Version 3.0 · Last edited 2025-10-31

OPC UA communication with BIS U-6127

1. OPC UA basics

What is OPC UA?

  • Manufacturer-independent communication between devices
  • Transmission protocol and data semantics are standardized
  • Server describes its own data structure (data type vs. data value). Client can have a very generic structure!
  • Companion Specification makes it easier for users to work with devices from different manufacturers (e.g. Balluff UHF Reader and Siemens UHF Reader)
  • On-demand, subscriptions, events, methods

1.1. OPC UA communication with the BIS U-6127

  • The physical basis is the Ethernet interface
  • OPC UA methods enable the reading and writing of transponder data and the setting of various UHF parameters
  • The advantage of every OPC UA-capable machine (OPC UA client) is that communication takes place according to a known data model (machine-to-machine communication)
  • The OPC UA protocol used here is based on the Companion Specification for AutoID, published by AIM Germany and the OPC Foundation

1.2. System diagram

  • The specification describes a client-server principle.
  • An OPC UA server is a device that offers and publishes data and information.
  • A client accesses this data and information with the help of so-called methods.
  • Up to 50 clients can log on to the BIS U-6127 evaluation unit and access data.

1.3. Security mechanisms

When the OPC UA standard was created, the issue of security was always of central importance. Older industrial plants generally operate autonomously and without a connection to the Internet; they are also referred to as island plants. The natural isolation from the outside world (the Internet) meant that IT security played a subordinate role. Network attacks from outside were practically impossible. Due to the ever-increasing networking of systems and the connection to the Internet, it is imperative that systems are protected against network attacks.

OPC UA has provided several security mechanisms to protect the data to be transmitted and allow processes to run undisturbed:

Confidentiality:

Data is encrypted at the transport level to protect it from eavesdroppers.

Integrity:

This mechanism ensures that the data is not altered on its way to the recipient.

Authentication of the application:

Here, the communicating applications must first get to know each other. This is done by exchanging certificates. Only when the certificates have been exchanged and accepted can the data be transmitted via the communication link.

User authorization:

To gain full access to the BIS U-6127, you must log in with a user and password. This additional security mechanism ensures that only authorized users can access the device.

Attention!

To avoid invalid certificates, set the date, time and time zone correctly when creating a certificate.

Certificates have a limited validity (the validity can be displayed on a Windows PC, for example) and must be replaced when they expire.

2. OPC UA security mechanisms for BIS U-6127

The BIS U-6127 device was designed for operation in distributed installations and larger networks. With the increasing spread of networked devices, the risk of changes to stored or transmitted data increases:

  • This applies both to the data on the data carriers used and their transmission from and to the BIS unit
  • as well as the data in the BIS unit itself and its transmission to the higher-level processing system
  • → To minimize risks, the device offers several security functions!

BIS U-6127 contains a variety of functions to protect against unauthorized access:

  • User management with personalized user accounts
  • Device-specific default password
  • OPC UA → Message security, security at message level, for the binary and web service protocol (two-sided endpoint authentication, X.509 certificates)
  • Insecure 007 protocol connections can be disabled
  • Update-capable Linux operating system
  • Signed update files
  • Secure element (special hardware) for storing secret keys

2.1. Web server security settings

With the BIS U-6127, the basic OPC UA security settings are selected in the web server. The logged-in user can change the security settings under Security settings.

2.1.1. Security settings

The following security settings are available on the OPC UA web server tab:

Reject insecure client connections:

If the field is activated, insecure OPC UA connections are rejected. This activates the secure state.

Only accept trusted client certificates:

This field cannot be operated separately by the user. It is always activated synchronously with the Reject insecure client connections field.

Use secure element (uses the integrated security module):

A separate security module is used in the BIS U-6127 device. The public and private security keys for generating and authenticating certificates are stored on this module.

Caution!

If one of the three security settings is changed, the device must be restarted for the changes to take effect.

Information:

The fields "Reject unsecure client connections" and "Accept only trusted client certificates" are linked and allow two basic states for OPC UA:

  1. Unsecure (default): All OPC UA connections are allowed.
  2. Secured: Only the following security settings are allowed in the OPC UA client:
     - Security policy: Basic256Sha256
     - Message security mode: Sign & Encrypt

3. OPC UA - connection with the UaExpert software

To simulate an OPC UA connection, the UaExpert software (freeware) is used in the following examples.

OPC UA clients:

The basic system of UaExpert includes core functionality such as certificate mechanisms, the discovery service to find OPC UA servers, establishing connections, browsing the information model, and reading attributes and references of OPC UA nodes.

3.1. Insecure connection between PC and BIS U-6127

1. Start the UaExpert program.

2. Add a new server.

3. Switch to extended.

4. Specify a configuration name (e.g. Balluff BIS U-6127 RFID Provider).

5. Enter the following endpoint URL: opc.tcp://192.168.10.2:4848 (default)

6. Set the security policy and the message security mode in the web server to "none".

7. Right-click on the server and select Connect to start the connection.

8. The connection to the BIS U-6127 is established.

3.2. Secure connection between PC and BIS U-6127

1. Start the UaExpert program.

2. Add a new server.

3. Switch to extended.

4. Specify a configuration name (e.g. Balluff BIS U-6127 RFID Provider).

5. Enter the following endpoint URL: opc.tcp://192.168.10.2:4848 (default)

6. Use the following security settings:

Security Policy: Basic256Sha256

Message Security Mode: Sign & Encrypt

7. Set rejection of insecure client connections in the web server.

8. Right-click on the server and select Connect to start the connection.

A trust request for the server's certificate appears:

9. Trust the server certificate.

The certificate is still not accepted in the BIS U-6127:

10. Confirm the certificate in the web server.

11. Right-click on the server and select Connect to start the connection.

12. Ignore the following message.

13. The connection to the BIS U-6127 is established.
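
The secured state from section 2.1.1, which step 6 above selects in the client, written as an added Python check (not Balluff's or UaExpert's code): it audits a list of endpoint descriptions, such as a client receives from the OPC UA GetEndpoints service, and reports every endpoint outside Basic256Sha256 with Sign & Encrypt. The endpoint lists are constructed samples and the `Endpoint` class and function names are assumptions; the page does not state which endpoints the device advertises in each state.

```python
from dataclasses import dataclass

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
REQUIRED_POLICY = POLICY_PREFIX + "Basic256Sha256"
# MessageSecurityMode values from the OPC UA specification.
MODE_NAMES = {0: "Invalid", 1: "None", 2: "Sign", 3: "SignAndEncrypt"}
REQUIRED_MODE = 3  # Sign & Encrypt

@dataclass(frozen=True)
class Endpoint:  # hypothetical container for one endpoint description
    url: str
    policy_uri: str
    mode: int

def is_secured(ep):
    """True only for the one combination the secured state allows."""
    return ep.policy_uri == REQUIRED_POLICY and ep.mode == REQUIRED_MODE

def audit(endpoints):
    """Return one finding per endpoint that falls outside the secured state."""
    findings = []
    for ep in endpoints:
        if not is_secured(ep):
            policy = ep.policy_uri.rsplit("#", 1)[-1]
            mode = MODE_NAMES.get(ep.mode, f"unknown({ep.mode})")
            findings.append(f"{ep.url}: {policy}/{mode} is outside the secured state")
    return findings

def device_state(endpoints):
    """Classify an endpoint list as 'secured' or 'unsecure'."""
    if not endpoints:
        raise ValueError("no endpoints to audit")
    return "unsecure" if audit(endpoints) else "secured"

def pick_endpoint(endpoints):
    """Choose the endpoint a client should use; never fall back to a weaker one."""
    for ep in endpoints:
        if is_secured(ep):
            return ep
    raise LookupError("no Basic256Sha256 / SignAndEncrypt endpoint offered")

URL = "opc.tcp://192.168.10.2:4848"  # default endpoint URL from the page
# Constructed samples, not captured from a device.
DEFAULT_STATE = [Endpoint(URL, POLICY_PREFIX + "None", 1),
                 Endpoint(URL, REQUIRED_POLICY, 2),
                 Endpoint(URL, REQUIRED_POLICY, 3)]
AFTER_HARDENING = [Endpoint(URL, REQUIRED_POLICY, 3)]

if __name__ == "__main__":
    for name, eps in (("default", DEFAULT_STATE), ("hardened", AFTER_HARDENING)):
        print(name, device_state(eps), audit(eps))
```

Because the security settings only take effect after a device restart, run such a check against the endpoint list obtained after the restart.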

 
