Handling the Security Profile 

Activating the Security Profile

  • Log in to the WBM. 

How do I get to the WBM again?

Establishing a connection to the Web-based Management (WBM):

  • Open a web browser on your computer.
  • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
    for example: https://192.168.1.10/wbm.

For further information, see WBM.

  • Open the Security Profile page (Security → Security Profile) in the WBM. 
  • Click the ACTIVATE SECURITY PROFILE button. 

    ↪ A message window opens.
  • Read the text, make sure that your system is not in production mode and then click the ACTIVATE SECURITY PROFILE button.
     

The PLCnext Control is now reset to default settings (type 1) and then rebooted. However, IP addresses and installed licenses are retained. 

After rebooting you have to log in again.

In the top bar you can see that the Security Profile is activated. 

Note: Now follow the steps from the topic Checking the integrity state.
Note: When the Security Profile is activated, the https certificates are deleted. You must therefore generate the https certificates again and upload them in your browser. Refer to the topics Generating self-signed https certificates in the WBM and Uploading the certificate in the browser.

Login as Security Engineer

Once you have activated the Security Profile, you must set up the Security Engineer user role and then log in as a Security Engineer. Proceed as follows:

  • Open the Security → User management page in the WBM. 
  • Click the + button. 

    ↪ The dialog Add User opens.
  • Enter a username and a password following the password complexity rules.
    (Figure: Add user via WBM)
  • Click the CREATE USER button. 
  • Select a password ruleset (the Admin ruleset is strongly recommended) and click the SET PASSWORD RULES button. 
  • Select the Security role SecurityEngineer.
  • Click the SET USER ROLES button. 
    ↪ You have added a Security Engineer. 
  • When you log in as a Security Engineer, edit the user's initial password.

Effects of the Security Profile

  • With the Security Profile, some WBM pages are no longer accessible for security reasons and are disabled in the WBM navigation. 
  • There are different roles for different activities. You need at least the Engineer role to program in PLCnext Engineer and the Security Engineer role to access the security notifications.
  • You have no root access and no SSH access. 
  • The Security Profile follows the principle of least functionality: only components that have been considered in the threat analysis may run. This specifies exactly what is permissible. 
  • On the System Services page you may see effects of the principle of least functionality: The number of components is limited by the Security Profile. Only activate the services that you actually need. For example, you must decide which visualization mechanism is used (eHMI or OPC UA) and then activate it accordingly. Consider your respective security context. If your network is sufficiently protected by additional organizational measures, you can activate the PROFINET Controller. The PROFINET Device is activated by default.
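
One way to check the principle of least functionality from the network side after activation, as an added example that is not part of the original documentation or of the vendor's software: the script compares which TCP ports on the controller accept connections against a baseline you define. The port numbers 443, 22 and 4840 and the names EXPECTED, port_open and audit are assumptions of this example; a closed SSH port is the assumed observable for "no SSH access".

```python
import socket
import sys

# Expected exposure after activating the Security Profile. Port numbers are
# assumptions (common defaults), not values from this page; adjust to your setup.
EXPECTED = {
    "WBM (HTTPS)": (443, True),   # the WBM is reached via https://<IP>/wbm
    "SSH": (22, False),           # assumed observable for "no SSH access"
    "OPC UA": (4840, False),      # set to True only if you activated OPC UA
}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, expected=EXPECTED, probe=port_open):
    """Compare observed reachability with the expected baseline.

    Returns one (service, port, expected_open, observed_open) tuple per
    deviation; an empty list means the controller matches the baseline.
    """
    deviations = []
    for service, (port, should_be_open) in expected.items():
        observed = probe(host, port)
        if observed != should_be_open:
            deviations.append((service, port, should_be_open, observed))
    return deviations


def main(host):
    """Print every deviation and return a non-zero exit code if any exist."""
    label = {True: "open", False: "closed"}
    findings = audit(host)
    for service, port, want, got in findings:
        print(f"DEVIATION {service} (tcp/{port}): "
              f"expected {label[want]}, observed {label[got]}")
    if not findings:
        print("Exposure matches the expected baseline.")
    return 1 if findings else 0


if __name__ == "__main__":
    # 192.168.1.10 is the example controller address used on this page.
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"))
```

Run it from an engineering workstation in the same network segment, once after the reboot and again after each change on the System Services page.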

→ Go to the topic Creating users to set up additional users and login conditions.

 For more information on the different roles and rights, refer to the User Authentication WBM topic in the PLCnext Technology ‑ Info Center.

 

 


• Published/reviewed: 2025-06-27 • Revision 018 •