Securing OPC Wizard Servers

This article only covers selected security aspects related to OPC Wizard servers. It is not meant to provide a comprehensive security guidance.

The default settings of OPC Wizard are designed for the ease of development and testing. They are not designed to be the secure settings for production use.

The main intentional "weakness" of the default OPC Wizard settings is that they allow for OPC UA communication (using the opc.tcp protocol) with the "None" message security mode, meaning that the OPC UA messages on the 'secure channel" are neither signed nor encrypted, and also that there is no requirement for the OPC UA applications to authenticate (verify the identity) of their communication peer - i.e. the OPC UA server does not have to authenticate the OPC UA client application, and vice versa. This setting makes the development and testing easier, because on the first attempts to make your server work, you do not have to deal with the complexities of establishing the application trust via certificates.

There are also other, less important aspects of the default OPC Wizard settings that differ from the required or ideal settings, security-wise.

In order to bump up the security level provided by your OPC server developed with the OPC Wizard, do the following steps:

Set the static SharedParameters Property of EasyUAServer Class to EasyUAServerSharedParameters.OpcCompliance.
Set the InstanceParameters Property of your EasyUAServer object to EasyUAServerInstanceparameters.OpcCompliance.

The OpcCompliance parameters restrict the AllowedMessageSecurityModes Property to only Secure message security modes (SecuritySign and SecuritySignAndEncrypt). This means that even if SecurityNone is specified in the MessageSecurityModes of your EasyUAServer, it will not be used (will not appear in the EffectiveMessageSecurityModes Property).

The OPC UA compliance (and the compliance testing process) actually requires that any compliant OPC UA is secure by default - that is, in its "out of the box" state. This means that if you want your server to be OPC UA compliant on this level, you cannot use the default OPC Wizard settings for the initial state of your software.

The recommended steps needed to use the OPC Wizard settings with better security are illustrated in the following example.

// This example shows how to set the OPC Wizard parameters for best OPC compliance.
// You can use any OPC UA client, including our Connectivity Explorer and OpcCmd utility, to connect to the server. 
//
// Find all latest examples here: https://opclabs.doc-that.com/files/onlinedocs/OPCLabs-OpcStudio/Latest/examples.html .
// OPC client, server and subscriber examples in C# on GitHub: https://github.com/OPCLabs/Examples-OPCStudio-CSharp .
// Missing some example? Ask us for it on our Online Forums, https://www.opclabs.com/forum/index ! You do not have to own
// a commercial license in order to use Online Forums, and we reply to every post.

using System;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.Engine;
using OpcLabs.EasyOpc.UA.NodeSpace;
using OpcLabs.EasyOpc.UA.OperationModel;

namespace UAServerDocExamples._EasyUAServer
{
    class _Parameterization
    {
        public static void OpcCompliance()
        {
            // You need to set both the shared parameters and instance parameters of the EasyUAServer to the values preset
            // for OPC compliance, as shown in the code below. The main difference from the default ("Interoperability")
            // settings is that the OPC compliance settings do not allow insecure connections, but there are other
            // differences as well.
            //
            // You will need to establish mutual trust between the OPC UA server and the client in order to successfully
            // establish a secure connection.

            // Set the shared parameters for OPC compliance.
            EasyUAServer.SharedParameters = EasyUAServerSharedParameters.OpcCompliance;

            // Instantiate the server object.
            // By default, the server will run on endpoint URL "opc.tcp://localhost:48040/".
            var server = new EasyUAServer();

            // Hook event handler for the EndpointStateChanged event. It simply prints out the event.
            server.EndpointStateChanged += (sender, args) => Console.WriteLine(args);

            // Set the instance parameters for OPC compliance.
            server.InstanceParameters = EasyUAServerInstanceParameters.OpcCompliance;

            // Define a data variable providing random integers.
            var random = new Random();
            server.Add(new UADataVariable("MyDataVariable").ReadValueFunction(() => random.Next()));

            // Start the server.
            Console.WriteLine("The server is starting...");
            server.Start();

            Console.WriteLine("The server is started.");
            Console.WriteLine();

            // Let the user decide when to stop.
            Console.WriteLine("Press Enter to stop the server...");
            Console.ReadLine();

            // Stop the server.
            Console.WriteLine("The server is stopping...");
            server.Stop();

            Console.WriteLine("The server is stopped.");
        }
    }
}

' This example shows how to set the OPC Wizard parameters for best OPC compliance.
' You can use any OPC UA client, including our Connectivity Explorer and OpcCmd utility, to connect to the server. 
'
' Find all latest examples here: https://opclabs.doc-that.com/files/onlinedocs/OPCLabs-OpcStudio/Latest/examples.html .
' OPC client and subscriber examples in VB.NET on GitHub: https://github.com/OPCLabs/Examples-QuickOPC-VBNET .
' Missing some example? Ask us for it on our Online Forums, https://www.opclabs.com/forum/index ! You do not have to own
' a commercial license in order to use Online Forums, and we reply to every post.

Imports System
Imports OpcLabs.EasyOpc.UA
Imports OpcLabs.EasyOpc.UA.Engine
Imports OpcLabs.EasyOpc.UA.NodeSpace

Namespace _EasyUAServer
    Partial Friend Class _Parameterization
        Shared Sub OpcCompliance()
            ' You need to set both the shared parameters and instance parameters of the EasyUAServer to the values preset
            ' for OPC compliance, as shown in the code below. The main difference from the default ("Interoperability")
            ' settings is that the OPC compliance settings do not allow insecure connections, but there are other
            ' differences as well.
            ' 
            ' You will need to establish mutual trust between the OPC UA server and the client in order to successfully
            ' establish a secure connection.

            ' Set the shared parameters for OPC compliance.
            EasyUAServer.SharedParameters = EasyUAServerSharedParameters.OpcCompliance

            ' Instantiate the server object.
            ' By default, the server will run on endpoint URL "opc.tcp://localhost:48040/".
            Dim server = New EasyUAServer()

            ' Hook event handler for the EndpointStateChanged event. It simply prints out the event.
            AddHandler server.EndpointStateChanged, Sub(sender, args) Console.WriteLine(args)

            ' Set the instance parameters for OPC compliance.
            server.InstanceParameters = EasyUAServerInstanceParameters.OpcCompliance

            ' Define a data variable providing random integers.
            Dim random = New Random()
            server.Add(New UADataVariable("MyDataVariable").ReadValueFunction(Function() random.Next()))

            ' Start the server.
            Console.WriteLine("The server is starting...")
            server.Start()

            Console.WriteLine("The server is started.")
            Console.WriteLine()

            ' Let the user decide when to stop.
            Console.WriteLine("Press Enter to stop the server...")
            Console.ReadLine()

            ' Stop the server.
            Console.WriteLine("The server is stopping...")
            server.Stop()

            Console.WriteLine("The server is stopped.")
        End Sub
    End Class
End Namespace

.NET

Fundamentals

Reference

Examples - Server OPC Unified Architecture