Digi XBee 3 Cellular Certificates

XBee devices can secure the connection to Digi Remote Manager with TLS. The default configuration provides confidentiality of the communication, but the device cannot authenticate the server unless a certificate is provided.

You should follow the procedure below to add the necessary certificate if server authentication is needed.

 

Step 1: Get the certificate

Navigate to the Firmware Updates section of the Digi XBee 3 Cellular LTE CAT 1 support page.

Click Remote Manager TLS Public Certificate to download the certificate .zip file.

Unzip the .zip file.

Calculate the SHA-256 hash to verify that the file is correct. The correct file will have an SHA-256 hash of:

33d91e18668b0d8a9ec59c5f9f312c53ca2884adaa62337839e5495c26d2d64c

 

Step 2: Configure device

You should confirm that the default settings are correct. You can use either Remote Manager or XCTU to verify these settings and place the certificate file in the correct location.

Verify the following settings

Setting   Value

DO        Bit 0 (mask 0x1) must be set. This enables the use of Digi Remote Manager within the firmware.

MO        Bit 1 (mask 0x2) must be set. When this value is set the Remote Manager TCP connection will be secured with TLS.

$D        By default will contain the value /flash/cert/digi-remote-mgr.pem. This is the file system location where the firmware will look for the certificate to use.

 

Use XCTU or Remote Manager to place the downloaded and unzipped certificate file in the location specified in the $D command.

 

Step 3: Verify that authentication is being performed

The next TCP connection to Remote Manager should only succeed if the server can be authenticated using the provided certificate. You can confirm that the server has been authenticated.

Cause an active connection to Remote Manager. For example, you could set bit 0 for the MO command. Make sure that you do not clear bit 1.

After a short wait you should be able to see the device as connected in Remote Manager.

Log in to Remote Manager.

Click Device Management.

Locate the device in the device list and verify that the connection icon in the left column is blue and the hover tool tip says "Connected".

 

When the device is connected to Remote Manager, the DI command can take on any of the three values shown below, based on the security level of the connection. Verify that the DI command reports 6 to confirm that the server was correctly authenticated.

0: Connected without TLS

5: Connected with TLS but without authentication

6: Connected with TLS and with authentication
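The checks from Steps 1 to 3 can be gathered into one host-side script, shown here as an added example that is not Digi's own code. It assumes the AT values were read with XCTU or Remote Manager and are supplied as hex strings; the function names and the settings dictionary are illustrative.

```python
import hashlib

# SHA-256 of the Remote Manager TLS public certificate, as published in Step 1.
EXPECTED_SHA256 = "33d91e18668b0d8a9ec59c5f9f312c53ca2884adaa62337839e5495c26d2d64c"
# DI values from Step 3 that mean the server was not authenticated.
DI_WEAK = {0: "connected without TLS",
           5: "connected with TLS but without authentication"}

def cert_matches(data, expected=EXPECTED_SHA256):
    """Return True when the certificate bytes hash to the expected SHA-256."""
    return hashlib.sha256(data).hexdigest() == expected.strip().lower()

def audit(settings, uploaded_path):
    """Check AT values against Steps 2 and 3 and return a list of findings.

    settings maps command names to values read from the device. DO, MO and
    DI are assumed to be hex strings and $D a file system path.
    An empty list means the server was authenticated.
    """
    findings = []
    if not int(settings["DO"], 16) & 0x1:
        findings.append("DO bit 0 is clear: Remote Manager is not enabled")
    if not int(settings["MO"], 16) & 0x2:
        findings.append("MO bit 1 is clear: connection is not secured with TLS")
    if settings["$D"] != uploaded_path:
        findings.append("certificate is at %s but $D is %s"
                        % (uploaded_path, settings["$D"]))
    di = int(settings["DI"], 16)
    if di in DI_WEAK:
        findings.append("DI=%d: %s" % (di, DI_WEAK[di]))
    elif di != 6:
        findings.append("DI=%d: not one of the connected values in Step 3" % di)
    return findings

if __name__ == "__main__":
    # Constructed sample values, not read from a real device.
    path = "/flash/cert/digi-remote-mgr.pem"
    sample = {"DO": "1", "MO": "3", "$D": path, "DI": "5"}
    for finding in audit(sample, path):
        print(finding)
```

To check a downloaded file, pass its contents to `cert_matches`, for example `cert_matches(open(pem_file, "rb").read())`, before uploading it to the device.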

 

Last updated: Oct 10, 2024
