Security profiles and certificate validation - STEP 7

Communications modules and network components
Product: STEP 7
Version: V20
Publication date: 11/2024
Language: en-US
Security profiles and certificate validation

Security profiles of the OPC UA application

Depending on the CP type, the following security profiles of the OPC UA specification are supported by the OPC UA application of the CP:

  • SecurityPolicy

    • SecurityPolicy ‑ None

    • SecurityPolicy ‑ Basic128Rsa15

      Signing and 128-bit encryption

    • SecurityPolicy ‑ Basic256

      Signing and 256-bit encryption

    • SecurityPolicy [A] ‑ Aes128-Sha256-RsaOaep

      Signing (SHA‑256) and 128-bit AES encryption with RSA-OAEP key transport

    • SecurityPolicy [B] ‑ Basic256Sha256

      Signing and 256-bit encryption (SHA‑256)

    • SecurityPolicy ‑ Aes256-Sha256-RsaPss

      Signing with RSA-PSS (SHA‑256) and 256-bit AES encryption with RSA-OAEP key transport

    The associated message security modes (OPC UA "MessageSecurityMode", selectable per policy) mean:

    • Sign

      The CP only allows communication with signed frames.

    • Sign and encrypt

      The CP only allows communication with signed and encrypted frames.
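The policy list above is what a client sees in a server's GetEndpoints response, and the practical question is which endpoint to pick. The following is an added example (not from the STEP 7 manual and not CP code) that ranks the listed SecurityPolicy URIs together with the message security mode, rejects "None" and, by default, the deprecated SHA-1 based policies Basic128Rsa15 and Basic256, and returns the strongest remaining endpoint. The endpoint records are constructed sample data, not the output of a real GetEndpoints call.

```python
"""Pick the strongest endpoint a server offers, given the CP's policy list.

Added example (not from the STEP 7 manual and not CP firmware): a client-side
ranking of the SecurityPolicy URIs listed above combined with the message
security mode. The endpoint records are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"

# Relative strength of the policies in the manual's list (higher is stronger).
# Basic128Rsa15 and Basic256 rely on SHA-1 signatures and are deprecated since
# OPC UA 1.04; None offers neither signing nor encryption.
POLICY_RANK = {
    POLICY_BASE + "None": 0,
    POLICY_BASE + "Basic128Rsa15": 1,
    POLICY_BASE + "Basic256": 2,
    POLICY_BASE + "Aes128_Sha256_RsaOaep": 3,
    POLICY_BASE + "Basic256Sha256": 4,
    POLICY_BASE + "Aes256_Sha256_RsaPss": 5,
}
DEPRECATED = {POLICY_BASE + "Basic128Rsa15", POLICY_BASE + "Basic256"}

# OPC UA MessageSecurityMode: the manual's "Sign" and "Sign and encrypt".
MODE_RANK = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}


@dataclass(frozen=True)
class Endpoint:
    url: str
    policy_uri: str
    mode: str   # "None", "Sign" or "SignAndEncrypt"


def acceptable(ep: Endpoint, require_encryption: bool = True,
               allow_deprecated: bool = False) -> bool:
    """Policy gate: reject None, unknown and (by default) deprecated policies,
    and require SignAndEncrypt unless the caller explicitly accepts Sign."""
    rank = POLICY_RANK.get(ep.policy_uri, -1)
    if rank <= 0:
        return False
    if ep.policy_uri in DEPRECATED and not allow_deprecated:
        return False
    if ep.mode == "None" or ep.mode not in MODE_RANK:
        return False
    if require_encryption and ep.mode != "SignAndEncrypt":
        return False
    return True


def choose_endpoint(endpoints: Iterable[Endpoint], **policy) -> Optional[Endpoint]:
    """Strongest acceptable endpoint, or None if the server offers nothing usable."""
    candidates = [ep for ep in endpoints if acceptable(ep, **policy)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda ep: (POLICY_RANK[ep.policy_uri], MODE_RANK[ep.mode]))


# Constructed GetEndpoints result of a CP reachable at 192.0.2.20.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://192.0.2.20:4840", POLICY_BASE + "None", "None"),
    Endpoint("opc.tcp://192.0.2.20:4840", POLICY_BASE + "Basic256", "SignAndEncrypt"),
    Endpoint("opc.tcp://192.0.2.20:4840", POLICY_BASE + "Basic256Sha256", "Sign"),
    Endpoint("opc.tcp://192.0.2.20:4840", POLICY_BASE + "Basic256Sha256", "SignAndEncrypt"),
    Endpoint("opc.tcp://192.0.2.20:4840", POLICY_BASE + "Aes256_Sha256_RsaPss", "Sign"),
]

# Constructed result of an older device that offers only None and a deprecated policy.
LEGACY_ENDPOINTS = [
    Endpoint("opc.tcp://192.0.2.21:4840", POLICY_BASE + "None", "None"),
    Endpoint("opc.tcp://192.0.2.21:4840", POLICY_BASE + "Basic128Rsa15", "SignAndEncrypt"),
]

if __name__ == "__main__":
    print(choose_endpoint(SAMPLE_ENDPOINTS))
    print(choose_endpoint(LEGACY_ENDPOINTS))
    print(choose_endpoint(LEGACY_ENDPOINTS, allow_deprecated=True))
```

Note the trade-off the ranking makes visible: with encryption required, the sample server's Aes256-Sha256-RsaPss endpoint is skipped because it is only offered with "Sign", and Basic256Sha256 with "Sign and encrypt" wins; the legacy device yields no usable endpoint at all unless the deprecated policy is explicitly allowed.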

Certificate validation

In this parameter group you set the options for checking the certificates of the communications partner for the server or client application.

  • Checking the certificates

    The CP generally checks the certificate of the communications partner, except when "SecurityPolicy ‑ None" is selected.

    If the partner certificate is invalid or is not trustworthy, communication is aborted.

    If the option is enabled, the two following options for restricting the checking routines can be activated.

  • No strict certificate validation

    If the option is enabled, the CP allows communication in the following situations:

    • The IP address of the communications partner is not identical to the IP address in its certificate.

    • The intended use stored in the certificate (OPC UA client or server) differs from the function (OPC UA client or server) that the communications partner actually performs.

    • The current time on the CP is outside the period of validity of the partner certificate.

    Regardless of these exceptions, to establish a connection, at least the following requirements must be met:

    • The application URI sent by the requesting client must match the URI of the server application of the CP.

    • If the partner certificate was not issued by a trusted CA (for example, it is self-signed), the CP must at least have the partner's own certificate in its certificate store.

    • If the partner certificate was issued through a chain of several CAs, every CA in that chain must be stored in the certificate store of the CP.

  • Do not check period of validity

    If this option is enabled, the CP still checks the certificate of the communications partner but additionally allows communication in the following situation:

    • The current time on the CP is outside the period of validity of the partner certificate.

If the "Checking the certificates" option is not enabled, no certificates are checked at all. In that case the connection may still be signed and encrypted under the selected security policy, but the identity of the communications partner is not verified.

Particularly when establishing communication with third-party applications, note the information on importing certificates in the certificate management section.
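The interplay of the three options is easy to get wrong, so the following added example (neither from the STEP 7 manual nor from CP firmware) models the decision logic described above as a pure function: the application URI match and the trust requirement (self-signed certificate imported, or every CA of the chain imported) can never be waived, while the IP address, intended-use and validity-period checks are waived by "No strict certificate validation", and the validity-period check alone by "Do not check period of validity". How the CP implements the intended-use check (modelled here via extendedKeyUsage) and the URI check (modelled as the certificate's SAN URI against the URI the partner announces) is an assumption; the certificates, trust store and CP clock are constructed sample data.

```python
"""Decision logic of the CP's "Certificate validation" parameter group.

Added example, neither from the STEP 7 manual nor from CP firmware: the
three options are modelled as a pure function over fields a validator would
extract from the partner's X.509 certificate. The mapping of the "use" check
to extendedKeyUsage and of the URI check to the SAN URI is an assumption;
certificates, trust store and clock are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class PartnerCert:
    fingerprint: str               # thumbprint used as key in the certificate store
    application_uri: str           # subjectAltName URI (OPC UA application URI)
    ip_addresses: FrozenSet[str]   # subjectAltName IP entries
    usages: FrozenSet[str]         # "client" / "server" from extendedKeyUsage (assumed)
    not_before: datetime
    not_after: datetime
    issuer_chain: Tuple[str, ...]  # CA names, empty for a self-signed certificate


@dataclass(frozen=True)
class Partner:
    application_uri: str   # URI the peer announces when connecting
    ip_address: str        # source address of the connection
    role: str              # "client" or "server": the function the peer performs


@dataclass(frozen=True)
class ValidationConfig:
    check_certificates: bool = True
    no_strict_validation: bool = False
    no_validity_check: bool = False


@dataclass(frozen=True)
class TrustStore:
    partner_fingerprints: FrozenSet[str]   # imported (self-signed) partner certificates
    ca_names: FrozenSet[str]               # imported CA certificates


def validate_partner(cert: PartnerCert, partner: Partner, cfg: ValidationConfig,
                     trust: TrustStore, now: datetime,
                     security_policy: str = "Basic256Sha256") -> Tuple[bool, List[str]]:
    """Return (accepted, findings); findings prefixed 'tolerated:' were waived by cfg."""
    if security_policy == "None" or not cfg.check_certificates:
        # The channel may still be signed/encrypted, but the peer is never authenticated.
        return True, ["certificate not checked (SecurityPolicy None or checking disabled)"]

    # Requirements that no option waives.
    findings: List[str] = []
    if cert.application_uri != partner.application_uri:
        findings.append("application URI mismatch: certificate %s, partner %s"
                        % (cert.application_uri, partner.application_uri))
    if cert.issuer_chain:
        missing = [ca for ca in cert.issuer_chain if ca not in trust.ca_names]
        if missing:
            findings.append("CA(s) missing from certificate store: " + ", ".join(missing))
    elif cert.fingerprint not in trust.partner_fingerprints:
        findings.append("self-signed partner certificate not in certificate store")

    # Checks waived by 'No strict certificate validation'; the validity check is
    # also waived on its own by 'Do not check period of validity'.
    soft: List[Tuple[str, str]] = []
    if partner.ip_address not in cert.ip_addresses:
        soft.append(("ip", "partner IP %s not in certificate" % partner.ip_address))
    if partner.role not in cert.usages:
        soft.append(("usage", "certificate not issued for OPC UA %s use" % partner.role))
    if not (cert.not_before <= now <= cert.not_after):
        soft.append(("validity", "CP time %s outside validity period" % now.date()))
    for kind, msg in soft:
        waived = cfg.no_strict_validation or (kind == "validity" and cfg.no_validity_check)
        findings.append(("tolerated: " if waived else "") + msg)

    return all(f.startswith("tolerated:") for f in findings), findings


# Constructed data: a self-signed client certificate that expired before the CP's clock,
# and a CA-issued server certificate whose root CA was not imported into the store.
UTC = timezone.utc
NOW = datetime(2024, 11, 15, 12, 0, tzinfo=UTC)
CLIENT_CERT = PartnerCert("ab12", "urn:scada-host:UaClient", frozenset({"192.0.2.10"}),
                          frozenset({"client"}), datetime(2023, 1, 1, tzinfo=UTC),
                          datetime(2024, 6, 30, tzinfo=UTC), ())
CA_CERT = PartnerCert("cd34", "urn:mes-host:UaServer", frozenset({"192.0.2.30"}),
                      frozenset({"server"}), datetime(2024, 1, 1, tzinfo=UTC),
                      datetime(2026, 1, 1, tzinfo=UTC), ("Plant Issuing CA", "Plant Root CA"))
CLIENT = Partner("urn:scada-host:UaClient", "192.0.2.10", "client")
SERVER = Partner("urn:mes-host:UaServer", "192.0.2.30", "server")
STORE = TrustStore(frozenset({"ab12"}), frozenset({"Plant Issuing CA"}))

if __name__ == "__main__":
    for name, cfg in [("strict", ValidationConfig()),
                      ("no validity check", ValidationConfig(no_validity_check=True)),
                      ("not strict", ValidationConfig(no_strict_validation=True))]:
        print(name, validate_partner(CLIENT_CERT, CLIENT, cfg, STORE, NOW))
    print("chain", validate_partner(CA_CERT, SERVER, ValidationConfig(), STORE, NOW))
```

Running it shows the expired client certificate rejected under strict settings and tolerated once "Do not check period of validity" is set, and the CA-issued server certificate rejected solely because "Plant Root CA" is missing from the store; no relaxation option changes that outcome, nor a URI mismatch.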

Special features for the client application of the CP 443-1 OPC UA

If you use the client function of the CP, note the following:

The value of the parameter "CheckServerCertificate" that you programmed in the connection information (UASessionConnectInfo) for the client program block "UA_Connect" is overwritten by the settings configured in the "Certificate validation" parameter group. If the client is to check the certificates of the communications partner (server), you can ignore the parameter in the UDT "UASessionConnectInfo". For the certificate check, only the configured values of the "Certificate validation" parameter group are relevant; in particular, setting "CheckServerCertificate" in the program block does not enable a check that is disabled in the configuration.