Security Settings

Security Strategy

The WinCC OA OPC UA server supports the following profiles:

  • None
  • Basic128Rsa15
  • Basic256
  • Basic256Sha256
  • Aes128_Sha256_RsaOaep
  • Aes256_Sha256_RsaPss

The list above is ordered from the least to the most secure mechanism.

Use the config entries [opcuasrv] uaSecurityPolicy and [opcuasrv] uaSecurityMode to set the minimum required profile and mode.

If a client tries to use a weaker profile or mode, it cannot establish a connection.

To require, for instance, Basic256Sha256 and Sign&Encrypt as the minimum security level, the config entries must be set as follows:

[opcuasrv]
uaSecurityPolicy = 3
uaSecurityMode = 2
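
A configuration check for these two entries, as an added example that is not part of the WinCC OA documentation or product. It assumes the server reads the entries from the [opcuasrv] section, that the numeric value is the zero-based position in the lists on this page (consistent with the values 3 and 2 above), and that '#' starts a comment; the function names and the sample text are constructed for illustration.

```python
import re

# Order from the page's lists; the numeric config value is assumed to be
# the zero-based position (consistent with the page's example: 3 and 2).
POLICIES = ["None", "Basic128Rsa15", "Basic256", "Basic256Sha256",
            "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"]
MODES = ["None", "Sign", "Sign&Encrypt"]
CHECKS = {"uaSecurityPolicy": (POLICIES, 3),   # baseline: Basic256Sha256
          "uaSecurityMode": (MODES, 2)}        # baseline: Sign&Encrypt
SECTION = "opcuasrv"                           # assumed server section name

def parse_config(text):
    """Parse INI-style text into {section: {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def audit(text):
    """Return findings; an empty list means the baseline is enforced."""
    sections, findings = parse_config(text), []
    server = sections.get(SECTION, {})
    for key, (names, minimum) in CHECKS.items():
        raw = server.get(key)
        if raw is None:
            findings.append(f"{key}: not set in [{SECTION}]")
        elif not raw.isdecimal() or int(raw) >= len(names):
            findings.append(f"{key}: unrecognised value {raw!r}")
        elif int(raw) < minimum:
            findings.append(f"{key} = {raw} ({names[int(raw)]}) is weaker than "
                            f"{names[minimum]}")
        # An entry under any other section name never reaches the server section.
        for name, entries in sections.items():
            if name != SECTION and key in entries:
                findings.append(f"{key}: found in [{name}], not [{SECTION}]")
    return findings

# Constructed sample: the mode entry sits under a section name other than SECTION.
SAMPLE = """[opcuasrv]
uaSecurityPolicy = 3   # Basic256Sha256
[opcuasrc]
uaSecurityMode = 2
"""
```

For the constructed sample, `audit(SAMPLE)` reports that uaSecurityMode is not set in [opcuasrv] and that it was found under [opcuasrc] instead.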

Message Security Concept

The WinCC OA OPC UA server supports the following modes:

  • None
  • Sign
  • Sign&Encrypt

None

The communication is neither signed nor encrypted, so this mode should be used only in separate networks.

Sign

The communication is signed but not encrypted.

With this mode, the transmitted data is protected from manipulation but can be read by others. Access information (e.g. a password) cannot be read by others!

Sign&Encrypt

The communication is both signed and encrypted.

With this mode, the transmitted data is protected from manipulation, and encryption prevents others from reading it.