This configuration can be pushed from the domain to each Server. The domain would need to identify all OPC Classic servers and assign appropriate access rights to the User groups (roles) associated with the clients that will be connecting.
In a domain environment it can be easily configured, but by default it is not restricted. This functionality, when it becomes available will allow management of all certificates from a single administrative application (such as a domain) by simple menu selections.ĭCOM typically bases its overall security on this type of server wide access. OPC UA has announced Global Discover Service functionality (part 12) that makes deploying certificate much easier for the non-IT person. The OPC Foundation provides tools (as well as vendors) for configuring certificates and certificate authorities (CA) allowing relatively easy configuration, especially for someone with IT experience. All Applications have a unique certificate assigned to them and a trust list that indicates which other certificates (applications) are to be trusted (allowed). This is accomplished in OPC UA by the use of Certificates. For example a standard client that is installed on two operator stations (for two different areas in a plant) would have different lists of servers that they are allowed to connect to. The access rights apply to clients as well as servers, so the same client installed on two different machines can have different servers that it is allowed to access. The same application installed on two different machines can be configured with different access rights. All applications are required to support this to be certified. In OPC UA, this is required and provided by default. There are some third party versions of DCOM available for some non-windows platforms, but in general OPC Classic is very rarely used on a non-windows platform. For one of the use cases, in which multiple operating systems are present OPC Classic is very difficult to implement since it requires COM/DCOM be available on the alternate operating system. In short OPC Classic relies on the security provided by the underlining communication protocol and the family of Windows Operating systems.
The key aspect of DCOM / Windows security is that it is based on users and the rights granted to the users (the user under which the application is executing). Some import configuration issues are to restrict DCOM to TCP and to restrict access. Documents have been generated that describe the Windows/DCOM provided security and how to apply or configure it in the world of OPC Classic (see the end of the paper for a list of related documentation). The OPC Foundation defines recommendations for how to configure the COM/DCOM layer for security via the OPC Security Specification.
0 kommentar(er)
