OPC UA security policy

In

FactoryTalk Policy Manager

,

OPC UA

servers are device types, which you can add to the policy model and use as conduit endpoints. You can also import certificates of

OPC UA

servers.

The certificates are exported to

C:\ProgramData\Rockwell Automation\FactoryTalk System Services\OPC UA Deployments

OPC UA

servers support these authentication methods:

Certificate

Authenticate with an X.509 certificate granted by a trusted certificate authority.

Username and password

Authenticate with a username and password or as an anonymous user.

OPC UA Security levels

Message security mode	Security policy	Security level
None	None- None	Low security
Sign	Basic128Rsa15
Sign & Encrypt	Basic128Rsa15
Sign	Basic256
Sign & Encrypt	Basic256
Sign	Aes128Sha256RsaOaep	Medium security
Sign & Encrypt	Aes128Sha256RsaOaep
Sign	Basic256Sha256	Hight security
Sign & Encrypt	Basic256Sha256
Sign	Aes256Sha256RsaPss
Sign & Encrypt	Aes256Sha256RsaPss

Each

OPC UA

server has its own trust list and admin list. If you add an

OPC UA

server to a zone for the first time and deploy the policy model configuration, the zone trust list and admin list overwrites the

OPC UA

server trust list and admin list. Consecutive deployments merge the

OPC UA

server and zone trust lists and admin lists.

For more information about

OPC UA

server properties, see Device properties.

In

FactoryTalk Policy Manager

, you can add

OPC UA

clients to the policy model and use as them conduit endpoints. You can also import and export certificates of

OPC UA

clients.

The certificates are exported to

C:\ProgramData\Rockwell Automation\FactoryTalk System Services\OPC UA Deployments

OPC UA

clients may support these authentication methods:

Certificate

Authenticate with an X.509 certificate granted by a trusted certificate authority.

Username and password

Authenticate with a username and password or as an anonymous user.

Zones and conduits follow these non-editable

OPC UA security policy

settings:

OPC UA
clients trust
OPC UA
servers
OPC UA
servers do not trust
OPC UA
servers
OPC UA
clients do not trust
OPC UA
clients

With

OPC UA

endpoints, you can create these conduits:

OPC UA

conduits

Endpoint 1	Endpoint 2
Zone	Zone
Zone	OPC UA server
Zone	OPC UA client
Zone	Range
OPC UA client	OPC UA server

Conduits must follow these rules:

Conduits cannot be duplicated, each combination of endpoints must be unique.
One of the endpoints must be
CIP Security
or
OPC UA security policy
capable.
If one endpoint is a zone, the other endpoint cannot be a device within that zone.
Devices not assigned to any zone or onboarding devices cannot be used as endpoints.

OPC UA security policy

features work with these

Rockwell Automation

product families:

ControlLogix®
5580 controllers firmware revision 36.00 or later
TIP: 1756-L81E and 1756-L81EK controllers are not supported.
GuardLogix®
5580 controllers firmware revision 36.00 or later
TIP: 1756-L81ES and 1756-L81ESK controllers are not supported.
CompactLogix™
5380 controllers firmware revision 36.00 or later
Compact GuardLogix®
5380 controllers firmware revision 36.00 or later
ControlLogix®
Process controllers firmware revision 36.00 or later
TIP: 1756-L81E and 1756-L81EK controllers are not supported.
CompactLogix™
Process controllers firmware revision 36.00 or later
FactoryTalk® Logix Echo
version 36.00 or later