OPC UA security policy

Manage connections between OPC UA servers, OPC UA clients, and other components of your system policy model.
For more information about OPC UA, refer to 1756-UM023 and Unified Architecture - OPC Foundation.
TIP: You must manually copy certificates to OPC UA client certificates if you:
  • Generate and deploy an OPC UA server certificate in FactoryTalk Policy Manager and connect to the OPC UA server through a third-party OPC UA client application.
  • Use a third-party OPC UA server that does not support OPC UA Part 12, Discovery and Global Services.

OPC UA servers

In FactoryTalk Policy Manager, OPC UA servers are device types that you can add to the policy model and use as conduit endpoints. You can also import certificates of OPC UA servers.
The certificates are exported to C:\ProgramData\Rockwell Automation\FactoryTalk System Services\OPC UA Deployments
OPC UA servers support these authentication methods:
Certificate
Authenticate with an X.509 certificate granted by a trusted certificate authority.
Username and password
Authenticate with a username and password or as an anonymous user.
OPC UA Security levels

  Message security mode   Security policy        Security level
  None                    None                   Low security
  Sign                    Basic128Rsa15          Low security
  Sign & Encrypt          Basic128Rsa15          Low security
  Sign                    Basic256               Low security
  Sign & Encrypt          Basic256               Low security
  Sign                    Aes128Sha256RsaOaep    Medium security
  Sign & Encrypt          Aes128Sha256RsaOaep    Medium security
  Sign                    Basic256Sha256         High security
  Sign & Encrypt          Basic256Sha256         High security
  Sign                    Aes256Sha256RsaPss     High security
  Sign & Encrypt          Aes256Sha256RsaPss     High security
TIP: Rockwell Automation recommends setting message security mode to Sign & Encrypt.
Each OPC UA server has its own trust list and admin list. If you add an OPC UA server to a zone for the first time and deploy the policy model configuration, the zone trust list and admin list overwrite the server trust list and admin list. Consecutive deployments merge the server and zone trust lists and admin lists.
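As an added example (not FactoryTalk Policy Manager or Rockwell code), the following Python classifies the endpoints an OPC UA server advertises in a GetEndpoints response against the security level table above and picks the strongest one that uses the recommended Sign & Encrypt mode. It assumes the standard OPC UA SecurityPolicyUri strings and MessageSecurityMode enum values; the endpoint list and hostname are constructed.

```python
from dataclasses import dataclass
# SecurityPolicyUri prefix defined by the OPC UA specification (Part 7 profiles)
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
# Security policy (as named in the table above) -> security level
POLICY_LEVEL = {
    "None": "Low", "Basic128Rsa15": "Low", "Basic256": "Low",
    "Aes128Sha256RsaOaep": "Medium",
    "Basic256Sha256": "High", "Aes256Sha256RsaPss": "High",
}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}
# MessageSecurityMode enum values carried in a GetEndpoints response
MODE_NAMES = {1: "None", 2: "Sign", 3: "Sign & Encrypt"}
@dataclass(frozen=True)
class Endpoint:
    url: str
    security_policy_uri: str
    security_mode: int  # 1 = None, 2 = Sign, 3 = SignAndEncrypt

def policy_name(uri):
    """Map a SecurityPolicyUri to the table's policy name (URI fragments carry underscores)."""
    if not uri.startswith(POLICY_PREFIX):
        raise ValueError(f"not an OPC UA security policy URI: {uri}")
    return uri[len(POLICY_PREFIX):].replace("_", "")

def classify(ep):
    """Return (mode, policy, level) for an endpoint, or None if unrecognised."""
    policy = policy_name(ep.security_policy_uri)
    level, mode = POLICY_LEVEL.get(policy), MODE_NAMES.get(ep.security_mode)
    return None if level is None or mode is None else (mode, policy, level)

def choose_endpoint(endpoints, min_level="High"):
    """Highest-level Sign & Encrypt endpoint reaching min_level, else None."""
    best, best_rank = None, -1
    for ep in endpoints:
        info = classify(ep)
        if info is None or info[0] != "Sign & Encrypt":
            continue
        rank = LEVEL_RANK[info[2]]
        if rank >= LEVEL_RANK[min_level] and rank > best_rank:
            best, best_rank = ep, rank
    return best

# Constructed sample of what a server might advertise (hostname is made up)
URL = "opc.tcp://plc.example:4840"
SAMPLE_ENDPOINTS = [
    Endpoint(URL, POLICY_PREFIX + "None", 1),
    Endpoint(URL, POLICY_PREFIX + "Basic128Rsa15", 3),
    Endpoint(URL, POLICY_PREFIX + "Aes128_Sha256_RsaOaep", 2),
    Endpoint(URL, POLICY_PREFIX + "Basic256Sha256", 3),
]
```

With the sample list, only the Basic256Sha256 / Sign & Encrypt endpoint qualifies at the default "High" requirement; the Aes128 endpoint is rejected because it only offers Sign.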
For more information about server properties, see Device properties.

OPC UA clients

In FactoryTalk Policy Manager, you can add OPC UA clients to the policy model and use them as conduit endpoints. You can also import and export certificates of OPC UA clients.
The certificates are exported to C:\ProgramData\Rockwell Automation\FactoryTalk System Services\OPC UA Deployments
IMPORTANT: If you export certificates or CSRs from an OPC UA device and the security policy model contains both a certificate and a CSR, only the certificate is exported.
OPC UA clients may support these authentication methods:
Certificate
Authenticate with an X.509 certificate granted by a trusted certificate authority.
Username and password
Authenticate with a username and password or as an anonymous user.

OPC UA in zones and conduits

Zones and conduits follow these non-editable settings:
  • OPC UA clients trust OPC UA servers based on certificates
  • OPC UA servers do not trust OPC UA servers
  • OPC UA clients do not trust OPC UA clients

Conduits with OPC UA endpoints

With OPC UA endpoints, you can create these conduits:

OPC UA conduits

  Endpoint 1       Endpoint 2
  Zone             Zone
  Zone             OPC UA server
  Zone             OPC UA client
  Zone             Range
  OPC UA client    OPC UA server

Conduits must follow these rules:
  • Conduits cannot be duplicated; each combination of endpoints must be unique.
  • One of the endpoints must be CIP Security or OPC UA capable.
  • If one endpoint is a zone, the other endpoint cannot be a device within that zone.
  • Devices not assigned to any zone and onboarding devices cannot be used as endpoints.

Compatibility

OPC UA features work with these Rockwell Automation product families:
  • ControlLogix® 5580 controllers firmware revision 36.00 or later
    TIP: 1756-L81E and 1756-L81EK controllers are not supported.
  • ControlLogix® 5580 redundant controllers firmware revision 34.00 or later
  • GuardLogix® 5580 controllers firmware revision 36.00 or later
    TIP: 1756-L81ES and 1756-L81ESK controllers are not supported.
  • CompactLogix 5380 controllers firmware revision 36.00 or later
  • Compact GuardLogix® 5380 controllers firmware revision 36.00 or later
  • ControlLogix® Process controllers firmware revision 36.00 or later
    TIP: 1756-L81E and 1756-L81EK controllers are not supported.
  • CompactLogix Process controllers firmware revision 36.00 or later
  • FactoryTalk® Logix Echo version 36.00 or later
  • 1834-AENTR POINT I/O Dual Port Network Adaptor