Special considerations when configuring OPC UA security settings
Special considerations when configuring OPC UA security settings
Kaspersky IoT Secure Gateway 100 does not establish a connection over the OPC UA protocol in the following cases:
- The server does not have a certificate, and an unsafe connection is not allowed.
- The
trustList
parameter lacks a defined server certificate, and theAllowAll
value is not set. - The client certificate, server certificate or encryption keys do not comply with the settings of the selected security policy.
The OPC UA server and client establish an unsafe connection in the following cases:
- The
null
value is set for thesecurity
anduserCredentials
settings blocks, and the server supports this type of connection. - The
Any
value is set for themode
andpolicy
fields, and the server offers the choice for an unsafe connection.
Any weakening of the security settings reduces the security of the connection. For example, the following settings reduce the security of a connection over the OPC UA protocol:
- Use of the
null
value for thesecurity
settings block will result in the use of a connection without encryption and without a signature. - Use of the
AllowAll
value for thetrustList
field disables server certificate verification. - Use of the
null
value for theuserCredentials
settings block disables the capability to connect to a server by using a username and password. - The
Basic128Rsa15
andBasic256
values for thepolicy
field are considered to be obsolete in the OPC UA version 1.4 protocol specification because the SHA-1 hashing algorithm is no longer considered to be secure. - Use of the
None
value for thepolicy
ormode
fields will result in the following:- use of a connection without encryption and without a data signature;
- transmission of a plaintext password to the server.
Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.