Gds Commissioning - Siemens SIMATIC ET 200AL System Manual

Distributed I/O system
OPC UA communication
9.2 Security at OPC UA
Download to CPU
When downloading the configuration to the CPU, you can delete the certificates that are
managed via GDS before the download. When you confirm the deletion, the download is
followed by a provisioning phase (see the section on GDS commissioning).
When you download to the memory card outside the CPU (using a card reader), this certificate
store is always deleted.
When Global Discovery Services (Push) is activated and no pushed certificates are available,
no separate certificate, trust list or CRL is available for the OPC UA server.
See also
GDS commissioning (Page 190)
9.2.7.4 GDS commissioning
Part 12 of the OPC UA specification distinguishes between a provisioning phase and a runtime
phase during certificate management.
In the provisioning phase, a GDS or OPC UA client provides the initial trust lists and CRLs for
clients of the OPC UA server. In this phase, the OPC UA server of the CPU accepts all client
certificates and lists it is offered, similar to the "Trusted clients" setting of the OPC UA server,
with which all client certificates are accepted during runtime. This is the only way a
connection to clients not yet known to the server is possible, for example clients that the
server cannot authenticate using the existing certificates or trust lists until it has received the
corresponding client certificate or the corresponding trust list.
The provisioning phase is characterized by lower security; therefore, it is indicated by a lit
Maintenance LED and a corresponding diagnostics buffer entry (Maintenance demanded).
During the runtime phase, for example, the existing CRLs are updated and the certificates
and trust lists are renewed. Communication is secure in this phase.
Requirement
Only authorized users with sufficient function rights can set up a connection in the
provisioning phase. The users must have a role with the function right "Manage certificates".
See also Setting and loading GDS parameters (Page 189).
Rules for the provisioning phase
In the provisioning phase, the OPC UA server of the CPU cannot authenticate the OPC UA
clients that initiate connection establishment. Therefore, the following rules must be
observed:
• Provide a secure environment, for example, access to the CPU is limited to commissioning
personnel. Check that the right devices are communicating with one another.
• Limit the time for this phase.
The CPU signals that it is in the provisioning phase by the lit Maintenance LED as well as a
corresponding diagnostics buffer entry (Maintenance demanded).
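The two phases, the "Manage certificates" requirement and the Maintenance signal described above, as an added illustrative model (constructed for this page, not Siemens firmware or STEP 7 code; class names, field names and the sample thumbprints and serials are assumptions):

```python
# Constructed model of the GDS provisioning/runtime trust logic described on
# this page. Not Siemens firmware code; class and field names are assumptions.
from dataclasses import dataclass, field
from enum import Enum

class Phase(Enum):
    PROVISIONING = "provisioning"  # server accepts any client certificate
    RUNTIME = "runtime"            # server enforces trust list and CRL

@dataclass
class ServerTrust:
    trusted: set = field(default_factory=set)  # client cert thumbprints (trust list)
    revoked: set = field(default_factory=set)  # certificate serials from the CRL
    phase: Phase = Phase.PROVISIONING
    maintenance_demanded: bool = False  # models the lit Maintenance LED

    def __post_init__(self):
        # Provisioning means lower security, so the server signals it.
        self.maintenance_demanded = self.phase is Phase.PROVISIONING

    def push_trust_list(self, thumbprints, crl_serials, can_manage_certificates):
        """GDS push of trust list and CRL; needs the 'Manage certificates' right."""
        if not can_manage_certificates:
            raise PermissionError("function right 'Manage certificates' missing")
        self.trusted = set(thumbprints)
        self.revoked = set(crl_serials)

    def accept_client(self, thumbprint, serial):
        """Connection decision for a client presenting (thumbprint, serial)."""
        if self.phase is Phase.PROVISIONING:
            return True  # cannot authenticate yet: every client is accepted
        return thumbprint in self.trusted and serial not in self.revoked

    def finish_provisioning(self):
        # Runtime phase: from now on only trust list and CRL decide.
        self.phase = Phase.RUNTIME
        self.maintenance_demanded = False

def demo():
    """Walk through both phases with constructed sample thumbprints and serials."""
    srv = ServerTrust()
    accepted_unknown = srv.accept_client("aa11", "1001")  # True in provisioning
    srv.push_trust_list({"bb22", "cc33"}, {"3003"}, can_manage_certificates=True)
    srv.finish_provisioning()
    return {
        "provisioning_accepted_unknown": accepted_unknown,
        "runtime_accepts_trusted": srv.accept_client("bb22", "2002"),
        "runtime_rejects_unknown": srv.accept_client("aa11", "1001"),
        "runtime_rejects_revoked": srv.accept_client("cc33", "3003"),
        "maintenance_cleared": not srv.maintenance_demanded,
    }
```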
190
Function Manual, 05/2021, A5E03735815-AJ
Communication
