Home
Security
Go beyond the norm in cybersecurity.
Security Features
Maintaining the control over production and the processes in the application has the highest priority in automation. Even measures to prevent security threats must not affect this.
Server Side Authentication
Server-side Authentication for Managers
When sever-side authentication for managers is used, the managers that establish a connection to the DATA or EVENT manager must authenticate themselves. This enhances the security especially when projects are connected over the Internet. In the server-side authentication for managers the managers must authenticate themselves by using x.509 certificates.

Version Information
Release Notes, Update information, Certifications and Frequently Asked Questions.
Concepts
Your first step into modern and powerful process visualization.
Deployment
Topics, you need to know, before using WinCC OA.
Security
Go beyond the norm in cybersecurity.
- Security Features
  Maintaining the control over production and the processes in the application has the highest priority in automation. Even measures to prevent security threats must not affect this.
  - Authorization Concept
  - Certificates
  - Login
  - Login Framework
    The WinCC OA login framework provides a framework that is easy to extend. The WinCC OA login panels can be easily replaced by user-specific panels without having to re-implement the functionality.
  - Server Side Authentication
    - Server-side Authentication for UI Managers
      When using the server-side authentication for UI managers the user has to authenticate himself to the User Interface via the HTTP server. Communication between the user interface and the WinCC OA core (Data manager / Event manager) is only possible if the login credentials are verified by the HTTP server and clearance is ensured via a user interface specific token.
    - Server-side Authentication for Managers
      When sever-side authentication for managers is used, the managers that establish a connection to the DATA or EVENT manager must authenticate themselves. This enhances the security especially when projects are connected over the Internet. In the server-side authentication for managers the managers must authenticate themselves by using x.509 certificates.
  - User-defined Login
  - Authentication via Kerberos, basics
    In a more and more networking world, a WinCC OA system could be exposed to different types of attacks. An unauthorized WinCC OA system could connect to the distribution manager or hackers could try to manipulate WinCC OA messages.
- Multiplexing Proxy
  The WinCC OA Multiplexing Proxy Manager is used to increase the security of your WinCC OA projects.
- Continuous Monitoring
  The Continuous Monitoring feature of WinCC OA provides an interface for external tools to read and validate log and error messages of Security Events that were generated by the WinCC OA.
- Security Events in WinCC OA
- Further References
Engineering
Powerful tools for easy or complex engineering tasks.
Data Management
Classify, structure and archive your data.
Business Logic / Control
Endless possibilities in data processing for your projects.
Data Visualization
User interfaces, Trends and Reports for every purpose and device.
Southbound Interfaces
The process connection to the actual machines/sensors.
Northbound Interfaces
Your portal to the cloud or supervising systems.
Web Connectivity / Network Interfaces
Data exchange, APIs and web technologies
User Management
All about authorization, authentication and login-customization.
Availability
How to get your system uptime to the maximum.
Reporting
Create state of the art project reports without limits.
Addons
Useful tools and enhancements for special demands.
Reference Tables
Detailed and extensive content for special project adaptation.
Videos & Tutorials
Explore the capabilities of WinCC OA with our carefully selected collection of video tutorials and guides.
WinCC OA Documentation
Basic information about terms and functions within the documentation.
Disclaimer
A brief clarification of liability exclusions or legal notices.

Server-side Authentication for Managers

When sever-side authentication for managers is used, the managers that establish a connection to the DATA or EVENT manager must authenticate themselves. This enhances the security especially when projects are connected over the Internet. In the server-side authentication for managers the managers must authenticate themselves by using x.509 certificates.

For this reason, you need certificates. You can create your certificates yourself. To create certificates, use the Panel for SSL Certificates You can open the panel via the System Management -> Communication tab. How to create certificates with chain files is described in the Security Guideline. Via the chain files you can create several chains and the authentication can be used e.g. in several parts of a plant. Chain files can be used for the different parts of a plant. For how to use a chain file, see Example configuration. You can also use Windows Certificate Storecertificates.

In a redundant system and in a DRS system the Access Control plug-in must be configured for both systems. In other words, the settings on both systems must be the same.

The server-side authentication for managers is used for all managers. For the authentication UI managers, see chapter Server-side Authentication for UI Managers, Basics.

Session Binding

Session binding reduces the risk of manipulated messages and unauthorized access to a WinCC OA system. The communication security is increased since the access of unauthorized managers is prevented. In session binding the WinCC OA user name is a part of the certificate, see chapter Panel for SSL Certificates on how to create a certificate with a user name.

Session Binding is activated via the server-side authentication for UI managers. When an Access Control Plug-in of ETM is loaded, the Session Binding is automatically active and cannot be deactivated. By default (standard project) the session binding is deactivated. You can activate it irrespective of the Access Control Plug-in by using the config entry serverSideAuthentication=1 in the [general] section.