Introduction
- The aim of this how-to is not to cover the theory of secured communication
- It is a how-to example of a configuration in an Automation Studio project running in ArSim
Sources of information:
- OPCUA server SSL configuration B&R Online Help
- mappView SSL configuration B&R Online Help
- mappView certificate B&R Online Help
- OpenSSL /docs/man1.1.1/man1/openssl.html
- OpenSSL - x509 config /docs/manmaster/man5/x509v3_config.html
- Wiki - OpenSSL - Wikipedia
1. OPCUA server side
- Configuration of a unique host name for your PLC (CPU – Ethernet Parameters – Hostname)
- For a local connection without a DHCP server, the IP address must be entered manually
- Creation of a new OPCUA certificate for the OPCUA server
- Important fields that must be filled in (organization, common name, etc.)
- Some of them are taken from your configuration (IP address, DNS name, …)
- The remaining ones are optional
- SSL configuration creation
→ Select OPCUA SSL
→ Use certificate and key you have created before
- Assign the SSL configuration to the OPCUA server; if you would like to prevent unsecured communication (security policy None), just disable it.
2. OPCUA client side (UAExpert)
- You have to validate the certificate of the OPCUA server (either import it manually or set it as trusted during the first connection attempt)
- Check that this is really the certificate you created before
- Trusted certificates can be seen in the certificate manager of the UAExpert client
- Test communication with security policy None: the connection is refused by the server
- Test with a security policy: the connection is established (Wireshark trace of the OPCUA communication)
- Be careful, only a security policy enabled on/supported by the OPCUA server can be used
From now on the OPCUA client can use secure communication to the OPCUA server using the certificate. The disadvantage is that any OPCUA client that trusts the server certificate can connect. If you would like to limit connections to certain OPCUA clients only, you can activate communication partner validation on the OPCUA server side.
3. SSL communication partner validation (UAExpert client)
- The client must have its own certificate
- UAExpert creates one during the first start-up, or you can use the button to create a new one
- This certificate must be added to the project in the ThirdPartyCertificate package
- In SSLConfiguration
→ Enable SSL communication partner validation.
→ Insert the imported certificate into the list of trusted certificates.
- Download and restart.
- From now on only UAExpert with this certificate can connect to the OPCUA server.
4. mappView server certificate
The client certificate must contain the authorityKeyIdentifier property and be in DER format.
For this reason, the client certificate must be created with an external tool, preferably OpenSSL for Windows.
- You must install OpenSSL; if you have Git installed, OpenSSL is part of it
- OpenSSL is used for certificate creation (in my case I used the one installed with my Git)
- Example of certificate configuration
→ Connection to the OPC UA server is established over an IP address
NOTE: keyUsage must contain the keyCertSign parameter
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = x509v3

[ dn ]
commonName = mapp View Server

[ x509v3 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyCertSign
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = URI:Client_Cpp_SDK@myComputer,IP:127.0.0.1
→ Connection to the OPC UA server is established over a hostname
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = x509v3

[ dn ]
commonName = mapp View Server

[ x509v3 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyCertSign
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = URI:Client_Cpp_SDK@myComputer,DNS:hostname
- Command for certificate creation
openssl.exe req -x509 -config C:\temp\ca.conf -nodes -new -keyout C:\temp\ca.key -out C:\temp\ca.cer -sha256 -days 365 -outform DER
- Output after successful creation (certificate and key)
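As an added check (example code, not part of this how-to or of B&R's tools), the following script writes the hostname variant of the config above, runs the same openssl command, and then verifies that the resulting DER certificate really carries authorityKeyIdentifier, keyCertSign and the subjectAltName entries before it is imported into the project. It assumes openssl is on PATH (e.g. in Git Bash) and uses a temporary directory instead of C:\temp.

```shell
#!/usr/bin/env bash
# Added example, not part of the original how-to: build the mappView client
# certificate from the hostname config above and verify it carries the
# properties mappView requires. Assumes 'openssl' is on PATH (e.g. Git Bash).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CONF="$WORK/ca.conf"

# Config as in the how-to; "hostname" is the placeholder used there.
cat > "$CONF" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = x509v3

[ dn ]
commonName = mapp View Server

[ x509v3 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyCertSign
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = URI:Client_Cpp_SDK@myComputer,DNS:hostname
EOF

# Same openssl call as in the how-to, with paths under $WORK.
make_cert() {
  openssl req -x509 -config "$CONF" -nodes -new -keyout "$WORK/ca.key" \
    -out "$WORK/ca.cer" -sha256 -days 365 -outform DER >/dev/null 2>&1
}

# Returns 0 only if $1 parses as DER and contains authorityKeyIdentifier,
# keyCertSign (printed as "Certificate Sign") and the expected subjectAltName.
check_mappview_cert() {
  txt=$(openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null) || return 1
  for needle in 'X509v3 Authority Key Identifier' 'Certificate Sign' \
                'X509v3 Subject Alternative Name' 'URI:Client_Cpp_SDK@myComputer' 'DNS:hostname'; do
    printf '%s\n' "$txt" | grep -q "$needle" || return 1
  done
}

make_cert
check_mappview_cert "$WORK/ca.cer" && echo "certificate OK: $WORK/ca.cer"
```

If the check fails, the certificate will be rejected by mappView, so fix the config rather than importing it.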
5. mappView server – SSL configuration
- A new SSL configuration must be created
- Import the already created certificate and key
- The "Validate SSL communication" option can be left off; it is ignored anyway
- Configure the mappView server OPC UA remote connection
- If the mappView server tries to establish a connection to the OPCUA server now, it will be refused
6. SSL communication partner validation (mappView client)
- The OPCUA server configuration must be adapted.
- The mappView certificate must be added to SSL communication partner validation
CertificateSample.zip (107.1 KB)