Security - User Authentication page

Accessibility

This WBM page is accessible with the following user roles:

  • Admin
  • SecurityAdmin (from firmware 2022.0 LTS)
  • UserManager

How to get into the WBM

Establishing a connection to the Web-based Management (WBM):

  • Open a web browser on your computer.
  • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
    for example: https://192.168.1.10/wbm.

For further information, see WBM.

Screenshot: User Authentication page (firmware release 2022.0 LTS or newer; the page looks different in former firmware releases)

General configuration

User authentication

If user authentication is enabled, authentication with a user name and password is required for access to certain components of the controller and certain functions in PLCnext Engineer.

If user authentication is disabled, no authentication is necessary to access the WBM or the OPC UA server of the controller, or to access the controller using PLCnext Engineer.

Access to the file system via SFTP and access via Secure Shell (SSH), however, always require authentication (with administrator rights), even if user authentication is disabled.

User authentication is enabled by default. In the delivery state, the admin user is already created with administrator rights.

Recommended:

  • Use the administrator password printed on the controller only for initial login into WBM. Once you have logged in successfully, change the administrator password to prevent unauthorized administrator access.

The modified administrator access data is stored in the overlay file system which is usually located on the internal parameterization memory. If you operate the controller with an SD card, the overlay file system is located on the SD card.

Recommended:

  • If operating the controller with an SD card, make sure to restrict access to the control cabinet, and to the SD card once it has been removed from the controller's card slot.

Security note: Enabled user authentication only provides a limited degree of protection against unauthorized network access. Due to the communication interfaces of the controller, the controller should not be used in security-critical applications unless additional security appliances are in place.

Enabling/disabling user authentication

To enable/disable user authentication, proceed as follows:

  • Click on the Enable/Disable button next to the User Authentication check box.

The Enable/Disable User Authentication dialog opens.

Screenshot: Enable/Disable User Authentication dialog

  • To enable user authentication, enable the User Authentication check box.
  • To disable user authentication, disable the User Authentication check box.
  • Click the Save button to apply the setting.

System use notification

Available from firmware 2021.0 LTS

The system use notification is displayed each time a user wants to log on to the controller via WBM, PLCnext Engineer or via SFTP and SSH. The system use notification is independent of the language of the user interface in WBM and PLCnext Engineer. You should therefore take all required languages into account when editing.

To edit the system use notification, proceed as follows:

  • Click the Edit Notification button.
  • Edit the System Use Notification in the input window that opens.
  • Confirm the entry by clicking the Save button.

The text is then transferred to the controller and stored.

Note: The displayed text is stored in a .txt file on the controller by default and can also be changed or replaced if necessary. The file can be found on the file system of the controller under /opt/plcnext/config/System/Um/UmSystemUseNotifcation.txt. To change the file, you must be logged in as Linux user admin.

User Management tab

Available from firmware 2022.0 LTS

In the User Management tab (firmware 2022.0 LTS or newer; former releases had no tabs on this page), the access data of all users who are authorized to access the controller is managed, and the required access permissions are assigned to each user.

Storage for user data

The access data of all newly created users is stored in the overlay file system which is located on the internal parameterization memory. If you operate the controller with an SD card, the overlay file system is located on the SD card. If an SD card is inserted into another controller of the same type, the access data stored on the SD card is used for access to that other controller.

Before inserting the SD card into another controller please note:

If you have changed the administrator access data after logging into WBM for the first time, the modified access data stored on the SD card will be used for access to the controller. In this case, it is no longer possible to log in with the admin user name and the administrator password printed on the device.

User management table

  • The User column shows all existing user names. From firmware release 2022.6, it can also show warning icons to the right of a user name:
    • A warning indicates that a user password will expire soon.
    • An urgent warning indicates that a user password has already expired.
  • The Roles column shows all assigned User roles for each user.
  • The Password Policy column shows the currently set Password complexity rule set for each user.
  • The rightmost column contains the buttons for the user management functions that are described in the sections below.

Note: The activation is rejected if the maximum PLCnext session count is reached.

  • For firmware up to 2021.9 the maximum session count is fixed at 32.
  • From firmware 2022.0 LTS, the maximum count can be set by admin users (see Session Configuration tab), so it might be reached earlier or later.

If user authentication seems to fail for unknown reasons, see Authentication failure handling.

Adding a user

Proceed as follows to add a user:

  • Click on the Add User button below the table.

The Add User dialog opens.

Screenshot: Add User dialog

  • Enter the user name and password into the respective input fields;
    note the length limitation of 63 bytes* for user names and 127 bytes* for passwords.
    From firmware 2022.0 LTS, Password complexity rules apply additionally.
    Observe the following rules when assigning the user name (otherwise the new user will be rejected):
    • It must consist of at least one character.
    • It must not be longer than 63 characters (excluding the terminating character at position 64).
    • It must not contain any of the characters \ ( ) $.
  • To add the user in the user manager, click on the Add button.

* The characters are encoded using UTF-8, so the number of bytes used for a character depends on which character is entered. Characters can be coded with one byte (e.g. letters a-z or digits 0-9) and up to four bytes (e.g. special characters, umlauts, etc.). The length limitation therefore limits the number of bytes, not the number of characters.
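As an added example that is not part of the PLCnext documentation or firmware, the following Python snippet applies the user name and password limits from this section, counting UTF-8 bytes rather than characters; it reads the forbidden set as the four characters \ ( ) $ (an assumption) and does not model the Password complexity rule sets.

```python
# Added example, not part of the PLCnext documentation or firmware: checks a user
# name and password against the limits stated on this page. Lengths are measured
# in UTF-8 *bytes* (the controller keeps a terminating character at position 64
# of the name), so a 40-character name made of umlauts already exceeds 63 bytes.
USER_NAME_MAX_BYTES = 63
PASSWORD_MAX_BYTES = 127
# Reading of the page's "\ , ( , ) , $" as four forbidden characters (assumption).
FORBIDDEN_USER_NAME_CHARS = frozenset("\\()$")


def utf8_len(text: str) -> int:
    """Length in bytes after UTF-8 encoding, which is what the limit counts."""
    return len(text.encode("utf-8"))


def check_user_name(name: str) -> list[str]:
    """Return a list of rule violations; an empty list means the name is accepted."""
    errors = []
    if not name:
        errors.append("user name must consist of at least one character")
    if utf8_len(name) > USER_NAME_MAX_BYTES:
        errors.append(f"user name is {utf8_len(name)} UTF-8 bytes, limit is {USER_NAME_MAX_BYTES}")
    bad = sorted(set(name) & FORBIDDEN_USER_NAME_CHARS)
    if bad:
        errors.append("user name contains forbidden character(s): " + " ".join(bad))
    return errors


def check_password(password: str) -> list[str]:
    """Only the byte-length limit is modelled; the Password Policy rule sets are not."""
    if utf8_len(password) > PASSWORD_MAX_BYTES:
        return [f"password is {utf8_len(password)} UTF-8 bytes, limit is {PASSWORD_MAX_BYTES}"]
    return []


if __name__ == "__main__":
    # Constructed sample inputs: one valid name, one too long in bytes only,
    # two with forbidden characters; passwords just below and above the limit.
    for candidate in ["plc_operator", "ä" * 40, "svc$backup", "a(b)\\c"]:
        print(f"{candidate[:16]!r:20} -> {check_user_name(candidate) or 'OK'}")
    for candidate in ["ü" * 63, "ü" * 64, "x" * 127, "x" * 128]:
        print(f"{len(candidate):3d} chars, {utf8_len(candidate):3d} bytes -> "
              f"{check_password(candidate) or 'OK'}")
```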

 

Changing a user password

  • Click on the Set Password button in the line of the desired user on the User Authentication page.

The Set User Password dialog opens.

Screenshot: Set User Password dialog

  • Enter the new password in the New Password and Confirm Password input fields;
    note the length limitation of 127 bytes* for passwords.
    From firmware 2022.0 LTS, Password complexity rules apply additionally.
  • To save the new password, click on the Save button.

* See the note on UTF-8 encoding under Adding a user: the limit counts bytes, not characters.

Modifying user roles

You can select one or more user roles with different permissions for each user.
These permissions control access to aspects of the controller:

  • Access to the file system of the SD card in the controller (if an SD card is used)
  • Access to the controller by means of PLCnext Engineer or via Secure Shell (SSH)
  • Access to the embedded human-machine interface (eHMI) set up with PLCnext Engineer
  • Access to the pages of the Web-based Management (WBM) on the controller
  • Access to the OPC UA server on the controller

For two controllers in a system redundancy context, user roles set on the primary controller are automatically synchronized with the backup controller.

To assign one or more user roles to a user, proceed as follows:

With firmware ≥ 2022.0 LTS:

  • In the table row of the user in question, click on the Edit User button.

The Edit User Configuration dialog opens.

Screenshot: Edit User Configuration dialog

  • Enable/disable the check box behind the user role(s) that you would like to assign/retract.
  • Click on the Save button to save the selected user role(s) for the user.

With firmware ≤ 2021.9:

  • In the table row of the user in question, click on the Modify Roles button.

The Modify Roles dialog opens.

Screenshot: Modify User Role dialog (up to firmware 2021.9)

  • Enable/disable the check box of the user role(s) that you would like to assign/retract.
  • Click on the Save button to save the selected user role(s) for the user.

Note: You can manage access permission to the PLCnext Engineer HMI application via the EHmiLevel1...EHmiLevel10, EHmiViewer and EHmiChanger user roles. The assigned user roles specify if and to what extent a user can read and write to the HMI application. For detailed information on restrictions in a PLCnext Engineer HMI application as well as on handling HMI user roles, please refer to the PLCnext Engineer help function.

User roles and their assigned access permissions in the various applications

The following overview shows the user roles implemented in the firmware. Some user roles have been introduced with recent firmware updates.

Note: Additional roles may be necessary, e.g. for the Device and Update Management.

The table has one column per user role: Admin, SecurityAdmin, SecurityAuditor, CertificateManager, UserManager, Engineer, Commissioner, Service, DataViewer, DataChanger, Viewer, FileReader, FileWriter, EHmiLevel1..10, EHmiViewer and EHmiChanger. Its rows are the following access permissions, grouped by application or component of the controller (the per-role marks of the table could not be reproduced in text):

  • SD card/parameterization memory: SFTP access to the file system with an SFTP client.
    Please note: Authentication with a user name and password is always required for SFTP access, even if user authentication is disabled.
  • Shell: SSH access to the shell.
    Please note: Authentication with a user name and password is always required for SSH access, even if user authentication is disabled.
  • PLCnext Engineer: View values in the cockpit (e.g., utilization)
  • PLCnext Engineer: Transfer a project to the controller
  • PLCnext Engineer: Start (cold/warm restart) or stop the controller
  • PLCnext Engineer: Restart the controller (reboot)
  • PLCnext Engineer: Reset the controller to default setting type 1
  • PLCnext Engineer: View online variable values
  • PLCnext Engineer: Overwrite variables
  • PLCnext Engineer: Set and delete breakpoints
  • WBM: Information - General Data
  • WBM: Information - Network configuration (up to firmware 2021.0 LTS)
  • WBM: Diagnostics - PROFINET
  • WBM: Diagnostics - Local Bus
  • WBM: Diagnostics - Notifications
  • WBM: Configuration - Network (from firmware 2021.6; view only for some roles)
  • WBM: Configuration - PLCnext Store
  • WBM: Configuration - Proficloud Services
  • WBM: Configuration - Fan Control
  • WBM: Configuration - SPLC
  • WBM: Configuration - Web Services
  • WBM: Security - User Authentication
  • WBM: Security - Certificate Authentication
  • WBM: Security - LDAP configuration
  • WBM: Security - Firewall
  • WBM: Security - SD Card
  • WBM: Administration - Firmware Update
  • WBM: Administration - License Management
  • WBM: Administration - PLCnext Apps
  • PLCnext Engineer HMI application: View online variable values
  • PLCnext Engineer HMI application: Overwrite variables
  • OPC UA client: View online variable values
  • OPC UA client: Overwrite variables
  • OPC UA client: Read files.
    Note: FileReaders can only read files via an OPC UA client if the OPC UA file transfer is activated in PLCnext Engineer (for additional information, please refer to the PLCnext Engineer online help).
  • OPC UA client: Write files.
    Note: FileWriters can only write files via an OPC UA client if the OPC UA file transfer is activated in PLCnext Engineer (for additional information, please refer to the PLCnext Engineer online help).

Removing a user

  • On the User Authentication page, click the Remove User button in the line of the user to be removed.

The Remove User dialog opens with this user's name already pre-entered.

Screenshot: Remove User dialog

  • Click on the Remove button to delete that user permanently.

Session Configuration tab

The Session Configuration tab is available from firmware version 2022.0 LTS.

Screenshot: Session Configuration tab (firmware release 2022.6 or newer; the tab looks different from 2022.0 LTS to 2022.3)

In the Session Configuration tab, the settings for user sessions can be made in detail so that admins can adapt them to their organisation's needs. User sessions in this context refer to all sessions that are managed by the User Management, such as access to the WBM and to RSC services.

Configuring parameters

Security note: Limited session time and limited concurrent sessions, as well as incremented penalties on repeated login attempts, are features to enhance the security of your controllers. When changing these settings, do it with a "security first" approach.


The following parameters can be configured:

  • Maximum session time:
    Numeric value, 0 (no timeout) to the maximum of UINT32; default: 20 min.
  • Exclude admin users from timeout:
    Boolean value; default: false.
    Enabling this feature excludes admin users from timeout penalties when retrying to log in more than 3 times.
  • Initial timeout, Timeout increment, Maximum timeout:
    Numeric values, 0 to the maximum of UINT32;
    • Initial timeout, default: 10 s
    • Timeout increment, default: 30 s
    • Maximum timeout, default: 3600 s
  • Maximum concurrent sessions:
    Numeric value, 2 to the maximum of UINT32; default: 32 sessions.
    Note: For security reasons, this value should always be as low as possible. Keep in mind, however, that each communication with the PLC needs its own session, even the WBM access used to change this value. To get as close to the minimum as viable, proceed as follows:
    • To count the concurrent sessions in your project, enable the Enhanced Debug Log.
    • Run the project, then open the Output.log and count the necessary connections to the PLC.
    • Add 2 sessions to that value so that you do not lock yourself out; that is the bare minimum.
    • Disable the Enhanced Debug Log afterwards so that it cannot influence the timing of running applications.

Applying changes and rebooting

All changes made in the Session Configuration tab are saved only when you press the Apply and reboot button below the table. The controller reboots only if all settings could be applied in the system without error.

If an error occurs, the firmware reports only the first error, but all changed settings are reverted.

Password Policy tab

Available from firmware 2022.0 LTS

In the Password Policy tab, all restrictions for user passwords can be set up, grouped as specific rulesets for users on the same trust level. See Password complexity rules for all further details.

Screenshot: Password Policy tab
Web browser recommendation: Chrome/Edge 88 or newer, Firefox ESR 90 or newer, or Safari.
Published/reviewed: 2022-09-14. Revision 046.