Initialization

Starting with setup version 4.4.0, the TwinCAT OPC UA Server requires an initialization phase, which is based on the TOFU principle (Trust On First Use). This means that the server must be actively initialized by the user so that it can be used for its various functions (Data Access, Historical Access, etc.).

By default, the server allows clients to establish an unauthenticated connection ("Anonymous"). The one-time TOFU initialization now requires the configuration of an operating system user that an OPC UA client must subsequently use to successfully log on to the server.

For this purpose, the server provides only a special initialization namespace in the uninitialized state. This namespace contains an object "Initialization" with a method "TrustOnFirstUse".

Initialization 1:

The method defines the following input/output parameters:

Initialization 2:

Parameter: Description

[in] Username:
Username for the operating system user to be created. If the user already exists, the server attempts to perform a test login with the specified password and, if successful, transfers the existing user to its security configuration.

[in] Password:
Password for the operating system user.
The password is not stored in the server configuration; it exists only in the user database of the operating system. Note that the password requirements may depend on the security settings of the operating system (keyword "complex passwords").

[out] AddStatus:
Indicates whether the creation of the operating system user was successful or whether the user already exists.

[out] LogonResult:
Indicates whether the server was able to log in to the operating system with the specified username/password combination. If the user already exists, this is a good way to check whether you have entered the wrong password.

[out] OPC UA Status Code:
The regular OPC UA Status Code returned when calling a method. If the method has been called successfully at the OPC UA level, this status code returns GOOD, otherwise BAD.

The server is initialized by calling this method. The method attempts to create the specified user in the operating system underlying the server. If this is successful, the user is automatically added to the security configuration (TcUaSecurityConfig.xml) of the server and defined as server administrator. After an automatic restart of the server at the end of the method call, an OPC UA client can then log on to the server with this user.

If a specified user already exists in the operating system, this is indicated by an output parameter (AddStatus). In this case, the server attempts to log on to the operating system with the specified password. If this logon process is successful, the user is entered in the server's security configuration and the initialization is successfully completed by an automatic restart of the server. If the logon to the operating system fails (e.g. because the wrong password was entered), this is indicated by an output parameter (LogonResult) and the initialization is not continued. This prevents you from accidentally trying to initialize the server with a wrong username/password combination and thus "locking yourself out".
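The method call described above, and the manual UA Expert steps further down, as an added example that is not Beckhoff's code: a Python client locates the Initialization object and the TrustOnFirstUse method by browse name (the node ids of the initialization namespace are not given here), calls the method over an anonymous session and maps AddStatus/LogonResult to the documented outcomes, including the "user exists, wrong password" case. It assumes the python-opcua package for the real call and that both output parameters are truthy on success; the FakeNode server below is a constructed offline stand-in.

```python
import types

def find_child(node, name):
    """Return the child of `node` whose browse name is `name`, or None."""
    for child in node.get_children():
        if child.get_browse_name().Name == name:
            return child
    return None

def interpret(add_status, logon_result):
    """Map the outputs to the documented outcome. Assumption: AddStatus is truthy
    when the user was newly created, LogonResult truthy when the test logon worked."""
    if logon_result:
        how = "user created" if add_status else "existing user adopted"
        return True, how + "; server restarts, anonymous access is now disabled"
    return False, "test logon failed (wrong password?); server stays uninitialized"

def run_tofu(objects_node, username, password):
    """Locate Initialization/TrustOnFirstUse below the Objects folder and call it."""
    init_obj = find_child(objects_node, "Initialization")
    if init_obj is None:
        return None, "no Initialization object: server is already initialized"
    method = find_child(init_obj, "TrustOnFirstUse")
    add_status, logon_result = init_obj.call_method(method, username, password)
    return interpret(add_status, logon_result)

def trust_on_first_use(endpoint, username, password):
    """Real call over an anonymous session, the only kind an uninitialized server allows."""
    from opcua import Client  # lazy import: the offline stand-in below needs no package
    client = Client(endpoint)
    client.connect()
    try:
        return run_tofu(client.get_objects_node(), username, password)
    finally:
        try: client.disconnect()
        except Exception: pass  # the server restarts right after a successful call

OS_USERS = {"existing": "Correct#Pw1"}  # constructed OS user database for the stand-in
def fake_tofu_method(username, password):
    """Mimics the documented behaviour: create the user if absent, else test-login."""
    if username in OS_USERS:
        return [False, OS_USERS[username] == password]  # exists; logon may fail
    OS_USERS[username] = password
    return [True, True]
class FakeNode:
    def __init__(self, name, children=(), handler=None):
        self.name, self.children, self.handler = name, list(children), handler
    def get_children(self): return self.children
    def get_browse_name(self): return types.SimpleNamespace(Name=self.name)
    def call_method(self, method, *args): return method.handler(*args)
FAKE_OBJECTS = FakeNode("Objects", [FakeNode("Initialization",
               [FakeNode("TrustOnFirstUse", handler=fake_tofu_method)])])
```

Against a real server, `trust_on_first_use("opc.tcp://<host>:4840", "MyOpcUaServerUser", "<password>")` performs the same call; after a successful result the client has to reconnect with that user, since anonymous access is gone.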

Initialization 3:

Expiration of a user password

When the OPC UA server creates an operating system user, it does not explicitly set the "password never expires" option for this user. Instead, the settings of the operating system apply, where the maximum password age is defined in the password policies. If the maximum password age is set to 0, passwords do not expire; otherwise they expire after the number of days specified in the operating system.

The following diagram illustrates this process once again in a highly simplified form:

Initialization 4:

After restarting the server, an OPC UA client must use the operating system user used for initialization for authentication when establishing a connection.

The following screenshots show the entire process using the OPC UA client "UA Expert" as an example. In this example, we assume that the user does not yet exist in the operating system and is therefore created by the server.

Step 1: OPC UA Client connects to the server for the first time

The server has been installed and UA Expert connects to the server for the first time. Anonymous access can still be used for this connection.

Initialization 5:

After the connection has been established, the initialization object together with the TrustOnFirstUse method can be found in the server's address space.

Initialization 6:

Step 2: OPC UA Client starts TrustOnFirstUse

The TrustOnFirstUse method can be called via any OPC UA client, e.g. the UA Expert. However, Beckhoff's own configuration tools also allow the use of this initialization interface. The TwinCAT OPC UA Configurator (standalone or Visual Studio integrated) automatically detects an uninitialized server when a connection is established and enables initialization via a corresponding configuration interface:

Initialization 7:

The following steps show the same process as it can be done manually e.g. in the UA Expert software:

In the UA Expert, the TrustOnFirstUse method is called to create a user and configure the server for this user. "MyOpcUaServerUser" was used as the username in this example. The password must meet the complexity requirements of the operating system, otherwise the initialization will fail. The following screenshot shows the successful call of the method.

Initialization 8:

The parameter AddStatus indicates that the user was successfully created in the operating system's user database. The parameter LogonResult indicates that an initial test authentication of the server with the specified user information was successful.

The server restarts automatically after this successful method call.

Step 3: OPC UA client logs on to the initialized server

Initialization 9:

Username/password disables anonymous access

Please note that the UA Expert cannot automatically reconnect to the server after the method call, because the anonymous access has been disabled and from now on the logon must be done using the specified username.

Initialization 10:

Once the connection has been established, the regular namespaces and objects can be found again in the server's address space and the configuration of the application can begin.

Initialization 11:
Initialization 12:

Permissions of the TOFU user

The user configured by the TOFU mechanism has full access to the server, which may not be desirable. Beckhoff therefore recommends creating an explicit user for pure data access in the next step, see Recommended steps.