Hey guys,
For Automation Studio v4.12, I was wondering if there is any way of preventing the end user of the PLC from uploads and downloads? The PLC I’d like to do this to is the 4PPC30.043F-21B.
Thanks,
Jack
Hey guys,
For Automation Studio v4.12, I was wondering if there is any way of preventing the end user of the PLC from uploads and downloads? The PLC I’d like to do this to is the 4PPC30.043F-21B.
Thanks,
Jack
Hi,
you can’t lock them out just for transfer services, because the online protocol ANSL don’t has different access rights for read and write access or different types of operations.
But you can secure the complete online services (including up- and download, but also watch, online monitor and so on) by the ANSL online protocol features “user role authentication” or “certificate-based TLS encryption”, or a combination of both.
Best regards!
Hey Alexander,
Thank you this worked, but perhaps a bit too well… This PLC will be connected via ethernet to an Ignition Server, and it will talk to it with OPCUA tags. Securing the ANSL protocol also secures the OPC server:
I’ve tried both the secure and non-secure options.
I can connect with Ignition again if I reconfigure this OPC connection with the Administrator login I created, but I actually do not want that for this project. I want the OPCUA tags to be freely accessible, and only the ability to upload and download to be secured. Would that be possible at all?
Secondary Question:
After doing some research, I learned that B&R PLCs only store compiled code, so uploading from them isn’t even possible. I’m assuming that if I never upload code backup to its flash onboard, then an end user wouldn’t be able to upload programmable code from the PLCs by any means?
Thanks you,
Jack
Hi,
as I know, OPC UA server and ANSL operate completely independent.
So securing ANSL via TLS should not influence OPC UA and vice versa (you can / should create own TLS configurations with different certificates for each protocol).
Yes you’re right, the system works with compiled code, so uploading modules is not possible and won’t enable source code access.
Nevertheless, securing online connection is not a bad idea, because you can also prevent that for example that variable values can be accessed / changed, and to suspress other reverse engineering techniques.
Best regards!
Hmm, so it seems like an ANSL setting got messed up in on my last download… Every time I try to transfer, I get this error:
Online settings no longer asks me for a Username and Password, even though I’m pretty sure I left Online Authentication on. I believe my situation might be similar to what’s described in this thread:
A connection via ANLS is needed to execute transfer properly error - Ask Questions / Mechatronics & Motion - B&R Community
but the /INA=0 trick is not working for me. Where could I have went wrong to get this error?
This question is more of a troubleshooting one, let me know if I should post it as a seperate thread.
Thanks,
Jack
Hi,
it looks like you’re now online via INA, yes.
This can be the case, if INA as online protocol is still activated (in Automation Studio 4), and ANSL is not (longer) reachable.
For example when using ArSim, Automation Studio will try to fallback to INA if ANSL is not reachable (this is what is prevented by /INA=0, but this does not change the availability of an ANSL connection).
If you have setup ANSL TLS with a SSL configuration and tranferred this setup.to the PLC, then you have to change your Automation Studio Online setting also to this new setup.
As I remember in a SSL setup you have to:
EDIT: I just created a small HowTo about setup and online connection.
If you additionally have an user role authentication setup, the user + password dialog will pop up earliest after a SSL communication to the PLC was established.
So from issue description, I would recommend to check the online settings in Automation Studio and set them to the parameters needed for a TLS online communication, if you’ve configured this on the PLC (I think so).
Best regards!
PS, independent of your actual issue: when securing an online connection to prevent unauthorized online access, you have then also to deactivate INA in the PLCs ETH interfaces parameters.