Security for the CODESYS Automation Server
The CODESYS Automation Server (CAS) provides the following security features:
Encapsulation of the devices outwards. Communication takes place exclusively via the CODESYS Edge Gateway ("Edge Gateway").
Certificate-encrypted communication: The data exchange between the CODESYS Automation Server and the Edge Gateway, and also the data exchange between the Edge Gateway and the PLC, is TLS-encrypted based on X.509 certificates.
Communication between the CODESYS Automation Server and the Edge Gateway can be configured only with authorization and in a secure environment (settings in the gateway.cfg file). For protection of the Edge Gateway device against unauthorized access, see Edge Gateway Security.
For an encrypted connection with the CODESYS Automation Server, the Edge Gateway requires the CA certificate that signed the certificate of the CODESYS Automation Server. Because the CODESYS Automation Server runs on AWS and the certificate for CODESYS has been issued by AWS, there are 5 possible Amazon Root CAs (example: CN=Amazon Root CA 1, O=Amazon, C=US). These certificates are stored automatically in the .pki directory when the Edge Gateway is connected to the CODESYS Automation Server via the CODESYS Automation Server Connector or the CODESYS Service Tool. In order for the web browser to accept the secure connection, the CA certificate used must also be valid in the browser or operating system. This is the case by default because AWS is classified as trusted (local Windows certificate store, category Trusted Root Certification Authorities, Certificates, Amazon Root CA ...).
The PLCs / Gateways view displays the thumbprint of the private key that was generated in the local certificate store for the root certificate of the PLC. If a certificate has expired, then you can renew it in the Connect or Reconfigure Edge Gateways view. To do this, the configured Edge Gateway must be connected to the Automation Server and the configuration mode must be enabled. The new certificate is valid for 6 months. For more information, see: Connect or Reconfigure Edge Gateways
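The trust decision described above (the gateway accepts the server only if the server certificate chains to a CA in its local store, within the certificate's validity period) can be checked in code. The following is an added example and not CODESYS, Edge Gateway or AWS code: it builds a constructed test root CA that stands in for an Amazon Root CA, issues a 6-month server certificate from it, and then verifies that certificate against a trust store with and without that CA, after expiry, and for a wrong hostname. The hostname and CA names are assumptions; a renewal-warning helper is included because the page says expired certificates must be renewed manually.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sixMonths is the validity period the page states for a renewed certificate.
const sixMonths = 182 * 24 * time.Hour

// newTestCA builds a constructed, self-signed root CA that stands in for the
// Amazon Root CA. It is a test fixture, not a real AWS or CODESYS certificate.
func newTestCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA", Organization: []string{"Example"}, Country: []string{"US"}},
		NotBefore:             now.Add(-24 * time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueServerCert signs a server certificate for host with the given CA,
// valid from notBefore for validFor (6 months in the scenario on this page).
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkServerTrust is the gateway-side check: the presented server certificate
// must chain to one of the CAs in the local store (the .pki directory on the
// page), must be valid at time now, and must match the expected hostname.
// A nil error means the TLS connection may proceed.
func checkServerTrust(server *x509.Certificate, host string, now time.Time, trustedCAs ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty pool, so system roots are never consulted
	for _, ca := range trustedCAs {
		pool.AddCert(ca)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// renewalDue reports whether the certificate expires within warn of now, so an
// operator can renew it in the Connect or Reconfigure Edge Gateways view before
// connections start failing.
func renewalDue(cert *x509.Certificate, now time.Time, warn time.Duration) bool {
	return !now.Before(cert.NotAfter.Add(-warn))
}

func main() {
	now := time.Now()
	ca, caKey, err := newTestCA(now)
	if err != nil {
		panic(err)
	}
	host := "automation-server.example.invalid" // constructed hostname
	srv, err := issueServerCert(ca, caKey, host, now, sixMonths)
	if err != nil {
		panic(err)
	}
	fmt.Println("CA in store:      ", checkServerTrust(srv, host, now.Add(time.Hour), ca))
	fmt.Println("no CA in store:   ", checkServerTrust(srv, host, now.Add(time.Hour)))
	fmt.Println("after expiry:     ", checkServerTrust(srv, host, now.Add(sixMonths+24*time.Hour), ca))
	fmt.Println("renewal due soon: ", renewalDue(srv, now.Add(sixMonths-7*24*time.Hour), 30*24*time.Hour))
}
```

The empty certificate pool is deliberate: with `Roots` set to an explicit pool, Go never falls back to the operating-system trust store, which mirrors the page's point that the gateway trusts exactly the CA certificates placed in its own .pki directory. The browser case on the page is the opposite: there the operating-system store is what makes the Amazon root trusted by default.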
The encrypted connection between the Edge Gateway and the PLC can be configured from the CODESYS Automation Server using a "Quick Setup". For more information, see:
An overview of the certificates of all PLCs connected to the Automation Server can be found in the Security – Device Certificates view.
You can display the signing requests (CSR = Certificate Signing Request) of a PLC or create new requests. For more information, see: View: Security – Signing Requests
For more information about the general handling of certificates, see: Certificates for CODESYS and PLC
Multifactor authentication on the server for safeguarding against double access.
For more information, see: Using Multi-Factor Authentication (MFA) to Sign In to the Server
Configurable user and permission management for access control to the server and server objects. For instructions and security information, see:
Server password: The password is initially assigned after the purchase of the CODESYS Automation Server. See the instructions for Ordering CODESYS Automation Server in the CODESYS Store International. It can be reset by the administrator. For more information, see: Resetting the Server Password
Know-how protection for source and compiled binary code: The CODESYS Automation Server always requires a boot application to load the executable binary code onto the PLC. The current functionalities in the CODESYS Development System apply to the protection of the source code.
Session timeout: A session in the CODESYS Automation Server is valid for 10 minutes. A session is automatically extended for up to 24 hours as long as the active mode is in operation (for example, as long as a tab with the CODESYS Automation Server is open). The session becomes invalid after 24 hours at the latest. Of course, you can also log out intentionally in order to end a session.
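The session rule above combines two limits that are easy to confuse: a sliding 10-minute idle window that activity extends, and an absolute 24-hour cap that no amount of activity can extend. The following is an added example, not CODESYS code, that models exactly that policy so the interaction of the two limits (and of an intentional logout) can be exercised with fixed timestamps; the type and function names are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

const (
	idleTimeout = 10 * time.Minute // valid for 10 minutes without activity
	maxLifetime = 24 * time.Hour   // and never beyond 24 hours after login, however active
)

// Session models the server-side validity of one login as the page describes
// it: a sliding idle window, an absolute lifetime cap, and an explicit logout.
// Constructed illustration, not the CODESYS Automation Server implementation.
type Session struct {
	createdAt  time.Time
	lastActive time.Time
	loggedOut  bool
}

func newSession(now time.Time) *Session {
	return &Session{createdAt: now, lastActive: now}
}

// Valid reports whether the session may still be used at time now.
func (s *Session) Valid(now time.Time) bool {
	if s.loggedOut {
		return false
	}
	if !now.Before(s.createdAt.Add(maxLifetime)) {
		return false // absolute cap: invalid after 24 hours at the latest
	}
	return now.Before(s.lastActive.Add(idleTimeout)) // 10 minutes since the last activity
}

// Touch records activity (for example an open browser tab talking to the
// server). It extends the idle window only while the session is still valid;
// an already expired session cannot be revived by late activity.
func (s *Session) Touch(now time.Time) bool {
	if !s.Valid(now) {
		return false
	}
	s.lastActive = now
	return true
}

// Logout ends the session intentionally, regardless of the timers.
func (s *Session) Logout() { s.loggedOut = true }

// survivesUntil simulates a client that produces activity every `every` for up
// to `total` after login and returns the last elapsed time at which the
// session was still accepted (0 if the very first activity already came too late).
func survivesUntil(start time.Time, every, total time.Duration) time.Duration {
	s := newSession(start)
	last := time.Duration(0)
	for elapsed := every; elapsed <= total; elapsed += every {
		if !s.Touch(start.Add(elapsed)) {
			break
		}
		last = elapsed
	}
	return last
}

func main() {
	t0 := time.Date(2024, 1, 1, 8, 0, 0, 0, time.UTC) // constructed login time
	s := newSession(t0)
	fmt.Println("valid after 9 min idle: ", s.Valid(t0.Add(9*time.Minute)))
	fmt.Println("valid after 11 min idle:", s.Valid(t0.Add(11*time.Minute)))
	fmt.Println("active tab, 5 min polls:", survivesUntil(t0, 5*time.Minute, 30*time.Hour))
	fmt.Println("polls every 15 min:     ", survivesUntil(t0, 15*time.Minute, time.Hour))
	s.Logout()
	fmt.Println("valid after logout:     ", s.Valid(t0.Add(time.Minute)))
}
```

With activity every 5 minutes the simulated session survives until 23 h 55 min and is refused at exactly 24 hours, which is the "24 hours at the latest" guarantee; with activity only every 15 minutes the first request already arrives after the idle window and is refused.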
Password policy: A password policy for assigning secure passwords is defined in the user management of the server.
Access to WebVisu user configuration in the PLC details dialog: If a WebVisu should be operated via the Automation Server, then the WebVisu user must also be entered in the CODESYS Automation Server user configuration. See here: Add visualization user for web visualization
AWS as a cloud provider with state-of-the-art security features according to international standards.
For security notes and instructions for setting up the connection between the Edge Gateway and the Server for the first time, see the following help page: