Kaspersky IoT Secure Gateway 100

Special considerations when configuring OPC UA security settings

May 24, 2023

ID 240935

Kaspersky IoT Secure Gateway 100 does not establish a connection over the OPC UA protocol in the following cases:

  • The server does not have a certificate, and an unsafe connection is not allowed.
  • The trustList parameter lacks a defined server certificate, and the AllowAll value is not set.
  • The client certificate, server certificate or encryption keys do not comply with the settings of the selected security policy.

The OPC UA server and client establish an unsafe connection in the following cases:

  • The null value is set for the security and userCredentials settings blocks, and the server supports this type of connection.
  • The Any value is set for the mode and policy fields, and the server offers the choice for an unsafe connection.

Any weakening of the security settings reduces the security of the connection. For example, the following settings reduce the security of a connection over the OPC UA protocol:

  • Use of the null value for the security settings block will result in the use of a connection without encryption and without a signature.
  • Use of the AllowAll value for the trustList field disables server certificate verification.
  • Use of the null value for the userCredentials settings block disables the capability to connect to a server by using a username and password.
  • The Basic128Rsa15 and Basic256 values for the policy field are considered to be obsolete in the OPC UA version 1.4 protocol specification because the SHA-1 hashing algorithm is no longer considered to be secure.
  • Use of the None value for the policy or mode fields will result in the following:
    • use of a connection without encryption and without a data signature;
    • transmission of a plaintext password to the server.
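The weakening settings listed above can be checked mechanically before a configuration is deployed. The following is an added example, not code from Kaspersky or from the product documentation; it flags each listed case in a parsed settings object. Assumptions: the function name `audit_opcua_settings`, the nesting of `mode`, `policy` and `trustList` inside the `security` block, `AllowAll` being given as a string, and the sample values are all hypothetical.

```python
import json

OBSOLETE_POLICIES = {"Basic128Rsa15", "Basic256"}  # listed above as obsolete (SHA-1)

def audit_opcua_settings(cfg: dict) -> list[tuple[str, str]]:
    """Return (field, finding) pairs for the weakening settings listed above.

    Assumed layout (not taken from the product documentation): top-level
    "security" and "userCredentials" blocks, with "mode", "policy" and
    "trustList" inside "security".
    """
    findings = []
    security = cfg.get("security")
    creds = cfg.get("userCredentials")

    if creds is None:
        findings.append(("userCredentials", "null: username/password login disabled"))
    if security is None:
        findings.append(("security", "null: no encryption and no signature"))
        return findings

    mode, policy = security.get("mode"), security.get("policy")
    if "None" in (mode, policy):
        findings.append(("mode/policy", "None: no encryption and no data signature"))
        if creds is not None:
            # A password is only exposed when credentials are actually configured.
            findings.append(("userCredentials", "password sent to the server in plaintext"))
    if mode == "Any" and policy == "Any":
        findings.append(("mode/policy", "Any: server may select an unsafe connection"))
    if policy in OBSOLETE_POLICIES:
        findings.append(("policy", f"{policy}: obsolete, relies on SHA-1"))
    if security.get("trustList") == "AllowAll":
        findings.append(("trustList", "AllowAll: server certificate not verified"))
    return findings

# Constructed sample settings, not a real gateway configuration;
# the "SignAndEncrypt" mode value is an assumption.
SAMPLE = json.loads("""
{
  "security": {"mode": "SignAndEncrypt", "policy": "Basic256", "trustList": "AllowAll"},
  "userCredentials": {"username": "operator", "password": "example"}
}
""")

if __name__ == "__main__":
    for field, finding in audit_opcua_settings(SAMPLE):
        print(f"{field}: {finding}")
```

An empty result means none of the listed weakening settings was found; it does not confirm that the certificates and keys comply with the selected security policy.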
