SIMATIC Logon en PDF
https://support.industry.siemens.com/cs/wwen/109480490
This entry originates from the Siemens Industry Online Support. The conditions of
use specified there apply (http://www.siemens.com/terms_of_use).
Security Notes
Siemens offers products and solutions with industrial security functions which
support the secure operation of plants, solutions, machines, devices and/or
networks. They are important components in a comprehensive industrial security
concept. The Siemens products and solutions continue to be developed under
this aspect. Siemens recommends that you keep yourself regularly informed
about product updates.
For the safe operation of Siemens products and solutions it is necessary to take
appropriate security measures (cell protection concept, for example) and to
integrate each component in an overall industrial security concept which is state
of the art. This should also cover the third-party products used. Additional
information about industrial security is available at:
http://www.siemens.com/industrialsecurity.
In order to keep yourself informed about product updates, we recommend
subscribing to our product-specific newsletter. Additional information about this is
available at http://support.industry.siemens.com.
© Siemens AG 2015 All rights reserved
Contents
1 Introduction
1.1 Requirements
2 Installation and Configuration of SIMATIC Logon
2.1 Software Installation
2.2 Configuration of SIMATIC Logon
2.2.1 Requirements
2.2.2 Configuration of the Encryption
2.2.3 Authentication and Handling of Certificates
3 HMI Runtime Settings
4 Generation of Certificates and Keys
4.1 Certificates and Private Keys
4.1.1 Create Certificates
5 Troubleshooting
1 Introduction
SIMATIC Logon
SIMATIC Logon enables centralized plant-wide user administration.
The user data is stored and managed on a central logon server via the user
administration of the Windows operating system.
SIMATIC Logon V1.5 SP3 and higher provides the following options among others:
· Establish an encrypted connection using Transport Layer Security (TLS v1.2).
With TLS V1.2 you can encrypt all the communication between the server
"SIMATIC Logon computer" and the client.
· Add/remove certificates and private keys.
Manual
More information about "SIMATIC Logon" is available in Entry ID 34519648.
Product news
More information about "SIMATIC Logon V1.5 SP3" is available in Entry ID
107601962.
1.1 Requirements
Software requirements
The following software versions must be installed:
· WinCC TIA V13 SP1 Update 4 or higher for configuring the HMI operator
panels
· SIMATIC Logon V1.5 SP3 (with TLS V1.2) or higher.
HMI requirements
The HMI operator panels must be configured with WinCC V13 SP1 or higher.
Secure and encrypted communication connections between SIMATIC Logon and
HMI operator panels are supported with:
· Comfort Panels.
· KTP Mobile Panels.
· RT Advanced V13 SP1 Update 4 or higher.
Note With WinCC up to and including V13, configured HMI operator panels can
establish only unencrypted connections to a SIMATIC Logon server V1.5 SP3
(with TLS V1.2).
· "Logon_Administrator"
Certificates
You already have valid certificates for SIMATIC Logon and your HMI operator
panel.
Note The section entitled "Certificates and Private Keys" shows you the options for
procuring or creating certificates.
Table 2-1
No. Description
1. In the Windows Start menu you click "Start>All Programs>Siemens
Automation>SIMATIC>SIMATIC Logon>Configure SIMATIC Logon".
2. Enter your logon data in the input fields of the Logon dialog.
3. Select the "Certificate" tab.
Note
Information about certificates is available in the section entitled "Certificates and
Private Keys".
4. In the "Certificate" field you select the certificate file ending in "CERT.pem" and in
the "Private key" field you select the key ending in "KEY.pem".
Note
The certificate and private key can be contained in one or two .pem files.
5. Enable the option "TLS-secured connection". Then click "Apply" and restart the
computer.
Note
If you are working in addition with older operating panels and SIMATIC Logon, you
If you are using a secure encrypted connection, the first time a connection is
established a comparison is made between the SIMATIC Logon certificate and the
local certificate of the HMI operator panel. A positive match has to be confirmed
before a secure encrypted connection can be established.
Note - When the first connection is established, the compared certificate is stored
under: "C:\ProgramData\Siemens\CoRtHmiRTm\SimaticLogon\rejected".
Note here that the "ProgramData" folder is hidden by the operating
system!
- If you trust the certificate of the server, then copy the certificate into the
local certificate storage directory as appropriate at the locations below.
· On the PC under:
"C:\Programs\Siemens\CoRtHmiRtm\SimaticLogon\Certs".
· On HMI panels under "\flash\simatic\SimaticLogon\certs".
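The trust decision in the note above can be made by comparing fingerprints instead of judging the file by eye. The following is an added example, not Siemens code: it reports which PEM blocks a file holds (certificate and key in one or two files, as in Table 2-1) and approves the certificate from the "rejected" folder only when its SHA-256 fingerprint equals that of a reference exported from the SIMATIC Logon server. All function names and the sample PEM data are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def describe(pem_text):
    """List the block labels in a .pem file, in order of appearance."""
    return [label for label, _ in PEM_BLOCK.findall(pem_text)]

def cert_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the single CERTIFICATE block."""
    bodies = [body for label, body in PEM_BLOCK.findall(pem_text)
              if label == "CERTIFICATE"]
    if len(bodies) != 1:
        raise ValueError(f"expected one certificate, found {len(bodies)}")
    der = base64.b64decode("".join(bodies[0].split()))
    return hashlib.sha256(der).hexdigest()

def safe_to_trust(rejected_pem, reference_pem):
    """True only if the certificate stored by the panel under 'rejected'
    is byte-identical to the reference taken from the server itself."""
    return cert_fingerprint(rejected_pem) == cert_fingerprint(reference_pem)

def make_pem(label, der):
    """Build PEM text from raw bytes (used only for the sample data)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample data: placeholder bytes, not real certificates or keys.
SERVER_CERT_PEM = make_pem("CERTIFICATE", b"constructed-server-certificate")
OTHER_CERT_PEM = make_pem("CERTIFICATE", b"constructed-unknown-certificate")
COMBINED_PEM = SERVER_CERT_PEM + make_pem("PRIVATE KEY", b"constructed-key")

if __name__ == "__main__":
    # A combined file holds both blocks; a CERT.pem holds only the first.
    print(describe(COMBINED_PEM))
    # Reference exported on the server vs. what the panel received.
    print(safe_to_trust(SERVER_CERT_PEM, COMBINED_PEM))
    print(safe_to_trust(OTHER_CERT_PEM, SERVER_CERT_PEM))
```

In use, read the file from the "rejected" folder and the reference file with `open(...).read()` and copy the certificate into the "Certs" directory only when `safe_to_trust` returns `True`.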
Table 3-1
No. Description
1. In the project navigation you double-click the Comfort Panel "HMI_1 (TP900
Comfort)" which has already been created. (1)
2. Double-click the menu item "Runtime settings". (2)
3. In the configuration area you click "User administration". (3)
4. In the SIMATIC Logon area
· Enable the "Enable SIMATIC Logon" option. (4)
· Under "Apply user administration from" you select the "Windows computer"
option. (5)
· Under "Server data", in the "Server name:" field you enter the IP address of the
SIMATIC Logon server and in the "Port number:" field you enter the number
"16389". (6)
· Enable the "Encrypted transfer:" option. (7)
For access management with "SIMATIC Logon Remote Access" you can use a
secured connection with a valid "certificate".
· Without a valid "certificate" you can only use non-secured connections.
· There are basically two options for accessing certificates:
– You can use self-signed certificates.
– You can use certificates of a certification authority.
Note This entry shows you how to create self-signed certificates and use them with
SIMATIC Logon.
You can create your own certificates and private keys using the software
Note For this entry we have used the Win64 OpenSSL 1.0.2d version and a 64-bit
operating system.
Install OpenSSL
Follow the installation steps.
In the "Select Additional Tasks" window, for "Copy OpenSSL DLLs to:" you select
the option "The Windows system directory".
1 http://slproweb.com/products/Win32OpenSSL.html
Note The steps below show how to generate the certificates and keys in a 64-bit
operating system. When using a 32-bit operating system you replace 64 with 32.
Table 4-1
No. Description
5. Call the "Input Prompt" window
· In the Windows Start menu you click "Start" > "Input prompt" and enter the
command "cmd".
· Complete the action with "Enter".
8. Call OpenSSL
· With a standard installation of the OpenSSL program you will find both the
created certificates and the private keys at this location:
"C:\OpenSSL-Win64\bin\". (1)
5 Troubleshooting
Behavior
You cannot establish an encrypted connection to SIMATIC Logon from your
operator panel or from your WinCC Runtime Advanced.
Causes
The causes might be the following:
· Your installed version of SIMATIC Logon does not support TLS V1.2 encrypted
connections.
(Version < V1.5 SP3)
· Your WinCC installation does not support TLS V1.2 encrypted connections.
(Version < V13 SP1 Update 4)
· You do not have any certificates stored in the SIMATIC Logon server.
· You have not stored any relevant or valid certificates.
· You have configured incorrect settings for your Runtime.
(For example, the "Encrypted transfer:" option field has not been enabled or
the address is incorrect.)
· The Ethernet address of the SIMATIC Logon server computer and of the