Example Configuration - SSA for Managers

  1. Create a project or use an existing project.
  2. Use the CA as well as the available certificates you have created.
    CAUTION: The certificates must be located on the same partition as the WinCC OA project. When a project is, e.g., saved on D:, also the certificates must be saved on D:.
    CAUTION: The certificates must not be saved in the project due to security reasons. The certificates for the web server are an exception. These are automatically copied into the project. The web server certificates are used for all features that require the web server. Such features are, for example, the Desktop UI and ULC UX.
  3. You need the following certificates:
    • ca-chain.cert.pem. You need the ca-chain.cert.pem file only for the server. The file serves for checking the certificates.
      Figure 1. ca-chain.cert.pem file
    • Use the certificates norole.cert.pem, para.cert.pem, revoked.cert.pem as well as rootuser.cert.pem and crl.cert.pem files.
      Figure 2. norole.cert.pem, para.cert.pem, revoked.cert.pem as well as rootuser.cert.pem file
      Figure 3. crl.cert.pem file
    • You also need the keys:

      • norole.key.pem
      • para.key.pem
      • revoked.key.pem
      • rootuser.key.pem
    Note: Keys must only exist on a computer where a manager uses the keys to authenticate. On the server (if the server only starts its managers as the user root), only one rootuser.key.pem is required. The other keys are only needed on the clients connecting to the server. To authenticate these clients, the server only needs the chain file.
    Figure 4. norole.key.pem, para.key.pem, revoked.key.pem, rootuser.key.pem
  4. Set the following config entries:
    [general]
     accessControlPlugin = "AccessControlPlugin"
    
    [webClient] 
    clientSideAuth = 0
    httpsPort = "443"
    httpPort = "0"
    rootPanel = "vision/login.pnl"
    mobileRootPanel = "vision/login.pnl"
    
    [ui]
    httpServer = "https://localhost:443"    
    CAUTION: When you use the server-side authentication for UI Managers, use the config entry [general] accessControlPlugin = "AccessControlPluginUser"

    The following server settings:

    [general]
    ssaChainFile = "SSA_cert/ca-chain.cert.pem"
    ssaCRL = "SSA_cert/crl.cert.pem" 
    Note: In this example a chain file is used (see above). If you use Windows Certificate Store certificates, you need the config entry "ssaChertCheck".

    The following settings for all Control Managers:

    [general]
    ssaPrivateKey = "file:SSA_cert/rootuser.key.pem"
    ssaCertificate = "file:SSA_cert/rootuser.cert.pem" 
    
    The following settings for the UI manager:
    [httpServer]
    uiArguments = "-p vision/login.pnl -centered -iconBar -menuBar -ssa"
            
    The following settings for different Control managers:
    [ctrl_3]
    ssaPrivateKey = "file:SSA_cert/para.key.pem"
    ssaCertificate = "file:SSA_cert/para.cert.pem"
    
    [ctrl_4]
    ssaPrivateKey = "file:SSA_cert/revoked.key.pem"
    ssaCertificate = "file:SSA_cert/revoked.cert.pem"
    
    [ctrl_5]
    ssaPrivateKey = "file:SSA_cert/norole.key.pem"
    ssaCertificate = "file:SSA_cert/norole.cert.pem"
    
    [ctrl_6]
    ssaPrivateKey = "file:SSA_cert/para.key.pem"
    ssaCertificate = "file:SSA_cert/para.cert.pem"  
    Figure 5. Config file with Config entries
  5. Create 3 scripts with e.g. the following code, in the script editor:
    void main()
    {
       DebugTN("The script 1 is running");
    }
  6. In the console, add 5 CTRL managers and one UI manager to the console with the following manager options:
    CTRL -num 2 webclient_http.ctl
    UI -m gedi -ssa
    CTRL -num 3 script1.ctl -user para:
    CTRL -num 4 script2.ctl -user para: //The option does not work since the wrong certificate is available, no //certificate for the user para but for the user "revoked"
    CTRL -num 5 script3.ctl -user para: //The option does not work since the wrong certificate is available, no //certificate for the user para, but for the user "norole".
    CTRL -num 6 script1.ctl -user operator: //The option does not work since this is the wrong user
    //not the user para but the user "operator"   
    Figure 6. Console with started managers
    If you start the script 1, the following is output in the log viewer:
    WCCOActrl (3), 2017.12.04 15:36:41.746, SYS, INFO, 103, User names/passwords initialized
    WCCOActrl3:2017.12.04 15:36:41.878["The script 1 is running"]
    WCCOActrl (3), 2017.12.04 15:36:43.879, SYS, INFO, 181, Closing connection to (SYS: 0 Data -num 0 CONN: 1)