Secure Connection

The IEC 61850 client supports TLS encryption of communication between client and server. If TLS encryption is not supported by the server, this option must not be activated.

Certificates

The certificates used for encrypting the communication are server specific and must be saved in the project directory. By default they are saved in WinCC_OA_Proj\data\IEC61850\cert. With the config entry [iec61850]certPath a custom directory can be created in WinCC_OA_Proj\data\IEC61850\. e.g.: the entry [iec61850]certPath=“myCertifcates“ will create the directory WinCC_OA_Proj\data\IEC61850\ myCertifcates.

Certificates in the *.pem format are supported.

Note: The directory is created automatically, as soon as the IEC 61850 client configuration panel is opened.

Password encryption

For all passwords mentioned below, that are saved in encrypted state on the internal datapoints the following applies: the encryption is done with a default certificate (driver_private.key), which is created in the course of the WinCC OA installation and placed in WinCC_OA_Proj/config.

CAUTION: Since these certificates are the same for all WinCC OA installations of the same version, it is imperative to make individual certificates to be protected from attacks. For more details on this, see Driver Certificate.

Security Tab

The Security Tab shows the security relevant settings for the driver. With the exception of the password, the settings applied here will be saved to the corresponding element on the internal datapoint _IEC61850_IED in the structure .Config.Security. See also the Description of the internal datapoint.

Figure 1. Security Tab
Note: The buttons next to the fields for the certificate names open either the default directory (WinCC_OA_Proj\data\IEC61850\cert) or the directory set with the config entry [iec61850]certPath. From there, choose the required certificate.

General

Authentication This sets the type of encryption. Available are:

  • None: The communication is not encrypted.
  • Password: The communication is not encrypted. The password will be saved encrypted on the internal datapoint, but sent as plain text.
  • TLS + Password: The communication between client and server is encrypted using TLS. The use of a password is optional

Password This entry is optional. The password is saved encrypted on the internal datapoint .Config/Password.

TLS Method

Sets the type of TLS encryption. This must match the encryption type used by the corresponding server. Available methods:

  • TLSv1
  • TLSv1.1
  • SSLv2
  • SSLv3
  • SSLv2and3

CA file path

File containing the certificates of the Certificate Authority (CA certificates). Can be selected using the button next to the field.

CRL file path

The Revocation List of the Certification Authority. Can be selected using the button next to the field.

Ciphers

The openSSL Cipher Suite string. If the field is left empty, the following string is used: "TLSv1:TLSv1.1:TLSv1.2:SSLv3:!SSLv2:!aNULL:!eNULL:!CAMELLIA:!EXPORT40:!EXPORT56:@STRENGTH"

CA verify depth

The Depth of certificate chaining for Certificate Authority files. Allowed values are 0-99999.

MMS

Cert path

The Certificate for the MMS encryption. Can be selected using the button next to the field.

Common name

The MMS common name. This will be expected by the server for received MMS certificates. The name will be saved in clear text on the internal datapoint.

Key file path

The Private Key for the MMS encryption. Can be selected using the button next to the field.

Key pass

The passphrase for decrypting the Private Key. Saved encrypted on the internal datapoint.

TLS

Cert path

The Certificate for the TLS encryption. Can be selected using the button next to the field.

Common name

The TLS common name. This will be expected by the server for received TLS certificates. The name will be saved in plain text on the internal datapoint.

Key file path

The Private Key for the TLS encryption. Can be selected using the button next to the field.

Key pass

The passphrase for decrypting the Private Keys. Saved encrypted on the internal datapoint.

Renegotiation count

The maximum number of exchanged MMS messages, before the encryption of the connection is reverified.

Renegotiation timeout

The maximum time in seconds, before the encryption of the connection is reverified.