
Edge Data Store

Modbus TCP Security

  • Last Updated: Sep 29, 2025

The Modbus TCP/Security specification provides a mechanism for secure transport between Modbus devices using Transport Layer Security (TLS). This requires certificates for both the Modbus device (server) and the Adapter (client). The specification also provides an authorization scheme through role information placed within the client certificate.

Certificates

Certificates must be in PEM-encoded X.509 format. Private keys must be in PEM-encoded PKCS#1 or PKCS#8 format when unencrypted, and PKCS#8v2 when encrypted.

TLS certificates can be referenced by filename or relative path when placed in the Adapter component’s Certificates directory. Alternatively, an absolute path to the certificate can be used.

Certificate locations:

  • Windows: C:\ProgramData\OSIsoft\Adapters\Edge Data Store\Certificates

  • Linux: /usr/share/OSIsoft/Adapters/Edge Data Store/Certificates

Configuring TLS

TLS is disabled by default for each Device in the Adapter’s Data Source configuration. To use a TLS connection to a Modbus server:

  • Set MinTlsVersion to “1.2” or “1.3” in the Device configuration.

  • Specify ServerCertificate, ClientCertificate, and ClientPrivateKey by filename or absolute path. ClientPrivateKeyPassword can be set when the client private key is encrypted. The Adapter protects this value when it is configured via REST call, storing it as a Secret.

  • Set ServerCertificateDnsName to the subject name of the server’s certificate.

For more details on using TLS in the Modbus TCP EDS adapter, refer to the AVEVA Adapter for Modbus TCP documentation.

Data Source Example with TLS

{
  "Devices": [
    {
      "Id": "Device1_TLS",
      "IpAddress": "127.0.0.1",
      "Port": 802,
      "MinTlsVersion": "1.3",
      "ServerCertificate": "C:\\Certs\\RootCA\\ca_cert.pem",
      "ServerCertificateDnsName": "aveva.com"
    },
    {
      "Id": "Device2",
      "IpAddress": "127.0.0.2",
      "Port": 502
    },
    {
      "Id": "Device3_TLS",
      "IpAddress": "127.0.0.3",
      "Port": 802,
      "MinTlsVersion": "1.2",
      "ServerCertificate": "server_selfsigned.pem",
      "CertificateValidationMode": "SelfSigned"
    }
  ],
  "ClientCertificate": "client_cert.pem",
  "ClientPrivateKey": "client_key.pem"
}
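A pre-deployment check for the certificate and TLS rules on this page, as an added example that is not part of the AVEVA documentation or product. It assumes the layout of the example data source (client certificate and key at the top level) and a hypothetical `read_text` loader; the sample PEM contents are constructed stubs.

```python
import re

# PEM labels for the key formats the page allows: PKCS#1, PKCS#8, encrypted PKCS#8.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_label(text):
    """Return the label of the first PEM block in text, or None."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", text or "")
    return m.group(1) if m else None

def lint_data_source(cfg, read_text):
    """Return findings; read_text(name) -> file contents or None (hypothetical loader)."""
    out, uses_tls = [], False
    for dev in cfg.get("Devices", []):
        dev_id, ver = dev.get("Id", "?"), dev.get("MinTlsVersion")
        if ver is None:  # TLS is off by default for each Device
            out.append(f"{dev_id}: TLS disabled, plaintext Modbus TCP")
            continue
        uses_tls = True
        if ver not in ("1.2", "1.3"):
            out.append(f"{dev_id}: MinTlsVersion must be 1.2 or 1.3")
        if pem_label(read_text(dev.get("ServerCertificate", ""))) != "CERTIFICATE":
            out.append(f"{dev_id}: ServerCertificate missing or not PEM X.509")
    if uses_tls:
        if pem_label(read_text(cfg.get("ClientCertificate", ""))) != "CERTIFICATE":
            out.append("ClientCertificate missing or not PEM X.509")
        key = read_text(cfg.get("ClientPrivateKey", "")) or ""
        label = pem_label(key)
        if label not in KEY_LABELS:
            out.append("ClientPrivateKey missing or not PEM PKCS#1/PKCS#8")
        elif label == "RSA PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED" in key:
            out.append("ClientPrivateKey is encrypted PKCS#1, re-encode as PKCS#8")
        elif label == "ENCRYPTED PRIVATE KEY" and not cfg.get("ClientPrivateKeyPassword"):
            out.append("ClientPrivateKey is encrypted but ClientPrivateKeyPassword is unset")
    return out

# Constructed sample: PEM bodies are stubs, only the labels matter to the lint.
FILES = {
    "ca_cert.pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "client_cert.pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "client_key.pem": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n-----END ENCRYPTED PRIVATE KEY-----",
}
CFG = {"Devices": [{"Id": "Device1_TLS", "MinTlsVersion": "1.3", "ServerCertificate": "ca_cert.pem"},
                   {"Id": "Device2", "Port": 502},
                   {"Id": "Device3_TLS", "MinTlsVersion": "1.1", "ServerCertificate": "server_selfsigned.pem"}],
       "ClientCertificate": "client_cert.pem", "ClientPrivateKey": "client_key.pem"}

if __name__ == "__main__":
    print("\n".join(lint_data_source(CFG, FILES.get)))
```

To lint a real configuration, pass a loader that resolves filenames against the Certificates directory and returns `None` for files that do not exist.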
