OPC UA Source System: Security Tab
Use
On this tab, you make the settings for secure connections and user authentication for OPC UA source systems.
If a secure connection is to be set up, X.509 v3 certificates are used so that the PCo system can identify itself as a client to the OPC UA server and vice versa. In the context of OPC UA, the certificates used here are called application certificates.
Procedure
Certificates
- You can generate and assign an application certificate for the Application Certificate field. PCo can identify itself to its OPC UA server using this self-signed certificate. To generate a certificate, choose the Generate and Assign Application Certificate icon. The Generate Self-Signed OPC UA Client Certificate From Defaults dialog box appears, where you make the settings for certificate generation. See also: Generate and Assign a Self-Signed Certificate.
- Choose Change Application Certificate Assignment to select and assign another certificate in the certificate browser.
- Specify the identification type for the selected application certificate. If you select the Identification by Subject option, certificate rotation is supported. (See also: Identification Type of Certificates.)
- If you choose Remove Application Certificate Assignment, the assignment of the generated certificate is removed. The certificate itself remains in the Microsoft certificate store and can be selected for other OPC UA source systems.
- Choose the Validation Options pushbutton to define which checks are performed on server certificates. For more information, see Validation Options for Server Certificates.
- Select the Send Certificate Chain checkbox if the application certificate of the agent instance has been signed with a root certificate and is therefore part of a certificate chain. This option controls whether the agent instance attempts to build this chain and send it to the server when a secure connection is being set up. In that case, the agent instance searches recursively in specific certificate stores for the certificate that signed the application certificate (or the CA certificate found last), and then sends the certificates it has found to the server. The server needs any certificates it does not already hold in order to validate the chain. Not every server supports receiving certificate chains. Deselect the checkbox if you want to connect the OPC UA agent instance to such a server; in that case, you must make the certificate chain known to the server manually, if necessary. If you do not select the checkbox, the agent instance sends only its application certificate.
Session Authentication
In this screen area, you define the settings for authentication of the OPC UA session:
| Field | Description |
|---|---|
| Authentication Mode | The authentication mode is used to authenticate the user session to the OPC UA server session. The following authentication modes are available: |
| Session Certificate | Here you can select an X.509 v3 certificate that the OPC UA server uses to authenticate the user session. This field is ready for input only if you choose the Certificate option in the Authentication Mode field. |
| Identification Type | Select the identification type for the selected session certificate. (See also: Identification Type of Certificates.) |
| User Name | User name used by OPC UA to authenticate the user when establishing a secure session. This field is ready for input only if you choose the User Name and Password option in the Authentication Mode field. |
| Password | Password used by OPC UA to authenticate access to a user-specific session. |
Certificate Storage Configuration for the Application Certificate of the UA Server
Store for Trusted Server Certificates
Here you enter the store type and the folder. The store location for the certificates that the OPC UA agent is to trust can be configured for each source system individually. You have the following options:
- Store Type Microsoft Certificate Store: With this setting, an OPC UA client automatically searches the selected folder of the Microsoft Certificate Store for a server certificate when a connection is being established. You can select specific folders of the Microsoft Certificate Store here.
- Store Type File System: With this option, you specify the store location in the file system for the certificates that the OPC UA agent is to trust. You can specify specific directories in the directory tree. By default, a subfolder is offered in the directory that is usually used under MS Windows for storing all-user configurations. By choosing the File System setting, you define where the OPC UA agent searches for the server certificate with its public key. If you choose a directory in the Folder field, the directory and its subfolder certs are created.
For a secure connection, the server uses either a self-signed X.509 v3 certificate or an X.509 v3 certificate that is embedded in a hierarchy of certificates. In both cases, the server sends its application certificate to the client when the connection is being set up. The entire chain needs to be available to the client for validation. At least one certificate from the chain must be in the store for trusted certificates, placed there in the subfolder certs by the system administrator. The remaining certificates can either be stored in the store for trusted issuers or be sent by the server.
Store for Rejected Server Certificates
When an OPC UA client wants to set up a secure connection to an OPC UA server, it receives a certificate with a public key from the server. The client accepts this certificate if it regards it as trustworthy (see the previous point).
Otherwise, if the certificate is valid, it is stored in the store for rejected server certificates. With this setting, you define the store location for rejected server certificates. If the server is using a self-signed certificate, you can, after an unsuccessful connection attempt, copy the certificate from this store location to the store for trusted certificates. This establishes the trust relationship between the server and client on the PCo side. A root certificate, by contrast, must be made known in another way, for example manually.
Store for Trusted Issuer Certificates
If the application certificate of the UA server is embedded in a certificate hierarchy, the related root certificate needs to be available to establish a trust relationship to the server. You need to store this root certificate in the subfolder certs of the directory that can be configured with this option.
As in the case of trusted server certificates, this directory should be writable only by system administrators if it is created in the file system. Note that after an unsuccessful connection attempt you will not find the root certificate in the store for rejected certificates.
The root certificate can also be stored in the store for trusted certificates. In this case, the application certificate must not be stored there. This allows you to easily set up a trust relationship to multiple servers. In this case too, the complete certificate chain must be known to the OPC UA agent instance when a certificate chain is used.
If the server certificate is not valid (for example, because its validity period has expired) and you nevertheless want to suppress the failed validation of this certificate, the invalid certificate must be stored in the store for trusted certificates, even if a valid root certificate exists for it. In this case too, however, the server certificate is not placed in the store for rejected certificates; instead, you need to import it from the server.
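The chain-building behaviour of the Send Certificate Chain option and the three store locations described above, as an added Go example that is not part of this documentation or of PCo itself: it creates a constructed lab PKI (root CA, issuing CA, and server certificates) with Go's standard crypto/x509 package, reconstructs the chain in the way the recursive issuer search is described, and then applies the trust rules from this page (a byte-identical copy in the trusted store is accepted outright; otherwise the chain must be complete from what the server sent plus both stores, time-valid, and contain at least one trusted-store member; a valid but untrusted certificate is what lands in the rejected store, an invalid one is not). The function names newCert, buildChain, evaluate and scenarios, the scenario names, and the representation of the stores as in-memory slices are assumptions of this example; PCo's actual implementation and folder layout are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcomes for a server application certificate, matching the three store locations on this page.
const Trusted, Rejected, Invalid = "trusted", "rejected", "invalid"

// newCert builds a lab certificate (constructed test PKI, not a real OPC UA certificate; key usage omitted);
// it is self-signed when parent is nil, otherwise signed by parent with parentKey.
func newCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildChain is the recursive search that Send Certificate Chain describes: starting at the application
// certificate, find the store certificate that signed the last one found (checked by signature), until a
// self-signed root is reached. A trust anchor is recognised by identity, so its own signature is not checked.
func buildChain(app *x509.Certificate, stores []*x509.Certificate) []*x509.Certificate {
	chain := []*x509.Certificate{app}
	for last := app; !bytes.Equal(last.RawIssuer, last.RawSubject); last = chain[len(chain)-1] {
		var issuer *x509.Certificate
		for _, c := range stores {
			if bytes.Equal(c.RawSubject, last.RawIssuer) && last.CheckSignatureFrom(c) == nil {
				issuer = c
			}
		}
		if issuer == nil {
			break // issuer unknown: the chain stays incomplete
		}
		chain = append(chain, issuer)
	}
	return chain
}

// evaluate applies this page's rules to the server's application certificate: an exact copy in the trusted
// store is accepted outright (this is what suppresses a failed validation of an expired server certificate);
// otherwise the chain must be complete from sent + stores, time-valid, and anchored by a trusted-store member.
func evaluate(server *x509.Certificate, sent, trusted, issuers []*x509.Certificate, now time.Time) string {
	isTrusted := map[string]bool{} // keyed by raw DER: only a byte-identical certificate counts
	for _, t := range trusted {
		isTrusted[string(t.Raw)] = true
	}
	if isTrusted[string(server.Raw)] {
		return Trusted
	}
	chain := buildChain(server, append(append(append([]*x509.Certificate{}, sent...), trusted...), issuers...))
	anchored := false
	for _, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return Invalid // an invalid certificate is not written to the rejected store
		}
		anchored = anchored || isTrusted[string(c.Raw)]
	}
	if anchored && bytes.Equal(chain[len(chain)-1].RawIssuer, chain[len(chain)-1].RawSubject) {
		return Trusted
	}
	return Rejected // valid but untrusted: this is what lands in the rejected store
}

// scenarios runs the cases discussed on this page against the constructed lab PKI.
func scenarios() map[string]string {
	now, c := time.Now(), func(x ...*x509.Certificate) []*x509.Certificate { return x }
	root, rootKey := newCert("Lab Root CA", true, now.Add(48*time.Hour), nil, nil)
	ica, icaKey := newCert("Lab Issuing CA", true, now.Add(48*time.Hour), root, rootKey)
	server, _ := newCert("UaServer", false, now.Add(48*time.Hour), ica, icaKey)
	expired, _ := newCert("UaServer-expired", false, now.Add(-30*time.Minute), ica, icaKey)
	selfSigned, _ := newCert("UaServer-selfsigned", false, now.Add(48*time.Hour), nil, nil)
	full, fullExpired := buildChain(server, c(ica, root)), buildChain(expired, c(ica, root)) // what Send Certificate Chain transmits
	return map[string]string{
		"chain sent, issuing CA trusted, root in issuers": evaluate(server, full, c(ica), c(root), now),
		"leaf only sent, root in issuers":                 evaluate(server, c(server), c(), c(root), now),
		"chain sent, root in trusted store":               evaluate(server, full, c(root), c(), now),
		"self-signed, first attempt":                      evaluate(selfSigned, c(selfSigned), c(), c(), now),
		"self-signed, copied to trusted store":            evaluate(selfSigned, c(selfSigned), c(selfSigned), c(), now),
		"expired leaf, valid root in trusted store":       evaluate(expired, fullExpired, c(root), c(), now),
		"expired leaf imported into trusted store":        evaluate(expired, c(expired), c(expired), c(), now),
	}
}

func main() {
	fmt.Println(scenarios())
}
```

Running it prints the decision for each scenario. The "leaf only sent" case shows why Send Certificate Chain matters when the intermediate CA is in neither store, the two self-signed cases reproduce the copy-from-rejected-store workflow, and the two expired cases show why an invalid certificate never appears in the rejected store and has to be imported from the server into the trusted store instead.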