Kaspersky IoT Secure Gateway 100
2.0
English

Contents

Configuring a connection over the OPC UA protocol

Kaspersky IoT Secure Gateway 100 receives data from the OPC UA server residing within the internal enterprise network over the OPC UA protocol, which is described by the

OPC Unified Architecture
specification. You can read about the OPC UA protocol specification on the developer's website. Kaspersky IoT Secure Gateway 100 supports OPC UA protocol version 1.04.

In this Help section

Securing a connection over the OPC UA protocol

Configuring data acquisition over the OPC UA protocol

Parameters description in the OpcUaClientSettings-0.json configuration file

Special considerations when configuring OPC UA security settings
Page top
[Topic 224290]

Securing a connection over the OPC UA protocol

To use a secure connection between the OPC UA client and the OPC UA server:

  1. Copy the OPC UA client
    certificate
    to the directory /app/Core/pki/certs/transfer/opc_ua/client on the HW-IDS partition of the microSD card.
  2. Copy the OPC UA server certificate to the directory /app/Core/pki/certs/transfer/opc_ua/client on the HW-IDS partition of the microSD card.
  3. Copy the private
    encryption key
    of the OPC UA client to the directory /app/Core/pki/private/transfer/opc_ua/client on the HW-IDS partition of the microSD card.

Data can also be transmitted over the OPC UA protocol without using an encrypted connection. However, a secure connection between the OPC UA client and the OPC UA server cannot be ensured without encryption. It is not recommended to use an unsecured operating mode for Kaspersky IoT Secure Gateway 100.

Page top
[Topic 240930]

Configuring data acquisition over the OPC UA protocol

To configure data acquisition using the OPC UA protocol:

  1. Create the OpcUaClientSettings-0.json configuration file.
  2. In the OpcUaClientSettings-0.json file, specify the OPC UA settings and their values in accordance with JSON syntax.
  3. Put the configuration file into the directory /app/Core/config/transfer/opc_ua/client on the HW-IDS partition of the microSD card.

Sample configuration file:

OpcUaClientSettings-0.json

{

"id": 0,

"name": "Kaspersky IoT Secure Gateway 100 OPC UA Client",

"description": "Collects data from CNC by Kaspersky IoT Secure Gateway 100",

"url": "opc.tcp://192.168.177.7:4840",

"readingCycle": 1,

"security": {

"mode": "SignAndEncrypt",

"policy": "Basic256Sha256",

"clientPkiData": {

"certificate": "opc-ua-client.crt",

"privateKey": "opc-ua-client.key"

},

"trustList": ["opc-ua-server.crt"]

},

"userCredentials":

{

"username": "KISG100",

"password": "0R20jN#yZd~zaLKe?2J#@~|YC"

},

"heartbeat": {

"id": 0,

"name": "Heartbeat",

"timeout": 60

},

"nodes": [

{

"id": 1,

"name": "Temperature",

"nodeId": "ns=1;s=VariableTemperature"

},

{

"id": 2,

"name": "Speed",

"nodeId": "ns=2;i=2045"

}

]

}

To edit files in JSON format, we recommend using a text editor that supports JSON syntax highlight. This will help avoid potential errors (for example, unbalanced braces).

Page top

[Topic 240931]

Parameters description in the OpcUaClientSettings-0.json configuration file

The required parameters should be explicitly defined. The other parameters are optional. For optional parameters that are not included in the configuration file, the default value prescribed by the OPC UA protocol may be used.

Parameters in the OpcUaClientSettings-0.json file

Parameter name

Required parameter

Description

Possible values and notes

id

Yes

ID of the OPC UA client that receives data from the OPC UA server.

0.

The value of this parameter must match the value of the receivingHubId parameter in the GuideSettings-0.json configuration file.

name

Yes

Name of the OPC UA client that receives data from the OPC UA server.

<OPC UA client name>.

Example: Kaspersky IoT Secure Gateway 100 OPC UA Client.

description

 

Description of the OPC UA client that receives data from the OPC UA server.

<OPC UA client description>.

Example: Collect data from CNC by Kaspersky IoT Secure Gateway 100.

url

Yes

OPC UA server address.

<network protocol>://<host>:<port>.

Example: opc.tcp://192.168.177.7:4840.

Port 4840 is used by default.

readingCycle

No

Gateway data read frequency (in seconds).

1.

Integer no less than 0.

0 is a special value signifying the use of the maximum frequency available to the client and server.

security

Yes

OPC UA client security parameter
block. Contains the mode, policy, and trustList parameters, and the clientPkiData parameter block.
  • {mode, policy, clientPkiData, trustList} parameter block.
  • null.

The security parameter block is used to configure the communication modes, security policies, utilized certificates and encryption keys for the

digital signature
and data
encryption
.

If you do not need to configure the security parameters, enter null in the security block. The security mode will be set to None in this case.

mode

No

Mode for managing the security of the client application connection.
  • Sign mode means that the connection requires a digital signature for data.
  • SignAndEncrypt mode means that the connection requires both a digital signature and data encryption.
  • None mode means that the connection does not require a digital signature or data encryption. It is not recommended to use this mode because it does not ensure a secure connection between the OPC UA client and the OPC UA server.
  • Any mode means that the connection will use any of the listed modes that are supported by the server: Sign, SignAndEncrypt, None.

policy

No

Name of the

security policy
used on the OPC UA server.
  • Basic128Rsa15
  • Basic256
  • Basic256Sha256
  • None
  • Any policy means that any of the listed policies can be used (if supported by the server).

