Kaspersky IoT Secure Gateway 100

Special considerations for the configuration of data acquisition using the OPC UA protocol

Kaspersky IoT Secure Gateway 100 does not establish a connection in the following cases:

• The server does not have a certificate, and an unsafe connection is not allowed.
• The trustList parameter lacks a server certificate, and the AllowAll value is not set.
• The client certificate, server certificate or keys do not comply with the settings of the selected security policy.

The OPC UA server and client establish an unsafe connection in the following cases:

• The null value is set for the security and userCredentials settings blocks (and the server supports this type of connection).
• The Any value is set for the mode and policy fields (and the server offers the choice for an unsafe connection).

Any weakening of the security settings reduces the security of the connection. For example, the following settings reduce the security of a connection over the OPC UA protocol:

• Use of the null value for the security settings block will result in the use of a connection without encryption and without a signature.
• Use of the AllowAll value for the trustList field disables server certificate verification.
• Use of the null value for the userCredentials settings block disables the capability to connect to a server by using a login and password.
• Use of the Basic128Rsa15 or Basic256 values for the policy field of the OPC UA v.1.4 protocol specification is considered to be obsolete because the SHA-1 hashing algorithm is no longer considered to be secure.
• Use of the None value for the policy or mode fields will result in the following:
  • Use of a connection without encryption and without a data signature
  • Transmission of a plaintext password to the server.
• Use of the Any value for the policy or mode fields may result in the use of an unencrypted connection without a signature if this option is offered by the server as the priority option.