Dialog: Device Security Settings (OPC UA Server)

Function: The dialog shows all device security settings which are provided by the connected controller.

Call: Communication Settings tab, Device → Security Settings menu command

Requirements: You have installed CODESYS Security Agent and the active path to the controller is configured.

The following table shows the settings which affect the OPC UA Server.

Setting	Description
`CommunicationPolicy`	Applied OPC UA security policy. The selected policy and all more secure options are used. `POLICY_AES256SHA256RSAPSS`: Start from Aes256Sha256RsaPSS `POLICY_BASIC256SHA256`: Start from Basic256Sha256 `POLICY_AES128SHA256RSAOAEP`: Start from Aes128Sha256RSAOAEP (default setting)
`CommunicationMode`	Mode for communication `SIGNED_AND_ENCRYPTED`: Allows only signed and encrypted communication `MIN_SIGNED`: Allows signed or signed and encrypted communication `SECURE_IF_POSSIBLE`: Allows communication in plain text if an X.509 certificate is not available for the OPC UA Server. Disables unsecure mode as soon as a certificate has been generated. (default setting) `ALL`: Allows secure and unsecure communication `ONLY_PLAINTEXT`: Allows only unsecure communication
`Activation`	Activation/Deactivation OPC UA Server `DEACTIVATED`: OPC UA Server deactivated `ACTIVATED`: OPC UA Server activated (default setting)
`UserAuthentication`	UserToken of the OPC UA Server `ENABLED`: The UserTokens are generated to match the configuration of the device user management. (default setting) `ENFORCED`: The anonymous UserToken is disabled. Regardless of whether anonymous access is allowed in the device user management.
`AllowUserPasswordOnPlaintext`	Transfer passwords in plain text if a OPC UA Server certificate is not available `YES`: Transmission of passwords in plain text is allowed. This setting is not recommended. `NO`: Transmission of passwords in clear text is not allowed. (default setting)
`EnableCRLChecks`	Enable/Disable check of certificate revocation lists (CRLs). CRLs are used for CA-signed certificates. `YES`: Check of CRL enabled (default setting) `NO`: Check of CRLs disabled For more information, see: Configuration of the OPC UA certificates
`EnableSelfSignedCertBackwardInteroperability`	The OPC UA specification requires that for self-signed certificates the `cA` bit is set in the extensions. This allows even signed `ApplicationInstanceCertificates` (server or client certificate) to be misused as CA. `YES`: Allows these certificates. This setting is less secure, but increases compatibility. (default setting) `NO`: Forbids ApplicationInstance certificates from having the `cA` bit set in the extension. This setting is more secure, but decreases compatibility.
`DeactivateApplicationAuthentication`	The OPC UA protocol requires mutual authentication of the applications when establishing a connection. This is achieved with safeguarded connections (signing or signing+encryption) by means of the mutual validation of the application certificates (`ApplicationInstanceCertificate`). You can use the `DeactivateApplicationAuthentication` setting to disable the check of the client certificate in the OPC UA Server. According to the UA standard, authentication must be performed at the user level in this case (use of device user management). `NO`: Validation of the client certificate disabled `YES`: Validation of the client certificate enabled
`DeactivateSecurityPolicy`	Disabling of security policies Entry as a policy URL (for example, `http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256`) in a comma-separated list
`ApplicationName`	Defines the `Common Name` (`CN`) of the OPC UA Server certificate. If this setting is not set, then OPCUAServer@<HOSTNAME> is used.
`CompanyOrOrganizationName`	Defines the `OrganizationalUnit` (`OU`) of the OPC UA Server certificate
`City`	Defines the `locality` (`L`) of the OPC UA Server certificate
`State`	Defines the `StateOrProvinceName` (`S`) of the OPC UA server certificate
`Country`	Defines the `CountryName` (`C`) of the OPC UA server certificate
`CertificateIPAdresses`	Comma-separated list of IP addresses to be entered in the X.509 certificate of the OPC UA Server. The following entries are possible: Entry of one or more IP addresses. For example, for the IP address of a NAT (Network Address Translation). Examples: "1.2.3.4, All", "Static", "1.2.3.4, 7.8.9.10" `All`: All local IP addresses should be added to the certificate. Only network adapters which have a valid IP address when booted or when the security settings are changed are taken into account. `Static`: Like `All`, with the restriction that only IP addresses which are set statically on the device are taken into account.