This article covers Frequently Asked Questions regarding the upcoming Root TLS Certificate Migration.
List of questions:
- NEW: Is a flowchart available to guide my update/troubleshooting efforts?
- NEW: What is the exact migration schedule?
- NEW: What should we expect to happen to updated systems during migration?
- NEW: What should we expect to happen during migration to systems that were not updated?
- NEW: I'm having trouble updating a QUATRA 1000/2000 with the WAVE Field Tool. Can you help?
- What if a system isn’t updated?
- Will systems stop relaying if they aren’t updated?
- What about systems set to require Mandatory Connection?
- Why is this happening? Can’t it be avoided?
- Does this mean there is a security issue?
- Will there be additional emails announcing the effective release date for each embedded software release related to this migration?
- How will I know when the update for a particular system is available?
- How current/accurate is the report of “At Risk” systems?
- The GO G41 & G51 have Bluetooth and an ethernet port. Why do they need to be updated?
- What about systems that do not have an ethernet port or built-in modem?
- What should Distributors or Operators do with new inventory on hand?
- How is CU software updated on a system that missed cutover?
- I have a question not addressed here or in the main article. Who do I contact?
Is a flowchart available to guide my update/troubleshooting efforts?
A significant majority of online systems have already been updated. However, we understand that there is concern, and that guidance is needed on completing final updates in the remaining days before cutover and on how updates are to be handled for offline systems after the migration occurs.
We’ve prepared this flowchart to aid you in that process: Update Procedure & Troubleshooting Flowchart
What is the exact migration schedule?
Microsoft is actively facilitating the TLS Certificate Migration for all services on their Azure platform. The migration is expected to begin as early as September 27th. This date cannot be extended; however, it is possible that it will begin at a later date for some systems. The exact timing will ultimately depend on Microsoft’s network operations and overall execution.
Nextivity will send partners a confirmation email once the migration of all dependent systems is complete. We’ve been assured this will happen no later than October 16th. Please read below for more information on what to expect when the migration begins.
What should we expect to happen to updated systems during migration?
When the migration begins, systems updated to the software version outlined in the Cloud TLS Certificate Migration and Related Embedded Software Updates article will automatically transition to the new TLS Certificate and maintain their WAVE Portal connection after cutover.
Systems that have an active connection to the WAVE Portal while they begin their transition are expected to lose this connection for a short period of time. The precise duration depends on the system’s internal timing and Microsoft’s maintenance intervals. Taken together, online systems are expected to become unavailable via the WAVE Portal for 5 to 60 minutes while making the migration.
Please note that if a system has a notification policy that includes a System Not Online Alarm, these alarms may be generated for the system, depending on how long its own migration takes.
What should we expect to happen during migration to systems that were not updated?
Systems that have not been updated will continue to relay cellular/RF signals per their existing configuration; however, they will not be able to directly connect to the WAVE Portal via ethernet or modem. As a result, if a Cloud connection is determined to be necessary for the system, then it will require an offline software update to regain this connection, described further in the section below.
Please note that systems that have not completed an update to the necessary software version, but that have an active connection to the WAVE Portal at the time of the migration, may continue to report their “Server Connection” status as “Active” following the migration. However, they will not convey updated radio data and alarms, or accept commands to change their configuration via the WAVE Portal. In this event, the “Last Update” timestamp will no longer progress, and you can therefore conclude that the system is no longer properly connected to the Cloud. We will resolve this bug in a Portal update in early October.
I'm having trouble updating a QUATRA 1000/2000 with the WAVE Field Tool. Can you help?
Software updates for QUATRA 1000/2000 systems should not be performed using WAVE Field Tool version 126.96.36.199. A new version is coming.
Based on user feedback, we’ve identified that the Software Update feature for QUATRA 1000/2000 in the WAVE Field Tool is not performing as expected. We have revised the tool’s update routine for these systems and are currently preparing to release an improved version, WAVE Field Tool version 1.6.6.
This new version will be available early next week and can be downloaded here. The “Latest version” will be updated on this page once it has been released.
As a reminder, systems that are not updated before the migration occurs will continue to perform their cellular relay functions as expected without a Cloud connection. For such systems that have not yet been deployed, the installer will need to update the equipment using WAVE Field Tool version 1.6.6 or later as part of the installation process.
What if a system isn’t updated?
As described in the main article, CEL-FI and SHIELD systems that do not receive the required software update will continue to relay cellular/RF signals per their existing configuration; however, they will not be able to directly connect to the WAVE Cloud via ethernet or modem after September 27th. As a result, these systems will not be able to receive automatic software updates from the Cloud or be remotely monitored and managed using the WAVE Portal. To regain these features, or any other improvements made available in a future software release, the system will need to be manually updated in person using the WAVE Field Tool.
Will systems stop relaying if they aren’t updated?
No, with one rare exception related to Mandatory Connection, discussed in the next question.
While the embedded software updates are crucial for maintaining cloud communication for remote management and configuration, the primary functionality of CEL-FI and SHIELD systems as cellular/RF repeaters will remain unaffected. All Nextivity systems are capable of operating independently without a connection to the WAVE Cloud or WAVE Portal. The cellular relay performance will not be impacted if the system does not receive this software update or is not reconnected to the WAVE Cloud.
What about systems set to require Mandatory Connection?
A system can be configured to require a “Mandatory Connection” to the WAVE Cloud. When this setting is enabled, the system will stop relaying 14 days after it loses its connection. This setting is disabled by default and is available in Options > Settings on the System page in the WAVE Portal.
Systems with Mandatory Connection enabled will generally be connected, automatically updated to the latest software, and handle the TLS certificate migration without any action required. However, if a system configured for Mandatory Connection is also opted out of Automatic Updates, then it must be manually updated or have its configuration changed to avoid relay disruption.
This configuration combination affects fewer than 100 systems globally and is being monitored closely to ensure that all systems receive the required configuration change or manual software update to ensure continued relay operation after the September 27th cutover. The “Mandatory Connection” setting for each system is included in the partner-specific “At Risk” report.
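The two conditions above that the Portal status alone does not reveal (an “Active” status with a frozen “Last Update” timestamp, and the 14-day relay stop under Mandatory Connection) can be checked over an inventory list. The following is an added example, not Nextivity code: the record fields, serials, the year and the 60-minute staleness threshold are assumptions, not a WAVE Portal export format.

```python
from datetime import datetime, timedelta

RELAY_GRACE = timedelta(days=14)     # from the page: relaying stops 14 days after connection loss
STALE_AFTER = timedelta(minutes=60)  # assumption: upper end of the 5-60 minute migration outage

def triage(rec, cutover, now):
    """Classify one inventory record; field names are hypothetical."""
    findings = []
    stale = now - rec["last_update"] > STALE_AFTER
    # "Active" status with a frozen Last Update after cutover: not really connected.
    if now >= cutover and rec["server_connection"] == "Active" and stale:
        findings.append("stale-active")
    # Not updated and past cutover: only an in-person Field Tool update restores the cloud link.
    if rec["needs_update"] and now >= cutover:
        findings.append("offline-update-required")
    if rec["mandatory_connection"]:
        if rec["needs_update"] and not rec["auto_update"] and now < cutover:
            # Will not self-update before cutover: update manually or change the setting.
            findings.append("relay-at-risk")
        if now >= cutover and stale:
            # Assumption: the last update time approximates when the connection was lost.
            deadline = rec["last_update"] + RELAY_GRACE
            findings.append("relay-stops:" + deadline.strftime("%Y-%m-%d"))
    return findings

def report(records, cutover, now):
    """Map each serial to its list of findings (empty list means nothing to do)."""
    return {r["serial"]: triage(r, cutover, now) for r in records}

# Constructed sample records: serials, dates and the year are made up for illustration.
CUTOVER = datetime(2030, 9, 27, 0, 0)
SAMPLE = [
    {"serial": "EXAMPLE-001", "server_connection": "Active", "needs_update": True,
     "auto_update": False, "mandatory_connection": True,
     "last_update": datetime(2030, 9, 27, 0, 5)},
    {"serial": "EXAMPLE-002", "server_connection": "Active", "needs_update": False,
     "auto_update": True, "mandatory_connection": False,
     "last_update": datetime(2030, 9, 29, 11, 50)},
]

if __name__ == "__main__":
    now = datetime(2030, 9, 29, 12, 0)
    for serial, findings in report(SAMPLE, CUTOVER, now).items():
        print(serial, findings or ["ok"])
```
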
Why is this happening? Can’t it be avoided?
Nextivity’s products communicate with our WAVE Cloud platform for the purposes of commissioning, monitoring, configuration management, and software updates. Enabling this communication to take place securely requires the use of certificates embedded within the device’s embedded software. This is necessary for the WAVE Cloud to trust the CEL-FI or SHIELD system, and vice versa.
Our WAVE Cloud is built within Microsoft’s cloud platform and uses Azure services which are transitioning from one set of TLS certificates to a new set. Transitions of this sort happen infrequently but are unfortunately always challenging for devices that connect to a cloud service independently. An update to embedded software is required and cannot be avoided. Once the cutover of services begins on September 27th, systems running outdated embedded software will no longer be trusted and therefore unable to connect to the WAVE Cloud.
Does this mean there is a security issue?
No, this update does not indicate a security issue. The change in TLS certificates is in response to updates made by Microsoft to their Azure platform, which we utilize for our WAVE Cloud services. Regular updates like this one are part of maintaining and enhancing the security and functionality of a cloud platform and the devices that connect to it. This event and the migration of certificates are not specific to Nextivity systems.
Will there be additional emails announcing the effective release date for each embedded software release related to this migration?
No. Software releases related to the Root TLS Certificate Migration for all products will begin as early as June 27th and will continue to roll out into mid-July. Systems will receive auto-updates in waves and distribution will ramp up across all models in July. Subsequent software releases for our products will continue to receive their standard individual release notifications.
How will I know when the update for a particular system is available?
Once all required embedded software updates have been published and all systems connected to the WAVE Cloud have had an opportunity to auto-update, an email will be sent to WAVE Portal users informing them of this milestone. This is expected to take place around July 26th and be accompanied by the first partner-specific report of “At Risk” systems.
How current/accurate is the report of “At Risk” systems?
Periodically during the migration, Nextivity will email WAVE Portal users a report listing those systems which are believed to need a software update. The list will include only those systems the user’s organization has access to in the WAVE Portal and is based on the software version that was reported by the system the last time it connected to the WAVE Portal.
This data is typically extremely reliable, particularly for systems that are currently connected but with auto-update disabled. However, software updates performed using the WAVE Field Tool or similar offline procedures are not captured by the WAVE Portal. As a result, some offline systems may appear on the report as At Risk but have already received manual updates not known to the WAVE Portal.
As all necessary software updates are being published following the announcement of this migration effort, recipients can be confident in the report accuracy when also tracking and removing from the list any systems they manually updated offline.
To account for any processing delay, the report will include an “as of” timestamp indicating when it was generated.
The GO G41 & G51 have Bluetooth and an ethernet port. Why do they need to be updated?
When connected to the WAVE App via Bluetooth, the GO G41 and GO G51 will still be able to connect to the WAVE Cloud to receive software updates and remote configuration changes. This is the case even after the September 27th cutover for G41 and G51 systems that did not receive the software update required for direct connection via the ethernet port.
If the GO system will need to connect to the WAVE Portal via ethernet, then a software update is required. Version 24 or later is necessary for the GO G41. Version 11 or later is necessary for the GO G51.
What about systems that do not have an ethernet port or built-in modem?
CEL-FI systems without an ethernet port or built-in modem (such as the GO G31 and G32) are not able to directly connect to the WAVE Cloud. These systems connect to the WAVE App using Bluetooth. The WAVE App in turn connects to the WAVE Cloud. While it is recommended to always keep your CEL-FI software updated, an update to these systems’ embedded software is not required as part of this effort. The changes required for these systems to continue communicating with the WAVE Cloud after September 27th have already been implemented in the recent WAVE App v1.30 release. App users should make certain they are running the latest version.
What should Distributors or Operators do with new inventory on hand?
Systems manufactured before the July email notification that all embedded software updates have been released will require a software update to ensure continued WAVE Cloud and Portal connectivity. These systems should be updated using the WAVE Field Tool before shipment when the expected commissioning date is later than September 27th. Alternatively, when shipping products to a Nextivity Partner for professional installation (all CEL-FI QUATRA and SHIELD model families), notice/reminder may be provided to the installer that a manual software update may be required.
How is CU software updated on a system that missed cutover?
If a system isn’t updated before September 27th, then the NU needs to be updated manually using the WAVE Field Tool. Depending on the outdated version of software on the system, CUs may also need to receive an update. This can easily be accomplished via the WAVE Portal once the system NU regains its connection to the WAVE Cloud. Simply navigate to the System Details page and select Options > Software Update from the top right menu. The WAVE Portal will instruct the system to update all system components, including any CUs with outdated software versions.
I have a question not addressed here or in the main article. Who do I contact?
Please contact email@example.com with any questions.