Security Expert Advanced Tuning Guide

EcoStruxure™ Security Expert

Best Practice Guide

April 2022

Internal
Table of Contents
Legal Information .......................................................................................................................................... 3
About this Document .................................................................................................................................... 4
Concept ......................................................................................................................................................... 5
Licensing ........................................................................................................................................................ 6
Installation .................................................................................................................................................... 6
Standard Operational Procedure for using the Maintenance Download Server.......................................... 6
Fine Tuning the System ................................................................................................................................. 7
Expectations .................................................................................................................................................. 8
Conclusion ..................................................................................................................................................... 8
SRDL Trouble Shooting .................................................................................................................................. 9

Internal
Legal Information
The Schneider Electric brand and any registered trademarks of Schneider Electric Industries SAS
referred to in this manual are the sole property of Schneider Electric SA and its subsidiaries. They
may not be used for any purpose without the owner's permission, given in writing. This manual and
its content are protected, within the meaning of the French intellectual property code (Code de la
propriété intellectuelle français, referred to hereafter as "the Code"), under the laws of copyright
covering texts, drawings and models, as well as by trademark law. You agree not to reproduce,
other than for your own personal, noncommercial use as defined in the Code, all or part of this
manual on any medium whatsoever without Schneider Electric's permission, given in writing.
You also agree not to establish any hypertext links to this manual or its content. Schneider Electric
does notgrant any right or license for the personal and noncommercial use of the manual or its cont
ent, except for a non-
xclusive license to consult it on an "as is" basis, at your own risk. All other rights are reserved.
Electrical equipment should be installed, operated, serviced, and maintained only by qualified person
nel.
No responsibility is assumed by Schneider Electric for any consequences arising out of the use of thi
s
material.
As standards, specifications and designs change from time to time, please ask for confirmation of th
e information given in this publication.
Trademarks and registered trademarks are the property of their respective owners.

As standards, specifications and designs change from time to time, please ask for confirmation of the
information given in this publication.
Trademarks and registered trademarks are the property of their respective owners.

Internal
About this Document
The following document details optimizing your Security Expert System for
performance during the configuration and running of your Security System.
This involves the concept and best practices for using a Maintenance Download
Server implementation in conjunction with the Single Record Download Service.
The Maintenance Download Server is a concept where an additional download
server is installed in parallel to the Default Security Expert download server to
facilitate faster download speeds to controllers when making configuration
changes on site.

Internal
Concept
With the release of 4.3.308.5 in conjunction with SP-C Firmware 2.08.1154, it is now possible to
install the Single Record Download Service (SRDS). Normally when you save a record in the Security
Expert software, the Security Expert Download Service performs a full download to each controller
that requires the change. In contrast, the Security Expert Single Record Download Service uses a
differential download process, only downloading the specific records and fields that have changed in
the database.

This service runs in parallel to the existing download service, providing an independent path for
single-record changes that need to be downloaded to the controller in a timely fashion. Record
changes downloaded by this service are typically received by a controller in under 30 seconds. This
reduces download times considerably, especially on large sites with many controllers.

The single record download service monitors the data service for updates to compatible record
types and sends these directly to controllers over HTTPS, independently of regular downloads by the
download service. The service can send downloads to all controllers in the system, regardless of
what site they are associated with.

The SRDS will greatly enhance the performance of the day-to-day operations of large sites; however
sites may still experience some performance issues during commissioning and system maintenance
or when making multiple changes to other Users, Schedules and Access Levels.

When configuration changes are made, these changes are sent down to the controllers though the
default download server. This process can only be tuned to a certain degree by changing the
Maximum Number of Concurrent Downloads settings.

When a new record or change to an existing record is made that is not a User, Schedule of Access
Level, the system initiates a download via the Default Download server to the SP-C(s) that record is
part of. These downloads can take from 15 seconds and up several minutes to complete depending
on the size of the site. And depending on the value set for the Concurrent Downloads it may take
many iterations for the download to be completed. We can calculate the approximate maximum
download time for a change to be downloaded to all controllers.

