Encryption of Panels

The encryption of panels ensures that panels cannot be opened or changed in the GEDI by unauthorized persons.

When an encrypted, password-protected panel or script is opened via the Project View of the GEDI, the password is queried. The hash value of the entered password is compared with the hash value stored in the panel or script file; the file can be edited only if both values match.

If the values do not match, a message is shown and the process is paused for one second in order to slow down brute-force attacks. The delay only limits the rate of guesses through the GEDI; it is not a substitute for a strong password.

One or several panels (.pnl and .xml) can be encrypted in two ways:

  • Using the context menu option Encrypt Panel in the Project View of the GEDI.
  • Using command line options of the UI manager; this also allows the recursive encryption of all panels below a particular directory at the same time - see Command line options for panel encryption.

Before encrypting a panel using the context menu option Encrypt Panel, decide how the panel should be protected:

  • Encryption with password protection and without an additional license - the panel is encrypted with password protection for the GEDI. The panel can only be viewed and edited after entering the correct password. See Encryption without additional license.
  • Encryption with license - the panel can only be opened if the corresponding license is present - see Encryption with license key.

Encrypted panels are skipped during XML conversion ("-xmlConvert=XML -p panelName"), since they are binary.

When a panel is encrypted, the scripts of its shapes can still be shown and edited in the GEDI.

Note, however:
  • Scripts of shapes in encrypted panel references are not shown in the GEDI, because the password of a panel reference is not checked when the reference is loaded. An encrypted panel reference therefore cannot be reconfigured, not even when it is encrypted with password protection and the user knows the password that would allow loading the panel itself in the GEDI.
  • Scripts of non-encrypted panel references can be edited.
  • Scripts of shapes in encrypted panel references cannot be queried at runtime.

Panel encryption via Project View

Encryption without additional license

To encrypt a panel so that an additional license will not be required, execute the following steps:

  1. Open the Project View in the GEDI.
  2. Right-click the panel that should be encrypted and click on the Encrypt Panel context menu option.
    Figure 1. Encrypt Panel
  3. The window for license key and password input is opened. Enter the password, check the check box "Keep password for this Session" and leave the "License key" field empty. Then click OK. Because the check box is checked, the password window is not shown again when the panel is edited within the current GEDI session, and the panel is opened without a note; the password is queried again in the next session.
    Figure 2. Define License Key and Password
  4. After the successful encryption a dialog informs you that the panel was encrypted without license key. Click OK.
    Figure 3. Panel was encrypted confirmation
  5. If the check box Keep password for this Session was not checked and you open the panel via a double-click, you must enter the password in order to edit the panel.
    Figure 4. Enter Password

Encryption with license key

  1. Open the Project View in the GEDI.
  2. Right-click the panel that should be encrypted and click on the Encrypt Panel context menu option.
  3. This opens the window for license key input. Enter the license key that the user must possess to open this panel. The license key may have at most 10 characters. Click OK.
    Figure 5. Define License Key
  4. WinCC OA then generates a coded key from your license key to protect against possible misuse (for further information see License key in a License Container). After successful encryption a dialog shows the coded key with which the panel was encrypted. Write it down and click OK (the key is also copied to the clipboard, so you can paste it anywhere for safe-keeping).
    Figure 6. Encryption confirmation message
  5. Without a valid license the panel cannot be opened in the GEDI or in VISION. After the coded key has been added to a license container, the panel can be opened.

If a new license keyword is being used when the panel/script is encrypted and this keyword does not exist in a license container yet, either the existing license has to be changed (extended) or you have to get a new license.

The following information is required for the license request:

  1. When the container is extended: send the new keyword to ETM.
  2. New license: send the required license options as well as your new license keywords to ETM.

Command line options for panel encryption

Start a UI manager with the following command line options to encrypt one or several panels.

Command line option / Function

-proj [project name] -encrypt [licenseKey] -p <panelName> -passPhrase [password]

  Encrypts a single panel and protects it with the given password.
  Specify the project name with -proj; alternatively, use the option -config.
  [licenseKey] is an optional parameter. Specify it if the panel should additionally be encrypted with a license key.
  For <panelName>, enter the panel name if the panel is saved in the \panels directory of the project. Otherwise enter the absolute path to the panel, e.g. C:\WinCC_OA_Proj\myProj\panels\gedi\myPanel.pnl.

-proj [project name] -encrypt [licenseKey] -p <startDir> -passPhrase [password]

  Encrypts all panels recursively below a particular directory and protects them with the given password.
  Specify the project name with -proj; alternatively, use the option -config.
  [licenseKey] is an optional parameter. Specify it if the panels should additionally be encrypted with a license key.
  For <startDir>, enter the directory from which the panels should be encrypted recursively if the directory is located in the \panels directory of the project. Otherwise enter the absolute path to the directory, e.g. C:\WinCC_OA_Proj\myProj\panels\myPanels\gedi.

  Note: To encrypt all panels from the installation directory \panels, the absolute path must end with a backslash, e.g. -encrypt -p C:\Siemens\Automation\WinCC_OA\3.10\panels\.

-noBackup

  Prevents the creation of a backup file (.bak file) of the unencrypted, original panel. Without this option the plaintext original remains next to the encrypted panel; delete the .bak files before the project is distributed, or use -noBackup.

Encrypts the panel MyPanel.pnl with password protection:

WCCOAui.exe -proj WinCC_OA_Proj -encrypt -p MyPanel.pnl -passPhrase MySecurePassword

Encrypts the panel MyPanel.pnl with a license key and password protection:

WCCOAui.exe -proj WinCC_OA_Proj -encrypt LicenseKey -p MyPanel.pnl -passPhrase MySecurePassword

Encrypts all panels recursively below the directory C:\Projects\WinCC_OA_Proj\panels\gedi with password protection:

WCCOAui.exe -proj WinCC_OA_Proj -encrypt -p C:\Projects\WinCC_OA_Proj\panels\gedi -passPhrase MySecurePassword

Encrypts all panels recursively below the directory C:\Projects\WinCC_OA_Proj\panels\gedi with a license key and password protection:

WCCOAui.exe -proj WinCC_OA_Proj -encrypt LicenseKey -p C:\Projects\WinCC_OA_Proj\panels\gedi -passPhrase MySecurePassword
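The following script is an added example, not code from WinCC OA or its documentation. It assembles the -encrypt command line described above for a whole panel directory and then scans that directory for what the encryption run can leave unprotected: the .bak copies of the unencrypted originals (written unless -noBackup is given) and panel files that still look like plaintext. It assumes the executable name WCCOAui.exe from the examples above, that -noBackup may be placed at the end of the command line, and a heuristic (not from the documentation) that an unencrypted .pnl starts with a "V <version>" line and an unencrypted .xml panel with "<?xml". The sample directory tree in demo() is constructed in a temporary directory and contains no real panels. Note that the password is part of the command line and is therefore visible in process listings and shell history on the machine that runs the encryption; run it on a trusted engineering workstation and do not leave the password in scripts.

```python
"""
Batch panel encryption for WinCC OA via the documented -encrypt command line.
Added example, not code from the WinCC OA product or its documentation.
"""
import subprocess
import tempfile
from pathlib import Path

# Assumption: the UI manager executable name as used in the examples above.
WCCOAUI = "WCCOAui.exe"

# Assumption (heuristic, not from the documentation): unencrypted panels are text;
# a classic .pnl starts with a "V <version>" line, an .xml panel with "<?xml".
PLAINTEXT_PREFIXES = (b"V ", b"<?xml")


def build_encrypt_command(project, target, password, license_key=None, no_backup=True):
    """Assemble argv for:
    WCCOAui.exe -proj <project> -encrypt [licenseKey] -p <target> -passPhrase <password> [-noBackup]

    target is a panel name, an absolute panel path or a start directory (recursive mode).
    The argv list is handed to subprocess without a shell, so no quoting is needed.
    """
    if not password:
        raise ValueError("refusing to encrypt with an empty password")
    if license_key is not None and (not license_key or len(license_key) > 10):
        raise ValueError("license key must be 1..10 characters")
    argv = [WCCOAUI, "-proj", project, "-encrypt"]
    if license_key is not None:
        argv.append(license_key)
    argv += ["-p", str(target), "-passPhrase", password]
    if no_backup:
        argv.append("-noBackup")
    return argv


def find_leftovers(root):
    """Return .bak copies of unencrypted originals and panels that still look
    like plaintext anywhere below root."""
    leftovers = {"bak": [], "plaintext": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(".bak"):
            leftovers["bak"].append(path)
        elif name.endswith((".pnl", ".xml")):
            with path.open("rb") as fh:
                head = fh.read(8)
            if head.startswith(PLAINTEXT_PREFIXES):
                leftovers["plaintext"].append(path)
    return leftovers


def encrypt_tree(project, start_dir, password, license_key=None, dry_run=True):
    """Encrypt all panels below start_dir, then report what was left unprotected.

    dry_run=True only builds the command; use False on a machine with WinCC OA installed.
    """
    argv = build_encrypt_command(project, start_dir, password, license_key)
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv, find_leftovers(start_dir)


def demo():
    """Constructed sample tree (no real panels) showing what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "gedi").mkdir()
        (root / "gedi" / "plain.pnl").write_bytes(b"V 14\n1\nLANG:10000 0 \n")  # still plaintext
        (root / "gedi" / "plain.pnl.bak").write_bytes(b"V 14\n1\n")             # backup of original
        (root / "form.xml").write_bytes(b'<?xml version="1.0"?><panel/>')       # plaintext xml panel
        (root / "done.pnl").write_bytes(b"\x8f\x00\x12\xa7encrypted-blob")     # stand-in for encrypted
        argv, found = encrypt_tree("WinCC_OA_Proj", root, "MySecurePassword", dry_run=True)
        return {
            "argv_flags": [a for a in argv if a.startswith("-")],
            "bak": [p.name for p in found["bak"]],
            "plaintext": sorted(p.name for p in found["plaintext"]),
        }


if __name__ == "__main__":
    print(demo())
```

After a real run (dry_run=False), a non-empty "bak" or "plaintext" list means the unprotected originals are still in the project tree and must be removed or re-encrypted before the project is handed over.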

License Key in a License Container

The license key entered by the integrator is not visible to the future end user, so that the end user cannot create their own encrypted panels that reuse the integrator's license key. The end user only sees the coded key that WinCC OA generated during the encryption; this coded key is entered into a license container.

The coded key begins with "pe_" and ends with "_pe".

Example

The integrator chooses "myFeature" as license key.

WinCC OA generates the coded key during the encryption, e.g.:

pe_87sdfhsdkrzlkjh4w_pe = 1

After the encryption of the panel, the license container must contain the coded key. If a new license keyword is used when the panel/script is encrypted and this keyword does not yet exist in the license container, either the existing license has to be changed (extended) or a new license has to be obtained.

The panel file contains the actual license key on its first line. The key is not visible to the end user, because the entire panel is encrypted. When the panel is loaded, the actual license key is encrypted with the ETM password and the result is compared with the coded key in the license container. If these keys match, the panel is opened in VISION.