Rack Locks

What kind of experience do people have with rack access control systems
(electronic locks)? Anything I should pay attention to with the
products?

Hope this question hasn't already been answered. Not too picky about
what/who. The APC solution seems to start getting pricey with multiple
racks. I see Arduino has an RFID reader but haven't found the door
opener.

The racks in question are standard APC (SX?) racks.

Background
We have half a dozen racks, mostly ours. Mostly I want something to log
who opened what door when. Cooling overhaul is next on the list but one
at a time. Even with cameras those janky make nobody happy.

If someone knows a better place to ask this that would be nice too.

Thanks for your time!

Kevin Burke
802-540-0979
Burlington Telecom - City of Burlington
200 Church St, Burlington, VT 05401

> What kind of experience do people have with rack access control systems
> (electronic locks)? Anything I should pay attention to with the

Overpriced, overkill for most real-world uses?
High-Tech technology for technology's sake?

Avoid them if you can. Within six months or so, at least once, there will
probably be some glitch delaying or denying required prompt access.
[snip]

> Background
> We have half a dozen racks, mostly ours. Mostly I want something to log
> who opened what door when. Cooling overhaul is next on the list but one

It probably makes sense if there are more than a handful of people with
unobserved physical access, and high frequency of access, or there's a
trust issue, high-risk consideration. Or you have to satisfy a
"Checkbox Auditor".

You're not going to be able to look at a log and see Joe opened it at 2:45AM
12 months ago, and ever since then, the servers are not quite right.

Consider manual procedures

Example: Electronic access control to the actual rooms.
A Robo-Key system (RKS), Keyvault, or Realtor lockboxes on
each server rack :)

Physical locks on cabinets. Key vault that supports multiple combinations.
Then you don't need exotic hardware, just a good lock, and sound key control
procedures.

I am imagining, if you need to automate control of individual keys,
that there will be more competing solutions for this than specialty rack locks.

Logging procedures for key access...
Send an e-mail when someone opens the vault.

Simple magnetic reed switches on all cabinet doors.
Send an e-mail when a cabinet door is opened.
Quite a few standard alarm panels can do those types of things.

Assign someone to periodically check handwritten logs and check for
discrepancies. :)

And I would have got away with it too, if it wasn't for you kids and
your pesky logs.

Joe

http://www.netbotz.ca/rackbotz.htm

Just make sure you put one on both the front and back. Otherwise one could
just open the back and unplug the Ethernet cable.
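
The manual procedure suggested earlier in the thread (key vault log plus reed switches on the cabinet doors) and the front-and-back point above can be checked together. The following is an added example, not code from any poster or vendor; the log layouts, rack names and the clock-skew tolerance are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed formats, not from the thread).
VAULT_LOG = [  # (who, rack key, checked out, returned)
    ("alice", "R1", "2015-11-20 09:00", "2015-11-20 09:40"),
    ("bob",   "R2", "2015-11-20 14:00", "2015-11-20 14:15"),
]
DOOR_EVENTS = [  # (rack, door, reed switch opened at)
    ("R1", "front", "2015-11-20 09:05"),
    ("R1", "rear",  "2015-11-20 09:20"),
    ("R2", "front", "2015-11-20 14:05"),
    ("R2", "rear",  "2015-11-21 02:45"),  # nobody held the R2 key
    ("R3", "front", "2015-11-20 10:00"),  # no checkout for R3 at all
]
# Which doors actually have a switch fitted on each rack.
MONITORED = {"R1": {"front", "rear"}, "R2": {"front", "rear"}, "R3": {"front"}}

FMT = "%Y-%m-%d %H:%M"
SKEW = timedelta(minutes=2)  # assumed tolerance between vault and alarm panel clocks


def _ts(text):
    return datetime.strptime(text, FMT)


def attribute(event, vault_log=VAULT_LOG):
    """Return the key holders whose checkout window covers this door event."""
    rack, _door, opened = event
    t = _ts(opened)
    return [who for who, r, out, back in vault_log
            if r == rack and _ts(out) - SKEW <= t <= _ts(back) + SKEW]


def unexplained_openings(events=DOOR_EVENTS, vault_log=VAULT_LOG):
    """Door openings that no key checkout accounts for."""
    return [e for e in events if not attribute(e, vault_log)]


def coverage_gaps(monitored=MONITORED):
    """Racks where the front or rear door has no switch, so openings go unseen."""
    required = {"front", "rear"}
    return {rack: sorted(required - doors)
            for rack, doors in monitored.items() if required - doors}


if __name__ == "__main__":
    for rack, door, when in unexplained_openings():
        print(f"ALERT {rack} {door} opened {when} with no key checked out")
    for rack, missing in coverage_gaps().items():
        print(f"GAP   {rack} has no sensor on: {', '.join(missing)}")
```
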

Hi Kevin,

Well I'm happy to provide my experience. When I decided to build a new
data centre business back in 2010, I started with a simple premise. That
the core data centre experience must be controlled by browser and phone.
That system was (and still is called) ONEDC.

A key component of this is the ability for our customers to:

* Remotely lock and unlock racks from their phone (great for remote hands)
* Use Facility Prox swipe cards to lock/unlock racks in facility at swipe
points at end of aisle (did that back in 2008)
* Needed to provide users/customers the ability to add/remove their staff
(and their customers) access to racks including time of day, time of week
access as well as a per rack access granular level (handy if you have 10
racks in a row with 5 different customers so you can limit their access,
or a contractor with time of day access such as a tape swap out service)
* Full data output allowing me to provide real time audit logs (yes audit
logs for security).

We did some pretty cool stuff with power management/measurement etc. and
made a little video 3 years ago (my kids are playing soccer in the
background ;))
https://www.youtube.com/watch?v=58vvIJOfBcE The product has come on a lot
since it launched (I left the company 2 years ago now).

So what did we do. I used to use a relay type system in 2007-10 in my
previous data centre life. It's pretty good but a bit "industrial". It's
also so 2007 (even 1990) and doesn't scale well when you are trying to do
3,000 racks and 6,000 doors per facility. I looked at the APC electronic
locking system, but the big issue is that some fool in product decided to
remove radius authentication, allowing a decent independent
command/control capability.

The product I went with was TZ rack locking because:
* Solid product with background in remote post office/delivery locking
systems
* Use "Shape Memory Alloy" system in which the lock mechanism is a fluid
type alloy that changes shape with voltage, rather than old school
mechanical locking
* They look really cool, fit most racks and have some great features
(like delayed lock for 5 seconds in case you realise you left your screw
driver in the rack :))
* Provided API Access so I can integrate it into our rack management
system (ONEDC)
* Full log interface

They will try to ship you the entire product suite, but if you can commit
to decent scale they are flexible (API access, support etc.) and let you
integrate into the locks. I think NEXTDC has probably deployed about
10,000 doors and one of the old team at NEXTDC is now working for TZ and
he eats this stuff for breakfast. I can pass on his details if you wish.

Anyway I can definitely recommend TZ http://ixp.tz.net . In looking at
their website their product set and locking systems have expanded in the
last 2 years or so. Hope this helps.

Cheers

[b]

On 21/11/2015 11:55 am, "NANOG on behalf of Jimmy Hess"

Possibly NSFW-language depending on your W but just an image no audio:

  http://www.soveryfunny.com/wp-content/uploads/2014/09/too_many_fucking_security_cameras.jpeg

or

  http://tinyurl.com/ngnvs4s

Our datacenter build used RCI rack locks/handles and over the last year of production since going live haven't had any issues.

http://www.rutherfordcontrols.com/en/products/electric-locks/3525/

We used the non-RFID model and put a standard card reader at the end of every row. Our Access control system handles the locking and unlocking as well as log generation (HIPAA compliant facility). These handles would work just as well with some form of relay controller. Locking the rack level also removed the need to allow building cages (which would be a waste of space in our facility).

Mike Poublon
Senior Datacenter Network Engineer
269-375-8996 Main

Secant Technologies
6395 Technology Ave. Suite A
Kalamazoo, MI 49009

> So what did we do. I used to use a relay type system in 2007-10 in my
> previous data centre life. It's pretty good but a bit "industrial". It's
> also so 2007 (even 1990) and doesn't scale well when you are trying to do
> 3,000 racks and 6,000 doors per facility.

Part of the scaling issue was the door locks on that system were conventional solenoids, which from memory needed about 1A @ 12VDC to fire. If a customer had 30-40 racks (and a couple did in that facility), you'd need to potentially fire 60-80 doors, or need 60-80 amps available (I have a recollection we used a 12V SLA battery to ride out those peaks). Additionally, monitoring lock status would have needed separate wiring and separate inputs. Cabling was a star topology (each rack directly back to the controller).

The TZ locks use a fraction of that power - from memory, only a few amps to do a pod of 30 or so racks. Firing a lock is measured in milliamps, not amps. The locks are controlled over RS485, so you get lock control and monitoring over a single cat-5. From memory the cable topology is technically hierarchical, but you could loosely consider it to be a bus. Overall, vastly superior to the 'industrial' style system.

> I looked at the APC electronic
> locking system, but the big issue is that some fool in product decided to
> remove radius authentication, allowing a decent independent
> command/control capability.

At the time the available version of the product didn't deal with too many racks (which also meant a lot of under-floor power outlets to feed the controllers). I think they were coming up with a denser version, but I didn't see it.