WinCC OA Secure Authentication - DNP3 Driver Configuration
On the Security tab configure the Secure Authentication parameters:
Secure Authentication: Use this check box to enable the authentication. If the Secure Authentication is disabled, the connection does not use Secure Authentication.
Aggressive Mode: This option activates the aggressive mode, in which no separate authentication challenge and reply is required. This means that the processing of critical operations is sped up since the authentication is part of a telegram and not a separate step. Aggressive mode must only be activated if it is supported by the device. If the device does not support this mode,
Allow SHA1: Since SHA1 is considered unsafe, it is not enabled by default. However, devices that do not support more recent MAC algorithms might still be used. Therefore, this option is available.
You can specify a list of users with different roles and keys for each device. A device may or may not support multiple users.
The Actual user defines the current setting for the authentication. In DNP3 a user has a unique name and a unique number.
Note: Therefore, do not set different user names with the same number or vice versa.
Role: You can select different roles for a user, for example, Viewer, Operator, SingleUser etc. Depending on the role, the user has specific rights. The user can, for example, only view or also edit configurations. By default the SingleUser has all rights: to monitor data, operate controls, transfer data files, change configs, change security configs, change code and to log in locally. If a user may only view data, select the role Viewer. The Viewer may only monitor data.
Note: The roles are meaningful since there are function codes such as Direct Read, Write, Select Operate etc. in the address panel. You can specify in your device whether a function is critical or not. You can, for example, specify in the device that a client must authenticate in order to read.
The standard specifies the different available roles. The table below contains the different roles:
Preshared key: The preshared key must be either 16 or 32 bytes long. This corresponds to either 32 or 64 hexadecimal characters.
CAUTION: The preshared key specified here and the preshared key in the device panel MUST be identical! Other settings here and in the device panel do not need to be identical. If the keys are not identical, you cannot write data (that is, enter values) since the authentication is not enabled. You can, however, read values without authentication. NOTE also that if you change the configuration on the Security tab, you must deactivate and reactivate the connection on the Connection tab (via the Active check box) or restart the DNP3 driver.
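The user and preshared key rules above can be checked before the values are entered on the Security tab. The following is an added example, not WinCC OA code: the dictionary layout, the function name and the sample users and keys are constructed assumptions.

```python
import hmac
import re

# 16 or 32 bytes, written as exactly 32 or 64 hexadecimal characters.
HEX_KEY = re.compile(r"(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{64})")


def check_security_tab(users, device_keys):
    """Return a list of problems in a planned user list.

    users: list of {"name", "number", "key"} dicts (hypothetical layout).
    device_keys: {user number: hex key set in the device} (hypothetical).
    """
    problems = []
    name_to_number, number_to_name = {}, {}
    for user in users:
        name, number, key = user["name"], user["number"], user["key"]
        # A DNP3 user has a unique name and a unique number.
        if name_to_number.setdefault(name, number) != number:
            problems.append(f"name {name!r} is used with several numbers")
        if number_to_name.setdefault(number, name) != name:
            problems.append(f"number {number} is used with several names")
        if not HEX_KEY.fullmatch(key):
            problems.append(f"user {name!r}: key is not 32 or 64 hex characters")
            continue
        device_key = device_keys.get(number)
        if device_key is None or not HEX_KEY.fullmatch(device_key):
            problems.append(f"user {name!r}: no valid key on the device side")
            continue
        # Compare the decoded bytes so hex case does not matter, and use a
        # constant-time comparison because both values are secrets.
        if not hmac.compare_digest(bytes.fromhex(key), bytes.fromhex(device_key)):
            problems.append(f"user {name!r}: key differs from the device key")
    return problems


# Constructed sample data; the keys are placeholders, not real secrets.
SAMPLE_USERS = [
    {"name": "Common", "number": 1, "key": "00112233445566778899AABBCCDDEEFF"},
    {"name": "OperatorA", "number": 2, "key": "0011223344"},  # too short
    {"name": "OperatorB", "number": 2, "key": "AB" * 32},     # number reused
]
SAMPLE_DEVICE_KEYS = {1: "00112233445566778899aabbccddeeff", 2: "CD" * 32}

if __name__ == "__main__":
    for problem in check_security_tab(SAMPLE_USERS, SAMPLE_DEVICE_KEYS):
        print(problem)
```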