OPC UA security policy

Manage connections between OPC UA servers, OPC UA clients, and other components of your system policy model.
For more information about OPC UA, refer to 1756-UM023 and Unified Architecture - OPC Foundation.
TIP:
You must manually copy certificates into the OPC UA client's certificate store if you:
  • Generate and deploy an OPC UA server certificate in FactoryTalk Policy Manager and connect to that OPC UA server through a third-party OPC UA client application.
  • Use a third-party OPC UA server that does not support UA Part 12 Discovery and Global Services.

OPC UA servers

In FactoryTalk Policy Manager, OPC UA servers are device types, which you can add to the policy model and use as conduit endpoints. You can also import certificates of OPC UA servers.
The certificates are exported to C:\ProgramData\Rockwell Automation\FactoryTalk System Services\OPC UA Deployments
OPC UA servers support these authentication methods:
  • Certificate: Authenticate with an X.509 certificate issued by a trusted certificate authority.
  • Username and password: Authenticate with a username and password or as an anonymous user.
OPC UA security levels

Message security mode   Security policy        Security level
None                    None                   None
Sign                    Basic128Rsa15          Low security
Sign & Encrypt          Basic128Rsa15          Low security
Sign                    Basic256               Low security
Sign & Encrypt          Basic256               Low security
Sign                    Aes128Sha256RsaOaep    Low security
Sign & Encrypt          Aes128Sha256RsaOaep    Medium security
Sign                    Basic256Sha256         Medium security
Sign & Encrypt          Basic256Sha256         High security
Sign                    Aes256Sha256RsaPss     High security
Sign & Encrypt          Aes256Sha256RsaPss     High security
TIP:
Rockwell Automation recommends setting message security mode to Sign & Encrypt. Note that Basic128Rsa15 and Basic256 are deprecated in the OPC UA specification because they depend on SHA-1; prefer Basic256Sha256 or Aes256Sha256RsaPss when the client supports them.
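The table above is what an OPC UA client has to apply when it picks an endpoint from a server's GetEndpoints response. The following is an added example, not FactoryTalk Policy Manager or OPC Foundation code: it ranks endpoints by the security level shown in this page's table, enforces the Sign & Encrypt recommendation, refuses the deprecated SHA-1 policies and the None mode, and fails closed when nothing acceptable is offered. The policy URIs and MessageSecurityMode values are those defined by the OPC UA specification; the endpoint list is constructed sample data.

```python
"""Select the strongest acceptable OPC UA endpoint from a GetEndpoints result.

Added example; not Rockwell Automation or OPC Foundation code. Security levels
follow the table on this page. The sample endpoints below are constructed.
"""
from dataclasses import dataclass

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"

# MessageSecurityMode enumeration values from OPC UA Part 4.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3

# Security level per (mode, policy), as rated in this page's table.
LEVEL_RANK = {"None": 0, "Low security": 1, "Medium security": 2, "High security": 3}
SECURITY_LEVELS = {
    (MODE_NONE, "None"): "None",
    (MODE_SIGN, "Basic128Rsa15"): "Low security",
    (MODE_SIGN_AND_ENCRYPT, "Basic128Rsa15"): "Low security",
    (MODE_SIGN, "Basic256"): "Low security",
    (MODE_SIGN_AND_ENCRYPT, "Basic256"): "Low security",
    (MODE_SIGN, "Aes128Sha256RsaOaep"): "Low security",
    (MODE_SIGN_AND_ENCRYPT, "Aes128Sha256RsaOaep"): "Medium security",
    (MODE_SIGN, "Basic256Sha256"): "Medium security",
    (MODE_SIGN_AND_ENCRYPT, "Basic256Sha256"): "High security",
    (MODE_SIGN, "Aes256Sha256RsaPss"): "High security",
    (MODE_SIGN_AND_ENCRYPT, "Aes256Sha256RsaPss"): "High security",
}

# Deprecated by the OPC UA specification because they rely on SHA-1.
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}


@dataclass(frozen=True)
class Endpoint:
    url: str
    security_mode: int          # MessageSecurityMode value
    security_policy_uri: str    # full SecurityPolicy URI as returned by the server


def policy_name(uri: str) -> str:
    """Map a SecurityPolicy URI to the short name used in the page's table.

    The specification spells the AES policies with underscores
    (Aes256_Sha256_RsaPss); the table does not, so strip them.
    """
    if not uri.startswith(POLICY_BASE):
        raise ValueError(f"not an OPC UA security policy URI: {uri}")
    return uri[len(POLICY_BASE):].replace("_", "")


def security_level(ep: Endpoint) -> str:
    """Return the page's security level for an endpoint, or 'Unknown'."""
    return SECURITY_LEVELS.get((ep.security_mode, policy_name(ep.security_policy_uri)), "Unknown")


def select_endpoint(endpoints, minimum_level="Medium security", require_encryption=True):
    """Choose the strongest endpoint that satisfies policy; raise if none does.

    Mode None and deprecated policies are refused unconditionally.
    require_encryption enforces the Sign & Encrypt recommendation; minimum_level
    drops anything rated below it in the table.
    """
    acceptable = []
    for ep in endpoints:
        level = security_level(ep)
        if level in ("Unknown", "None") or ep.security_mode == MODE_NONE:
            continue
        if policy_name(ep.security_policy_uri) in DEPRECATED_POLICIES:
            continue
        if require_encryption and ep.security_mode != MODE_SIGN_AND_ENCRYPT:
            continue
        if LEVEL_RANK[level] < LEVEL_RANK[minimum_level]:
            continue
        acceptable.append((LEVEL_RANK[level], ep.security_mode, ep))
    if not acceptable:
        raise RuntimeError("no endpoint satisfies the security policy; refusing to connect")
    # Highest level wins; within a level, Sign & Encrypt outranks Sign.
    acceptable.sort(key=lambda t: (t[0], t[1]), reverse=True)
    return acceptable[0][2]


# Constructed GetEndpoints result for a server that advertises several modes.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc.example:4840", MODE_NONE, POLICY_BASE + "None"),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN_AND_ENCRYPT, POLICY_BASE + "Basic256"),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN, POLICY_BASE + "Basic256Sha256"),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN_AND_ENCRYPT, POLICY_BASE + "Aes128_Sha256_RsaOaep"),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN_AND_ENCRYPT, POLICY_BASE + "Basic256Sha256"),
]

if __name__ == "__main__":
    chosen = select_endpoint(SAMPLE_ENDPOINTS)
    print(f"{chosen.security_policy_uri} mode={chosen.security_mode} -> {security_level(chosen)}")
```

Servers also return a SecurityLevel byte per endpoint, but that value is assigned by the server; ranking against your own table, as above, keeps the decision under the client's control. A server offering only None or the deprecated Basic policies makes select_endpoint raise rather than silently downgrade.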
Each OPC UA server has its own trust list and admin list. If you add an OPC UA server to a zone for the first time and deploy the policy model configuration, the zone trust list and admin list overwrite the OPC UA server trust list and admin list. Subsequent deployments merge the OPC UA server and zone trust lists and admin lists.
For more information about OPC UA server properties, see Device properties.

OPC UA clients

In FactoryTalk Policy Manager, you can add OPC UA clients to the policy model and use them as conduit endpoints. You can also import and export certificates of OPC UA clients.
The certificates are exported to C:\ProgramData\Rockwell Automation\FactoryTalk System Services\OPC UA Deployments
IMPORTANT: If you export OPC UA certificates or CSRs from an OPC UA device and the security policy model contains both a certificate and a CSR, only the certificate is exported.
OPC UA clients may support these authentication methods:
  • Certificate: Authenticate with an X.509 certificate issued by a trusted certificate authority.
  • Username and password: Authenticate with a username and password or as an anonymous user.

OPC UA security policy in zones and conduits

Zones and conduits follow these non-editable OPC UA security policy settings:
  • OPC UA clients trust OPC UA servers based on certificates
  • OPC UA servers do not trust OPC UA servers
  • OPC UA clients do not trust OPC UA clients

Conduits with OPC UA endpoints

With OPC UA endpoints, you can create these conduits:

OPC UA conduits
Endpoint 1       Endpoint 2
Zone             Zone
Zone             OPC UA server
Zone             OPC UA client
Zone             Range
OPC UA client    OPC UA server

Conduits must follow these rules:
  • Conduits cannot be duplicated; each combination of endpoints must be unique.
  • One of the endpoints must be CIP Security or OPC UA security policy capable.
  • If one endpoint is a zone, the other endpoint cannot be a device within that zone.
  • Devices not assigned to any zone, and onboarding devices, cannot be used as endpoints.

Compatibility

OPC UA security policy features work with these Rockwell Automation product families:
  • ControlLogix® 5580 controllers firmware revision 36.00 or later
    TIP: 1756-L81E and 1756-L81EK controllers are not supported.
  • ControlLogix® 5580 redundant controllers firmware revision 34.00 or later
  • GuardLogix® 5580 controllers firmware revision 36.00 or later
    TIP: 1756-L81ES and 1756-L81ESK controllers are not supported.
  • CompactLogix® 5380 controllers firmware revision 36.00 or later
  • Compact GuardLogix® 5380 controllers firmware revision 36.00 or later
  • ControlLogix® Process controllers firmware revision 36.00 or later
    TIP: 1756-L81E and 1756-L81EK controllers are not supported.
  • CompactLogix® Process controllers firmware revision 36.00 or later
  • FactoryTalk® Logix Echo version 36.00 or later
  • 1834-AENTR POINT I/O Dual Port Network Adaptor