dl-breadcrumbs__homedl-breadcrumb-item__separatorConfiguration and programmingdl-breadcrumb-item__separatorProgramming with CODESYSdl-breadcrumb-item__separatorAutomation Builderdl-breadcrumb-item__separator...dl-breadcrumb-item__separatorProgramming of Applications dl-breadcrumb-item__separatorRuntime systems, OPC UA serverdl-breadcrumb-item__separatorReference dl-breadcrumb-item__separatorDialogs dl-breadcrumb-item__separatorDialog: Device Security Settings (OPC UA Server)
dl-pagination__prev-inactivedl-pagination__prev-activedl-pagination__next-inactivedl-pagination__next-active
Dialog: Device Security Settings (OPC UA Server) dl-permalink__symbolPermalink

Function: The dialog shows all device security settings which are provided by the connected controller.

Call: “Communication Settings” tab, “Device”“Security Settings” menu command

Requirements: You have installed CODESYS Security Agent and the active path to the controller is configured.

The following table shows the settings which affect the OPC UA Server.

Setting

Description

‎CommunicationPolicy‎

Applied OPC UA security policy. The selected policy and all more secure options are used.

  • ‎POLICY_AES256SHA256RSAPSS‎: Start from Aes256Sha256RsaPSS

  • ‎POLICY_BASIC256SHA256‎: Start from Basic256Sha256

  • ‎POLICY_AES128SHA256RSAOAEP‎: Start from Aes128Sha256RSAOAEP (default setting)

‎CommunicationMode‎

Mode for communication

  • ‎SIGNED_AND_ENCRYPTED‎: Allows only signed and encrypted communication

  • ‎MIN_SIGNED‎: Allows signed or signed and encrypted communication

  • ‎SECURE_IF_POSSIBLE‎: Allows communication in plain text if an X.509 certificate is not available for the OPC UA Server. Disables unsecure mode as soon as a certificate has been generated. (default setting)

  • ‎ALL‎: Allows secure and unsecure communication

  • ‎ONLY_PLAINTEXT‎: Allows only unsecure communication

‎Activation‎

Activation/Deactivation OPC UA Server

  • ‎DEACTIVATED‎: OPC UA Server deactivated

  • ‎ACTIVATED‎: OPC UA Server activated (default setting)

‎UserAuthentication‎

UserToken of the OPC UA Server

  • ‎ENABLED‎: The UserTokens are generated to match the configuration of the device user management. (default setting)

  • ‎ENFORCED‎: The anonymous UserToken is disabled. Regardless of whether anonymous access is allowed in the device user management.

‎AllowUserPasswordOnPlaintext‎

Transfer passwords in plain text if a OPC UA Server certificate is not available

  • ‎YES‎: Transmission of passwords in plain text is allowed. This setting is not recommended.

  • ‎NO‎: Transmission of passwords in clear text is not allowed. (default setting)

‎EnableCRLChecks‎

Enable/Disable check of certificate revocation lists (CRLs). CRLs are used for CA-signed certificates.

  • ‎YES‎: Check of CRL enabled (default setting)

  • ‎NO‎: Check of CRLs disabled

For more information, see:

‎EnableSelfSignedCertBackwardInteroperability‎

The OPC UA specification requires that for self-signed certificates the ‎cA‎ bit is set in the extensions. This allows even signed ‎ApplicationInstanceCertificates‎ (server or client certificate) to be misused as CA.

  • ‎YES‎: Allows these certificates. This setting is less secure, but increases compatibility. (default setting)

  • ‎NO‎: Forbids ApplicationInstance certificates from having the ‎cA‎ bit set in the extension. This setting is more secure, but decreases compatibility.

‎DeactivateApplicationAuthentication‎

The OPC UA protocol requires mutual authentication of the applications when establishing a connection. This is achieved with safeguarded connections (signing or signing+encryption) by means of the mutual validation of the application certificates (‎ApplicationInstanceCertificate‎).

You can use the ‎DeactivateApplicationAuthentication‎ setting to disable the check of the client certificate in the OPC UA Server. According to the UA standard, authentication must be performed at the user level in this case (use of device user management).

‎NO‎: Validation of the client certificate disabled

‎YES‎: Validation of the client certificate enabled

‎DeactivateSecurityPolicy‎

Disabling of security policies

Entry as a policy URL (for example ‎http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256‎) in a comma-separated list

‎ApplicationName‎

Defines the ‎Common Name‎ (CN) of the OPC UA Server certificate. If this setting is not set, then OPCUAServer@<HOSTNAME> is used.

‎CompanyOrOrganizationName‎

Defines the ‎OrganizationalUnit‎ (OU) of the OPC UA Server certificate

‎City‎

Defines the ‎locality‎ (L) of the OPC UA Server certificate

‎State‎

Defines the ‎StateOrProvinceName‎ (S) of the OPC UA server certificate

‎Country‎

Defines the ‎CountryName‎ (C) of the OPC UA server certificate