For example, if there are 100 Controllers (SP-Cs) and the maximum concurrent downloads is set
to the default setting of 4 and each download takes 30 seconds to complete, it may take up to
12.5 minutes to distribute a configuration change to all the specific controllers. (100/4 * 30s =
12.5 minutes). Because the download service is not predictable in which order the controllers

Internal
 are downloaded, it may take the full 12.5 minutes, or it may take only 30 seconds to reach the
desired controller.

To ensure that configuration changes are downloaded in a prioritized fashion you should install an
additional download server. We will call this new Download Server the “Maintenance Download
Server”. Once installed, you will select the Maintenance Download Server for the Controller(s) you
are working on. This will isolate the controller on its own download server and will ensure that the
changes are downloaded on the first download iteration, thus drastically reducing the download
time it takes changes to reach that controller. When the changes are completed and validated,
simply revert the Download server back to the default Primary Download server for normal
operation.

Licensing
A SX-SRVR license is required for the installation of the additional download server with the same
number of doors that the Main Security Expert System has configured.

Installation
There is a specific Application note that discusses the installation of adding a second Download Server
and the Single Record Download Service.

See Application Note 290 Setting up a Secondary Security Expert Download Server - Integration Guide

See Application Note 309 Security Expert - Single Record Download Server - Integration Guide

Standard Operational Procedure for using the

Maintenance Download Server
1. Once the Secondary Download is installed, rename the download servers as “Primary
Download Server” and “Maintenance Download Server”.
o Primary being the default download server and Maintenance being the secondary
download server
2. Ensure that all active SP-C controllers are set to use the Primary download server.

Internal
 3. Prior to making any configuration changes to the system (changes that are not associated
with Users, Access Levels or Schedules), the Operator should:
o Select the SP-C controller, where changes are being made
o Set the Download Server to use the Maintenance Download Server.
 This will ensure that configuration changes are downloaded immediately to
the SP-C(s) associated with the Maintenance Download server.
4. Once changes are completed and validated, the Operator then changes the Download
server back to the Primary Download Server.
5. Repeat steps 3 and 4 for additional controller configuration changes.

Example: Changes are required to the door position switch on doors located in wing 1 on
Controller_1. The first step is to change the Download server setting for Controller_1 to use the
Maintenance Download Server. Once set, the operator can make the configuration changes
required on doors in Wing 1. Upon save, the Maintenance Download Server will initiate the
download to only Controller_1. When the download has completed, the technician can commission
or validate the change at the door. Once validated the Operator would set the Download Server
back to the Primary Download Server for normal operation. This would greatly decrease the
download times to the affected SP-Cs.

Optimizing the System

Once the SRDS and the Maintenance Download server are installed you can now optimize the system for
best performance. To do this you must first understand how the SRDS behaves when changes are made
to the system. When you make a change to User, Schedule or Access Level the SRDS broadcasts the
change to all the controllers. Immediately following the broadcast, the SRDS initiates a standard
download to all the Controllers to clean up after the SRDS. This is necessary to ensure the Controllers
and the database are the same information in them.

If additional changes are made to a User, Schedule, or Access Level this process is repeated. If the
primary download server is still updating a controller(s) (cleaning up after the SRDS), the controller(s)
that are actively being downloaded to will block the SRDS broadcast as it is busy receiving a download
from the primary download server. You will see this in the Windows Event Viewer as a “DB lock”
message. In this case the new change will have to wait until the Primary Download Server completes
the initial download to all controllers before the new change is downloaded. This could take time
depending on how many Controllers are on a site and what is set for the “Maximum Number of
Concurrent Downloads” (Global->Download servers)

By default, the system sets the Maximum Number of Concurrent Downloads to 4. This means that for
every change made to the system that requires a download, the download service will connect to 4
Controllers simultaneously and send those changes repeating until all controllers have receive the
update. Again, using the example above, it may take up to 12.5 minutes for a change to download to a
Controller if a SRDS is Blocked by the Primary download server on a site with 100 Controllers.

Internal
To limit the potential of a “DB lock”, we would set the “Maximum Number of Concurrent Downloads” to
1. This will make it so the Primary download server downloads 1 Controller at a time. This will
drastically limit the chances of the SRDS being blocked.

Caution needs to be noted when setting the Maximum Number of Concurrent Downloads to 1. When
this is set all Configuration changes that are made will take a significant amount of time to download via
the primary download server. Therefore, it is imperative that a second Maintenance Server is installed
and used for these changes.

