Recommended steps

After the initial commissioning, Beckhoff recommends that you pay attention to the following points to further configure the server and ensure a stable and secure operating environment.

Data Access

Data Access is the OPC UA function that exposes symbols in the server's address space and provides read/write access to them. In the TwinCAT OPC UA Server, the configuration of Data Access devices is an elementary component and the basis for all further functionality. We therefore recommend reading the chapter on Data Access as the next step; it also describes how to establish the connection to the TwinCAT runtime.

Only use secure IdentityTokens

The one-time initialization of the server disables the IdentityToken "Anonymous". For security reasons, you should leave it disabled. The server should only be accessed by authenticated client applications, e.g. using the username/password authentication that the initialization configures by default.

Creation of a user for pure data access

The aforementioned initialization of the server configures a user for access to the server and then disables anonymous access to the server. The configured user has full access to all objects in the server namespace. In most application scenarios, this is not desired and the administrator user should be separated from the application user.

Beckhoff therefore recommends configuring an additional, dedicated user who is given the necessary permissions to access variables on a Data Access device, but who is not allowed to access the configuration namespace. This setting can be made via the configurator by adding a new user who is assigned to the "Users" group.

[Screenshot: Recommended steps 1]
[Screenshot: Recommended steps 2]

The newly configured user then has the permissions needed to access TwinCAT variables and to read the type system, but cannot change the configuration of the server. Note that if you use the authentication provider "OS", the user must also exist in the operating system, i.e. you have to create it there as well.

Notice

Leave insecure endpoints disabled

  • Endpoints classified as insecure are not offered by the TwinCAT OPC UA Server by default. They can be made available via a configuration switch; Beckhoff does not recommend this.
  • Only use endpoints that are currently considered secure.
  • Observe and follow the other security-relevant recommendations in this section.

The following screenshot shows you how to enable older server endpoints in the TwinCAT OPC UA Configurator.

[Screenshot: Recommended steps 3]

You can then add the insecure endpoints back to the server configuration, for example via the context menu in the configurator in the "Security Settings" area:

[Screenshot: Recommended steps 4]

The None/None endpoint (security policy None, message security mode None) is already disabled in the delivered server. For security reasons, Beckhoff recommends that you also leave this endpoint disabled and only allow access to the server via a secure endpoint. If required, the None/None endpoint can be added back to the server configuration using the method described above.
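The recommendations above translate into a check a client can run before it connects: ask the server for its endpoints and refuse anything that uses security policy None, a deprecated SHA-1 based policy, message security mode None, or that accepts the Anonymous IdentityToken. The following Python is an added example, not Beckhoff code and not part of the TwinCAT OPC UA Server. The endpoint records are constructed by hand to mirror the fields of an OPC UA EndpointDescription (endpointUrl, securityPolicyUri, securityMode, userIdentityTokens); a real client would obtain them from a GetEndpoints call. The host name plc-1 and the endpoint list itself are assumptions.

```python
"""Audit the endpoints an OPC UA server offers and pick the strongest one.

Added example, not part of the Beckhoff documentation or the TwinCAT OPC UA
Server. The endpoint records below are constructed to mirror the fields of an
OPC UA EndpointDescription; in practice they come from GetEndpoints.
"""

# Security policy URIs as defined in OPC UA Part 7.
PFX = "http://opcfoundation.org/UA/SecurityPolicy#"

# Policies currently considered secure, ranked from weakest to strongest.
# None, Basic128Rsa15 and Basic256 are deliberately absent: None offers no
# protection and the other two rely on SHA-1 and are deprecated.
SECURE_POLICY_RANK = {
    PFX + "Basic256Sha256": 1,
    PFX + "Aes128_Sha256_RsaOaep": 2,
    PFX + "Aes256_Sha256_RsaPss": 3,
}

# MessageSecurityMode enumeration (OPC UA Part 4).
MODE_NAMES = {1: "None", 2: "Sign", 3: "SignAndEncrypt"}
MODE_SIGN_AND_ENCRYPT = 3

# UserTokenType enumeration (OPC UA Part 4): Anonymous=0, UserName=1, Certificate=2.
TOKEN_ANONYMOUS = 0


def short_policy(uri):
    """'http://...#Basic256Sha256' -> 'Basic256Sha256'."""
    return uri.rsplit("#", 1)[-1]


def endpoint_label(ep):
    """Readable identifier such as 'opc.tcp://plc-1:4840 None/None'."""
    return (f'{ep["endpointUrl"]} '
            f'{short_policy(ep["securityPolicyUri"])}/{MODE_NAMES[ep["securityMode"]]}')


def endpoint_findings(ep):
    """Reasons why an endpoint should not be used (empty list = acceptable)."""
    findings = []
    policy = ep["securityPolicyUri"]
    if policy not in SECURE_POLICY_RANK:
        findings.append(f"security policy {short_policy(policy)} is not considered secure")
    if ep["securityMode"] not in (2, 3):
        findings.append("message security mode None: traffic is neither signed nor encrypted")
    if any(t["tokenType"] == TOKEN_ANONYMOUS for t in ep["userIdentityTokens"]):
        findings.append("Anonymous IdentityToken is accepted")
    return findings


def audit_endpoints(endpoints):
    """Return {label: findings} for every endpoint that should not be offered."""
    report = {}
    for ep in endpoints:
        findings = endpoint_findings(ep)
        if findings:
            report[endpoint_label(ep)] = findings
    return report


def choose_endpoint(endpoints):
    """Strongest acceptable endpoint: SignAndEncrypt first, then the strongest
    policy. Returns None if the server offers nothing a client should use."""
    acceptable = [ep for ep in endpoints if not endpoint_findings(ep)]
    if not acceptable:
        return None
    return max(acceptable, key=lambda ep: (ep["securityMode"] == MODE_SIGN_AND_ENCRYPT,
                                           SECURE_POLICY_RANK[ep["securityPolicyUri"]]))


def _ep(policy, mode, token_types, url="opc.tcp://plc-1:4840"):
    """Build a constructed EndpointDescription-like record (url is an assumption)."""
    return {"endpointUrl": url, "securityPolicyUri": PFX + policy,
            "securityMode": mode,
            "userIdentityTokens": [{"tokenType": t} for t in token_types]}


# Constructed sample: what a server with the legacy endpoints re-enabled might return.
SAMPLE_ENDPOINTS = [
    _ep("None", 1, [0, 1]),                  # None/None with Anonymous: should stay disabled
    _ep("Basic128Rsa15", 3, [1]),            # deprecated policy re-enabled via the switch
    _ep("Basic256Sha256", 2, [1]),           # acceptable, but Sign only
    _ep("Basic256Sha256", 3, [1]),
    _ep("Aes256_Sha256_RsaPss", 3, [1, 2]),  # the endpoint a client should use
]

if __name__ == "__main__":
    for label, findings in audit_endpoints(SAMPLE_ENDPOINTS).items():
        print(label)
        for finding in findings:
            print("  -", finding)
    print("connect via:", endpoint_label(choose_endpoint(SAMPLE_ENDPOINTS)))
```

Run against the constructed list, the audit reports the None/None endpoint (three findings) and the Basic128Rsa15 endpoint (deprecated policy), and selects Aes256_Sha256_RsaPss/SignAndEncrypt for the connection. A server that only offers the first two entries yields no acceptable endpoint, and the client should refuse to connect rather than fall back to None/None.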

Disable 'AutomaticallyTrustAllClientCertificates'

By default, to simplify commissioning, the server automatically trusts every client certificate, so no certificates have to be exchanged manually on the server side. While this setting is enabled, the encrypted endpoint still protects the connection, but the client certificate no longer restricts which applications may open a session. For security reasons, Beckhoff recommends disabling this setting. This can be done via the TwinCAT OPC UA Configurator, as shown in the following screenshot:

[Screenshot: Recommended steps 5]

After disabling this setting, the trust relationship must be established explicitly: the server only accepts client certificates that have been placed in its trusted certificate store, and the client in turn must trust the server certificate. Certificates from unknown clients are refused until an administrator has reviewed and trusted them.
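To make the effect of the setting concrete, the following Python models the decision a server makes when a client presents its application certificate, once with the commissioning default and once hardened. This is an added example, not Beckhoff code and not the TwinCAT OPC UA Server's implementation: the trusted and rejected stores are kept in memory, and the certificate "DER" blobs are constructed placeholder bytes rather than real X.509 certificates. Only the thumbprint convention (SHA-1 over the DER encoding) is taken from the OPC UA specification.

```python
"""Client-certificate trust check with and without automatic trust.

Added example, not Beckhoff code. Models the server-side decision for a
client certificate using in-memory trusted and rejected stores; the
certificate blobs are constructed placeholders, not real certificates.
"""
import hashlib


def thumbprint(cert_der: bytes) -> str:
    """OPC UA identifies a certificate by the SHA-1 hash of its DER encoding."""
    return hashlib.sha1(cert_der).hexdigest().upper()


class ClientCertificateValidator:
    def __init__(self, trusted_certs, automatically_trust_all=False):
        self.automatically_trust_all = automatically_trust_all
        self.trusted = {thumbprint(c): c for c in trusted_certs}
        self.rejected = {}  # certificates waiting for an administrator's review

    def validate(self, client_cert_der: bytes) -> bool:
        tp = thumbprint(client_cert_der)
        if self.automatically_trust_all:
            # Commissioning default: every certificate opens a channel, so the
            # certificate no longer identifies an approved client application.
            return True
        if tp in self.trusted:
            return True
        # Hardened behaviour: unknown certificates are recorded and refused
        # until an administrator moves them into the trusted store.
        self.rejected[tp] = client_cert_der
        return False

    def trust(self, tp: str) -> None:
        """Administrator action: move a reviewed certificate from rejected to trusted."""
        self.trusted[tp] = self.rejected.pop(tp)


# Constructed placeholders standing in for DER-encoded application certificates.
KNOWN_HMI_CERT = b"constructed DER: approved HMI client certificate"
UNKNOWN_CLIENT_CERT = b"constructed DER: certificate nobody has approved"


def demo():
    """Run both configurations against the same clients and return the outcomes."""
    lax = ClientCertificateValidator([KNOWN_HMI_CERT], automatically_trust_all=True)
    strict = ClientCertificateValidator([KNOWN_HMI_CERT], automatically_trust_all=False)
    outcome = {
        "lax_accepts_unknown": lax.validate(UNKNOWN_CLIENT_CERT),
        "strict_accepts_known": strict.validate(KNOWN_HMI_CERT),
        "strict_accepts_unknown": strict.validate(UNKNOWN_CLIENT_CERT),
        "strict_rejected_count": len(strict.rejected),
    }
    # The administrator reviews the rejected certificate and approves it.
    strict.trust(thumbprint(UNKNOWN_CLIENT_CERT))
    outcome["strict_accepts_after_trust"] = strict.validate(UNKNOWN_CLIENT_CERT)
    return outcome


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With automatic trust enabled the unknown client is accepted immediately; with the setting disabled it is refused, lands in the rejected store, and is only accepted after an administrator has explicitly trusted its thumbprint. That review step is the trust relationship the text above refers to.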