Siemens SIMATIC S7-1500 Function Manual page 103

Open User Communication
6.11 Secure Open User Communication
Example: Setting up a secure TCP connection between two S7-1500 CPUs via CP interfaces
For secure TCP communication between two S7-1500 CPs you need to create a data block
with the TCON_IP_V4_SEC system data type yourself in every CPU, assign parameters and
call it directly at one of the instructions TSEND_C, TRCV_C or TCON.
Requirements:
● Both S7 1500 CPUs have at least firmware version V2.0. If you use the CP 1543SP-1:
Firmware version as of V1.0.
● Both CPs (for example CP 1543-1) must have at least firmware version V2.0
● TLS client and TLS server have all the required certificates.
– A device certificate (end-entity certificate) for the CP must be generated and be
– The root certificate (CA certificate) with which the device certificate of the
● The communication partner must always be addressed via its IPv4 address, not via its
domain name.
The following figure shows the different certificates in the devices for the case that both
communication partners communicate via a CP 1543-1. In addition, the figure shows the
transfer of the device certificates during establishment of the connection ("Hello").
Figure 6-22
102
located in the certificate memory of the CP. If a communication partner is an external
device (for example an MES or ERP system), a device certificate also has to exist for
this device.
communication partner is signed must also be located in the certificate memory of the
CP or in the certificate memory of the external device. If you use intermediate
certificates, you have to ensure that the complete certificate path exists in the
validating device. A device uses these certificates to validate the device certificate of
the communication partner.
Certificate handling in secure OUC between two S7-1500 CPUs via CP interfaces.
Function Manual, 11/2019, A5E03735815-AH
Communication