Example: Secured OPC UA Communication
On the 'Security' page of the 'OPC UA' PLANT tree node, you can specify the certificate and authentication settings that must be satisfied before a secure connection between OPC UA clients and the OPC UA server is established. Furthermore, you can define which encryption algorithms the OPC UA server offers to its clients to secure the transmitted data.
After modifying these settings and writing them to the controller (as part of the PLCnext Engineer project), the controller (i.e., the OPC UA server) generates the self-signed certificate (if needed) when switching its state from Stop to Run, and applies it.
Certificate | Configures the certificate management on the OPC UA server.
Trust Stores | These fields are only visible if 'Server certificate' is set to 'Provided by OPC UA GDS' (see row above). You have to define the names of the TrustStore and the Identity Store which the OPC UA server shall use to store data it receives from the Global Discovery Server (GDS). Enter the freely definable names into the text fields. You can inspect the current content of these stores via the Web Based Management (WBM) interface of the PLCnext Technology device.
Note: The OPC UA standard uses different terms. The standard mentions a TrustList the content of which is very similar to the content of a TrustStore of the PLCnext Technology device. The standard specifies a CertificateGroup which is very similar to the information within an IdentityStore of the PLCnext Technology device.
Type of subject | These fields are only visible if 'Server certificate' is set to 'Self-signed by controller' or 'Provided by OPC UA GDS'.
Note: In case of 'Provided by OPC UA GDS' it depends on the implementation of the Global Discovery Server involved whether the subject settings made here are considered or not.
A subject specifies the owner of a certificate. A subject can be accompanied by alternative names; in certificates according to the X.509 standard, these alternative names are recorded in the so-called "subjAltName" extension of the certificate. Using these input fields, you can specify the alternative names the OPC UA server shall include in the self-signed certificate it generates, or in the certificate signing request it generates for a Global Discovery Server.

You can specify up to five alternative names for the subject. Each alternative name shall describe a DNS name or IP address at which the OPC UA server is reachable. The OPC UA server automatically also includes the DNS name specified in the basic settings as an alternative name, regardless of the settings made here. This way, you can enable up to four communication paths (provided that your network architecture supports this, for example, using a router, existing port forwarding (firewall in router to OPC UA server) and a local DynDNS implementation).

When establishing the connection, OPC UA clients verify whether the address (DNS name or IP address) from the URL they want to connect to is contained in the server certificate. If several possibilities exist for connecting to the OPC UA server from outside or inside the domain, each possible address part of a URL must be contained in the certificate. Otherwise, the authentication fails.

Any specified DNS name or IP address (depending on the selection in 'Type of subject') is written into the self-signed certificate. If 'not set' is selected in a subject field, the server ignores it when generating the certificate. When 'not set' is specified for all subjects, no alternative name will be included in the self-signed certificate except for the DNS name from the Basic Settings, which is always included.

Note: If clients use short URLs (because they are located in the same domain as the OPC UA server), list these short names here as alternative names.
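The following added example (not code from PLCnext Engineer or the controller firmware) models the behaviour described above: it builds the subjAltName list the server would write into its self-signed certificate from the 'Basic Settings' DNS name plus the 'Type of subject' fields, and then applies the client-side check that the host from an endpoint URL must appear in that list. The class and function names, and the sample names and addresses, are assumptions chosen for illustration.

```python
"""Model the subject alternative names of a PLCnext OPC UA server certificate
and the client-side address check performed when connecting."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit


@dataclass
class SubjectSettings:
    """Inputs from the 'Security' page (hypothetical model of the dialog)."""
    basic_dns_name: str                                  # DNS name from the Basic Settings, always included
    alternatives: list = field(default_factory=list)     # up to five ('type', 'value') pairs

    def build_san(self):
        """Return the subjAltName entries the server writes into its self-signed certificate."""
        if len(self.alternatives) > 5:
            raise ValueError("at most five alternative names can be specified")
        san = [("DNS", self.basic_dns_name)]
        for subject_type, value in self.alternatives:
            if subject_type == "not set":       # 'not set' fields are ignored by the server
                continue
            if subject_type == "IP":
                ip_address(value)               # reject values that are not valid IP literals
            elif subject_type != "DNS":
                raise ValueError(f"unknown subject type {subject_type!r}")
            san.append((subject_type, value))
        return san


def client_accepts(endpoint_url: str, san) -> bool:
    """Client check: the host part of the endpoint URL must be contained in the SAN list.

    IP literals only match IP entries and host names only match DNS entries, so a
    short name such as 'plc01' does not match the FQDN 'plc01.example.com'.
    """
    host = urlsplit(endpoint_url).hostname
    if host is None:
        return False
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP" and ip_address(v) == ip for t, v in san)
    return any(t == "DNS" and v.lower() == host.lower() for t, v in san)


if __name__ == "__main__":
    # Constructed sample: FQDN from Basic Settings, short name and LAN address as alternatives.
    san = SubjectSettings("plc01.example.com", [("DNS", "plc01"), ("IP", "192.168.1.10")]).build_san()
    print(client_accepts("opc.tcp://plc01:4840", san), client_accepts("opc.tcp://10.0.0.5:4840", san))
```

A client that reaches the server through a router's public address is refused unless that address is also listed, which is exactly the case the alternative-name fields are meant to cover.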
Security Policies | Defines the encryption algorithm(s) (Cipher Suite) the OPC UA server offers to its clients. The encryption algorithm is applied to, and secures, the data transfer between OPC UA server and client. Select 'Yes' in the corresponding drop-down list to make the respective algorithm available to clients. If set to 'No', the encryption algorithm cannot be selected in the OPC UA client settings. From top to bottom, the encryption and signature strength increases: