conf files placed in the /etc/openvpn folder. Several OpenVPN recipes are suggested containing most used configurations that may only require minor changes. If a user intends setting up OpenVPN without OVPN file, it is highly advised to use these recipes and tweaking them up to individual needs. [![image-1601568407933.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601568407933.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601568407933.png) OpenVPN instances page contains parameters to be configured. Enabled: Flag to specify if a particular configuration should be enabled; Started: Specifies if a particular configuration has been started by OpenVPN; Start/Stop: Button to manually start or stop any configured tunnels; Port: Specifies the listening port of this service; Protocol: A standard that defines how to establish and maintain a network connection: UDP - User Datagram Protocol, TCP - Transmission Control Protocol. More parameters for every instance can be changed by pressing Edit button, configuration can be removed with Delete button. Pressing Edit takes the user to main configuration screen containing the options usually used in particular OpenVPN recipes. To do more specific changes user should further select Switch to advanced configuration. OVPN files contain configuration in a textual form therefore changing parameters requires having prior knowledge about different OpenVPN parameters. It is advised to used OVPN files, however, if configuration has been pre-built beforehand and is used without further changes. ### ser2net The ser2net daemon allows telnet and tcp sessions to be established with a device’s serial ports. The program comes up normally as a daemon, opens the TCP ports specified in the configuration file, and waits for connections. Once a connection occurs, the program attempts to set up the connection and open the serial port. If another user is already using the connection or serial port, the connection is refused with an error message. ### API The firmware of the WCC Lite features a built-in API which is accessible via the web interface.

As of version 1.2.11, it does not implement any access restriction features apart from those provided by the firewall functionality.

Individual API endpoints can be enabled or disabled via the web configuration interface at Services->API.

All endpoints are disabled by default.

Available API endpoints are shown in the table below. Table. Available API endpoints:
EndpointDescription
/api/version Version of the API
/api/actions List of available points
/api/syncVersionVersion of the sync service
/api/sync Protocol hub configuration sync (name=”file”)\*
/api/syslog Prints out the syslog
/api/systemInfo General system info
/api/gsmInfo GSM modem information
/api/devices List of configured devices
/api/device/info Device information (name=”device\_alias”)\*\*
/api/device/tags List of tags on particular device (name=”device\_alias”)\*\*
/api/device/tag/value Tag value (name=”device\_alias”, name=”signal\_alias”)\*\*
/api/tags List of configured tags
/api/sysupgrade Firmware upgrade (name=”file”)\*
\* Endpoints accepting files \*\* Endpoints accepting field data The API accepts data and files as POST requests encoded as ”multipart/form-data”. ### SNMP SNMP (Simple Network Management Protocol) is an internet-standard protocol for managing devices on IP networks. SNMP exposes management data in the form of a hierarchy of variables in a MIB (Management Information Base). WCC Lite supports SNMP service which is not added to default build of firmware but can be installed as a module. It enables user to collect data on various parameters of system: • CPU time - time spent for calculations of various processes: user - time for user processes; system - time for system processes; idle - time spent idling; interrupts - time spent handling interrupts. • CPU load average - CPU load average for 1, 5 and 15 minutes respectively; • Disk usage: total - total amount of storage in the device (in kB) available - amount of storage available to store data (in kB) used - amount of storage used in the device (in KB) blocks used percentage - blocks (sectors) used to store data in a disk (in kB) inodes used percentage - the inode (index node) is a data structure in a Unix-style file system that describes a file-system object such as a file or a directory. Each inode stores the attributes and disk block location(s) of the object’s data. • Memory usage - RAM usage statistics: total - total amount of RAM in the device (in kB); available - unused amount of RAM in the device (in kB); shared - shared amount of RAM between multiple processes (in kB); buffered - refers to an electronic buffer placed between the memory and the memory controller; cached - a portion of memory made of high-speed static RAM (SRAM) instead of the slower dynamic RAM (DRAM) used for main memory; • Network interfaces: MTU - maximum transmission unit to be sent over network; speed - rate of network transmission; physical address - unique MAC address assigned to a device; tx/rx: byte, packet, drop, error count; • System properties: uptime - time since the device was turned on; process uptime - time since the process has been started; hostname - a label that is assigned to a device connected to a computer network; name - name of the device (if defined); location - location of the device (if defined).# 8.7 Network [![image-1601981573216.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601981573216.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601981573216.png) The page shows information about current interface status, its configurations, provides various interface, network properties configuration capabilities and contains the following subsections: • INTERFACES: shows information about current interface status, allows to create new and configure them. • WIRELESS: shows information about wireless radio stations, covers physical settings of the wireless hardware. • DHCP AND DNS: allows management of DHCP and DNS servers. • HOSTNAMES: allows management of host names. • STATIC ROUTES: allows management of IPv4 and IPv6 static routes. • FIREWALL: allows management of firewall zones and various firewall properties. • DIAGNOSTICS: provides network diagnostics utilities. • GSM: allows management of gsm modem and SIM cards. ### Interfaces [![image-1601981624366.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601981624366.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601981624366.png) Current information and status of various network interfaces (GSM, LAN, WAN). Uptime: Current interface uptime in hours, minutes and seconds. MAC address: Physical interface address. RX: Received data in bytes (packet count). TX: Transmitted data in bytes (packet count). IPv4: Internet protocol version 4 address. IPv6: Internet protocol version 6 address. In addition to the network interface status, several actions may be performed: Connect/Reconnect: Connect to configured interface network if it does not do it automatically. If it already connected to the network it will be trying to reconnect to it. Stop: Shutdown interface. If you are connected through this interface the connection may be lost. Edit: Edit interface settings. Delete: Delete interface. Add new interface: Adding new Ethernet, GSM or wireless interface with the custom name, protocol and etc.
ethoeth1
TypeStaticDHCP
Address192.168.1.1
Subnet mask255.255.255.0
Gateway

Changes will only take effect after device reboots.

Network interfaces can be configured on the common page, which can be accessed through add new interface or edit button. [![image-1601981894639.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601981894639.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601981894639.png) The following options can be defined in the interface creation panel: name of the interface, protocol, coverage of a particular interface or bridging with other interfaces. After the general setup is done, more detailed settings can be set. [![image-1601981923788.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601981923788.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601981923788.png) General common interface setup panel. [![image-1601981938817.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601981938817.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601981938817.png) Advanced common interface setup panel. [![image-1601981952607.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601981952607.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601981952607.png) Physical common interface setup panel. [![image-1601981969125.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601981969125.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601981969125.png) Firewall common interface setup panel. [![image-1601981983334.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601981983334.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601981983334.png) DHCP server general setup panel. [![image-1601981997552.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601981997552.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601981997552.png) DHCP server advanced setup panel. [![image-1601982015776.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982015776.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982015776.png) DHCP server IPv6 settings setup panel. **GSM** [![image-1601982038949.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982038949.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982038949.png) General Settings Information tab. Gives you name of physical GSM interface, lets you choose protocol (not recomended!).

Note: Make sure you won’t change GSM interafce’s protocol, which is set by default to WWAN. Changing this parameter will lead to undefined GSM modem behaviour.

[![image-1601982122856.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982122856.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982122856.png) Advanced Settings tab enables user to configure advanced settings for mobile communication. It includes the following options: Bring up on boot: Checkbox to start a GSM interface on startup; Use builtin IPv6-management: Checkbox to select if the device is going to use its own tools to manage IPv6 transport layer messages; Force link: Specifies whether IP address, route, and gateway are assigned to the interface regardless of the link being active or only after the link has become active; when active, carrier sense events do not invoke hotplug handlers; IPv6 support: User can select if IPv6 support is handled automatically, manually or disabled altogether; Modem init timeout: Maximum amount of seconds before the device gives up on finishing initialization; Use default gateway: Uses the default gateway obtained through DHCP. If left unchecked, no default route is configured; Prefer PPP connection: If ,the modem, supports PPP and any other communication protocol (e.g. QMI, RNDIS and etc.), prioritise PPP type connection; Use gateway metric: The WAN configuration by default generates a routing table entry. In this field you can alter the metric of that entry. Higher metric means higher priority; Use DNS servers advertised by peer: Uses DNS servers obtained from DHCP. If left unchecked, the advertised DNS server addresses are ignored; LCP echo failure threshold: LCP (link control protocol) is a part of PPP (Point-to-Point Protocol) and helps to determine the quality of data transmission. If enough failures happen, LCP presumes link to be dead. 0 disables failure count checking; LCP echo interval: Determines the period of LCP echo requests. Only effective if LCP echo failure threshold is more than zero; Inactivity timeout: Station inactivity limit in seconds: if a station does not send anything, the connection will be dropped. A value of 0 can be used to persist connection. Override MTU: Set custom MTU to gsm interface.

Note: If modem uses QMI connection protocol and user haven’t defined custom MTU setting, the MTU on interface will be set to operator’s defined MTU value.

[![image-1601982419586.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982419586.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982419586.png) GSM configuration ends with firewall settings. A user can assign an already defined firewall zone or create a new one. ### Wireless The wireless network interface parameters and configuration are described in this section. [![image-1601982558981.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982558981.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982558981.png) Configured interfaces for the physical radio device. Channel: Specifies the wireless channel to use. Bitrate: Specifies transfer rate in Mbit/s. SSID: The broadcasted service set identifier of the wireless network. Mode: Selects the operation mode of the wireless network interface controller. BSSID: The basic service set identification of the network, only applicable in adhoc or STA mode. Encryption: Wireless encryption method. [![image-1601982595431.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982595431.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982595431.png) List of associated wireless stations. The Device Configuration section covers physical settings of the radio hardware such as channel, transmit power or antenna selection which are shared among all defined wireless networks (if the radio hardware is multi-SSID capable). Per network settings like encryption or operation mode are grouped in the Interface Configuration. [![image-1601982626129.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982626129.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982626129.png) General device settings. [![image-1601982639908.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982639908.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982639908.png) Advanced device settings. [![image-1601982652167.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982652167.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982652167.png) General interface settings. [![image-1601982673135.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982673135.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982673135.png) Wireless security interface settings. [![image-1601982684996.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982684996.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982684996.png) Advanced interface settings. ### DHCP and DNS DHCP server and DNS forward for NAT firewalls is described in this section. [![image-1601982718976.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982718976.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982718976.png) General DHCP settings. [![image-1601982733226.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982733226.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982733226.png) Resolve and hosts files settings. [![image-1601982746196.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982746196.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982746196.png) TFTP server settings. [![image-1601982757748.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982757748.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982757748.png) Advanced settings. [![image-1601982769138.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601982769138.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601982769138.png) List of active DHCP and static leases. It is also possible to assign fixed IP addresses to hosts on the network, based on their MAC (hardware) address. ### Hostnames [![image-1601983068649.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983068649.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983068649.png) List of existing host names. Addition or deletion is allowed for the user. ### Static routes Routes specify over which interface and gateway a certain host or network can be reached. [![image-1601983099686.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983099686.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983099686.png) Current IPv4 and IPv6 static routes configuration. Interface: Lets to chose for which interface static route is created. Target: Defines target host IP or network. IPv4 Netmask: Defines netmask if the target is a network. IPv4/IPv6 Gateway: Defines IPv4 or IPv6 gateway. Metric: Specifies the route metric to use for the route. MTU: Maximum Transmit/Receive Unit, in bytes. Route type: All incoming packets can be: accepted, rejected, dropped. ### Firewall This subsection is divided into four categories: general settings, port forwards, traffic rules and custom rules. #### General settings [![image-1601983169200.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983169200.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983169200.png) General Settings for firewall can be changed in General Settings screen. These settings are defined as follows: Input: All incoming packets can be: accepted, rejected, dropped. Output: All outgoing packets can be: accepted, rejected, dropped. Forward: All packets being sent to another device can be: accepted, rejected, dropped. [![image-1601983200596.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983200596.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983200596.png) Additional zones for firewall can be created, edited or deleted. Zone => Forwardings: Defines zones and their traffic flow. Input: All incoming packets can be: accepted, rejected, dropped. Output: All outgoing packets can be: accepted, rejected, dropped. Forward: All packets being sent to another device can be: accepted, rejected, dropped. Masquerading: Allows one or more devices in a zones network without assigned IP addresses to communicate with the Internet. MSS clamping: Change the maximum segment size (MSS) of all TCP connections passing through this zone with MTU lower than the Ethernet default of 1500.

Additional actions can be performed with zones: add, edit, delete.

[![image-1601983251142.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983251142.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983251142.png) Common properties of newly created or edited zones chan be edited in this panel. The input and output options set the default policies for traffic entering and leaving this zone while the forward option describes the policy for forwarded traffic between different networks within the zone. Covered networks specify which available networks are members of this zone. [![image-1601983277384.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983277384.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983277384.png) Advanced settings of new created or edited zone. Restrict to address family option defines to what IP families the zone belongs to IPv4, IPv6 or both. Restrict masquerading to given source/destination subnets defines one or more subnets for which the masquerading option is applied to. Connection tracking and logging options enable additional information gathering on the zone. [![image-1601983300488.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983300488.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983300488.png) Controls of the forwarding policies between new/edited zone and other zones. Destination zones cover forwarded traffic originating from the new/edited zone. Source zones match forwarded traffic from other zones targeted at the new/edited zone. The forwarding rule is unidirectional, e.g. a forward from LAN to WAN does not imply a permission to forward from WAN to LAN as well. #### Port forwards [![image-1601983338573.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983338573.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983338573.png) Port forwarding allows remote computers on the Internet to connect to a specific computer or service within the private LAN. It is done in a way of routing network packets within a private network created by the device. Settings for the port forwarding of the device are defined as follows: Name: The name of the port forwarding rule. Match: Informs what port forward is matched to. Forward to: Informs where the port is forwarded to. Enable: Enable (checked) or disable port forward. Sort: Allows to sort port forwarding. The user can add, edit or delete port forwarding rules. #### Traffic rules [![image-1601983387128.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983387128.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983387128.png) Traffic rules which define policies for packets traveling between different zones. Name: The name of the traffic rule. Match: Informs what ICMP types are matched. Action: Informs what action would be performed. Enable: Enable (checked) or disable the rule. Sort: Allows to sort rules. The user can add, edit or delete traffic rules. For every rule can be defined these options: name,restrict to address family, protocol, match ICMP type, source and destination zones, source MAC, IP addresses and port, destination IP address and port, action and extra arguments, month and weekdays for which rule will apply, start/stop dates and times, time in UTC. [![image-1601983450903.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983450903.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983450903.png) Source NAT, which is a specific form of masquerading which allows fine grained control over the source IP used for outgoing traffic, for the example to map multiple WAN addresses to internal subnets. The user can add, edit or delete source NAT rules. For every rule can be defined these options: name, protocol, source and destination zones, source, destination, SNAT IP addresses, ports, extra arguments, month and weekdays for which rule will apply, start/stop dates and times, time in UTC. #### Custom rules [![image-1601983486025.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983486025.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983486025.png) Custom rules allow to executing arbitrary iptables commands which are not otherwise covered by the firewall framework. The commands are executed after each firewall restart, right after the default ruleset has been loaded. ### Diagnostics [![image-1601983517039.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983517039.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983517039.png) Diagnostics tools which can be used to diagnose some of the networking problems: ping, traceroute and nslookup. ### GSM [![image-1601983543956.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601983543956.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601983543956.png) #### SIM cards parameters Parameters for SIM card. If single SIM modem is used, there won’t be ”SIM 1” and ”SIM 2” tabs. Enable: Enable or disable this SIM card. PIN code: PIN code to use on that SIM card. APN: APN to use on that SIM car. PAP/CHAP username: Username (optional). PAP/CHAP password: Password (optional). #### Modem parameters Enable data connection: Enable or disable data connection through gsm modem. Priority SIM: Primary SIM card (if Dual SIM modem is used). Mainly used for pinger configuration. Service Type: Which radio access technology will be used when connecting to the gsm network. #### Pinger configuration Pinger is a service which pings defined hosts to check internet connection. If both of these hosts are unreachable pinger will wait and restart modem (or switch SIM card, if Dual-SIM modem is installed in WCC Lite) Disable: Disable pinger functionality. Failed ping count: Limit of failed ping requests, before pinger decides that internet connection is lost. Reset modem: If checked, pinger resets gsm modem after ”Failed ping count”. Switch SIM: If checked, pinger switches SIM to non-priority after ”Priority SIM retry count”. If internet connection is not available with non-priority SIM as well, pinger switches back to priority SIM after one failed ping attempt. Priority SIM retry count: How many blocks of failed pings will the pinger tolerate, before switching to non-priority SIM. Ping interval (minutes): Interval between ping requests. Primary host: The host that will be pinged first. Secondary host: The host that will be pinged second, if the primary host fails. Network interface: GSM network interface name.

GSM Pinger is used to detect the status of network connection via cellular network. This status is written to file (/var/run/board/internet-status) and can be configured to be sent to SCADAs. If pinger is disabled, status is always set equal to zero and should not be trusted to represent internet status. Additionally, this status is reflected in the ”Status”->”GSM Status” window.

This is Pinger functionality described step by step: • Pinger will ping the primary host every 2 minutes. • If the primary host fails, pinger redirects to the secondary host immediately. • If either primary or secondary host is responding to ping requests, pinger will continue testing connection every ”Ping interval (minutes)” parameter and no further action is taken. • If both primary and secondary hosts are unreachable, pinger will start pinging these hosts every ”Ping interval (minutes) / 2” minute for ”Failed ping count” times. • If hosts are still unreachable, pinger will try to switch SIM and restart modem (if corresponding parameters are set) or will restart immediately if single SIM modem is used. • SIM card is switched to non-priority SIM after ”Priority SIM retry count” failed modem restarts with priority SIM. If a non-priority SIM fails, it is switched to priority SIM in the next pinger action. #### Dual SIM start procedure Table below shows, which card is expected on boot, when selectiom is made between Enable/Disable SIM cards and Primary card.
SIM 1 EnabledSIM 2 EnabledPriority SIMSIM on boot
X 11
X 21
X12
X22
XX11
XX22
1Undefined
2Undefined
### Layer 2 Tunneling Protocol In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy. #### Description The entire L2TP packet, including payload and L2TP header, is sent within a User Datagram Protocol (UDP) datagram. It is common to carry PPP sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec (discussed below). The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LNS waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this, an L2TP session (or ’call’) is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. MTU should be considered when implementing L2TP. The packets exchanged within an L2TP tunnel are categorized as either control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel. L2TP allows the creation of a virtual private dialup network (VPDN) to connect a remote client to its corporate network by using a shared infrastructure, which could be the Internet or a service provider’s network. #### Setting up L2TP interface In order to create a L2TP tunnel following steps are required: 1\. Go to **Network > Interfaces > Add new interface:** [![image-1601984022597.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601984022597.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601984022597.png) 2\. Enter interface name and selet L2TP protocol: [![image-1601984035063.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601984035063.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601984035063.png) 3\. Enter server name and authorization parameters: [![image-1601984049181.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601984049181.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601984049181.png) 4\. Save and apply the new configuration. A new network interface will appear.# 8.8 Logout [![image-1601984096052.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601984096052.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601984096052.png) To log out of the device graphical user interface a logout button in interface’s upper right corner should be pressed. A user is automatically disconnected after ten minutes of inactivity. This ensures that the device would not be suspect to any deliberate damage made by unauthorized access.# 9 API The firmware of the WCC Lite features a built­in API which is accessible via the web interface. As of version 1.2.11, it does not implement any access restriction features apart from those provided by the firewall functionality. Individual API endpoints can be enabled or disabled via the web configuration interface at Services­>API. All endpoints are disabled by default. Available API endpoints are shown in the table below.
PathDescription
/api/versionVersion of the API
/api/actions List of available points
/api/syncVersionVersion of the sync service
/api/sync Protocolhub configuration sync (name=”file”)\*
/api/syslog Prints out the syslog
/api/systemInfoGeneral system info
/api/gsmInfo GSM modem information
/api/devices List of configured devices
/api/device/info Device information (name=”device\_alias”)\*\*
/api/device/tagsList of tags on particular device (name=”device\_alias”)\*\*
/api/device/tag/valueTag value (name=”device\_alias”, name=”signal\_alias”)\*\*
/api/tags List of configured tags
/api/sysupgrade Firmware upgrade (name=”file”)\*
\* Endpoints accepting files \*\* Endpoints accepting field data The API accepts data and files as POST requests encoded as ”multipart/form­data”.# 10 SNMP SNMP (Simple Network Management Protocol) is an internet­standard protocol for managing devices on IP networks. SNMP exposes management data in the form of a hierarchy of variables in a MIB (Management Information Base). WCC Lite supports SNMP service which is not added to default build of firmware but can be installed as a module. It enables user to collect data on various parameters of system: - CPU time ­ time spent for calculations of various processes: - *user* ­- time for user processes; - *system* -­ time for system processes; - *idle* ­- time spent idling; - *interrupts* -­ time spent handling interrupts. - *CPU load average* -­ CPU load average for 1, 5 and 15 minutes respectively; - Disk usage: - *total* ­- total amount of storage in the device (in kB) - *available* -­ amount of storage available to store data (in kB) - *used* -­ amount of storage used in the device (in KB) - *blocks used percentage* ­- blocks (sectors) used to store data in a disk (in kB) - *inodes used percentage* ­- the inode (index node) is a data structure in a Unix­style file system that describes a file­system object such as a file or a directory. Each inode stores the attributes and disk block location(s) of the object’s data. - *Memory usage* ­- RAM usage statistics: - *total* ­- total amount of RAM in the device (in kB); - *available* -­ unused amount of RAM in the device (in kB); - *shared* -­ shared amount of RAM between multiple processes (in kB); - *buffered* - refers to an electronic buffer placed between the memory and the memory controller; - *cached* ­- a portion of memory made of high­speed static RAM (SRAM) instead of the slower dynamic RAM (DRAM) used for main memory; - *Network interfaces*: - *MTU* ­- maximum transmission unit to be sent over network; - *speed* -­ rate of network transmission; - *physical address* ­- unique MAC address assigned to a device; - *tx/rx*: byte, packet, drop, error count; - *System properties*: - *uptime* -­ time since the device was turned on; - *process uptime* ­- time since the process has been started; - *hostname* ­- a label that is assigned to a device connected to a computer network; - *name* ­- name of the device (if defined); - *location* ­- location of the device (if defined).# 11 DNP 3.0 ### Introduction DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies. It was developed for communications between various types of data acquisition and control equipment. It plays a crucial role in SCADA systems, where it is used by SCADA Master Stations (a.k.a. Control Centers), Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs). It is primarily used for communications between a master station and RTUs or IEDs. ICCP, the Inter­Control Center Communications Protocol (a part of IEC-60870­6), is used for inter­master station communications. Elseta’s DNP3 stack has both Master and Slave protocols implemented. Both of them are able to serve multiple serial (over physical RS­485 line), TCP or TLS (over TCP) connections with high efficiency. IEEE­1815 defines 4 subset levels (1­4) that consist of the objects and function codes that must be supported by the master and outstation. Levels 1­3 are supported fully and level 4 is supported partially. To get more information about how DNP3 works and what capabilities are supported one should get a copy of protocol specification and/or check Slave Interoperability List/Configuration guides for both Master and Slave protocols.

To set up TLS connection for both DNP3 Master and Slave, refer to sections Excel configuration and Certificates. All keys and certificates should be provided in the PEM format.

If no configuration is set up, DNP3 Master and Slave services are not started.

