Generate SSL Certificate for Server-Side Authentication

kfyraj
Posts:6
Joined: Mon Sep 10, 2018 12:57 pm

Generate SSL Certificate for Server-Side Authentication

Post by kfyraj »

Hi,

I am trying to set up the Server-Side authentication, but I am having some difficulties with the guide in the help for generating certificates (Security->Authentication->Server-Side Authentication for Manager->Generate Certificate).

When I generate the rootuser certificate I enter CN=rootuser. Then for the intermediate-certificate CN=para; however, the roleOccupant is not requested. Afterwards I follow the same steps as for the intermediate-certificate for the respective user; for instance, if I have an operator user then I will create a certificate with CN operator, is that right?

Moreover, I copied the openssl.cnf file from the WinCC OA installation file.

Finally, the config file looks as follows:

Code:

[general]
pvss_path = "C:/Siemens/Automation/WinCC_OA/3.16"
proj_path = "C:/WinCC_ws/CertificationExample"
proj_version = "3.16"

langs = "de_AT.utf8"

accessControlPlugin = "AccessControlPlugin"

ssaChainFile = "ca.cert.pem"
ssaChainFile = "ca-chain.cert.pem"

ssaCertificate = "file:certs/para.cert.pem"
ssaPrivateKey = "file:certs/para.key.pem"

[webClient]
serverSideAuth = 1

After the configurations, I am not able to even start the archive managers.

kfyraj
Posts:6
Joined: Mon Sep 10, 2018 12:57 pm

Re: Generate SSL Certificate for Server-Side Authentication

Post by kfyraj »

This is an answer to my own question :)

First of all I tried to generate the certificates from the command line as was depicted in the help of WinCC OA, however through the CMD I was not able to define the role/user of each client/host certificate and that's why I was not granted access to different managers.

Anyway, I generated the certificates through the GEDI panel, which worked. First, I generated a root certificate and then with this certificate I generated the host certificates. Just a note, the role/user should be defined for a specific user that is also defined in the user management, otherwise the user will not be granted any access.

Finally, in the config, the root certificate or a user with root role can be defined as the ssaChainFile.

Regards
Klajdo

jmad
Posts:14
Joined: Fri Sep 29, 2017 8:37 am

Re: Generate SSL Certificate for Server-Side Authentication

Post by jmad »

Hi,

See also this thread: Thread 9243 (Server-side Authentication ... not work).

The CN name is not evaluated for checking user names. This is done on the field "roleOccupant", which is set either on the command line (refer to the online help for an example) or with the panel from System Management.

As a best practice, do not use CA certificates as user authentication certificates at the same time. Please provide a CA certificate and, based on that, generate the user certificates.

BR. Jörgen
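
An added example (not from this thread or the WinCC OA help) of the point in the reply above: with plain OpenSSL, roleOccupant can be passed as a subject attribute through -subj, and the user certificate is signed by a separate root CA rather than doubling as one. The file names, the demo-root CA and the operator user are constructed; that a given WinCC OA version accepts certificates produced this way is an assumption.

```shell
#!/bin/sh
# Added example. All names (demo-root, operator, cnonly) are constructed.

# make_root DIR: self-signed demo root CA, used only to sign other certificates.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-root" \
        -keyout "$1/root.key.pem" -out "$1/root.cert.pem" 2>/dev/null
}

# issue_cert DIR NAME SUBJECT: new key + CSR with SUBJECT, signed by the root in DIR.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key.pem" -out "$1/$2.csr.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr.pem" -days 30 \
        -CA "$1/root.cert.pem" -CAkey "$1/root.key.pem" -CAcreateserial \
        -out "$1/$2.cert.pem" 2>/dev/null
}

# role_of CERT: print the roleOccupant value from the subject (empty if absent).
role_of() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *roleOccupant *= *//p'
}

# chain_ok DIR NAME: succeed if NAME's certificate verifies against the root.
chain_ok() {
    openssl verify -CAfile "$1/root.cert.pem" "$1/$2.cert.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" || return 1
    # Certificate carrying the user name in roleOccupant as well as in CN.
    issue_cert "$d" operator "/CN=operator/roleOccupant=operator" || return 1
    # Certificate with CN only: the case from the first post, no roleOccupant at all.
    issue_cert "$d" cnonly "/CN=operator" || return 1
    echo "operator: roleOccupant='$(role_of "$d/operator.cert.pem")'"
    echo "cnonly:   roleOccupant='$(role_of "$d/cnonly.cert.pem")'"
    chain_ok "$d" operator && echo "operator chain: OK"
    rm -rf "$d"
}
demo
```

The openssl arguments are the same when typed into a Windows command prompt; only the function wrappers and mktemp are shell-specific.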

kfyraj
Posts:6
Joined: Mon Sep 10, 2018 12:57 pm

Re: Generate SSL Certificate for Server-Side Authentication

Post by kfyraj »

Thanks for your reply.

I followed the example from online help, but the "roleOccupant" is not asked from the CMD. That's why I did it through the GEDI panel and it worked.

The thread you posted is similar to my question, but I could not understand where I can define the roleOccupant.

Regards
Klajdo
