Ecostruxure Process Expert [2021] Compatibility issue of OPC UA and OPC DA configuration on the same machine
This knowledge base explains the user on why the OPC UA and OPC DA is not recommended to configure on the same machine.
By default, Plant SCADA operates under the virtual user account (VSA) NT SERVICE\Citect Runtime Manager when running as a service. However, an OPC DA server uses specific DCOM settings that are not compatible with this VSA. To support this functionality at runtime, OPC DA server will have to be run as a service under a specific interactive user account.
However, to setup an OPC UA server, encryption has to be enabled. The OPC UA server needs to be run as a low privilege VSA to create encrypted outgoing connections using the PCS based certificates. When encryption is enabled, the OPC DA server cannot be run as an interactive user as it needs to access the private key of the certificate required for encryption. This causes the OPC DA server to stop if it runs as an interactive user. Permission to read the certificate cannot be granted to the interactive user and doing so, would introduce a potential security flaw. Because of these sharp contrast in the requirements, it is not recommended to configure OPC DA server and OPC UA server on the same machine.
The suggested workaround is to configure the OPC UA and OPC DA servers on different machines.
This is applicable to all versions of Plant Scada/Citect SCADA.
By default, Plant SCADA operates under the virtual user account (VSA) NT SERVICE\Citect Runtime Manager when running as a service. However, an OPC DA server uses specific DCOM settings that are not compatible with this VSA. To support this functionality at runtime, OPC DA server will have to be run as a service under a specific interactive user account.
However, to setup an OPC UA server, encryption has to be enabled. The OPC UA server needs to be run as a low privilege VSA to create encrypted outgoing connections using the PCS based certificates. When encryption is enabled, the OPC DA server cannot be run as an interactive user as it needs to access the private key of the certificate required for encryption. This causes the OPC DA server to stop if it runs as an interactive user. Permission to read the certificate cannot be granted to the interactive user and doing so, would introduce a potential security flaw. Because of these sharp contrast in the requirements, it is not recommended to configure OPC DA server and OPC UA server on the same machine.
The suggested workaround is to configure the OPC UA and OPC DA servers on different machines.
This is applicable to all versions of Plant Scada/Citect SCADA.
פורסם עבור: שניידר אלקטריק ישראל
