Requirements and Installation

The following steps are necessary for a successful configuration of the server-side authentication for managers.

Server-side configuration

The following steps were already described in the documentation of the server-side authentication for UI Managers. For details see chapter Requirements and Installation.

  1. Activation of the automatic unlock in the device management
  2. Definition of the used Access Control Plugin
  3. Starting the webclient_http.ctl script using a new or existing CTRL manager.
  4. Performing the client-specific configuration, e.g. Remote user interface or ULC UX
  5. Starting the server project
  6. Starting the client

In addition to the requirements mentioned above, the following requirements must be met:

Certificates must be created. Note that you need to generate a dedicated certificate for each user you want a manager to run as. All users can be used for the authentication. See chapter Panel for SSL Certificates or use a Windows Certificate Store certificate.

The user root cannot be used to log in to an SSA project (UI). You can, however, use all other users, for example the user "para". You can find the predefined users created by default when creating a project in the chapter "Users". To create new users, see also chapter Users. For how to set the user permissions, read the chapter Groups.

Note that a project for the server-side authentication for managers can also be created via the project administration panel - see chapter Create project.

For authentication purposes the certificates need to contain a matching user name. The default certificates delivered with the WinCC OA installation only secure the connection and do not contain any user information. Create certificates that contain a user name via the Panel for SSL Certificates, via the openssl.cnf file, or via the command line - see the Security Guideline.

Set the config entries ssaChainFile, ssaCertificate and ssaPrivateKey in the [general] or in a manager-specific section of the config file. If you use a certificate revocation list, also set the ssaCRL entry in the [general] or in a manager-specific section of the config file. For an example of the config entries, see chapter Config Entries for SSA for Managers and for a complete example, see chapter Example Configuration - SSA for Managers. If you use Windows Certificate Store certificates, you also need the config entry ssaCertCheck but not the config entry ssaChainFile.
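The following added example (not part of the WinCC OA documentation or product) checks a config file for the SSA entries named above before a manager is started. The section names ctrl and ui, the helper names and all entry values are constructed placeholders; the real value syntax is described in chapter Config Entries for SSA for Managers.

```python
import re

# Entries the page requires for file-based certificates and for
# Windows Certificate Store certificates (ssaCertCheck instead of ssaChainFile).
REQUIRED_FILE = ("ssaChainFile", "ssaCertificate", "ssaPrivateKey")
REQUIRED_STORE = ("ssaCertificate", "ssaPrivateKey", "ssaCertCheck")

# Constructed sample config; values are placeholders, not real syntax.
SAMPLE_CONFIG = """
[general]
ssaChainFile = "PLACEHOLDER-chain"
ssaCertificate = "PLACEHOLDER-cert"

[ctrl]
ssaPrivateKey = "PLACEHOLDER-key"

[ui]
# no SSA entries of its own
"""

def parse_config(text):
    """Return {section: {key: value}} for an INI-style config text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def missing_ssa_entries(text, manager_section, windows_store=False):
    """List required SSA entries set neither in [general] nor in the manager section."""
    sections = parse_config(text)
    # An entry counts as set if it appears in either section.
    merged = {**sections.get("general", {}), **sections.get(manager_section, {})}
    required = REQUIRED_STORE if windows_store else REQUIRED_FILE
    return [key for key in required if not merged.get(key)]

if __name__ == "__main__":
    for section in ("ctrl", "ui"):
        print(section, "missing:", missing_ssa_entries(SAMPLE_CONFIG, section))
```

An empty list means every required entry is present for that manager section; an entry with an empty value is reported as missing.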

CAUTION: All managers that do not use the user "root" must use the manager option -user username. The option works without having to enter the password. See chapter Example Configuration - SSA Configuration - SSA for Managers for an example.

Debug flag

The debug flag -dbg SSA is available for the authentication.