Server-side Authentication for Managers, Basics

When server-side authentication for managers is used, the managers that establish a connection to the Data or Event manager must authenticate themselves. This enhances security, especially when projects are connected over the Internet. The managers authenticate themselves by using X.509 certificates.

For this reason, you need certificates. You can create your certificates yourself. To create certificates, use the Panel for SSL Certificates. You can open the panel via the System Management -> Communication tab. How to create certificates with chain files is described in the Security Guideline. With chain files you can create several chains, so that the authentication can be used, for example, in different parts of a plant. For how to use a chain file, see Example configuration. You can also use Windows Certificate Store certificates.

In a redundant system and in a DRS system the Access Control plug-in must be configured for both systems. In other words, the settings on both systems must be the same.

The server-side authentication for managers is used for all managers. For the authentication of UI managers, see chapter Server-side Authentication for UI Managers, Basics.

Session Binding

Session binding reduces the risk of manipulated messages and unauthorized access to a WinCC OA system. Communication security is increased because access by unauthorized managers is prevented. In session binding, the WinCC OA user name is part of the certificate; see chapter Panel for SSL Certificates on how to create a certificate with a user name.

Session Binding is activated via the server-side authentication for UI managers. When an Access Control Plug-in of ETM is loaded, the Session Binding is automatically active and cannot be deactivated. By default (standard project) the session binding is deactivated. You can activate it irrespective of the Access Control Plug-in by using the config entry serverSideAuthentication=1 in the [general] section.
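
The following check is an added example, not part of the WinCC OA documentation or product. It compares the serverSideAuthentication entry in the [general] section of the config files of both systems of a redundant or DRS pair and reports any difference. The config file syntax (section headers, key = value lines, # comments), the function names and the sample file contents are assumptions made for this example.

```python
import re

# Entries that must match on both systems; only this one is named on the page.
COMPARED = [("general", "serverSideAuthentication")]
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

def parse_config(text):
    """Parse config text into {section: {key: [values]}}.

    Assumed syntax: [section] headers, key = value lines, '#' starts a comment
    (a '#' inside a quoted value is not handled). Repeated keys are all kept.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = SECTION_RE.match(line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value.strip('"'))
    return sections

def entry_state(text, section, key):
    """Return the single configured value, 'unset', or 'conflict'."""
    values = set(parse_config(text).get(section, {}).get(key, []))
    if not values:
        return "unset"
    return values.pop() if len(values) == 1 else "conflict"

def check_redundant_pair(config_a, config_b):
    """List differences between the two systems for every compared entry."""
    findings = []
    for section, key in COMPARED:
        a = entry_state(config_a, section, key)
        b = entry_state(config_b, section, key)
        if "conflict" in (a, b):
            findings.append(f"[{section}] {key}: set repeatedly with different values")
        if a != b:
            findings.append(f"[{section}] {key}: system A={a}, system B={b}")
    return findings

# Constructed sample configs (not taken from a real project).
CONFIG_A = '[general]\nproj_path = "C:/projects/plant"\nserverSideAuthentication = 1\n'
CONFIG_B = '[general]\nproj_path = "C:/projects/plant"\n# serverSideAuthentication = 1\n'

if __name__ == "__main__":
    for finding in check_redundant_pair(CONFIG_A, CONFIG_B):
        print(finding)
```

Further entries that have to be identical on both systems can be added to COMPARED as (section, key) pairs.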

Chapter: Description

Server-side Authentication for Managers:
  Requirements and Installation: How to configure the server-side authentication for managers.
  Panel for SSL Certificates: How to create SSL Certificates via a panel.
  Example Configuration - SSA for Managers: A complete example configuration for the server-side authentication of managers.
  Example of Config Entries - SSA for Managers: In the server-side authentication for managers the managers use SSL certificates for the authentication. Description of which config entries are needed for the authentication.
  Error Behavior: Error messages for the server-side authentication of managers.

Server-side Authentication for UI Managers:
  Server-side Authentication for UI Managers, Basics: Overview of the server-side authentication for UI managers.
  Requirements and Installation: How to configure the server-side authentication for UI managers.
  Notes and Restrictions: Notes and restrictions for the usage of the server-side authentication for UI managers.