The None security policy is the most compatible with various types of data sources for an OPC UA connection.

clientPkiData

No

Parameter block containing the certificate and private encryption key of the OPC UA client for an encrypted connection.

{certificate, privateKey} parameter block.

The clientPkiData parameter block must be completed even if the None value is set for the mode and policy fields.

For secure communication over OPC UA, you will need to create a private encryption key and certificate and add them to the client and server configuration. When generating certificates for a connection between a client (Kaspersky IoT Secure Gateway 100) and the OPC UA server, make sure that the certificates comply with the following requirements:

  • The settings of encryption keys and certificates are compliant with the selected security policy.
  • DER or PEM format is used for certificates and encryption keys of the client.
  • For the client certificate, the Subject Alt Name field contains the value URI:urn:aprotech:KISG100:OpcUaClient.

certificate

No

Certificate file name.

opc-ua-client.crt.

privateKey

No

Private encryption key file name.

opc-ua-client.key.

trustList

No

Array containing the names of trusted certificate files.
  • [opc-ua-server.crt] – one or more names of trusted certificate files for the OPC UA server.
  • AllowAll – allows a connection to the OPC UA server without verifying its certificate.

If the OPC UA server configuration prescribes the use of a custom list of trusted certificates, add the client certificate to this list. If certificate verification is not required, enter the AllowAll value for this parameter.

userCredentials

No

Parameter block containing the account credentials of the OPC UA client on the OPC UA server.
  • {username, password} parameter block containing the user account credentials.
  • null is indicated if you want to allow an anonymous connection of the OPC UA client to the OPC UA server. In this case, you do not need to provide values for the username and password.

username

No

Name of the user account for authorization on the OPC UA server.

<username>.

password

No

Password of the user account for authorization on the OPC UA server.

<password>.

heartbeat

No

This parameter block is generated by the OPC UA client. It contains the parameters for the Kaspersky IoT Secure Gateway 100 heartbeat signal.
  • {id, name, timeout} parameter block.
  • null.

If you do not add the heartbeat parameter or if you enter the null value, heartbeat signals will not be sent.

id

No

Data node ID.

0.

name

No

Data node name.

<heartbeat node name>.

Example: Heartbeat.

timeout

No

Interval (in seconds) between the generation of heartbeat signals.

60.

An integer no less than 0 must be entered. The default value is 30.

nodes

Yes

Parameter block for data nodes.

{id, name} parameter block.

Completed for each data node. The ID and name of data nodes are required for building routes and transmitting data from the OPC UA server to the

MQTT broker
.

id

Yes

ID of the outbound port.

<id>.

name

Yes

Name of the outbound port. This name must match the destination port name of one of the

MQTT topics
indicated in the topics parameter block in the MqttPublisherSettings-0.json configuration file.

<node name>.

Example: Temperature.

To correctly transfer data from the OPC UA server to the MQTT broker, you need to map the OPC UA

data nodes
to their corresponding MQTT topics. The name value is used for mapping.

 

nodeId

Yes

Data node ID.

<namespace>, <nodeID>.

ns

Yes

ID of the OPC UA server namespace.

<namespace>.

nodeId

Yes

ID of the data node in the OPC UA server namespace.

<nodeID>.

Two types of IDs are possible:

  • s (string) – string value for the data node ID. For example, "nodeId": "ns=1;s=Variable temperature".
  • i (numeric) – numerical value for the data node ID. For example, "nodeId": "ns=2;i=2045".

Page top

[Topic 240932]

Special considerations when configuring OPC UA security settings

Kaspersky IoT Secure Gateway 100 does not establish a connection over the OPC UA protocol in the following cases:

  • The server does not have a certificate, and an unsafe connection is not allowed.
  • The trustList parameter lacks a defined server certificate, and the AllowAll value is not set.
  • The client certificate, server certificate or encryption keys do not comply with the settings of the selected security policy.

The OPC UA server and client establish an unsafe connection in the following cases:

  • The null value is set for the security and userCredentials settings blocks, and the server supports this type of connection.
  • The Any value is set for the mode and policy fields, and the server offers the choice for an unsafe connection.

Any weakening of the security settings reduces the security of the connection. For example, the following settings reduce the security of a connection over the OPC UA protocol:

  • Use of the null value for the security settings block will result in the use of a connection without encryption and without a signature.
  • Use of the AllowAll value for the trustList field disables server certificate verification.
  • Use of the null value for the userCredentials settings block disables the capability to connect to a server by using a username and password.
  • The Basic128Rsa15 and Basic256 values for the policy field are considered to be obsolete in the OPC UA version 1.4 protocol specification because the SHA-1 hashing algorithm is no longer considered to be secure.
  • Use of the None value for the policy or mode fields will result in the following:
    • use of a connection without encryption and without a data signature;
    • transmission of a plaintext password to the server.
Page top
[Topic 240935]