### DNP 3.0 Master Default group and variation sets are used to send commands. If slave devices support different groups and variations, they can be adjusted in Excel configuration. For more information check section Excel configuration. #### Configuring datapoints To use DNP3 Master in WCC Lite, it has to be configured via an Excel configuration. This configuration contains two Excel sheets where parameters have to be filled in ­Devices and Signals. ##### DNP3 Master parameters for Devices tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used (”dnp3 serial”/”dnp3 tcp” (case insensitive))Yes
modestringChoosing between TCP, TLS and SERIAL modes . If protocol provided DNP3 TCP mode defaults to tcp and if DNP3 serial is provided mode defaults to serialNoTCP or SERIALTCP, SERIAL
hoststringIP address of TCP slave deviceYes (for TCP).
bind\_address stringIP address of network adapter used to connect to slave deviceNo (for TCP)0.0.0.0
portintegerTCP communication portNo (for TCP)20000
deviceintegerCommunication port (”PORT1” or ”PORT2”)Yes (for SERIAL)
baudrateintegerCommunication speed, bauds/sNo (for SERIAL)9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600,115200
databitsintegerData bit count for communicationNo (for SERIAL)869
stopbitsintegerStop bit count for communicationNo (for SERIAL)102
paritystringCommunication parity optionNo (for SERIAL)nonenone, even, odd
flowcontrolstringCommunication device flow control option. No (for SERIAL)nonenone
tlsbooleanEnable/disable use of TLS Yes (for TLS)001
tls\_local\_certificatestringLocal certificate for TLS connectionYes (for TLS)
tls\_peer\_certificatestringCertificate authority file for TLS connectionNo (for TLS)
tls\_private\_keystringFile consisting of private key for TLS connectionNo (for TLS)
max\_rx\_frag\_sizeintegerMaximum size of a received fragment.No204802048
destination\_addressintegerAddress of a master stationNo1065535
source\_addressintegerAddress of a slave (local) station.No1065535
unsol\_disableboolDisables unsolicited messages on startup. Overrides **unsol\_classes** parameter. No001
unsol\_classesstringDefines which classes will have unsolicited actions on startup. Can be overriden with **unsol\_disable**. (Example: "1,3,2")Nono class13
groups\_scan\_maskintegerBitmask for enabling separate group scans with x06 qualifier (all objects): 0 -­ Binary, 1 ­- Double­bit Binary, 2 ­- Binary Output Status, 3 ­- Counter, 4 ­- Frozen Counter, 5 ­- Analog, 6 ­- Analog Output Status, 7 ­- Octet StringNo007
groups\_scan\_intervalinteger, string Time between separate groups scans intervals in seconds. Set to 0 to disable.No00
exception\_scan\_intervalinteger, string Time between exception scan (classes 1,2,3) intervals in seconds. Set to 0 to disable.No00
integrity\_scan\_intervalinteger, string Time between integrity scan (classes 0,1,2,3) intervals in seconds (general interrogation). Set to 0 to disable.No00
timesync\_modestringWill override masters default setting for choosing timesync procedureNoNON-LAN(for Serial) LAN (for tcp) LAN, NON-LAN
time\_sync\_interval\_sec integer, string Periodic time sync interval in seconds. If 0 < ­- time syncs are forced and periodic. If = 0 ­- time syncs react to IIN bits from slave. If < 0 -­ time syncs are disabled. No00
select\_msintegerSelect command timeout. Valid for all signals.No10000
timeout\_msintegerResponse timeout in millisecondsNo 2000
keep\_alive\_timeoutintegerTime interval for sending a keep alive packet in milliseconds.No60
##### DNP3 Master parameters for Signals tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestringUser-friendly signal nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_alias Unique alphanumeric name of the signal to be usedYes
enablebooleanEnabling/disabling of a deviceNo101
indexintegerIndex of a signal.Yes 065535
logbooleanEnable logging in event logNo00
signal\_typestringDNP3 signal type. (case insensitive) Yes ”BINARY”, ”ANALOG”, ”DOUBLEBITBINARY” ”BINARYOUTPUTSTATUS”, ”COUNTER”, ”FROZENCOUNTER”, ”ANALOGOUTPUTSTATUS, ”OCTETSTRING”, ”TIMEANDINTERVAL”, ”BINARYOUTPUTCOMMAND”, ”ANALOGOUTPUTCOMMAND”
command\_variationintegerDNP3 command variation. *Supported variations depend on signal type and are provided in table below* No004
static\_variationintegerDNP3 command variation (). Supported variations depend on signal type and are provided in table below.No 0, 1, 2, 3, 4, 5, 6, 9, 10
event\_variationintegerDNP3 command variation. Supported variations depend on signal type and are provided in table below.No 08
control\_codeintegerDNP3 control model code of CROB signal. TripClose and Pulse controlmodel requires **PulseOn/off** times to be set No LATCH, PULSE, TRIPCLOSE
pulse\_on\_time\_msintegerPulse ON time in milliseconds, when using Pulse or TripClose control models must be setNo
pulse\_off\_time\_msintegerPulse OFF time in milliseconds, when using Pulse or TripClose control models must be setNo
class\_numintegerClass assignment of this signal.No003
operate\_typeinteger No1-11
job\_todostringDevice status signal can be configured by providing one of the given values. No COMMUNICATION\_STATUS, DEVICE\_RUNNING, DEVICE\_ERROR, UNKNOWN\_ERROR
#### Debugging the DNP3 Master service If configuration for DNP3 devices is set up, handler for protocol will start automatically. If configuration is missing or contains errors, protocol will not start. It is done intentionally decrease unnecessary memory usage. DNP3 protocol runs a service called **dnp3-­master**. If DNP3 does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly. To launch a debugging session, a user should stop **dnp3-­master** process and run **dnp3-m­aster** command with respective flags as in the table given below. Procedure for DNP3 Master protocol service debugging: - **Step 1**: Service must be stopped by entering the following command into the wcclite: **/etc/init.d/dnp3-­master stop** - **Step 2**: After service is stopped it must be started with the preferred configuration file (JSON files found in /etc/ folder) and a debug level 7: **dnp3­-master ­-c /etc/dnp3-­master/dnp3­master.json ­-d7**Additional output forming options described in the table below. - **Step 3**: Once the problem is diagnosed normal operations can be resumed with the following command: **/etc/init.d/dnp3-­master start** dnp3­-master command line debugging options
Option Description
­-h \[ –help \] Display help information
­-V \[ –version \] Show version
-p \[ –port \]­Show output for one port only
­-d <debug level>Set debugging level
-­c \[ –config \] Config path
-­a \[ –app \]Show application layer data
–l \[ –link \] Show link layer data
–t \[ –transport \] Show transport layer data
-­r \[ –redis \] Show Redis messages
-­R \[ –readyfile \] Ready notification file
### DNP 3.0 Slave Default group and variation sets are used to send static and event values. If master devices support different groups and variations, they can be adjusted in Excel configuration. Wcc­-Lite supported variations are provided in: *Static and Event variations* and *Command variations.* ##### DNP3 Slave parameters for Devices tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used.Yes dnp3 tcp slave dnp3 serial slave
modestringChoosing between TCP, TLS and SERIAL modes. If protocol provided DNP3 TCP mode defaults to tcp and if DNP3 serial is provided mode defaults to SERIALNoTCP or SERIALTCP, SERIAL, TLS
hoststringIP address of TCP slave deviceYes (for TCP).
bind\_address stringIP address of network adapter used to connect to slave deviceNo (for TCP)0.0.0.0
portintegerTCP communication portNo (for TCP)20000
deviceintegerCommunication port (”PORT1” or ”PORT2”)Yes (for SERIAL)
baudrateintegerCommunication speed, bauds/sNo (for SERIAL)9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600,115200
databitsintegerData bit count for communicationNo (for SERIAL)869
stopbitsintegerStop bit count for communicationNo (for SERIAL)102
paritystringCommunication parity optionNo (for SERIAL)nonenone, even, odd
flowcontrolstringCommunication device flow control option. No (for SERIAL)nonenone
tlsbooleanEnable/disable use of TLS Yes (for TLS)001
tls\_local\_certificatestringLocal certificate for TLS connectionYes (for TLS)
tls\_peer\_certificatestringCertificate authority file for TLS connectionNo (for TLS)
tls\_private\_keystringFile consisting of private key for TLS connectionNo (for TLS)
max\_tx\_frag\_sizeintegerMaximum size of a received fragment.No204802048
destination\_addressintegerAddress of a master stationNo1065535
source\_addressintegerAddress of a slave (local) station.No1065535
unsol\_classesstringDefines which classes will have unsolicited actions on startup. Can be overriden with **unsol\_disable**. (Example: "1,3,2")Nono class13
time\_sync\_interval\_sec integer, string Periodic time sync interval in seconds. If 0 < ­- time syncs are forced and periodic. If = 0 ­- time syncs react to IIN bits from slave. If < 0 -­ time syncs are disabled. No00
select\_msintegerSelect command timeout. Valid for all signals.No10000
timeout\_msintegerResponse timeout in millisecondsNo 2000
keep\_alive\_timeoutintegerTime interval for sending a keep alive packet in milliseconds.No60
##### DNP3 Slave parameters for Signals tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestringUser-friendly signal nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_alias Unique alphanumeric name of the signal to be usedYes
enablebooleanEnabling/disabling of a deviceNo101
indexintegerIndex of a signal.Yes 065535
logboleanEnable logging in event logNo00
deadbanddoubleDeadband for Analog, Analog Output Status, Counter, Frozen Counter signals.No0
signal\_typestringDNP3 signal type. (case insensitive) Yes ”BINARY”, ”ANALOG”, ”DOUBLEBITBINARY” ”BINARYOUTPUTSTATUS”, ”COUNTER”, ”FROZENCOUNTER”, ”ANALOGOUTPUTSTATUS, ”OCTETSTRING”, ”TIMEANDINTERVAL”, ”BINARYOUTPUTCOMMAND”, ”ANALOGOUTPUTCOMMAND”
command\_variationintegerDNP3 command variation. *Supported variations depend on signal type and are provided in table below* No004
static\_variationintegerOverride default signal’s static variation. Valid for Status mode signals.No 0, 1, 2, 3, 4, 5, 6, 9, 10
event\_variationintegerOverride default signal’s event variation. Valid for Status mode signals. No 08
control\_codeintegerDNP3 control model code of CROB signal. TripClose and Pulse controlmodel requires **PulseOn/off** times to be set No LATCH, PULSE, TRIPCLOSE
pulse\_on\_time\_msintegerPulse ON time in milliseconds, when using Pulse or TripClose control models must be setNo
pulse\_off\_time\_msintegerPulse OFF time in milliseconds, when using Pulse or TripClose control models must be setNo
class\_numintegerClass assignment of this signal.No003
operate\_typeintegerDefault command behaviour. IF selected ”­**-1**” ­- DirectOperateNoAck, **”0”** - DirectOperate, "**1" -**­ SelectBeforeOperate. No1-11
job\_todostringDevice status signal can be configured by providing one of the given values. No COMMUNICATION\_STATUS, DEVICE\_RUNNING, DEVICE\_ERROR, UNKNOWN\_ERROR
##### Command variations
Signal TypeAvailable Command VariationDefault Command Variation
Binary Output Command (Group12)0, 11
Analog Output Command (Group41)0, 1, 2, 3, 41
##### Static and Event variations
Signal TypeAvailable VariationsDefault Variations
BinaryStatic variation (Group1) 1, 2 Event variation (Group2) 1, 2, 3Static variation 2 Event variation 1
Double BinaryStatic variation (Group3) 1, 2 Event variation (Group4) 1, 2, 3Static variation 2 Event variation 1
Binary Output StatusStatic variation (Group10) 2 Event variation (Group11) 1, 2Static variation 2 Event variation 1
CounterStatic variation (Group20) 1, 2, 5, 6 Event variation (Group22) 1, 2, 5, 6Static variation 1 Event variation 1
Frozen CounterStatic variations (Group21) 1, 2, 5, 6, 9,10 Event variation (Group23) 1, 2, 5, 6Static variation 1 Event variation 1
AnalogStatic variation (Group30) 1, 2, 3, 4, 5, 6 Event variation (Group32) 1, 2, 3, 4, 5, 6, 7, 8Static variation 1 Event variation 1
Analog Output StatusStatic variation (Group40) 1, 2, 3, 4 Event variation (Group42) 1, 2, 3, 4, 5, 6, 7, 8Static variation 1 Event variation 1
Time and IntervalStatic variation (Group50) 1Static variation 1
Octet StringStatic variation (Group110) 0 Event variation (Group111) 0Static variation 0 Event variation 0
#### Debugging the DNP3 Slave service If configuration for DNP3 devices is set up, handler for protocol will start automatically. If configuration is missing or contains errors, protocol will not start. It is done intentionally decrease unnecessary memory usage. DNP3 protocol runs a service called **dnp3-­slave** . If DNP3 does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly. To launch a debugging session, a user should stop **dnp3-­slave** process and run **dnp3-slave** command with respective flags as in the table given below. Procedure for DNP3 Master protocol service debugging: - **Step 1**: Service must be stopped by entering the following command into the wcclite: **/etc/init.d/dnp3-­slave stop** - **Step 2**: After service is stopped it must be started with the preferred configuration file (JSON files found in /etc/ folder) and a debug level 7: **dnp3­-slave ­-c /etc/dnp3-­slave/dnp3­slave.json ­-d7** Additional output forming options described in the table below. - **Step 3**: Once the problem is diagnosed normal operations can be resumed with the following command: **/etc/init.d/dnp3-­slave start** dnp3­-slave command line debugging options
Option Description
­-h \[ –help \] Display help information
­-V \[ –version \] Show version
-p \[ –port \]­Show output for one port only
­-d <debug level>Set debugging level
-­c \[ –config \] Config path
-­a \[ –app \]Show application layer data
–l \[ –link \] Show link layer data
–t \[ –transport \] Show transport layer data
-­r \[ –redis \] Show Redis messages
-­R \[ –readyfile \] Ready notification file
# 12 SMS sender ### General SMS sender is a service that lets user configure WCC Lite to send SMS on a set tag trigger.s

SMS sender functionality is available since firmware version v1.5.4, of WCC Lite.

### Configuring SMS sender To configure WCC Lite to use SMS sender user must fill in the needed parameters in Excel configuration. These parameters are shown in the tables below. *SMS sender parameters for Devices tab:*
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestringUser-friendly device nameYes
descriptionstringDescription of the deviceNo
device\_aliasstringDevice alias to be used in configurationYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringSelection of protocolYes **SMS sender**
hoststringList of phone numbers to send SMS to, separated by space.Yes
[![image-1632837719431.png](https://wiki.elseta.com/uploads/images/gallery/2021-09/scaled-1680-/image-1632837719431.png)](https://wiki.elseta.com/uploads/images/gallery/2021-09/image-1632837719431.png) *SMS sender parameters for Signals tab:*
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestringUser-friendly signal nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_aliasstringUnique signal name to be usedYes
source\_device\_aliasstringdevice\_alias of the source deviceNo
source\_signal\_aliasstringsource\_alias of the source signalNo
enablebooleanEnabling/disabling of a signalNo101
log integerEnable logging in event log No00
job\_todostringSpecific SMS sender tag typeYes send-sms, device-control, device-status
tag\_job\_todostringSMS sender tag for **send-sms**: *text message* Yes
triggerstringTrigger expression for the SMS to be sentNo (Only for send\_sms)value!=0
To configure SMS sender, 3 types of signals are mandatory. These values should be written inside the *job\_todo* field for each signal: - **send-sms** - This signal takes value from the provided *source\_signal\_alias* field and checks if the value evaluates as true against the *trigger* field. If its true, the SMS sender will send the text from the *tag\_job\_todo* field to the specified phone numbers. - **device-control** - This signal controls if the SMS sender is enabled or disabled. Its *tag\_job\_todo* parameter should be set to enable. It takes value from the *source\_signal\_alias* field and evaluates it against the *trigger* field. If the *trigger* is evaluated as true, the SMS sender will be enabled, otherwise it will disable the SMS sender. - **device-status** - This signal indicates if the service is enabled or not. Its *tag\_job\_todo* parameter should be set to *enabled.* Trigger expressions can be configured with basic comparison operators: - Less than **<** - Greater than **>** - Less than or equal to **<=** - Greater than or equal to **>=** - Equal **==** - Not equal **!=** *Example configuration of SMS sender:* [![image-1632898451171.png](https://wiki.elseta.com/uploads/images/gallery/2021-09/scaled-1680-/image-1632898451171.png)](https://wiki.elseta.com/uploads/images/gallery/2021-09/image-1632898451171.png)# 13 DLMS/COSEM ### Introduction **IEC 62056** is a set of standards for electricity metering data exchange by [International Electrotechnical Commission](https://en.wikipedia.org/wiki/International_Electrotechnical_Commission "International Electrotechnical Commission"). The IEC 62056 standards are the [international standard](https://en.wikipedia.org/wiki/International_standard "International standard") versions of the DLMS/COSEM specification. **DLMS** or **Device Language Message Specification** (originally Distribution Line Message Specification),[\[1\]](https://en.wikipedia.org/wiki/IEC_62056#cite_note-1) is the suite of standards developed and maintained by the DLMS User Association (DLMS UA) and has been adopted by the IEC TC13 WG14 into the IEC 62056 series of standards. The DLMS User Association maintains a D Type liaison with IEC TC13 WG14 responsible for international standards for meter data exchange and establishing the IEC 62056 series. In this role, the DLMS UA provides maintenance, registration and compliance certification services for IEC 62056 DLMS/COSEM. **COSEM** or **Companion Specification for Energy Metering**, includes a set of specifications that defines the [transport](https://en.wikipedia.org/wiki/Transport_layer "Transport layer") and [application](https://en.wikipedia.org/wiki/Application_layer "Application layer") layers of the DLMS protocol. The DLMS User Association defines the protocols into a set of four specification documents namely Green Book, Yellow Book, Blue Book and White Book. The Blue Book describes the COSEM meter object model and the OBIS object identification system, the Green Book describes the architecture and protocols, the Yellow Book treats all the questions concerning conformance testing, the White Book contains the glossary of terms. If a product passes the [conformance test](https://en.wikipedia.org/wiki/Conformance_test "Conformance test") specified in the Yellow Book, then a certification of DLMS/COSEM compliance is issued by the DLMS UA. The IEC TC13 WG14 groups the DLMS specifications under the common heading: "Electricity metering data exchange - The DLMS/COSEM suite". DLMS/COSEM protocol is not specific to electricity metering, it is also used for gas, water and heat metering. Source: [https://en.wikipedia.org/wiki/IEC\_62056](https://en.wikipedia.org/wiki/IEC_62056 "Wikipedia") ### DLMS Master #### Overview DLMS (Device Language Message Specification) is a suite of standards developed and maintained by the DLMS User Association. COSEM (Companion Specification for Energy Metering) includes a set of specifications that define the transport and application layers of the DLMS protocol. In DLMS/COSEM all the data in electronic utility meters and devices are represented by means of mapping them to appropriate classes and related attribute values. Objects are identified with the help of OBIS (Object Identification System) codes (as per IEC 62056-61). The DLMS driver allows only for readout and displaying only numeric values of DLMS object data fields. Connection via TCP (HDLC or WRAPPER) or serial (RS232/RS485) port are supported. The setup of the DLMS driver consists of communication and tag configuration. Protocol specific parameters (except for DLMS/IEC handshake mode) apply for both serial and IP connections. #### Configuration ##### Devices section **serialnumber**, **server\_address** and **id** define the meter addressing parameters. Either **serialnumber** (meter serial number) or a combination of **server\_address** (physical server address) and **id** (logical server address) is used. If a serial number is provided, physical and logical server addresses are ignored.

Before configuring the Device section it is best to first check the connection parameters with a 3rd party DLMS utility.

**master\_address** defines the client address. This usually depends on the authentication used. Most meters support 16 for no authentication. **type** defines the object referencing. SN should be used for short name referencing and LN for logical name referencing. **mode** defines the communications mode. If IEC is used along with comms settings for serial readout, the connection is initiated as per IEC 62056-21, at the default initial baud rate (300 7E1). DLMS-HDLC shall be used for HDLC connections via IP. DLMS-WRAPPER is also supported for IP connections. The default setting is DLMS-HDLC. **timeout\_ms** defines the reply timeout for telegrams both via serial and TCP. **auth** and **password** define the authentication mode and password. This can be set to None, or other authentication variant (see table below), depending on the mode configured and supported by the particular meter. **ip** and **port** define the IP address and TCP port for DLMS communication via IP. To use TCP/IP communication set protocol to **DLMS TCP** and for serial use **DLMS serial**

Connection parameters are device specific and can differ between makes, models and utility companies. For initial connection settings please refer to the configuration of the particular meter.

When ip and port are configured, any serial port settings are ignored and connection is initiated only via IP.

