Using Security Profiles

Available from 2022.0 LTS for the PLCnext Control AXC F x152 series,
and from 2023.0 LTS also for RFC 4072S

Security configurations can be edited and stored by users in persistent profiles which need to be activated and deactivated via the Web-based Management (WBM) on demand via the Security profiles page.

If no security profile is active all security-related settings are managed by the Security Profile Manager (SPM).

Prerequisites and limitations

Note: Activating a security profile triggers the system to be reset to factory defaults type 1, but

an IP configuration is retained
an HTTPS certificate is retained
any licenses are retained

After reset, the System Services WBM page may show less services due to inactive services for the current security profile.

Make sure the Netload Limiter service stays active for further configuration!

Please note the guidelines in our PLCnext Security Info Center.
For developing secure-by-design, IEC 62443‑2 compliant applications with PLCnext Technology, get a good grasp of the concepts used in the security context.

Licensing the Security Profile

Note: This step is only necessary if working on PLCnext Control devices running on 2022.0 LTS firmware.

Getting a Security Profile license

Before activating a security profile:

To enable the Security Profile, you must activate the license for the PLCnext Security Profile. To get the Security Profile license, proceed as follows:

Please contact Phoenix Contact.
Your personal contact will send you a ticket ID.
Go to the CodeMeter License Central WebDepot, enter your ticket ID and click the Next button.
Follow the further instructions.

Activating a Security Profile license

Return to topicHow do I get to the WBM again? Click here for more information...

Establishing a connection to the Web-based Management (WBM):

Open a web browser on your computer.
In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
for example: https://192.168.1.10/wbm.

For further information, see WBM.

Open the License Management page (Administration → License Management).
Open the Offline Activation tab.

On the Offline Activation tab, licenses can be activated and deactivated offline with license files provided by the PLCnext Store.

The Offline Activation Wizard will guide you through the activation process and provides further information.

Offline Activation step 1: Create license context

Note: There are two options to create a license container. Option 1 is the standard procedure. Option 2 is the alternative approach. Only use Option 2 when you are asked to do so by the Phoenix Contact support.

Option1

If no container was found, create one directly via the standard procedure Option 1.

Select from the drop-down menu whether you want to create a license container for the PLCnext device or the SD card (available from 2021.9).
Click on Create container.

Option2

Option 2 is only needed when you are asked by the licenser to import a specific *.WibuCmLIF file.

A *.WibuCmRaC license context file will be created.

Download the license context file and save it on your PC.

Switch to the PLCnext Store

Upload the *.WibuCmRaC license context file in the PLCnext Store.

The PLCnext Store will generate a *.WibuCmRaU (license update) file based on the information from the uploaded license context file.

Download the generated update file and save it on your PC.

Offline Activation step 2: Upload license update

Upload the *.WibuCmRaU license update by clicking on the Browse... button.

Offline Activation step 3: Create license receipt

A *.WibuCmRaR (license receipt) file is generated and provided for download.

Download the *.WibuCmRaR license receipt file from the WBM and save it on your PC.

Switch to the PLCnext Store

To complete the offline licensing, upload the license receipt file (*.WibuCmRaR) in the PLCnext Store.

If activating the license was successful, it is listed on the View Containers tab on the License Management page:

After activating a security profile, a newly generated Netload Limiter configuration contains default values with all limits disabled (depending on the controller type). These configuration should be checked and adjusted.

Note: As long as a security profile is active, do not downgrade to a firmware version previous to 2022.0 LTS!

Note: If your PLCnext Control works with an SD card and you want to use data from that SD card on another controller, make sure that controller is also equipped with firmware 2022.0 LTS or higher!

Configuring a Security Profile

Activating a Security Profile generates an XML file with settings for the Secure Shell (ssh) to be used for the connection. The default is port number 22.

This XML file should not be altered manually. An additional to the WBM page for this will be available soon.

Activating a Security Profile

If the above steps are done properly, you're ready to activate a Security Profile on your PLCnext Control.

This is done by means of the Security Profile WBM page.