Security Settings
Security Strategy
The WinCC OA OPC UA server supports the following profiles:
- None
- Basic128Rsa15
- Basic256
- Basic256Sha256
- Aes128_Sha256_RsaOaep
- Aes256_Sha256_RsaPss
The list above is ordered from the least to the most secure mechanism.
Use the config entries [opcuasrv] uaSecurityPolicy and [opcuasrv] uaSecurityMode to set the minimum required profile and mode.
If a client tries to use a weaker profile or mode, it cannot establish a connection.
For example, to make Basic256Sha256 and Sign&Encrypt the minimum required security level, the config entries must be set as follows:
[opcuasrv]
uaSecurityPolicy = 3
uaSecurityMode = 2
Message Security Concept
The WinCC OA OPC UA server supports the following modes:
- None
- Sign
- Sign&Encrypt
None
The communication is neither signed nor encrypted, so this mode should be used only in separate networks.
Sign
The communication is signed but not encrypted.
With this mode the transmitted data is protected from manipulation but can be read by others. Access information (e.g. passwords) cannot be read by others.
Sign&Encrypt
The communication is both signed and encrypted.
With this mode the transmitted data is protected from manipulation and reading is prevented by encryption.
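The following is an added example, not part of the WinCC OA documentation or product: a small audit that reads a project config file and reports when the [opcuasrv] security floor is weaker than the Basic256Sha256 / Sign&Encrypt example above, or is not set at all (for instance because the entries sit under a misspelled section name). It assumes that the numeric values index the profile and mode lists in the order shown on this page, which matches the example values 3 and 2; the sample configs are constructed.

```python
# Added example: audit a WinCC OA config for the OPC UA server security floor.
# ASSUMPTION: numeric values index the lists on this page in the order shown
# (consistent with the page's example: 3 = Basic256Sha256, 2 = Sign&Encrypt).
POLICIES = ["None", "Basic128Rsa15", "Basic256", "Basic256Sha256",
            "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"]
MODES = ["None", "Sign", "Sign&Encrypt"]
BASELINE = {"uaSecurityPolicy": (POLICIES, 3), "uaSecurityMode": (MODES, 2)}


def read_section(text, section="opcuasrv"):
    """Return key -> value for one [section]; later duplicates win."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif "=" in line and current == section:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip().strip('"')
    return entries


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    entries, findings = read_section(text), []
    for key, (names, minimum) in BASELINE.items():
        value = entries.get(key)
        if value is None:
            findings.append(f"{key}: not set in [opcuasrv], floor is not pinned")
            continue
        if not value.isdigit() or int(value) >= len(names):
            findings.append(f"{key}: unrecognised value {value!r}")
            continue
        if int(value) < minimum:
            findings.append(f"{key}: {names[int(value)]} is weaker than "
                            f"{names[minimum]}")
    return findings


# Constructed sample configs, not taken from a real project.
WEAK = "[opcuasrv]\nuaSecurityPolicy = 1  # legacy client\nuaSecurityMode = 1\n"
GOOD = "[opcuasrv]\nuaSecurityPolicy = 3\nuaSecurityMode = 2\n"
MISPLACED = "[opcuasrc]\nuaSecurityPolicy = 3\nuaSecurityMode = 2\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("good", GOOD), ("misplaced", MISPLACED)):
        print(name, audit(cfg) or "meets baseline")
```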