OPC UA discovery/connection options

Server

The eUA server provides an ApplicationDescription with the fields ApplicationUri, ApplicationName and DiscoveryUrl. These fields include the host name, which is either the IP address of the controller or its DNS name.

Endpoints

The eUA server offers an endpoint to which the clients can connect. In its URL, you can either configure the IP address of the controller or the DNS name. Implement the configuration in the PLCnext Engineer software:

  • In PLCnext Engineer, open the OPC UA node in the PLANT area.
  • In the Basic settings, enter either the DNS name or the IP address in the input field.

For more information on configuring the host name, refer to the host name configuration documentation.

Ethernet ports at the controller

Currently, the endpoint is not bound to a specific Ethernet adapter of the controller. Therefore, a connection is possible via all adapters.

Encryption algorithms

The eUA server provides an endpoint description for each security configuration.

Supported endpoint configurations:

Security Policy | Message Security Mode | User Identity Token
None** | None** | Anonymous**
Basic128RSA15* | Sign | Username/Password, Anonymous
Basic128RSA15* | Sign and Encrypt | Username/Password, Anonymous
Basic256* | Sign | Username/Password, Anonymous
Basic256* | Sign and Encrypt | Username/Password, Anonymous
Basic256Sha256 | Sign | Username/Password, Anonymous**
Basic256Sha256 | Sign and Encrypt | Username/Password, Anonymous**
Aes128Sha256RsaOaep | Sign | Username/Password, Anonymous**
Aes128Sha256RsaOaep | Sign and Encrypt | Username/Password, Anonymous**
Aes256Sha256RsaPss | Sign | Username/Password, Anonymous**
Aes256Sha256RsaPss | Sign and Encrypt | Username/Password, Anonymous**

*Note: By default, the Basic 128 RSA15 encryption algorithm is not activated, as this algorithm is no longer regarded as secure. However, you can activate it to connect the eUA server to older OPC UA clients that support nothing stronger.

**Note: Not regarded as secure. Therefore, it is disabled by default and not recommended, but it becomes available if PLCnext user authentication is disabled.

Server Certificate

The eUA server identity (ServerCertificate) is held by the PLCnext certificate store infrastructure.
The OPC UA identity store is selected according to the server certificate configuration:

Server Certificate | Identity Store
Self signed by controller | OPC UA-self-signed
File on controller | OPC UA-configurable
Provided by OPC UA GDS | <ServerIdentityStore>

Note the following for the server certificates:

  • Self signed by controller
    The controller stores a certificate in the Identity Store OPC UA-self-signed. This certificate is newly created during the project download if the OPC UA security settings in PLCnext Engineer have been changed. If the identity store is empty and the self-signed option is selected, the eUA server generates a key pair and creates a self-signed certificate.
    OPC UA-configurable is used as the Trust Store. Via WBM you can store the certificates of the trusted clients. As long as the trust store is empty, the firmware accepts every client.
  • File on controller
    In this case, the Identity Store OPC UA-configurable is used. Via WBM you have to store the certificate and the private key.
    OPC UA-configurable is used as the Trust Store. Via WBM you can store the certificates of the trusted clients. As long as the trust store is empty, the firmware accepts every client.
  • Provided by OPC UA GDS
    You can specify a name for an Identity Store and a Trust Store. The certificates distributed by the OPC UA GDS server are stored there. You can find an overview of the stored certificates in the WBM. Do not make any changes in the WBM, because these two stores are managed via OPC UA GDS.

Note: The following applies to all configurations: "Reset to default setting" deletes all Identity Store and Trust Store settings.

To configure the server certificate configuration, refer to Server certificate.

To manage certificates, refer to Certificate authentication.

Security Policy

The eUA server supports the following security policies for message signing and encryption:

  • Basic 128 RSA15
  • Basic 256
  • Basic 256 SHA256
  • Aes128Sha256RsaOaep
  • Aes256Sha256RsaPss

By default, the Basic128Rsa15 and Basic256 encryption algorithms are disabled, as these algorithms are no longer regarded as secure. However, they can be activated through the eUA server configuration for older OPC UA clients that support nothing stronger.

To configure the security policies, refer to Security policies.

Security Mode

The eUA server enables the message security modes Sign as well as Sign and Encrypt for encrypted endpoints by default.
SecurityPolicy#None is disabled by default but is enabled if PLCnext user authentication is disabled (not recommended).

To disable user authentication refer to User Authentication.

Note: If user authentication is disabled, the OPC UA client does not have to authenticate itself to the OPC UA server. This way, unrestricted access to the OPC UA server and the PLCnext controller is possible.

User Identity Token

The eUA server supports username identity tokens with password for encrypted endpoints by default. Username identity tokens are not supported for non-encrypted endpoints.

The anonymous identity token is disabled by default. To enable the anonymous identity token, user authentication must be disabled.

To disable user authentication refer to User Authentication.
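The endpoint table above and the Security Policy, Security Mode and User Identity Token sections together define what a hardened eUA server should expose. The following added example (not part of the PLCnext documentation) checks a list of endpoint descriptions, as a client would receive them from GetEndpoints, against those rules: it flags a SecurityPolicy#None endpoint, a re-enabled deprecated policy, and an accepted anonymous token. The endpoint list, host name and port are constructed sample data; the policy URIs and MessageSecurityMode values are the standard OPC UA ones.

```python
from dataclasses import dataclass

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
# Disabled by default on the eUA server: no longer regarded as secure.
DEPRECATED_POLICIES = {POLICY_BASE + "Basic128Rsa15", POLICY_BASE + "Basic256"}
# Enabled by default on the eUA server.
CURRENT_POLICIES = {POLICY_BASE + "Basic256Sha256",
                    POLICY_BASE + "Aes128_Sha256_RsaOaep",
                    POLICY_BASE + "Aes256_Sha256_RsaPss"}
# OPC UA MessageSecurityMode enumeration values.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3


@dataclass(frozen=True)
class Endpoint:
    """Subset of the OPC UA EndpointDescription fields relevant to this audit."""
    url: str
    security_policy_uri: str
    security_mode: int
    token_types: tuple  # UserTokenType names, e.g. ("UserName",) or ("Anonymous",)


def assess_endpoint(ep):
    """Return findings for one endpoint; an empty list means it matches the eUA defaults."""
    findings = []
    if ep.security_policy_uri == POLICY_BASE + "None" or ep.security_mode == MODE_NONE:
        findings.append("SecurityPolicy#None endpoint exposed: user authentication has been disabled")
    elif ep.security_policy_uri in DEPRECATED_POLICIES:
        findings.append("deprecated policy enabled (Basic128Rsa15/Basic256): keep only for legacy clients")
    elif ep.security_policy_uri not in CURRENT_POLICIES:
        findings.append("unrecognised security policy: " + ep.security_policy_uri)
    if "Anonymous" in ep.token_types:
        findings.append("anonymous identity token accepted: user authentication has been disabled")
    return findings


def audit(endpoints):
    """Map a label '<policy>/<mode>' to the findings for each endpoint."""
    return {f"{ep.security_policy_uri.rsplit('#', 1)[1]}/{ep.security_mode}": assess_endpoint(ep)
            for ep in endpoints}


# Constructed sample (hypothetical host): a controller whose defaults were loosened,
# i.e. Basic256 re-enabled and PLCnext user authentication switched off.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc.example.invalid:4840", POLICY_BASE + "None", MODE_NONE, ("Anonymous",)),
    Endpoint("opc.tcp://plc.example.invalid:4840", POLICY_BASE + "Basic256", MODE_SIGN_AND_ENCRYPT, ("UserName", "Anonymous")),
    Endpoint("opc.tcp://plc.example.invalid:4840", POLICY_BASE + "Aes256_Sha256_RsaPss", MODE_SIGN_AND_ENCRYPT, ("UserName",)),
]

if __name__ == "__main__":
    for label, findings in audit(SAMPLE_ENDPOINTS).items():
        print(label, "OK" if not findings else "; ".join(findings))
```

Only the Aes256_Sha256_RsaPss endpoint with a username token passes; the other two reproduce the conditions the notes above warn about.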

Published/reviewed: 2022-09-14, Revision 046