Device configuration parameters for DLMS meters acquisition:
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
name stringUser-­friendly name for a device Yes
descriptionstringDescription of a device No
device\_aliasstringAlphanumeric string to identify a device Yes
enablebooleanEnabling/disabling of a device No101
protocolstringProtocol to be used Yes DLMS serial, DLMS TCP
serialnumberintegerMeter serial number No0
slave\_addressintegerMeter physical server address No1600
idintegerMeter logical server address No0
address\_sizeintegerMeter address size in bytes No114
master\_address integerClient address Yes
typestringMeter object referencing: SN - short referencing, LN - logical referencing NoSNSN, LN
modestringInitial handshake mode. YesDLMS-­HDLCDLMS, IEC, DLMS-­DLC or DLMS-­RAPPER
timeout\_msintegerTimeout in milliseconds No2500
authstringAuthentication. NoNoneNone, Low, High, HighMd5, HighSha1, HighSha256, HighGmac HighEcdsa
passwordstringPassword for authentication No when auth is None
ipstringIP address Yes (For TCP)
portintegerTCP port Yes (For TCP)
device Communication port Yes (For Serial) PORT1PORT2
baudrateintegerCommunication speed, bauds/s No (For Serial)9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communication No (For Serial)869
stopbitsintegerStop bit count for communication No (For Serial)112
paritystringCommunication parity option No (For Serial)nonenone, even, odd
flowcontrolstringCommunication device flow control option. No (For Serial)nonenone
retry\_counterintegerNumber of requests, before link is considered lost (device status signals are changed) and reconnect attempt will be issued No3
scan\_rate\_msintegerIf provided and positive ­ all reads and writes will be executed within the timeframe in milliseconds No10000
poll\_delay\_msintegerMinimum time delay in milliseconds to wait before sending any data on port. No200
##### Signals section The tag\_job defines the tag job. A list of comma-separated OBIS codes (or a single OBIS) should be used. Attribute indexes for objects of types register and extended register are selected automatically. Any other object types should include the attribute index in the form of OBIS:index. tag\_job\_todo defines the job sub-job. This field should contain an OBIS code from within the list of the tag\_job. DLMS configuration parameters creating signals:
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
logboolean Enable logging in event log No0
SNinteger Address of value to read (Short name). No
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
pulse\_short\_time\_msstringTime interval for short output pulse to stay activeNo
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo
#### Debugging the DLMS service If configuration for DLMS devices is set up, handler for protocol will start automatically. If configuration is missing or contains errors, protocol will not start. It is done intentionally decrease unnecessary memory usage. DLMS protocol runs a service called pooler. If DLMS does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly. To launch a debugging session, a user should stop pooler process and run pooler command with respective flags as in the table shown below. Procedure for DLMS Master protocol service debugging: - **Step 1**: Service must be stopped by entering the following command into the wcclite: **/etc/init.d/pooler stop** - **Step 2**: After service is stopped it must be started with the preferred configuration file (JSON files found in /etc/ folder) and a debug level 7: **pooler ­-c /etc/pooler.json ­-d7 -dlms** Additional output forming options are described in the table below. - **Step 3**: Once the problem is diagnosed normal operations can be resumed with the following command: **/etc/init.d/pooler start** DLMScommand line debugging options
Option Description
­-h \[ –help \] Display help information
­-V \[ –version \] Show version
-p \[ –port \]­Show output for one port only
­-d <debug level>Set debugging level
-­c \[ –config \] Config path
-­a \[ –app \]Show application layer data
–l \[ –link \] Show link layer data
–t \[ –transport \] Show transport layer data
-­r \[ –redis \] Show Redis messages
-­R \[ –readyfile \] Ready notification file
# 14 Aurora ### Overview The Aurora Protocol is a link layer communications protocol for use on point­to­point serial links. It is intended for use in high­speed (gigabits/second and more) connections internally in a computer or in an embedded system. It uses either 8b/10b encoding or 64b/66b encoding #### Aurora parameters for Device tab:
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestringUser-friendly device nameYes
descriptionstringDescription of the deviceNo
device\_aliasstringDevice alias to be used in configurationYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringSelection of protocolYes Aurora
baudrateintegerCommunication speed, bauds/s (See values 33.1.2)No9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity option (”none”/”even”/”odd”)Nonone
flowcontrolstringCommunication device flow control option.Nonone
scan\_rate\_msintegerIf provided and positive ­ all reads and writes will be executed within the timeframe in miliseconds.No10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout in millisecondsNo2500
idintegerInverter IDNo0
devicestringCommunication portYes PORT1PORT2
#### Aurora parameters for Signals tab:
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestringUser-friendly device nameYes
device\_aliasstringDevice alias from a Devices tabYes
enableboolean Enabling/disabling of an individual signal No101
log integerEnable logging in event log (Default: 0)No00
signal\_aliasstringUnique alphanumeric name of the signal to be usedYes
job\_todobooleanDefine tag­-functionYes
tag\_job\_todostringDefine tag action that depends on tag functionYes
number\_typeintegerType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay activeNo0
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo0
# 15 Elgama ### Overview Elgama protocol is used for communications with Elagama *elektronika electricity meters*. ### Configuration Available meter types (use number only): - 0 ­ EPQM/LZQM - 1 ­ EPQS - 2 ­ GAMA300 - 3 ­ GAMA100 - 4 ­ ITS cl ##### Elgama parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used.Yes Elgama
devicestringCommunication portYes PORT1PORT2
baudrateintegerCommunication speed, bauds/sNo9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600,115200
serial\_close\_delayintegerDelay before closing serial port in millisecondsNo400
timeout\_msintegerTimeout of waiting for incoming request in millisecondsYes
idintegerMeter serial numberYes
meter\_modelintegerMeter type (See 15.2)Yes 04
use\_timebooleanUse system/meter (0/1) time (Default: 0)No001
##### Elgama parameters for *Signals* tab
**Parameter** **Type** **Description** **Required** **Default value** (when not specified) **Range**
MinMax
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in event log No0
number\_typestringType of number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
# 16 SMA NET ### Overview SMA Net can transfer SMA Data, TCP/IP and many more telegrams due to its multi­protocol capability. Thus, it is the preferred telegram frame in case of new developments. ### Configuration ##### SMA NET parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used.Yes sma net
baudrateintegerCommunication speed, bauds/sNo9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600,115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity optionNononenone, even, odd
flowcontrolstringCommunication device flow control option.Nononenone
scan\_rate\_msintegerDelay before closing serial port in milisecondsNo10000
poll\_delay\_msinteger No200
timeout\_msintegerTimeout of waiting for incoming request in milisecondsNo2500
serial\_numberintegerInverter serial numberYes
device Communication portYes PORT1PORT2
serial\_close\_delayintegerDelay before closing serial portNo400
##### SMA NET parameters for *Signals* tab
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in event log No0
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay active No
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo
# 17 Windlog ### Overview Windlog protocol is used for communications with *Windlog data logger*. ### Configuration ##### Windlog parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used.Yes Windlog
devicestringCommunication portYes PORT1PORT2
baudrateintegerCommunication speed, bauds/sNo115200300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600,115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity optionNononenone, even, odd
flowcontrolstringCommunication device flow control option.Nononenone
timeout\_msintegerTimeout of waiting for incoming request in milisecondsYes 060000
serial\_close\_delayintegerDelay before closing serial portNo400
##### Windlog parameters for *Signals* tab
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in event log No0
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
# 18 At command ### Overview At command protocol is used for communications with AT Commands. ### Configuration ##### At command parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used.Yes at command
devicestringCommunication portYes PORT1PORT2
baudrateintegerCommunication speed, bauds/sNo9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600,115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity optionNononenone, even, odd
flowcontrolstringCommunication device flow control option.Nononenone
timeout\_msintegerTimeout of waiting for incoming request in milisecondsYes 060000
serial\_close\_delayintegerDelay before closing serial portNo400
##### At command parameters for *Signals* tab
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in event log No0
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
# 19 SOLPLUS ### Overview Solplus protocol is used to download inverter data from Solplus inverters using a http client. ### Configuration ##### Solplus parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used.Yes Solplus
scan\_rate\_msintegerAll reads and writes will be executed within thetimeframe in milisecondsNo10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout of waiting for incoming request in milisecondsNo2500060000
urlstringHTTP server location URLYes
##### Solplus parameters for *Signals* tab
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in event log No0
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay activeNo
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo
# 20 GINLONG ### Overview Ginlong protocol is used to communicate with Ginlong inverters over serial communication. ##### GINLONG parameters for *Device* tab:
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestringUser-friendly device nameYes
descriptionstringDescription of the deviceNo
device\_aliasstringDevice alias to be used in configurationYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringSelection of protocolYes Ginlong
baudrateintegerCommunication speed, bauds/s (See values 33.1.2)No9600300115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity option (”none”/”even”/”odd”)Nonone
flowcontrolstringCommunication device flow control option. (Default: (case-sensitive): ”none”)Nonone
scan\_rate\_msintegerIf provided and positive ­ all reads and writes will be executed within the timeframe in miliseconds.No10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout in millisecondsNo2500
idintegerInverter IDYes0
devicestringCommunication portYes PORT1PORT2
##### GINLONG parameters for Signals tab:
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestringUser-friendly device nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_aliasstringUnique alphanumeric name of the signal to be usedYes
enablebooleanEnabling/disabling of an individual signalNo101
logintegerAllow signal to be logged.No0
job\_todobooleanDefine tag­-functionYes
tag\_job\_todostringDefine tag action that depends on tag functionYes
number\_typeintegerType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay activeNo0
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo0
# 21 Delta ### Overview Delta protocol is used to communicate with Delta inverters over serial communication. ### Configuration ##### Delta parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestringUser-friendly device nameYes
descriptionstringDescription of the deviceNo
device\_aliasstringDevice alias to be used in configurationYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringSelection of protocolYes Delta
baudrateintegerCommunication speed, bauds/sNo9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity option (”none”/”even”/”odd”)Nonone
flowcontrolstringCommunication device flow control option. (Default: (case-sensitive): ”none”)Nonone
scan\_rate\_msintegerIf provided and positive ­ all reads and writes will be executed within the timeframe in miliseconds.No10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout in millisecondsNo 060000
idintegerInverter IDYes0
devicestringCommunication portYes PORT1PORT2
##### Delta parameters for *Signals* tab
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in event log No0
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay activeNo
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo
# 22 COMLYNX ### Overview Comlynx protocol is used to communicate with Comlynx inverters over serial communication. ##### Comlynx parameters for *Device* tab:
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestringUser-friendly device nameYes
descriptionstringDescription of the deviceNo
device\_aliasstringDevice alias to be used in configurationYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringSelection of protocolYes Comlynx
addressintegerDevice addressNo1
subnetintegerSubnet addressNo0
networkintegerNetwork addressNo0
devicestringCommunication portYes PORT1PORT2
baudrateintegerCommunication speed, bauds/sNo19200300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity option (”none”/”even”/”odd”)Nonone
flowcontrolstringCommunication device flow control option. (Default: (case-sensitive): ”none”)Nonone
scan\_rate\_msintegerIf provided and positive ­ all reads and writes will be executed within the timeframe in miliseconds.No10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout in millisecondsYes 060000
##### Comlynx parameters for *Signals* tab:
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestringUser-friendly device nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_aliasstringUnique alphanumeric name of the signal to be usedYes
enablebooleanEnabling/disabling of an individual signalNo101
logintegerAllow signal to be logged.No0
job\_todobooleanDefine tag­-functionYes
tag\_job\_todostringDefine tag action that depends on tag functionYes
number\_typeintegerType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay activeNo0
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo0
# 23 POWERONE ### Overview PowerOne protocol is used to communicate with Aurora inverters over serial communication. Serial communication parameters (baudrate, parity, etc.) are handled automatically by the protocol. ### Configuration ##### PowerOne parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used.Yes powerone
serialnumberintegerInverter serial numberYes
typeintegerInverter type : - CU ­ Collecting unit - CB ­ Normal CB - HID ­ HID with integrated CB NoCU
device Communication portYes PORT1PORT2
baudrateintegerCommunication speed, bauds/sNo9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600,115200
scan\_rate\_msintegerDelay before closing serial port in milisecondsNo10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout of waiting for incoming request in milisecondsNo1000060000
##### PowerOne parameters for *Signals* tab
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in event log No0
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay active No0
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo0
# 24 KOSTAL ### Overview Kostal protocol is used to communicate with Kostal devices over serial communication. ### Configuration ##### Kostal parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used.Yes kostal
idintegerKostal device idYes
device Communication portYes PORT1PORT2
baudrateintegerCommunication speed, bauds/sNo9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600,115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity optionNononenone, even, odd
scan\_rate\_msintegerDelay before closing serial port in milisecondsNo10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout of waiting for incoming request in milisecondsYes 060000
##### Kostal parameters for *Signals* tab
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in event log No0
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay active No
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo
# 25 VBUS ### Overview Vbus is a protocol used for communication with solar station automation via serial link. ### Configuration ##### VBUS parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestringUser-friendly device nameYes
descriptionstringDescription of the deviceNo
device\_aliasstringDevice alias to be used in configurationYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringSelection of protocolYes Vbus
slave\_addressintegerSlave device addressYes 0255
master\_addressintegerMaster device addressYes 0255
devicestringCommunication portYes PORT1PORT2
baudrateintegerCommunication speed, bauds/sNo9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity optionNononenone, even, odd
flowcontrolstringCommunication device flow control option.Nononenone
scan\_rate\_msintegerIf provided and positive ­ all reads and writes will be executed within the timeframe in miliseconds.No10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout in millisecondsNo2500060000
##### VBUS parameters for *Signals* tab:
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestringUser-friendly device nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_aliasstringUnique alphanumeric name of the signal to be usedYes
enablebooleanEnabling/disabling of an individual signalNo101
logintegerAllow signal to be logged.No00
job\_todobooleanDefine tag­-functionYes
tag\_job\_todostringDefine tag action that depends on tag functionYes
number\_typeintegerType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay activeNo0
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo0
# 26 VESTAS ### Overview Vestas is a protocol used for communication with solar station automation via serial link. ### Configuration ##### Vestas parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestringUser-friendly device nameYes
descriptionstringDescription of the deviceNo
device\_aliasstringDevice alias to be used in configurationYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringSelection of protocolYes Vestas
slave\_addressintegerSlave device addressYes 0255
master\_addressintegerMaster device addressNo00255
devicestringCommunication portYes PORT1PORT2
baudrateintegerCommunication speed, bauds/sNo9600300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communicationNo869
stopbitsintegerStop bit count for communicationNo112
paritystringCommunication parity option (”none”/”even”/”odd”)Nononenone, even, odd
flowcontrolstringCommunication device flow control option. (Default: (case-sensitive): ”none”)Nonone
scan\_rate\_msintegerIf provided and positive ­ all reads and writes will be executed within the timeframe in miliseconds.No10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout in millisecondsNo2500
##### Vestas parameters for *Signals* tab:
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestringUser-friendly device nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_aliasstringUnique alphanumeric name of the signal to be usedYes
enablebooleanEnabling/disabling of an individual signalNo101
logintegerAllow signal to be logged.No0
job\_todobooleanDefine tag­-functionYes
tag\_job\_todostringDefine tag action that depends on tag functionYes
number\_typeintegerType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay activeNo0
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo0
# 27 Kaco ### Overview This protocol is meant to be used by inverters that convert the DC power generated by the photovoltaic (PV) modules into AC power and feed this into the power grid.

This protocol handles serial communication parameters (baudrate, databits, stopbits, etc.) automatically.

### Configuration ##### Kaco parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be used.Yes Kaco
scan\_rate\_msintegerAll reads and writes will be executed within the timeframe in miliseconds.No10000
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout of waiting for incoming request in milisecondsNo2500060000
subidintegerInverter serial number displayNo0
ext\_deviceboolean0 ­- Inverter is connected directly 1 -­ Inverter is connected via remote terminalNo001
idintegerInverter serial numberYes
devicestringCommunication portYes PORT1PORT2
##### Kaco parameters for *Signals* tab
**Parameter****Type****Description****Required****Default value** (when not specified) **Range**
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in event log No0
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
pulse\_short\_time\_msintegerTime interval for short output pulse to stay activeNo
pulse\_long\_time\_msintegerTime interval for long output pulse to stay activeNo
# 28 M-Bus ### Overview M-Bus or Meter-Bus is a protocol for the remote reading of water, gas, or electricity meters. M-Bus is also usable for other types of consumption meters, such as heating systems or water meters. The M-Bus interface is made for communication on two wires, making it cost-effective. M-bus over TCP is also supported. When configured, meters will deliver the data they have collected to a WCCLite RTU that is connected at periodic intervals (scan\_rate\_ms) to read all utility meters. ### Configuration ##### M-Bus parameters for *Device* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device nameYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling a deviceNo101
protocolstringProtocol to be used.Yes mbus serial, mbus tcp
scan\_rate\_msintegerAll reads and writes will be executed within the timeframe in milliseconds.No10000
poll\_delay\_msintegerMinimum time delay in milliseconds to wait before sending any data on port.No200
timeout\_msintegerTimeout of waiting for an incoming response in millisecondsYes 060000
addressintegerDevice addressYes
devicestringCommunication portYes (for serial) PORT1PORT2
baudrateintegerCommunication speed, baud/s No (for serial) 9600 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communication No (for serial ) 8 6 9
stopbitsintegerStop bit count for communication No (for serial) 1 1 2
paritystring Communication parity option No (for serial) none none, even, odd
serial_close_delay
integerDelay before closing the serial connection.No (for serial)400
ipstringThe IP address of the TCP slave deviceYes (for TCP).
portintegerTCP communication port Yes (for TCP) 065535
##### M-Bus parameters for the *Signals* tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestring User-­friendly signal name Yes
device\_aliasstring Device alias from a Devices tab Yes
signal\_aliasstring Unique alphanumeric name of the signal to be used Yes
enableboolean Enabling/disabling of an individual signal No10 1
loginteger Enable logging in the event log No0
number\_typestringType of a number (FLOAT, DOUBLE, DIGITAL, etc.)Yes
job\_todostring Tag job as single or multiple comma-separated OBIS codes Yes
tag\_job\_todostringTag sub jobYes
# 28 Modbus ### Introduction Modbus is a serial communications protocol for use with its programmable logic controllers (PLCs). Modbus has become a de facto standard communication protocol and is now a commonly available means of connecting industrial electronic devices. It was developed for industrial applications, is relatively easy to deploy and maintain compared to other standards, and places few restrictions other than size on the format of the data to be transmitted. Modbus enables communication among many devices connected to the same network, for example, a system that measures temperature and humidity and communicates the results to a computer. Modbus is often used to connect a supervisory computer with a remote terminal unit (RTU) in supervisory control and data acquisition (SCADA) systems. Many of the data types are named from industry usage of Ladder logic and its use in driving relays: a single-bit physical output is called a coil, and a single-bit physical input is called a discrete input or a contact. WCC Lite supports both Modbus Master and Slave protocols. One can select between transmission over TCP/IP or serial connection (RS-485/RS232). Bytes to transmit can either be encoded according to both RTU and ASCII parts of standard. ### Modbus Master Modbus communication contains a single Master and may include more than 1, but not more than 247 devices. To gather data from peripheral devices, master device request a cluster of slave devices for data. If any device understand that this message is addressed for it, replies with data. As no timestamp is sent along with data, having recent data requires frequent polling. WCC Lite can be configured to acquire data periodically in custom-defined intervals. #### Configuring datapoints To use Modbus Master in WCC Lite, it has to be configured via an Excel configuration. This configuration contains two Excel sheets where parameters have to be filled in - Devices and Signals ##### Modbus Master parameters for Devices tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
name stringUser-friendly name for a device Yes
description stringDescription of a device No
device\_alias stringAlphanumeric string to identify a device Yes
enablebooleanEnabling/disabling of a device No101
protocolstringProtocol to be used Yes Modbus RTU, Modbus TCP
ipstringIP address of TCP slave deviceYes (for TCP).
portintegerTCP communication port No (for TCP) 502
bind\_addressstringIP address of network adapter used to connect to slave device (Default: ”0.0.0.0”) No (for TCP)0.0.0.0
idintegerModbus Slave IDYes
modestringChoosing between RTU (”rtu”), ASCII (”ascii”) and TCP(”tcp”) modes. ASCII is the same as RTU, but with ASCII symbols.NoTCP (for TCP) RTU (for Serial) rtu, ascii, tcp
timeout\_msintegerResponse timeout in milliseconds No 10000
devicestring Communication port (”PORT1”/”PORT2”) Yes (for RTU/ASCII) PORT1 PORT2
baudrateintegerCommunication speed, baud/s No (for RTU/ASCII) 9600 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communication No (for RTU/ASCII) 8 6 9
stopbitsintegerStop bit count for communication No (for RTU/ASCII) 1 1 2
paritystring Communication parity option No (for RTU/ASCII) none none, even, odd
flowcontrolstring Number of requests, before link is considered lost (device status signals are changed) and reconnect attempt will be issued No (for RTU/ASCII) none none
scan\_rate\_msintegerIf provided and positive - all jobs will have similar scan rate - all reads and writes will be executed within this timeframe (parameter scan\_rate\_ms in Signals tab will be ignored) No300
retry\_countintegerNumber of requests, before link is considered lost (device status signals are changed) and reconnect attempt will be issued No3
serial\_delayintegerRS485 delay between read and write operations in milliseconds No (for RTU/ASCII) 50
keep\_alive\_timeout integerTime interval for sending a keep alive packet (in milliseconds) No (for TCP)60
modbus\_multi\_write booleanUse 15/16 functions to write 1 register/coil (Default: 0) No001
comm\_restart\_delay integerTime delay between disconnecting from slave device and restarting connection (in milliseconds) (Default: 500) No (for TCP) 500
##### Modbus Master parameters for Signals tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
signal\_name stringUser-friendly signal name Yes
device\_alias stringAlphanumeric string to identify a device Yes
signal\_alias stringUnique alphanumeric name of the signal to be Yes used Yes
enablebooleanEnabling/disabling of an individual signal No101
job\_todo stringRequest to send according to modbus specification without device address and checksum. This field can be identical on several tags to fetch them in single request Yes
tag\_job\_todo stringSimilar format to job\_todo field. Address and length must be a subset of job field. Defines the individual tag’s resgister(s) or coil(s). Can be described in HEX or DEC formats Yes
number\_type stringType of a number (FLOAT, DOUBLE, DIGITAL, etc.) Yes
log integerSize of this signal’s log in Event log. No0
pulse\_short\_time\_ms integerTime interval for short output pulse to stay active No
pulse\_long\_time\_ms integerTime interval for long output pulse to stay active No
Different device vendors can have different implementations of a Modbus protocol stack. A register table can be a one of the primary differences. WCC Lite Modbus Master transmits the most significant word (byte) first, however, devices from some vendors might require transmitting the least significant word (byte) first. If that is the case, make sure to switch bytes as needed. To find out more about setting a correct number format, one should consult a section `number_type`. Modbus job or tag (as a task to be completed) can be built in a two different formats - user can select a more convenient way for him: - hexadecimal format with every single byte separated by | symbol. Device address, bytes containing output information and CRC (LRC) bytes should be excluded from the message; - decimal format containing function number, first address and address count, separated by ; symbol. All other information should be excluded from the message; `job_todo` can group several `tag_job_todo`’s. That way one Modbus message can be used to extract several tags. Grouping is accomplished dynamically meaning that if several identical jobs are found, their tags are grouped automatically. Modbus Master and Slave both have an additional signal which can be configured to show communication status. It is used to indicate if the slave device has disconnected from master (WCC Lite). To configure such signal, two columns should be filled with particular values. To a newly created additional signal one should make `job_todo` equal to `device_status` and `tag_job_todo` equal to communication\_status. Communication error status is set when a predefined count of messages (three by default, defined in `poll_retry_count` column) fail to be received or are considered invalid. Debugging a Modbus Master application If configuration for Modbus Master is set up, handler for protocol will start automatically. If configuration is missing or contains errors, protocol will not start. It is done intentionally to decrease unnecessary memory usage. Modbus Master command line debugging options `modbus-master ` ``` -h [ –help ] Display help information -V [ –version ] Show version -d Set debugging level -c [ –config ] Config path -r [ –raw ] Show raw telegram data -f [ –frame ] Show frame data -s [ –serial ] Show serial port data –tcp Show tcp packets –ascii Show ASCII messages –rtu Show RTU messages -e [ –redis ] Show redis debug information -R [ –readyfile ] Ready notification file ``` If Modbus Master does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly. To launch a debugging session, a user should stop modbus-master process and run modbus-master command with respective flags as shown above. ### Modbus Slave WCC Lite can act as one (or several) of slave devices in a communication line. This can be used to transmit data to SCADA systems or other RTU devices. It can reply to a messages from Modbus Master with matching device and register addresses. #### Configuring datapoints To use Modbus Slave in WCC Lite, it has to be configured via an Excel configuration. This configuration contains two Excel sheets where parameters have to be filled in - Devices and Signals

If TCP/IP is used as a trasmission medium, only devices with IPs predefined in host column are allowed to connect. All other connections are rejected

##### Modbus Slave parameters for Devices tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
name stringUser-friendly name for a device Yes
description stringDescription of a device No
device\_alias stringAlphanumeric string to identify a device Yes
enablebooleanEnabling/disabling of a device No101
protocolstringProtocol to be used Yes Modbus serial Slave, Modbus TCP Slave
hoststringSpace separated host IP addresses of master deviceYes (for TCP).
portintegerTCP port to listen for incoming connections Yes (for TCP)
bind\_addressstringIP address of network adapter used to connect to slave device (Default: ”0.0.0.0”) No (for TCP)0.0.0.0
keep\_alive\_timeout integerMinimum time a connection can be idle without being closed in miliseconds No (for TCP)60
modestringChoosing between RTU (”rtu”), ASCII (”ascii”) and TCP(”tcp”) modes. ASCII is the same as RTU, but with ASCII symbols.NoTCP (for TCP) RTU (for Serial) rtu, ascii, tcp
devicestring Communication port (”PORT1”/”PORT2”) Yes (for serial) PORT1 PORT2
baudrateintegerCommunication speed, baud/s No (for serial) 9600 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communication No (for serial) 8 6 9
stopbitsintegerStop bit count for communication No for serial) 1 1 2
paritystring Communication parity option No (for serial) none none, even, odd
flowcontrolstring Communication device’s flow control option. No (for serial) none none
##### Modbus Slave parameters for Signals tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
signal\_name stringUser-friendly signal name Yes
device\_alias stringAlphanumeric string to identify a device Yes
signal\_alias stringUnique alphanumeric name of the signal to be Yes used Yes
enablebooleanEnabling/disabling of an individual signal No101
number\_type stringType of a number (FLOAT, DOUBLE, DIGITAL, etc.) Yes
log integerSize of this signal’s log in Event log. No0
common\_addressintegerAddress of a slave deviceYes
functionintegerFunction numberYes
info\_addressintegerRegister addressYes
sizeintegerRegister/Coil sizeYes
#### Mapping values to registers Internally stored values aren’t organised in a register-like order, therefore mapping should be done by the user. This mapping includes setting an address of the device WCC Lite is simulating as well as function number, register number and how much 16-bit registers are used to store a value. These values should be set in `common_address`, `function`, `info_address` and `size` columns respectively in the Excel configuration. To find out how many register should be used for storing a values, how values can have their values swapped, a user should consult a section `number_type` (18.2.4).

If a Modbus master device requests a data from a register that is mapped but doesn’t yet have initial value, ILLEGAL DATA ADDRESS error code will be returned. The same error code is returned if a requested size of value is bigger that defined or if register is not configured at all.

