Encrypting Communication, Changing Security Settings

Hint

Recommendations for data security

In order to minimize the risk of data security violations, we recommend the following organizational and technical actions for the system where your applications are running. As far as possible, avoid exposing the PLC and control networks to open networks and the Internet. Use additional data link layers for protection, such as a VPN for teleaccess. Install firewall mechanisms. Restrict access to authorized people. Change any default passwords regularly before and after commissioning.

Use the security features supported by CODESYS and the respective controller, such as encryption of communication with the controller and intentionally restricted user access.

Communication with the device can be protected by means of encryption and user management on the device. You can change the current security preset on the Communication Settings tab of the device editor as described below.

Establishing a connection to the controller, logging in, installing a trusted certificate for encrypted communication

Requirement: Encrypted communication with the controller and user management are enforced on the controller. However, there is no individual password yet, no certificate installed on your computer, and the connection to the controller is not configured yet.

  1. In the device tree, double-click the controller.

    ⇒ The device editor opens.

  2. Select the Communication Settings tab.

  3. Click the Scan network button.

  4. Select a controller.

    ⇒ A dialog opens, informing you that the certificate of the device does not have a trusted signature for communication. You are prompted whether or not to install this certificate as trusted in the local “Controller Certificates” store on your computer.

    Hint

    A controller certificate installed in this way is valid for only 30 days. This gives you time for the following longer-term solutions:

    • Creation of an additional self-signed certificate with a longer term (for example, 365 days). You can do this on the security screen if you have installed the CODESYS Security Agent, even if a certificate already exists.
    • Importing a signed certificate. This is currently only possible via the PLC shell commands of the runtime system. Therefore, we recommend using self-signed certificates first.
  5. Click OK to confirm the dialog prompt.

    ⇒ The certificate is listed as trusted.

    After accepting the self-signed certificate for the first time, you can establish an encrypted connection with the controller again and again without further prompts.

  6. If user management is currently enforced, then you are prompted to log in. When you log in for the first time, enter “Administrator” as your user name and password. Then the Password expired, please enter a new one! dialog opens so that you can define an individual password.

    ⇒ You can now log in to the controller as usual.

  7. All saved controller certificates (from step 5) are kept in the local Windows Certificate Store on your computer. You can access it with the certmgr.msc command (Execute).

    ⇒ All registered certificates for encrypted communication with controllers are listed here in Controller Certificates.
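
An added example (not part of the CODESYS documentation): a PowerShell script that lists the certificates in the store from step 7 and flags those that have expired or are close to expiry, which is relevant given the 30-day validity noted above. The `StoreName` and `WarnDays` parameters are assumptions of this example: pass the internal name of the store that certmgr.msc displays as Controller Certificates. The script also assumes that the validity limit is reflected in each certificate's NotAfter field.

```powershell
# Added example: audit the certificates trusted for encrypted controller
# communication in the current user's Windows Certificate Store.
# ASSUMPTION: $StoreName is the internal name of the store that certmgr.msc
# displays as "Controller Certificates". List the available store names with:
#   Get-ChildItem Cert:\CurrentUser
param(
    [Parameter(Mandatory)] [string] $StoreName,
    [int] $WarnDays = 14   # hypothetical warning threshold, in days
)

# certmgr.msc manages the current user's stores, hence Cert:\CurrentUser.
$storePath = "Cert:\CurrentUser\$StoreName"
if (-not (Test-Path -Path $storePath)) {
    throw "Certificate store '$storePath' not found."
}

$now = Get-Date
$report = foreach ($cert in Get-ChildItem -Path $storePath) {
    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)

    if ($daysLeft -lt 0) {
        $status = 'EXPIRED'
    }
    elseif ($daysLeft -le $WarnDays) {
        $status = 'EXPIRING'
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        # Heuristic: identical subject and issuer indicates a self-signed certificate.
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Status     = $status
    }
}

# Most urgent entries first.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```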

Configuring certificates for encrypted communication in a user profile

Note

The control elements for selecting a client certificate for encrypted communication are visible only when the controller supports this.

  1. Double-click in the status bar or click View ‣ Security Screen.

    ⇒ The Security Screen view opens.

  2. In the User tab, select the user profile for which the communication will be encrypted. By default, the specified user profile is the one you have used on your computer to sign into Windows. You can also create a new user profile with .

  3. Click the button in the Encrypted communication area.

    ⇒ The Certificate Selection dialog opens.

  4. Select a certificate with a private key from the list Available certificates in the local Windows Certificate Store. Certificates with a private key are identified by the symbol.

  5. Click the button.

  6. The certificate is added to the upper part of the dialog.

  7. Click OK to confirm your selection.

    ⇒ The selected certificate is displayed in the Security Screen in the Encrypted communication area.

Configuring encrypted communication with control certificates

Requirement: The CODESYS Security Agent add-on product is installed.

The Security Screen view provides an additional tab: Devices. This allows for the configuration of certificates for the encrypted communication with controllers. In this case, refer to the help for CODESYS Security Agent.

If the CODESYS Security Agent is not available to you, then you can proceed as follows by means of the PLC shell of the device editor:

Requirement: You are connected to a controller.

  1. In the first steps, you check if a qualified certificate is already on the controller. If no certificate is available, then you create a new certificate.

    Open the device editor by double-clicking the controller in the device tree, and select the PLC Shell tab.

    ⇒ The tab appears with a blank display window. Below that is a command line.

  2. Type the following command in the command line: cert-getapplist.

    ⇒ All used certificates are listed. The list includes information about the runtime component and whether or not the certificate is available.

  3. If a certificate still does not exist for the component CmpSecureChannel, then type the following command in the input line:

    cert-genselfsigned <Number of the Component in the applist>

  4. Click the Log tab and then the refresh button.

    ⇒ The display shows whether or not the certificate was generated successfully.

  5. Change again to the PLC Shell tab and type the command cert-getapplist.

    ⇒ The new certificate for the component CmpSecureChannel is displayed.

  6. In the next two steps, activate encrypted communication in the security screen of CODESYS.

  7. Open the security screen by double-clicking in the status bar.

  8. On the User tab, select the Enforce encrypted communication option in the Security level group.

    ⇒ The communication to all controllers is encrypted. If there is no certificate on a controller, then you cannot log in to it.

    The connecting line between the development system, the gateway, and the controller is displayed in yellow in the Communication Settings tab of the device editor of the controller.

  9. As an alternative to the Enforce encrypted communication option which applies to all controllers, you can also define encrypted communication for specific controllers only. To do this, select the Communication Settings tab in the editor of the respective controller. Then click Encrypted communication in the Device drop-down list.

    ⇒ The communication to this controller is encrypted. If there is no certificate on the controller, then you cannot log in to it.

    The connecting line between the development system, the gateway, and the controller is displayed in yellow in the Communication Settings tab of the device editor of the controller.

  10. When you log in to the controller for the first time, a dialog opens with information that the certificate of the controller is not signed by a trustworthy authority. In addition, the dialog displays information about the certificate and prompts you to install it as a trustworthy certificate in the local store in the Controller Certificates folder.

    When you confirm the dialog, the certificate is installed in the local store and you are logged in to the controller.

    In the future, communication with the controller will be encrypted automatically with this control certificate.

  11. To increase security for key exchange for controllers < V3.5.13.0, you can generate Diffie-Hellman parameters on the controller. To do this, type the command cert-gendhparams in the input line.

    This is no longer required for controllers >= V3.5.13.0.

    Hint

    Caution: Generating the Diffie-Hellman parameters can take several minutes or even several hours. However, this process must be executed only one time for each controller. The Diffie-Hellman parameters increase the security of the key exchange and protect against future attacks on recorded encrypted data.

Changing the communication policy (encryption, user management)

Requirement: The connection to the device is established.

  1. In the device tree, double-click the controller.

    ⇒ The device editor opens.

  2. Select the Communication Settings tab.

  3. Open the Device menu in the header of the editor. Click Change communication policy.

    ⇒ The Change communication policy dialog opens.

  4. In the upper part of the dialog, you can toggle between the Optional encryption, Enforced encryption, and No encryption settings.

  5. In the lower part of the dialog, you can toggle between the Optional user management and Enforced user management settings.

Enabling and disabling enforced encrypted communication

Requirement: The device supports encrypted communication.

  1. In the device tree, double-click the controller.

    ⇒ The device editor opens.

  2. Select the Communication Settings tab.

  3. Open the “Device” menu in the header of the editor. Click Encrypted communication. The status toggles between enabled and disabled.

    ⇒ If the Encrypted communication option is enabled, then the connection line between the development system, the gateway, and the device is highlighted in the editor in bold and in color in the graphical representation.
