How to secure STM32CubeMonitor

Revision as of 14:53, 27 October 2022 by Registered User
This message will disappear after all relevant tasks have been resolved.
Semantic MediaWiki
There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

1. Different ways to secure STM32CubeMonitor

You have a lot of ways to secure your STM32CubeMonitor tool. Each one of these secured way is easy to set up :

  • Prevent or allow remote access : Allow any machine different from the host one to see your STM32CubeMonitor tool
  • Secure your flow : create accounts with different permissions to modify the flow
  • Secure your dashboard : create an account to regulate access to the dashboard

2. How to prevent/allow other machines from connecting to my tool ?

This configuration will prevent or allow someone who knows your IP adress to connect to your STM32CubeMonitor environment. From STM32CubeMonitor 1.5.0, the default value is to prevent external access. It should be open only on secured network.

Go in the ~/STMicroelectronics/stm32cubemonitor folder. Open the settings.js file and comment/uncomment the uiHost line :

uiHost: "127.0.0.1",

If this line uncommented, nobody will be able to access to your STM32CubeMonitor tool except from the host machine. If the line is commented, anybody can access your STM32CubeMonitor tool.

3. How to secure my flow ?

You can add a login and a password to your STM32CubeMonitor tool. This authentication will prevent non-logged users to modify and deploy your flow. Nevertheless, they will be able to go in dashboard mode and start the acquisition.

To secure your flow :

  • Generate a password hash to hide the new password (see below)
  • Go in the ~/STMicroelectronics/stm32cubemonitor folder. Open the settings.js file
  • Uncomment the adminAuth block.
  • Choose the username, and replace the default password by your new password hash. Finally, you can choose between two permissions :
    • * : the user will be able to do whatever he wants on the flow.
    • read : the user will only be able to see the flow configuration an switch in dashboard view but not to deploy. This is a "read-only" mode.

The "default" key will give the "read" permission to any user, even the non-logged ones. 

 adminAuth: {
        type: "credentials",
        users: [{
            username: "admin",
            password: "$2b$08$jLZtZBM8ySdwPGpbGsDaE.kZagU4cetH5c7QPhspaOJ60QSOahaoa", //password : admin
            permissions: "*"
        },
       {
           username: "user",
           password: "$2b$08$f1pbalRjiHDBjOoPJ3fsmO6caEvFwGmbh0kFsTMmHuSkM6Z/BT8O.", //password : user
           permissions: "read"
       }],
        default: {
            permissions: "read"
        }
    },

Your tool is now secured you'll need an authentication to deploy your flow.

To go further see the node-red page on how to secure a node-red flow.

4. How to secure my dashboard ?

You can add a login and a password in order to access to the dashboard window. The connection will be done after the click on the "dashboard" button, a popup will display. Thus, an user without account to connect on the dashboard will however be able to modify and deploy the flow. You can also combine the flow and the dashboard security.

Like the flow security, to secure your dashboard, go in the ~/STMicroelectronics/stm32cubemonitor folder. Open the settings.js file and uncomment the httpNodeAuth line. You may change the username and generate a new password following the same method (see below) : 

httpNodeAuth: {user:"demo",pass:"$2b$08$50L83HdgJESfdUETL1f2ceyJVhi.Yi77XJ2C/.8rPRZZGTZpR5Zoy"}, //password : demo

To have more information see the node-red page on how to secure a node-red dashboard.

5. How to generate the password hash

It is easy to generate the password hash with a flow in the editor:

  • In the editor add the node "bcrypt". (Need STM32CubeMonitor 1.5.0 or above)
  • Connect an inject node to send the password,
  • Connect a debug node to log the result.

password flow.png

Copy/paste this code to import the nodes:

[{"id":"8c42fc7298eddcf0","type":"inject","z":"0c142a1d01775c4b","name":"","props":[{"p":"payload"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"mypassword","payloadType":"str","x":430,"y":80,"wires":[["fc91ac3519e28fee"]]},{"id":"fc91ac3519e28fee","type":"bcrypt","z":"0c142a1d01775c4b","name":"Hash","action":"encrypt","field":"payload","hash":"payload","target":"payload","assignment":"replace","match":"match","outputs":1,"rounds":10,"x":590,"y":80,"wires":[["22350cdbe3af32a8"]]},{"id":"22350cdbe3af32a8","type":"debug","z":"0c142a1d01775c4b","name":"Hash password","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":780,"y":80,"wires":[]}]

In the inject node, set the password you want to use. Then click on the square button of the inject node. The hashed password is visible in the log on the right side of the tool.

Retrieved from "https://wiki.st.com/stm32mcu/index.php?title=STM32CubeMonitor:How_to_secure_STM32CubeMonitor&oldid=24415"
No categories assignedEdit