#### Debugging a Modbus Slave application If configuration for Modbus Slave is set up, handler for protocol will start automatically. If configuration is missing or contains errors, protocol will not start. It is done intentionally to decrease unnecessary memory usage. Modbus Slave command line debugging options `modbus-slave` ``` -h [ –help ] Display help information -V [ –version ] Show version -d Set debugging level -c [ –config ] Config path -r [ –raw ] Show raw telegram data -f [ –frame ] Show frame data -s [ –serial ] Show serial port data –tcp Show tcp packets –ascii Show ASCII messages –rtu Show RTU messages -e [ –redis ] Show redis debug information -R [ –readyfile ] Ready notification file ```

If Modbus Slave does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly.

To launch a debugging session, a user should stop `modbus-slave` process and run `modbus-slave` command with respective flags as shown above.

# 29 IEC 60870-5 ### Introduction **IEC 60870 part 5** is one of the [IEC 60870](https://en.wikipedia.org/wiki/IEC_60870 "IEC 60870") set of standards which define systems used for telecontrol ([supervisory control and data acquisition](https://en.wikipedia.org/wiki/Supervisory_control_and_data_acquisition "Supervisory control and data acquisition")) in [electrical engineering](https://en.wikipedia.org/wiki/Electrical_engineering "Electrical engineering") and [power system automation](https://en.wikipedia.org/wiki/Power_system_automation "Power system automation") applications. Part 5 provides a communication profile for sending basic telecontrol messages between two systems, which uses permanent directly connected data circuits between the systems. The [IEC Technical Committee 57](https://en.wikipedia.org/wiki/IEC_TC_57 "IEC TC 57") (Working Group 03) have developed a [protocol](https://en.wikipedia.org/wiki/Communications_protocol "Communications protocol") standard for telecontrol, teleprotection, and associated telecommunications for [electric power](https://en.wikipedia.org/wiki/Electric_power "Electric power") systems. The result of this work is IEC 60870-5. Five documents specify the base IEC 60870-5: - IEC 60870-5-1 Transmission Frame Formats - IEC 60870-5-2 Data Link Transmission Services - IEC 60870-5-3 General Structure of Application Data - IEC 60870-5-4 Definition and Coding of Information Elements - IEC 60870-5-5 Basic Application Functions - IEC 60870-5-6 Guidelines for conformance testing for the IEC 60870-5 companion standards - IEC TS 60870-5-7 Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351) The IEC Technical Committee 57 has also generated companion standards: - IEC 60870-5-101 Transmission Protocols - companion standards especially for basic telecontrol tasks - IEC 60870-5-102 Transmission Protocols - Companion standard for the transmission of integrated totals in electric power systems (this standard is not widely used) - IEC 60870-5-103 Transmission Protocols - Companion standard for the informative interface of protection equipment - IEC 60870-5-104 Transmission Protocols - Network access for IEC 60870-5-101 using standard transport profiles - IEC TS 60870-5-601 Transmission protocols - Conformance test cases for the IEC 60870-5-101 companion standard - IEC TS 60870-5-604 Conformance test cases for the IEC 60870-5-104 companion standard IEC 60870-5-101/102/103/104 are companion standards generated for basic telecontrol tasks, transmission of integrated totals, data exchange from protection equipment & network access of IEC101 respectively. Source: [https://en.wikipedia.org/wiki/IEC\_60870-5](https://en.wikipedia.org/wiki/IEC_60870-5 "Wikipedia")# 29.1 IEC 60870-5-101 The IEC 60870-­5-­101 protocol is a companion standard for power system monitoring, control associated communications for telecontrol, teleprotection, and associated telecommunications for electric power systems. Standard IEC 60870­5­101 was prepared by IEC technical committee 57 (Power system control and associated communications). Standard IEC 60870-­5-­101 defines an **Application Service Data Unit** (**ASDU** Figure below). In ASDU there is ASDU identifier(with type of ASDU in it) and information objects.![image-1638258623652.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1638258623652.png) IEC 60870­-5-­101 ASDU structure **Common Address of ASDU** Defines the stations address and can be configured in Devices asdu\_address field for source and *Signals* common\_address field for destination. **Information Object Address** Used as destination object address in the control direction and as source object address in monitor direction can be configured in Signals info\_address field. Standard IEC 60870­-5­-101 transmission frames are separated into 3 different types: **frame with variable length**, **frame with fixed length** and **single control characters** [![image-1638259001158.png](https://wiki.elseta.com/uploads/images/gallery/2021-11/scaled-1680-/image-1638259001158.png)](https://wiki.elseta.com/uploads/images/gallery/2021-11/image-1638259001158.png) IEC 60870­-5-­101 ASDU structure **Control field** provides information about the message direction, type of service and checksum. **Address field** specifies the link address which points to the messages destination. WCC Lite supports IEC 60870-­5-­101 Master protocol over serial link (according EIA RS­485). Its full functionality list can be found in a IEC 60870­-5-­101 PID Interoperability List which can be downloaded separately from this user manual. ### Configuring datapoints (master) To use IEC 60870-­5-­101 Master in WCC Lite, it has to configured via an Excel configuration. This configuration contains two Excel sheets where parameters have to be filled in ­Devices and Signals. ##### IEC 60870-­5-­101 master parameters for *Devices* tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range
MinMax
name stringUser-friendly name for a device Yes
description stringDescription of a device No
device\_alias stringAlphanumeric string to identify a device Yes
enablebooleanEnabling/disabling of a device No101
protocolstringProtocol to be used Yes IEC 60870­-5-101 master
devicestring Communication port Yes PORT1 PORT2
baudrateintegerCommunication speed, baud/s No 9600 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communication No 8 6 9
stopbitsintegerStop bit count for communication No 1 1 2
paritystring Communication parity option No none none, even, odd
flowcontrolstring Number of requests, before link is considered lost (device status signals are changed) and reconnect attempt will be issued No none none
link\_addressintegerDestination address when in transmit and source address when broadcastingYes 065535
link\_sizeintegerLink address size in bytesNo112
asdu\_addressintegerApplication Service Data Unit addressYes 065535
asdu\_sizeintegerCommon address size in bytesNo113
ioa\_sizeintegerInformation object address (IOA) size in bytesNo213
cot\_sizeintegerCause of transmission (COT) size in bytesNo112
time\_sync\_interval\_secintegerDefines how often (in seconds) slave will request time synchronization. **If greater than 0** ­slave will request synchronizations, will reset timer if master did it earlier. **If 0** slave won’t request timesyncs, but will allow them. **If ­1** ­ timesyncs are not supported ­ requests will be dropped.No60
gi\_interval\_secintegerTime frame between General Interrogation requests in seconds, if 0 requests are disabledNo300
scan\_rate\_msintegerPolling interval in milliseconds. Time frame between two telegrams from master No100
timeout\_msintegerResponse timeout in milliseconds No 1000
retry\_countintegerNumber of retries of failed requests before announcing that device is in Error state No1
##### IEC 60870­-5-­101 master parameters for Signals tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
signal\_name stringUser-friendly signal name Yes
device\_alias stringAlphanumeric string to identify a device Yes
signal\_alias stringUnique alphanumeric name of the signal to be Yes used Yes
source\_device\_alias stringdevice\_alias of a source device For commands
source\_signal\_alias stringsignal\_alias of a source signal For commands
enablebooleanEnabling/disabling of an individual signal No101
log integerAllow signal to be logged. If **log is 0 signal** will not be logged. If **log is more than 0** signal will be logged No0
gibooleanIncluding/excluding (1 or 0) signal from General InterrogationNo001
common\_addressintegerAddress of a destination deviceYes
info\_addressintegerInformation object addressYes
data\_typeintegerASDU type identificatorYes
IEC 60870-­5-­101 has an additional signal which can be configured to show communication status. It is used to indicate if the slave device has disconnected from master (WCC Lite). To configure such signal, two columns should be filled with particular values. To a newly created additional signal one should make **job\_todo** equal to device\_status and **tag\_job\_todo** equal to communication\_status. ### Debugging a IEC 60870-­5­-101 Master application If configuration for IEC 60870-­5-­101 devices is set up, handler for protocol will start automatically. If the configuration is missing or contains errors, protocol will not start. It is done intentionally decrease unnecessary memory usage. If IEC 60870-­5-­101 does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly. To launch a debugging session, a user should stop *iec101­-master* process and run *iec101-­master* command with respective flags as shown in the table below. Procedure for IEC 60870-­5-­101 master service debugging: - **Step 1**: Service must be stopped by entering the following command into the wcclite: **/etc/init.d/iec101-­master stop** - **Step 2**: After service is stopped it must be started with the preferred configuration file (JSON files found in /etc/ folder) and a debug level 7: **iec101-­master -­c /etc/iec101-master/iec101­master.json ­-d7** Additional output forming options described here: Command line arguments. - **Step 3**: Once the problem is diagnosed normal operations can be resumed with the following command: **/etc/init.d/iec101-­master start** ##### IEC 60870-­5­-101 command line debugging options ``` -h [ –help ] Display help information -V [ –version ] Show version -d Set debugging level -c [ –config ] Config path -r [ –raw ] Show raw telegram data -f [ –frame ] Show frame data -R [ –readyfile ] Ready notification file ``` ### Configuring datapoints (slave) To use IEC 60870­-5­-101 Slave in WCC Lite, it has to configured via an Excel configuration. This configuration contains two Excel sheets where parameters have to be filled in *­Devices* and *Signals.* ##### *IEC 60870-­5-­101 slave parameters for Devices tab*
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range
MinMax
name stringUser-friendly name for a device Yes
description stringDescription of a device No
device\_alias stringAlphanumeric string to identify a device Yes
enablebooleanEnabling/disabling of a device No101
protocolstringProtocol to be used Yes IEC 60870­-5-101 slave
devicestring Communication port Yes PORT1 PORT2
baudrateintegerCommunication speed, baud/s No 9600 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communication No 8 6 9
stopbitsintegerStop bit count for communication No 1 1 2
paritystring Communication parity option No none none, even, odd
flowcontrolstring Number of requests, before link is considered lost (device status signals are changed) and reconnect attempt will be issued No none none
link\_addressintegerDestination address when in transmit and source address when broadcastingYes 065535
link\_sizeintegerLink address size in bytesNo112
asdu\_sizeintegerCommon address size in bytesNo113
ioa\_sizeintegerInformation object address (IOA) size in bytesNo213
cot\_sizeintegerCause of transmission (COT) size in bytesNo112
time\_syncbooleanAllow time synchronization, 1 to enable and 0 to disableNo001
sp\_timebooleanAdd CP56Time2a information to single point signals, 1 to enable and 0 to disableNo001
dp\_timebooleanAdd CP56Time2a information to double point signals, 1 to enable and 0 to disableNo001
me\_timebooleanAdd CP56Time2a information to measurements, 1 to enable and 0 to disableNo001
message\_sizeintegerMaximum length of a messageYes 0255
cache\_sizeintegerMaximum number of events to store in a bufferNo10001000
respond\_delayintegerTime in microseconds to wait before sending responsesYes 01000000
single\_byte\_ackbooleanUse single character acknowledge, 1 to enable and 0 to disableNo 001
keep\_alive\_timeoutintegerTime interval in seconds before serial connection is considered offlineNo 60
**keep\_alive\_timeout** timer is used for connection tracker to display protocol status. This parameter has no effect on protocol functionality and is only used to track it’s status in connection tracker. ##### IEC 60870­-5-­101 slave parameters for Signals tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
signal\_name stringUser-friendly signal name Yes
device\_alias stringAlphanumeric string to identify a device Yes
signal\_alias stringUnique alphanumeric name of the signal to be Yes used Yes
source\_device\_alias stringdevice\_alias of a source device For commands
source\_signal\_alias stringsignal\_alias of a source signal For commands
enablebooleanEnabling/disabling of an individual signal No101
log integerAllow signal to be logged. If **log is 0 signal** will not be logged. If **log is more than 0** signal will be logged No0
gibooleanIncluding/excluding (1 or 0) signal from General InterrogationNo001
common\_addressintegerAddress of a destination deviceYes
info\_addressintegerInformation object addressYes
data\_typeintegerASDU type identificatorYes
IEC 60870­5­101 has an additional signal which can be configured to show communication status. It is used to indicate if the slave device has disconnected from master (WCC Lite). To configure such signal, two columns should be filled with particular values. To a newly created additional signal one should make **job\_todo** equal to device\_status and **tag\_job\_todo** equal to communication\_status. ### Debugging a IEC 60870­5­101 Master application If configuration for IEC 60870-­5-­101 devices is set up, handler for protocol will start automatically. If the configuration is missing or contains errors, protocol will not start. It is done intentionally decrease unnecessary memory usage. If IEC 60870-­5-­101 does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly. To launch a debugging session, a user should stop *iec101­-slave* process and run *iec101-­slave* command with respective flags as shown in the table below. Procedure for IEC 60870-­5-­101 slave service debugging: - **Step 1**: Service must be stopped by entering the following command into the wcclite: **/etc/init.d/iec101-­slave stop** - **Step 2**: After service is stopped it must be started with the preferred configuration file (JSON files found in /etc/ folder) and a debug level 7: **iec101-­slave-­c /etc/iec101-slave/iec101slave.json ­-d7** Additional output forming options described here: Command line arguments. - **Step 3**: Once the problem is diagnosed normal operations can be resumed with the following command: **/etc/init.d/iec101-­slave start** ##### IEC 60870-­5­-101 command line debugging options ``` -h [ –help ] Display help information -V [ –version ] Show version -d Set debugging level -c [ –config ] Config path -r [ –raw ] Show raw telegram data -f [ –frame ] Show frame data -R [ –readyfile ] Ready notification file ```# 29.2 IEC 60870-5-103 ### IEC 60870-5-103 The IEC 60870-5-103 protocol is a companion standard for the informative interface of protection equipment. Standard IEC 60870-5-103 was prepared by IEC technical committee 57 (Power system control and associated communications).It is a companion standard for the basic standards in series IEC 60870-5: Standard IEC 60870-5-103 defines communication between protection equipment and devices of a control system (supervisor or RTU) in a substation. Standard IEC 60870-5-103 defines a multipoint communication protocol via which information can be exchanged between a control system (supervisor or RTU) and one or more protection devices. The control system is the master and the protection devices are the slaves. Each slave is identified by a unique address between 1 and 254. Address 255 is reserved for broadcast frames. ### IEC 60870-5-103 Master ### Configuring datapoints WCC Lite supports IEC 60870-5-103 Master protocol over serial link (according EIA RS-485). Its full functionality list can be found in a IEC 60870-5-103 PID Interoperability List. To use IEC 60870-5-103 Master in WCC Lite, it has to configured via an Excel configuration. This configuration contains two Excel sheets where parameters have to be filled in - Devices and Signals. ##### IEC 60870-­5-­103 parameters for Devices tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range
MinMax
name stringUser-friendly name for a device Yes
description stringDescription of a device No
device\_alias stringAlphanumeric string to identify a device Yes
enablebooleanEnabling/disabling of a device No101
protocolstringProtocol to be used Yes IEC 60870­-5-103 master
devicestring Communication port Yes PORT1 PORT2
baudrateintegerCommunication speed, baud/s No 9600 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communication No 8 8
stopbitsintegerStop bit count for communication No 1 1 2
paritystring Communication parity option No none none, even, odd
flowcontrolstring Number of requests, before link is considered lost (device status signals are changed) and reconnect attempt will be issued No none none
link\_addressintegerDestination address when in transmit and source address when broadcastingYes 065535
asdu\_addressintegerApplication Service Data Unit addressYes 065535
time\_sync\_interval\_secintegerTime frame between Time Synchronization requests in secondsNo60
gi\_interval\_secintegerTime frame between General Interrogation requests in seconds, if 0 requests are disabledNo300
scan\_rate\_msintegerPolling interval in milliseconds. Time frame between two telegrams from master No100
timeout\_msintegerResponse timeout in milliseconds No 1000
serial\_delayintegerCommunication device’s serial delay in milliseconds. Time frame in which master station is not TX’ing after last RX byteNo50
retry\_countintegerNumber of retries of failed requests before announcing that device is in Error state No3
retry\_delay\_msintegerTime before the next retry in millisecondsNo500
##### IEC 60870­-5-­103 master parameters for Signals tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
signal\_name stringUser-friendly signal name Yes
device\_alias stringAlphanumeric string to identify a device Yes
signal\_alias stringUnique alphanumeric name of the signal to be Yes used Yes
source\_device\_alias stringdevice\_alias of a source device For commands
source\_signal\_alias stringsignal\_alias of a source signal For commands
enablebooleanEnabling/disabling of an individual signal No101
log integerAllow signal to be logged. If **log is 0 signal** will not be logged. If **log is more than 0** signal will be logged No0
gibooleanIncluding/excluding (1 or 0) signal from General InterrogationNo001
common\_addressintegerAddress of a destination deviceYes
functionintegerFunction numberNo0
info\_addressintegerInformation object addressYes
info\_numberintegerInformation numberYes
data\_typeintegerASDU type identificatorNo0
fleetingbooleanMark signal as fleeting type (1 or 0). Fleeting signals have go to DPI::OFF after defined timeNo 01
normalise\_time\_msintegerTime in milliseconds between station receiving DPI::ON and automatically switching to DPI::OFFIf fleeting is used 100
IEC 60870-5-103 has an additional signal which can be configured to show communication status. It is used to indicate if the slave device has disconnected from master (WCC Lite). To configure such signal, two columns should be filled with particular values. To a newly created additional signal one should make **job\_todo** equal to device\_status and **tag\_job\_todo** equal to communication\_status. ### Debugging a IEC 60870-5-103 Master aplication If configuration for IEC 60870-5-103 devices is set up, the handler for the protocol will start automatically. If a configuration is missing or contains errors, the protocol will not start. It is done intentionally to decrease unnecessary memory usage. If IEC 60870-5-103 does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command-line interface and find out why link is not functioning properly or use WCC Utility to do that. To launch a debugging session, a user should stop the iec103-master process and run the iec103-master command with respective flags. - Step 1: Service must be stopped by entering the following command into the wcclite: **/etc/init.d/iec103-­master stop** - Step 2: After service is stopped it must be started with the preferred configuration file (JSON files found in /etc/ folder) and a debug level 7: **iec103-­master ­-c /etc/iec/iec103-­master.json -­d7** - Step 3: Once the problem is diagnosed normal operations can be resumed with the following command: **/etc/init.d/iec103-­master start** ##### IEC 60870-­5­-103 command line debugging options
``` -h [ –help ] Display help information -V [ –version ] Show version -d Set debugging level -c [ –config ] Config path -r [ –raw ] Show raw telegram data -f [ –frame ] Show frame data -R [ –readyfile ] Ready notification file ```
# 29.3 IEC 60870-5-104 ### IEC 60870-5-104 Master IEC 60870-5-104 protocol (in short IEC 104) is a part of IEC Telecontrol Equipment and Systems Standard IEC 60870-5 that provides a communication profile for sending basic telecontrol messages between two systems in electrical engineering and power system automation. Telecontrol means transmitting supervisory data and data acquisition requests for controlling power transmission grids. IEC 104 provides the network access to IEC 60870-5-101 (in short IEC 101) using standard transport profiles. In simple terms, it delivers IEC 101 messages as application data (L7) over TCP, usually port 2404. IEC 104 enables communication between control station and a substation via a standard TCP/IP network. The communication is based on the client-server model.

To set up TLS connection for both IEC104 Master and Slave, refer to sections Excel configuration and Certificates. All keys and certificates should be provided in the PEM format.

If no configuration is set up, IEC104 Master and Slave services are not started.

#### Configuring IEC 104 Master datapoints To use IEC 60870-­5-­104 Master in WCC Lite, it has to be configured via an Excel configuration. This configuration contains two Excel sheets where parameters have to be filled in ­ Devices and Signals. ##### IEC 60870­-5-­104 Master parameters for *Devices* tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range
MinMax
name stringUser-friendly name for a device Yes
description stringDescription of a device No
device\_alias stringAlphanumeric string to identify a device Yes
enablebooleanEnabling/disabling of a device No101
protocolstringProtocol to be used Yes IEC 60870­-5-104 master
asdu\_addressintegerApplication Service Data Unit addressYes 065535
asdu\_sizeintegerCommon address size in bytesNo213
time\_sync\_interval\_secintegerTime frame between Time Synchronization requests in secondsNo60
gi\_interval\_secintegerTime frame between General Interrogation requests in seconds, if 0 requests are disabledNo300
portintegerTCP portYes 065535
ioa\_sizeintegerInformation object address (IOA) size in bytesNo313
swtintegerSend window (SWT)Yes
rwtintegerReceive window (RWT)Yes
cot\_sizeintegerCause of transmission (COT) size in bytesNo212
hoststringHost IP address (ipv4)Yes
t1 integerAcknowledge timeout t1 (sec)Yes
t2integerConnection ACKRSN clock t2 (sec)Yes
t3integerConnection TESTFR clock t3 (sec)Yes
originatorintegerProvides a means for a controlling station toexplicitly identify itselfNo00255
##### IEC 60870­-5-­104 Master parameters for *Signals* tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
signal\_name stringUser-friendly signal name Yes
device\_alias stringAlphanumeric string to identify a device Yes
signal\_alias stringUnique alphanumeric name of the signal to be Yes used Yes
source\_device\_alias stringdevice\_alias of a source device For commands
source\_signal\_alias stringsignal\_alias of a source signal For commands
enablebooleanEnabling/disabling of an individual signal No101
log integerAllow signal to be logged. If **log is 0 signal** will not be logged. If **log is more than 0** signal will be logged No0
gibooleanIncluding/excluding (1 or 0) signal from General InterrogationNo001
common\_addressintegerAddress of a destination deviceYes
functionintegerFunction numberNo0
info\_addressintegerInformation object addressYes
data\_typeintegerASDU type identificatorNo
select\_msintegerTime limit in milliseconds for command execution. Command select has to be performed before execution if this parameter is specified. Direct command execution can be performed only if this field is left empty or set to zero.No0
### Debugging a IEC 60870-5-104 Master aplication If configuration for IEC 60870-5-104 devices is set up, the handler for the protocol will start automatically. If a configuration is missing or contains errors, the protocol will not start. It is done intentionally to decrease unnecessary memory usage. If IEC 60870-5-104 does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command-line interface and find out why link is not functioning properly or use WCC Utility to do that. To launch a debugging session, a user should stop the *iec104-master* process and run the *iec104-master* command with respective flags. - Step 1: Service must be stopped by entering the following command into the wcclite: **/etc/init.d/iec104-­master stop** - Step 2: After service is stopped it must be started with the preferred configuration file (JSON files found in /etc/ folder) and a debug level 7: **iec104-­master ­-c /etc/iec104-master/iec104-­master.json -­d7** - Step 3: Once the problem is diagnosed normal operations can be resumed with the following command: **/etc/init.d/iec104-­master start** ##### IEC 60870-­5­-104 command line debugging options
``` -h [ –help ] Display help information -V [ –version ] Show version -d Set debugging level -c [ –config ] Config path -r [ –raw ] Show raw telegram data -f [ –frame ] Show frame data

­-e [ –redis ] Show redis message -R [ –readyfile ] Ready notification file ```
### IEC 60870-5-104 Slave IEC 60870-5-104 Slave is designed not to lose data acquired from Master protocols. The data that arrives from Master protocols is stored in cache. This data is checked every second to manage further data sending. The data that leaves IEC 60870-5-104 Slave has output caches. They’re built to provide switching between multiple sessions (redundant SCADA). If a new connection arrives, the old one is dropped, but data, that is stored in cache, not sent and not confirmed by SCADA is transfered to new connection. #### Configuring IEC 104 Slave datapoints To use IEC 60870-­5­-104 Slave in WCC Lite, it has to be configured via an Excel configuration. This configuration contains two Excel sheets where parameters have to be filled in ­Devices and Signals. ##### IEC 60870-­5-­104 Slave parameters for *Devices* tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range
MinMax
name stringUser-friendly name for a device Yes
description stringDescription of a device No
device\_alias stringAlphanumeric string to identify a device Yes
enablebooleanEnabling/disabling of a device No101
protocolstringProtocol to be used Yes IEC 60870­-5-104 slave
asdu\_sizeintegerCommon address size in bytesNo213
time\_syncbooleanEnable/disable (1 or 0) time synchronizationYes
portintegerTCP portNo2404065535
ioa\_sizeintegerInformation object address (IOA) size in bytesNo313
swtintegerSend window (SWT)No12
rwtintegerReceive window (RWT)No8
cot\_sizeintegerCause of transmission (COT) size in bytesNo212
hoststringSpace separated remote host IP addresses (ipv4)Yes
bind\_addressstringBind to local IP address (ipv4)No0.0.0.0
t1 integerAcknowledge timeout t1 (sec)Yes
t2integerConnection ACKRSN clock t2 (sec)Yes
t3integerConnection TESTFR clock t3 (sec)Yes
sp\_timebooleanAdd (1 or 0) CP56Time2a information to single point signalsNo001
dp\_timebooleanAdd (1 or 0) CP56Time2a information to double point signalsNo001
me\_timebooleanAdd (1 or 0) CP56Time2a information to measurementsNo001
message\_sizebooleanMaximum length of a messageYes 0255
cache\_sizeinteger Yes 01000
tlsbooleanEnable/disable use of TLSNo001
tls\_local\_certificatestringLocal certificate for TLS connectionYes (for TLS)
tls\_peer\_certificatestringCertificate authority file for TLS connectionNo
tls\_private\_keystringFile consisting of private key for TLS connectionNo
##### IEC 60870­-5­-104 Slave parameters for *Signals* tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
signal\_name stringUser-friendly signal name Yes
device\_alias stringAlphanumeric string to identify a device Yes
signal\_alias stringUnique alphanumeric name of the signal to be Yes used Yes
source\_device\_alias stringdevice\_alias of a source device For commands
source\_signal\_alias stringsignal\_alias of a source signal For commands
enablebooleanEnabling/disabling of an individual signal No101
log integerAllow signal to be logged. If **log is 0 signal** will not be logged. If **log is more than 0** signal will be logged No001
gibooleanIncluding/excluding (1 or 0) signal from General InterrogationNo001
common\_addressintegerAddress of a destination deviceYes
info\_addressintegerInformation object addressYes
data\_typeintegerASDU type id. Types are identified automatically if this field is not set.No0
select\_msintegerTime limit in milliseconds for command execution. Command select has to be performed before execution if this parameter is specified. Direct command execution can be performed only if this field is left empty or set to zero.No0
### Debugging a IEC 60870-5-104 Slave aplication If configuration for IEC 60870-5-104 devices is set up, the handler for the protocol will start automatically. If a configuration is missing or contains errors, the protocol will not start. It is done intentionally to decrease unnecessary memory usage. If IEC 60870-5-104 does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command-line interface and find out why the link is not functioning properly or use WCC Utility to do that. To launch a debugging session, a user should stop the *iec104-slave* process and run the *iec104-slave* command with respective flags. - Step 1: Service must be stopped by entering the following command into the wcclite: **/etc/init.d/iec104-­slave stop** - Step 2: After service is stopped it must be started with the preferred configuration file (JSON files found in /etc/ folder) and a debug level 7: **iec104-­slave­-c /etc/iec104-slave/iec104-­slave.json -­d7** - Step 3: Once the problem is diagnosed normal operations can be resumed with the following command: **/etc/init.d/iec107-­slave start** ##### IEC 60870-­5­-10 command line debugging options
``` -h [ –help ] Display help information -V [ –version ] Show version -d Set debugging level -c [ –config ] Config path -r [ –raw ] Show raw telegram data -f [ –frame ] Show frame data

­-e [ –redis ] Show redis message -R [ –readyfile ] Ready notification file ```
# 30 IEC 62056-21 ### Introduction **IEC 61107** or currently IEC 62056-21, was an international standard for a computer [protocol](https://en.wikipedia.org/wiki/Communications_protocol "Communications protocol") to read utility meters. It is designed to operate over any media, including the [Internet](https://en.wikipedia.org/wiki/Internet "Internet"). A meter sends [ASCII](https://en.wikipedia.org/wiki/ASCII "ASCII") (in modes A..D) or [HDLC](https://en.wikipedia.org/wiki/HDLC "HDLC") (mode E) data to a nearby hand-held unit (HHU) using a [serial port](https://en.wikipedia.org/wiki/Serial_port "Serial port"). The physical media are usually either modulated light, sent with an [LED](https://en.wikipedia.org/wiki/LED "LED") and received with a [photodiode](https://en.wikipedia.org/wiki/Photodiode "Photodiode"), or a pair of wires, usually modulated by a 20mA [current loop](https://en.wikipedia.org/wiki/Current_loop "Current loop"). The protocol is usually [half-duplex](https://en.wikipedia.org/wiki/Duplex_(telecommunications) "Duplex (telecommunications)"). The following exchange usually takes a second or two, and occurs when a person from the utility company presses a meter-reading gun against a transparent faceplate on the meter, or plugs into the metering bus at the mailbox of an apartment building. The general protocol consists of a "sign on" sequence, in which a handheld unit identifies itself to the metering unit. During sign-on, the handheld unit addresses a particular meter by number. The meter and hand-held unit negotiate various parameters such as the maximum frame length during transmission and reception, whether multiple frames can be sent without acknowledging individual frames ([windowing](https://en.wikipedia.org/wiki/Flow_control_(data) "Flow control (data)")), the fastest communication rate that they can both manage (only in case of mode E switching to HDLC) etc. Next, the meter informs the handheld unit about the various parameters that are available with it in various security settings viz. the 'no-security logical group', ' the low-security logical groups' and ' the high-security logical groups'. If the parameter required is in the no-security group, just a get.request will provide the HHU with the desired response. If the parameter required is in the low-security group, a password authentication of the HHU is required before information can be read. In case of high-security parameters, the meter challenges the handheld unit with a cryptographic password. The handheld unit must return an encrypted password. If the password exchange is correct, the meter accepts the handheld unit: it is "signed on." After signing on, the handheld unit generally reads a meter description. This describes some registers that describe the current count of metered units (i.e. kilowatt hours, megajoules, litres of gas or water) and the metering unit's reliability (is it still operating correctly?). Occasionally a manufacturer will define a new quantity to measure, and in this case, a new or different data type will appear in the meter definition. Most metering units have special modes for calibration and resetting meter registers. These modes are usually protected by anti-tampering features such as switches that sense if the meter enclosure has been opened. The HHU may also be given limited rights to set or reset certain parameters in the meter. The handheld unit then sends a sign-off message. If no sign-off message is sent, the meter automatically signs off after a previously negotiated time interval after the last message. Source: [https://en.wikipedia.org/wiki/IEC\_62056#IEC\_62056-21](https://en.wikipedia.org/wiki/IEC_62056#IEC_62056-21 "Wikipedia") ### Overview The IEC 62056-21 standard defines protocol specifications for local meter data exchange. Data is read out via serial port in modes A, B or C. The default initial serial port settings are 300 bps 7E1, as per standard, but can be user configured. The driver implementation additionally allows for communication via TCP/IP, which is not described in the standard. In this case, baud rate acknowledgement is allowed however actual switchover between baud rates is not possible. **Mode A**: data is requested and read out at the configured baud rate. **Mode B**: data is requested at the configured baud rate and mutually switched to the baud rate proposed by the meter. Baud rate confirmation is absent. **Mode C**: data is requested at the configured baud rate, new baud rate is proposed by the meter and, if acknowledged, data is read out at the proposed baud rate. Currently data readout is supported in modes A, B and C. For data readout it is necessary to know the port settings and the format of OBIS code representation as they can slightly differ (see table) depending on the configuration of the meter. ### Configuration #### Device section The serialnumber defines the serial number of the meter. 0 (zero) will result in a ’/?!’ handshake string and may cause issues if more than one meter is wired to the serial port. The baudrate defines the initial connection baud rate. In modes B and C this will be switched to what ever baud rate is proposed by the meter. The meter\_model defines the meter profile. This is reserved for future use and should be set to 1. type defines the connection mode. Modes A, B and C are supported.

If **ip** or **port** parameters are configured, any serial port settings are ignored and connections are initiated via TCP.

IEC 62056-21 device configuration parameters:
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range
MinMax
name stringUser-friendly name for a device Yes
description stringDescription of a device No
device\_alias stringAlphanumeric string to identify a device Yes
enablebooleanEnabling/disabling of a device No101
protocolstringProtocol to be used Yes IEC 62056-21
poll\_delay\_msintegerMinimum time delay in miliseconds to wait before sending any data on port.No200
scan\_rate\_msinteger 10000
devicestringCommunication portNo (for serial) PORT1PORT2
baudrateinteger Communication speed, bauds/sNo (for serial)6900300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
databitsintegerData bit count for communicationNo (for serial)869
stopbitsintegerStop bit count for communicationNo (for serial)112
paritystringCommunication parity optionNo (for serial)NONENONE, EVEN, ODD
flowcontrolstringCommunication device flow control optionNo NONE
serialnumberunsigned longMeter serial numberYes 1
serial\_close\_delayintegerDelay before closing serial portNo400
timeout\_msintegerTimeout of waiting for incoming requestNo2500
typestringDefines a connection modeNoCA,B,C
t2integerTime to wait before acknowledging the suggested baudrate in mode CNo3002001500
ipstringIP address for TCP connectionYes (for TCP)
portintegerTCP portYes (for TCP) 065535
#### Signals section **tag\_job\_todo** defines the job sub-job. This field should contain the exact representation of the OBIS code as it is configured in the meter. E.g. if the parameter of interest is represented as ”1.8.0\*24(0147238.4\*kWh)”, the value of the configuration field should be ”1.8.0\*24” (excluding quotation marks). IEC 62056-21 tags configuration parameters:
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range
MinMax
signal\_namestringUser­-friendly signal nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_aliasstring Unique alphanumeric name of the signal to be useYes
enableboolean No101
logintegerAllow signal to be logged. If **log is 0 signal** will not be logged. If **log is more than 0** signal will be loggedNo00
number\_typestringNumber format typeYes
tag\_job\_todo stringTag job in OBIS format Yes

For **tag\_job\_todo** configuration it is best to first manually read the meter via PC or HHU (hand-held unit) to determine the exact OBIS representation format of the parameter as they can differ between meter manufacturers and utility companies.

# 31 IEC 61850 ### Introduction IEC 61850 is an international standard defining communication protocols for intelligent electronic devices at electrical substations. It is a part of the International Electrotechnical Commission’s (IEC) Technical Committee 57 reference architecture for electric power systems. The abstract data models defined in IEC 61850 can be mapped to a number of protocols. Possible mappings in the standard can be MMS (Manufacturing Message Specification), GOOSE (Generic Object Oriented Substation Event), SMV (Sampled Measured Values). These protocols can run over TCP/IP networks or substation LANs using high speed switched Ethernet to obtain the necessary response times below four milliseconds for protective relaying.

As of version v1.5.0, WCC Lite supports MMS type messaging. Logging and groups setting services are not supported.

### IEC 61850 Server WCC Lite can act as a IEC 61850 server to serve data to remote SCADA systems. For example, WCC Lite can be used to acquire data from various protocols (Modbus, IEC 60870-5-103, etc.), this data can be redirected and propagated further to a single or multiple IEC 61850 clients. IEC 61850 Server supports TCP and TLS connection types. TCP connection can be secured with password authentication. #### Commands WCC Lite **IEC 61850 Server** implementation defines four command types which are described by their control model: - **Case 1**: Direct control with normal security (direct-operate); - **Case 2**: SBO control with normal security (operate-once or operate-many); - **Case 3**: Direct control with enhanced security (direct-operate); - **Case 4**: SBO control with enhanced security (operate-once or operate-many). Normal security commands are considered for execution if the command signal is found in Excel configuration. There aren’t any additional checks in command execution in any master protocol. Enhanced security commands need feedback from master protocol to either to succeed or fail. If feedback is not received within **command\_ack\_timeout\_ms** timeframe, the command is considered as failed. Command value attributes (e.g. stVal) must be updated separately (if they need to be updated).

When using SBO commands, select is not routed to master protocol and select logic is performed only in IEC 61850 Server protocol.

#### Configuring datapoints To use IEC 61850 Server in WCC Lite, it has to be configured via an Excel configuration and data model must be uploaded. This configuration contains two Excel sheets where parameters have to befilled in - Devices and Signals. ##### IEC 61850 Server parameters for Devices tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range
MinMax
name stringUser-friendly name for a deviceYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be usedYes IEC 61850 Server
tlsstringSelecting if TLS should be usedNo0 01
bind\_addressstring (IP address format)IP address of and interface to use with serverNo0.0.0.0
hoststring (IP address format)IP address list of allowed IPs (separated with spaces) Yes
portintegerTCP communication port Yes
tls\_local\_certificatestringLocal certificate for TLS connection Yes (for TLS)
tls\_peer\_certificatestringCertificate authority file for TLS connectionYes (for TLS)
tls\_private\_keystringFile consisting of private key for TLS connectionYes (for TLS)
event\_history\_sizeintegerEvent log sizeNo
ied\_namestringName of an Intelligent Electronic DeviceYes
authorizationstringAuthorization typeNo password
passwordstringAuthorization password for server deviceYes (if authorization is yes)
model\_filenamestringFilename of data model uploaded to WCC (with or without file extension)Yes
editionstringWhich IEC61850 edition to use. No21,2, 2.1
command\_ack\_timeout\_ms integerTimeframe (ms) in which enhanced-security commands must be acknowledged (Default: 3000) No3000
report\_buffered\_sizeintegerReport control blocks buffer size in bytes (Default: 65536) No65536
report\_unbuffered\_sizeintegerUnbuffered report control blocks buffer size in bytes (Default: 65513) No65513
##### IEC 61850 Server parameters for Signals tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
signal\_namestringUser-friendly signal nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_aliasstringUnique alphanumeric name of the signal to be usedYes
enablebooleanEnabling/disabling of an individual signalNo101
logbooleanAllow signal to be logged. If **log is 0 signal** will not be logged. If **log is more than 0** signal will be loggedNo0
number\_typestringNumber format type (BOOLEAN, FLOAT, INT16, etc.)Yes
ld\_instancestringInstance of a logical deviceYes
ln\_classstringLogical node class typeYes
ln\_instanceintegerInstance of a logical node No
ln\_prefixstringPrefix of logical node stringNo
cdcstringCommon Data Class (CDC) nameYes SPS, DPS, INS, ENS, ACT, ACD, MV, CMV, SAV, SPC, DPC, INC, ENC, BSC, ISC, APC, BAC
data\_objectstringName of data object in datasetYes
da\_valuestringName of a data attribute value nodeYes
da\_timestringName of a data attribute time nodeNo
da\_qualitystringName of a data attribute quality nodeNo
da\_fcstringFunctional constrain for data objectYes ST,MX, CO, SP
control\_modelstring Model of output control No status-onlystatus-only, direct-with-normal-security, sbo-with-normal-security, direct-with-enhanced-security, sbo-with-enhanced-security
#### Converting and uploading data model To use IEC61850 Server protocol in WCC Lite, user must upload a data model in specific format (file extension .cfg). These data models can be converted from SCL files (.icd or .cid files). To convert a data model, the user must use WCC Excel Utility. There’s a separate tab for this operation as shown in picture below. [![image-1601465307717.png](https://wiki.elseta.com/uploads/images/gallery/2020-09/scaled-1680-/image-1601465307717.png)](https://wiki.elseta.com/uploads/images/gallery/2020-09/image-1601465307717.png) Converted file can be uploaded in WCC Lite web interface, Protocol Hub section. Current model can be also downloaded in the same page as shown in picture below. [![image-1601465353342.png](https://wiki.elseta.com/uploads/images/gallery/2020-09/scaled-1680-/image-1601465353342.png)](https://wiki.elseta.com/uploads/images/gallery/2020-09/image-1601465353342.png) #### Debugging a IEC 61850 server application If configuration for IEC 61850 Server is set up, handler for protocol will start automatically. If configuration is missing or contains errors, protocol will not start. It is done intentionally to decrease unnecessary memory usage.

If IEC 61850 Server does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly.

To launch a debugging session, a user should stop `iec61850-server` process and run` iec61850-server` command with respective flags as you can see below:

`iec61850-server ` ```iec61850-server -h [--help] Show help message -c [--config] arg Configuration file location -V [--version] Show version -d [--debug] arg Set Debug level -r [--redis] Show Redis messages -C [--commands] Show command messages -R [--readyfile] arg Ready notification file ``` ### IEC 61850 Client WCC Lite can be used as a master station to collect data from IEC 61850 compatible server devices such as protection relays. As relays require fast, secure and responsive interfaces, WCC Lite can be considered as a valid option. For additional security a user can use encrypted transmission (TLS) or set up a password.

As TCP (TLS) connection can encounter issues and break, automatic reconnection is implemented. After every failed reconnection attempt the fallback delay is doubled starting from 1 second up until 32 seconds. After that connection reestablishment will be attempted every 32 seconds until a successful connection.

#### Acquiring data via report control blocks As per IEC 61850 standard, the report control block controls the procedures that are required for reporting values of data objects from one or more logical nodes to one client. Automatic reporting enables data servers (slave devices) to only send data on its (or its quality) change, thus saving network bandwith. Instances of report control blocks are configured in the server at configuration time. Report control blocks send information that is defined in their respective datasets. Dataset is a set of data elements grouped to represent some data group. For example, it is a common practice to group measurements and events into different groups. A server restricts access to an instance of a report control block to one client at a time. That client exclusively shall own that instance and shall receive reports from that instance of report control blocks. There are two classes of report control blocks defined, each with a slightly different behaviour: - buffered-report-control-block (BRCB) - internal events (caused by trigger options data-change, quality-change, and data-update) issue immediate sending of reports or buffer the events (to some practical limit) for transmission, such that values of data object are not lost due to transport flow control constraints or loss of connection. BRCB provides the sequence-of-events (SOE) functionality; - unbuffered-report-control-block (URCB) - internal events (caused by trigger options data-change, quality-change, and data-update) issue immediate sending of reports on a best efforts basis. If no association exists, or if the transport data flow is not fast enough to support it, events may be lost. Buffered report control blocks are therefore useful to keep event data, for example, keeping the last known state of a relay switch where a loss of information might lead to a confusion and even financial losses. Unbuffered report control blocks are particularly useful for data which is useful only momentarily, e.g. measurements of voltages, current or power. This information can change frequently and old measurements might not reflect the real state of a substation. To allow multiple clients to receive the same values of data object, multiple instances of the report control classes shall be made available. Buffered report control blocks are usually configured to be used by a specific client implementing a well-defined functionality, for example, a SCADA master. The client may know the ObjectReference of the BRCB by configuration or by the use of a naming convention. Parsing of report control blocks is based on types of Common Data Class (CDC). Some of these types can have more then one data point of interest. Table below shows what data attributes are supported from various Common Data Classes. To select which data attribute should be used a `da_value` column should be filled with a data attribute name. Common Data Classes consist of data attributes with different Functional Constraints therefore to get the status points of interest correctly the user must fill in a correct value in `da_fc` column. IEC 61850 Client supported data attributes:
Common Data ClassFunction ConstraintData attributes
SPS DPS INS ENS STstVal
ACTSTgeneral phsA phsB phsC neut
ACDSTgeneral dirGeneral phsA dirPhsA phsB dirPhsB phsC dirPhsC neut dirNeut
MVMXinstMag mag
CMVMXinstCVal cVal
SAVMXinstMag
SPC DPC INC ENC STstVal
BSC ISC STvalWTr
APC BAC MXmxVal
Some of data attributes are structures themselves, for example, `mag` attribute is a struct that can hold integer or float values. To select a fitting attribute the user should extend `da_value` parameter with additional attributes, for example, if float magnitude value is to be selected from MV Common Data Class, `da_value` column should be filled with `mag.f` value; if the user intends `cVal` magnitude value in float format from CMV Common Data Class, `da_value` should be filled with `cVal.mag.f` value. See IEC 61850-7-3 for more information about Common Data Classes. To ensure the integrity of configuration, WCC Lite has additional checks implemented at configuration time. If report control block (or its dataset) with a predefined ObjectReference doesn’t exist, it is considered that IEC 61850 Client has not been configured properly or configuration has been changed in either of IEC 61850 devices and cannot be matched, therefore should be considered invalid. #### Number Types IEC 61580 has a distinct number\_type field when compared to other protocols.
**number\_type**
BOOLEAN
INT8
INT16
INT32
INT64
INT128
INT8U
INT24U
INT32U
FLOAT32
FLOAT64
ENUMERATED
OCTET STRING 6
OCTET STRING 8
OCTET STRING 64
VISIBLE STRING 32
VISIBLE STRING 64
VISIBLE STRING 65
VISIBLE STRING 129
UNICODE STRING 255
TIMESTAMP
QUALITY
CHECK
CODEDENUM
GENERIC BITSTRING
CONSTRUCTED
ENTRY TIME
PHYCOMADDR
CURRENCY
OPTFLDS
TRGOPS
#### Controlling remote equipment via commands The control model provides a specific way to change the state of internal and external processes by a client. The control model can only be applied to data object instances of a controllable Common Data Class (CDC) and whose ctlModel DataAttribute is not set to status - only. Such data objects can be referred to as control objects. If controls are enabled in a IEC 61850 Server device the user can configure controls by filling control\_model column in Excel configuration with a control model (*direct-with-normal-security, sbo-with-normal-security, direct-with-enhanced-security, sbo-with-enhanced-security*) as well as setting functional constraint in `da_fc` column to CO. Depending on the application, different behaviours of a control object shall be used. Therefore, different state machines are defined. Four cases are defined: - **Case 1**: Direct control with normal security (direct-operate); - **Case 2**: SBO control with normal security (operate-once or operate-many); - **Case 3**: Direct control with enhanced security (direct-operate); - **Case 4**: SBO control with enhanced security (operate-once or operate-many). IEC 61850 standard enables the user to plan command transmission in advance - set the timer when the command should be issued. However, as this possibility is rarely used in practice, it is not implemented as of version v1.5.0. All issued commands are executed immediately. For more information on control class model, please consult IEC 61850-7-2 standard. If ctlModel is read-only, messages from internal database will be ignored for this point, otherwise a subscribe callback will be launched to handle commands as soon as they are sent. If CDC of a signal does not have means of control, ctlModel parameter is ignored. Originator identification can be attached to a station so that replies to command requests could be forwarded to only one device. To use this functionality a user should select an origin identificator by filling value in Excel configuration, originator column. Originator category is always enforced to tell that remote control command is issued. #### Configuring datapoints To use IEC 61850 Client in WCC Lite, it has to be configured via an Excel configuration. This configuration contains two Excel sheets where parameters have to be filled in - Devices and Signals tables. ##### Table IEC 61850 Client parameters for *Devices* tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range
MinMax
name stringUser-friendly name for a deviceYes
descriptionstringDescription of a deviceNo
device\_aliasstringAlphanumeric string to identify a deviceYes
enablebooleanEnabling/disabling of a deviceNo101
protocolstringProtocol to be usedYes IEC 61850 Client
tlsstringSelecting if TLS should be usedNo0 01
hoststring (IP address format)IP address of server device Yes0.0.0.0
portintegerTCP communication port Yes102
tls\_local\_certificatestringLocal certificate for TLS connection Yes (for TLS)
tls\_peer\_certificatestringCertificate authority file for TLS connectionYes (for TLS)
tls\_private\_keystringFile consisting of private key for TLS connectionYes (for TLS)
event\_history\_sizeintegerEvent log sizeNo
ied\_namestringName of an Intelligent Electronic DeviceYes
authorizationstringAuthorization typeNo password
passwordstringAuthorization password for server deviceNo
originatorstringOrigin identificator for device No
##### Table IEC 61850 Client parameters for *Signals* tab
**Parameter** **Type** **Description** **Required** **Default Value** (when not specified) **Range**
MinMax
