2. Basic Security Features of OPC
• OPC DA
  • Secured by default by DCOM settings
  • DCOM users dictate the users and logins
  • Not firewall friendly
• OPC UA
  • Secured by RSA certificate exchange
  • User authentication can be enabled
  • Firewall friendly
• Kepware Security Plugin
  • Enhances security by restricting permissions on the objects residing inside Kepware
3. Security Policies Plug-In
• Organize security access permissions for user groups
• Apply security access permissions to individual objects (such as channels, devices, and tags)
• Allow/Deny Dynamic Tag addressing
• Enable/Disable anonymous login for UA Client Sessions
• Allow/Deny Browsing of the project namespace
• Assign Read Only, Read/Write, or No Access permissions to the following categories of tags:
  • I/O Tags
  • System Tags
  • Internal Tags
4. Assigning Users for Kepware configuration
• Create and assign users instead of using the default administrator to protect your server configurations
• Under Runtime > Options, enable show user login
5. Security Plugin Access
• Right click the admin icon on the system tray bar > Security Policies
• Allows configuration of both dynamic and static (I/O) tags
6. Demo System Overview for OPC UA bridging
[Diagram labels: 3rd Party OPC DA Server (×2), Kepware (×2), OPC UA Client (×2), Security Plugin (×2), OPC DA Channel 1, OPC DA Channel 2, 3rd Party OPC UA Client]
• OPC DA Channel 1 & 2 redundant via MLR
• Security Plugin restricts access and hides tags
• 3rd Party OPC UA Client handles the swingovers
7. Grouping the level of security for the Tags
• After collecting the tags from the 3rd Party OPC DA Server, group the data ideally in the following manner:
  • LockedTags: Tags which you don’t want anyone using the server to alter
  • PrivateTags: Tags that are only for your eyes
  • PublicTags: Tags that other OPC Clients are allowed to view
• Alternatively, you may do a 1 to 1 permission setting
8. Accessing the security plugin
• To configure the access levels for the clients, right click the administrator logo > Settings > Security Policies
9. Restricting Dynamic Tag creation
• In OPC, there are 2 kinds of tags: Static tags and Dynamic tags.
• Static Tags refer to predefined memory addresses on the OPC Server.
• Dynamic Tags refer to tags that can be created on the fly using the OPC Clients.
• Denying access to this removes that capability from the OPC Clients.
Click apply after closing this window
10. Restricting Static Tag access
• To hide or limit the tags, point to the group or the specific tag and deny access to it.
Click apply after closing this window
12. Verification for OPC DA and OPC UA
• OPC DA unable to see the tags
• OPC UA able to browse but unable to import.
13. Managing and creating users
• Manage and create users under the User Manager tab next to Security Policies
• Restrict the browsing capabilities of OPC UA or DA Clients under Anonymous clients -> Data Client
• This completely removes the clients' browsing capabilities.
14. OPC UA user login
• By adding the user and password to the UA Client, the browsing capability is reinstated
• Removing browsing capabilities implies that the user cannot see anything on the OPC UA Server
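The grouping from slide 7 and the restrictions from slides 9 to 13 can be written down as a baseline and checked against a documented policy. This is an added example, not Kepware code or part of the original deck: the dictionary layout, the "Operators" group, and the `audit_policy` function are assumptions for illustration, and the plug-in itself is configured through its GUI. The baseline applies to data-client groups other than the tag owner's own.

```python
# Hypothetical model of a Security Policies setup; not Kepware's file format or API.
NO_ACCESS, READ_ONLY, READ_WRITE = "No Access", "Read Only", "Read/Write"
RANK = {NO_ACCESS: 0, READ_ONLY: 1, READ_WRITE: 2}

# Most permissive access a data-client group should hold per tag group, following
# the deck: Locked = nobody alters, Private = hidden, Public = view only.
BASELINE = {"LockedTags": READ_ONLY, "PrivateTags": NO_ACCESS, "PublicTags": READ_ONLY}


def audit_policy(policy):
    """Return a sorted list of findings where `policy` is looser than the baseline."""
    findings = []
    for group, cfg in policy.items():
        if cfg.get("dynamic_addressing", False):
            findings.append(f"{group}: dynamic tag addressing is allowed")
        if group == "Anonymous Clients":
            if cfg.get("browse", False):
                findings.append(f"{group}: namespace browsing is allowed")
            if cfg.get("ua_anonymous_login", False):
                findings.append(f"{group}: anonymous UA login is enabled")
        for tag_group, limit in BASELINE.items():
            # A missing entry is treated as Read/Write so gaps are reported, not hidden.
            granted = cfg.get("tags", {}).get(tag_group, READ_WRITE)
            if RANK[granted] > RANK[limit]:
                findings.append(
                    f"{group}: {tag_group} is {granted}, expected at most {limit}")
    return sorted(findings)


# Constructed sample policy: "Operators" is an invented user group.
SAMPLE_POLICY = {
    "Anonymous Clients": {
        "browse": True, "ua_anonymous_login": False, "dynamic_addressing": False,
        "tags": {"LockedTags": NO_ACCESS, "PrivateTags": NO_ACCESS,
                 "PublicTags": NO_ACCESS},
    },
    "Operators": {
        "browse": True, "dynamic_addressing": True,
        "tags": {"LockedTags": READ_WRITE, "PrivateTags": NO_ACCESS},  # PublicTags unset
    },
}

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY):
        print(line)
```

Keeping such a baseline next to the project makes it possible to re-check the settings after each change in the Security Policies window.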
15. Product Support
• Local Phone and Email
• Demo and proof of concepts
• Local engineering and sales support
• Your local representative:
Support team with extensive industry knowledge and experience.
Available via phone, email and web request.
Utilize documents, conversations and remote access to fix issues.
License Recovery from Server Hardware Failure
Knowledge base available 24 hours a day, 7 days a week via web access.