
Dialog: Device Security Settings (OPC UA Server)

Function: The dialog shows all device security settings which are provided by the connected controller.

Call: Communication Settings tab, DeviceSecurity Settings menu command

Requirements: You have installed CODESYS Security Agent and the active path to the controller is configured.

The following table shows the settings which affect the OPC UA Server.

Setting

Description

CommunicationPolicy

Applied OPC UA security policy. The selected policy and all policies listed above it (the more secure ones) are enabled; weaker policies are not offered.

  • POLICY_AES256SHA256RSAPSS: Start from Aes256Sha256RsaPSS

  • POLICY_BASIC256SHA256: Start from Basic256Sha256

  • POLICY_AES128SHA256RSAOAEP: Start from Aes128Sha256RSAOAEP (default setting)

CommunicationMode

Mode for communication

  • SIGNED_AND_ENCRYPTED: Allows only signed and encrypted communication

  • MIN_SIGNED: Allows signed or signed and encrypted communication

  • SECURE_IF_POSSIBLE: Allows plain-text communication only as long as no X.509 certificate is available for the OPC UA Server. As soon as a certificate has been generated, the unsecured mode is disabled. (default setting)

  • ALL: Allows secured and unsecured (plain-text) communication

  • ONLY_PLAINTEXT: Allows only unsecured (plain-text) communication

Activation

Activates or deactivates the OPC UA Server

  • DEACTIVATED: OPC UA Server deactivated

  • ACTIVATED: OPC UA Server activated (default setting)

UserAuthentication

UserTokens offered by the OPC UA Server

  • ENABLED: The UserTokens are generated to match the configuration of the device user management. (default setting)

  • ENFORCED: The anonymous UserToken is disabled, regardless of whether anonymous access is allowed in the device user management.

AllowUserPasswordOnPlaintext

Transfer of passwords in plain text if an OPC UA Server certificate is not available (without a server certificate the password in the UserName token cannot be encrypted)

  • YES: Transmission of passwords in plain text is allowed. This setting is not recommended.

  • NO: Transmission of passwords in plain text is not allowed. (default setting)

EnableCRLChecks

Enables or disables the check of certificate revocation lists (CRLs). CRLs are only relevant for CA-signed certificates; a self-signed certificate has no issuer that could revoke it.

  • YES: Check of CRL enabled (default setting)

  • NO: Check of CRLs disabled

For more information, see: Configuration of the OPC UA certificates

EnableSelfSignedCertBackwardInteroperability

The OPC UA specification requires that the cA bit of the BasicConstraints extension is set for self-signed certificates. As a consequence, a signed ApplicationInstanceCertificate (server or client certificate) that carries this bit could also be misused as a CA certificate to issue further certificates.

  • YES: Accepts ApplicationInstanceCertificates with the cA bit set. This setting is less secure but increases compatibility. (default setting)

  • NO: Rejects ApplicationInstanceCertificates that have the cA bit set in the extension. This setting is more secure but decreases compatibility.

DeactivateApplicationAuthentication

The OPC UA protocol requires mutual authentication of the applications when a connection is established. On secured connections (signing or signing+encryption) this is achieved by mutual validation of the application certificates (ApplicationInstanceCertificate).

You can use the DeactivateApplicationAuthentication setting to disable the check of the client certificate in the OPC UA Server. According to the UA standard, authentication must then be performed at the user level (use of the device user management).

  • NO: Validation of the client certificate enabled

  • YES: Validation of the client certificate disabled
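To make the two checks above concrete, here is an added Python example (not code from this page or from CODESYS) that decodes the basicConstraints extension of a DER-encoded ApplicationInstanceCertificate and applies the two settings as a small acceptance policy: with EnableSelfSignedCertBackwardInteroperability=NO a certificate whose cA bit is TRUE is rejected, and with DeactivateApplicationAuthentication=YES the certificate check is skipped entirely. It uses only the standard library. The sample certificates it builds are constructed, unsigned skeletons with just enough TBSCertificate structure to exercise the parser; the function names and that skeleton are assumptions for illustration. Signature, validity and trust-list checks that a real validation performs are deliberately left out.

```python
"""Decode the basicConstraints cA bit of a DER certificate and apply the
EnableSelfSignedCertBackwardInteroperability / DeactivateApplicationAuthentication
semantics. Added example; standard library only."""

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")       # 2.5.29.19
TAG_BOOLEAN, TAG_INTEGER, TAG_OID, TAG_OCTET, TAG_SEQ = 0x01, 0x02, 0x06, 0x04, 0x30
TAG_EXTENSIONS = 0xA3                                  # [3] EXPLICIT in TBSCertificate


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ca_bit_set(cert_der):
    """True if the certificate's basicConstraints extension carries cA=TRUE."""
    _, certificate, _ = _tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(certificate, 0)                  # tbsCertificate ::= SEQUENCE
    pos = 0
    while pos < len(tbs):
        tag, body, pos = _tlv(tbs, pos)
        if tag != TAG_EXTENSIONS:
            continue                                   # version, serial, issuer, ...
        _, extensions, _ = _tlv(body, 0)              # Extensions ::= SEQUENCE OF Extension
        epos = 0
        while epos < len(extensions):
            _, ext, epos = _tlv(extensions, epos)
            _, oid, p = _tlv(ext, 0)
            if oid != OID_BASIC_CONSTRAINTS:
                continue
            tag, value, p = _tlv(ext, p)
            if tag == TAG_BOOLEAN:                     # optional 'critical' flag precedes extnValue
                _, value, p = _tlv(ext, p)
            _, bc, _ = _tlv(value, 0)                 # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
            if bc and bc[0] == TAG_BOOLEAN:
                _, flag, _ = _tlv(bc, 0)
                return flag != b"\x00"
            return False                               # cA absent -> DEFAULT FALSE
        return False                                   # no basicConstraints extension at all
    return False                                       # no extensions (v1 certificate)


def validate_client_certificate(cert_der, backward_interop="YES", deactivate_app_auth="NO"):
    """Model of the two settings; returns (accepted, reason). Only the cA bit is
    examined here, a real server also checks signature, validity and trust list."""
    if deactivate_app_auth == "YES":
        return True, "application authentication deactivated; rely on user authentication"
    if ca_bit_set(cert_der) and backward_interop == "NO":
        return False, "ApplicationInstanceCertificate has cA=TRUE and interoperability mode is off"
    return True, "certificate passed the basicConstraints check"


def der_encode(tag, body):
    """Minimal DER encoder, used only to build the constructed sample certificates."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert(ca):
    """Constructed, unsigned certificate skeleton (NOT a real OPC UA certificate):
    just enough TBSCertificate structure for the parser, with basicConstraints cA=<ca>."""
    basic_constraints = der_encode(TAG_SEQ, der_encode(TAG_BOOLEAN, b"\xff" if ca else b"\x00"))
    extension = der_encode(TAG_SEQ, der_encode(TAG_OID, OID_BASIC_CONSTRAINTS)
                           + der_encode(TAG_BOOLEAN, b"\xff")          # critical
                           + der_encode(TAG_OCTET, basic_constraints))
    tbs = der_encode(TAG_SEQ,
                     der_encode(0xA0, der_encode(TAG_INTEGER, b"\x02"))  # [0] version v3
                     + der_encode(TAG_INTEGER, b"\x01")                  # serialNumber
                     + der_encode(TAG_SEQ, der_encode(TAG_OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
                     + der_encode(TAG_SEQ, b"")                          # issuer (placeholder)
                     + der_encode(TAG_SEQ, b"")                          # validity (placeholder)
                     + der_encode(TAG_SEQ, b"")                          # subject (placeholder)
                     + der_encode(TAG_SEQ, b"")                          # subjectPublicKeyInfo (placeholder)
                     + der_encode(TAG_EXTENSIONS, der_encode(TAG_SEQ, extension)))
    # signatureAlgorithm and signatureValue are placeholders; nothing is signed.
    return der_encode(TAG_SEQ, tbs + der_encode(TAG_SEQ, b"") + der_encode(0x03, b"\x00"))


if __name__ == "__main__":
    for ca in (True, False):
        for interop in ("YES", "NO"):
            ok, why = validate_client_certificate(sample_cert(ca), backward_interop=interop)
            print(f"cA={ca!s:5} interop={interop:3} -> {'accept' if ok else 'REJECT'}: {why}")
```

On a real certificate file the same bit is visible with `openssl x509 -inform DER -in client.der -noout -text` under "X509v3 Basic Constraints" as CA:TRUE or CA:FALSE; with the setting at NO, expect a client certificate showing CA:TRUE to be refused when the secure channel is opened.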

DeactivateSecurityPolicy

Disabling of security policies

Entry as a comma-separated list of security policy URIs (for example, http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256)
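As an added worked example (not part of this page or of the CODESYS product), the following Python script models how the CommunicationPolicy, CommunicationMode and DeactivateSecurityPolicy settings above combine into the set of endpoints the server should offer, and audits an advertised endpoint list against it, flagging anything weaker than configured. The policy ranking follows the order in which the dialog lists the policies; the policy URIs are the standard OPC Foundation ones. The endpoint list is constructed sample data; in practice the pairs would be taken from a GetEndpoints call (for example from the EndpointDescription objects that asyncua's `Client.connect_and_get_server_endpoints()` returns, an assumption about that library).

```python
"""Audit the endpoints an OPC UA server advertises against the CommunicationPolicy /
CommunicationMode / DeactivateSecurityPolicy settings. Added example, standard library only."""

NS = "http://opcfoundation.org/UA/SecurityPolicy#"
POLICY_NONE = NS + "None"

# Policies in the order the dialog lists them (strongest first). "Start from X"
# enables X and every policy listed above it.
POLICIES_STRONGEST_FIRST = [
    ("POLICY_AES256SHA256RSAPSS", NS + "Aes256_Sha256_RsaPss"),
    ("POLICY_BASIC256SHA256", NS + "Basic256Sha256"),
    ("POLICY_AES128SHA256RSAOAEP", NS + "Aes128_Sha256_RsaOaep"),
]

# MessageSecurityModes each CommunicationMode allows. SECURE_IF_POSSIBLE is
# listed as it behaves once a server certificate exists.
MODES = {
    "SIGNED_AND_ENCRYPTED": {"SignAndEncrypt"},
    "MIN_SIGNED": {"Sign", "SignAndEncrypt"},
    "SECURE_IF_POSSIBLE": {"Sign", "SignAndEncrypt"},
    "ALL": {"None", "Sign", "SignAndEncrypt"},
    "ONLY_PLAINTEXT": {"None"},
}


def expected_endpoints(policy, mode, deactivated="", certificate_present=True):
    """Return the set of (SecurityPolicyUri, MessageSecurityMode) pairs the server
    should offer for the given settings. `deactivated` is the comma-separated
    DeactivateSecurityPolicy string."""
    names = [name for name, _ in POLICIES_STRONGEST_FIRST]
    start = names.index(policy)
    enabled = {uri for _, uri in POLICIES_STRONGEST_FIRST[: start + 1]}
    enabled -= {uri.strip() for uri in deactivated.split(",") if uri.strip()}
    modes = set(MODES[mode])
    if mode == "SECURE_IF_POSSIBLE" and not certificate_present:
        modes = {"None"}            # plain text only until a certificate exists
    expected = set()
    for secmode in modes:
        if secmode == "None":
            expected.add((POLICY_NONE, "None"))
        else:
            expected.update((uri, secmode) for uri in enabled)
    return expected


def audit_endpoints(advertised, policy, mode, deactivated="", certificate_present=True):
    """Compare advertised (SecurityPolicyUri, MessageSecurityMode) pairs, e.g. taken
    from a GetEndpoints response, with the expected set. Anything 'unexpected' is a
    weaker or disabled endpoint the server should not be offering."""
    expected = expected_endpoints(policy, mode, deactivated, certificate_present)
    actual = set(advertised)
    return {"unexpected": sorted(actual - expected), "missing": sorted(expected - actual)}


# Constructed sample: what GetEndpoints might return from a server that was meant
# to run with the default policy, MIN_SIGNED, and Basic256Sha256 deactivated
# (the page's own DeactivateSecurityPolicy example).
DEACTIVATED = NS + "Basic256Sha256"
SAMPLE_ENDPOINTS = [
    (NS + "Aes256_Sha256_RsaPss", "SignAndEncrypt"),
    (NS + "Aes256_Sha256_RsaPss", "Sign"),
    (NS + "Aes128_Sha256_RsaOaep", "SignAndEncrypt"),
    (NS + "Aes128_Sha256_RsaOaep", "Sign"),
    (NS + "Basic256Sha256", "SignAndEncrypt"),    # deactivated policy still offered
    (POLICY_NONE, "None"),                          # plain text despite MIN_SIGNED
]

if __name__ == "__main__":
    result = audit_endpoints(SAMPLE_ENDPOINTS, "POLICY_AES128SHA256RSAOAEP", "MIN_SIGNED", DEACTIVATED)
    for uri, secmode in result["unexpected"]:
        print(f"UNEXPECTED endpoint offered: {uri} / {secmode}")
    for uri, secmode in result["missing"]:
        print(f"MISSING endpoint: {uri} / {secmode}")
```

A None/None endpoint is only legitimate under SECURE_IF_POSSIBLE while the server has no certificate yet; once it shows up next to secured endpoints, or under SIGNED_AND_ENCRYPTED or MIN_SIGNED, the configuration has not been applied as intended.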

ApplicationName

Defines the Common Name (CN) of the OPC UA Server certificate. If this setting is not set, then OPCUAServer@<HOSTNAME> is used.

CompanyOrOrganizationName

Defines the OrganizationalUnit (OU) of the OPC UA Server certificate

City

Defines the locality (L) of the OPC UA Server certificate

State

Defines the StateOrProvinceName (S) of the OPC UA server certificate

Country

Defines the CountryName (C) of the OPC UA server certificate

CertificateIPAdresses

Comma-separated list of IP addresses to be entered in the X.509 certificate of the OPC UA Server. The following entries are possible:

  • Entry of one or more IP addresses. For example, for the IP address of a NAT (Network Address Translation).

    Examples: "1.2.3.4, All", "Static", "1.2.3.4, 7.8.9.10"

  • All: All local IP addresses are added to the certificate. Only network adapters which have a valid IP address at boot time or when the security settings are changed are taken into account.

  • Static: Like All, with the restriction that only IP addresses which are set statically on the device are taken into account.