Security Configuration
Last Updated: Oct 10, 2024
6 minute read
NOTICE: When establishing a secure connection, either via user authentication or via message encryption with client and server certificates, anonymous connections and the non-secure endpoint should be disabled so that unauthorized users cannot connect to the OPC UA server and perform actions on it. Also make sure that the [OPCUA]SecuritySettingsName INI parameter is set to the correct value. The driver log messages specify the security mode/policy and the authentication mode that the driver will use for a specific I/O device. The driver logs can be found in the syslog.IOServer.<Cluster name>.<IO Server name>.dat file.
The OPCUA driver provides the ability to use user credentials when connecting to the device, and also to establish a secure connection between the driver and the OPC UA server using client and server X.509 certificates. In order to establish a secure connection, the driver needs access to the server certificate and the server needs access to the driver's client certificate.
For more information about OPC UA security model, refer to the OPC Unified Architecture Specification, Part 2: Security Model. You can download the document from the OPC Foundation website (www.opcfoundation.org).
The configuration of the secure connection is done via Configurator. After the driver is installed, the Configurator will have a plugin "OPC UA Client Driver".
This plugin allows you to:
- Create security settings.
- Select the client certificate from the Windows certificate store.
- Import the client certificate from a file into the Windows certificate store.
- Issue a Plant SCADA OPC UA client certificate, store it in the Windows certificate store and export it to a file.
- Import the server certificate from a file into the Windows certificate store.
- Test the connection to the OPC UA server.
To configure the security settings (on a local computer):

1. In the panel on the left side of the Configurator, select OPC UA Client Driver. The SETTINGS page will display.
   Select the existing settings or enter a settings name to create a new one. If there are no existing settings, the "Select existing settings" option is disabled.

2. Click the Next button. The USER page will display.
   On that page, you can enable user authentication and specify the user name and password that the driver will use to connect to the OPC UA server.
   The Configurator stores the user name and password in the ArchestrA™ Data Store (ADS) service. For the driver to be able to read the user name and password from ADS, the I/O Server process user account needs to be a member of the Citect.User.Drivers Windows group.
   The Configurator will add the 'Citect.Driver.Users' Windows group if it does not exist, and it will also add the currently logged in user to that group. Note that after the user has been added, you need to either restart the computer or log out and log in again so that the driver can read the user name and password from ADS.
   If the Plant SCADA I/O process will be configured to run as a service, you will need to select the option 'The driver process will run as a service'. In that case the Configurator will add the Runtime Manager service account to the 'Citect.Driver.Users' group.
   When user authentication is used, it is recommended that you also configure secure communication with the client and server certificates. Otherwise the user name and password will be sent to the server as plain text.
   If you do not do this, it will not be possible to proceed with the configuration after the SECURITY page, and an error message will be displayed. There are two options to fix this:
   - Configure a valid security mode on the SECURITY page.
   - Set the "Disable encrypted password check" option on the USER page to allow the user name and password to be sent to the server as plain text.

3. Click the Next button. The SECURITY page will display.
   Select the message security mode and the security policy.
   The security mode specifies how messages between the driver and the server are protected (signed, or signed and encrypted). There are three options: None, Sign and SignAndEncrypt.
   The security policy parameter specifies the endpoint security policy. The supported options are:
   - None
   - Basic256 and Basic128Rsa15
   - Basic256Sha256
   - Aes128Sha256RsaOaep
   - Aes256Sha256RsaPss
   If the security mode is set to None, the driver will establish a non-secure connection.

4. Click the Next button. The CLIENT page will display.
   On that page you will need to select the client certificate from the list of available client certificates in the Windows certificate store.
   If there are no client certificates available, there are two options to add a new one:
   - Create a new Plant SCADA client certificate. When this option is selected and you click the "Create" button, the Configurator creates a new self-signed OPC UA client certificate and adds it to the Windows certificate store. The newly created client certificate is automatically selected in the list of available certificates.
   - Import the client certificate from a file. When this option is selected, select the file in which the client certificate is stored. Use the password box if the file is password protected. The imported client certificate must have a private key, and its "Subject Alternative Name" field should be in the format "urn:HostMachineName:Citect.OPCUA.Client.Driver", where HostMachineName is the host name of the computer running the driver.
   The page also provides options to view the currently selected certificate and to export the client certificate to a file, so that it can be installed on the OPC UA server machine. When you select the Export option, the Configurator exports the client certificate (public key only) to a file. If the certificate was issued by a Certificate Authority, the Certificate Authority certificate will be exported.

5. Click the Next button. The SERVER page will display.
   On that page you can add the OPC UA server certificate to the Windows certificate store. If a server certificate with a public key is already in the Windows certificate store, the driver will load it automatically.
   There are two options to import the server certificate:
   - Import a server certificate from a file. When this option is selected, the Configurator imports the server certificate into the Windows certificate store.
   - Import a server certificate directly from the OPC UA server. This option allows you to select one of the available server certificates and add it to the Windows certificate store. Specify the OPC UA server URL and then click the Browse button. The Configurator will then connect to the server and retrieve the certificates for all endpoints exposed by the server. If the operation is successful, the server certificates are added to the drop-down list of available certificates.
   Note: Importing a server certificate directly from the OPC UA server only works for self-signed server certificates.

6. Click the Next button. The FINISH page will display.
   This page informs you that the Configurator is ready to store the configured settings. After you click the Configure button, the settings are stored in the OPCUASettings file in the Plant SCADA Config folder. The Configuration Messages panel indicates whether the configuration was successful. If required, you can use the Previous button to make changes to your settings before you complete the configuration process, or to create and configure new settings.
   There is also an option to check the connection to the server after the settings have been configured. Specify the OPC UA server URL and then click the Test connection button. If the connection is successful, a message to that effect appears in the Configuration Messages panel. Otherwise a message will indicate the specific error.

7. Use the device-specific SecuritySettingsName INI parameter to apply the settings to a specific I/O device. For example, you can enter:
   [OPCUA.PORT1_BOARD1.IODev1]
   SecuritySettingsName=MySettings
Note: The security settings are stored in the OPCUASetting.xml file in the Citect SCADA config folder. When upgrading Citect SCADA to a new version, that file has to be manually copied to the new Plant SCADA/Citect SCADA config folder.
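The following PowerShell check is an added example, not part of the AVEVA documentation or the Configurator. It verifies, before runtime, the two prerequisites the procedure above relies on: that the client certificate in the Windows certificate store has a private key and a Subject Alternative Name of the form urn:HostMachineName:Citect.OPCUA.Client.Driver, and that the account the I/O Server process runs under is a member of the Citect.Driver.Users group. It assumes the certificate was stored in Cert:\LocalMachine\My and that $env:COMPUTERNAME is the HostMachineName the driver uses; the account name is a placeholder you supply.

```powershell
# Added verification script (not AVEVA code). Assumptions: certificate lives in
# Cert:\LocalMachine\My, HostMachineName == $env:COMPUTERNAME, and the I/O Server
# account name is passed in as a placeholder.
param(
    [string]$IoServerAccount = "$env:COMPUTERNAME\<io-server-account>"  # placeholder, replace
)

$expectedUri = "urn:$($env:COMPUTERNAME):Citect.OPCUA.Client.Driver"
$sanOid      = '2.5.29.17'   # OID of the Subject Alternative Name extension

# 1. Find every certificate whose SAN carries the URI the driver expects.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $san = $_.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    # Format($false) renders the SAN as a single line, e.g. "URL=urn:HOST:Citect.OPCUA.Client.Driver"
    $san -and ($san.Format($false) -match [regex]::Escape($expectedUri))
}

if (-not $candidates) {
    Write-Warning "No certificate with SAN '$expectedUri' found in Cert:\LocalMachine\My."
} else {
    foreach ($cert in $candidates) {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey          # must be $true for the driver to use it
            Expired       = ($cert.NotAfter -lt (Get-Date))
            NotAfter      = $cert.NotAfter
        }
    }
}

# 2. Confirm the I/O Server account can read the stored credentials from ADS:
#    it has to be a member of the Citect.Driver.Users local group.
$group   = 'Citect.Driver.Users'
$members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
if ($null -eq $members) {
    Write-Warning "Local group '$group' does not exist yet; run the Configurator USER page first."
} elseif ($members.Name -notcontains $IoServerAccount) {
    Write-Warning "'$IoServerAccount' is not a member of '$group'; the driver will not be able to read the user name and password from ADS."
} else {
    "OK: '$IoServerAccount' is a member of '$group'."
}
```

Run it in an elevated PowerShell session on the computer hosting the driver; a warning from either check points at the page in the Configurator where the missing piece is set up.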