Chapter 16. Security

Table of Contents

16.1. SSL and Firewalls
16.2. User Authentication
16.3. Authorization and User Permissions
16.4. How To Configure a Common Scenario
16.5. Passwords

The OPC DataHub provides full access control over all DDE, TCP, OPC, and tunnel/mirror connections, using authentication and authorization. Authentication limits access to recognized users, based on a username/password combination. Authorization assigns each user a set of permissions, allowing access to certain functions while denying access to others.

The DataHub also provides full SSL (Secure Sockets Layer) encryption for TCP/IP tunnelling and mirroring connections.

16.1. SSL and Firewalls

The OPC DataHub provides the option to use SSL encryption to protect your data when tunnelling/mirroring to another DataHub across a network connection. The SSL implementation uses the default SSL-3 encryption cipher: DHE-RSA-AES256-SHA, which is a 256-bit encryption method. The Tunnel/Mirror section of this manual explains how to configure SSL for tunnelling and mirroring.

SSL Certificates

An SSL certificate is required to use SSL encryption between DataHubs. The DataHub installs a default SSL certificate for you, but you can use your own certificate if you prefer.

Because the DataHub is often used under circumstances where it is not possible or desirable to connect to the Internet, it does not check the issuing authority for a security certificate against the IP address or DNS name of the target computer, nor does it check the expiry date of the certificate. In most control applications it is not acceptable for the DataHub to refuse access to a critical process due to a simple mismatch in machine name declaration or the expiry of a time-limited certificate. Thus, any well-formed certificate will be accepted. Most important, the data encryption will be performed regardless of the validity of the certificate.
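Because the DataHub accepts any well-formed certificate, one way to notice a replaced or unexpected certificate is to record each listener's SHA-256 fingerprint at commissioning and compare it on a schedule. The Python below is an added example, not part of the DataHub or its manual; the host name, port and pin are constructed placeholders, and `fingerprint`, `fetch_der` and `audit` are names introduced here.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the certificate the listener presents, without validating it."""
    # Chain, name and expiry checks are off on purpose: the pin comparison in
    # audit() is the check. The local OpenSSL build must still share a
    # protocol version and cipher with the listener, or the handshake fails.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit(pins: dict, fetch=fetch_der) -> list:
    """Compare each endpoint's presented certificate with its recorded pin.

    pins maps (host, port) -> expected fingerprint (colons optional).
    Returns (host, port, reason) for every failure; empty means all match.
    """
    findings = []
    for (host, port), expected in sorted(pins.items()):
        try:
            seen = fingerprint(fetch(host, port))
        except (OSError, ssl.SSLError) as exc:
            findings.append((host, port, f"unreachable: {exc}"))
            continue
        want = expected.replace(":", "").lower()
        if not hmac.compare_digest(seen, want):
            findings.append((host, port, f"certificate changed: {seen}"))
    return findings


if __name__ == "__main__":
    # Constructed inventory: host name, port and pin are placeholders.
    PINS = {("datahub-a.example", 50443): "00" * 32}
    for host, port, reason in audit(PINS):
        print(f"{host}:{port} {reason}")
```

A non-empty result means the listener is unreachable or is presenting a certificate other than the one recorded, which is worth investigating before trusting the tunnel.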

Firewall Ports

The DataHub lets you specify which ports it will use for tunnelling/mirroring over a network. A port that you open on the firewall can still be secured, because any program that attempts to connect on that port will need to be able to communicate with the DataHub that is listening on it. As long as authentication is used for tunnelling, even a user who attempts to connect using another DataHub program will need to have access to a valid username and password.