signal\_namestringUser-friendly signal nameYes
device\_aliasstringDevice alias from a Devices tabYes
signal\_aliasstringUnique alphanumeric name of the signal to be usedYes
enablebooleanEnabling/disabling of an individual signalNo101
logbooleanAllow signal to be logged. If **log is 0 signal** will not be logged. If **log is more than 0** signal will be loggedNo0
number\_typestringNumber format type Yes
ld\_instancestringInstance of a logical deviceYes
ln\_classstringLogical node class typeYes
ln\_instanceintegerInstance of a logical node No
ln\_prefixstringPrefix of logical node stringNo
cdcstringCommon Data Class (CDC) nameYes SPS, DPS, INS, ENS, ACT, ACD, MV, CMV, SAV, SPC, DPC, INC, ENC, BSC, ISC, APC, BAC
data\_objectstringName of data object in datasetYes
da\_valuestringName of a data attribute value nodeYes
da\_fcstringFunctional constrain for data objectYes ST,MX, CO, SP
control\_modelstring Model of output control No status-onlystatus-only, direct-with-normal-security, sbo-with-normal-security, direct-with-enhanced-security, sbo-with-enhanced-security
dataset string Full object reference of a dataset Yes
report\_control\_block string Full object reference of a report control block Yes
intgPd integer Integrity period in milliseconds No 0

It should be noted that ACT and ACD messages can only be parsed from report if either only ‘general’ attribute or all attributes attached to all three phases and neutral can be found in report

IEC 61850 Client has an additional signal which can be configured to show communication status. It is used to indicate if the server device has disconnected from client (WCC Lite). To configure such signal, two columns should be filled with particular values. To a newly created additional signal one should make `job_todo` equal to device\_status and `tag_job_todo` equal to communication\_status. Communication error status is set after a disconnection of a server device. #### Debugging a IEC 61850 Client application If configuration for IEC 61850 Client is set up, handler for protocol will start automatically. If configuration is missing or contains errors, protocol will not start. It is done intentionally to decrease unnecessary memory usage. IEC 61850 Client command line debugging options `iec61850-client` ``` -h [ –help ] Show help message -c [–config] arg Configuration file location -V [–version] Show version -d [–debug] arg Set debugging level -r [–redis] Show Redis messages -C [–commands] Show command messages -D [–datasets] Show dataset messages –report Show report messages -R [–readyfile] arg Ready notification file ```

If IEC 61850 Client does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly.

To launch a debugging session, a user should stop `iec61850-client` process and run `iec61850-client` command with respective flags as was shown above.

# 32 WCC Lite internal signals ### Overview The WCC Lite contains several internal data points for readout and control which can be accessed via the Pooler service. ### Configuration #### Devices section In the devices section, only the protocol, scan\_rate\_ms and poll\_delay\_ms are to be configured for this type of device. ##### WCC Lite internal signals
**Parameter** **Type****Description** **Required****Default Value** (when not specified) **Range**
namestring User-friendly device nameYes
device\_aliasstringAlphanumeric string to identify a deviceYes
protocol Protocol identifier Internal dataYes **Internal data**
scan\_rate\_msintegerUpdate rateNo60000
poll\_delay\_msintegerPoll delayNo200

It is advised to set scan\_rate\_ms to a value greater than 5000 ms as frequent scans may result in significant overload of the pooler process.

#### Signals section `tag_job` defines the tag job. This can be set to `gpio`, `board`, `netstat`, `led` and `process`. `tag_job_todo` defines the job sub­ job. This field should address the particular point of interest.
**job\_todo****Description****tag\_job\_todo****Description**
gpio Get GPIOGPIO numberUse number 11 for onboard digital input; SIM select ­ 12; SIM detect 20
Set GPIO\[integer\]|\[1/0\]Set gpio number to high or low
board Board info active-­sim­-iccidActive SIM ICCID
active­-simActive SIM card
cpu-­usageCPU usage
duidDUID
fw­-versionFirmware version
gsm­-available­-ratGSM available radio access technologies
gsm­-current­-ratGSM current radio access technology
gsm­-current-­rat-­numGSM current radio access technology identifier
gsm-­imsiGSM IMSI number
gsm-­internet­-statusGSM Internet status
internet­-statusSame as gsm­-internet­-status
gsm­-network-­reg-­statusGSM network register status
gsm-­operatorGSM operator
gsm-­operator-­numGSM operator number
gsm­-roaming­-statusGSM roaming status
gsm­-selected-­ratGSM selected rat
gsm-­service-­providerGSM service provider
gsm-­signal­-qualityGSM signal quality
gsm-­signal­-quality-numGSM signal quality (dBm)
gsm-­sig-qualitySame as gsm-­signal­-quality-num
hostnameHostname
hw­-infoHardware information
modem­-imeiModem IMEI number
modem­-manufacturerModem manufacturer name
modem­-modelModem model
modem-­typeModem type
ram­-usageRAM usage
sim­-statusSIM card status
uuidUUID
netstat|\[interface\]Network statisticsTX Bytes transferred
RXBytes received
smsstat SMS statistics received SMS received
sent SMS sent
call SMS call
failed SMS failed
led LED status/control ath9k­-phy0WLAN LED
wcclite:blue:heartbeatStatus LED
wcclite:blue:wlanWLAN LED
wcclite:green:eth0ETH0 LED
wcclite:green:eth1ETH1 LED
wcclite:green:signal1Signal 1 LED
wcclite:green:signal2Signal 2 LED
wcclite:green:signal3Signal 3 LED
wcclite:gsm­-rstGSM LED
wcclite:red:faultFault LED
wcclite:rs232-­enRS LED
wcclite:relayRelay LED & Output
processCheck if process is running\[process name\]1 or 0 is returned

Assigning source signals to tags other than wcclite:relay may cause undesirable effects. Signals other than wcclite:relay should be used for monitoring only.

# 33.1 Devices configuration Protocol HUB uses configuration in excel file format. Each sheet represents a specific part of configuration: - **Devices** contains device list and protocol related configuration. - **Signals** contains a list of signals and their options. First line on each sheet is a header row that contains parameter name for each column. Header order determines parameter names for each following row. Every line after the header is a new entry. An empty row is interpreted as end of sheet. Any rows after empty row are discarded. ### Devices sheet Devices sheet contains all devices to be configured on gateway. Each row represents one device and its settings. Following options are required for each device: - **name** - Name of the device. Used for representation only. - **description** - A short description for the device. Used for representation only. - **device\_alias** - A unique short name for the device. It is used for linking signals to a device.

Alias can only contain alphanumeric characters and dashes ( - and \_ ). Alias must be unique for each device.

- **protocol** - Protocol type to use on device. Exact values of protocols are writen in every protocol documentation. Please look into range of supported protocols: **IEC 61850 MMS:** – IEC 61850 Client (since FW 1.5.0) – IEC 61850 Server (since FW 1.5.0) **IEC 60870-5:** – IEC 60870-5-101 master – IEC 60870-5-101 slave – IEC 60870-5-103 master – IEC 60870-5-104 master \- IEC 60870-5-104 slave **DNP 3.0 Serial/LAN/WAN:** \- DNP3 Master – DNP3 Slave **Modbus Serial/TCP:** \- Modbus RTU/ASCII – Modbus TCP **Metering protocols:** \- DLMS/COSEM (since FW 1.3.0) – IEC 62056-21 (since FW 1.2.13) – MBus Serial – MBus TCP – Elgama (Meters based on IEC 62056-21 / 31 protocols) **Industrial IOT protocols:** \- MQTT \- RESTful API **Specific protocols:** – Aurora (ABB PV inverters protocol) – PowerOne (ABB PV inverters protocol) – SMA Net (SMA PV inverters protocol) – Kaco (Kaco PV inverters protocol) – Ginlong (Ginlong PV inverters protocol) – Solplus (Solutronic AG PV inverters protocol) – ComLynx (Danfoss PV inverters protocol) – Delta (Delta PV inverters protocol) – Windlog (Wind sensors from RainWise Inc.) – Vestas ( Wind turbines protocol) – Internal data – VBus.

Although device name rules aren’t strictly enforced, it is highly advised to give a unique name for every new device. Identical device names might introduce confusion while searching for signal in Imported Signals tab.

#### Optional settings - **enable** - Flag to enable or disable device on system. Can contain values 0 or 1. - **event\_history\_size** - Maximum number of signal events to save on device for later review. Older records will be erased. This feature is only available on cloud firmware. #### Serial port settings Required for any protocol that uses serial line communication. - **device** - Serial port for communication **(PORT1/PORT2)** - **baudrate** - Serial port speed. Valid values: – 300 – 600 – 1200 – 2400 – 4800 – 9600 – 19200 – 38400 – 57600 – 115200 - **databits** - Number of data bits (6-9) - **stopbits** - Number of stop bits (1-2) - **parity** - Parity mode (none/even/odd) - **flowcontrol** - Flow control method (none/hardware/software) #### TCP/IP settings Settings for any protocol that uses communication over TCP/IP. Note that all TLS certificates and keys are stored in single folder therefore only name and not the path should be filled in respective fields.

TLS fields are only supported for IEC 61850 Client and Server, IEC-60870-5-104 Slave and DNP3 Master and Slave.

- **ip** - IP address for master protocol to connect to; - **bind\_address** - one of local IP addresses to bind the server to. Connections through other network devices will be ignored; - **host** - space separated host IP addresses of master devices; - **port** - TCP port to listen for incoming connections; - **tls\_local\_certificate** - name of local TLS certificate; - **tls\_peer\_certificate** - name of certificate authority (CA) TLS certificate; - **tls\_private\_key** - name of private key for making TLS connections.# 33.2 Signals Configuration The signals sheet contains all signals linked to devices. Each signal is defined in a single row. The Signal list can be split into multiple sheets. Each sheet name may start as Signals. ### Required attributes These attributes are mandatory for every configured signal. Every Excel configuration should have specified them in the first row of the Signals sheet:
- **signal\_name** - Name of the signal. Used for representation only. - **device\_alias** - Alias of a device defined in Devices sheet. A signal is linked to a matching device. - **signal\_alias** - A unique short name for the signal. It is used for linking signals to other signals. The alias can only contain alphanumeric characters and dashes ( - and \_ ). Device and signal alias combination must be unique.
### Optional attributes Optional attributes are required depending on the protocol in use and they can be used to extend protocol functionality:
- **source\_device\_alias** - Alias of a source device defined in Devices sheet. If a user intends to use several signals and combine them via mathematical or logical function, every alias should be separated by a newline symbol (in the same cell). An operation used must also be defined in an operation column. - **source\_signal\_alias** - Alias of a source signal defined in Signals sheet. If a user intends to use several signals and combine them via mathematical or logical function, every alias should be separated by a newline symbol (in the same cell). An operation used must also be defined in an operation column. Each `source_signal_alias` should be posted in the same line as its respective `source_device_alias`. Aliases can only contain alphanumeric characters and dashes ( - and \_ ). Device and signal alias combination must be unique. - **enable** - Flag to enable or disable signal on the system. Can contain values 0 or 1. - **tag\_type** - Tag type. Simple signals are polled from the device. Virtual signals are computed internally. - **off\_message** - Message to display when a single point or double point signals are in OFF state. - **on\_message** - Message to display when a single point or double point signals are in ON state. - **units** - Signal value measurements units. - **multiply** - Multiply value by this number. - **add** - Add this number to a value. - **sum\_signals** - Define other signal values to add to the current signal. This field uses following **format**: dev\_alias/tag\_alias. Multiple signals can be defined using commas. - **min\_value** - Minimum expected value. If the result is lower than this value, the invalid flag is raised. - **max\_value** - Maximum expected value. If the result is higher than this value, the overflow flag is raised. - **absolute\_threshold** - Absolute threshold level. - **integral\_threshold** - Integral threshold level. - **integral\_threshold\_interval** - Integral threshold addition interval in milliseconds. - **threshold\_units** - Units used in threshold level fields (percent/real). - **log\_size** - Maximum number of records for this tag to keep in storage for CloudIndustries logging. - **suppression\_values** - Space-separated numeric values to be used in suppression. - **suppression\_time\_ms** - Suppression time in milliseconds. - **operation** - Mathematical or logical operation to be used for signals defined in source\_signal\_alias column. Following mathematical operations for source signal values can be used: avg (average of all values), min (lowest value), max (highest value), median (median value), and sum (all values accumulated to a single number). Logical operations, intended for unsigned integers only. - **bit\_select** - selecting an individual bit of an integer number; bit numeration starts from zero. - **math\_expression** - a mathematical expression for signal value to be evaluated against. Explained in detail in **Mathematical expressions document**.
Picture. Result of using an absolute threshold: [![image-1601977355078.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601977355078.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601977355078.png) Picture. Result of using an integral threshold: ![image-1601977339925.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601977339925.png) ### Signal recalculation operation priority A value generated by some protocol usually has to be recalculated in one way or another. This might mean changing the value of an argument as well as adding flags needed for other protocols to correctly interpret results. As recalculation is a sequential process, some actions are done before others. The sequence of operations done to a value is as follows:
- *Edition of attributes*. Attributes for further interpretation are added. This might, for example, include a flag to show that a signal resembles an answer to a command; - *Mathematical calculations*. **multiply**, **add**, **bit\_select,** and **math\_expression** columns are evaluated here; - *Usage of last value*. Decision if last value for a signal should be used if a new value of a signal is not a number (NaN) or contains a non-topical (NT) flag; - *Limiting of values*. If a value exceeds a lower or higher configured limit, value is approximated not be lower (or higher) than the limit. An additional invalid (IV) or overflow (OV) flag is added as frequently used in IEC-60870-5 protocols; - *Suppresion of values*. As electrical circuits can be noisy, protocols may generate multiple values in a short amount of time. What is more, some values are considered as intermediary and ideally should not be sent to SCADA unless they stay in the same state for some amount of time. **suppression\_values** and **suppression\_time\_ms** are used to configure this functionality; - *Threshold* checking. If a new signal doesn’t cross a threshold target value, value is supressed and not used in further stages. **absolute\_threshold, integral\_threshold, integral\_threshold\_interval, threshold\_units** columns are used to configure this functionality.

Not all of the elements in this sequence have to configured, missing operation are skipped and values are fed to a further stage of signal recalculation.

### `number_type` field This field is required for some protocols to determine a method to retrieve a signal value from hexadecimal form. Available values: • **FLOAT** - 32-bit single precision floating point value according to IEEE 754 standard • **DOUBLE** - 64-bit double precision floating point value according to IEEE 754 standard • **DIGITAL** - 1-bit boolean value • **UNSIGNED8** - 8-bit unsigned integer (0 - 255) • **SIGNED8** - 8-bit signed integer (-128 - 127) • **UNSIGNED16** - 16-bit unsigned integer (0 - 65535) • **SIGNED16** - 16-bit signed integer (-32768 - 32767) • **UNSIGNED32** - 32-bit unsigned integer (0 - 4294967295) • **SIGNED32** - 32-bit signed integer (-2147483648 - 2147483647) • **UNSIGNED64** - 64-bit unsigned integer (0 - 18446744073709551615) • **SIGNED64** - 64-bit signed integer (-9223372036854775808 - 9223372036854775807) Number conversion uses **big endian** byte order by default. Converted data will be invalid if byte order on connected device side is different. In such case byte swap operations can be used. Adding swap prefixes to number type will set different a byte order while converting values. Following swap operations are available:
- **SW8** - Swap every pair of bytes (8 bits) (e.g., **0xAABBCCDD** is translated to **0xBBAADDCC**); - **SW16** - Swap every pair of words (16 bits) (e.g., **0xAABBCCDD** is translated to **0xCCDDAABB**); - **SW32** - Swap every pair of two words (32 bits) (e.g., **0x1122334455667788** is translated to **0x5566778811223344**);
Table. Example of using different swapping functions:
Address01234567
Original numberByte 0Byte 1Byte 2Byte 3Byte 4Byte 5Byte 6Byte 7
SW8Byte 1Byte 0Byte 3Byte 2Byte 5Byte 4Byte 7Byte 6
SW16Byte 4Byte 5Byte 6Byte 7Byte 1Byte 6Byte 4Byte 5
SW32Byte 4Byte 5Byte 6Byte 7Byte 0Byte 1Byte 2Byte 3
SW8.SW16Byte 3Byte 2Byte 1Byte 0Byte 7Byte 6Byte 5Byte 4
SW8.SW32Byte 4Byte 4Byte 7Byte 6Byte 1Byte 0Byte 3Byte 2
SW8.SW16.SW32Byte 7Byte 6Byte 5Byte 4Byte 3Byte 2Byte 1Byte 0

Where Byte x, means bit x position in byte.

Add a dot separated prefix to number format to use byte swapping. Multiple swap operations can be used simultaneously. For example, use `SW8.SW16.SIGNED32` to correctly parse a 32-bit signed integer in a little endian format. Table 35 shows in detail how bytes, words or double words can be swapped and how swapping functions can be combined to make different swapping patterns. Table shows how byte swap is done for 64-bit (8-byte) numbers. It doesn’t matter if it is an unsigned/signed integer or double, byte swapping is considered a bit-level operation. If a number is shorter than 64 bits, the same logic applies, the only difference is unavailability of some swapping operations (`SW32` for 32-bit and smaller numbers). Using such unavailable operation might lead to an undefined behaviour. ### Linking signals Signals can be linked together to achieve data transfer between several protocols. If a signal source is defined, all output from that source will be routed to the input of target signal. This way events polled from a modbus device (e.g., [Modbus](https://wiki.elseta.com/books/rtu-usage/page/modbus "Modbus protocol"), [IEC 60870-5](https://wiki.elseta.com/books/rtu-usage/chapter/protocols-configuration "Protocols - configuration"), etc.) can be delivered to external station over a different protocol. A signal source is required if a signal is created on a slave protocol configuration to link events between protocols. #### Example 1: To read a coil state from a Modbus device and transfer it to [IEC 60870-5-104](https://wiki.elseta.com/books/rtu-usage/page/iec-60870-5-104 "IEC 60870-5-104") station, following steps may be taken:
1. Create a Modbus master configuration in Devices sheet. 2. Create a IEC 60870-5-104 slave configuration in Devices sheet. 3. Create a signal on master device to read coil status (function 1). 4. Create a signal on slave device with single point type (data\_type = 1). 5. Set **source\_device\_alias** and **source\_signal\_alias** fields on slave device signal to match **device\_alias** and **ignal\_alias** on master device’s coil signal.
#### Example 2 To write a coil state to a Modbus device on a command from [IEC 60870-5-104](https://wiki.elseta.com/books/rtu-usage/page/iec-60870-5-104) station, following steps may be taken:
1. Follow steps 1-3 from example 1. 2. Create a signal on slave device with single command type (data\_type = 45). 3. Set source\_device\_alias and source\_signal\_alias fields on master configuration coil signal to match device\_alias and signal\_alias on slave device’s command signal. Coil will be written to a value received by a command. 4. Set source\_device\_alias and source\_signal\_alias fields on command signal to match device\_alias and signal\_alias on master device’s coil signal. A command termination signal will be reported to the station on coil write result.

For additional information regarding the configuration of IEC 60870-5-101/103/104 protocols, please refer to ”IEC 60780-5-101/103/104 PID interoperability for WCC Lite devices”, accordingly.

### Introduction Signal value might require some recalculation or signal update prior to being sent. Understandably, existing columns in Excel configuration like `multiply`, `add`, `bit_select` might not be flexible enough. To overcome these limitations, symbolic mathematical expressions can be configured to do calculations automatically on every update of a signal.

It should be noted that filling mathematical expression disables other mathematical scalar operations for a single value such as `multiply`, `add` or `bit_select`. Other functions (primarily between several signals) are still available such as operation.

### Feature list: - Optimized for speed - High parsing performance - if-then-else operator with lazy evaluation - Default implementaion with many features - 25 predefined functions - 18 predefined operators - Unit support - Use postfix operators as unit multipliers (3m -> 0.003) ### Mathematical functions Table. Supported mathematical functions:
NameArgument countExplanation
sin1sine function (rad)
cos1cosine function (rad)
tan1tangent function (rad)
asin1arcus sine function (rad)
acos1arcus cosine function (rad)
atan1arcus tangens function (rad)
sinh 1hyperbolic sine function
cosh1hyperbolic cosine
tanh1hyperbolic tangens function
asinh1hyperbolic arcus sine function
acosh1hyperbolic arcus tangens function
atanh1hyperbolic arcur tangens function
log21logarithm to the base 2
log101logarithm to the base 10
log1logarithm to base e (2.71828...)
ln1logarithm to base e (2.71828...)
exp1e raised to the power of x
sqrt1square root of a value
sign1sign function -1 if x<0; 1 if x>0
rint1round to nearest integer
abs1absolute value
minvariablemin of all arguments
maxvariablemax of all arguments
sumvariablesum of all arguments
avgvariablemean value of all arguments

It should be noted that trigonometric functions (excluding hiperbolic functions) only support arguments in radians. This means that arguments for this function have to be recalculated if angle is defined in degress.

Value recalculation is only triggered on signal change of the preconfigured signal. That means that using other signals (via TagValue() call) does not trigger value update.

Some mathematical expression cannot be mathematically evaluated in some conditions, for example, square root cannot be found for negative numbers. As complex numbers are not supported, result is then equal to Not a Number (NaN). These results are marked with an invalid (IV) flag.

### Binary operations Table. Supported binary operators:
OperatorDescriptionPriority
= assignment -1
» right shift 0
« left shift 0
& bitwise and 0
| bitwise or 0
&& logical and 1
|| logical or 2
<= less or equal 4
>= greater or equal 4
!= not equal 4
== equal 4
>greater than 4
<less than 4
+addition 5
-subtraction 5
\*multiplication 6
/division 6
^ raise x to the power of y 7
Ternary operators can be used. This expression can be compared to the operator supported by C/C++ language (Table 39). Condition is written before a question (?) sign. If condition is true, result after question sign is selected. If condition is false, result after colon (:) is selected. ### Ternary operations Table. Supported ternary operators
OperatorDescriptionRemarks
?: if then else operator C++ style syntax
### Examples User can construct his own equation by using the aforementioned operators and functions. These examples can be seen in Table bellow. Table. Example expressions
Expression Description
value \* 0.0001 Multiply the tag by a constant.
value + TagValue(”tag/dev\_alias/sig\_alias/out”) Add value of tag/dev\_alias/sig\_alias/out to the current tag.
sin(value) Return a predefined sine function value of the tag.
(value>5)? 1: 0 If value is greater than 5, result should be equal to 1, otherwise - equal to 0
Variable called value is generated or updated on every signal change and represent the signals being configured. If another value from tag list is intended to be used, one should use `TagValue()` function to retrieve its last value. The inner argument of `TagValue()` function has to described in a Redis topic structure of WCC Lite. That means that it has to be constructed in a certain way. Quotes should be used to feed the topic name value, otherwise expression evaluation will fail. Every Redis topic name is constructed as tag/\[device\_alias\]/\[signal\_alias\]/\[direction\]. Prefix tag/ is always used before the rest of argument. `device_alias` and `signal_alias` represent columns in Excel configuration. direction can have one of four possible values - rout, out, in, rin; all of which depend on the direction data is sent or acquired device-wise. For example, out keyword marks data sent out of WCC Lite device, whereas in direction represents data that WCC Lite is waiting to receive, for example, commands. Additional r before either direction means that data is raw, it was is presented the way it was read by an individual protocol. ### Extra functions Several functions are defined make tag operations possible: - `TagValue(key)` - returns last known value of tag identified by redis key; - `TagFlag(key)` - returns 1 if tag flag exists. Name format is: ”key flag”. For example to check if tag is notopical, name would be ”tag/19xxxxxxx/x/x nt”; - `TagAttribute(key)` - similar to TagFlag, but returns a numeric value of a tag attribute; - `TagTime(key)` - returns unix timestamp in milliseconds of a last know tag value.# 33.3 Uploading configuration As of WCC Lite version v1.4.0 there are three separate ways to import the configuration: import an Excel file via web interface, generate compressed configuration files and later upload them via web interface; or generate compressed configuration files and upload them via utility application. For WCC Lite versions v1.4.0, name of the file is shown in Protocol Hub->Configuration. Older versions only allow configuration file to be stored to a file called phub.xlsx and later downloaded with a custom-built name reflecting date of a download. Upgrade process from older version to versions v1.4.0 and above when preserving configuration files automatically makes the neccessary changes to enable this new functionality of WCC Lite.

If a user intends to **downgrade** firmware to versions older than version v1.4.0 from newer versions, he/she must first download the configuration files and later reupload the configuration after finishing the upgrade process.

### Importing an Excel file Excel file can be imported without any external tools. This option can be used where there is no internet connection or only minor change has to be applied. This way of importing is not suitable for validation of Excel configuration file.

**Generating configuration is a resource-intensive task.** It might take up to 10 minutes depending on configuration complexity

Supported types of an Excel configuration: .xlsx, .xlsm, .xltm, .xltx

To upload an Excel file, open Protocol Hub->Configuration screen in Web interface, select Configuration file and press Import configuration. ### Generating .zip file To accelerate a task of generating configuration a computer can be used. For this user should download WCC Excel Utility application. Upon opening an application, user should search for a field called Excel file which lets to choose an Excel file for which a conversion should be made. Output file should be filled out automatically, however, this value can be edited. To make a conversion press Convert. If there are no errors found in the configuration, output file should contain the generated configuration, otherwise, error message is shown to a user. This .zip file can be uploaded via Web interface, using the same tools as used for import of an Excel file. ### Uploading configuration remotely As of WCC Lite version v1.4.0 generated configuration files can be uploaded by a click of button in the Excel Utility. There are four parameters (not counting the configuration file itself) that have to be filled in before starting upload:
- *Hostname*: an IP address for device to connect to. This field conforms to hostname rules, therefore, if invalid value is selected, it is reset to default (192.168.1.1); - *Port*: a PORT number to which a SSH connection can be made; valid values fall into a range between 1 and 65535; if invalid value is selected, it is reset to default (22); - *Username*: a username which is used to make a SSH connection; make sure this user has enough rights, preferably root; - *Password*: a password of a user used for establishing a SSH connection;

Configuration can only be uploaded if a port used for SSH connection is open for IP address filled in hostname entry field. Please check WCC Lite firewall settings in case of connection failure.

To upload a configuration remotely, press Upload configuration. If no errors occur, you should finally be met with text output mentioning configuration has been applied. During the course of upload process the aforementioned button is disabled to prevent spanning multiple concurrent processes.# 34 Programmable logic controller A programmable logic controller (PLC) is a digital device adapted for control of processes which require high reliability, ease of programming and real­time responses. Such functionality has long since replaced hard­wired relays, timers and sequencers which would be required to complete various tasks. Programmable logic controllers usually had to conform to IEC 61131­3 standard which defines four programming languages: function block diagram (FBD), ladder diagram (LD), structured text (ST) and sequential function chart (SFC). This standard does not support distributed control systems therefore IEC 61499 standard was published in 2005. The standard is considered an extension of IEC 61131­3 standard. WCC Lite supports PLC functionality while conforming to specifications of IEC 61499 standard. ### IEC 61499 IEC 61499-1 defines the architecture for distributed systems. In IEC 61499 the cyclic execution model of IEC 61131 is replaced by an event driven execution model. The event driven execution model allows for an explicit specification of the execution order of function blocks. If necessary, periodically executed applications can be implemented by using the E\_CYCLE function block for the generation of periodic events. IEC 61499 enables an application-centric design, in which one or more applications, defined by networks of interconnected function blocks, are created for the whole system and subsequently distributed to the available devices. All devices within a system are described within a device model. The topology of the system is reflected by the system model. The distribution of an application is described within the mapping model. Therefore, applications of a system are distributable but maintained together. Like IEC 61131-3 function blocks, IEC 61499 function block types specify both an interface and an implementation. In contrast to IEC 61131-3, an IEC 61499 interface contains event inputs and outputs in addition to data inputs and outputs. Events can be associated with data inputs and outputs by WITH constraints. IEC 61499 defines several function block types, all of which can contain a behavior description in terms of service sequences: Service interface function block – SIFB: The source code is hidden and its functionality is only described by service sequences; • Basic function block - BFB: Its functionality is described in terms of an Execution Control Chart (ECC), which is similar to a state diagram (UML). Every state can have several actions. Each action references one or zero algorithms and one or zero events. Algorithms can be implemented as defined in compliant standards. • Composite function block - CFB: Its functionality is defined by a function block network. • Adapter interfaces: An adapter interface is not a real function block. It combines several events and data connections within one connection and provides an interface concept to separate specification and implementation. • Subapplication: Its functionality is also defined as a function block network. In contrast to CFBs, subapplications can be distributed. To maintain the applications on a device IEC 61499 provides a management model. The device manager maintains the lifecycle of any resource and manages the communication with the software tools (e.g., configuration tool, agent) via management commands. ### 4Diac framework [![image-1601992021990.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601992021990.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601992021990.png) The PLC functionality in the WCC Lite is implemented using Eclipse 4diac framework, consisting of the 4diac IDE and the 4diac FORTE runtime. The system corresponds to IEC 61499, an extension of IEC 61131-3. For more in-depth instructions and function block reference please see the 4diac manual - this document is merely a quick start guide that emphasizes the specifics of tailoring the applications to run on the WCC Lite. The 4diac IDE application is used to model logic sequences. An output file, \*.fboot, is then generated and either loaded into the runtime for debugging purposes (functionality available from within the IDE), or uploaded into the controller for normal use via web interface.

During debugging, the output logic is executed directly in the runtime. Any logic loaded during debugging will be discarded after a reboot of the controller. Logic applications for regular use should be uploaded via the web interface.

It is possible to run multiple tasks at once. These tasks can either be implemented in the same screen or split into separate tasks. Please note, however, that all elements should have unique names, even between different tasks. As of 4diac IDE 1.11.3 this is not enforced between separate apps, however, 4Diac runtime application rejects such file purely because of naming issues.

The 4diac FORTE runtime is able to execute the aforementioned fboot files containing the logic. The FORTE runtime can be run on both the WCC Lite and a PC for debugging purposes. The runtime is integrated to interact with the REDIS database. ### Example project The best way to understand basics of 4Diac and WCC Lite collaboration is through an example project. This user manual intends to show the pieces needed to run PLC applications on WCC Lite. It is not intended to be definitive guide on how to use 4Diac IDE or how to interpret IEC 61499 standard. During (at least) the first start of the IDE user will be asked to select a directory for the workspace as in Figure. Workspace is used to save files needed for projects. [![image-1601992159243.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601992159243.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601992159243.png) [![image-1601992177394.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601992177394.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601992177394.png) After that a user should be met by the welcome window as in Figure 20. If such window is not shown, one can create create project by selecting File->New->Project and filling in the required fields (figure 21). To create a simple application, simply drag and drop objects from the palette to the canvas and wire them accordingly. Event trigger and data pathways cannot be connected to one another. Displayed below is an example of a simple blinker application (figure 22).

Having less wiring by connecting several signals to same subnet as PCB designer (such as Altium Designer) as of 4Diac IDE 1.11.3 is not supported. However, if some parts are used frequently, it is highly advised to have less wiring by simply compiling several elements into a subapplication. For this, you would have to select elements to be grouped, press right key and select New Subapplication. You can later change names of such elements and its pins.

[![image-1601992239152.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601992239152.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601992239152.png) [![image-1601992245178.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601992245178.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601992245178.png) In the System Configuration section, drag and drop a FORTE\_PC device, an Ethernet segment and link them (figure 23). For debugging in the local (PC) runtime, leave the address ”localhost:61499”. For testing on a WCC Lite, enter the IP address of the device, along with the port number (which by default is 61499 as well). [![image-1601992273595.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601992273595.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601992273595.png) In order to deploy the application, the circuit needs to be mapped to the controller. For a non-distributed application (distributed application cases will not be discussed in this chapter), all the FBs of the application need to be selected and mapped to the configured controller as shown in figure 24. [![image-1601992299991.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601992299991.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601992299991.png) To start the application execution, an initial trigger needs to be present. For a non-distributed application, the initial event trigger needs to be wired from the START function block in the resource section as shown in figure 25. [![image-1601992323578.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601992323578.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601992323578.png) [![image-1601992330383.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1601992330383.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1601992330383.png) To deploy the application, go to the System Configuration tab and simply select ”Deploy” from the right-click menu of the controller device (figure 26). If a running application exist in the runtime, you may be asked whether you want to replace it. This will only overwrite the application in the memory and not the storage. If the controller is restarted, the old application will be loaded from the non-volatile memory of the controller. ### Configuring data endpoints To use WCC Lite as a programmable logic controller, it needs to be configured in a particular way. The PLC functionality of the WCC Lite only allows for the use of data that is has been configured in the Excel configuration spreadsheet. This has been done for security purposes and to preserve transmission medium only for data that is available. Only topics defined in the configuration can post or get data. If a certain data entry exists but it has not been linked to a PLC program, all calls from PLC runtime application to Redis database will be ignored. Therefore it is highly advised to prepare and upload the Excel configuration before using this signal in the PLC application. Some parameters are mandatory for PLC usage. These parameters are shown in two tables below (one for Devices, one for Signals tab). Please note that other parameters can be used as well, but are not covered because they aren’t specific to PLC functionality. Table. Mandatory parameters for Devices tab
ParameterTypeDescription
name string User-friendly device name
device\_alias string Device alias to used in configuration
enable booleanEnabling/disabling of a device
protocol string Selection of protocol (IEC 61499)
Table. Mandatory parameters for Signals tab
ParameterTypeDescription
signal\_name string User-friendly signal name
device\_alias string Device alias from a Devices tab
signal\_alias stringUnique signal name to be used
source\_device\_alias string device\_alias of a source device
source\_signal\_alias string signal\_alias of a source signal
If an upload consisting of configuration for IEC 61499 has been succesful, one should be able to access a configuration stored in /etc/iec61499.json file where protocol-specific parameters are shown in a JSON format. If the file is missing, make sure you have a correct firmware version installed and haven’t made any typing errors. Parameters mentioned earlier, namely device\_alias and signal\_alias, are the only parameters one needs to fill to bind Excel configuration to 4Diac framework. Two types of blocks are used for data transmission - PUBLISH blocks to write data to REDIS database and SUBSCRIBE blocks to acquire data from database as soon as it changes its value. Both of them have an ID connection. To connect a block to a datapoint, one should set this pin as raw\[\].redis\[device\_alias,signal\_alias\], e.g. raw\[\].redis\[example\_plc\_device,example\_plc\_signal\_alias\]. An example with SUBSCRIBE and PUBLISH function blocks is shown below in image below. Subscribe and publish examples[![image-1602661793915.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1602661793915.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1602661793915.png)

Outputs of variable type ANY cannot be directly wired to inputs of the same type and therefore need to be explicitly typed using transitional function blocks

No more than 20 tags should be published over a period of 5 seconds, as this may overfill the queue. A ”publish only on change” policy is advised.

Currently only PUBLISH\_1 and SUBSCRIBE\_1 function blocks are supported.

If every step until now has been succesful, a user could now start debugging a PLC application. ### Debugging an IEC 61499 application After a project has been built and binded to an existing Excel configuration, a user would normally want to check if every part is working according to the prior requirements before compiling finished project and uploading it to production. Both 4Diac framework and WCC Lite offer tools for flexible debugging. There is a possibility that 4Diac FORTE might not start as a process. It may happen if multiple faults occured and process has stopped. Process is also programmed to not start if no excel configuration file is found, therefore a user should make sure that Excel configuration is uploaded and ready for use. Individual function blocks can be set to Watch mode: events can be triggered and values can be forced at inputs or outputs (look into images bellow). To monitor the function blocks, the application should be deployed and the IDE should be in Online mode (Debug -> Monitor System -> NewSystem). Selecting watch mode: [![image-1602662191072.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1602662191072.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1602662191072.png) Function blocks in watch mode: [![image-1602662206569.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1602662206569.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1602662206569.png) Seeing information dynamically updated on 4Diac IDE might be very informative, however, some applications might require accesing WCC Lite via command-line interface. For example, in case of information not being updated one would want to assure that 4Diac FORTE in WCC Lite is not filtering data out but sending it to internal database (Redis). To run 4Diac FORTE debug from command-line interface, a user should write forte and press Enter. All possible choices are shown by adding -h flag. More flags are shown in a Table bellow. Make sure to stop any running process that could use the address that 4Diac framework is going to use. Table. 4Diac FORTE command line debugging options: ``` -h - Display help information -c : - Set the listening IP and port for the incoming connections -r - Show redis messages -d - Set debugging level -f - Set the boot-file where to read from to load the applications ``` ### Generating and uploading FORTE logic file After the PLC design is finished and debugged, such design can be compiled into FBOOT file and uploaded to one or multiple devices to be used in production. As application being debuggged is not automatically considered as a default application, one should be uploaded explicitly via web interface. To generate FORTE boot-files a user should select Run->Create FORTE boot-file.... After that one should select devices which should have their boot files created as well as additional devices’ properties and directory where these files should be stored as in picture bellow. Generating FBOOT file:[![image-1602662453356.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1602662453356.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1602662453356.png) Upload button for FORTE file in web interface can be found in Protocol Hub tab, Configuration screen (FORTE boot file upload supported for versions v1.4.0 and above). You should see a view as in picture below. WCC Lite Web interface. Upload and download of 4Diac configuration files: [![image-1602662559336.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1602662559336.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1602662559336.png) After the file has been imported one should be able to download it from the same screen as seen in the picture before.

Please note that only files with \*.fboot extension are allowed.

Uploading a file saves it's name and shows it in the web interface. It is advised to carefully choose a filename to separate different versions of PLC application files.

### Distributed control application IEC 64199 standard introduced requirements for a distributed control. This means that multiple devices can change information between them and make their own decisions based on the data they receive from other sources. This enables distributed applications between multiple WCC Lite devices and all other devices that support IEC 61499. Communication between devices can be configured using: - Publish/Subscribe function blocks (via UDP packets); - Client/Server function blocks (via TCP packets). A Publish block can publish data messages using UDP multi-cast addresses meaning that multiple devices would be able to simultaneously get the same data. However, one would have to make sure that all of the devices support multi-cast option. This user manual will only cover setting up point-to-point communication between devices via Publish/Subscribe blocks. For more information on communication between several IEC 61499 devices please check documentation for Eclipse 4diac framework. Let’s say we would like to count how many times the light has been turned on. For this we can add counting functionality to application shown in picture below. The application should run on 2 devices. The blinking part of the application will run on a 4diac FORTE and the count on another 4diac FORTE, see the architecture below. The two different programs running on two separate WCC Lite devices emulate two PLCs. Two different devices can be identified by different colors of function blocks. One can identify device and it properties by accessing System Configuration screen as seen below. Yellow function blocks belong to WCC\_212 device which can be accessed through 192.168.4.212 (port number 61499) whereas brown function blocks belong to WCC\_218 device which can accessed through 192.168.4.212 (port number 61499). Example blinking application as a distributed system:[![image-1602662769321.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1602662769321.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1602662769321.png) Example system configuration for a distributed system:[![image-1602662862391.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1602662862391.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1602662862391.png) Example app for blinking part of a distributed system:[![image-1602662875556.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1602662875556.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1602662875556.png) Example app for counting part of a distributed system:[![image-1602662888137.png](https://wiki.elseta.com/uploads/images/gallery/2020-10/scaled-1680-/image-1602662888137.png)](https://wiki.elseta.com/uploads/images/gallery/2020-10/image-1602662888137.png) To count the blinking, two new Function Blocks (FBs) have been added to the existing application for a different device (WCC\_218): - E\_PERMIT - E\_CTU To communicate between devices, an additional PUBLISH\_X/SUBSCRIBE\_X pair must be used. As one can identify, these blocks are not seen when looking at a whole distributed system and should be seen as an intermediary between devices. The PUBLISH\_X FB is used to send messages over the network which are received by an according SUBSCRIBE\_X FB. Every time a REQ is triggered, a message is sent according to the ID input. With the value of the ID input you can specify what specific network protocol you would like to use (e.g., MQTT). If you don’t specify a dedicated protocol the default as defined in the ”IEC 61499 Compliance Profile for Feasibility Demonstrations” is used. The number X in PUBLISH\_X is the number of data elements that you want to send in the message. Since we are only sending one value we used PUBLISH\_1. The used ID value specifies an IP:PORT pair.# 35 MQTT ### Introduction MQTT (short for MQ Telemetry Transport) is an open OASIS and ISO standard (ISO/IEC PRF 20922) lightweight, publish-subscribe network protocol that transports messages between devices. The protocol usually runs over TCP/IP, although its variant, MQTT-SN, is used over other transports such as UDP or Bluetooth. It is designed for connections with remote locations where a small code footprint is required or the network bandwidth is limited. The broker acts as a post office, MQTT doesn’t use the address of the intended recipient but uses the subject line called “Topic”, and anyone who wants a copy of that message will subscribe to that topic. Multiple clients can receive the message from a single broker (one to many capability). Similarly, multiple publishers can publish topics to a single subscriber (many to one). Each client can both produce and receive data by both publishing and subscribing, i.e. the devices can publish sensor data and still be able to receive the configuration information or control commands. This helps in both sharing data, managing and controlling devices. With MQTT broker architecture the devices and application becomes decoupled and more secure. MQTT might use Transport Layer Security (TLS) encryption with user name, password protected connections, and optional certifications that requires clients to provide a certificate file that matches with the server’s. The clients are unaware of each others IP address. The broker can store the data in the form of retained messages so that new subscribers to the topic can get the last value straight away. The main advantages of MQTT broker are: - Eliminates vulnerable and insecure client connections - Can easily scale from a single device to thousands - Manages and tracks all client connection states, including security credentials and certificates - Reduced network strain without compromising the security (cellular or satellite network) Each connection to the broker can specify a quality of service measure. These are classified in increasing order of overhead:
- At most once - the message is sent only once and the client and broker take no additional steps to acknowledge delivery (fire and forget). - At least once - the message is re-tried by the sender multiple times until acknowledgement is received (acknowledged delivery). - Exactly once - the sender and receiver engage in a two-level handshake to ensure only one copy of the message is received (assured delivery).
### Using WCC Lite as MQTT Client MQTT serves as an alternative for protocols conforming to IEC standards, for example, to send data to a cloud infrastructure that supports MQTT instead of IEC-60870-5-104.

WCC Lite supports MQTT messaging compatible with MQTT v3.1 standard (starting from version **v1.4.0**). Such messaging is possible via mapping of Redis and MQTT data therefore data can be transmitted from any protocol that is supported by WCC Lite.

All standard functions, except for data encryption, are supported. Encrypted messages are not supported yet, therefore to ensure security a user would have to use a VPN service. A user can choose from three different Quality of Service levels, select if messages are to be retained, authenticate users and optionally send Last Will messages. To configure WCC Lite a user can fill in the needed parameters in Excel configuration. These parameters are shown in two tables below. Table. MQTT parameters for Devices tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestring User-friendly device name Yes
device\_aliasstring Device alias to used in configuration Yes
enablebooleanEnabling/disabling of a device No001
protocolstring Selection of protocol Yes MQTT
hoststring MQTT broker IP address selection Yes
portintegerMQTT broker port selection No1883
enable\_thresholdbooleanA parameter to determine if identical values should not be sent multiple times in a row. No101
gi\_interval\_secintegerParameter to determine how frequently should all values be sent at once. Disabled if equal to 0. No0
mqtt\_qosintegerMQTT Quality of Service for message as in standard No002
mqtt\_retainbooleanSelecting if MQTT broker should retain last received messages No001
userstring MQTT user name Yes
passwordstring MQTT user passwordYes
use\_last\_willbooleanSelecting if MQTT should use Last Will and Testament functionality (Default: False) No001
last\_will\_topicstring Topic to which an MQTT message would be sent if the device abruptly disconnected message broker Yes (If use\_last\_will=True)
last\_will\_messagestring Message to be sent over MQTT if the device abruptly disconnected message broker No
last\_will\_qos integerMQTT Quality of Service selection as in standard No0
last\_will\_retain booleanSelecting if MQTT broker should retain last will message No001
To map the signal to send through MQTT client, it should have its device\_alias and signal\_alias mapped to source\_device\_alias and source\_signal\_alias respectively. If MQTT is configured but does not send data, a user can use command line interface to debug transmission. All options for MQTT process which transmits data over MQTT (called mqtt-client as it Table. MQTT parameters for Signals tab
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
signal\_namestringUser-friendly signal name Yes
device\_aliasstringDevice alias from a Devices tab Yes
signal\_aliasstringUnique signal name to be used Yes
source\_device\_aliasstringdevice\_alias of a source device No
source\_signal\_aliasstringsignal\_alias of a source signal No
enablebooleanEnabling/disabling of an individual signal No101
log integerAllow signal to be logged. Log signal with 1 and no logging with 0. No0
topicstringTopic name to override the value built by default No
### MQTT data format The format of a MQTT message is a bit different than Redis messages. Redis messages are supported as CSV strings: value,timeStamp,flags (where value can be float, integer or nan; timeStamp - Unix timestamp in milliseconds; flags contain additional information about a measurement). MQTT messages are supported as value,timestamp,quality (where value can be float, integer or nan; timeStamp - Unix timestamp in milliseconds; quality shows if a value is to be considered as valid). Quality parts of a string is always equal to 1 except for Redis messages containing invalid (IV), non-topic (NT) and/or overflow (OV) flags. As mentioned, MQTT client acts as an adapter between Redis and MQTT, therefore data from topic in Redis is written to a topic in MQTT. Therefore mqtt-client has to know the mapping table before starting. This table is saved at /etc/elseta-mqtt.json. Every Redis topic name is constructed as tag/\[device\_alias\]/\[signal\_alias\]/\[direction\]. Prefix tag/ is always used before the rest of argument. `device_alias` and `signal_alias` represent columns in Excel configuration. Direction can have one of four possible values - rout, out, in, rin; all of which depend on the direction data is sent or acquired protocol-wise. The same Redis topic structure is preserved in MQTT by default making it easier to find matching signals, however, as no recalculation is done by MQTT and only PUBLISH messages are now supported, only Redis signals with in direction have their MQTT mappings. A user can create and select his own topic name in Excel configuration, in topic column. As no recalculation is done by MQTT and only PUBLISH messages are now supported, only Redis signals with in direction have their MQTT mappings. ### Debugging a MQTT protocol If configuration for MQTT is set up, handler for protocol will start automatically. If configuration is missing or contains errors, protocol will not start. It is done intentionally to decrease unnecessary memory usage. MQTT Client command line debugging options `mqtt-client`
``` -h [ –help ] Display help information -c [ –config ] Configuration file location (default - /etc/elseta-mqtt.conf) -V [ –version ] Show version -d [ –debug ] Set debugging level -r [ –redis ] Show REDIS output -m [ –mqtt ] Show MQTT output ```

