March 20, 2015 at 12:10Integration of Bolid in 1C or how we tamed ACS
Somewhere in 2009, when there was still no talk of a group of companies in their current form, i-Free rented premises in a business center, first occupying one room and expanding over the years.
Branches in six countries of the world and accommodation with difficulty in four business centers of St. Petersburg are yet to come, but so far there are only 5 offices at different ends of the corridor and even at different floors. The corridor is common for different tenants, the entrance to the business center is free. Running to colleagues in another office, they often forgot to lock the doors with the key. Therefore, ACS has become a necessity. We thought about the decision, and then the choice fell on the car .
Why car? There weren’t any particular alternatives that were implemented in the business center, they were “extended" for themselves, simply because the necessary specialist was at hand.
We quickly decided to separate our system from the business center so that there were no discussions about access and management of access control systems.
After the appearance of more rooms, they refused contact “tablets” in favor of more convenient contactless ones. Readers em marine, cards. We bought “as many as 150 cards” and drove them into the system.
Designed, installed, setup completed, cards issued, daily work went on.
I will omit the pros, I will write about the cons so that it is clear how and why we came to today's system.
So cons:
- For simple card issuance, a specialist trained in working with a very intricate Bolid interface with appropriate access to the control program is required. It means "you can’t go on vacation, you can’t be sick, you are forbidden to die under pain of death";
- very quickly came the understanding that cards need not only to be issued, but also changed. With the growth of the company, more than 200 employees lost at least 2 cards a week;
- much more often, "Oh, I forgot today at home, give me a card." Up to a dozen a day;
“And also,” we have guests from Beijing, 10 people, in the corridor, urgently need cards ... what does it mean to you once? I need it! ”;
- duplication of information input - the personnel officer enters information about the employee in 1C, the administrator - in AD, the access control engineer - in the car. Three times;
- And also, the company pays for the employees ’meals, and the idea“ how would we have lunch on cards in our cafe ”was in the air all the time;
““ But it would be nice to have such a report, we have all the moves logged ... what does it mean you cannot make a report? ” it's a database ... ". Bolid’s reports were then provided, but for the money. And a very limited set of reports at the same time;
Implementation
The first step towards integration was the transfer of the Bolide database to the server. There is a database description, we tried to connect from 1C - hurray! The issue of reports has been resolved. Whatever we want, this is what we get.
As time passed , a “card-based” food payment system was developed, a harbinger of the present at Lunch
The power system required the Mifare format, in order to organize a “wallet” on the card, all readers had to be replaced. And this was the next step.
At some point, we grew out of “our” business center, rented an additional two more floors in another. They connected the remote premises via a local network, since Bolid allows such an architecture. Much later, even branches in Moscow, Ukraine, and Kazakhstan were connected to our system.
The turnstiles at the entrance to the second business center remained a bottleneck - we had to hang our Mifare readers on other devices that work with em marine. If “on the floors” we controlled the entrance to our premises independently, then “on the turnstiles” had to regularly send lists of keys, new and blocked. Once a week, which created problems for the “losses” and new employees. At some point, it was possible to agree with remote business centers to put in parallel not readers, but our devices connected via a network. And then the question of updating keys became a matter of minutes, not days.
At the same time, we actively studied the car from the inside, it turned out to be a fairly flexible system. Due to the internal macro-language of the scenarios, we were able to discipline the employees: every day the script checked about 50 rooms for protection, if the room is not protected, an alert was generated for the person responsible for disassembling flights. Plus additional conveniences: arming several rooms at once with a certain algorithm, or receiving comments from security by e-mail, in case of alarm situations.
As time passed, the transition to Mifare and the torment with two cards from employees finally ended. ACS reports are already in 1C, corporate power is also there, the thing is small - to ensure that the data from 1C themselves fall into the controllers. Here, a development kit for Orion Pro came to our aid.
Using XML-RPC procedures, we were able to immediately update data on system controllers, quickly lock keys or change employee access levels.
