Encrypting Communication, Changing Security Settings

Hint

Recommendations for data security

In order to minimize the risk of data security violations, we recommend the following organizational and technical actions for the system where your applications are running. As far as possible, avoid exposing the PLC and control networks to open networks and the Internet. Use additional data link layers for protection, such as a VPN for teleaccess. Install firewall mechanisms. Restrict access to authorized people. Change any default passwords regularly before and after commissioning.

Use the security features supported by CODESYS and the respective controller, such as encryption of communication with the controller and intentionally restricted user access.

Communication with the device can be protected by means of encryption and user management on the device. You can change the current security preset on the Communication Settings tab of the device editor.

Establishing a connection to the controller, logging in, installing a trusted certificate for encrypted communication

Requirement: Encrypted communication with the controller and user management are enforced on the controller. However, there is no individual password yet, no certificate installed on your computer, and the connection to the controller is not configured yet.

  1. In the device tree, double-click the controller.

    ⇒ The device editor opens.

  2. Click the Communication Settings tab.

  3. Click Scan Network.

  4. Select a controller.

    ⇒ A dialog opens, informing you that the certificate of the device does not have a trusted signature for communication. You are prompted whether or not to install this certificate as trusted in the local “Controller Certificates” store on your computer.

    Hint

    A controller certificate installed in this way is valid for only 30 days. This gives you time for the following long-term solutions:

    • Creation of an additional self-signed certificate with a longer term (for example, 365 days). You can do this on the security screen if you have installed the CODESYS Security Agent, even if a certificate already exists. Using the PLC shell of the device editor is a less convenient workaround.

      See below: “Configuring encrypted communication with a controller certificate with a more long-term validity period”

    • Importing a CA-signed certificate. This is currently only possible via the PLC shell commands of the runtime system. Therefore, we recommend using self-signed certificates first.

  5. Click OK to confirm the dialog prompt.

    ⇒ The certificate is listed as trusted.

    After accepting the self-signed certificate for the first time, you can establish an encrypted connection with the controller again and again without further prompts.

  6. If user management is currently enforced, then you are prompted to log in. When you log in for the first time, enter “Administrator” as your user name and password. Then the Password expired, please enter a new one! dialog opens, where you define an individual password.

    ⇒ You can now log in to the controller as usual.

  7. All saved controller certificates (from step 5) are kept in the local Windows Certificate Store on your computer. You can access it by executing the certmgr.msc command.

    ⇒ All registered certificates for encrypted communication with controllers are listed here in Controller Certificates.
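
To keep track of the 30-day certificates mentioned in the hint above, the following PowerShell function lists the certificates in that local store with their total lifetime and remaining validity. It is an added example, not part of the CODESYS documentation: the function name is hypothetical, the internal store name is an assumption you must supply, and the 7-day warning threshold is a constructed value.

```powershell
# Added example: audit the controller certificates trusted on this computer.
# ASSUMPTION: -StoreName is the internal name of the store that certmgr.msc
# displays as "Controller Certificates". List the candidates with:
#   Get-ChildItem Cert:\CurrentUser | Select-Object Name
function Get-ControllerCertStatus {
    param(
        [Parameter(Mandatory)] [string] $StoreName,  # placeholder, see above
        [int] $WarnDays = 7                          # constructed threshold
    )
    $path = "Cert:\CurrentUser\$StoreName"
    if (-not (Test-Path -Path $path)) {
        throw "Certificate store '$StoreName' not found under Cert:\CurrentUser"
    }
    $now = Get-Date
    Get-ChildItem -Path $path | ForEach-Object {
        # Total lifetime separates 30-day temporary certificates from
        # longer-term ones (for example, 365 days).
        $lifetime  = [int](($_.NotAfter - $_.NotBefore).TotalDays)
        $remaining = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
        $state = if ($remaining -lt 0) {
            'EXPIRED'
        } elseif ($remaining -le $WarnDays) {
            'EXPIRING'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Subject      = $_.Subject
            Thumbprint   = $_.Thumbprint
            # Heuristic: subject equals issuer for a self-signed certificate.
            SelfSigned   = ($_.Subject -eq $_.Issuer)
            LifetimeDays = $lifetime
            NotAfter     = $_.NotAfter
            DaysLeft     = $remaining
            State        = $state
        }
    } | Sort-Object DaysLeft
}

# Example call (the store name is a placeholder):
# Get-ControllerCertStatus -StoreName '<store name>' | Format-Table -AutoSize
```

Entries reported as EXPIRING with a lifetime of about 30 days are the temporary certificates that should be replaced by one of the long-term solutions listed in the hint.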

Installing a controller certificate for encrypted communication via the PLC shell of the device editor

Choose this less convenient method when the CODESYS Security Agent is unavailable to you. In this case, you can set up a certificate with a more long-term validity period for communication encryption on the PLC Shell tab of the device editor.

Requirement: You are connected to the controller.

  1. First, check whether a qualified certificate is already on the controller. If no certificate is available, then create a new certificate.

    Open the device editor by double-clicking the controller in the device tree, and select the PLC Shell tab.

    ⇒ The tab appears with a blank display window. Below that is a command line.

  2. Type the following command in the command line: cert-getapplist.

    ⇒ All used certificates are listed. The list includes information about the runtime component and whether or not the certificate is available.

  3. If a certificate still does not exist for the component CmpSecureChannel, then type the following command in the input line:

    cert-genselfsigned <number of the component in the applist>

  4. Click the Log tab and then the refresh button.

    ⇒ The display shows whether or not the certificate was generated successfully.

  5. Change back again to the PLC Shell tab and type the command cert-getapplist.

    ⇒ The new certificate for the component CmpSecureChannel is displayed.

  6. In the next two steps, activate encrypted communication in the security screen of CODESYS.

  7. Open the Security Screen by double-clicking in the status bar.

  8. On the User tab, select the Enforce encrypted communication option in the Security Level group.

    ⇒ The communication to all controllers is encrypted. If there is not a certificate on a controller, then you cannot log in to it.

    The connecting line between the development system, the gateway, and the controller is displayed in yellow on the Communication Settings tab of the device editor of the controller.

  9. As an alternative to the Enforce encrypted communication option which applies to all controllers, you can also define encrypted communication for specific controllers only. To do this, select the Communication Settings tab in the editor of the respective controller. Then click Encrypted Communication in the Device list box.

    ⇒ The communication to this controller is encrypted. If there is not a certificate on the controller, then you cannot log in to it.

    The connecting line between the development system, the gateway, and the controller is displayed in yellow on the Communication Settings tab of the device editor of the controller.

  10. When you log in to the controller for the first time, a dialog opens with information that the certificate of the controller is not signed by a trustworthy authority. In addition, the dialog displays information about the certificate and prompts you to install it as a trustworthy certificate in the local store in the Controller Certificates folder.

    When you confirm the dialog, the certificate is installed in the local store and you are logged in to the controller.

    In the future, communication with the controller will be encrypted automatically with this controller certificate.

  11. To increase security for key exchange for controllers < V3.5.13.0, you can generate Diffie-Hellman parameters on the controller. To do this, type the command cert-gendhparams in the input line.

    This is no longer required for controllers >= V3.5.13.0.

    Hint

    Caution: Generating the Diffie-Hellman parameters can take several minutes or even several hours. However, this process has to be executed only once for each controller. The Diffie-Hellman parameters increase the security of the key exchange and protect against future attacks on recorded encrypted data.

Changing the communication policy (encryption, user management)

Requirement: The connection to the device is established.

  1. In the device tree, double-click the controller.

    ⇒ The device editor opens.

  2. Click the Communication Settings tab.

  3. Open the Device menu in the header of the editor. Click Change Communication Policy.

    ⇒ The Change Communication Policy dialog opens.

  4. In the upper part of the dialog, you can toggle between the Optional encryption, Enforced encryption, and No encryption settings.

  5. In the lower part of the dialog, you can toggle between the Optional user management and Enforced user management settings.

Enabling and disabling enforced encrypted communication

Requirement: The device supports encrypted communication.

  1. In the device tree, double-click the controller.

    ⇒ The device editor opens.

  2. Click the Communication Settings tab.

  3. Open the “Device” menu in the header of the editor. Click Encrypted Communication. The status toggles between enabled and disabled.

    ⇒ If the Encrypted communication option is selected, then the connection line between the development system, the gateway, and the device is highlighted in the editor in bold and in color in the graphical representation.
