Payload Encryption

MSA also lets you encrypt the payload (the data sent between the client and the service). This enables the secure transfer of sensitive, confidential information. Note that MSA is built on the already secure WinCC OA communication, which already provides protection against access from outside WinCC OA. MSA payload encryption further enhances security by encrypting and protecting the data within WinCC OA.

MSA also supports encrypting the payload (data sent between the client and the service). This enables the secure transfer of sensitive information.

Note that MSA is built on the already secure WinCC OA communication, which provides protection against threats from outside WinCC OA.
Note:
We recommend using this feature only for services that transmit particularly sensitive data. This could include, for example, personal user data, to keep this information confidential from other users.

If the data processed by the service consists of information that is already widely known within the project, it is not necessary to enable encryption.

Also note that communication between managers is already secure.

MSA payload encryption further increases security by encrypting and protecting data inside WinCC OA.

You can set the payload encryption mode for each service individually. All method calls use encryption according to this setting.

The payload encryption mode supports the following values:

  • 0: Payload encryption is disabled
  • 1: Payload encryption is enabled, but its use is optional
  • 2: Payload encryption is enabled and its use is mandatory

You can control the mode in several ways.

By default, the system uses Deactivated.

By configuring the config entry msaServicePayloadEncryptionMode, you can change the default for one manager instance, a manager type, or the whole system (depending on the config section used, e.g., ctrl vs ctrl_2 vs general).

You can also override the configured mode in code by using settings in sub-options.

Different Modes

If no mode is set, the configuration entry msaServicePayloadEncryptionMode uses the default value Disabled.

When Optional or Mandatory mode is selected, the MessageServer generates a key pair and shares the public key on a DPE. The client then encrypts request payloads using its own key pair and includes its public key so the server can encrypt responses.

Older clients (version 3.21.0) can still send unencrypted requests unless the service runs in Mandatory mode. Key pairs renew every 60 minutes, and the last five remain valid. In redundant setups, keys are synchronized between peer services so each can decrypt payloads encrypted by the other. The sample service VrpcGreeterDemo supports the -payloadEncryptionMode option to set this mode during service registration.

Purpose and Compatibility

Payload encryption secures communication while keeping older clients as compatible as possible.

  • Optional mode: Uses encryption if supported by the client; older clients can still connect.
  • Mandatory mode: Requires encryption; older clients cannot connect.

Use Mandatory mode for best security when all clients support it. Choose Optional mode to maintain compatibility with older clients.

Limitations

  • Startup delay of about 1–2 seconds per service for key generation.
  • Slight performance impact due to encryption.

We recommend enabling encryption mainly for services that need higher security.