Server-side Authentication for Managers does not work

Discussions about product bugs & problems!
Note: This is no replacement for the Official ETM Support!
15 posts • Page 1 of 2
aserov
Posts:15
Joined: Fri Mar 20, 2015 9:31 am

Server-side Authentication for Managers does not work

Post by aserov »

Hello Colleagues!

The WinCC OA project cannot start when I activate the feature Server-side Authentication for Managers

I use pre-generated certificates and the following entries in project config:

[general]
accessControlPlugin = "AccessControlPlugin"
ssaChainFile = "certs/ca-chain.cert.pem"
ssaPrivateKey = "file:certs/rootuser.key.pem"
ssaCertificate = "file:certs/rootuser.cert.pem"

Please, see an attached screenshot to view how it looks in Project console.
I also added -dbg SSA to see a relevant info in the attached log-file.

Could you, please, help - what can be a problem here?

Kind Regards,
Andrey Serov



Attachments
log-20180817.txt
2018_08_17_13_33_28_192.png

jmad
Posts:14
Joined: Fri Sep 29, 2017 8:37 am

Re: Server-side Authentication for Managers does not work

Post by jmad »

Hello,

Please be aware that for authentication purposes the certificates need to contain a matching username.

The default certificates shipped with the installation are made only to secure the connection, and do not contain any user information.

Hence you need to generate a dedicated certificate for each user you want a manager to run as.

Please find more general information in the section Security-->Authentication of the online help.
For details on user authentication refer to the section Security-->Authentication-->Server-side Authentication for UI Managers
For details on the fully fledged authentication for UI and other managers refer to section Security-->Authentication-->Server-side Authentication for Managers

These sections also cover a step-by-step introduction on how to create certificates suitable for authentication (containing user name information).

When you want to enable server-side authentication only for users (no certificates needed for manager authentication), then please use this config entry instead:

[general]
accessControlPlugin = "AccessControlPluginUser"

You will find an example config file from my example project using certificates as an attachment. NOTE: Only user certificates are mentioned there. The connectivity-related default certificates are used as usual.

BR. Jorgen Mad

Attachments
config_example_acc.txt

aserov
Posts:15
Joined: Fri Mar 20, 2015 9:31 am

Re: Server-side Authentication for Managers does not work

Post by aserov »

Hello,

Yes, I generated a dedicated certificate for user root as explained in section Security-->Authentication-->Server-side Authentication for Managers-->How to create Certificates.

The Example Configuration in this section uses accessControlPlugin = "AccessControlPlugin", not "AccessControlPluginUser".
Is it correct?
I want to enable server-side authentication for managers. But when I try to use this example, I cannot start the project with the proposed settings.

Kind Regards,
Andrey Serov

jmad
Posts:14
Joined: Fri Sep 29, 2017 8:37 am

Re: Server-side Authentication for Managers does not work

Post by jmad »

The example I sent recently uses the AuthCheckPlugin, which has some additional functionality over the AccessControlPlugin. Its usage is recommended only in some special cases. I have uploaded the sample config with the name of the plugin as it is in the online help here.

The recommended name of the plugin is AccessControlPlugin. It enables manager and user authentication on server side.

When you run the command "openssl x509 -in -text -noout" on your certificate, what is the roleOccupant? In my case the output has these lines:

Not After : Nov 23 12:08:32 2018 GMT
Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=validUser1/roleOccupant=para

BR. Jörgen Mad
Attachments
config_example_acc-20180820.txt

aserov
Posts:15
Joined: Fri Mar 20, 2015 9:31 am

Re: Server-side Authentication for Managers does not work

Post by aserov »

When I run the command "openssl x509 -in rootuser1.cert.pem -text -noout", I see the following:

Issuer: C=RU, ST=Moscow region, L=Moscow, O=Siemens, OU=DF, CN=Andrey/emailAddress=user@host.ru
Validity
Not Before: Aug 20 10:24:53 2018 GMT
Not After : Aug 30 10:24:53 2019 GMT
Subject: C=RU, ST=Moscow region, O=Siemens, OU=DF, CN=root/roleOccupant=root/emailAddress=root@host.ru


I added this root/roleOccupant=root, but it did not help; the project still does not start (Archive managers do not start).

My config-file in [general] section:

pvss_path = "C:/Siemens/Automation/WinCC_OA/3.16"
proj_path = "C:/WinCC_OA_Proj/Conf10"
proj_version = "3.16"

langs = "en_US.utf8"
langs = "ru_RU.utf8"
lang = "ru_RU.utf8"

accessControlPlugin = "AccessControlPlugin"

ssaChainFile = "certs/ca.cert.pem"
ssaChainFile = "certs/ca-chain.cert.pem"

ssaPrivateKey = "file:certs/rootuser1.key.pem"
ssaCertificate = "file:certs/rootuser1.cert.pem"

jmad
Posts:14
Joined: Fri Sep 29, 2017 8:37 am

Re: Server-side Authentication for Managers does not work

Post by jmad »

Could you please also show the entries of the [webClient] section, or even better, attach the whole config file? Thanks.

BR. Jörgen

aserov
Posts:15
Joined: Fri Mar 20, 2015 9:31 am

Re: Server-side Authentication for Managers does not work

Post by aserov »

I attached the whole project (it's very small and empty) along with the certificates (in config folder). Could you, please, try to start it?

Kind Regards,
Andrey Serov
Attachments
Conf10.zip

jmad
Posts:14
Joined: Fri Sep 29, 2017 8:37 am

Re: Server-side Authentication for Managers does not work

Post by jmad »

Thanks for the project. Actually, your configuration is correct. Please note that the certificates need a dedicated field for the username (2.5.4.33, id-at-roleOccupant), which is missing in your certificates. No username --> no login. I attached a picture here comparing the content of your original certificate and a working one (recently created with the panel in WinCC OA 3.16).

Please note: Your project is not correctly configured for the use of HTTPS, which is necessary for user login.

BR. Jorgen Mad
Attachments
ruCertificates.PNG
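The check jmad describes above (a manager can only log in as the user named in the roleOccupant field, 2.5.4.33, of its certificate) can be applied to the plain-text output of "openssl x509 -text -noout" that both posters pasted. The following script is an added example and is not code from the thread or from WinCC OA; the three certificate outputs inside it are constructed samples shaped like the ones quoted in this thread, and the "-user" values are assumptions. It parses the Subject line in both the legacy OpenSSL form (where roleOccupant and emailAddress hang off the previous RDN with "/") and the newer "name = value" form, then reports whether the certificate carries a user and whether that user matches the manager's intended -user. One caveat the text output cannot resolve: a CN whose literal value is "root/roleOccupant=root" prints identically to a real roleOccupant RDN, which is exactly why jmad compared the certificate content for the 2.5.4.33 attribute itself.

```python
import re

# Legacy OpenSSL 1.0.x "-text" output (constructed sample, shaped like the
# output quoted in this thread). Older OpenSSL joins RDNs whose attribute
# name starts with a lowercase letter (roleOccupant, emailAddress) to the
# previous RDN with "/" instead of ", ".
LEGACY_TEXT = """\
Certificate:
    Data:
        Issuer: C=RU, ST=Moscow region, L=Moscow, O=Siemens, OU=DF, CN=Andrey/emailAddress=user@host.ru
        Validity
            Not Before: Aug 20 10:24:53 2018 GMT
            Not After : Aug 30 10:24:53 2019 GMT
        Subject: C=RU, ST=Moscow region, O=Siemens, OU=DF, CN=root/roleOccupant=root/emailAddress=root@host.ru
"""

# Newer OpenSSL prints "name = value" pairs separated by ", "; a tool that does
# not know the attribute name prints its dotted OID instead (constructed sample).
MODERN_TEXT = """\
Certificate:
    Data:
        Subject: C = GB, ST = London, O = Global Security, CN = validUser1, 2.5.4.33 = para
"""

# A connectivity-only certificate with no user attribute at all, the case jmad
# describes as "No username --> no login" (constructed sample).
NO_USER_TEXT = """\
Certificate:
    Data:
        Subject: C = AT, O = Example Org, CN = localhost
"""

ROLE_OCCUPANT_OID = "2.5.4.33"  # id-at-roleOccupant, the field named in the thread


def parse_subject(openssl_text):
    """Return the Subject line of `openssl x509 -text -noout` output as a list of
    (attribute, value) pairs. Accepts the legacy ", " / "/" mix and the modern
    ", " form with spaces around "=". Returns [] when no Subject line exists."""
    match = re.search(r"^\s*Subject:\s*(.*)$", openssl_text, re.MULTILINE)
    if not match:
        return []
    line = match.group(1)
    # Split on ", " or "/" only where an attribute name followed by "=" begins,
    # so values such as "Moscow region" or an e-mail address stay intact.
    parts = re.split(r"(?:,\s*|/)(?=[A-Za-z0-9.]+\s*=)", line)
    pairs = []
    for part in parts:
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def role_occupant(openssl_text):
    """Return the roleOccupant value, or None if the certificate names no user."""
    for name, value in parse_subject(openssl_text):
        if name in ("roleOccupant", ROLE_OCCUPANT_OID):
            return value
    return None


def check_manager_cert(openssl_text, expected_user):
    """Mirror the rule from the thread: the manager's -user must equal the
    certificate's roleOccupant. Returns (ok, reason)."""
    user = role_occupant(openssl_text)
    if user is None:
        return False, "no roleOccupant (2.5.4.33) in subject: no username, no login"
    if user != expected_user:
        return False, f"certificate user {user!r} does not match -user {expected_user!r}"
    return True, f"certificate user {user!r} matches"


if __name__ == "__main__":
    # Assumed pairing of manager sections and the users they run as.
    for section, text, user in (("[valarch]", LEGACY_TEXT, "root"),
                                ("[ui]", MODERN_TEXT, "para"),
                                ("[general]", NO_USER_TEXT, "operator")):
        ok, reason = check_manager_cert(text, user)
        print(f"{section:10} {'OK ' if ok else 'FAIL'} {reason}")
```

Run it against real output by replacing the constructed samples with the text of "openssl x509 -in <your cert> -text -noout"; a FAIL with "no roleOccupant" is the situation from the original post, while a user mismatch points at the -user parameter discussed later in the thread.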

aserov
Posts:15
Joined: Fri Mar 20, 2015 9:31 am

Re: Server-side Authentication for Managers does not work

Post by aserov »

I regenerated a certificate and now it works! But does it mean that:
1) using the AccessControlPlugin means that all traffic between managers is encrypted (e.g., traffic between Event and Archive managers after authorization)?
2) for Archive managers, only certificates with the root user as roleOccupant make it possible to authorize?

Thank you very much for helping!

Kind Regards,
Andrey Serov

jmad
Posts:14
Joined: Fri Sep 29, 2017 8:37 am

Re: Server-side Authentication for Managers does not work

Post by jmad »

Good to hear, that it is working. Congratulations!

Regarding your further questions:
1) No. This is the task of the mxProxy, which of course uses its own certificates, different from those used for authentication, for securing the channel.
2) No. Any user is allowed for authentication purposes (for any type of manager).

Nevertheless, it is recommended to keep the core services (e.g. Data, Archive, Event) running as the root user.

A valid configuration is then:
*) Have the default certificate with a user with very low privileges
*) Set dedicated users with higher privileges only for selected managers

E.g., in the [general] section set the user to e.g. operator or guest (typically view-only permissions in the UI), and in the [data], [event] and [valarch] sections set the root certificate.

Do not forget to set the -user : parameter for your managers and to have a valid certificate for every user needed on the managers.

BR. Jorgen Mad