Here is an example of how to play with doors if you have a similar system - the ControlAccess request sends a command to open the door, for this we need Curl and a request of the form:
Control access
ControlAccess ComPort 1 //адрес компорта к которому подключена ветка контроллеров;
PKUAddress 0 //при наличии клавиатуры управления С2000\С2000М, указываем её адрес;
DeviceAddress 111 //адрес нашего контроллера с экспериментируемой дверью;
AggregateAddress 1 //номер реле, для С2000-2 с однодверной конфигурацией это 1;
Command 0 //команда управления 0 – предоставление доступа на время, заданное в контроллере, обычно на вход ставят около 10 сек;
MethodNameForAnswer Result IPSERVER 127.0.0.1 //куда отправлять ответ о выполнении запроса;
PORTSERVER 8080 We save it in test.txt and send it to the ACS server, in our case it is local C: \ curl \ bin \ curl.exe -X POST -d @C: \ test.txt 127.0.0.1 : 8080
The lock is unlocked for the set time or until opening the door, just do not expect that this action will go unnoticed. In the event log of Orion we will see the entry: DateTime - xx.xx.xxx hh.mm.ss; Event - Access granted (by button); Door is the name; Description - Entry \ Exit; Address - 1/0/111/1; Access zone - registered in the controller.
Soon, our main business center was already cramped and did not satisfy current needs. For this purpose, we built three floors especially for us in the congress and exhibition center in the neighborhood, in which our main office is now safely located.
In the course of acquaintance with the current systems of the new business center, we again met the Fireball: in the form of a fire, security and access control system, we continued to build on it.
Fees and relocation are a separate issue, but the result was worth it .
The integration of the car in 1C greatly facilitated administration, allowed creating automatic rules for changing access levels when moving an employee between departments and automatic blocking when leaving, but when replacing cards, operator intervention was still required.
Here using our SMS-Directwe have activated a service for automatic replacement and blocking of cards, for this, the employee needs to send code words, if skud block, then all available keys are blocked by the employee, if the skud pin, then the code comes back, which you need to enter on the keyboard for authentication.
The list of employees with phones is stored in 1C, and a white list of phone numbers of employees is uploaded daily to the SMS-Direct node. Upon receipt of an SMS with a request, the phone number is checked according to the list, if it is not on the list, a response is sent that it would be good to go to the HR department and check if everything is OK - a random short number is generated and sent to 1C and the employee, 1C converts the pin key code for controllers:
1234 = F300000000123401
4321 = 1B00000000432101
9876 = 9E00000000987601
4582 = 8200000000458201
123456 = 0500000012345601
If you analyze the last example, then 05 is the checksum, 000000 is up to 16 characters, 123456 is our short code, 01 is added to the end of all keys.
The cyclic checksum is obtained according to the rule of Dallas. The calculation is as follows:
CRCTable: array [0..255] of byte = (
0.94,188,226,97,63,221,131,194,156,126,32,163,253,31,65,
157,195,33,127,252,162,64,30,95,1,227,189,62,96,130,220,
35,125,159,193,66,28,254,160,291,291,260,129 , 3,128,222,60,98,
190,224,2,92,223,129,99,61,124,34,192,158,29,67,161,255,
70,24,250,164,39,121,155,197,132,218,56,102,229,187,89,7,
219,133,103,57,186,228,6,88,25,71,165,251,120,38,196,154,
101 , 59,217,135,4,90,184,230,167,249,27,69,198,152,122,36,
248,166,68,26,153,199,37,123,58,100,134,216,91,5,231,185,
140,210,48,110,237,179,81,15,78,16,242,172,47,113,147,205,
17,79,173,243,112,46,204,146,211,141,111,49,178,236,14 80,
175,241,19,77,206,144,114,44,109,51,209,143,12,82,176,238,
50,108,142,208,83,13,239,177,240,174,76,18,145,207,45,115,
202,148,118,40,171,245,23,73,8,86,180,234,105,55,213,139,
87,9,235,181,54,104,138,212,149,203,41,119,244,170,72,22,
