7. Kepware_Security
Securing Kepware with Security Policies Plug-In
Steve Lim | Sales Engineer
Basic Security Features of OPC
• OPC DA
  • Secured by default by DCOM settings
  • DCOM users dictate the users and logins
  • Not firewall friendly
• OPC UA
  • Secured by RSA Certificate exchange
  • User authentication can be enabled
  • Firewall friendly
• Kepware Security Plugin
  • Enhances the security by restricting the permission to the objects residing inside Kepware
Security Policies Plug-In
• Organize security access permissions for user groups
• Apply security access permissions to individual objects (such as channels, devices, and tags)
• Allow/Deny Dynamic Tag addressing
• Enable/Disable anonymous login for UA Client Sessions
• Allow/Deny Browsing of the project namespace
• Assign Read Only, Read/Write, or No Access permissions to the following categories of tags:
  • I/O Tags
  • System Tags
  • Internal Tags
Assigning Users for Kepware configuration
• Create and assign users instead of using the default administrator to protect your server configurations
• Under runtime > Options > enable show user login
Security Plugin Access
• Right click admin icon on system tray bar > Security Policies
Allows Configuration of both dynamic and static (I/O) tags
Demo System Overview for OPC UA bridging
[Diagram labels: 3rd Party OPC DA Server, Kepware, Security Plugin, OPC UA Client, OPC DA Channel 1, OPC DA Channel 2]
OPC DA Channel 1 & 2 redundant via MLR
Security Plugin restricts access and hides tags
3rd Party OPC UA Client handles the Swingovers
Grouping the level of security for the Tags
• After collecting the tags from the 3rd Party OPC DA Server, group the data ideally in the following manner:
  • LockedTags: Tags which you don’t want anyone using the server to alter
  • PrivateTags: Tags that are only for your eyes
  • PublicTags: Tags which other OPC Clients are allowed to view
• Alternatively, you may do a 1 to 1 permission setting
Accessing the security plugin
• To configure the access levels for the clients, right-click the administrator logo > Settings > Security Policies
Restricting Dynamic Tag creation
• In OPC, there are 2 kinds of tags: static tags and dynamic tags.
  • Static Tags refer to predefined memory addresses on the OPC Server.
  • Dynamic Tags refer to tags that can be created on the fly using the OPC Clients.
• Denying access to this will remove this capability from the OPC Clients.
Click apply after closing this window
Restricting Static Tag access
• To hide or limit the tags, point to the group or the specific tag and deny access to it.
Click apply after closing this window
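A small model of the settings on the preceding slides (tag groups, a 1-to-1 override, and denied dynamic addressing), added here as an example; it is not Kepware code. The channel, device and tag names, and the rule that the most specific entry wins with no access by default, are assumptions for illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    NO_ACCESS = 0
    READ_ONLY = 1
    READ_WRITE = 2

# Constructed sample project: group names follow the slides; the channel,
# device and tag names are hypothetical.
STATIC_TAGS = {
    "Channel1.Device1.LockedTags.Temp",
    "Channel1.Device1.PrivateTags.Recipe",
    "Channel1.Device1.PublicTags.Level",
    "Channel1.Device1.PublicTags.Setpoint",
}
# Permissions for one user group, keyed by object path.
POLICY = {
    "Channel1.Device1.LockedTags": Access.READ_ONLY,
    "Channel1.Device1.PrivateTags": Access.NO_ACCESS,
    "Channel1.Device1.PublicTags": Access.READ_ONLY,
    "Channel1.Device1.PublicTags.Setpoint": Access.READ_WRITE,  # 1-to-1 setting
}

def effective_access(path, policy=POLICY):
    """Most specific matching object wins; no match means no access (assumed)."""
    parts = path.split(".")
    for n in range(len(parts), 0, -1):
        level = policy.get(".".join(parts[:n]))
        if level is not None:
            return level
    return Access.NO_ACCESS

def authorize(path, op, allow_dynamic=False):
    """op is 'read' or 'write'; returns (allowed, reason)."""
    # A path that is not a predefined (static) tag is a dynamic address.
    if path not in STATIC_TAGS and not allow_dynamic:
        return False, "dynamic addressing denied"
    needed = Access.READ_WRITE if op == "write" else Access.READ_ONLY
    level = effective_access(path)
    if level >= needed:
        return True, level.name
    return False, f"needs {needed.name}, has {level.name}"

def visible_tags():
    """Tags a client in this group can still see after the deny rules."""
    return sorted(t for t in STATIC_TAGS if effective_access(t) > Access.NO_ACCESS)
```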
Restricting the browsing
• Restrict what the client can see under Browsing permission settings
Verification for OPC DA and OPC UA
OPC DA unable to see the tags
OPC UA able to browse but unable to import.
Managing and creating users
• Manage and create users under the User manager tab next to security policies
• Restrict the browsing capabilities of OPC UA or DA Clients under Anonymous clients -> Data Client
  • This removes the browsing capabilities of the clients completely.
OPC UA user login
By adding the user and password to the UA Client, the browsing capability is reinstated
Removing browsing capabilities implies that the user cannot see anything on the OPC UA Server
Product Support
• Local Phone and Email
• Demo and proof of concepts
• Local engineering and sales support
• Your local representative:
Support team with extensive Industry knowledge and experience.
Available via Phone, email and web request.
Utilize documents, conversations and remote access to fix issues.
License Recovery from Server Hardware Failure
Knowledge base available 24 hours a day, 7 days a week via web access.