Applications & Tools
Answers for industry.
Secure Remote Access to SIMATIC Stations with the S612 V3 via Internet and UMTS
Security with SCALANCE S612 V3, SCALANCE M875, SOFTNET Security Client, CP x43-1 Advanced V3
Application Description July 2012
RemoteAccess_Radio V3.0, Entry ID: 24960449
Copyright Siemens AG 2012. All rights reserved.
Siemens Industry Online Support

This document is taken from Siemens Industry Online Support. The following link takes you directly to the download page of this document: http://support.automation.siemens.com/WW/view/en/24960449

Caution: The functions and solutions described in this entry are mainly limited to the realization of the automation task. In addition, please note that suitable security measures in compliance with the applicable Industrial Security standards must be taken if your system is interconnected with other parts of the plant, the company's network or the Internet. More information can be found under entry ID 50203404: http://support.automation.siemens.com/WW/view/en/50203404

For further information on this topic, you may also actively use our Technical Forum in the Siemens Industry Online Support. Share your questions, suggestions or problems and discuss them with our strong forum community: http://www.siemens.com/forum-applications
SIMATIC Secure Remote Access Application Description

1 Task
2 Solution
3 Risk Minimization due to Security
4 Functional Details on FTPS Scenario
5 Installation of the Application
6 Configuration of the Hardware
7 Configuration of the Example Scenarios
8 Additional Instructions
9 Operating the Application
10 Literature
11 History
Warranty and Liability
Warranty and Liability
Note: The application examples are not binding and do not claim to be complete regarding configuration, equipment and any eventuality. The application examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of your responsibility to use sound practices in application, installation, operation and maintenance. When using these application examples, you recognize that we will not be liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these application examples at any time and without prior notice. If there are any deviations between the recommendations provided in this application example and other Siemens publications, e.g. catalogs, the contents of the other documents have priority.
We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change in the burden of proof to your disadvantage. It is not permissible to transfer or copy these application examples or excerpts thereof without express authorization from Siemens Industry Sector.
Preface

Objective of this application

This application demonstrates how a secure connection between a control center and one or several remote stations can be implemented and configured using the security components by Siemens. The following security components are available in the Siemens product portfolio:
• Security Module SCALANCE S
• The SOFTNET Security Client software
• PLC-CPs (CP x43-1 Advanced V3) with security functionality
• PC-CP (CP1628) with security functionality
• UMTS router SCALANCE M with security functionality
• EDGE/GPRS router MD741-1 with security functionality

Core topics of this application

The following core points are discussed in this application:
• Introducing the components used regarding use, functionality and configuration
• Integrating the components in an example: establishing secure connections between a central station and several remote stations
• Step-by-step explanation of the required configuration steps for implementing the example
Note: The projects and documents of the previous versions are located in the archive folder on the HTML page from which you have downloaded this document.
In the application V2.0 the following diagnostic scenarios are demonstrated:
• STEP 7 standard diagnostics
• STEP 7 program upload and download
• SIMOCODE Pro diagnosis via SIMATIC PDM
• SIMOCODE configuration via SIMATIC PDM upload and download
• OPC access
• HTML access to CP 343-1 Advanced pages
• Smart@Service accesses to a panel via HTTP/VNC
• SOAP accesses to a panel via HTTP
• WinCC project download via HTTP/VNC
SCALANCE S612, MD741-1 and the SOFTNET security client are used as security components.
Table of Contents

Warranty and Liability ..... 4
Preface ..... 5
1 Task ..... 8
1.1 Overview of the automation task ..... 8
1.2 Description of the automation task ..... 9
2 Solution ..... 10
2.1 Overview of the general solution ..... 10
2.2 Detailed hardware setup ..... 12
2.3 Description of the core function and scenarios ..... 15
2.3.1 Core function ..... 15
2.3.2 Scenarios ..... 15
2.4 Hardware and software components used ..... 18
3 Risk Minimization due to Security ..... 20
3.1 Conditions and requirements ..... 20
3.2 SIEMENS protection concept: Defense-in-Depth ..... 21
3.3 Introduction of the Security Modules ..... 22
3.3.1 SCALANCE S612 V3 ..... 22
3.3.2 CP 343-1 Advanced V3 ..... 24
3.3.3 SCALANCE M875 ..... 26
3.3.4 The SOFTNET Security Client ..... 29
3.4 Security Configuration Tool ..... 30
3.4.1 Configuration scheme ..... 30
3.4.2 Management of certificates ..... 32
3.4.3 User management ..... 35
4 Functional Details on FTPS Scenario ..... 37
4.1 General overview ..... 37
4.2 Functionality scenario A ..... 38
4.3 Functionality scenario B ..... 43
5 Installation of the Application ..... 45
5.1 Hardware installation ..... 45
5.2 Software installation ..... 47
6 Configuration of the Hardware ..... 48
6.1 Networking the components ..... 48
6.2 Adapting the IP addresses ..... 49
6.2.1 IP address of the service center ..... 49
6.2.2 IP address of the components ..... 50
6.3 Loading of the remote stations ..... 52
6.3.1 Remote Station 1 ..... 52
6.3.2 Remote Station 2 ..... 55
6.4 Commissioning of VPN tunnels ..... 57
6.4.1 Requirements ..... 58
6.4.2 Loading and exporting of SCT configuration ..... 59
6.5 Configuration of the SCALANCE M875 ..... 64
6.6 Configuration of the SCALANCE M873 ..... 70
6.7 Configuration of the SOFTNET Security Client ..... 74
6.8 Configuring the DSL Router ..... 76
6.9 Final configuration ..... 76
7 Configuration of the Example Scenarios ..... 77
7.1 Configuration of FTPS ..... 77
7.1.1 Basic configurations ..... 77
7.1.2 User-specific configuration ..... 79
7.2 Configuration of NTP (secure) ..... 81
7.2.1 Basic configuration ..... 81
7.2.2 User-specific configuration ..... 84
8 Additional Instructions ..... 85
8.1 Time synchronization with the SIMATIC mode ..... 85
8.2 Enabling the security function in CP 343-1 Advanced V3 ..... 88
8.3 Configuration with the Security Configuration Tool ..... 90
8.4 Checking the VPN tunnel status ..... 96
8.5 Importing/exporting the certificates ..... 98
8.6 Configuration of the FTP connection in NetPro ..... 100
8.7 Enabling of FTPS in CP 343-1 Advanced V3 ..... 103
8.8 Creating a user for FTP ..... 105
8.9 Changing the FTP parameters in the STEP 7 program ..... 109
9 Operating the Application ..... 110
9.1 Requirement ..... 110
9.2 Scenario: Standard STEP 7 PG and online functions ..... 110
9.3 Scenario: HTML-based access to the web servers ..... 116
9.4 Scenario: Secure FTP access ..... 118
9.5 Scenario: Secure time synchronization via NTP (secure) ..... 122
10 Literature ..... 123
11 History ..... 124
1 Task

Introduction

Ethernet connections increasingly extend all the way to the field level. This offers many advantages for plant automation, for example remote maintenance and remote diagnosis. Compared with sending service employees around the world, the workload, the time required and the corresponding costs are significantly lower. Errors are detected and removed much more quickly, which reduces machine downtimes and increases availability. However, this also makes production processes that have so far been isolated vulnerable to attack from outside and inside. Reliable security can only be provided by an approach that unites security mechanisms with a comprehensive understanding of automation. Today's Internet access mechanisms (radio, broadband) combined with the security components by Siemens are a successful combination.
1.1 Overview of the automation task
A typical remote service scenario is the access from a central station to distributed production plants. If the production plants are in places that are difficult to reach, access must also be guaranteed here. Basis for this are reliable, secured and economical data connections that are always available via cable-based or wireless transmission media. The figure below provides an overview of the automation task. Figure 1-1
Figure 1-1: Service center connected via the Internet (DSL) and EGPRS/UMTS over secure connections to Remote S7-Station 1 ... Remote S7-Station N in distributed plants.
1.2 Description of the automation task
Several SIMATIC remote stations, each containing devices that can be reached via Ethernet (S7 CPUs, HMI device, Ethernet CPs), are connected to a service center via a wireless transmission medium. Via these connections, a PG/PC in the service center is to perform all the functions that a cable-based PG can perform (e.g. all standard diagnostic functions, upload and download of programs, FTP, etc.).
2 Solution

2.1 Overview of the general solution

Schematic layout

Siemens offers the following components with security functionality to secure access to and from production plants:
• SCALANCE S612 V3 security module, S623 V3 (as of 09/2012) and S602 V3
• The SOFTNET Security Client software
• CP1628 communication modules, CP 343-1 Advanced V3 and CP 443-1 Advanced V3
• SCALANCE M875 UMTS router
• EDGE/GPRS router MD741-1
Apart from the SCALANCE S602 V3, all components are VPN-capable and can establish secure connections with the help of IPsec. The application example below shows the use of these modules in a selected remote access scenario.

Table 2-1

Module | Used in…
SCALANCE S612 V3 | Service center
SOFTNET Security Client | Service station
CP 343-1 Advanced V3 | Remote Station 1
SCALANCE M875 | Remote Station 2
Note: Instead of an S7-300 station with a CP 343-1 Advanced V3, an S7-400 with CP 443-1 Advanced V3 can also be used as an alternative. The security functions of the two CPs are virtually identical.
Figure 2-1: Service center (PG/PC with STEP 7, SCALANCE S612 V3, DSL router, S7-PN CPU) connected via the ISP and the Internet; Remote Station 1 (SCALANCE M873, HMI panel, S7-CPU with CP 343-1 Adv. V3) reached via UMTS provider A over VPN tunnel 1; Remote Station 2 (SCALANCE M875, S7-PN CPU) reached via UMTS provider B over VPN tunnel 2; service station (PG/PC with STEP 7) connected over VPN tunnel 3.
The service center is the central point here. This is where the configuration files for the controllers are saved and where the VPN connections (VPN tunnel 1/ 2) are initiated to the remote stations. Via this connection, projects are downloaded to the controllers of the external stations, data is monitored and IT functions (FTP, HTTP) are carried out. Service technicians are to be able to connect directly to the remote stations with their PGs/PCs via a secure connection (VPN tunnel 3) or with the service center in order to get access to the external stations via, for example, VNC (Virtual Network Computing).
2.2 Detailed hardware setup
The following figures show the setup of this application in detail.
Setup of the service center

Figure 2-2: DSL router + modem (xDSL Internet connection with fixed IP address); SCALANCE S612 (security module as VPN router); PC/PG with SIMATIC Manager (STEP 7), web browser, FTP server/client and VNC server (optional); 100 Mbit/s IE links.
The control center consists of a standard Windows PC/PG. Via the integrated Ethernet interface, the PC is connected to the internal (secure) port of the SCALANCE S612 V3; the DSL router is connected to the external (insecure) port, recognizable by the lock icon. The STEP 7 software, a standard web browser, an FTP client, an FTP server and optionally a VNC server are installed on the PG/PC.
Setup of the remote station 1

Figure 2-3: SCALANCE M873 (UMTS router with SIM card of the provider); SIMATIC station 1 with PS 307 5A, CPU 315-2 DP and CP 343-1 Advanced V3 (VPN endpoint); MP277 8'' HMI panel for visualization; PG/PC with NTP server; 100 Mbit IE and 1 Gbit IE links.

The remote station 1 consists of a SIMATIC S7-300 station, an HMI operator panel, a PC with NTP server and, as connection to the mobile communication network, a SCALANCE M873. The CP 343-1 Advanced V3 is the VPN endpoint. The panel and the PG/PC are connected to a (secure) PROFINET port of the CP, the SCALANCE M873 to the (insecure) gigabit port.
Setup of the remote station 2

Figure 2-4: SCALANCE M875 (UMTS router and VPN router with SIM card of the mobile communication provider); SIMATIC station with PS307 2A and CPU 319-3 PN/DP; 100 Mbit/s IE link.

The remote station 2 consists of a SIMATIC station. The VPN endpoint is the SCALANCE M875. The CPU is connected to the SCALANCE M875 via its integrated interface.
Setup of the service station

Figure 2-5: PC/PG with SIMATIC Manager, web browser, SOFTNET Security Client and VNC client (optional), connected via IE standard cable to any Internet access (ISP or UMTS provider).

The service station represents a PG/PC that has to connect to the plant from outside. For this purpose it should be possible to connect with the PG/PC via a secured connection either directly to the remote stations or to the service center, in order to get access to the external stations from there. Access to the external stations via the service center requires routing between the secure connections and the use of remote maintenance software (VNC). The VPN client software SOFTNET Security Client is installed on the PG/PC, as well as optionally a VNC client.
Topics not covered by this application

Access of the service technician to the remote stations is not part of this application. For direct access to the remote stations, the document "Secure Remote Access to SIMATIC Stations with the SOFTNET Security Client via Internet and UMTS" is available, which is located on the same HTML page as this document. More information on access to the remote stations via the service center can be found in the document "Remote Control Concept with SCALANCE S Modules over IPsec secured VPN Tunnel" (see /6/ in chapter 10 (Literature)).
Note: A fixed DSL IP address at the control center is a prerequisite for this application.

Assumed knowledge

Basic knowledge of automation technology, SIMATIC, Ethernet and configuration with STEP 7 V5.5 SP2 HF1 is assumed. Basics on security terms can be found under /14/ in chapter 10 (Literature).
2.3 Description of the core function and scenarios
2.3.1 Core function
For remote maintenance or diagnostics via an unsecured network, reliable security of the data transmission has the highest priority. Confidential and sensitive information must not be sent in plaintext via the Internet, where it could be read and/or manipulated by unauthorized third parties. To guarantee secure and reliable data transmission, this application uses a VPN solution. VPN is the abbreviation for virtual private network and denotes the combination of two separate networks into one closed, logical network. The configuration of this solution is performed via the Security Configuration Tool.
Figure 2-6
2.3.2 Scenarios

The implementation of a VPN solution makes secure data transmission between the central station and the remote stations or the service station possible. This application shows the functionality of this solution via selected scenarios:
• Standard STEP 7 PG and online functions
• HTML-based access to the web servers in the modules
• Secure data exchange via FTP
• Secure time synchronization via NTP (secure)
Standard PG and online functions

The service center or the service technician can
– carry out all online system diagnosis functions just as in the cable-based IE LAN (diagnostic buffer of the CPU, module state, operating state, monitoring/controlling, etc.),
– monitor and control variables (variable table),
– monitor program states and
– download the complete STEP 7 program and upload the standard STEP 7 program (without security parts).

Figure 2-7: Central station / Remote station
Web access

PROFINET CPUs, CPs and SCALANCE M modules are provided with an integrated web server for configuring, monitoring, evaluating and diagnosing. The PG in the central station can access the server via a standard web browser.

Figure 2-8: Central station / Remote station
Secure FTP (FTPS)

FTP (File Transfer Protocol) is a method for exchanging data between a client and a server. The communication modules CP x43-1 Advanced V3 provide a client and server function for file management and access to the blocks in the CPU.

Figure 2-9: Central station / Remote station

As of version 3 of the CPs, the communication modules also support secure FTP over SSL (explicit mode).
In this application, process data simulated by the CPU is sent to the central station (CP as FTP client) or the file system of the CP 343-1 Advanced V3 (CP as FTP server) is accessed from the central station.
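The explicit-mode upgrade mentioned above, shown as an added example that is not code from this application description or from the CP firmware: a constructed in-memory FTP server and a client that issues AUTH TLS, PBSZ 0 and PROT P on the ordinary control connection before any credentials are sent, and that aborts when the server cannot upgrade. The TLS handshake itself is represented only by a flag; user names, paths and server responses are constructed.

```python
"""Simulated explicit-mode FTPS (RFC 4217) control-channel exchange.

Constructed example, not code from the Siemens application description.
In explicit mode the client connects to the normal FTP port in plaintext
and upgrades the control connection with AUTH TLS before sending USER/PASS;
PROT P then protects the data connection as well.
"""
from dataclasses import dataclass, field


@dataclass
class FakeFtpsServer:
    """Minimal server model answering the commands used during the upgrade."""
    supports_tls: bool = True
    tls_active: bool = False
    data_protected: bool = False
    log: list = field(default_factory=list)   # every command line received

    def handle(self, line: str) -> str:
        self.log.append(line)
        cmd, _, arg = line.partition(" ")
        if cmd == "AUTH" and arg == "TLS":
            if not self.supports_tls:
                return "502 Command not implemented"
            self.tls_active = True          # the TLS handshake would follow here
            return "234 AUTH TLS OK"
        if cmd == "PBSZ":
            return "200 PBSZ=0" if self.tls_active else "503 Use AUTH first"
        if cmd == "PROT":
            if not self.tls_active:
                return "503 Use AUTH first"
            self.data_protected = (arg == "P")
            return "200 PROT " + arg + " OK"
        if cmd == "USER":
            return "331 Password required"
        if cmd == "PASS":
            return "230 Login successful"
        if cmd == "RETR":
            return "150 Opening data connection"
        return "500 Unknown command"


class ExplicitFtpsClient:
    """Client that refuses to send credentials or data without TLS."""

    def __init__(self, server: FakeFtpsServer):
        self.server = server
        self.secured = False

    def _send(self, line: str) -> str:
        return self.server.handle(line)

    def connect_and_login(self, user: str, password: str) -> bool:
        # 1. Upgrade the plaintext control channel first (explicit mode).
        if not self._send("AUTH TLS").startswith("234"):
            raise ConnectionError("server refused TLS upgrade; credentials not sent")
        # 2. Protection buffer size, then "private" data-channel protection.
        if not self._send("PBSZ 0").startswith("200"):
            raise ConnectionError("PBSZ rejected")
        if not self._send("PROT P").startswith("200"):
            raise ConnectionError("PROT P rejected; data channel would be plaintext")
        self.secured = True
        # 3. Only now do the credentials travel over the (simulated) TLS channel.
        self._send("USER " + user)
        return self._send("PASS " + password).startswith("230")

    def retrieve(self, path: str) -> bool:
        if not self.secured:
            raise RuntimeError("refusing plaintext transfer")
        return self._send("RETR " + path).startswith("150")


if __name__ == "__main__":
    srv = FakeFtpsServer()
    cli = ExplicitFtpsClient(srv)
    print("login ok:", cli.connect_and_login("svc", "secret"), "commands:", srv.log)
```

The ordering is the whole point: a client that sends USER before AUTH TLS has already leaked the user name, and a client that proceeds without PROT P moves file contents in the clear even though the control channel is encrypted. Against a server that cannot upgrade, the client above stops before any credential leaves the host.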
NTP (secure)

The Network Time Protocol is a method for synchronizing the time of devices in a network. The current time is provided by a server. Apart from the SIMATIC process for time synchronization, the CP x43-1 Advanced V3 communication module also supports NTP.

Figure 2-10: NTP server (central station) / CP x43-1 Adv. (remote station)

As of version 3 of the CPs, the communication modules can also synchronize the time via NTP (secure).
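What "secure" adds to a time reply, as an added example that is not code from this application description or from the CP firmware. It assumes that NTP (secure) means NTP with symmetric-key message authentication as in RFC 5905 Appendix A: the server appends a 4-byte key ID and an MD5 digest computed over the shared key followed by the 48-byte packet, and the client recomputes the digest with the key it holds under that ID. The key table and timestamps below are constructed.

```python
"""Symmetric-key authenticated NTP reply: build, sign, verify.

Added example, not part of the Siemens application description. Assumption:
"NTP (secure)" = NTP with a symmetric-key MAC (RFC 5905 Appendix A,
MD5 over key || packet). Keys here are constructed, like an ntp.keys file.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
PACKET_LEN = 48                # NTPv4 header without MAC

# Constructed key table: key id -> shared secret (same file on server and CP)
KEY_TABLE = {1: b"example-shared-secret-1", 2: b"example-shared-secret-2"}


def build_ntp_packet(unix_time: float, stratum: int = 2) -> bytes:
    """Build a minimal 48-byte NTPv4 server reply (mode 4)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4           # LI=0, VN=4, mode=4 (server)
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    header = struct.pack("!BBbb", li_vn_mode, stratum, 0, -20)   # poll, precision
    header += struct.pack("!II4s", 0, 0, b"GPS\x00")  # root delay, dispersion, ref id
    for _ in range(4):   # reference, origin, receive and transmit timestamps
        header += struct.pack("!II", secs, frac)
    return header


def sign_packet(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC: key ID (4 bytes) + MD5(key || packet) (16 bytes)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_packet(message: bytes, key_table: dict) -> bool:
    """True only if a MAC is present, its key ID is known and the digest
    matches; unauthenticated, unknown-key or tampered replies are rejected."""
    if len(message) != PACKET_LEN + 4 + 16:
        return False
    packet, mac = message[:PACKET_LEN], message[PACKET_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = key_table.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet).digest()
    # constant-time comparison so a forger learns nothing from timing
    return hmac.compare_digest(expected, mac[4:])


def transmit_time(message: bytes) -> float:
    """Decode the transmit timestamp of a (verified) reply to Unix time."""
    secs, frac = struct.unpack("!II", message[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


if __name__ == "__main__":
    reply = sign_packet(build_ntp_packet(1700000000.5), 1, KEY_TABLE[1])
    print("authentic:", verify_packet(reply, KEY_TABLE), "time:", transmit_time(reply))
```

A client that only verifies the MAC on replies it receives still has to reject replies with no MAC at all (the length check above) and unknown key IDs; otherwise an attacker on the path can simply strip the MAC. The MD5 construction is what the protocol specifies for this key type, not a recommendation for new designs.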
Advantages of this solution
• Optimized service of remote plants. External stations can be reached worldwide.
• All remote stations can be configured and diagnosed with standard STEP 7 tools.
• High communication availability due to standardized mobile communication and Internet technology.
• UMTS and the Internet ensure short transmission times.
• Cost-effective data transmission due to payment based on data volumes.
• VPN functionality enables a secure, protected and encrypted data connection via standard Ethernet.
• High degree of security by means of an integrated firewall.
• Simple and user-friendly configuration of the VPN tunnel with the Security Configuration Tool.
2.4 Hardware and software components used

The application document was generated using the following components:

Standard components

Table 2-2

Component | Qty. | MLFB/order number | Note
CPU 319-3 PN/DP | 1 | 6ES7 318-3EL00-0AB0 |
CPU 317-2 PN/DP | 1 | 6ES7 317-2EH14-0AB0 |
Power supply PS307 5A | 3 | 6ES7 307-1EA00-0AA0 |
Micro Memory Card | 2 | 6ES7 953-8LF11-0AA0 | Min. 1 MB
PG | 1 | 6ES7 712-XXXXX-XXXX | Configurator
Multi Panel MP277 8'' | 1 | 6AV6 643-0CB01-1AX1 |
SCALANCE M873 | 1 | 6GK5 873-0AA10-1AA2 |

Security

Table 2-3

Component | Qty. | MLFB/order number | Note
SCALANCE S612 V3 | 1 | 6GK5 612-0BA10-2AA3 |
Software Security Configuration Tool V3 | 1 | - | SCT is included in delivery.
Software SOFTNET Security Client V4 | 1 | 6GK1 704-1VW04-0AA0 |
SCALANCE M875 | 1 | 6GK5 875-0AA10-1AA2 |
CP 343-1 Advanced V3 | 1 | 6GK7 343-1GX31-0XE0 |

Software

Table 2-4

Component | Qty. | MLFB/order number | Note
STEP 7 V5.5 SP2 HF1 | 1 | 6ES7810-4CC08-0YA5 | Or higher
HSP1058 | 1 | | Hardware support package for CP 343-1 Advanced V3; is included with the module.
FTP client software | 1 | | With FTP(e)S (secure FTP) support
FTP server software | | | With FTP(e)S (secure FTP) support
NTP server | 1 | | With NTP (secure) support

LAN components

Table 2-5

Component | Qty. | MLFB/order number | Note
IE FC TP STANDARD CABLE | 5 | 6XV1840-2AH10 | Connecting line IE; minimum order quantity 20 m
RJ45 plug-in connector | 10 | 6GK1901-1BB10-2AA0 | Can be tailored
Infrastructure & accessories

Table 2-6

Component | Qty. | MLFB/order number | Note
DSL router + modem with VPN passthrough function (port forwarding) | 1 | | Alternatively router with integrated modem or individually
Internet provider | 1 | | Fixed IP address
Fixed IP address | 1 | | Contract with your Internet provider
ANT 794-4MR | 2 | 6NH9860-1AA00 | Omnidirectional quad-band antennae with 5 m cable
SIM card | 2 | | Station contract with a GSM network operator; released for UMTS/GPRS

Example files and projects

The following list includes all files and projects used in this example.

Table 2-7

Component | Note
24960449_S612_RemoteAccess_UMTS_CODE_V30.zip | This zip file contains the STEP 7 project.
24960449_S612_RemoteAccess_UMTS_DOKU_V30_e.pdf | This document.
3 Risk Minimization due to Security

Ethernet-based communication has a central role in the automation environment and has many advantages due to the use of open, standardized IT technologies. However, the increasing openness and consistency also increases the risk of undesired manipulation. This is why a security concept is needed that reliably protects industrial communication on the one hand but on the other hand also takes the special requirements of automation technology into account.

Note: Nobody can guarantee 100 % security. Nevertheless, there are many options to keep the risk as low as possible.
3.1 Conditions and requirements

Requirements

Among others, the requirements for security are:
• Data confidentiality: user data must be encrypted and protected from unauthorized access.
• Station authorization: only defined stations may participate in the data communication. Authentication is required.
• Packet identification: it must be ensured that data packets arrive at their target address unchanged.
• Secrecy: networks behind the VPN gateways should be hidden from third parties.

Conditions for automation technology

The special requirements of automation technology are:
• Taking into account effectiveness and economy by using the existing infrastructure.
• Reaction-free integration: the existing network infrastructure must not be changed and existing components must not be reconfigured.
• Conserving data security by protecting from unauthorized access.
• Availability: particularly for remote control technology it is essential that the connection between central station and production plant is robust, secure and reliable.
3.2 SIEMENS protection concept: Defense-in-Depth
Multilevel security concept

Increasing networking and the use of tried and tested technologies of the "office world" in automation plants increase the need for security. It is not sufficient to offer only superficial and limited protection, since attacks from outside can take place on several levels. Optimal protection requires a thorough security awareness. To achieve the demanded security targets, Siemens works according to the defense-in-depth strategy. This strategy pursues the approach of a multi-layer security model: plant security, network security and system integrity.

The advantage is that an attacker has to pass several security mechanisms first and that the security requirements of the individual layers can be taken into account individually.

Instruments of the defense-in-depth strategy

To implement this security concept, two security tools from the network security area are of particular note: the firewall and the VPN tunnel. The firewall is used to control data traffic. By filtering, packets can be discarded and network accesses can be blocked or granted. To secure communication, the tunneling method is a frequent application.
3.3 Introduction of the Security Modules
The modules SCALANCE S612 V3, SCALANCE M875, SOFTNET Security Client, CP1628 and CP x43-1 Advanced V3 are components of the Siemens security concept. They protect automation cells, networks or devices without independent protection from unauthorized accesses, espionage or manipulation. The Security Configuration Tool (SCT) is used to configure the SCALANCE S modules, CP x43-1 Advanced V3, CP1628 and to create the configuration files for the SCALANCE M875 and the SOFTNET Security Client. All nodes can be combined to groups here. These assignments also define which modules communicate via a VPN tunnel.
3.3.1 SCALANCE S612 V3
Description

The SCALANCE S product family is used to protect automation cells/networks from unauthorized access. The model S612 can be used as VPN-capable peer to SCALANCE M875, CP x43-1 Advanced V3, SOFTNET Security Client, CP1628 or other SCALANCE S (apart from SCALANCE S602).

Figure 3-1
Properties SCALANCE S612 V3 was provided with a number of functions for the integration of modules into the remote control system.
Protection of devices with or without independent security functions through the integrated firewall:
– Check of the data packets based on the source and target address (stateful packet inspection)
– Support of Ethernet “Non-IP” messages
– Bandwidth limitation
– Global and local firewall rules
– User-specific firewall rules
Highest security: The support of VPN and IPSec makes secure data transmission via a virtual dedicated line possible. SCALANCE S612 V3 can be either server or client and manage up to 128 VPN tunnels.
Protection of several devices at the same time: By integrating SCALANCE S as a connecting link between two networks, the devices located behind it are automatically protected.
– Router mode to operate the SCALANCE S in a routed infrastructure. Internal and external network are each independent subnetworks.
– Bridge mode to operate the SCALANCE S module in a flat network. The internal and external network are located in one subnet.
Flexible internet access:
– SCALANCE S612 V3 supports the configuration of a fixed IP address for the DSL access and also PPPoE.
– The SCALANCE S V3 is a dynamic DNS client and can transfer its current IP address to a DNS server.
Interfaces SCALANCE S has two separate Ethernet interfaces. Each port is treated differently and they must not be confused:
Port 1 – external network: top RJ45 connector, red marking = insecure network area (key icon)
Port 2 – internal network: bottom RJ45 connector, green marking = network protected by SCALANCE S
When the ports are swapped, the device loses its protective function.
Note For further information, please refer to the SCALANCE S manual (see /3/ and /6/ in chapter 10 (Literature)).
3.3.2 CP 343-1 Advanced V3
Description Compared to the basic components, the CP 343-1 Advanced modules (as of version 3) offer integrated security functions for the protection of automation cells/networks from unauthorized access. The communication processors can be used as VPN-capable peers for SCALANCE M875, S612, SCALANCE S (apart from S602), SOFTNET Security Client (as of V4 HF1), CP1628 or other CP x43-1 Advanced (as of version 3). Figure 3-2
Function CP 343-1 Advanced V3 offers the functions of its predecessor modules and was additionally expanded by the following security functions:
Protection of devices with or without independent security functions through the integrated firewall:
– Check of the data packets based on the source and target address (stateful packet inspection)
– Support of Ethernet “Non-IP” messages
– Bandwidth limitation
– Global and local firewall rules
Highest security: The support by VPN and IPSec makes secure data transmission via a virtual dedicated line possible. The CP supports the VPN server and VPN client role. The module can manage up to 32 VPN tunnels overall.
Secure IT functions: Encryption and authentication guarantee secure data transfer (FTPS), web access (HTTPS) and time synchronization (NTP (secure)).
Protection of several devices at the same time: Through the integration of the CP as connecting link between two networks, the devices located behind are automatically protected.
Interfaces CP 343-1 Advanced V3 has a 100 Mbit/s PROFINET interface and a 1000 Mbit/s gigabit interface. The PROFINET interface is designed as an IRT-capable 2-port switch and thus enables the integration of the CP in a line topology or a ring with media redundancy. Each port can be disabled individually in the configuration. The gigabit interface works independently of the PROFINET interface and can be used as the connection for a PG/PC or a superior company network. The gigabit interface enables the secure connection to external insecure networks via firewall and VPN.
Using the CP as IP router The CP can be used for passing on IP messages from a local network (PROFINET interface) to a superior network (gigabit interface) and vice versa. The CP regulates the access permission according to configuration.
Note More information can be found in the manual on CP 343-1 Advanced V3 (see /2/ in chapter 10 (Literature)).
3.3.3 SCALANCE M875
Description SCALANCE M875 provides a secure wireless IP data connection between remote stations and the service center via GSM or UMTS (3G). It can be used as a VPN-capable peer to the SCALANCE S (apart from S602), SCALANCE M875, SOFTNET Security Client, CP1628 and CP x43-1 Advanced V3. Figure 3-3
Basic requirements for operation The operation of the SCALANCE M875 is possible from anywhere where a mobile communication network is available that provides packet-oriented data services. Under UMTS these are the data services HSPA data service or UMTS data service. Under GSM these are the data services EGPRS or GPRS. For the wireless data connection a SIM card is needed that is activated for the respective services.
Note Whether the router logs into GSM or UMTS networks depends on the network coverage of the provider. Information on the network coverage of the provider can usually be found on the internet page of the provider.
In the web-based management of the SCALANCE M875 you can see in which network the module dialed itself into.
For further information, please refer to the SCALANCE M875 manual (see /1/ in chapter 10 (Literature)).
The GSM/UMTS router SCALANCE M875 together with the quad band antenna ANT 794-4MR covers all four bands of the GSM networks:
– 850 MHz
– 900 MHz
– 1800 MHz
– 1900 MHz
and the following frequencies under UMTS:
– 800 MHz
– 850 MHz
– 1700 (AWS) MHz
– 1900 MHz
– 2100 MHz
Note Please also note the country approvals for the SCALANCE M875 (see /8/ in chapter 10 (Literature))
Function For a secure radio data connection the router provides the following core functions:
Protection of devices with or without independent security functions through the integrated firewall, for example:
– Check of the data packets based on the source and target address (stateful packet inspection)
– Anti-spoofing (falsifying IP address/identity)
– Port forwarding
Highest security: The support of VPN and IPSec makes secure data transmission via a virtual dedicated line possible. SCALANCE M875 supports the VPN client and server role. The module can manage 10 VPN tunnels overall.
Radio modem for flexible data communication via UMTS, HSPA, EGPRS or GPRS:
– Bi-directional data connection
– Cyclic processing of protocol data for maintaining or monitoring the connection (NAT-T Keep Alive, Dead Peer Detection, Rx-Tx-Delay Trigger)
– Support of DNS and dynamic DNS
Note For further information, please refer to the SCALANCE M875 manual (see /1/ in chapter 10 (Literature)).
Requirements for the VPN gateway of the remote network In order for an IPSec connection to be established successfully, the VPN peer has to support IPSec with the following configuration:
– Authentication via X.509 certificates, CA certificates or preshared keys
– ESP
– Diffie-Hellman group 1, 2 or 5
– 3DES or AES encryption
– MD5 or SHA-1 hash algorithms
– Tunnel mode
– Quick mode
– Main mode
– SA lifetime (1 second up to 24 hours)
If the peer is a computer with the operating system Windows 2000, the Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 has to be installed. If the peer is located behind a NAT router, the peer has to support NAT-T, or the NAT router has to know the IPSec protocol (IPSec/VPN passthrough).
Explanation of important terms In this section, the most important features of the SCALANCE M875 are briefly explained.
Table 3-1
Feature | Description
Anti-spoofing | Anti-spoofing prevents misuse of IP addresses and obscuring of identities.
NAT-T Keep Alive | The SCALANCE M875 sends UDP packets through tunnel port 4500 in a fixed cycle (in this example at 90-second intervals) so as to maintain the connection at the APN. The period after which the provider disconnects a connection without data transfer activity is not defined and the interval must be adapted accordingly. For NAT-T Keep Alive no response is expected from the peer, so the existence of the VPN tunnel cannot be proven this way.
Dead Peer Detection (DPD) | The M875 sends (in this application at the latest after 150 sec) a UDP packet to port 4500. A response from the peer is expected and hence the status of the VPN tunnel is monitored. If a failure of the VPN tunnel is detected, the SCALANCE M875 tries to reestablish the tunnel.
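The difference between the two timers in Table 3-1, as an added Python model that is not part of the Siemens documentation: keep-alives go out blindly and keep the APN binding alive, only DPD notices a dead tunnel. The 90 s and 150 s intervals are the values quoted above; the 30 s DPD reply timeout and the immediate re-establishment after a detected failure are assumptions of this model.

```python
"""NAT-T Keep Alive vs. Dead Peer Detection, modelled after Table 3-1.

Added example, not Siemens code. The 90 s keep-alive and 150 s DPD intervals
are the values quoted on the page; the DPD reply timeout (30 s) and the
immediate re-establishment of the tunnel after a detected failure are
assumptions made for this model.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

KEEPALIVE_INTERVAL = 90   # s, UDP/4500, no reply expected (only keeps the APN/NAT binding alive)
DPD_INTERVAL = 150        # s, UDP/4500, reply expected (proves the tunnel is alive)
DPD_TIMEOUT = 30          # s to wait for the DPD reply before declaring the tunnel dead (assumed)


@dataclass
class TunnelMonitor:
    sent: List[Tuple[int, str]] = field(default_factory=list)    # (time, packet kind)
    events: List[Tuple[int, str]] = field(default_factory=list)  # (time, state change)
    reconnects: int = 0
    next_keepalive: int = KEEPALIVE_INTERVAL
    next_dpd: int = DPD_INTERVAL
    dpd_pending_since: Optional[int] = None

    def tick(self, now: int, peer_reachable: bool) -> None:
        """Advance the clock to `now` (seconds); `peer_reachable` says whether DPD replies get through."""
        if now >= self.next_keepalive:
            # Sent blindly: a keep-alive goes out even while the peer is unreachable.
            self.sent.append((now, "NAT-T keepalive"))
            self.next_keepalive = now + KEEPALIVE_INTERVAL

        if self.dpd_pending_since is not None:
            if peer_reachable:
                self.events.append((now, "dpd reply"))      # late reply, tunnel is fine
                self.dpd_pending_since = None
            elif now - self.dpd_pending_since >= DPD_TIMEOUT:
                # Only DPD detects the dead tunnel; the M875 then tries to re-establish it.
                self.events.append((now, "tunnel down"))
                self.reconnects += 1
                self.events.append((now, "tunnel re-established"))
                self.dpd_pending_since = None
                self.next_keepalive = now + KEEPALIVE_INTERVAL
                self.next_dpd = now + DPD_INTERVAL

        if now >= self.next_dpd and self.dpd_pending_since is None:
            self.sent.append((now, "DPD request"))
            self.next_dpd = now + DPD_INTERVAL
            if peer_reachable:
                self.events.append((now, "dpd reply"))
            else:
                self.dpd_pending_since = now

    def sent_times(self, kind: str) -> List[int]:
        """Times at which packets of the given kind were sent."""
        return [t for t, k in self.sent if k == kind]


def simulate(total_seconds: int, outage: Optional[Tuple[int, int]] = None) -> TunnelMonitor:
    """Run the monitor second by second; `outage` = (start, end) window in which the peer is unreachable."""
    mon = TunnelMonitor()
    for now in range(1, total_seconds + 1):
        reachable = outage is None or not (outage[0] <= now < outage[1])
        mon.tick(now, reachable)
    return mon


if __name__ == "__main__":
    # Constructed scenario: the peer is silent between t=400 s and t=500 s.
    m = simulate(600, outage=(400, 500))
    print("keep-alives:", m.sent_times("NAT-T keepalive"))
    print("DPD requests:", m.sent_times("DPD request"))
    print("events:", m.events)
```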
3.3.4 The SOFTNET Security Client
Description The SOFTNET security client is a PC software for secure remote accesses from PC/PG to automation devices. The software can be used as VPN-capable peer to SCALANCE S (apart from S602), SCALANCE M875, CP1628 and CP x43-1 Advanced V3 (as of SSC V4 HF1). Figure 3-4
Function By means of the SOFTNET Security Client a PC/PG is automatically configured so that it can establish secure IPSec tunnel communication in the VPN (Virtual Private Network) to one or several VPN servers. Thus, PG/PC applications such as NCM diagnosis or STEP 7 can access devices or networks that are located in a protected, internal network via a secure tunnel connection.
3.4 Security Configuration Tool
3.4.1 Configuration scheme
Groups With the Security Configuration Tool Siemens offers convenient software for the configuration of IPSec tunnel connections between modules. All modules that communicate with each other via a VPN tunnel are divided into groups. The figure below shows the logical end points of the VPN connection: Figure 3-5
Figure 3-5: Project display of the Security Configuration Tool (All groups, Group 1, Group 2) and logic display with the VPN tunnels between the SCALANCE S612 V3 and the CP 343-1 Adv. (Remote Station 1) and the SCALANCE M875 (Remote Station 2).
In the group properties in expanded mode you can select between the two authentication methods preshared key and certificate.
Authentication For preshared key an own key can be defined. The certificates can be generated by the security configuration tool, distributed to the group members and certified by the group certificate (CA certificate). Alternatively, own certificates can be imported.
Note In this example the authentication occurs via the use of certificates.
Figure 3-6: Certificate distribution: the Security Configuration Tool creates the certificates (*.p12 file with public and private key and *.cer file); download of the certificates to the SCALANCE S612 V3 and, via STEP 7, to the CP 343-1 Adv. (Remote Station 1); saving of the certificates and import on the M875 (Remote Station 2) and the PG/PC.
Note A detailed description of the VPN configuration can be found in chapter 8.3 (Configuration with the Security Configuration Tool).
3.4.2 Management of certificates
Overview of certificates In the certificate manager of the Security Configuration Tool all certificates that are required for the project are managed. All certificates include details on:
– Applicant
– Issuer
– Validity
– Location of usage in SCT
– Existence of a private key
Figure 3-7
NOTICE The validity of the certificates indicates up to what date the certificate may be classified valid.
When using secure communication (e.g. HTTPS, VPN...) make sure that the affected security modules have the current time and the current date. Otherwise the certificates used are not classified valid and the secure communication will not work.
The CA certificate is a certificate that was issued by a certification authority (the so-called "Certificate Authority"), and it always includes a private key. The device certificates can be derived from it.
Structure of the certificates The certificate manager divides the certificates into different groups:
– Certification authorities
– Device certificates
– Trustworthy certificates and root certification authorities
“Certification authorities” tab All CA certificates are visible in the certification authorities tab.
– CA certificate of a project: When creating a new SCT project a CA certificate is created for the project. From this certificate the device certificates for the individual security modules are derived. When using the SCT integrated in STEP 7, creating a new project is performed by the first activation of the security function of the CP x43-1 Advanced V3.
– CA group certificates: When creating a new VPN group a CA certificate is created for the group.
Figure 3-8
“Device certificates” tab All device-specific certificates that have been created by SCT for a security module are under this tab. This includes:
– SSL certificates: For each created security module an SSL certificate is created that is derived from a CA certificate of the project. SSL certificates are used for the authentication of the communication between PG/PC and security module, when loading the configuration (not for CPs) and for logging in.
– Group certificates: Additionally, a group certificate is created for each security module per VPN group in which it is located.
Figure 3-9
“Trustworthy certificates and root certification authorities” tab This is where the third-party certificates imported into SCT are displayed. Examples of imported certificates are server certificates from external FTP servers or project certificates from other SCT projects.
3.4.3 User management
Overview The configuration of the security functions and the secure IT functions (FTPS, NTP (secure) and HTTPS) can only be performed after logging in with user name and password. In the user administration of the security configuration tool, you can create new users for this purpose who can be assigned system or user defined roles. The module rights can be specified per security module. Figure 3-10
System-defined roles The following roles are pre-defined:
– administrator
– standard
– diagnostics
– remote access
The roles are assigned certain rights that are the same for all modules and which the administrator cannot change or delete. Information can be found in the security manual (see /3/ in chapter 10 (Literature)).
User-defined role In addition to the system-defined roles, user-defined roles can also be created. For each security module used in the project the respective rights are specified individually and the role is assigned to the users manually. The following screenshot shows the creation of a user-defined role for the FTP data transmission. The ftp_user user is assigned only FTP rights for the CP 343-1 Advanced V3 module.
Figure 3-11
Note For detailed instruction, please refer to chapter 8.8 (Creating a user for FTP).
4 Functional Details on FTPS Scenario This chapter describes the implementation of the secure FTP data transmission for this example application.
Note CP x43-1 Advanced V3 only uses the explicit FTPS.
If the name "FTPS" is used in the present documentation, “FTPS in explicit mode” is meant (FTPES).
4.1 General overview
Schematic diagram Figure 4-1: Scenario A: the FTP client sends process data to the FTP server. Scenario B: the FTP client accesses the file structure of the FTP server.
Description The FTPS scenario is divided into two transmission directions. In scenario A the CP 343-1 Advanced V3 is the active station as FTP client and sends the process data simulated by the CPU as a binary file to a computer in the central station. The reverse direction is shown in scenario B. Here, the computer in the central station is the active partner and accesses the file system of the CP in order to e.g. copy, delete or insert files.
4.2 Functionality scenario A
Description Scenario A shows the secure data transmission from a CP (FTP client) to a PG/PC as FTP server. As an example, process data from the CPU is to be saved on the FTP server. For FTPS a secure connection via SSL is to be established between the communication partners. Figure 4-2
Figure 4-2: Scenario A: the FTP client (CP) sends process data to the FTP server over a secure SSL connection.
Requirement For secure data access via FTP it is essential that
– both FTP server and FTP client understand explicit FTPS.
– the existing server certificate for the verification of the FTP server is stored by the FTP client.
– an unspecified FTP connection is configured in the CP.
– the security function is activated in CP 343-1 Advanced V3.
– a user is created in the FTP server software that has been assigned the rights for the FTP functions. In this application ftp_user was used as user name and password.
Procedure The following steps are required for writing a file to the FTP server (Figure 4-3, FTP client to FTP server): initiating a secure control channel; authentication and key exchange through certificates; transfer of the LOGIN data for the FTP user configured in the FTP server; establishing a secure data channel; sending the binary file to the directory released in the FTP server.
The processing of these steps is performed in the CP through a programming solution. For the CP 343-1 Advanced V3 in the FTP client mode, special FTP blocks are available in order to process a data transfer via a configured TCP connection with activated FTP option.
Program details For the simulation and transfer of the process data a small STEP 7 program was created. Figure 4-4 shows the blocks used and their relationship: OB 1, FB 2 (FTP_PROCESS), FB 183 (SIM_Process_Info), FB 40 (FTP_CMD), SFC 20 (BLKMOV), FC 2 (CONCAT), SFC 1 (READ_CLK), DB 181 (FTP_PARAM), DB 184 (PROCESS_DATA) and DB 185 (FTP_SEND_DATA).
Table 4-1
Block | Function
OB 1 | Cyclic call of the functions FB 2 (FTP_PROCESS) and FB 183 (SIM_Process_Info).
FB 2 | Routine for processing the FTP data transmission: 1. Copying the data from DB 184 to DB 185. 2. Establishing a secure connection to the FTP server; the IP address of the server and the LOGIN data are located in DB 181. 3. Generating a file name in the form <date>file name. 4. Sending the data to the FTP server; the data to be transferred is stored in DB 185. 5. Disconnection.
FB 183 | Simulation of process data.
FB 40 | Global FTP block from the SIMATIC NET library of STEP 7.
FC 2 | Function from the standard library of STEP 7 for merging two string variables.
SFC 20 | System function for copying a data area.
SFC 1 | System function for reading out the current time and date.
DB 181 | In this data block the IP address of the FTP server, the LOGIN data and the file name are stored. The structure has been preset by FB 40: address 0.0: IP address STRING[100]; address 102.0: Username STRING[32]; address 136.0: Password STRING[32]; address 170.0: File name STRING[220].
DB 185 | This data block contains the data that is to be sent via FTP. The structure has been preset: Section 1: FILE_DB_HEADER with a fixed structure and length of 20 bytes + structure. Section 2: User data.
DB 184 | In this data block the process data simulated by FB 183 are stored.
FTP block FTP_CMD With the FTP block FTP_CMD from the SIMATIC NET library all FTP commands can be executed. In detail these are the following commands (with command number):
– 1: CONNECT (establish connection)
– 2: STORE (write file)
– 3: RETRIEVE (read file)
– 4: DELETE (delete file)
– 5: QUIT (disconnection)
– 6: APPEND (attach file)
– 7: RETR_PART (read file section)
– 17: CONNECT_TLS_PRIVATE (establish secure connection)
The block is called as follows: Figure 4-5
The parameters have the following meaning: Table 4-2
Parameter | Meaning
ID | Connection ID of the TCP connection from NetPro.
LADDR | The address of the CP from the hardware configuration.
CMD | The command to be executed.
NAME_STR | Reference to LOGIN data or file name (depending on command).
FILE_DB_Nr | The number of the data block that contains the read/write data.
OFFSET | Only for CMD = 7: offset in bytes from which the file is to be read.
LEN | Only for CMD = 7: partial length in bytes that is to be read from the value specified in "OFFSET".
DONE | True if the command was processed error free.
ERROR | True if the command was interrupted with an error.
STATUS | Contains the status display.
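How the DB 181 addresses in Table 4-1 (0.0, 102.0, 136.0, 170.0) come about and how FB 2 assembles the <date>file name, as an added Python example that is not part of the STEP 7 project: it encodes the FTP_PARAM block with the STEP 7 STRING layout (two header bytes, maximum and current length, followed by the characters). The YYYYMMDD date format and the sample values are assumptions; ftp_user is the account name used on the page.

```python
"""Layout of DB 181 (FTP_PARAM) as preset by FB 40 (FTP_CMD), rebuilt in Python.

Added example, not part of the STEP 7 project. A STEP 7 STRING[n] occupies
n + 2 bytes: byte 0 = maximum length, byte 1 = current length, then the
characters. The YYYYMMDD date prefix and the sample values are assumptions.
"""
from datetime import date
from typing import Dict, List, Tuple

# (field, STRING maximum length) in the order given for DB 181 in Table 4-1
FTP_PARAM_LAYOUT: List[Tuple[str, int]] = [
    ("ip_address", 100),
    ("username", 32),
    ("password", 32),
    ("file_name", 220),
]


def s7_string(value: str, max_len: int) -> bytes:
    """Encode `value` as STEP 7 STRING[max_len]: header + characters, padded to the declared length."""
    data = value.encode("ascii")
    if len(data) > max_len:
        raise ValueError(f"{value!r} does not fit into STRING[{max_len}]")
    return bytes([max_len, len(data)]) + data.ljust(max_len, b"\x00")


def s7_string_decode(block: bytes, offset: int) -> str:
    """Read the STRING that starts at byte `offset` (the "x.0" addresses in Table 4-1)."""
    current_len = block[offset + 1]
    return block[offset + 2: offset + 2 + current_len].decode("ascii")


def field_offsets(layout=FTP_PARAM_LAYOUT) -> Dict[str, int]:
    """Byte offset of each field; reproduces 0 / 102 / 136 / 170 for the DB 181 layout."""
    offsets, pos = {}, 0
    for name, max_len in layout:
        offsets[name] = pos
        pos += max_len + 2
    return offsets


def build_file_name(base_name: str, on: date) -> str:
    """'<date>file name' as FB 2 builds it with READ_CLK + CONCAT (date format assumed: YYYYMMDD)."""
    return on.strftime("%Y%m%d") + base_name


def build_ftp_param(ip_address: str, username: str, password: str, file_name: str) -> bytes:
    """Assemble the complete DB 181 image that FTP_CMD reads via NAME_STR."""
    values = {"ip_address": ip_address, "username": username,
              "password": password, "file_name": file_name}
    return b"".join(s7_string(values[name], max_len) for name, max_len in FTP_PARAM_LAYOUT)


def sample_db181() -> bytes:
    """Constructed sample: FTP server address, account ftp_user, file dated 2012-07-01 (assumed)."""
    return build_ftp_param("192.168.0.100", "ftp_user", "ftp_user",
                           build_file_name("process.bin", date(2012, 7, 1)))


if __name__ == "__main__":
    db181 = sample_db181()
    print("DB 181 length:", len(db181), "bytes")
    for name, off in field_offsets().items():
        print(f"{off:>3}.0  {name:<10} {s7_string_decode(db181, off)!r}")
```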
Verifying the SSL connection FTPS requires the use of the SSL protocol to secure and protect data from unauthorized third parties. The encryption of data is based on a shared key that was previously negotiated via public-key cryptography. For verification the FTP server sends its server certificate to the CP 343-1 Advanced V3, which checks the validity of the server certificate against the stored certificates. All certificates have been created by the Security Configuration Tool and can be viewed via the certificate manager (see chapter 3.4.2). In order to be able to load the project certificate in the FTP server, it has to be exported from the certificate manager beforehand (see chapter 8.5 (Importing/exporting the certificates)). Figure 4-6
4.3 Functionality scenario B
Description Scenario B shows the secure data transmission from a PC (FTP client) to CP 343-1 Advanced V3 as FTP server. The file structure of CP 343-1 Advanced V3 is to be shown as an example. For FTPS a secure connection via SSL is to be established between the communication partners. Figure 4-7
Figure 4-7: Scenario B: the FTP client (PC) accesses the file structure of the FTP server (CP) over a secure SSL connection.
Requirement For secure data access via FTP it is essential that
– both FTP server and FTP client understand explicit FTPS.
– the security function is activated in CP 343-1 Advanced V3.
– a user has been created in CP 343-1 Advanced V3 who has been assigned the rights for FTP functions. In this application ftp_user was used as user name and password.
Procedure For access to the file system of CP 343-1 Advanced V3, the following steps are required (Figure 4-8, FTP client to FTP server): initiating a secure control channel; authentication and key exchange through certificates; transfer of the LOGIN data for the FTP user configured in CP343-1 Adv.; establishing a secure data channel; access to the file structure of CP343-1 Adv. via FTP commands (PWD, LIST etc.).
Verifying the SSL connection FTPS requires the use of the SSL protocol to secure and protect data from unauthorized third parties. The encryption of data is based on a shared key that was previously negotiated via public-key cryptography. For this purpose, CP 343-1 Advanced V3 sends its SSL certificate, which was certified by the certification authority, to the FTP client. The certificate has been created by the Security Configuration Tool and can be viewed via the certificate manager (see chapter 3.4.2). The following screenshot shows the properties of the SSL certificate of the CP 343-1 Advanced V3. Figure 4-9
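The client side of scenario B (and the "stored server certificate" requirement of scenario A seen from the client), as an added Python example that is not Siemens code: an explicit FTPS session in which the peer's certificate is verified only against the project CA exported from the SCT certificate manager. Host address, port, account and the CA file path are assumptions; the *.cer file may be PEM or DER encoded.

```python
"""Explicit FTPS (FTPES) client session for scenario B with server certificate verification.

Added example, not Siemens code. The CP address, the account and the path of the
exported CA certificate are assumptions; 140.80.0.3 is the gigabit address of the
CP from the example network and is assumed to be reachable through the VPN tunnel.
"""
import ssl
from ftplib import FTP_TLS
from typing import Dict, List, Optional, Tuple


def build_ftps_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context that accepts only servers whose certificate chains to `ca_file`.

    ftplib's FTP_TLS() without a context does not verify the server certificate at
    all, which would defeat the stored-server-certificate requirement of the scenario.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # implies CERT_REQUIRED and hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        with open(ca_file, "rb") as fh:
            raw = fh.read()
        if raw.lstrip().startswith(b"-----BEGIN"):
            ctx.load_verify_locations(cadata=raw.decode("ascii"))  # PEM-encoded *.cer
        else:
            ctx.load_verify_locations(cadata=raw)                  # DER-encoded *.cer
    # No system CA store is loaded: without the project CA every server is rejected (fail closed).
    # check_hostname stays on, so the CP certificate must carry the name/address used to connect.
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """The settings worth checking before a context is used for a transfer."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_tls": ctx.minimum_version.name,
    }


def list_cp_files(host: str, user: str, password: str, ca_file: str,
                  port: int = 21, timeout: float = 10.0) -> Tuple[str, List[str]]:
    """Scenario B step by step: AUTH TLS on the control channel (certificate check happens here),
    LOGIN data, PROT P for the data channel, then PWD/LIST on the CP's file system."""
    ftps = FTP_TLS(context=build_ftps_context(ca_file), timeout=timeout)
    ftps.connect(host, port)
    ftps.auth()                 # explicit FTPS: upgrade the control channel before any credentials
    ftps.login(user, password)  # LOGIN data travel over TLS only
    ftps.prot_p()               # PROT P: the data channel is TLS-protected as well
    listing: List[str] = []
    ftps.retrlines("LIST", listing.append)
    cwd = ftps.pwd()
    ftps.quit()
    return cwd, listing


if __name__ == "__main__":
    # Assumed values: CP gigabit address, the ftp_user account from the page, exported CA file.
    cwd, files = list_cp_files("140.80.0.3", "ftp_user", "ftp_user", "project_ca.cer")
    print(cwd)
    print("\n".join(files))
```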
5 Installation of the Application Preliminary remarks
At the beginning we offer you a complete STEP 7 example project for download. This software example supports you in the first steps and tests with this application. It enables a quick function test of hardware and software interfaces between the products described here. The software example is always assigned to the components used in this application and shows their basic principle of interaction. However, it is not a real application in the sense of technological problem solving with definable properties. The following chapters take you step by step through the necessary configuration.
Download The STEP 7 example project is available on the HTML page from which you downloaded this document. http://support.automation.siemens.com/WW/view/en/24960449
5.1 Hardware installation
The figure below shows the hardware setup of the application. Figure 5-1: Remote Station 1 (network IDs 140.70.0.0 and 140.80.0.0, dynamic IP via UMTS), Remote Station 2 (network ID 192.168.22.0, dynamic IP via UMTS) and the service center with STEP 7 PG/PC (network IDs 172.16.0.0 and 192.168.0.0, fixed IP via Internet); the components to be configured are numbered 1 to 4.
The following table gives you an overview of the IP addresses used. Addresses within one subnet belong together; modules with two addresses (internal/external) act as routers between the two subnets.
Table 5-1
Station | Module | Subnet mask internal | Subnet mask external | IP address internal | IP address external
Remote Station 1 | Touch Panel TP277 | 255.255.255.0 | 255.255.255.0 | 140.70.0.4 | –
Remote Station 1 | CPU 317-2 PN/DP | 255.255.255.0 | 255.255.255.0 | 140.70.0.2 | –
Remote Station 1 | CP 343-1 Advanced V3 | 255.255.255.0 | 255.255.255.0 | 140.70.0.3 | 140.80.0.3
Remote Station 1 | SCALANCE M873 | 255.255.255.0 | 255.255.255.0 | 140.80.0.1 | Dynamic from APN
Remote Station 2 | CPU 319-3 PN/DP | 255.255.255.0 | 255.255.255.0 | 192.168.22.11 | –
Remote Station 2 | SCALANCE M875 | 255.255.255.0 | 255.255.255.0 | 192.168.22.1 | Dynamic from APN
Central service station | DSL router | 255.255.0.0 | Depending on provider | 172.16.0.1 | Fixed IP from provider
Central service station | SCALANCE S612 V3 | 255.255.255.0 | 255.255.0.0 | 192.168.0.2 | 172.16.41.2
Central service station | PC/PG | 255.255.255.0 | 255.255.255.0 | 192.168.0.100 | –
In the following chapters the required configuration steps of the individual components are explained.
Table 5-2
Number | Step of configuration | Chapter
3 | Configuring the DSL router | 6.8
4 | Commissioning of VPN tunnels | 6.4
1 | Configuration of the SCALANCE M875 | 6.5
2 | Configuration of the SCALANCE M873 | 6.6
5.2 Software installation
Installing the software package The following software packages are required for this configuration:
– SOFTNET Security Client on the PC/PG of the service technician
– STEP 7
– Security Configuration Tool
Follow the instructions of the corresponding installation program.
Note The Security Configuration Tool V3 can be used in two modes:
– As standalone version for the configuration of the security modules without the security CPs.
– Integrated in STEP 7 for the configuration of all security modules (incl. security CPs). The project is stored in the STEP 7 project directory.
Existing standalone projects cannot be opened with the version integrated in STEP 7.
Installing the hardware support packages In this application the CP343-1 Advanced V3 is used. The use of this module requires the module catalog to be updated in the hardware configuration of STEP 7 with the HSP 1058. The instruction for installing the HSP 1058 can be found under /13/.
Installing the example project Start STEP 7 and retrieve the 24960449_S612_RemoteAccess_UMTS_CODE_V30.zip file via “File > Retrieve”.
6 Configuration of the Hardware 6.1 Networking the components
Remote Station 1 In the first external station the components are linked with each other as follows:
– The HMI panel with a PROFINET interface of the CP 343-1 Advanced V3.
– The PG/PC with the NTP server with a PROFINET interface of the CP 343-1 Advanced V3.
– The gigabit interface of CP 343-1 Advanced V3 with the local interface of the SCALANCE M873.
Remote Station 2 In the second external station the components are linked with each other as follows:
– The CPU via the integrated PROFINET interface with the local interface of the SCALANCE M875.
Service center In the service center the components are linked with each other as follows:
– The external port of the SCALANCE S612 V3 with the local interface of the DSL router.
– The internal port of the SCALANCE S612 V3 with the network interface of the PC.
Note For the first commissioning of the individual components it is sometimes necessary to disconnect the network connection.
Pay attention to the respective notes in the configuration instructions.
6.2 Adapting the IP addresses
6.2.1 IP address of the service center
The figure shows the network settings to which you must change the PG/PC at the end of the configuration (after chapter 6.8 (Configuring the DSL Router)). Loading the various modules (SCALANCE S, SCALANCE M87x, CPUs, Multi Panel) requires changing the IP address of the PC/PG frequently.
Table 6-1
No. | Action | Remarks/Notes
1. | Open the Internet Protocol (TCP/IP) Properties by selecting “Start -> Settings -> Network Connection -> Local Connections”. Select the “Use following IP address” option field and fill out the fields as shown in the screenshot on the right. Select the “Use following DNS Server” option field and enter the DNS server according to the screenshot. Close the dialogs with OK. |
2. | If your PG has an IWLAN interface, switch it off. |
6.2.2 IP address of the components
Requirement
In order to change the IP address of the CPU, the CP and the panel, the following is assumed:
- A PC with the STEP 7 configuration software is available (e.g. the PG/PC of the service center station).
- The PC is connected directly with the component or via a switch.
Note The SCALANCE S612 V3 is assigned the IP address via the security configuration tool.
The IP addresses of the two SCALANCE M87x are changed via their web-based management.
SIMATIC components For loading the STEP7 project to the CPU, the IP address of the module via which the project is loaded has to be changed. This can be the CPU itself or a CP. Furthermore, the IP address of the HMI panels has to be adjusted to the desired one for loading the WinCC flexible project.
Table 6-2
No. Action Note
1. Open the STEP 7 project in the SIMATIC Manager. In the “PLC” menu (“target system”) select the “Edit Ethernet Node…” option.
2. Click the Browse… button.
3. Select the desired module and acknowledge the selection with the OK button.
4. Enter the IP address according to Table 5-1 in the “Set IP configuration” window which appears. Click the “Assign IP Configuration” button. Close the dialog with the Close button.
5. This is how you assign the IP addresses according to Table 5-1 to the CP, the panel and the CPUs of the two remote stations.
6.3 Loading of the remote stations
Note The IP addresses are already preset in the STEP 7 project included in delivery (see Table 5-1). To use the project your modules have to be configured with the preset addresses.
6.3.1 Remote Station 1
Required PC/PG IP address Table 6-3
No. Action Note
1. For loading the SIMATIC station please change the IP address of your PC/PG according to the screenshot.
2. Connect your PC/PG with the free PROFINET interface of the CP 343-1 Advanced V3 or directly with the CPU via a standard Ethernet cable.
Now the PC/PG can establish a connection to the CPU 317-2 PN/DP, the CP 343-1 Advanced V3 and the panel.
Loading the SIMATIC station Table 6-4
No. Action Note
1. Change the IP address of the CPU and CP according to Table 5-1.
This is described in detail in chapter 6.2.2.
2. Select the first SIMATIC 300 station in the SIMATIC Manager (RemoteStation1) and load it via “PLC > Download” via the CP to the CPU.
Loading of the HMI panel Table 6-5
No. Action Note
1. Open the SIMATIC HMI-Station(1) in the SIMATIC Manager and select WinCC flexible RT. Open the WinCC flexible project via “Right mouse button > Open Object”.
2. As soon as WinCC flexible has started, open the transfer settings via “Project > Transfer > Transfer Settings”. Change the dialog according to the screenshot. Mode: Ethernet. Computer name or IP address: 140.70.0.4
3. Set your panel to transfer mode. Load the WinCC flexible project to the panel via the “Transfer” button.
NetPro For the FTP scenario a TCP connection has been established via NetPro in CP 343-1 Advanced V3. Figure 6-1
Note: Do not change the connection ID of this communication connection. Otherwise you have to adjust the STEP 7 program (see chapter 8.9, Changing the FTP parameters in the STEP 7 program).
Default router
The CP 343-1 Advanced V3 is the connecting link between the insecure wireless network and the internal network. The telegrams are automatically routed through the CP.
Figure 6-2: IP routing in the CP 343-1 Advanced V3 between the 100 Mbit PROFINET interface (LAN side) and the 1 Gbit interface (WAN side).
For the connection of remote station 1 to the wireless network, the SCALANCE M873 is used, which is connected to the gigabit interface of the CP. Since data communication in the wireless network and the internet is routed via several public subnetworks, the local interface of the SCALANCE M873 (140.80.0.1, see chapter 6.6) has to be entered as the default router of the gigabit interface of the CP. The following figure shows the entry in the network properties of the gigabit interface of the CP 343-1 Advanced V3:
Figure 6-3
6.3.2 Remote Station 2
Required PC/PG IP address Table 6-6
No. Action Note
1. For loading the SIMATIC station please change the IP address of your PC/PG according to the screenshot.
2. Connect the PC/PG via a standard Ethernet cable with the CPU 319-3 PN/DP.
Loading the SIMATIC station Table 6-7
No. Action Note
1. Change the IP address of the CPU according to Table 5-1.
This is described in detail in chapter 6.2.2.
2. Select the second SIMATIC 300 station in the SIMATIC Manager (RemoteStation2) and load it via “PLC > Download” directly to the CPU 319-3 PN/DP. Remote station 2 has no CP; the project is loaded via the integrated PROFINET interface of the CPU.
Default router For the connection of the remote station 2 to the wireless network, the SCALANCE M875 is used which is connected with the PROFINET interface of the CPU. Since data communication in the wireless network and internet is routed via several public subnetworks, the SCALANCE M875 therefore has to be entered as default router in the CPU. The following screenshot shows the entry in the network properties of the CPU: Figure 6-4
6.4 Commissioning of VPN tunnels
In this example application three VPN tunnels are established.
Figure 6-5: the three VPN tunnels terminate on the SCALANCE S612 V3 in the service center, one each from the CP 343-1 Advanced V3 (remote station 1, group 1), the SCALANCE M875 (remote station 2, group 2) and the SOFTNET Security Client (SSC, service PC, group 3).
In the example project included, all tunnel connections have already been configured. Instructions and further information regarding the configuration can be found in chapter 8.2 (Enabling the security function in CP 343-1 Advanced V3), chapter 8.3 (Configuration with the Security Configuration Tool) and in the Getting Started “SIMATIC NET Industrial Ethernet Security, Setting up security”, /5/ in chapter 10 (Literature).
6.4.1 Requirements
Updating the time in CP 343-1 Advanced V3
In the switched-off state the CP loses the current time and starts with 01.01.1984 by default. To establish a VPN tunnel connection to the SCALANCE S612 V3 it is essential that the CP 343-1 Advanced V3 has the current date: the certificates generated for the tunnel are valid from the day of their generation until a date in the future, so with the 1984 default clock the partner certificate is not yet valid and the tunnel is not established. There are two options to set the current time in the CP 343-1 Advanced V3:
- SIMATIC mode
- NTP mode
Note: The SIMATIC mode is already set in the CP in this application. More information regarding the configuration of this time synchronization can be found in chapter 8.1 (Time synchronization with the SIMATIC mode).
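The following Python script is an added example and not part of this application description or of the Siemens tools. It shows the check behind the requirement above: the time strings of an X.509 Validity field (UTCTime or GeneralizedTime) are parsed and compared with the clock of the device, once with the 01.01.1984 default and once with a synchronized clock. The certificate dates, the clock values and the 5 minute skew tolerance are constructed sample values, not values from the example project.

```python
"""Added example (not part of the Siemens application description): decides
whether a device clock lies inside the validity window of an X.509 certificate,
which is the condition the CP 343-1 Advanced V3 must satisfy before it accepts
the certificate of the SCALANCE S612 V3 during the VPN tunnel setup.
All dates below are constructed sample values."""
from datetime import datetime, timedelta, timezone


def parse_x509_time(value: str) -> datetime:
    """Parse an ASN.1 UTCTime ('YYMMDDHHMMSSZ') or GeneralizedTime
    ('YYYYMMDDHHMMSSZ') string as used in the Validity field of a certificate.
    RFC 5280: UTCTime years 50..99 mean 1950..1999, 00..49 mean 2000..2049;
    later dates must be encoded as GeneralizedTime."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') encoded times are supported")
    digits = value[:-1]
    if len(digits) == 12:                      # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:                    # GeneralizedTime
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unexpected time encoding: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def validity_status(device_time, not_before, not_after, skew=timedelta(minutes=5)):
    """Return 'ok', 'not_yet_valid' or 'expired' for a partner certificate as
    seen from a device whose clock reads `device_time`.  `skew` is a tolerance
    for clock drift between the VPN partners; it is an assumption of this
    example, not a documented parameter of the Siemens modules."""
    nb = parse_x509_time(not_before)
    na = parse_x509_time(not_after)
    if device_time < nb - skew:
        return "not_yet_valid"
    if device_time > na + skew:
        return "expired"
    return "ok"


# Constructed sample: a certificate generated on 12 July 2012 and valid for
# ten years, encoded as UTCTime (the encoding used for years before 2050).
SAMPLE_NOT_BEFORE = "120712100000Z"
SAMPLE_NOT_AFTER = "220712100000Z"

# Clock of a CP that lost its time while switched off (chapter 6.4.1).
CP_DEFAULT_CLOCK = datetime(1984, 1, 1, tzinfo=timezone.utc)
# Clock of the same CP after synchronization via SIMATIC mode or NTP.
CP_SYNCED_CLOCK = datetime(2012, 7, 13, 8, 0, tzinfo=timezone.utc)
# A clock value after the end of the validity period.
CLOCK_AFTER_EXPIRY = datetime(2030, 1, 1, tzinfo=timezone.utc)


def check_cp_clocks():
    """Status of the sample certificate as judged by a CP at three clock values."""
    return {
        name: validity_status(clock, SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)
        for name, clock in (("default_clock", CP_DEFAULT_CLOCK),
                            ("synced_clock", CP_SYNCED_CLOCK),
                            ("clock_after_expiry", CLOCK_AFTER_EXPIRY))
    }


if __name__ == "__main__":
    for name, status in check_cp_clocks().items():
        print(f"{name}: {status}")
```

With the 1984 default clock the certificate is reported as not yet valid; the same check passes as soon as the CP has obtained the current time, which is why the time synchronization must be working before the tunnel is commissioned.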
Resetting the SCALANCE S to factory settings In order to delete all already configured VPN connections or other certificates in SCALANCE S, a reset to factory settings is recommended for this module. For this purpose, the SCALANCE S has a RESET button on the back of the device. If it is pressed for more than 5 seconds (until fault flashes yellow-red) the reset process is started. During the reset process the fault display flashes yellow-red. Once the reset process is completed the device automatically restarts. The SCALANCE S loses its configuration and IP address and is set to 0.0.0.0.
Note Make sure that the power supply is not interrupted during the process.
Resetting the SCALANCE M87x to factory settings In order to delete all already configured VPN connections and other certificates in SCALANCE M875 as well as setting the SCALANCE M87x to default settings the resetting to factory settings is also recommended for these modules. For this purpose, the SCALANCE M87x has a SET button at the front of the device. The reset process will start if this button is pressed for more than 5 seconds (with a pointed object). Thus the SCALANCE M87x also loses its configured IP address and can be reached again via the factory set IP address 192.168.1.1.
Note Make sure that the power supply is not interrupted during the process.
6.4.2 Loading and exporting of SCT configuration
The security configuration tool is the configuration software for all security modules. Since the example application also uses a security CP, the SCT integrated in STEP 7 is used.
Opening of the integrated SCT in STEP 7
As soon as a security CP is integrated in the hardware configuration and the security functions have been activated, the SCT integrated in STEP 7 can be opened in the hardware configuration of the CP via “Edit > Security Configuration Tool”. The login for the included SCT project is: User name: admin, Password: Administrator. This is the password of the example project; assign a password of your own when you create your project, since the SCT project holds the certificates and keys of all VPN participants.
Changing the VPN access address
The CP 343-1 Advanced V3, the SCALANCE M875 and the SOFTNET Security Client actively establish the VPN connection to the SCALANCE S612 V3. The access address is the fixed IP address of the DSL connection in the central station. Below it is explained how the access address has to be changed to match the fixed IP address of your own DSL connection.
Table 6-8
No. Action Remarks
1. Open the Security Configuration Tool integrated in STEP 7 via the hardware configuration of the CP in the remote station 1 as described above. Select the SCALANCE S612 V3 in the content area and open the properties by doubleclicking.
2. Go to the VPN tab and change the role to “Wait for partner”. Enter the fixed IP address of your DSL access of the service center as WAN IP address. Close the window with OK. Note: Even if the S612 is waiting for a connection, a WAN IP address has to be entered. It is required for the creation of the configuration data of the VPN partners, which use it as the tunnel end point.
Loading and exporting configuration files
Loading the configuration data varies depending on the security module and is explained step by step in the following sections.
Table 6-9
Security Module / Procedure
SCALANCE S612 V3: The configuration is downloaded directly from the Security Configuration Tool to the module.
CP 343-1 Advanced V3: The download is performed via the hardware configuration in STEP 7.
SCALANCE M875: The Security Configuration Tool creates a text file with instructions on how the SCALANCE M875 is to be configured via its web-based management. The required certificates are stored together with the text file.
SOFTNET Security Client: The Security Configuration Tool creates a configuration file that has to be imported into the SOFTNET Security Client. The required certificates are stored with it as well.
For saving the configuration data of the SCALANCE M875, proceed as follows: Table 6-10
No. Action Remarks
1. Select All modules in the navigation area and in the content area the SCALANCE M875 (remote2). Start the export of the configuration data via the Transfer to module(s) button.
2. Select the storage folder for the configuration data. The directory can be selected freely.
3. Assign a password for the private key of the certificate.
4. Enter a password in the entry field and repeat it. Close the window with OK.
5. The following files are stored in the selected directory: RemoteAccess.Remote2.txt, RemoteAccess.<character>.Remote2.p12, RemoteAccess.Group2.Central.cer
Note: The .p12 file contains the private key of the SCALANCE M875 for the VPN, protected only by the password from step 3. Use a strong password, transfer the files on a trusted medium and delete the copies once the import into the module is done.
6. The further configuration of the SCALANCE M875 is performed via its web-based management, see chapter 6.5 (Configuration of the SCALANCE M875).
For saving the configuration data of the SOFTNET Security Client, proceed as follows:
Table 6-11
No. Action Remarks
1. Select All modules in the navigation area and in the content area the SOFTNET Security Client (Service). Start the export of the configuration data via the Transfer to module(s) button.
2. Select a storage folder for the configuration data. The directory can be selected freely.
3. Assign a password for the private key of the certificate.
4. Enter the password in the entry field and repeat it. Close the window with OK.
5. The following files are stored in the selected directory: RemoteAccess.Service.dat, RemoteAccess.<character>.Service.p12, RemoteAccess.Group3.cer
6. The further configuration is performed with the SOFTNET Security Client software itself, see chapter 6.7 (Configuration of the SOFTNET Security Client).
For downloading the configuration data to the SCALANCE S612 V3, proceed as follows:
Table 6-12
No. Action Remarks
1. Please change the IP address of your PC/PG according to the screenshot.
2. Connect the PC/PG with the external interface of the SCALANCE S612 V3 via a standard Ethernet cable.
3. Select All modules in the navigation area and the SCALANCE S612 V3 (Central) in the content area. Start the download via the Transfer to module(s) button.
4. Start the transfer via Start.
5. If the download was performed error free, the security module is automatically restarted and the new configuration is activated. This process may take several minutes.
For downloading the configuration data to the CP 343-1 Advanced V3, proceed as follows:
Table 6-13
No. Action Remarks
1. Close the Security Configuration Tool and, if you have made any changes in the Security Configuration Tool, the security message.
2. Save and compile the hardware configuration.
3. For the loading of the SIMATIC station you have to change the IP address of the PG accordingly (e.g. 140.70.0.100). Connect your PC/PG with the free PROFINET interface of the CP 343-1 Advanced V3 or directly with the CPU via a standard Ethernet cable.
4. Load the changes to the controller.
6.5 Configuration of the SCALANCE M875
Note In this chapter it is assumed that the SCALANCE M875 was reset to factory settings and that a SIM card has been inserted.
The SCALANCE M875 is very easily configured with the help of the saved "RemoteAccess.Remote2.txt" text file and its web-based management. Below, the configuration of the SCALANCE M is shown step by step.
Opening web-based management The SCALANCE M875 is setup via the web-based management.
Table 6-14
No. Action Remarks
1. Please change the IP address of your PC/PG according to the screenshot.
2. Connect the PC/PG with the LAN interface of the SCALANCE M875 via a standard Ethernet cable.
3. Open the web-based management of the SCALANCE M. Enter the address https://192.168.1.1 in an internet browser. You are prompted to enter the user name and the password. The factory settings are: User name: admin, Password: scalance. These defaults are publicly documented and are restored by every reset to factory settings; change the password before the module dials into the wireless network.
Entering pin For login to the wireless network the module needs the PIN of the SIM card.
Table 6-15
No. Action
1. Go to “External Network >UMTS/EDGE” Enter the PIN of your SIM card at PIN. Delete all providers that are not used from the provider list via the Delete button or create a new provider via New. Click Save to save the changes.
2. The “Overview” mask shows you information on the connection in the EDGE or UMTS network, the signal strength and the IP address assigned by the provider
Adjusting the IP address
For this example application the SCALANCE M875 communicates with the internal network of remote station 2, network ID 192.168.22.0. Below, the device is configured with an IP address from this network.
Table 6-16
No. Action
1. Go to “Local Network > Basic Settings > Local IPs” Change the internal IP address of the device to 192.168.22.1 Accept the settings with Save. Note: You have to adjust the IP address of your PC/PG accordingly (e.g. 192.168.22.100) and then open the web page with the new address again.
Adjusting time In order to guarantee the validity of the certificates, the SCALANCE M875 has to have the current time.
Table 6-17
No. Action
1. Go to “System > System Time” Configure the current time and accept it with Set. Click the Save button to save your setting.
Configuring the VPN connection For the further configuration, the text file created by the security configuration tool now serves as an aid.
Table 6-18
No. Action
1. Open the RemoteAccess.Remote2.txt text file. It contains step-by-step instructions for the configuration of the VPN connection to the SCALANCE S612 V3. The VPN configuration is performed in 3 steps: download certificates, specify settings, set IKE parameters.
2. Download certificates: Go to “IPSec VPN > Certificates”. Load the two certificates (the .p12 file with the module's own key and the .cer file of the SCALANCE S612 V3) into the module according to the instructions in the text file. For the .p12 file, enter the password you assigned in Table 6-10.
3. The state of the loading process is shown accordingly in the web-based management.
4. Specify settings Go to “IPSec VPN > Connections” and create a new connection via New.
5. Enter a name for the connection and enable it. Accept the settings with Save. Subsequently edit the VPN parameters via Edit.
6. Configure the VPN connection according to your text file and subsequently accept the changes with Save.
7. Set IKE parameters Go to “IPSec VPN > Connections” and select Edit.
8. Configure the IKE settings according to your text file and subsequently accept the changes with Save.
9. VPN connection test As soon as all settings have been transferred to the SCALANCE M875, the router automatically establishes a VPN tunnel to SCALANCE S612 V3. This can be monitored: on the green LED VPN at the module itself and in the web-based management under “IPSec VPN > Status”
6.6 Configuration of the SCALANCE M873
Note In this chapter it is assumed that the SCALANCE M873 was reset to factory settings and that a SIM card has been inserted.
The SCALANCE M873 is the interface of the remote station 1 to the wireless network. Here, the access to the wireless network is also set via the web-based management.
Opening web-based management The SCALANCE M873 is setup via the web-based management.
Table 6-19
No. Action Remarks
1. Please change the IP address of your PC/PG according to the screenshot. Connect the PC/PG with the LAN interface of the SCALANCE M873 via a standard Ethernet cable.
2. Open the web-based management of the SCALANCE M. Enter the address https://192.168.1.1 in an internet browser. You are prompted to enter the user name and the password. The factory settings are: User name: admin, Password: scalance. As with the SCALANCE M875, change this publicly documented default password before the module dials into the wireless network.
Entering pin For login to the wireless network the module needs the PIN of the SIM card.
Table 6-20
No. Action
1. Go to “External Network >UMTS/EDGE” Enter the PIN of your SIM card at PIN. Enter your APN as well as the login in the entry fields provided for this purpose. Click Save to save the changes.
2. The “Overview” mask shows you information on the connection in the EDGE or UMTS network, the signal strength and the IP address assigned by the provider.
Adjusting IP address: The SCALANCE M873 is to communicate with the gigabit interface of the CP 343-1 Advanced V3 in this example application and therefore has to be located in the same network. Below, the internal interface of the router is configured with a suitable IP address.
Table 6-21
No. Action
1. Go to “Local Network > Basic Settings > Local IPs” Change the internal IP address of the device to 140.80.0.1 Accept the settings with Save. Note: You have to adjust the IP address of your PC/PG accordingly (e.g. 140.80.0.100) and then open the web page with the new address again.
Configuring the firewall
The SCALANCE M873 has an internal firewall to protect against unauthorized access. The dynamic (stateful) packet filter checks data packets by means of their source and destination address and blocks unwanted data traffic. For this example application, only data that reaches the SCALANCE M873 from the gigabit interface of the CP 343-1 Advanced V3 should pass.
Table 6-22
No. Action
1. Go to “Security > Packet Filter”. Create a new entry according to the screenshot at Firewall Rules (Outgoing) via the New button. Accept the settings with Save. Note: With this firewall rule only data packets with the source address 140.80.0.3 pass the SCALANCE M873; everything else on the LAN side, including your PG at 140.80.0.100, is blocked. If you want to make further changes in the SCALANCE or monitor its status, you have to change the IP address of your PC/PG accordingly.
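The following Python script is an added example and not part of this application description; it is not the firewall code of the SCALANCE M873. It models the effect of the single outgoing rule from Table 6-22 on a few constructed packets: ordered rules, first match wins, default deny. The rule semantics, the packet fields and the sample destination addresses (documentation ranges) are assumptions of this example; the source addresses 140.80.0.3 and 140.80.0.100 are the ones used on this page.

```python
"""Added example (not part of the Siemens application description): a small
evaluator for packet-filter rules of the kind configured on the SCALANCE M873
in Table 6-22.  Semantics assumed here: rules are checked in order, the first
matching rule decides, and a packet without a match is dropped (default deny).
Packet fields beyond address/protocol/port and the destinations are invented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                  # source IP address
    dst: str                  # destination IP address
    protocol: str             # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "accept" or "drop"
    protocol: str = "any"     # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"    # source network in CIDR notation
    dst: str = "0.0.0.0/0"    # destination network in CIDR notation
    dport: Optional[int] = None   # destination port, None = any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.protocol in ("any", pkt.protocol)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(rules, pkt: Packet, default: str = "drop") -> str:
    """Verdict of an ordered rule list for one packet; default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Outgoing rule set of the SCALANCE M873 as described in Table 6-22: a single
# accept rule for the gigabit interface of the CP, nothing else.
M873_OUTGOING = [Rule(action="accept", src="140.80.0.3/32")]

# Constructed sample traffic arriving on the LAN side of the M873.  The
# destination 198.51.100.10 stands for the DSL access of the service center
# and 203.0.113.7 for an arbitrary internet host (both documentation ranges).
SAMPLE_PACKETS = {
    "cp_ike_to_service_center": Packet("140.80.0.3", "198.51.100.10", "udp", 500),
    "cp_natt_to_service_center": Packet("140.80.0.3", "198.51.100.10", "udp", 4500),
    "pg_to_service_center": Packet("140.80.0.100", "198.51.100.10", "tcp", 22),
    "unknown_host_to_internet": Packet("140.80.0.50", "203.0.113.7", "tcp", 80),
}


def filter_sample_traffic(rules=M873_OUTGOING):
    """Verdict of the outgoing filter for each sample packet."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in filter_sample_traffic().items():
        print(f"{name:28s} {verdict}")
```

Only the two packets from the CP's gigabit interface pass; the PG at 140.80.0.100 and any other host on the LAN segment are dropped, which is the behaviour the note in Table 6-22 warns about when you want to reach the web-based management afterwards.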
6.7 Configuration of the SOFTNET Security Client
Note It is assumed that the PC with the SOFTNET Security Client has an internet connection.
The SOFTNET Security Client is a VPN client software via which the service technician connects from outside to the SCALANCE S612 V3.
Table 6-23
No. Action Remarks
1. In chapter 6.4.2 the required certificates and the configuration file were exported from the Security Configuration Tool and stored. Transfer these files to the PC of the service technician.
2. Open the SOFTNET Security Client on the service PC. The SOFTNET Security Client is configured via Load Configuration.
3. For this purpose navigate to the configuration file and open the .dat file.
4. Enter the password you specified in Table 6-11 for the .p12 certificate.
5. Activate the statically configured nodes.
6. The SOFTNET Security Client now tries to establish a VPN tunnel to the SCALANCE S612 V3. The current status can be called up via Tunnel Overview.
7. If the tunnel is established, the status changes from red to green.
6.8 Configuring the DSL Router
No specific router is discussed for the configuration as the operating screens differ from router to router. Most routers have a web page for the configuration.
Required PC/PG IP address For the configuration of the router you must assign an IP address to your PG/PC which is located in the same network as your router.
Configuration Table 6-24
No. Action Remarks/Notes
1. Open the configuration user interface of the router. This may be additional software, “Telnet” or a web page.
2. Enter the connection data for your internet connection. You have received the login, password etc. from your provider.
3. Switch off dynamic DNS. Your internet access has a fixed IP address.
4. Enter your DNS server. You receive the address together with your access data.
5. Specify a LAN IP address for the router: 172.16.0.1
6. Switch off the DHCP server. SCALANCE S and the PC have fixed addresses.
7. Forward UDP ports 500 (IKE) and 4500 (IPsec NAT traversal) to the same ports of the external interface of the SCALANCE S: UDP port 500 to UDP port 500 of 172.16.41.2, UDP port 4500 to UDP port 4500 of 172.16.41.2. These are the only inbound ports the VPN needs, since all three tunnels are initiated from the remote side; do not forward further ports to the SCALANCE S or to the service PC.
Note: Some routers have an “IPSec Pass through” function. Activate it (if it explicitly exists in your router) in order to support IPSec.
6.9 Final configuration
At the end of the configurations connect the components as described in chapter 6.1 (Networking the components) and adjust the IP address of the service center according to chapter 6.2.1 (IP address of the service center). The security components now start to establish the configured VPN tunnel. Notes on how you can check the status of the VPN connections, can be found in chapter 8.4 (Checking the VPN tunnel status).
7 Configuration of the Example Scenarios 7.1 Configuration of FTPS
7.1.1 Basic configurations
For the use of FTP with a CP 343-1 Advanced V3 as station, configuration steps have to be made upfront, depending on the operating mode. The PG/PC of the service center with the STEP 7 project serves as configuration computer.
CP 343-1 Advanced V3 as FTP client:
- Creating an unspecified TCP connection (Figure 7-1)
CP 343-1 Advanced V3 as FTP server:
- Enabling the security function in CP 343-1 Advanced V3 (Figure 7-2)
- Enabling the FTP server and FTPS (Figure 7-3)
- Creating an FTP user (Figure 7-4)
All these items have already been configured in the example application. Information and precise instructions can be found in Chapter 8.2 (Enabling the security function in CP 343-1 Advanced V3) Chapter 8.6 (Configuration of the FTP connection in NetPro), Chapter 8.7 (Enabling of FTPS in CP 343-1 Advanced V3) and Chapter 8.8 (Creating a user for FTP).
Note In order for the changed configuration to be accepted when loading, “Save/Compile” has to be selected in the HW Config.
Follow the instructions in chapter 6.3.1 (Remote Station 1).
7.1.2 User-specific configuration
For the operation of the FTPS scenarios, the FTP client or FTP server software tools have to be configured accordingly for use with the CP 343-1 Advanced V3 as communication partner and for the use of FTPS. This chapter does not give step-by-step instructions, since the configuration masks of the numerous FTP software tools on the market differ. Below, the points you have to set in your FTP client or FTP server are listed.
Setting for the FTP client
For the FTPS scenario B (see chapter 4.3) you have to configure the following items in your FTP client software:
- The encryption in the FTP client has to be set to “Require explicit FTP over SSL” (or TLS). Figure 7-5
- The IP address of the FTP server is 140.80.0.3 (gigabit interface of the CP 343-1 Advanced V3).
- The login for the FTP server corresponds to the user administration created in the FTP of the CP (see chapter 8.8). In this application the CP was configured as follows: User name and password: ftp_user. This example login uses the user name as password; replace it with a password of your own before the station goes into operation.
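The following Python script is an added example and not part of this application description or of any Siemens product. It shows how an FTP client written with the standard library applies the settings for scenario B listed above: explicit FTP over TLS (AUTH TLS) before the login, a protected data channel (PROT P), and verification of the CP's server certificate against a pinned certificate file. The assumption that the certificate exported from the SCT certificate manager can be used as that file, the `cafile` argument and the function names are assumptions of this example; the address 140.80.0.3 and the user ftp_user are those of the page. Importing the script opens no network connection.

```python
"""Added example (not part of the Siemens application description): an FTPS
client applying the settings of chapter 7.1.2, scenario B (CP 343-1 Advanced
V3 as FTPS server).  Certificate pinning via `cafile` is an assumption of this
example.  Nothing connects when the module is imported."""
import ssl
from ftplib import FTP_TLS

FTPS_SERVER = "140.80.0.3"   # gigabit interface of the CP 343-1 Advanced V3 (chapter 7.1.2)
FTP_USER = "ftp_user"        # user created in the CP (chapter 8.8)


def make_tls_context(cafile=None):
    """TLS settings for explicit FTPS.  With `cafile` pointing at the
    certificate exported from the SCT certificate manager (assumption), only
    that certificate, or one issued by it, is accepted for the CP.  Without it
    the system CA store is used, which does not contain the CP's certificate,
    so the connection is refused rather than silently trusted.  Host-name
    checking is off because the CP is addressed by IP address; the pinned
    certificate file provides the identity check instead."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED   # a server certificate that does not verify aborts AUTH TLS
    return ctx


def context_settings(ctx):
    """The two settings that decide whether the server certificate is enforced."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def upload_with_ftps(local_path, remote_name, password, cafile=None,
                     host=FTPS_SERVER, user=FTP_USER):
    """Explicit FTPS upload: connect in clear text on port 21, upgrade with
    AUTH TLS before the login so that user name and password are never sent
    unencrypted, then switch the data channel to PROT P so the file content is
    encrypted as well (without PROT P only the control channel is protected)."""
    ftps = FTP_TLS(context=make_tls_context(cafile))
    ftps.connect(host, 21, timeout=10)
    ftps.auth()        # AUTH TLS: control channel encrypted from here on
    ftps.login(user, password)
    ftps.prot_p()      # PROT P: data connections encrypted too
    with open(local_path, "rb") as fh:
        ftps.storbinary(f"STOR {remote_name}", fh)
    ftps.quit()


if __name__ == "__main__":
    import sys
    # usage: python ftps_upload.py <local file> <remote name> <password> [<exported .cer file>]
    upload_with_ftps(sys.argv[1], sys.argv[2], sys.argv[3],
                     sys.argv[4] if len(sys.argv) > 4 else None)
```

The order of the calls matters: `auth()` before `login()` keeps the credentials off the wire in clear text, and `prot_p()` after the login protects the file transfer itself; an FTP tool set to “Require explicit FTP over SSL” performs the same two steps behind its dialog.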
Setting for the FTP server
For the FTPS scenario A (see chapter 4.2) you have to configure the following items in your FTP server software:
- The encryption in the FTP server has to be set to “Require explicit FTP over SSL” (or TLS). Figure 7-6
- A user has to be created according to the LOGIN from the FTP_PARAM data block DB181 (see chapter 8.9). In this application the following LOGIN was stored: User name and password: ftp_user. Figure 7-7
- Definition of a directory with the respective access rights.
- Export the project certificate from the certificate manager and import it into the FTP server (see chapter 8.4).
7.2 Configuration of NTP (secure)
7.2.1 Basic configuration
For the use of time synchronization via NTP (secure) with a CP 343-1 Advanced V3, the following configuration steps have to be made upfront:
- Enabling the security function in CP 343-1 Advanced V3
- Enabling the NTP (secure) function in CP 343-1 Advanced V3
- Definition of an NTP server
- Entering the required authentication method and key
The PG/PC of the service center with the STEP 7 project serves as configuration computer.
Table 7-1
No. Action Remarks
1. Open the hardware configuration of the first station (RemoteStation1) and select the CP 343-1 Advanced V3.
2. Open the properties of the CP by
doubleclicking. Enable the security function in the Security tab.
3. Go to the Time-of-Day Synchronization tab and enable NTP and, in addition, the Expanded NTP configuration. Note: If you are asked for the login, enter admin as user and Administrator as password in this example.
4. Via the Run… button you get to the NTP Configuration. Create a new entry via the NTP server… button.
5. Add a new entry to the still empty list via Add….
6. Define a new server. Enter any Name, the IP address of your NTP server and select NTP (secure) as Type. NTP (secure) authenticates the time messages with a key shared between server and client; the time data itself is not encrypted, the key only lets the CP reject messages that were not produced with it. The list can be added to via Add….
7. The Key ID, the Authentication method and the Key have to be identical to the parameters of your NTP server. Enter the values according to the configuration of your NTP server. Close the dialog box with OK.
8. The list of available NTP servers has been expanded by the new entry. Close the dialog box with OK.
9. Back in the NTP configuration, select Time-of-day synchronization with NTP (secure) as Synchronization mode. Assign the NTP server to the CP 343-1 Advanced V3 via Add….
10. The NTP server just defined appears in the reference list. Close the NTP configuration with OK. Close the CP properties and the warning that follows with OK.
11. Save and compile the hardware configuration.
12. Load the changes to the controller. Follow the instructions in chapter 6.3.1.
7.2.2 User-specific configuration
To use the secure time synchronization, the following has to be configured in your NTP server:
– The NTP server has to support authenticated (secure) NTP.
– The key ID, the authentication method and the key have to match between the NTP server and the NTP clients.
If any of the three values differs, the CP cannot verify the server's replies and does not accept the time; the synchronization status can be checked in the special diagnostics of the CP (see chapter 9.5).
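The matching of key ID, authentication method and key required in steps 6 and 7 above and in this section is what RFC 5905 calls symmetric-key authentication: both sides append the key ID and a digest over the shared key and the packet, and a receiver discards packets whose digest it cannot reproduce. The following Python script is an added example and not part of this application description or of any Siemens product; the ntp.keys-style key table, the key IDs, the secrets and the timestamp are constructed for the illustration. It builds an NTP client request, authenticates it with a key from the table, and shows the three mismatch cases (unknown key ID, wrong method, wrong key), each of which leaves the client without a valid time.

```python
"""NTP (secure) symmetric-key authentication as specified in RFC 5905:
client and server share a key identified by a numeric key ID and append
key_id (4 bytes) || H(key || packet) to every packet they exchange.
"""
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800          # seconds between 1900-01-01 and 1970-01-01
DIGEST_LEN = {"MD5": 16, "SHA1": 20}  # MAC length for the two methods offered by STEP 7

# Constructed sample key file in ntp.keys syntax: "<key id> <method> <key>".
# Key IDs, methods and secrets are invented for this example.
SAMPLE_NTP_KEYS = """\
# id  type  key
1     MD5   RemoteStation1Key
2     SHA1  ServiceCenterKey
"""


def parse_ntp_keys(text):
    """Return {key_id: (method, key_bytes)}; 'M' is the traditional alias for MD5."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key_id, method, key = line.split(None, 2)
        method = "MD5" if method.upper() == "M" else method.upper()
        if method not in DIGEST_LEN:
            raise ValueError("unsupported authentication method: " + method)
        keys[int(key_id)] = (method, key.encode("ascii"))
    return keys


def ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_OFFSET) << 32) | frac


def build_client_request(tx_unix_seconds):
    """48-byte NTPv4 mode-3 (client) header with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3        # LI=0, version 4, mode 3 = client
    header = bytes([li_vn_mode, 0, 6, 0xEC])    # LI/VN/mode, stratum, poll, precision
    header += b"\x00" * 12                      # root delay, root dispersion, reference ID
    header += b"\x00" * 24                      # reference, origin and receive timestamps
    header += struct.pack("!Q", ntp_timestamp(tx_unix_seconds))
    return header


def append_mac(packet, key_id, method, key):
    """Authenticate a packet: trailer = key_id || H(key || packet)."""
    digest = hashlib.new(method.lower(), key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message, keys):
    """Check an authenticated 48-byte header (no extension fields) against the key table.

    Returns (True, 'ok') or (False, reason). Each failure reason corresponds to one
    way the CP and NTP server configuration can disagree: key ID, method or key.
    """
    if len(message) < 48 + 4 + min(DIGEST_LEN.values()):
        return False, "packet carries no MAC"
    packet, trailer = message[:48], message[48:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    digest = trailer[4:]
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    method, key = keys[key_id]
    if len(digest) != DIGEST_LEN[method]:
        return False, "digest length does not match method %s" % method
    expected = hashlib.new(method.lower(), key + packet).digest()
    if not hmac.compare_digest(digest, expected):   # constant-time comparison
        return False, "MAC mismatch (wrong key or method)"
    return True, "ok"


if __name__ == "__main__":
    keys = parse_ntp_keys(SAMPLE_NTP_KEYS)
    request = build_client_request(1341100800.5)          # constructed: 2012-07-01 00:00:00.5 UTC
    signed = append_mac(request, 1, *keys[1])
    print(verify_mac(signed, keys))                       # matching table: accepted
    print(verify_mac(signed, {1: ("MD5", b"WrongKey")}))  # same ID and method, other key
    print(verify_mac(signed, {1: ("SHA1", keys[1][1])}))  # same key, other method
```

The key is hashed together with the packet, so the server only ever sees the 20-byte MAC (MD5: 16 bytes) plus the key ID on the wire; what the two sides have to agree on is exactly the three values the STEP 7 dialog asks for. Note that the MAC authenticates the packet but does not encrypt it, which is why the dialog's "encryption" wording in some STEP 7 versions is misleading.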
8 Additional Instructions
The following chapter is provided for information purposes. The time synchronization, the activation of the security and FTPS functions, the configuration of the NetPro connection and the configuration of the VPN connection are already contained in the supplied example project.
Note: For a changed configuration to be accepted when loading, "Save/Compile" has to be selected in HW Config. Follow the instructions in chapter 6.3.1 (Remote Station 1).
8.1 Time synchronization with the SIMATIC mode
A valid time in the CP is essential for establishing the VPN connection, since the certificates used to authenticate the VPN partners are only accepted within their validity period. The following table shows the time synchronization in SIMATIC mode.
Table 8-1
1. Open the hardware configuration of the first station (RemoteStation1) and select the CP 343-1 Advanced V3.
2. Open the properties of the CP by double-clicking. Activate the SIMATIC mode in the Time-of-Day Synchronization tab and select From station as option.
3. Close the properties dialog with OK. Confirm the note that follows also with OK.
4. Select the CPU and open its properties by double-clicking. Go to the "Diagnostics/Clock" tab. Set As master as synchronization type in the CPU and a time interval of 1 second. Close the dialog box with OK.
5. Save and compile the hardware configuration.
6. Load the changes to the controller.
7. To check the current time in the CPU, select the CPU of RemoteStation1 in the SIMATIC Manager and open the respective dialog via the "PLC > Set Time of Day…" menu.
8. Change the time of the controller if required.
9. The CP has now been set to the correct time.
8.2 Enabling the security function in CP 343-1 Advanced V3
In order to use the CP 343-1 Advanced V3 as a VPN node and to use the FTPS and NTP (secure) functions, the security function has to be enabled for this module in the hardware configuration of STEP 7.
Note: The security function can only be enabled if the gigabit interface is connected.
Table 8-2
1. Open the hardware configuration of the first station (RemoteStation1) and select the CP 343-1 Advanced V3.
2. Open the properties of the CP by double-clicking. Enable the security function in the Security tab.
3. You are prompted to create a login for the configuration. Define a user and password and close the dialog with OK.
4. Close the properties dialog of the CP with OK.
5. Confirm the change of the protection level with OK.
6. Save and compile the hardware configuration.
8.3 Configuration with the Security Configuration Tool
The Security Configuration Tool (SCT) is the configuration software for all security modules. Since the example application also uses a security CP, the SCT integrated in STEP 7 is used. This section shows the steps necessary in the Security Configuration Tool to generate the three VPN tunnels.
Opening the integrated SCT
As soon as a security CP is integrated in the hardware configuration and its security functions have been activated, the SCT integrated in STEP 7 can be opened in the hardware configuration of the CP via "Edit > Security Configuration Tool".
Integrating the security modules
The CP 343-1 Advanced V3 is displayed automatically when the SCT integrated in STEP 7 is opened. All other components involved in the VPN are now integrated manually in the SCT:
– SCALANCE S612 V3
– SCALANCE M875
– SOFTNET Security Client
Table 8-3
1. Open the Security Configuration Tool. The created CP is already displayed in the list of modules. Note: When you are asked for a login, enter the user and password that you created when enabling the security function in the CP (see chapter 8.2).
2. Create a new security module in the Security Configuration Tool via the "Right mouse button > Insert Module" context menu or via the respective icon.
3. For the integration of the SCALANCE S612 V3 change the parameters as follows:
– Product type: SCALANCE S
– Module: S612
– Firmware release: V3
– Name of the module: Central (a different name can also be assigned)
– MAC address: enter the MAC address of your module here
– IP address (ext.): 172.16.41.2
– Subnet mask (ext.): 255.255.0.0
– Enable Routing.
– IP address (int.): 192.168.0.2
– Subnet mask (int.): 255.255.255.0
Close the dialog box with OK.
4. The SCALANCE S612 V3 is displayed in the list of modules. Double-click the Standard router column of the SCALANCE S612 V3 and enter the internal IP address of the DSL router (172.16.0.1) here.
5. Repeat step 2 for the configuration of the SCALANCE M875. Change the parameters as follows:
– Product type: SOFTNET Configuration
– Module: SCALANCE M87x
– Name of the module: Remote2 (a different name can also be assigned)
– IP address (ext.): default settings
– Subnet mask (ext.): default settings
– IP address (int.): 192.168.22.1
– Subnet mask (int.): 255.255.255.0
Close the dialog box with OK.
6. Repeat step 2 for the integration of the SOFTNET Security Client in the configuration. Change the parameters as follows:
– Product type: SOFTNET Configuration
– Module: SOFTNET Security Client
– Firmware release: V4
– Name of the module: Service (a different name can also be assigned)
Close the dialog box with OK.
7. All modules are now integrated in the Security Configuration Tool.
Creating the VPN groups
Security modules can establish an IPsec tunnel with each other for secure communication if they are assigned to the same group in the project. Three groups are intended for this application:
– Group 1: communication between SCALANCE S612 V3 and CP 343-1 Advanced V3.
– Group 2: communication between SCALANCE S612 V3 and SCALANCE M875.
– Group 3: communication between SCALANCE S612 V3 and SOFTNET Security Client.
Since a module only reaches the partners in its own groups, this assignment gives each remote station and the service PC a tunnel to the S612 but no tunnel to one another.
Table 8-4
1. Select VPN groups in the navigation area and create a new group via the "Right mouse button > Insert group" context menu.
2. Create three groups in the same way.
3. Now select All modules in the navigation area and drag the modules into the respective groups via drag&drop. The following assignments apply:
– Group1: SCALANCE S612 V3, CP 343-1 Advanced V3
– Group2: SCALANCE S612 V3, SCALANCE M875
– Group3: SCALANCE S612 V3, SOFTNET Security Client
As soon as a module has been assigned to a group, the color of its key icon changes from gray to blue.
Switching to advanced mode
The Security Configuration Tool has two operating views:
– The standard mode for the use of simple predefined firewall rules and basic setting options.
– The advanced mode for defining specific firewall rules with extended setting options.
For the configuration of the example scenarios FTPS and NTP (secure), switch to the advanced mode via "View > Advanced Mode".
Note: Once the current project has been switched to advanced mode, this cannot be undone.
Configuring the VPN parameters
The VPN tunnel connection is always initiated by the VPN client. In this application the following roles are specified for the security modules:
– VPN client: SOFTNET Security Client, CP 343-1 Advanced V3, SCALANCE M875
– VPN server: SCALANCE S612 V3
The SOFTNET Security Client can only be a VPN client; the CP 343-1 Advanced V3, the SCALANCE M875 and the SCALANCE S612 V3 can take on both roles. To assign the VPN role and the connection address, proceed as follows:
Table 8-5
1. Select the SCALANCE S612 V3 in the content area and open its properties by double-clicking. Go to the VPN tab and change the role to "Wait for partner". Enter the fixed IP address of the DSL access of your service center as WAN IP address. Close the window with OK. Note: Even though the S612 waits for the connection, a WAN IP address has to be entered. It is needed to create the configuration data of the VPN partners, which contact the S612 at this address.
Changing the group parameters
For a VPN connection with the SCALANCE M875 and the SOFTNET Security Client, the VPN group parameters are adjusted automatically by the Security Configuration Tool: the SA lifetimes for phase 1 and phase 2 are set to 1440 minutes. Confirm the note that appears when saving the configuration files with OK.
8.4 Checking the VPN tunnel status
As soon as the security modules have been configured and loaded, the active partners start to establish a connection to the VPN server. The status can be monitored in several ways:
In the SCALANCE M875:
– at the green VPN LED on the module itself
– in the web-based management under "IPSec VPN > Status"
Figure 8-1
In the SOFTNET Security Client:
– the status changes from red to green.
Figure 8-2
In the SCALANCE S612 V3 and CP 343-1 Advanced V3:
– via the online view in the Security Configuration Tool.
Figure 8-3
8.5 Importing/exporting the certificates
All certificates created by the Security Configuration Tool can be managed via the certificate manager (see chapter 3.4.2). Other certificates can be imported, and certificates can also be exported, e.g. for the FTP server.
Importing certificates
Table 8-6
1. Open the Security Configuration Tool. Note: When you are asked for a login, enter the user and password that you created when enabling the security function in the CP (see chapter 8.2).
2. Open the certificate manager via "Options > Certificate manager".
3. Via the Import… button you can insert your own certificates.
Exporting certificates
For the verification of the nodes in secure applications such as FTPS, certificates are required. They are transferred to the CP 343-1 Advanced V3 when the configuration is loaded. To make the certificates available to external applications as well, the certificates created by the Security Configuration Tool can be exported.
Table 8-7
1. Select the required certificate in the certificate manager and export it via the Export… button.
2. Select a storage location.
3. If you need the certificate on the PC you are currently working on, you can also install it directly via the "Right mouse button > Install certificate" context menu.
8.6 Configuration of the FTP connection in NetPro
FTP is based on a TCP connection that is created via NetPro for the CP 343-1 Advanced V3.
Table 8-8
1. Open the hardware configuration of the first station (RemoteStation1) and open NetPro via the respective icon.
2. Select the CPU of RemoteStation1. Click the first line of the connection table and create a new connection via the "Right mouse button > Insert New Connection" context menu.
3. Select an unspecified connection partner and TCP as connection type. Close this dialog and the message that appears with OK.
4. Make sure that the ID is "1". Enable the Use FTP protocol checkbox and close the dialog with OK. Note: If the ID is not "1", the STEP 7 program has to be changed (see chapter 8.9 (Changing the FTP parameters in the STEP 7 program)).
5. A new TCP connection has been created for RemoteStation1.
6. Save and compile your configuration in NetPro. If the compilation finished without errors, close NetPro.
7. Load the changes to the controller.
8.7 Enabling of FTPS in CP 343-1 Advanced V3
The use of secure FTP (FTPS) has to be enabled in the CP 343-1 Advanced V3.
Table 8-9
1. Open the hardware configuration of the first station (RemoteStation1) and select the CP 343-1 Advanced V3.
2. Open the properties of the CP by double-clicking. Enable the security function in the Security tab.
3. Activate the FTP Server functionality and the FTPS option in the FTP tab. Close the dialog box with OK.
4. Save and compile the hardware configuration.
5. Load the changes to the controller.
8.8 Creating a user for FTP
The connection between an FTP client and FTP server may only be used by specified users. Each user can be assigned different rights.
Note Information on user administration can be found in chapter 3.4.3.
Table 8-10
1. To open the user administration, click Run… in the FTP tab of the properties dialog of the CP. Note: You can also open the user administration in the Security Configuration Tool via "Options > User Management".
2. The start mask lists all users already configured, with their names and roles.
3. Each user is assigned either a system-defined or a user-defined role. Create a user-defined role in the Roles tab with the Add… button.
4. Select the CP 343-1 Advanced V3 in the object column. Assign a Name for the role and enable or disable the Rights of the role for the new user in the respective list. Enable only the rights the FTP user actually needs. Close the window with OK.
5. The new role has been created and appears in the overview table. Go back to User.
6. You can create further users via Add.
7. Enter a Name and Password. Select the previously defined role from the selection list. Close the window with OK.
8. The new user is shown in the overview table. Close the window with OK.
9. Acknowledge the warning with OK.
10. Close the properties of the CP 343-1 Advanced V3 and the message that appears.
11. Save and compile the hardware configuration.
12. Load the changes to the controller.
8.9 Changing the FTP parameters in the STEP 7 program
Adjusting the connection ID
If you create your own TCP connection in NetPro and its connection ID is not "1", the STEP 7 program has to be adjusted. For this purpose, open OB 1 of RemoteStation1 and set the CONN_ID parameter to the ID specified in NetPro:
Figure 8-4
Save the block and download it to the CPU.
Changing the file name
The data sent to the server via FTP is saved under the name <Date>Production.bin (see also chapter 4.2 (Functionality scenario A)). If you want a different name instead of Production.bin, you can change it in DB 181:
Figure 8-5
Save the block and download it to the CPU.
Changing the LOGIN data for the FTP server
In DB 181 you can also adjust the LOGIN data and the IP address for access to the FTP server as required.
Figure 8-6
Save the block and download it to the CPU.
Note that the login data in DB 181 is part of the standard STEP 7 program, which can be uploaded from the CPU (see chapter 9.2); whoever can read the program can read these credentials. Give this FTP account only the directory and access rights it needs on the FTP server and do not reuse its password elsewhere.
9 Operating the Application
This chapter shows the following functionalities in selected scenarios:
– Standard STEP 7 PG and online functions
– HTML-based access to the web servers in the modules
– Secure data exchange via FTP
– Secure time synchronization via NTP (secure)
All scenarios are carried out from the PG/PC of the service center station.
Note: For direct access of the service technician's PG to the remote stations, the document "Secure Remote Access to SIMATIC Stations with the SOFTNET Security Client via Internet and UMTS" is available on the same HTML page as this document.
More information on the access of the service technician to the remote stations via the service center can be found in the document "Remote Control Concept with SCALANCE S Modules over IPsec secured VPN Tunnel" (see /12/ in chapter 10 (Literature)).
9.1 Requirement
For the operation of these scenarios, the following requirements apply:
– The IP addresses of the components have to be configured according to Table 5-1.
– The final configuration has to be completed as described in chapter 6.9 (Final configuration).
– The VPN tunnels have to be established (see chapter 8.4 (Checking the VPN tunnel status)).
9.2 Scenario: Standard STEP 7 PG and online functions
Description
In this scenario the following items are shown:
– all online system diagnostics functions (diagnostic buffer of the CPU, module state, operating state, monitoring/controlling, etc.)
– controlling and monitoring of variables
– monitoring of program states
– download of the complete STEP 7 program and upload of the standard STEP 7 program (without the security parts)
Online system functions
Table 9-1
1. Open the hardware configuration of the first station (RemoteStation1). Go to the online view.
2. If an access address is requested, select 140.80.0.3 (gigabit interface of the CP 343-1 Advanced V3).
3. In the online view the operating states of the components are displayed by the respective icons.
4. Open the diagnostic buffer of a component by double-clicking the desired module.
5. The CP 343-1 Advanced V3 additionally provides Special diagnostics. You can open the NCM diagnostics in online mode on the CP via the Special Diagnostics button.
6. This is where you find further information on the operating state, connection status, clock synchronization etc.
Note: The operating states, diagnostic functions, topology and further functions can also be found on the web pages of the CPU or the CPs (see chapter 9.3 (Scenario: HTML-based access to the web servers)).
Monitoring and controlling variables
Table 9-2
1. Open the FTP variable table in the block folder of the first station (RemoteStation1).
2. This table contains all variables that are relevant for the FTP scenario. Go to online mode via the respective button. In this mode the variables can be monitored or controlled.
Monitoring the program
Table 9-3
1. Open the SIM_Process_Infos block FB183 in the block folder of the first station (RemoteStation1).
2. This program simulates the process variables. Go to online mode via the respective button. In this mode you can monitor the program online.
Upload and download of the STEP 7 program
Table 9-4
1. To download the program to the CPU, select the first station (RemoteStation1) and download the STEP 7 project to the CPU via the Download button.
2. If an access address is requested, select 140.80.0.3 (gigabit interface of the CP 343-1 Advanced V3).
3. To upload the project from the CPU, use the "PLC > Upload Station to PG…" menu. Note: The security parts cannot be uploaded from the CPU to the PG.
9.3 Scenario: HTML-based access to the web servers
Table 9-5
1. Open an internet browser on the PC of the service center.
2. The web server of the CPU of RemoteStation2 has been enabled in the hardware configuration and can therefore be opened.
3. Enter the IP address of your CPU (192.168.22.11) in the address bar. The web page opens.
4. On the web page you find all diagnostic and module information, the topology (if configured), variable tables and other functions.
5. The web server of the CP has been enabled in the hardware configuration and can therefore be opened.
6. The web page of the CP 343-1 Advanced V3 of RemoteStation1 can be reached via https://140.80.0.3. The CP requests a login for access; user name and password correspond to the login of the Security Configuration Tool. In this example: user name admin, password Administrator (credentials of the example project; replace them with your own login, see chapter 8.2). Clicking Login opens the web page.
7. Apart from the standard information you also find details on security…
8. … media redundancy…
9. … and an update center for firmware updates, IP access tables etc.
9.4 Scenario: Secure FTP access
The FTPS scenario is divided into two transmission directions. In scenario A the CP 343-1 Advanced V3 is the active station: as FTP client it sends the process data simulated by the CPU as a binary file to a computer in the central station. Scenario B shows the reverse direction: here the computer in the central station is the active partner and accesses the file system of the CP in order to e.g. copy, delete or insert files.
Requirements
For operating these scenarios the respective requirements (see chapter 4.2 (Functionality scenario A) and chapter 4.3 (Functionality scenario B)) have to be met. Depending on the scenario, the FTP server or the FTP client has to be started on the PC.
Scenario A
The file transfer from the CP 343-1 Advanced V3 to a remote computer can be started in two ways:
– via the FTP variable table and the START variable
– via the HMI panel
Table 9-6
1. Open the FTP variable table in the block folder of the first station (RemoteStation1).
2. This table contains all variables that are relevant for the FTP scenario. Go to online mode via the respective button. In this mode the variables can be monitored or controlled.
3. Select the first variable "iDB_FTP_PROCESS".START and set it to 1 via "Right mouse button > Modify Address to 1".
4. Alternatively, you can also start the FTP transfer via the panel.
5. The FTP transfer starts and, once the FTP routine has completed, a binary file is stored on the PC. The target directory was defined in the FTP server configuration.
Scenario B
Table 9-7
1. Open the FTP client on the PC and connect to the FTP server on the CP 343-1 Advanced V3.
2. When you are asked for a password, enter ftp_user.
3. By confirming the certificate with OK you classify the CP as trustworthy. Before doing so, compare the certificate shown with the one exported from the certificate manager (chapter 8.5): accepting an unverified certificate on first contact would equally accept a host impersonating the CP.
4. The file system of the CP 343-1 Advanced V3 is shown and can be edited (add, delete, copy files, etc.).
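In step 3 the FTP client asks you to accept the CP's certificate. Instead of trusting whatever certificate is presented on first contact, a scripted client can check it against the certificate exported from the Security Configuration Tool (chapter 8.5). The following Python script is an added example and not code from this application description or from Siemens; the IP address 140.80.0.3 and the user name ftp_user are taken from the example project, while the certificate file name, the fingerprint placeholder and the password are assumptions to be replaced. It opens an FTPS session to the CP 343-1 Advanced V3 with Python's standard ftplib, pins the SHA-256 fingerprint of the server certificate, and switches the data connection to PROT P so that directory listings and file contents are encrypted as well as the login.

```python
"""FTPS (FTP over TLS) client for scenario B that verifies the CP's server
certificate instead of accepting whatever the GUI dialog shows.
"""
import hashlib
import ssl
from ftplib import FTP_TLS


def sha256_fingerprint(der_certificate):
    """Hex SHA-256 fingerprint of a DER-encoded certificate, as certificate viewers show it."""
    return hashlib.sha256(der_certificate).hexdigest()


def normalize_fingerprint(text):
    """Accept 'AB:CD:..' or 'abcd..' as pasted from a certificate viewer."""
    return text.replace(":", "").replace(" ", "").lower()


def build_ftps_context(ca_pem_path=None):
    """TLS context that requires a server certificate chaining to the exported SCT certificate.

    The SCT certificate names the module, not the IP address we dial, so hostname
    matching is switched off and a fingerprint pin is applied after the handshake instead.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # lower only if the CP firmware cannot negotiate it
    if ca_pem_path is not None:
        ctx.load_verify_locations(cafile=ca_pem_path)   # certificate exported in chapter 8.5
    return ctx


def connect_ftps(host, user, password, expected_fingerprint, ca_pem_path=None, timeout=10):
    """Open an FTPS session to the CP, pin the peer certificate and protect the data channel."""
    ftps = FTP_TLS(context=build_ftps_context(ca_pem_path), timeout=timeout)
    ftps.connect(host, 21)
    ftps.auth()                                    # AUTH TLS on the control connection
    peer_der = ftps.sock.getpeercert(binary_form=True)
    if sha256_fingerprint(peer_der) != normalize_fingerprint(expected_fingerprint):
        ftps.close()
        raise ssl.SSLError("CP certificate fingerprint does not match the exported certificate")
    ftps.login(user, password)                     # credentials travel inside TLS only
    ftps.prot_p()                                  # PROT P: encrypt the data connections too
    return ftps


def list_cp_files(host, user, password, expected_fingerprint, ca_pem_path=None):
    """Directory listing of the CP file system over the pinned FTPS session."""
    ftps = connect_ftps(host, user, password, expected_fingerprint, ca_pem_path)
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    # Assumed values: the fingerprint must be read from the certificate exported in
    # chapter 8.5, the PEM file name is arbitrary, the password is the example project's.
    print(list_cp_files("140.80.0.3", "ftp_user", "ftp_user",
                        "<sha256-of-exported-certificate>", ca_pem_path="cp343_export.pem"))
```

The fingerprint to pin is the SHA-256 hash of the DER-encoded certificate exported in chapter 8.5 (certificate viewers show it as colon-separated hex, which normalize_fingerprint accepts). The context requires TLS 1.2; a CP 343-1 Advanced V3 with 2012 firmware may only negotiate an older protocol version, in which case lower minimum_version deliberately and document the exception rather than disabling certificate verification.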
9.5 Scenario: Secure time synchronization via NTP (secure)
For operating these scenarios the requirements from chapter 7.2 (Configuration of NTP (secure)) have to be fulfilled.
Table 9-8
1. Start the NTP server. The PC running the NTP server should be in the same LAN as the CP.
2. You can follow the status of the time synchronization via the special diagnostics of the CP 343-1 Advanced V3.
10 Literature
The following lists are by no means complete and only provide a selection of appropriate sources.
Bibliographic References
Table 10-1
/1/ SCALANCE M875 UMTS router: SCALANCE M875 operating instructions, http://support.automation.siemens.com/WW/view/en/58122394
/2/ CP 343-1 Advanced: Manual part B CP 343-1 Advanced, http://support.automation.siemens.com/WW/view/en/61199572
/3/ SIMATIC NET Security: SIMATIC NET Industrial Ethernet Security, Basics and application, Configuration Manual, http://support.automation.siemens.com/WW/view/en/56577508
/4/ SCALANCE M873: System manual SCALANCE M873, http://support.automation.siemens.com/WW/view/en/49507278
/5/ Getting Started: SIMATIC NET Industrial Ethernet Security, Setting up security, Getting Started, http://support.automation.siemens.com/WW/view/en/61630590
/6/ SCALANCE S V3: SIMATIC NET Industrial Ethernet Security, SCALANCE S V3.0 Commissioning and Hardware Installation Manual, http://support.automation.siemens.com/WW/view/en/56576669
Internet links
Table 10-2
/7/ Siemens Industry Online Support: http://support.automation.siemens.com
/8/ Country approval for M875: http://www.automation.siemens.com/mcms/industrial-communication/en/support/ik-info/Documents/Online_CountryApprovals_GSM_UMTS_products.pdf
/9/ How do you integrate an HMI operator panel into a local network? http://support.automation.siemens.com/WW/view/en/13336639
/10/ What firewall rules have to be configured for the SCALANCE S in order to get to the internet with the PG/PC via the SCALANCE S and router? http://support.automation.siemens.com/WW/view/en/26517928
/11/ What firewall rules have to be configured for the EGPRS router MD741-1 in order to get to the internet with the PG/PC from the LAN of the MD741-1? http://support.automation.siemens.com/WW/view/en/31525978
/12/ Remote Control Concept with SCALANCE S Modules over IPsec-secured VPN Tunnel: http://support.automation.siemens.com/WW/view/en/22056713
/13/ How do I proceed if the required modules are missing in the module catalog of the hardware configuration of STEP 7? http://support.automation.siemens.com/WW/view/en/29594775
/14/ Security with SIMATIC NET: http://support.automation.siemens.com/WW/view/en/27043887
/15/ Information on Industrial Security: http://support.automation.siemens.com/WW/view/en/50203404
11 History
Table 11-1 History
V1.0 (04.04.2007): First issue.
V2.0 (11.09.2008): Update to EGPRS router MD741-1 and SCT V2.2; expansion of the scenarios to process devices that can be configured via SIMATIC PDM.
V2.1 (14.02.2011): Notes and corrections added.
V2.2 (07.09.2011): Chapters 4.8.2 and 4.8.3 added.
V3 (01.07.2012): Complete revision of the documentation; integration of the new security modules CP 343-1 Advanced V3, SCALANCE M875 and SCALANCE S V3; new scenarios FTPS and NTP (secure).