Security

This topic refers to the configuration of the OPC UA client regarding the security requirements when connecting to a remote OPC UA server.

Supported user authentication

The user of the OPC UA client can authenticate itself towards the remote OPC UA server using the following supported user tokens:

  • Anonymous
  • Username / Password

Supported security policies

The OPC UA communication can be secured using different security policies. By default, the best security policy offered by the server is selected. If that best policy is no longer regarded as secure, or if the best the server offers is the security policy None, a specific security policy can be selected instead.

The following security policies are supported:

  • None
  • Basic128Rsa15*
  • Basic256*
  • Basic256Sha256
  • Aes128Sha256RsaOaep
  • Aes256Sha256RsaPss

Note: Security policies marked with * are no longer considered secure and are not offered when best available is selected.

Supported security modes

The OPC UA client supports the security modes None, Sign and SignAndEncrypt. Depending on the environment in which the device is used, messages can be signed (to ensure integrity) or signed and encrypted (to ensure confidentiality as well). The security mode can be configured individually for each server connection.
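The selection rules described under security policies and security modes, as an added example that is not PLCnext code: it ranks the policies listed on this page (OPC Foundation names), skips the policies marked with * when no policy is pinned, and shows why a server that only offers None or a deprecated policy falls back to an unprotected channel unless a policy is selected explicitly. The ranking order, the `Endpoint` type and the `LEGACY_SERVER` sample are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Policies from this page, ranked weakest to strongest (OPC Foundation names).
POLICY_RANK = {"None": 0, "Basic128Rsa15": 1, "Basic256": 2,
               "Basic256Sha256": 3, "Aes128Sha256RsaOaep": 4,
               "Aes256Sha256RsaPss": 5}
# Policies the page marks with *: skipped when "best available" is selected.
DEPRECATED = {"Basic128Rsa15", "Basic256"}
MODE_RANK = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}


@dataclass(frozen=True)
class Endpoint:
    """One (policy, mode) pair from a server's advertised endpoint list."""
    policy: str
    mode: str


def select_endpoint(endpoints: Iterable[Endpoint], policy: Optional[str] = None,
                    mode: Optional[str] = None) -> Optional[Endpoint]:
    """Pick the endpoint to use (assumed model of the rules in the text above).

    policy=None means "best available": strongest non-deprecated policy, then
    the strongest mode offered with it. Pinning a policy is the only way a
    deprecated policy gets selected; pinning a mode narrows the choice further.
    """
    candidates = [e for e in endpoints
                  if e.policy in POLICY_RANK and e.mode in MODE_RANK]
    if policy is None:
        candidates = [e for e in candidates if e.policy not in DEPRECATED]
    else:
        candidates = [e for e in candidates if e.policy == policy]
    if mode is not None:
        candidates = [e for e in candidates if e.mode == mode]
    if not candidates:
        return None
    return max(candidates, key=lambda e: (POLICY_RANK[e.policy], MODE_RANK[e.mode]))


def is_unprotected(endpoint: Optional[Endpoint]) -> bool:
    """True if nothing was selected or traffic would be neither signed nor encrypted."""
    return endpoint is None or endpoint.policy == "None" or endpoint.mode == "None"


# Constructed sample: a server that only offers None or a deprecated policy.
LEGACY_SERVER = [Endpoint("None", "None"), Endpoint("Basic128Rsa15", "Sign")]
if __name__ == "__main__":
    best = select_endpoint(LEGACY_SERVER)   # best available falls back to None/None
    print(best, is_unprotected(best), select_endpoint(LEGACY_SERVER, "Basic128Rsa15"))
```

Checking `is_unprotected` on the result before connecting is the point: with the legacy server the default rule yields None/None, which the page's note says is when a specific policy should be configured.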

Certificate stores

The user can override the names of the identity stores and the trust stores. The description below uses the default names, which apply if nothing is configured.

Identity store

The identity store named OPC UA client self-signed holds a self-signed certificate that is generated on first start of the OPC UA client. The certificate uses the same URLs and IP addresses that are configured for the OPC UA server. The certificate in this identity store is used only if the identity store named OPC UA client is empty.

Note: The IP address and NodeName can be changed in the server settings in PLCnext Engineer and are applied during download changes. Every change results in a new certificate, which needs to be accepted by the remote server.

The identity store named OPC UA client can be used to provide a manually created Application Instance Certificate for the OPC UA client.

Trust store

The trust store named OPC UA client holds the certificates of the trusted servers. The user must add the certificates of all servers the client is to communicate with.

Published/reviewed: 2024-05-06, Revision 068