Modbus TCP

Other devices that evaluate the data of the KOSTAL Smart Energy Meter can be connected to the Modbus TCP (LAN) interface.

“Master” mode

In the operating mode Modbus TCP > Master, the KOSTAL Smart Energy Meter writes to the registers of one or more connected devices acting as Modbus slaves. These devices may be SPS controllers or external energy management systems with standardised Modbus connections, for example, but they do not only have to be hardware specifically suited to this purpose. Web services, for example, can also receive data using this mode. However, the devices do have to be configured specifically to receive these register ranges.

It is possible to write to both the internal device power register and energy value register. You can also decide whether to transfer the sum value of all three phases only or the individual values. The relevant register ranges can be switched on and off in the tab Advanced Modbus configuration > Register configuration.

The KSEM/RM PnP registers and the SunSpec registers are not transmitted via the Modbus TCP master. You will find information about the respective registers in the KOSTAL Smart Energy Meter– Interface Description Modbus documentation in the download area for the KOSTAL Smart Energy Meter.

In Master mode, the KOSTAL Smart Energy Meter sends and writes information to the registers of the configured slaves. These are added by entering the slave IP address.

Parameter	Explanation
Slave address	Defines the address of a TCP slave. This can be specified in the form of an IP address or URL.
Port	Defines the TCP port on which the slave expects Modbus communication.
x	Deletes the line
Add	Adds a line

Up to 10 TCP slaves can be configured.

“Slave” mode

In Slave mode, the KOSTAL Smart Energy Meter provides its measurement data (Modbus register) via LAN interface (TCP/IP). This setting is used to ensure that the KSEM can be read by third parties.

The Modbus Slave can be reached at port number 502 as standard. Port number 802 must be used for encrypted connections.

Some writeable Modbus registers enable a wallbox that is controlled by the KOSTAL Smart Energy Meter to be controlled externally. Please be aware that the connection must be converted from Modbus TCP via port 502 to Modbus TCP with TLS encryption via port 802. This applies to all connections in this case.

Parameter	Explanation
Enable TCP Slave	Enabled The Modbus slave functionality on the Ethernet interface (LAN) is enabled. Data can only be retrieved from the KOSTAL Smart Energy Meter via the interface once the interface has been activated and the settings have been saved. The Modbus slave can be reached at port number 502 as standard. Deactivated The Modbus interface is deactivated.
Enable encryption (TLS)	Enabled Enables encryption using TLS for Modbus slave connections. If encryption is enabled, the Modbus slave can only be reached via port number 802. Deactivated Encryption is deactivated.

Parameter

Explanation

Enable TCP Slave

Enabled
The Modbus slave functionality on the Ethernet interface (LAN) is enabled. Data can only be retrieved from the KOSTAL Smart Energy Meter via the interface once the interface has been activated and the settings have been saved.
The Modbus slave can be reached at port number 502 as standard.

Deactivated
The Modbus interface is deactivated.

Enable encryption (TLS)

Enabled
Enables encryption using TLS for Modbus slave connections.
If encryption is enabled, the Modbus slave can only be reached via port number 802.

Deactivated
Encryption is deactivated.

Certificates

Dealing with self-signed TLS certificates

A TLS certificate and the associated private key are required to set up an encrypted Modbus TCP connection. In the most simple cases, this type of key pair can be generated using the program openssl. This is a self-signed certificate. TLS versions below Version 1.2 are not supported.

INFO

Tapping sensitive data

Unknown TLS certificates should always be carefully checked to prevent unauthorised access to measurement data on the device by third parties.

For receivers that use known certificates or certificates that are already accepted, a secure TLS connection is automatically established.

The device has a range of trustworthy certificates and certification authorities (CA). If a connection is being established with a receiver for the first time and this receiver has a self-signed certificate, the device detects the certificate and the user must actively accept it. All read and write access to the Modbus registers is refused until this is confirmed.

An overview of added and unknown certificates is provided in the Certificates drop-down table, which is located right below the Modbus TCP configuration. Certificates are described there as follows:

Status: Accepted

The status displays a green tick. This certificate is trusted by the device. The certificate can be removed from the device by going to Delete.
Receivers that use this certificate are trusted and a secure TLS connection can be established to them.
Clicking on Delete will delete the certificate from the list of trusted certificates. This certificate is no longer trusted and open connections using this certificate are terminated immediately.

Status: Not accepted

The status displays a red cross. There is an Accept button behind it. This certificate is not trusted.
In order to establish a secure TLS connection to receivers using this certificate, this certificate must first be actively trusted.
Clicking on Accept adds the certificate to the trusted certificates and it is then considered to be accepted. A secure TLS connection can now be established from receivers that use this certificate.