A forum for topics related to the scope of Modicon PAC offers and ecosystem along the whole lifecycle: Modicon M580 and 340, EcoStruxure Control Expert, EcoStruxure Process Expert (Unity Pro) and more.
Posted: 2023-02-16 06:49 PM
M580 NUA100 OPC-UA Module
When using the NUA0100 OPC-UA module in CA mode, the CSR generated by the module has three IP addresses in the Subject Alternative Name field.
1. Backplane IP
2. Control Port IP
3. Default IP based on MAC address.
We've recently discovered by accident that if any of the IP addresses within the Subject Alternative Name field are incorrect, the module will drop the certificate on restart and revert to a self-signed certificate and provide you with absolutely no indication of why it's done this (whilst politely refusing to go into run mode).
I expect that the "Security Export" of this module contains all the module's certificates and private key and is intended to allow someone to restore the configuration onto another card in the event of failure, given that a password must be entered to secure the information in the export.
If the OPC-UA module is being used in critical infrastructure, such as a water treatment plant, and it fails out of hours, then I would expect an on-call maintenance technician to be able to arrive on site and replace it - especially if the module is being used as Schneider promote as the future planned link between GeoSCADA and M580 PACs.
The problem is that the technician can't get the module going again. The replacement module has a different default IP address (because it has a different MAC address) and after he restores the configuration and restarts the module the certificate is dropped and the unit will refuse to go into run.
This is pointless and means that a failed OPC module in CA mode can't be replaced out of hours without someone from ICT being woken up to generate a new certificate that matches the default IP address of the replacement unit.
It seems like an oversight and is a big enough operational risk that I would not recommend using the modules in CA mode anywhere where it forms part of a critical communication link.
The module needs to be updated to remove the default IP address from the Subject Alternative Name - it doesn't need to be there, and nothing remotely is talking to it using this IP anyway.
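
The mismatch described in this post can be checked before a spare is fitted. The following is an added example, not part of the original post and not Schneider tooling: it parses the SAN text that `openssl x509 -noout -ext subjectAltName` prints and compares it with the three addresses the replacement module will hold. The function names and all addresses are constructed, and the spare's default IP is assumed to be known to the operator.

```python
import ipaddress
import re

# Constructed sample: SAN text as printed by
#   openssl x509 -in module_cert.pem -noout -ext subjectAltName
# for the certificate issued to the failed module (all addresses invented).
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    IP Address:192.168.10.5, IP Address:172.16.1.5, IP Address:10.10.12.34
"""

def san_ips(openssl_text):
    """Return the set of IP SAN entries found in openssl's text output."""
    found = re.findall(r"IP Address:([0-9A-Fa-f:.]+)", openssl_text)
    return {ipaddress.ip_address(value) for value in found}

def check_replacement(openssl_text, backplane_ip, control_ip, default_ip):
    """Compare the certificate's IP SANs with the addresses the module will hold.

    Returns (missing, stale):
      missing - role -> address the module will have but the certificate lacks
      stale   - certificate addresses that match none of the module's addresses
    Either being non-empty is the mismatch condition the post describes.
    """
    expected = {
        "backplane": ipaddress.ip_address(backplane_ip),
        "control_port": ipaddress.ip_address(control_ip),
        "default": ipaddress.ip_address(default_ip),
    }
    in_cert = san_ips(openssl_text)
    missing = {role: str(ip) for role, ip in expected.items() if ip not in in_cert}
    stale = sorted(str(ip) for ip in in_cert - set(expected.values()))
    return missing, stale

if __name__ == "__main__":
    # Spare module: same configured IPs, different MAC-derived default IP.
    missing, stale = check_replacement(
        SAMPLE_SAN_TEXT, "192.168.10.5", "172.16.1.5", "10.10.56.78")
    for role, ip in missing.items():
        print(f"certificate lacks {role} address {ip}")
    for ip in stale:
        print(f"certificate carries address not on this module: {ip}")
    print("reissue needed" if missing or stale else "certificate matches module")
```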