
FAQ · 10/2015

How do you encrypt the connection between SIMATIC Logon and a Comfort Panel or a WinCC Runtime Advanced?

SIMATIC Logon V1.5 SP3, WinCC V13 SP1 Update 4, HMI Operator Panels

https://support.industry.siemens.com/cs/wwen/109480490
This entry originates from the Siemens Industry Online Support. The conditions of
use specified there apply (http://www.siemens.com/terms_of_use).

Security Notes
Siemens offers products and solutions with industrial security functions which support the secure operation of plants, solutions, machines, devices and/or networks. They are important components in a comprehensive industrial security concept. The Siemens products and solutions continue to be developed under this aspect. Siemens recommends that you keep yourself regularly informed about product updates.
For the safe operation of Siemens products and solutions it is necessary to take appropriate security measures (cell protection concept, for example) and to integrate each component in an overall industrial security concept which is state of the art. This should also cover the third-party products used. Additional information about industrial security is available at: http://www.siemens.com/industrialsecurity.
In order to keep yourself informed about product updates, we recommend subscribing to our product-specific newsletter. Additional information about this is available at http://support.industry.siemens.com.
© Siemens AG 2015 All rights reserved

Contents
1 Introduction .................................................................................................... 3
1.1 Requirements .................................................................................... 3
2 Installation and Configuration of SIMATIC Logon ........................................ 4
2.1 Software Installation .......................................................................... 4
2.2 Configuration of SIMATIC Logon ....................................................... 4
2.2.1 Requirements .................................................................................... 4
2.2.2 Configuration of the Encryption .......................................................... 4
2.2.3 Authentication and Handling of Certificates ........................................ 6
3 HMI Runtime Settings..................................................................................... 7
4 Generation of Certificates and Keys.............................................................. 8
4.1 Certificates and Private Keys ............................................................. 8
4.1.1 Create Certificates ............................................................................. 8
5 Troubleshooting ........................................................................................... 13

SIMATIC Logon, HMI-Devices
Entry ID: 109480490, V1.0, 10/2015

1 Introduction
SIMATIC Logon
SIMATIC Logon enables centralized plant-wide user administration.
The user data is stored and managed on a central logon server via the user
administration of the Windows operating system.

SIMATIC Logon V1.5 SP3 and higher provides the following options among others:
· Establish an encrypted connection using Transport Layer Security (TLS v1.2).
With TLS V1.2 you can encrypt all the communication between the server
"SIMATIC Logon computer" and the client.
· Add/remove certificates and private keys.

Manual
More information about "SIMATIC Logon" is available in Entry ID 34519648.

Product news
More information about "SIMATIC Logon V1.5 SP3" is available in Entry ID
107601962.

1.1 Requirements
Software requirements
The following software versions must be installed:
· WinCC TIA V13 SP1 Update 4 or higher for configuring the HMI operator
panels
· SIMATIC Logon V1.5 SP3 (with TLS V1.2) or higher.

HMI requirements
The HMI operator panels must be configured with WinCC V13 SP1 or higher.
Secure and encrypted communication connections between SIMATIC Logon and
HMI operator panels are supported with:
· Comfort Panels.
· KTP Mobile Panels.
· RT Advanced V13 SP1 Update 4 or higher.

Note With WinCC up to and including V13, configured HMI operator panels can
establish only unencrypted connections to a SIMATIC Logon server V1.5 SP3
(with TLS V1.2).

2 Installation and Configuration of SIMATIC Logon
2.1 Software Installation
Service Pack 3 for SIMATIC Logon V1.5, and more information about the Service Pack, is available in Entry ID 107595563.

Note Refer to the "Installation Notes".

2.2 Configuration of SIMATIC Logon


2.2.1 Requirements

Windows Group Memberships


You are a member of the Windows groups:
· "Default user"
· "Logon_Administrator"

Note Operation in a Windows domain environment:
The users for installing and configuring SIMATIC Logon must be direct members of a Windows group. They must not be members of a subgroup of a Windows group.

Certificates
You already have valid certificates for SIMATIC Logon and your HMI operator
panel.

Note The section entitled "Certificates and Private Keys" shows you the options for
procuring or creating certificates.

2.2.2 Configuration of the Encryption

Table 2-1
No. Description
1. In the Windows Start menu you click "Start > All Programs > Siemens Automation > SIMATIC > SIMATIC Logon > Configure SIMATIC Logon".
2. Enter your logon data in the input fields of the Logon dialog.
3. Select the "Certificate" tab.
   Note: Information about certificates is available in the section entitled "Certificates and Private Keys".
4. In the "Certificate" field you select the certificate file ending in "CERT.pem" and in the "Private key" field you select the key ending in "KEY.pem".
   Note: The certificate and private key can be contained in one or two .pem files.
5. Enable the option "TLS-secured connection". Then click "Apply" and restart the computer.
   Note: If you are also working with older operator panels and SIMATIC Logon, you must also set the option "Non-secured connection".

2.2.3 Authentication and Handling of Certificates

If you are using a secure encrypted connection, the first time a connection is
established a comparison is made between the SIMATIC Logon certificate and the
local certificate of the HMI operator panel. A positive match has to be confirmed
before a secure encrypted connection can be established.

Note
- When the first connection is established, the compared certificate is stored under "C:\ProgramData\Siemens\CoRtHmiRTm\SimaticLogon\rejected". Note here that the "ProgramData" folder is hidden by the operating system!
- If you trust the certificate of the server, then copy the certificate into the local certificate storage directory at the appropriate location below:
  · On the PC under "C:\Programs\Siemens\CoRtHmiRtm\SimaticLogon\Certs".
  · On HMI panels under "\flash\simatic\SimaticLogon\certs".

3 HMI Runtime Settings


The table below shows the Runtime settings to be made in WinCC V13 SP1 for an encrypted connection, using a project for a Comfort Panel TP900 as the example.
The project must have been transferred to the Comfort Panel TP900 and a
connection established to the SIMATIC Logon server.
How to use SIMATIC Logon is described in Entry ID 72928098.

Table 3-1
No. Description
1. In the project navigation you double-click the Comfort Panel "HMI_1 (TP900 Comfort)" which has already been created. (1)
2. Double-click the menu item "Runtime settings". (2)
3. In the configuration area you click "User administration". (3)
4. In the SIMATIC Logon area:
   · Enable the "Enable SIMATIC Logon" option. (4)
   · Under "Apply user administration from" you select the "Windows computer" option. (5)
   · Under "Server data", in the "Server name:" field you enter the IP address of the SIMATIC Logon server and in the "Port number:" field you enter the number "16389". (6)
   · Enable the "Encrypted transfer:" option. (7)

4 Generation of Certificates and Keys


4.1 Certificates and Private Keys

For access management with "SIMATIC Logon Remote Access" you can use a
secured connection with a valid "certificate".
· Without a valid "certificate" you can only use non-secured connections.
· There are basically two options for accessing certificates:
– You can use self-signed certificates.
– You can use certificates of a certification authority.

Note This entry shows you how to create self-signed certificates and use them with
SIMATIC Logon.

4.1.1 Create Certificates

You can create your own certificates and private keys using the software OpenSSL (1), for example.

Note For this entry we have used the Win64 OpenSSL 1.0.2d version and a 64-bit operating system.

Install OpenSSL
Follow the installation steps.
In the "Select Additional Tasks" window, for "Copy OpenSSL DLLs to:" you select the option "The Windows system directory".

(1) http://slproweb.com/products/Win32OpenSSL.html


Create Configuration File "openssl.cnf"
OpenSSL requires the configuration file "openssl.cnf" for generating the certificates and private keys. All the certification settings are written to this file.

Proceed as follows for a standard installation of OpenSSL:
· Copy the "openssl.cfg" file from the folder "C:\OpenSSL-Win64\bin\..." to the folder "C:\OpenSSL-Win64\...".
· Change the name of the copied file from "openssl.cfg" to "openssl.cnf".

Note In 32-bit operating systems the folder is called "OpenSSL-Win32".

Generate Own Certificates and Private Keys

Note The steps below show how to generate the certificates and keys in a 64-bit
operating system. When using a 32-bit operating system you replace 64 with 32.

Table 4-1
No. Description
5. Call the "Input Prompt" window
   · In the Windows Start menu you click "Start" > "Input prompt" and enter the command "cmd".
   · Complete the action with "Enter".
6. Open the "OpenSSL" directory
   · Enter the following command: "cd c:\openssl-Win64\bin\".
   · Complete the command with "Enter".
7. Define the configuration path
   · Enter the following command: "set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg".
   · Complete the command with "Enter".
8. Call OpenSSL
   · Enter the following command: "openssl.exe".
   · Complete the command with "Enter".
9. Generate own certificates and private keys
   · Enter the following command:
     "req -x509 -newkey rsa:1024 -nodes -config ..\openssl.cnf -keyout keynameKEY.pem -out certnameCERT.pem". (1)
     Note: If you want to set the validity period of the certificate to a desired period, additionally use the parameter "-days XXX". XXX = number of days of validity from the date of issue.
     Here you replace "keyname" with the desired key name, "TP900", for example, keeping the ending "KEY.pem", and replace "certname" with the desired certificate name, "TP900", for example, keeping the ending "CERT.pem".
   · Complete the command with "Enter".
   · You can skip the questions which follow by pressing "Enter" each time. (2)
10. Close OpenSSL
   · Enter the "Exit" command.
   · Complete the command with "Enter".
   · Then you can close the "Input Prompt" window.
11. Copy certificates and keys to SIMATIC Logon
   · With a standard installation of the OpenSSL program you will find both the created certificates and the private keys at this location: "C:\OpenSSL-Win64\bin\". (1)
   · Store the copied files here: "C:\Users\Public\Documents\Siemens\SIMATICLogon\certificates". (2)
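As an added example that is not part of the Siemens entry, the script below carries out step 9 above and the certificate comparison from section 2.2.3 in one place: it generates a self-signed pair in the Logon naming scheme (<name>KEY.pem / <name>CERT.pem), checks that the private key really belongs to the certificate and that the certificate is not about to expire, and returns the SHA-256 fingerprint an operator can compare against the copy Runtime places in the "rejected" folder. It assumes a POSIX shell with the openssl command on PATH instead of the Windows input prompt, answers the interactive questions with -subj, and defaults to a 2048-bit key where the entry's command uses rsa:1024, since 1024-bit RSA is below the current minimum recommendation.

```shell
#!/bin/sh
# Added example, not Siemens code. Assumes a POSIX shell and an openssl binary
# on PATH (the FAQ uses the Windows input prompt and openssl.exe instead).

# make_logon_cert NAME DAYS KEYBITS OUTDIR
#   NAME    -> writes OUTDIR/NAMEKEY.pem and OUTDIR/NAMECERT.pem
#   DAYS    -> validity period, the FAQ's optional "-days XXX"
#   KEYBITS -> RSA modulus size; the FAQ shows rsa:1024, 2048 is today's floor
make_logon_cert() {
    name=$1; days=${2:-365}; keybits=${3:-2048}; outdir=${4:-.}
    mkdir -p "$outdir"
    # -x509: self-signed; -nodes: key stored without a passphrase, as in the
    # FAQ, so Logon can load it without an interactive prompt.
    # -subj replaces the questions the FAQ tells you to skip with "Enter".
    openssl req -x509 -newkey "rsa:$keybits" -nodes -days "$days" \
        -subj "/CN=$name" \
        -keyout "$outdir/${name}KEY.pem" -out "$outdir/${name}CERT.pem" \
        2>/dev/null
}

# cert_fingerprint CERT.pem -> SHA-256 fingerprint "AB:CD:..." (95 characters);
# compare it with the copy found under ...\SimaticLogon\rejected before trusting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# key_matches_cert KEY.pem CERT.pem -> exit 0 only if the public key derived
# from the private key equals the public key inside the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_tomorrow CERT.pem -> exit 0 if the certificate is still valid
# in 24 h, non-zero if it is expired or about to expire.
cert_valid_tomorrow() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

# Command-line use: make_logon_cert.sh TP900 365 2048 ./out
if [ "$#" -gt 0 ]; then
    make_logon_cert "$@"
    echo "Fingerprint: $(cert_fingerprint "${4:-.}/$1CERT.pem")"
fi
```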
5 Troubleshooting
Behavior
You cannot establish an encrypted connection to SIMATIC Logon from your
operator panel or from your WinCC Runtime Advanced.

Causes
The causes might be the following:
· Your installed version of SIMATIC Logon does not support TLS V1.2 encrypted
connections.
(Version < V1.5 SP3)
· Your WinCC installation does not support TLS V1.2 encrypted connections.
(Version < V13 SP1 Update 4)
· You do not have any certificates stored in the SIMATIC Logon server.
· You have not stored any relevant or valid certificates.
· You have configured incorrect settings for your Runtime.
(For example, the "Encrypted transfer:" option field has not been enabled or
the address is incorrect.)
· The Ethernet address of the SIMATIC Logon server computer and of the operator panel must be in the same network. (139.22.224.xyz, for example)
