
  Authentication via Kerberos, basics


In an increasingly networked world, a WinCC OA system can be exposed to different types of attacks: an unauthorized WinCC OA system could connect to the Distribution Manager, or an attacker could try to manipulate WinCC OA messages.

To prevent eavesdropping and other attacks, measures have been developed to secure authentication and to protect WinCC OA systems. Kerberos-based authentication allows each WinCC OA component to verify the identity of another component: WinCC OA servers verify the identity of clients, and clients verify the identity of servers. In addition, Kerberos can ensure that messages are not modified during transmission (which also defeats capture-and-replay attacks), and messages can even be encrypted.

The Kerberos protocol is built on symmetric-key cryptography and requires a trusted third party, the Key Distribution Center (KDC). The identity of an entity (user, computer, component) is proven using tickets. A client passes a ticket issued by the KDC to the server; the server verifies the ticket and thus the identity of the client. At the client's request, the server sends proof of its own identity to the client, so that the client can verify the identity of the server.

Session keys are used for the communication between a client and a server: Kerberos generates a session key that secures the communication between the two. Messages sent over the connection are signed and can additionally be encrypted.

WinCC OA uses Service Principal Names (SPNs) of the form "WinCC_OA/<host>", where <host> is the fully qualified host name including the domain. The SPN may be registered on only one computer (the WinCC OA server). If you enable Kerberos under Windows, Pmon creates the SPNs itself, provided that Pmon runs as a service under the Local System account. Under Linux, you have to create the SPN yourself. For further information, see the chapter Requirements and configuration.
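The ticket exchange, mutual authentication, session key and message signing described above, as an added stand-alone Python model that is not WinCC OA's own code: a client obtains a ticket from the KDC for a server registered as WinCC_OA/<host>, the server verifies the ticket and authenticator (including replay detection), proves its own identity back to the client, and both sides then sign messages with the session key. The host name oa-server.example.com, the client name, the sample message and the sealing routine (a toy encrypt-then-MAC standing in for Kerberos' real encryption types) are assumptions made for this example.

```python
import hashlib, hmac, json, os, time
# Toy encrypt-then-MAC envelope standing in for Kerberos' encrypted parts (demo only, not a real cipher).
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

SPN = "WinCC_OA/oa-server.example.com"  # SPN format from the page; the host name is hypothetical
K_SERVER = os.urandom(32)               # server's long-term key, shared only with the KDC
_seen = set()                           # authenticators already accepted (replay detection)

def kdc_issue_ticket(client, spn):
    """KDC (trusted third party): ticket sealed under the server's key, plus the session key."""
    session_key = os.urandom(32)
    ticket = seal(K_SERVER, {"client": client, "spn": spn, "key": session_key.hex(), "exp": time.time() + 300})
    return ticket, session_key

def server_accept(ticket, authenticator):
    """Server: verify ticket and authenticator, then return proof of the server's own identity."""
    t = unseal(K_SERVER, ticket)
    if t["spn"] != SPN or t["exp"] < time.time():
        raise ValueError("ticket not valid for this service")
    session_key = bytes.fromhex(t["key"])
    a = unseal(session_key, authenticator)  # only the ticket's rightful client knows this key
    if a["client"] != t["client"] or abs(a["ts"] - time.time()) > 300 or (a["client"], a["ts"]) in _seen:
        raise ValueError("authenticator rejected (mismatched, stale or replayed)")
    _seen.add((a["client"], a["ts"]))
    return seal(session_key, {"ts": a["ts"]}), session_key

def sign(session_key, msg):  # integrity tag for a message once the session key is established
    return hmac.new(session_key, msg, "sha256").digest()

def run_exchange(client="ui@EXAMPLE.COM"):
    """Full exchange; returns (server verified by client, message tag verified, ticket, authenticator)."""
    ticket, sk = kdc_issue_ticket(client, SPN)
    auth = seal(sk, {"client": client, "ts": time.time()})
    proof, server_sk = server_accept(ticket, auth)
    msg = b"dpSet(System1:Pump.cmd, 1)"   # constructed sample message
    return (unseal(sk, proof)["ts"] == unseal(sk, auth)["ts"],
            hmac.compare_digest(sign(sk, msg), sign(server_sk, msg)), ticket, auth)
```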

Chapter                              | Description
Authentication via Kerberos, basics  | Introduction and links to other chapters.
Requirements and configuration       | Requirements and the steps necessary for using Kerberos-based authentication.
Config entries                       | Necessary config entries.


V 3.11 SP1

Copyright ETM professional control GmbH 2013 All Rights Reserved