If MQTT Client does not work properly (e.g. no communication between devices, data is corrupted, etc.), a user can launch a debug session from command line interface and find out why link is not functioning properly.

To launch a debugging session, a user should stop `mqtt-client` process and run `mqtt-client` command with respective flags as was shown above.

# 36 Data Export ## General Various protocols are made to transmit data points as they are generated. This is enough for a lot of systems (e.g. SCADAs) that have their own databases and devices only have to buffer fairly recent messages in case of connection or transmission errors. However, there is frequently a need to save and keep the data in files, grouped in batches, and later transmit these batches to a remote server via HTTP(S) or FTP(S). For this purpose a dedicated protocol has been created and called **Data export.**

Data export functionality is available since firmware version v1.5.0, of WCC Lite.

## Overview Data export service gathers information from other protocols, puts it into files (optionally compressing them) after a timeout or when data buffers fill up; eventually periodically sending them to a server. HTTP(S) and FTP(S) servers with optional authentication are supported. A user can optionally choose between ISO8601 and UNIX timestamp time formats (the latter being the default value). More than one instance can set up, for instance, some of the information can be sent to an FTP server, while other could be transmitted to the HTTP server which is able to handle POST requests. ## Using WCC Lite for data export To configure WCC Lite to use data export server a user can fill in the needed parameters in Excel configuration. These parameters are shown in two tables below. Default values are shown in a bold font. *Data export (data-export) parameters for Devices tab table:*
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
namestringUser-friendly device name Yes
device\_aliasstringDevice alias to be used in configuration Yes
enablebooleanEnabling/disabling of a device No101
protocolstringSelection of protocol Yes Data Export
timeoutintegerTime frame during which transmission to remote server has to be completed (**in seconds**) No5
typestringSelection of file format Nocsv-simplecsv-simple, csv-periodic, json-simple, json-samples
hoststringA URL of remote server where files should be sent Yes
upload\_rate\_sec integerFrequency of generated file uploads (**in seconds)** No60
records\_buffer\_size integerA maximum amount of data change entries to hold before initiating logging mechanism No100
logging\_period\_sec integerDescribes how frequently data buffer of records\_buffer\_size is saved to file No 1
log\_folder stringA folder in WCC Lite file system to save generated file (**”/var/cache/data-export”**) No
timestamp stringSelection of time format No unixtimestamp, iso8601
compress stringSelection of file compression mechanism Nononenone, gz, tar.gz
compress\_password stringEnable feature of file password protection No yes, true
csv\_field\_separator stringColumns separator in .csv file format No"," - (comma)"," - (comma) ";" - (dot) "." - (semicolon) " " - whitespace) "|" - (pipe)
csv\_decimal\_separator stringDecimal separator in values No"." - (dot)"." - (dot) "," - (comma)

Same symbols cannot be selected for both csv\_field\_separator and csv\_decimal\_separator. In such case both of them will be set to default values ­ ”.” and ”,” respectively.

It is possible that data generation rate is going to be bigger than what data buffer can hold (controlled by *records\_buffer\_size* and *logging\_period\_sec*). To make sure that no data loss occurs there’s an additional data logging call made in case data buffer reaches a *records\_buffer\_size* value. Signals to be sent are configured differently than signals for most other protocols. As data export service only transmits signals and does no data processing, usual signal logic is not used for them. That means that: • Signals for data export service are not seen in the *Imported Signals* tab; • Signals for data export service are configured in different Excel sheet called DataExport Parameters to be filled in the DataExport sheet are shown in a table below. *Data export (data-export) parameters for DataExport tab*
**Parameter** **Type** **Description** **Required **Default value** (when not specified) **Range**
Min Max
device\_alias stringDevice alias to be used in configuration Yes Yes
device\_name stringUser friendly device name as in Device sheet Yes
tag\_namestringUser friendly signal name Yes
source\_device\_aliasstringdevice\_alias of a source device Yes
source\_signal\_aliasstringsource\_alias of a source signa Yes
enablebooleanEnabling/disabling of a measurement to be transmitted and logged No101
attributestringAdditional attribute to be attached to a signal No
## Debugging data export service If configuration for Data export service is set up, handler for protocol will start automatically. If configuration is missing or contains errors, protocol will not start. It is done intentionally to decrease unnecessary memory usage. Data export (data-export) command-line debugging options

The below-described parameters for debugging are accessible over console (SSH).

`-h [--help] Display help information` `-c [--config] Configuration file location` `-V [ –version ] Show version` `-d [ –debug ] Set debugging level` `-R [ –readyfile] Ready notification file` `-p [ –http ] Show HTTP messages` `-r [ –redis ] Show Redis output` If Data export service does not work properly (e.g. data is corrupted, etc.), a user can launch a debug session from command line interface and find out why it is not functioning properly. To launch a debugging session, a user should stop data-export processes and run data-export command with respective flags as in table above. ## Host URL format rules Parameter host is highly configurable and might contain a considerable amount of information: • *Protocol* - FTP or HTTP (encrypted and encrypted); • *URL address* - both resolved and non-resolved; • *Authentication* - pair of user and/or password; • *Port* - useful when non-standard value is used; • *Endpoint* - a place in server to which a call is made The format for host parameter can be summarized as: `[ h t t p ( s ) / f t p ( s ) ] : / / [ [ u s e r ] : [ p a s s w o r d ]@] [ URL ] [ : p o r t ] / [ e n d p o i n t ]` Options are printed in square brackets. A protocol has to be selected, otherwise HTTP will be used as a default. User and password pair is optional, but if user:password pair is used, it should proceeded with @ sign. HTTP and FTP use default or user assigned ports. By default HTTP uses port 80, while HTTPS uses port 443, FTP sends data over port 21, FTPS - over port 990. Make sure that these ports are open in firewall on both server and client side, otherwise data will not be sent succesfully. Finally, POST request (for HTTP) or upload (for FTP) can be made to a specific place (endpoint). This endpoint should be described after a URL and port (if used). ## Format of exported data For a server to interpret data, a set of rules for a file format have to be established. ***Csv-simple*** format applies to all files by default and is used as in this example: ``` ###DUID:3182121xx #device name; tag name; value; quality; timestamp; atribute inv1;Ia;236.9,1;1599137189963;Pa ``` Example of additional format *csv-periodic:* ``` ###DUID:318212xxx ##DEVICE:inv1 #Time;Upv1;Upv2;Upv3;Upv4;Upv5;Upv6;Ipv1;Ipv2;Ipv3;Ipv4;Ipv5;Ipv6;Status;Error;Temp;cos;fac;Pac;Qac;Eac;E-Day;E-Total;Cycle Time 2020-09-02T15:45:00Z;462.3;462.3;370.2;370.2;371.2;371.2;1.40;1.43;1.35;1.47;1.21;1.26;512;0;26.3;1.000;50.00;3.217;-0.029;0.28;17.41;54284.53;5; 2020-09-02T15:40:00Z;462.3;462.3;370.2;370.2;371.2;371.2;1.40;1.43;1.35;1.47;1.21;1.26;;512;0;26.3;1.000;50.00;3.217;-0.029;0.28;17.41;54284.53;5; ##DEVICE:meter #Time;Uab;Ubc;Uca;P;Q;S;F;eTOT;Cycle Time 2020-09-02T15:45:00Z;421.3;421.3;421.3;15000;100;15600;50;246894;5; 2020-09-02T15:40:00Z;421.3;421.3;421.3;15000;100;15600;50;246895;5; ``` Example of additional format json-simple*:* ``` { "metadata": { "duid": "318xxxxx", "name": "hostname", "loggingPeriod": "15min", "format": "json" }, "data": [ { "tag_name": "Ia", "device_name": "inv1", "attribute": "Pa", "last": { "value": 12.2, "timestamp": 1213123 }, "min": { "value": 12, "timestamp": 1213123 }, "max": { "value": 12, "timestamp": 1213123 }, "avg": { "value": 12, "timestamp": 1213123 } }, { "tagName": "Ib", "deviceName": "inv1", "attribute": "Pb", "last": { "value": -12.3, "timestamp": 1213123 }, "min": { "value": 12, "timestamp": 1213123 }, "max": { "value": 12, "timestamp": 1213123 }, "avg": { "value": 12, "timestamp": 1213123 } }, ] } ``` Example of additional format json-sample*:* ``` { "metadata": { "duid": "318xxxxx", "name": "hostname", "loggingPeriod": "15min", "format": "json-samples" }, "data": [ { "tag_name": "Ia", "device_name": "inv1", "attribute": "Pa", "timestamp":{ "first": 123123, "last": 123236 }, "first": { "value": 12.2, "timestamp": 1213123 }, "last": { "value": 12.2, "timestamp": 1213123 }, "min": { "value": -12, "timestamp": 1213123 }, "max": { "value": 12, "timestamp": 1213123 }, "avg": { "value": 12, "timestamp": 1213123 }, "samplesCount": 2, "samples": [ {"value": 12, "timestamp": 1213123, "quality": true}, {"value": -12.3, "timestamp": 1213123, "quality": true} ] } ] } ```# 37 Certificates Devices that send unencrypted data are susceptible to attacks which might cause deliberate damage to the user system. Therefore it is highly advised to use cryptography to secure the sensitive data. WCC Lite offers means to easily store certificates for their later usage. Some protocols, namely IEC­60870-­5-­104 Slave, DNP v3.0 Slave and Master might be configured to send data over TCP/IP. For these protocols, secured connection over TCP/IP using TLS certificates can be made. For this purpose, certificate storage has been created and is available since firmware version 1.3.0. To make storage secure, multiple steps have been taken: - By default certificate storage is only accessible for root user and users with group level 15 permissions; - By default certificates are not added to backup to avoid private key leakages; private keys should never be revealed to public; - By default certificates are deleted after system upgrade; - Only basic information is shown on a web interface; certificates can be uploaded, deleted but not downloaded Certificates can be split into three parts ­ local (private) certificate, certificate from peer (usually called Certificate Authority (CA)) and private key. It has to be noted that all of these certificates sometimes can be found in one file, therefore ideally a user should have at least minimal understanding about formats in which certificates are stored. Certificates should conform to the X509 standard. The difference between local certificate and certificate authority certificates is that only certificate authority generates certificates for others. Therefore Issuer and Subject fields are always the same for certificate authority certificate whereas they differ for local certificates. Both of these certificates are usually stored in a device to validate if incoming connections have valid certificates and are to be trusted. Both of the certificates have the public key which together with public key enable having encrypted connections. The private key is a text file used initially to generate a Certificate Signing Request (CSR), and later to secure and verify connections using the certificate created per that request. It usually contains a unique hash made in a way that chances of guessing it by using brute force are technically infeasible. The private key should be closely guarded, since anyone with access to it use it in nefarious ways. If you lose your private key, or believe it was compromised in any way, it is recommended to re­key your certificate – reissue it with a new private key. To make certificate upload more intuitive, certain restrictions are imposed. Only files with certain extensions (\*.crt, \*.pem, \*.der, \*.key) can be uploaded. Trying to upload other files will result in an error message. Certificate storage should be considered a folder with certain access restrictions, therefore file names should be unique for every file It should be noted that this chapter only reviews main certificates and suggest means to use them for Protocol Hub services. Certificates can also be used for other causes, e.g. to secure VPN connections. For the sake of simplicity, uploading certificates and their usage are explained in their respective chapters where applicable. Interface for certificate storage [![image-1638366685126.png](https://wiki.elseta.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638366685126.png)](https://wiki.elseta.com/uploads/images/gallery/2021-12/image-1638366685126.png) To get more details about how one could use TLS for Protocol Hub protocols please check section Excel configuration format. To find out more about why certificates help keep device secure please check section Cyber security or check X.509 and RFC 5755 standard.# 38 Cyber security WCC Lite is based on OpenWRT operating system. OpenWrt is described as a Linux distribution for embedded devices. WCC Lite has same functionality as Linux OS including user management. Basic configuration on WCC Lite can be done using web based frontend. More advanced configuration is available over terminal interface. For secure web access, WCC Lite can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. You can use openssl utility to generate your own certificate authority and certificates to be used on web interface. Certificates can also be named or placed in whatever directory you wish by editing /etc/lighttpd/lighttpd.conf. Terminal is accessible over Telnet or SSH. For security reasons we strongly recommend to use SSH. SSH, also known as Secure Socket Shell, is a network protocol that provides administrators with a secure way to access a remote computer. SSH also refers to the suite of utilities that implement the protocol. Secure shell provides strong authentication and secure encrypted data communications between two computers connecting over an insecure network such as the Internet. SSH is widely used by network administrators for managing systems and applications remotely, allowing them to log in to another computer over a network, execute commands and move files from one computer to another. ### User rights Depending on the user name, different rights are defined: admin is generally entitled to make changes while user does not have any editing permissions, the relevant buttons are disabled. User can be assigned to one of fifteen user groups that can access different amounts of device parameters. Highest (fifteenth) permision level grants the same permission as root user has. User group rights can be edited to give more rights or restrictions, except for highest (15th) level. #### User management and rights authentication WCC Lite provides different authentication mechanisms: - Authentication via locally stored credentials. In this scenario all users, passwords and permissions are encrypted and stored in internal WCC Lite storage. - Authentication via external RADIUS Server. In this scenario all users, passwords and permissions (profiles) are defined in remote RADIUS Server. Login into WCC Lite is available only if RADIUS Server will grant authentication and will provide user profile with user rights on that device (more detailed description below). This also means that a password for such user cannot be changed remotely. - Authentication via external RADIUS Server with fallback option. In this scenario users will be authenticated via RADIUS server. If server fails to respond (configured timeout is passed) WCC will use locally stored credentials. Fallback options are selected with PAM configuration. By default only authentication via locally stored credentials is allowed. For authentication via external RADIUS server a user should at first enable RADIUS process and configure at least one server. #### Locally stored credentials management Device has predefined default users like *root* and *user.* *Screen containing all users* [![image-1638367451931.png](https://wiki.elseta.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638367451931.png)](https://wiki.elseta.com/uploads/images/gallery/2021-12/image-1638367451931.png) Screen for new user configuration [![image-1638367486607.png](https://wiki.elseta.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638367486607.png)](https://wiki.elseta.com/uploads/images/gallery/2021-12/image-1638367486607.png) **root** user has full permission set to connect to WCC Lite over web interface and SSH or Telnet. This user is default user on WCC Lite and cannot be deleted. However, it is highly advised to change the default password to a different one less susceptible for attacks. **user** is limited user on system and can’t get root rights. A default password for access via command­line interface and web interface is wcclite. It is advised to change this password to increase a level of security. System allows customer to set up even more users with well known commands like *adduser, passwd* and *userdel.* More users can also be added or edited via web interface as shown in the figures above. User should enter user name, user groups for which the user should belong (the group must be preconfigured first), SSH access permision as well as password. When editing user settings, only *User Group* and *SSH Access* permission can be changed. To change user password, *Change Password* button should be pressed as seen in figure above to lead user to a screen seen in the figure below. Changing user password [![image-1638367819194.png](https://wiki.elseta.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638367819194.png)](https://wiki.elseta.com/uploads/images/gallery/2021-12/image-1638367819194.png) A user needs to be assigned to **root** group for admin rights and have root access

It should be noted that assigning user to a root group only gives complete authority over web interface. Permissions for a command­line interface should be given by a root user via command­line interface.

Following commands may be used in comamnd line interface for user control: **adduser** -­ create a new user or update default new user information When invoked without the **­-D** option, the *adduser* command creates a new user account using the values specified on the command line plus the default values from the system. Depending on command line options, the useradd command will update system files and may also create the new user’s home directory and copy initial files. **passwd** -­ change user password The *passwd* command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. *passwd* also changes the account or associated password validity period. **deluser** -­ delete a user account and related files The *deluser* command modifies the system account files, deleting all entries that refer to the user name LOGIN. The named user must exist.

If a user intends to use newly created user account via both command­line interface and web interface he should create and delete users via web interface and not using adduser and deluser commands as they don’t create uci entries.

For more information about controlling users via command line interface one should refer to Linux documentation #### Authentication via external service WCC Lite support external authentification via RADIUS service. Remote Authentication Dial­In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport. Network access servers, the gateways that control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back­end of choice for 802.1X authentication as well. The RADIUS server is usually a background process running on a UNIX or Microsoft Windows server. In WCC Lite RADIUS Client is implemented since WCC Lite software version v1.2.4. The user sends a request to a WCC Lite to gain access to get access using access credentials posted in an HTTP/HTTPS WCCLite web login form This request includes access credentials, typically in the form of username and password. Additionally, the request may contain other information which the Device knows about the user, such as its network address or information regarding the user’s physical point of attachment to the device. The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. The user’s proof of identification is verified, along with, optionally, other information related to the request, such as the user’s network address, account status, and specific network service access privileges. Historically, RADIUS servers checked the user’s information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources—commonly SQL, Kerberos, LDAP, or Active Directory servers—to verify the user’s credentials. The RADIUS server then returns one of two responses to the WCC Lite: 1. **Access-Reject** -­ The user is unconditionally denied access to all requested resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account. 2. **Access-Accept** ­- The user is granted access. Once the user is authenticated, the RADIUS server will periodically check if the user is authorized to use the service requested. A given user may be allowed to get admin rights or user rights depending on permissions set on RADIUS Server. Again, this information may be stored locally on the RADIUS server, or may be looked up in an external source such as LDAP or Active Directory. To use this mechanism a RADIUS server must be configured. The parameter Radius Authentication must be Enabled on WCC Lite. As of firmware version 1.2.13, the RADIUS service is disabled by default. The service can be enabled at System­->Startup. If the RADIUS authentication is enabled, WCC Lite uses the RADIUS server IP address and the RADIUS shared secret key for communication with External RADIUS Server. After entering the login credentials and login attempt, WCC Lite sends these credentials to the RADIUS server for authentication. If the RADIUS server is available, it compares the login credentials: - If the comparison is successful, the RADIUS server returns the specific user role and Access-Accept; - If the login credentials are invalid, Radius Server returns Access­-Reject and the logon fails. - If the RADIUS server is not available and fallback option is disabled login into WCC Lite will be imposible. If RADIUS server is not available and timeout occurs, login will be attempted via local login credentials. *Enabled:* Enables or disables this server. *Hostname/IP:* Hostname or IP address of RADIUS server. *Timeout:* Timeout in seconds to wait for server response. *Shared* secret: Key shared between RADIUS server and RADIUS client. *Add:* Adds auxiliary (backup) server. #### Audit Log WCC Lite OS with version >1.2.0 has integrated Audit logging for important events such as: - Login/logout. - Wrong password attempts to login into system. - Device boot event, when system was started. - Device reboot/halt event. - Configuration changes. - Firmware changes. - Date and time changes in system (excluding automatic system time updates over NTP or IEC 60870­5­10x protocol)

Enabling external system log server setup in System properties ­> Logging is recomended. System stores logs in RAM memory by default due to limited flash storage. Rebooting or powering off the device will result in loss of log history.

#### Secure your device’s access There are some possibilities to grant access to the device (or to any PC/Server): 1. ask for nothing: anybody who can establish a connection gets access 2. ask for username and password on an unsecured connection (e.g. telnet) 3. ask for username and password on an encrypted connection (e.g. SSH) (e.g. by following firstlogin) 4. ask for username and merely a signature instead of a password (e.g. SSH with signature.authentication) If you ask for username/password, an attacker has to guess the combination. If you use an unencrypted connection, he could eavesdrop on you and obtain them. If you use an encrypted connection, any eavesdropper would have to decrypt the packets first. This is always possible. How long it takes to decrypt the content, depends on the algorithm and key length you used. Also, as long as an attacker has network access to the console, he can always run a brute­force attack to find out username and password. He does not have to do that himself: he can let his computer(s) do the guessing. To render this option improbable or even impossible you can: - not offer access from the Internet at all, or restrict it to certain IP addresses or IP address ranges - by letting the SSH server dropbear and the web­Server lighttpd not listen on theexternal/WAN port - by blocking incoming connections to those ports (TCP 22, 80 and 443 by default) in yourfirewall - make it more difficult to guess: - don’t use the username root - don’t use a weak password with 8 or less characters - don’t let the SSH server dropbear listen on the default port (22) - use the combination of: - username different than root - tell dropbear to listen on a random port (should be >1024): **System > Administration >Dropbear Instance > Port** - public key authentication. Your public keys can be specified in **Administation > System > SSH­keys**. An older guide to DropBear SSH public key authentication has detailed information on generating SSH keypairs which include the public key(s) you should upload to your configuration. ### Groups rights 1. If user is logged on via external server, its authentification level is acquired. As no direct mapping to existing users is used, authentification levels are a way to grant proper permissions for external users. WCC Lite uses a CISCO­like authentification system, meaning that there are fifteen different permission set level settings, of which the first 14 can be configured to enable or disable View and Edit permissions #### SSH Access SSH Access of WCC Lite is made by Dropbear software package. To extend the basic functionality, Pluggable Authentification Module (PAM) for RADIUS is used. This enables user to add his own authentification modules as long as they are properly configured. Fifteen levels of authorization are mapped for SSH access, meaning that user should be able to access SSH with credentials used to log into web interface. However, one should note that permissions in command line interface are not configurable via web interface. This means that first fourteen levels are restricted to basic permissions made my creating group by default. Highest level user has all the permissions root user has. If a user intends to change permissions for user groups, it should be done via command line interfaces. It is only advised for advanced users. #### Web interface permissions Fifteen levels of authorization permission are mapped for web interface access, meaning that user should be able to access web interface with credentials used to log into command line interface. User assigned to a highest authorization level group is able to access every possible screen therefore this groups cannot be edited. Figure below shows a screen containing already existing groups in a device. Pressing *Add New Group...* guides user to an *Edit group* screen, with *Edit* and *Delete* buttons respectively user can Edit and Delete configuration of a given user group. Screen showing existing user groups [![image-1638369614131.png](https://wiki.elseta.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638369614131.png)](https://wiki.elseta.com/uploads/images/gallery/2021-12/image-1638369614131.png) Screen for user group editing [![image-1638369707688.png](https://wiki.elseta.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638369707688.png)](https://wiki.elseta.com/uploads/images/gallery/2021-12/image-1638369707688.png) Edit group screen for an individual group can be seen in Figure above. Group name doesn’t have any specific purpose for RADIUS, but it enables naming groups with words most meaningful for a given context. Access level values can only be integers between 1 and 14, other values will result in an error messages; only unconfigured levels are shown in a dropdown list when configuring. Other fields are dedicated for an individual menu configuration. To add more first level menus user should select from a dropdown list at the bottom named *–Additional Field–* and press Add. Permissions for web interface are split into to parts: *View* and *Edit.* *View* permissions can be assigned to second level menus meaning that only allowed subtabs are shown for a user. Selecting *View* checkbox show more parameters containing all the subtabs (submenus). If a user can access a given screen, it means all of the actions in that screen are available to be executed. Therefore, if a user with a lot of restrictions shouldn’t, for example, import Excel configuration to WCC Lite, a tab containing this action (*Protocol Hub­>Configuration*) should be disabled in his groups' configuration. *Edit* permissions can be assigned to first level menus meaning that if this permission is given, every configuration in the first level menu can be saved and applied succesfully ### Conformance to IEC 62351 standard IEC 62351 is a standard developed by WG15 of IEC TC57. This is developed for handling the security of TC 57 series of protocols including IEC 60870­5 series, IEC 60870­6 series, IEC 61850 series, IEC 61970 series and IEC 61968 series. The different security objectives include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection. Conformance to IEC 62351 standard of WCC Lite devices is described in a table below. Conformance to IEC 62351 standard
**Standard****Description** **Topic** **Implemented** **Version**
IEC 62351­-3 Security for any profiles including TCP/IPTLS EncryptionYes>=1.3
Node Authentication by means of X.509 certificatesYes>=1.3
Message AuthenticationYes>=1.3
IEC 62351­-4Security for any profiles including MMSAuthentication for MMSYes>=1.5
TLS (RFC 2246)is inserted between RFC 1006 & RFC 793 to provide transport layer securityYes>=1.5
IEC 62351­-5Security for any profiles including IEC 60870­5TLS for TCP/IP profiles and encryption for serial profilesNo
IEC 62351­-6Security for IEC 61850 profiles VLAN use is made as mandatory for GOOSENo
RFC 2030 to be used for SNTPNo
IEC 62351­-7Security through network and system managementDefines Management Information Base (MIBs) that are specific for the power industry, to handle network and system management through SNMP based methodsNo
IEC 62351­-8Role­-based access controlCovers the access control of users and automated agents to data objects in power systems by means of role­based access control (RBAC)Yes>=1.2.6
IEC 62351­-9Key Management Describes the correct and safe usage of safety-­critical parameters, e.g. passwords, encryption keys.No
Covers the whole life cycle of cryptographic information (enrolment, creation, distribution, installation, usage, storage and removal)No
Methods for algorithms using asymmetric cryptographyNo
A secure distribution mechanism based on GDOI and the IKEv2 protocol is presented for the usage of symmetric keys, e.g. session keysNo
IEC 62351­-10Security Architecture Explanation of security architectures for the entire IT infrastructureNo
Identifying critical points of the communication architecture, e.g. substation control center, substation automationNo
Appropriate mechanisms security requirements, e.g. data encryption, user authenticationNo
Applicability of well­proven standards from the IT domain, e.g. VPN tunnel, secure FTP, HTTPSNo
IEC 62351­-11Security for XML FilesEmbedding of the original XML content into an XML containerNo
Date of issue and access control for XML dataNo
X.509 signature for authenticity of XML dataNo
Optional data encryptionNo