Geo SCADA Expert OPC-XML DA Authentication

BevanWeiss · ‎2021-04-01

In a similar vein as per my SOAP authentication problem, I have a similar problem with OPC-XML DA.

I'm using the Advosol OPC-XML DA Test Client, and if 'Everyone' has full Read/Browse permissions, then I can happily issue Browse / Read requests and get all the data.

If I then remove permissions from 'Everyone' and try to use 'Basic Authentication' with username/password set as a valid username/password for full system access (domain left blank), then I'm again unable to Browse anything, and Reads come back with E_ACCESSDENIED (apart from on things related to Server / System Status). I expect this is because the http://localhost/webservices/scx endpoint doesn't force any 401 authentication challenge (to which the basic authentication might be provided).

It also appeared that the webservices weren't bound on the IPv6 localhost ::1 address which might become an issue in the eventual migration to IPv6 in the SCADA space.

Is there a custom security mechanism used for Geo SCADA Expert and OPC-XML DA?

@AdamWoodland / @sbeadle I suspect this is likely more a question for the two of you, unless this is a case of RTFM somewhere 😉

Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..

BevanWeiss · ‎2021-04-08

And the answer is.... using a standard OPC-XML client will be VERY difficult for this.

It currently requires the use of cookies. Which are only available from the /logon endpoint.

So it will require a bespoke OPC-XML client (as far as I'm aware none of the clients out there will allow for a different endpoint to be specified with a custom POST body to get the cookies for authentication)...

Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..

See Answer In Context

AdamWoodland · ‎2021-04-06

From what I remember when I asked this question in the past, OPC-XML-DA standard doesn't define any authentication mechanism so whatever those fields do its not as per the standard and they should be left blank.

So yeah, it means if you want to use OPC-XML-DA against Geo SCADA you need to allow Guest/Everyone read access at least to the data.

BevanWeiss · ‎2021-04-06

The OPC-XML DA specification does mention

Please refer to OPC Security Custom Interface Standard for additional insight into security concepts.

Which is an entirely seperate document

http://advosol.com/OpcSpecs/OPC%20Security%201.00%20Specification.pdf

Which itself mentions options being either DCOM Security or OPC Security (since it was created for OPC-DA).

For OPC-XML then DCOM Security makes limited sense, so OPC Security would have been the ideal way.

Given the portability of OPC-XML, and the Geo SCADA Expert security model not being purely NT-Token based, it would have made sense to support the Private Credential security interface (vs the NT Credential security interface), by implementing the below interface

IOPCSecurityPrivate
HRESULT IsAvailablePriv([out] BOOL *pbAvailable);;
HRESULT Logon([in, string] LPCWSTR szUserID, [in, string] LPCWSTR szPassword);
HRESULT Logoff(void);

Which I believe would have been a 1:1 connection to the existing Geo SCADA Expert web client situation (i.e. Logon, Logoff, leveraging HTTPS transport encryption), and connections being tracked and 'stateful'.

Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..

BevanWeiss · ‎2021-04-08

And the answer is.... using a standard OPC-XML client will be VERY difficult for this.

It currently requires the use of cookies. Which are only available from the /logon endpoint.

So it will require a bespoke OPC-XML client (as far as I'm aware none of the clients out there will allow for a different endpoint to be specified with a custom POST body to get the cookies for authentication)...

Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..