Expectation after System Optimization

Once the system has been optimized, the Single record download server will handle the day-to-day
operations of Users, Access Levels and Schedules on large sites. The Default Primary Download
server will handle the cleanup to ensure that the controllers have only have the records needed for
that controller. Maintenance Download server(s) can be assigned to specific Controllers where
configuration changes are actively being made to the system. This too will greatly increase the
performance of downloads for changes made to configuration records in the system.

Conclusion
Using these best practices will greatly reduce the time it takes to update controllers from changes to
Users, Schedules, and Access Levels as well IO points, Door programming and other system
configuration changes. It is important that you adhere to the SOP to ensure the best system
performance.

Internal
SRDS Trouble Shooting
1. If you are seeing issues in the event log Error messages where the SRDS cannot connect with
controllers, we need to find all the controllers that have issues with SRDL using TLS.

• First stop the SRDL service and make sure it will not rerun (not on auto restart).
Set the Startup Type to “Manual”
• Locate the SecurityExpertSV2B.exe.config file in the Security Expert install directory:
o (C:\Program Files (x86)\Schneider Electric\Security Expert\
SecurityExpertSV2B.exe.config)
• Open SecurityExpertSV2B.exe.config file using notepad++
o Change the value from “true” to “false” in the following line:
<appSettings>

<add key="sv2b:startup.service" value="true" />

• The new line should be:

<appSettings>

<add key="sv2b:startup.service" value="false" />

On the SX application server run the power shell.

Note: It may be useful to remove known-good controllers from the Download Service temporarily to
reduce the noise in the log file.

Navigate to the installation directory of SRDS typically “C:\Program Files (x86)\Schneider

Electric\Security Expert”

Type ./SecurityExpertSV2B.exe 2>&1 >> <loglocationFilename>

Where <loglocationFileName> is a filename and location/directory where the debug data output
from the SRDL will be saved.

e.g ./SecurityExpertSV2B.exe 2>&1 >> C:\Temp\SRDSlog.txt

Now go to the SX client server and make a change that will trigger SRDS to download (Hitting Save
on a user should work)

Wait 2-3 minutes and open the <loglocationFileName> file in NotePad

Search for all the controllers in this log file for https and “error” and note all the Controllers that
can’t use https or have any errors mentioning “public key” or that the controller does not support
https. Make a {List of controller IDs with issues with https}

Close the Powershell.

Internal
 For each Controller you have noted in the previous step {List of controller IDs with issues with https}
do the following steps.

A. Go to Controller Configuration tab in Security Expert Client and remove/delete the public
Key and save.
B. Login to the relevant controllers Web Interface via HTTP or HTTPS as required
C. If HTTPs is enabled, disable it, and restart the controller – Otherwise simply restart the
controller.
Repeat all the steps (1-3) for all the controllers {List of controller IDs with issues with https}.

After they have all be fixed. To re-enable the SRDL service and set startup.service value back to
“true”

<appSettings>

<add key="sv2b:startup.service" value="true" />

”
Start the Single Record Download service, and reconfigure the service to Startup Type: “Automatic

Make a change to a User, Access Level or Schedule then save to initiate the SRDS.

Wait until all controllers have been processed and their HTTPs should now be correctly setup for
SRDS.

2. If the SRDL takes a long time to start up it might be having issues due to a previously incorrect SRDS
setup or a large number of controllers/changes being processed without correct HTTPS settings, to
fix this.
Stop the SRDL service and on the SQL server run the SQL Server management Studio.
Run the following command to remove all the previous failed SRDL events.
USE SecurityExpert
BEGIN TRANSACTION
TRUNCATE TABLE DifferentialSync
TRUNCATE TABLE PendingDownloadUsers
TRUNCATE TABLE PendingRecordsForController

COMMIT

3. If you are receiving error messages in the Windows Event logs that the username/passwords do not
match for the SRDS
a. Ensure that your Username in the Security Expert Client/Server match the Log in credentials
for the SP-C * (The client/server User Name is CASE sensitive)

b. Restart the SRDS for any changes to User Name and or Passwords of Controllers.

Internal