Siemens SIMATIC S7-1500 Function Manual page 159

OPC UA communication
9.2 Security at OPC UA
Establishing the secure channel
The secure channel is established as follows:
1. The client initiates the secure channel by sending an OpenSecureChannel request to
the server. Depending on the security mode of the selected server endpoint, this request
is sent in plain text ("No security"), signed ("Sign"), or signed and encrypted ("Sign &
Encrypt"). With "Sign" and "Sign & Encrypt", the client includes a "secret" (a random
number, the client nonce) in the request.
2. The server validates the client certificate (contained unencrypted in the request) and
checks the identity of the client. If the server trusts the client certificate,
– it decrypts the message and checks the signature ("Sign & Encrypt"),
– it checks the signature only ("Sign"),
– or it leaves the message unchanged ("No security").
3. The server then sends a response to the client (with the same level of security as the
request). The response contains the server secret (the server nonce). Client and server
each calculate the symmetric keys from the client and server secrets. The secure channel
is now established.
From this point on, the symmetric keys (instead of the private and public keys of client and
server) are used for signing and encrypting messages. With "No security", no signature or
encryption is applied, so messages on such a channel have neither integrity protection nor
confidentiality.
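The following is an added example (not code from the Siemens manual or from a Siemens product) showing what step 3 above means in practice: how the two "secrets" exchanged in OpenSecureChannel are turned into the symmetric keys of the channel, and how those keys then sign messages in "Sign" mode. The derivation uses the P_SHA256 pseudo-random function of the Basic256Sha256 security policy as specified in OPC UA Part 6 (client keys = PRF(serverNonce, clientNonce), server keys = PRF(clientNonce, serverNonce), sliced into signing key, encryption key and IV); the nonce values and the "ReadRequest" message are constructed for the example. The asymmetric RSA operations of the handshake (certificate validation, and the server's signature over the session nonce) need an external library and are not shown.

```python
"""
Added example: OPC UA secure channel key derivation and symmetric signing.
Not part of the Siemens manual; nonce values below are constructed.
"""
import hashlib
import hmac

# Basic256Sha256 key sizes: 32-byte signing key, 32-byte AES-256 key, 16-byte IV
SIGNING_KEY_LEN = 32
ENCRYPTING_KEY_LEN = 32
BLOCK_SIZE = 16


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 PRF (same construction as the TLS 1.2 PRF):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_key_set(secret: bytes, seed: bytes) -> dict:
    """Slice one PRF output into signing key, encrypting key and IV."""
    total = SIGNING_KEY_LEN + ENCRYPTING_KEY_LEN + BLOCK_SIZE
    material = p_sha256(secret, seed, total)
    return {
        "signing_key": material[:SIGNING_KEY_LEN],
        "encrypting_key": material[SIGNING_KEY_LEN:SIGNING_KEY_LEN + ENCRYPTING_KEY_LEN],
        "iv": material[SIGNING_KEY_LEN + ENCRYPTING_KEY_LEN:],
    }


def derive_channel_keys(client_nonce: bytes, server_nonce: bytes) -> dict:
    """Both key sets of the secure channel. Each side computes exactly this
    from the two nonces, so no symmetric key ever travels over the wire."""
    return {
        "client": derive_key_set(server_nonce, client_nonce),  # keys the client sends with
        "server": derive_key_set(client_nonce, server_nonce),  # keys the server sends with
    }


def sign_message(signing_key: bytes, message: bytes) -> bytes:
    """"Sign" mode: append an HMAC-SHA256 over the message body."""
    return message + hmac.new(signing_key, message, hashlib.sha256).digest()


def verify_message(signing_key: bytes, signed: bytes):
    """Return the message body if the trailing HMAC is valid, else None."""
    body, tag = signed[:-32], signed[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def demo() -> bool:
    # Constructed 32-byte nonces (the length Basic256Sha256 requires).
    client_nonce = bytes(range(32))
    server_nonce = bytes(range(100, 132))

    client_side = derive_channel_keys(client_nonce, server_nonce)
    server_side = derive_channel_keys(client_nonce, server_nonce)
    if client_side != server_side:  # same nonces on both ends give the same keys
        return False

    # The client signs a request with its own signing key; the server verifies it
    # with the client key set it derived itself.
    signed = sign_message(client_side["client"]["signing_key"], b"ReadRequest")
    ok = verify_message(server_side["client"]["signing_key"], signed) == b"ReadRequest"

    # A message altered in transit fails verification.
    tampered = bytearray(signed)
    tampered[0] ^= 1
    rejected = verify_message(server_side["client"]["signing_key"], bytes(tampered)) is None
    return ok and rejected


if __name__ == "__main__":
    print("secure channel keys agree and signatures verify:", demo())
```

Note that the client and server key sets differ even though both are derived from the same two nonces: swapping which nonce is the secret and which is the seed gives independent keys for each direction, so a message cannot simply be reflected back to its sender.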
Establishing the session
The session is established as follows:
1. The client starts establishing the session by sending a CreateSessionRequest to the
server. This message contains a nonce, a random number that is only used once. The
server must sign this nonce to prove that it owns the private key belonging to the
certificate it used to establish the secure channel. This message (and all subsequent
messages) is secured in line with the security policy of the selected server endpoint.
2. The server responds with a CreateSessionResponse. This message contains the server
certificate (with the server's public key) and the signed nonce. The client checks the
signature over the nonce against the server certificate.
3. If the server passes this check, the client sends an ActivateSessionRequest to the
server. This message contains the information that is required for user authentication:
– user name and password, or
– X.509 certificate of the user (not supported in STEP 7), or
– no data (if anonymous access is configured).
4. If the user has the necessary rights, the server returns an ActivateSessionResponse to
the client. This activates the session.
The secure connection between the OPC UA client and server has now been established.
Establishing a connection with the PLCopen function blocks
The PLCopen specification defines a range of IEC 61131 function blocks for OPC UA clients.
The UA_Connect instruction establishes both a secure channel and a session following the
pattern described above.
Communication, Function Manual, 11/2019, A5E03735815-AH, page 158