233,183,85,11,136,214,52,106,43,117,151,201,74, 20,246,168,
116,42,200,150,21,75,169,247,182,232,10,84,215,137,107,53);
KeyCode: array [1..8] of byte;
KeyCode [8]: = 0;
For j: = 1 to 7 do
KeyCode [8]: = CRCTable [KeyCode [8] xor KeyCode [j]];
0.94,188,226,97,63,221,131,194,156,126,32,163,253,31,65,
157,195,33,127,252,162,64,30,95,1,227,189,62,96,130,220,
35,125,159,193,66,28,254,160,291,291,260,129 , 3,128,222,60,98,
190,224,2,92,223,129,99,61,124,34,192,158,29,67,161,255,
70,24,250,164,39,121,155,197,132,218,56,102,229,187,89,7,
219,133,103,57,186,228,6,88,25,71,165,251,120,38,196,154,
101 , 59,217,135,4,90,184,230,167,249,27,69,198,152,122,36,
248,166,68,26,153,199,37,123,58,100,134,216,91,5,231,185,
140,210,48,110,237,179,81,15,78,16,242,172,47,113,147,205,
17,79,173,243,112,46,204,146,211,141,111,49,178,236,14 80,
175,241,19,77,206,144,114,44,109,51,209,143,12,82,176,238,
50,108,142,208,83,13,239,177,240,174,76,18,145,207,45,115,
202,148,118,40,171,245,23,73,8,86,180,234,105,55,213,139,
87,9,235,181,54,104,138,212,149,203,41,119,244,170,72,22,
233,183,85,11,136,214,52,106,43,117,151,201,74, 20,246,168,
116,42,200,150,21,75,169,247,182,232,10,84,215,137,107,53);
KeyCode: array [1..8] of byte;
KeyCode [8]: = 0;
For j: = 1 to 7 do
KeyCode [8]: = CRCTable [KeyCode [8] xor KeyCode [j]];
Then, in 1C, a pre-set access level is set with antipassback enabled (so that the key is not entered 5 times) and XML is sent to the kernel. Orion, according to the access level, sends the keys to the necessary controllers, the controllers are waiting for the appearance of our employee. Typically, the PIN code request procedure takes no more than a minute, after the employee enters the PIN code on the keyboard, the controller generates a signal for access and sends Orion a message about the successful authentication of the employee. In Orion, monitoring of the key brought to the reader we need begins, using the ReadKeyCodeFromReader method, and a command is sent to turn on relay 2 to signal the user to “lean” the card, after receiving the code, the relay is released (activating antipassback) and a request is generated in 1C, in which a short authentication code and new card code. In 1C, upon this request, the corresponding key replacement documents are created. The entire operation from sending SMS to activating the card takes no more than a couple of minutes.
The terminal for activating cards is a S2000-2 controller and a reader and keyboard connected to it, plus a pack of unregistered cards. We placed one in the guard post, the second in the HR department.
Now, each employee can independently at any time replace his penetration and get into the office according to his access level, and even dine “on penetration” a couple of hours after activation.
If the card-shaped factor does not suit you, any employee can take a leather key chain, a silicone bracelet or a sticker on the phone — whichever is more convenient — and activate it independently upon receipt in the HR department using the same procedure.
In the process of this automatic replacement, of course, there are too many intermediaries, and all this can be done on one device in the form of a tablet with gsm and nfc or raspberry with a connected reader and gsm modem, but we had a bolide in the source data, and it was important for us show the possibilities of integration and automation of the access control system based on it.
Conclusions and outcomes
These decisions helped us to get rid of manual intervention in ACS; reduce to zero the risk of errors when assigning access levels and replacing / issuing keys; accelerate the issuance of new cards; increase overall system security and integrate new services.
After several years, our partner, a fairly large FMCG retail company, turned for help in such integration into our infrastructure, which we successfully did, of course, given all the difficulties that we had to deal with when implementing the system in i-Free . That is, now our solution has proved the possibility of rapid scaling in other companies, regardless of the specifics of work and the number of employees.