Why should firmware be updated before setup?
Updating to the latest firmware provides several important benefits:
- Ensures PIN syncing works correctly
- Enables additional dual-mode features (such as Manager + One)
- Includes the latest bug fixes
- Improves activation reliability on slow networks (firmware 2.0.2.5 and newer)
- Fixes lock sensor errors
Best Practice:
Update firmware before adding the lock system to the software whenever possible.
How are firmware updates performed?
- If the system is NOT activated, firmware updates must be completed over USB.
- For Apexx systems, USB updates currently require a client connected to a licensed backend.
If USB updating is not possible, firmware can generally be updated after activation.
Why is eBox commissioning important?
- The eBox must be commissioned for the system to operate correctly.
- A common issue is that installers add the lock but do not commission the eBox.
The customer must also receive and retain the admin/commission code used during setup in order to:
- Configure networking
- Add devices
- Remove devices
- Shelve devices
Without this code, activation may not be possible.
What network settings should be configured?
Recommended settings:
- Enable = ON
- Mode = Local Server
- Verify the Local Endpoint server IP address is correct
Does the server need to respond to ping requests?
No.
Some servers block pings. The system can still function properly as long as ports 5001 and 8883 are open through all:
- Firewalls
- Routers
- Switches
- Gateways
What does the blinking green light on the eBox mean?
A blinking green light indicates the eBox is successfully receiving an IP address from the router.
This is required for proper operation if:
- Networking is enabled
- The eBox is commissioned
Which firewall ports must be open?
Ports 5001 and 8883 must be allowed through all:
- Firewalls
- Routers
- Switches
- Gateways
How can connectivity be tested?
Connect a PC to the same Ethernet jack used by the eBox and test ports 5001 or 8883 using:
- Telnet
- PuTTY
When is a public IP address required?
A static public IP address and associated domain name are required if eBoxes or clients connect from outside the server’s local network.
Examples include:
- Remote users
- Separate customer locations
- External VPN access
How should configuration files be updated for public access?
Edit appsettings.json files:
Locations:
C:\Program Files (x86)\dormakaba\APEXX API
C:\Program Files (x86)\dormakaba\APEXX Broker
Make the following changes:
- Replace "*" in the Kestrel URL with the server domain name
- Replace "localhost" with "127.0.0.1" in:
- ApiSettings
- BrokerHostSettings
Edit ApexxClient.dll.config
Location:
C:\Program Files (x86)\dormakaba\APEXX Client\ApexxClient.dll.config
Change:
- "localhost" to "127.0.0.1" in:
- APIURL
- MQTTEndpoint
When are default configuration files acceptable?
Default configuration files are generally fine when:
- All components are on the same network
- Different subnets can communicate
- Devices communicate through a VPN
What should be checked with certificates?
Check:
- Expiration dates
- SAN (Subject Alternative Name) entries
The SAN list should include:
- Local IP addresses
- Public IP address (if applicable)
- DNS name for the public IP
- 127.0.0.1 or localhost
Note: The IP address or DNS used by the eBox or client must appear in the SAN list.
Where are Apexx Services (API & MQTT Broker) certificates located?
If using NT SERVICE accounts:
C:\Windows\ServiceProfiles\APEXX API\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
C:\Windows\ServiceProfiles\APEXX MQTT Broker\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
If using another user account:
C:\Users\username\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
What are the most common certificate-related problems?
Expired Certificates
Expired certificates are one of the most common causes of systems unexpectedly going offline.
To resolve:
- Delete expired certificates
- Restart Apexx services
- Re-register the software
Important Note for Software Version 108.x and Newer
Do NOT delete:
- Apexx Web API MQTT Client certificate
This certificate may not regenerate automatically.
Only delete:
- Apexx MQTT Broker certificate
- Apexx Web API Service certificate
What if my lock system goes offline after about a year?
The eBox certificate may have expired.
For newer software:
Check:
- Application Settings → Certificate Management
For firmware 2.0.2.5 or older:
- Deactivate and reactivate the eBox
- Use the claim code from the Lock Systems screen
Newer firmware and software versions automatically renew certificates.
What are the most common login and startup problems?
“Login Not Found” Error
Possible causes:
- Client cannot reach the server
- Services are not running
- User is not authorized
If the client was connected to another server previously, the client certificate may be invalid.
To fix:
- Open certmgr.msc
- Locate Apexx MQTT Client certificate
- Delete the certificate
- Restart the client software
Services Will Not Start
Common causes include:
Invalid Kestrel URL
- Do not use an IP address in the Kestrel URL
- Use a domain name instead
Incorrect Endpoint Settings
If using a domain name:
- Do NOT use "localhost"
- Use "127.0.0.1" instead
SQL Permissions
If not using NT SERVICE accounts:
- Service login users must have SQL sa permissions
Configure this in:
- SQL Server Management Studio (SSMS)
- Security → Logins
Google Sign-In Problems
If Google authentication fails:
Delete:
C:\Users\<username>\AppData\Roaming\Google.Apis.Auth
Then:
- Relaunch the client
- Select “Sign in with Google”
- Complete the browser login process
The Google account must:
- Be a valid software user
- Have Login Provider set to Google