User Authentication - Siemens SIMATIC S7-1500 Function Manual

● Usage
The default is "OPC UA client & server". Keep this default for the OPC UA server. The
"Create a new certificate" dialog can be called from several points in STEP 7. If, for
example, you call this dialog for the Web server of the CPU, "Web server" is entered
under "Usage". The following entries are available in the Usage drop-down list:
– "OPC UA client"
– "OPC UA client & server"
– "OPC UA server"
– "TLS"
– "Web server"
● Subject Alternative Name (SAN)
The following is entered in the example above: "URI:urn:SIMATIC.S7-1500.OPC-
UAServer:PLC1,IP:192.168.178.151,IP:192.168.1.1". This URI must be correctly entered
because it is checked against the communicated application description.
The following entry would also be valid: "IP: 192.168.178.151, IP: 192.168.1.1". The
important thing here is that the IP addresses via which the OPC UA server of the CPU
can be accessed are entered here.
See "Access to the OPC UA server (Page 177)".
This allows OPC UA clients to verify whether a connection to the OPC UA server of the
S7-1500 is really to be established or whether in fact an attacker is trying to send
manipulated values from another PC to the OPC UA client.
9.3.3.7

User authentication

Types of user authentication
For the OPC UA server of the S7-1500, you can set what authentication is required for a
user of the OPC UA client wishing to access the server.
You have the following options:
● Guest authentication
The user does not have to prove their authorization (anonymous access). The OPC UA
server does not check the authorization of the client user
If you want to use this type of user authentication, select the "Enable guest
authentication" option under "OPC UA > Server > Security > User authentication".
Note
To increase security, you should only allow access to the OPC UA server with user
authentication.
Communication
Function Manual, 11/2019, A5E03735815-AH
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
193