7. Kepware_Security

Securing Kepware with Security Policies Plug-In Steve Lim | Sales Engineer

Transcript of 7. Kepware_Security

Page 1: 7. Kepware_Security


Page 2: 7. Kepware_Security

Basic Security feature of OPC

• OPC DA
  • Secured by default by DCOM settings
  • DCOM users dictate the users and logins
  • Not firewall friendly

• OPC UA
  • Secured by RSA certificate exchange
  • User authentication can be enabled
  • Firewall friendly

• Kepware Security Plugin
  • Enhances the security by restricting the permissions on the objects residing inside Kepware

Page 3: 7. Kepware_Security

Security Policies Plug-In

• Organize security access permissions for user groups

• Apply security access permissions to individual objects (such as channels, devices, and tags)

• Allow/Deny Dynamic Tag addressing

• Enable/Disable anonymous login for UA Client Sessions

• Allow/Deny Browsing of the project namespace

• Assign Read Only, Read/Write, or No Access permissions to the following categories of tags:
  • I/O Tags
  • System Tags
  • Internal Tags

Page 4: 7. Kepware_Security

Assigning Users for Kepware configuration

• Create and assign users instead of using the default administrator to protect your server configurations

• Under Runtime > Options, enable "show user login"

Page 5: 7. Kepware_Security

Security Plugin Access

• Right click the admin icon on the system tray bar > Security Policies

Allows configuration of both dynamic and static (I/O) tags

Page 6: 7. Kepware_Security

Demo System Overview for OPC UA bridging

[Diagram: 3rd Party OPC DA Server 1 and 3rd Party OPC DA Server 2 feed Kepware over OPC DA Channel 1 and OPC DA Channel 2; the Security Plugin sits between Kepware and the OPC UA Client]

• OPC DA Channel 1 & 2 redundant via MLR

• Security Plugin restricts access and hides tags

• 3rd Party OPC UA Client handles the swingovers

Page 7: 7. Kepware_Security

Grouping the level of security for the Tags

• After collecting the tags from the 3rd Party OPC DA Server, group the data ideally in the following manner:
  • LockedTags: tags which you don't want anyone using the server to alter
  • PrivateTags: tags that are only for your eyes
  • PublicTags: tags which other OPC Clients are allowed to view

• Alternatively, you may do a 1-to-1 permission setting

Page 8: 7. Kepware_Security

Accessing the Security Plugin

• To configure the access levels for the clients, right click the administrator logo > Settings > Security Policies

Page 9: 7. Kepware_Security

Restricting Dynamic Tag creation

• In OPC, there are 2 kinds of tags: static tags and dynamic tags.

• Static tags refer to predefined memory addresses on the OPC Server.

• Dynamic tags refer to tags that can be created on the fly by the OPC Clients.

• Denying access here removes this capability from the OPC Clients. Click Apply after closing this window.

Page 10: 7. Kepware_Security

Restricting Static Tag access

• To hide or limit the tags, point to the group or the specific tag and deny access to it. Click Apply after closing this window.

Page 11: 7. Kepware_Security

Restricting the browsing

• Restrict what the client can see under Browsing permission settings

Page 12: 7. Kepware_Security

Verification for OPC DA and OPC UA

• OPC DA: unable to see the tags

• OPC UA: able to browse but unable to import

Page 13: 7. Kepware_Security

Managing and creating users

• Manage and create users under the User Manager tab next to Security Policies

• Restrict the browsing capabilities of OPC UA or DA Clients under Anonymous Clients -> Data Client
  • This removes the complete browsing capabilities of the clients

Page 14: 7. Kepware_Security

OPC UA user login

By adding the user and password to the UA Client, the browsing capability is reinstated.

Removing browsing capabilities implies that the user cannot see anything on the OPC UA Server.
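To make the permission model of pages 7 to 14 concrete, here is an added Python sketch (not Kepware code; the class names, tag paths and user groups are constructed assumptions) that resolves a client's access to a tag path with deepest-rule-wins inheritance and applies the separate browsing and dynamic-tag switches, so the Locked/Private/Public grouping and the anonymous-versus-logged-in behaviour can be checked offline:

```python
from dataclasses import dataclass, field
from enum import Enum

class Access(Enum):
    NO_ACCESS = "No Access"
    READ_ONLY = "Read Only"
    READ_WRITE = "Read/Write"

@dataclass
class GroupPolicy:
    """Hypothetical model of one user group in the Security Policies plug-in."""
    browse: bool = True          # "Browsing" permission for the group
    dynamic_tags: bool = True    # "Dynamic Tag addressing" permission
    # Rules keyed by object path (channel.device.group.tag); constructed sample data
    rules: dict = field(default_factory=dict)

    def access(self, path: str) -> Access:
        # Walk from the full path up to the channel: the deepest rule wins,
        # so a rule set on a tag group covers every tag under it.
        parts = path.split(".")
        for depth in range(len(parts), 0, -1):
            rule = self.rules.get(".".join(parts[:depth]))
            if rule is not None:
                return rule
        return Access.NO_ACCESS  # assumption: no matching rule means deny

    def allows(self, op: str, path: str, dynamic: bool = False) -> bool:
        if dynamic and not self.dynamic_tags:   # on-the-fly tag creation blocked
            return False
        level = self.access(path)
        if op == "browse":                      # No Access also hides the object
            return self.browse and level is not Access.NO_ACCESS
        if op == "read":
            return level in (Access.READ_ONLY, Access.READ_WRITE)
        if op == "write":
            return level is Access.READ_WRITE
        raise ValueError(f"unknown operation {op!r}")

# Constructed groups mirroring the LockedTags / PrivateTags / PublicTags grouping
DEV = "Channel1.Device1"
ANONYMOUS = GroupPolicy(browse=False, dynamic_tags=False,
                        rules={f"{DEV}.PublicTags": Access.READ_ONLY})
OPERATORS = GroupPolicy(browse=True, dynamic_tags=False, rules={
    f"{DEV}.LockedTags": Access.READ_ONLY,
    f"{DEV}.PrivateTags": Access.NO_ACCESS,
    f"{DEV}.PublicTags": Access.READ_ONLY})
ADMIN = GroupPolicy(rules={"Channel1": Access.READ_WRITE,
                           f"{DEV}.LockedTags": Access.READ_ONLY})
```

With these groups the anonymous client can still read a public tag it already knows by name but cannot browse anything, while a logged-in operator browses public tags, never sees private ones, and cannot write locked ones.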

Page 15: 7. Kepware_Security

Product Support

• Local Phone and Email

• Demo and proof of concepts

• Local engineering and sales support

• Your local representative:

Support team with extensive Industry knowledge and experience.

Available via Phone, email and web request.

Utilize documents, conversations and remote access to fix issues.

License Recovery from Server Hardware Failure

Knowledge base available 24 hours a day, 7 days a week via web access.