PostgreSQL® Notes

Suggestions to enhance the security (only for advanced users)

  • It is a good practice to create a white list for the hosts that are allowed to access the database in the file /db/wincc_oa/localdb/postgresql/pgdata/pg_hba.conf
  • Restrict the permitted addresses for database communication with the setting listen_addresses in the file /db/wincc_oa/localdb/postgresql/pgdata/postgresql.conf within the project directory.

Set the password for the default PostgreSQL® admin user

When a PostgreSQL® database managed by WinCC OA is created (see chapter Archive to Group Mapping), the default admin user postgres is deactivated and it is not possible to log into this WinCC OA managed database with this user.

Note: This indirectly deactivated admin user has no password.

However, if your security policy requires this user to have a strong password, perform the following steps to enforce a password for the PostgreSQL® user on:

Windows:

  1. Start the WinCC OA project:
    cmd `psql -U postgres -h %LOCALAPPDATA%\.winccoa -p 15432 winccoa`
  2. Reset the password:
    `ALTER USER postgres WITH PASSWORD 'P@ssw0rd';`
  3. Edit the file:
    `%proj_path%\db\wincc_oa\localdb\postgresql\16\pgdata\pg_hba.conf`
  4. Change the line:

    `local	all postgres trust`

    to

    `local	all postgres  scram-sha-256`
  5. Query:
    `select pg_reload_conf();`

Linux:

  1. Start the WinCC OA project:
     cmd `psql -U postgres -h ~/.winccoa -p 15432 winccoa`
  2. Query:
    `ALTER USER postgres WITH PASSWORD 'P@ssw0rd';`
  3. Edit the file:
    `$proj_path$/db/wincc_oa/localdb/postgresql/16/pgdata/pg_hba.conf`
  4. Change the line:

    `local	all postgres	trust`

    to

    `local	all postgres  scram-sha-256`
  5. Query:
    `select pg_reload_conf();`
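
The host allowlist suggestion and the `trust` to `scram-sha-256` change above can be checked mechanically after editing pg_hba.conf. The following Python script is an added example, not part of the WinCC OA documentation or product; the function names and the sample rules are constructed for illustration, and it assumes well-formed pg_hba.conf lines.

```python
import ipaddress

# Constructed sample: the page's 'trust' line plus invented host rules.
SAMPLE_HBA = """\
local   all      postgres                      trust
host    winccoa  all   192.0.2.10/32           scram-sha-256
host    all      all   0.0.0.0    0.0.0.0      md5
"""

WEAK = {"trust": "no authentication", "password": "cleartext password",
        "md5": "weaker than scram-sha-256"}

def parse_rule(line):
    """Return (user, address, method); None for blank or comment lines."""
    f = line.split("#", 1)[0].split()
    if not f:
        return None
    if f[0] == "local":                   # local rules have no ADDRESS column
        return f[2], None, f[3]
    address, rest = f[3], f[4:]
    if "." in rest[0] or ":" in rest[0]:  # "IP NETMASK" two-column form
        address, rest = f"{address}/{rest[0]}", rest[1:]
    return f[2], address, rest[0]

def is_any_host(address):
    """True when the ADDRESS column matches every client."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:                    # hostname, samehost, samenet
        return False

def audit(text):
    """Return (line number, finding) pairs for risky pg_hba.conf rules."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if (rule := parse_rule(line)) is None:
            continue
        user, address, method = rule
        if method in WEAK:
            findings.append((lineno, f"{method} for {user}: {WEAK[method]}"))
        if address is not None and is_any_host(address):
            findings.append((lineno, f"{address} admits every host"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_HBA):
        print(f"line {lineno}: {finding}")
```

To audit a real file, pass its contents to `audit()`. IPv6 addresses written with a separate netmask column are parsed but not evaluated for breadth.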

Important: We provide security down to the machine level. If an attacker has access to the machine itself, this is outside the responsibility of the WinCC OA product provider.