Notes and Restrictions

Following notes and restrictions must be considered when using the server-side authentication for UI managers.:

Notes

-ssa UI Manager Parameter

The new UI manager parameter "-ssa" defines, that if the parameter "-server" is used simultaneously, no download of the project files and the associated creation of a project cache is performed. The parameter should be used if all files that are required to run the UI are already located on the Client which is used to run the UI.

Security Aspect

Please note that the usage of server-side authentication for UI managers will not single-handedly increase your plant security. The requirements described in the Security Guideline must be met to maintain an appropriately secured facility.

User Interface Authentication

The server-side authentication for UI managers only authenticates the UI manager. An authentication of other managers, e.g. dist, redu or ctrl, is not performed. However, the plugin is loaded by all managers and is therefore necessary for all manager communication.

Figure 1. DIST SSA projects and older none SSA projects

If you cannot update an older WinCC OA system - which does not yet support Server-side authentication (<=3.15) - you can drop out the Server-side authentication for this DIST connection with the config entry enforceAccessControl=0 (in the pmon section of the config file). Drop out is only allowed if the risk assessment shows that this is not relevant, e.g. in a trusted zone. We recommend that all WinCC OA systems should run using latest patches. In the figure below you can see a possilbe DIST configuration with different WinCC OA versions.

Restrictions

Following restrictions must be considered:

  • A change of user inside of the ULC UX requires the restart of the browser. Otherwise a change is not possible.
  • The server-side authentication for UI managers is not supported when Single Sign On is used.