How to secure STM32CubeMonitor

Revision as of 14:18, 27 October 2022 by Registered User

1. Different ways to secure STM32CubeMonitor

There are several ways to secure your STM32CubeMonitor tool, and each of them is easy to set up:

  • Prevent or allow machines other than the host from reaching your STM32CubeMonitor tool
  • Secure your flow: create accounts with different permissions to modify the flow
  • Secure your dashboard: create an account to regulate access to the flow

2. How to prevent/allow other machines from connecting to my tool?

This configuration prevents or allows someone who knows your IP address to connect to your STM32CubeMonitor environment. From STM32CubeMonitor 1.5.0, the default is to prevent external access. External access should be opened only on a secured network.

Go to the ~/STMicroelectronics/stm32cubemonitor folder. Open the settings.js file and comment or uncomment the uiHost line:

uiHost: "127.0.0.1",

If this line is uncommented, nobody can access your STM32CubeMonitor tool except from the host machine. If the line is commented out, anybody can access your STM32CubeMonitor tool.

3. How to secure my flow?

You can add a login and a password to your STM32CubeMonitor tool. This authentication prevents users who are not logged in from modifying and deploying your flow. Nevertheless, they will still be able to go to dashboard mode and start the acquisition.

To secure your flow, go to the ~/STMicroelectronics/stm32cubemonitor folder. Open the settings.js file and uncomment the adminAuth block. Then, generate the password hash.

  • Generate a password hash:

In the editor, add the "bcrypt" node (requires STM32CubeMonitor 1.5.0 or above). Connect an inject node to send the password and a debug node to see the result.

[
    {
        "id": "0c142a1d01775c4b",
        "type": "tab",
        "label": "Password",
        "disabled": false,
        "info": "",
        "env": []
    },
    {
        "id": "8c42fc7298eddcf0",
        "type": "inject",
        "z": "0c142a1d01775c4b",
        "name": "",
        "props": [
            {
                "p": "payload"
            }
        ],
        "repeat": "",
        "crontab": "",
        "once": false,
        "onceDelay": 0.1,
        "topic": "",
        "payload": "mypassword",
        "payloadType": "str",
        "x": 250,
        "y": 220,
        "wires": [
            [
                "fc91ac3519e28fee"
            ]
        ]
    },
    {
        "id": "fc91ac3519e28fee",
        "type": "bcrypt",
        "z": "0c142a1d01775c4b",
        "name": "Hash",
        "action": "encrypt",
        "field": "payload",
        "hash": "payload",
        "target": "payload",
        "assignment": "replace",
        "match": "match",
        "outputs": 1,
        "rounds": 10,
        "x": 410,
        "y": 220,
        "wires": [
            [
                "22350cdbe3af32a8"
            ]
        ]
    },
    {
        "id": "22350cdbe3af32a8",
        "type": "debug",
        "z": "0c142a1d01775c4b",
        "name": "debug 1",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": true,
        "complete": "payload",
        "targetType": "msg",
        "statusVal": "payload",
        "statusType": "auto",
        "x": 580,
        "y": 220,
        "wires": []
    }
]

Type your password in the password field and copy the hashed password. In the settings.js file, choose the username and replace the default password with your new hashed password. Finally, you can choose between two permissions:

  • *: the user can do anything on the flow.
  • read: the user can only see the flow configuration and switch to dashboard view, but cannot deploy. This is a "read-only" mode.

The "default" key gives the "read" permission to any user, even those who are not logged in.

adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "$2b$08$jLZtZBM8ySdwPGpbGsDaE.kZagU4cetH5c7QPhspaOJ60QSOahaoa", // password: admin
        permissions: "*"
    },
    {
        username: "user",
        password: "$2b$08$f1pbalRjiHDBjOoPJ3fsmO6caEvFwGmbh0kFsTMmHuSkM6Z/BT8O.", // password: user
        permissions: "read"
    }],
    default: {
        permissions: "read"
    }
},

Your tool is now secured: you will need to authenticate to deploy your flow.

To go further, see the Node-RED page on how to secure a Node-RED flow.

4. How to secure my dashboard?

You can add a login and a password to control access to the dashboard window. The login takes place after clicking the "dashboard" button: a popup is displayed. A user without an account for the dashboard will, however, still be able to modify and deploy the flow. You can also combine the flow and the dashboard security.

Like the flow security, to secure your dashboard, go to the ~/STMicroelectronics/stm32cubemonitor folder. Open the settings.js file and uncomment the httpNodeAuth line. You may change the username and generate a new password following the previous method:

  • node-red admin hash-pw - if you are using the Node-RED 1.1.0 version
  • node-red-admin hash-pw - if you are using an older version

httpNodeAuth: {user:"demo",pass:"$2b$08$50L83HdgJESfdUETL1f2ceyJVhi.Yi77XJ2C/.8rPRZZGTZpR5Zoy"}, // password: demo

For more information, see the Node-RED page on how to secure a Node-RED dashboard.
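
A check for the three settings covered in sections 2 to 4, as an added example that is not part of the original page or of STM32CubeMonitor: the hypothetical auditSettings helper takes the object exported by settings.js and flags a commented-out uiHost, a missing adminAuth or httpNodeAuth block, and any password hash copied unchanged from this page, whose passwords are printed next to it. The sample settings object is constructed.

```javascript
// Hashes printed on this page for the passwords "admin", "user" and "demo".
const PUBLISHED_SAMPLE_HASHES = new Set([
  "$2b$08$jLZtZBM8ySdwPGpbGsDaE.kZagU4cetH5c7QPhspaOJ60QSOahaoa",
  "$2b$08$f1pbalRjiHDBjOoPJ3fsmO6caEvFwGmbh0kFsTMmHuSkM6Z/BT8O.",
  "$2b$08$50L83HdgJESfdUETL1f2ceyJVhi.Yi77XJ2C/.8rPRZZGTZpR5Zoy",
]);
const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);
const BCRYPT_SHAPE = /^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$/;

// auditSettings is a hypothetical helper: it takes the object exported by
// settings.js and returns one message per weakness found.
function auditSettings(settings) {
  const findings = [];
  const checkHash = (who, hash) => {
    if (typeof hash !== "string" || !BCRYPT_SHAPE.test(hash)) {
      findings.push(`${who}: password is not a bcrypt hash`);
    } else if (PUBLISHED_SAMPLE_HASHES.has(hash)) {
      findings.push(`${who}: sample hash from the documentation still in use`);
    }
  };
  // Section 2: a commented-out uiHost leaves the tool open to other machines.
  if (!LOOPBACK.has(settings.uiHost)) findings.push("uiHost: tool is reachable from other machines");
  // Section 3: flow editor accounts and the permission granted without login.
  const admin = settings.adminAuth;
  if (!admin) {
    findings.push("adminAuth: anyone can modify and deploy the flow");
  } else {
    for (const u of admin.users || []) checkHash(`adminAuth user "${u.username}"`, u.password);
    if (admin.default) findings.push(`adminAuth.default: "${admin.default.permissions}" without login`);
  }
  // Section 4: dashboard login.
  const dash = settings.httpNodeAuth;
  if (!dash) findings.push("httpNodeAuth: dashboard is open without a login");
  else checkHash(`httpNodeAuth user "${dash.user}"`, dash.pass);
  return findings;
}

// Constructed sample: the page's adminAuth block enabled unchanged, with the
// uiHost and httpNodeAuth lines still commented out.
const asDocumented = { adminAuth: { type: "credentials", default: { permissions: "read" },
  users: [{ username: "admin", password: [...PUBLISHED_SAMPLE_HASHES][0], permissions: "*" }] } };
console.log(auditSettings(asDocumented).join("\n"));
```

On an installation, the object to audit can be obtained with Node's require() on the settings.js file in the ~/STMicroelectronics/stm32cubemonitor folder.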
