How To: Security for CODESYS Automation Server

The devices are completely encapsulated from the outside. All external communication takes place exclusively via the CODESYS Edge Gateway (Edge Gateway). As a result, direct access to the devices themselves is impossible.

The data exchange between the CODESYS Automation Server, the CODESYS Automation Server Connector, and the Edge Gateway, as well as between the PLCs and the Edge Gateway, is TLS-encrypted based on X.509 certificates. Communication between the CODESYS Automation Server and the Edge Gateway is configured only with authorization and in a secure environment via settings in the gateway.cfg file.

For the encrypted connection with the CODESYS Automation Server, the Edge Gateway requires the CA certificate which has signed the certificate of the CODESYS Automation Server. Because the CODESYS Automation Server runs at AWS and CODESYS has the certificate issued by AWS, there are 5 possible "Amazon Root CA" (example: CN=Amazon Root CA 1, 0=Amazon, C=US). These certificates are automatically stored in the .pki directory when the Edge Gateway is connected to the CODESYS Automation Server via CODESYS Automation Server Connector or CODESYS Service Tool. In order for the web browser to accept the secure connection, the CA certificate used must also be valid in the browser or operating system. This is the case by default because AWS is classified as trusted. (Local Windows Certificate Store, Trusted Root Certification Authorities category, Certificates, Amazon Root CA...).

The View: PLCs – Gateways shows the thumbprint of the private key that has been generated in the local certificate store for the root certificate of the PLC.

If a certificate has expired, then you can renew it in the Connect or Reconfigure Edge Gateways view. To do this, the configured Edge Gateway must be connected to the Automation Server and the configuration mode must be enabled. The new certificate is valid for 6 months. For more information, see the following: Connect or Reconfigure Edge Gateways

The encrypted connection between the Edge Gateway and the PLC can be configured directly from the CODESYS Automation Server using the Quick Setup feature. The Quick Setup guides you step by step through the required settings and automatically generates the necessary TLS configuration based on X.509 certificates.

An overview of the certificates of all PLCs connected to the Automation Server can be found in the Security – Device Certificates view.

You can display the signing requests (CSR = Certificate Signing Request) of a PLC or create new requests. For more information, see the following: View: Security – Signing Requests

For more information about the general handling of certificates, see the following: How To: Handle certificates for the IDE and the PLC

Multifactor authentication on the server for safeguarding against double access.

For more information, see the following: Using Multifactor Authentication (MFA) to Sign In to the Server

Configurable user and permission management for access control to the server and server objects.

The server password is initially assigned after the CODESYS Automation Server has been purchased. See the instructions for Ordering CODESYS Automation Server in the CODESYS Store International.

It can be reset by the administrator. For more information, see the following: Resetting the Server Password

The CODESYS Automation Server add-on always requires a boot application to load the executable binary code onto the PLC. The current functionalities in the CODESYS Development System apply to the protection of the source code.

A session in the CODESYS Automation Server is valid for 10 minutes. A session is automatically extended to run for up to 24 hours as long as the active mode is in operation (for example, as long as a tab with the CODESYS Automation Server is open). The session becomes invalid after 24 hours at the latest. Of course, you can log out intentionally in order to end a session.

A password policy for assigning secure passwords is defined in the user management of the server.

Access to the WebVisu user configuration in the PLC Details dialog

When a WebVisu should be operated via the Automation Server, the WebVisu user must also be entered in the user configuration of the CODESYS Automation Server.

For more information, see the following: Adding a visualization user for a web visualization

AWS as a cloud provider with the latest security features according to international standards.

For security notes and instructions for setting up the connection between the Edge Gateway and the Server for the first time, see the following help page:

Connecting an Edge Gateway to the Server and Entering PLCs

Encrypted communication between the Automation Server, Edge Gateway and Automation Connector

The certificate which is required for encrypted communication between the Automation Server and the Automation Connector (via the Edge Gateway) has been automatically stored in the local PKI directory during the installation of the CODESYS Automation Server. Usually it is available as valid also in the required browser or local certificate store because AWS is classified as a trusted issuer.

For more information, see the following: Connect or Reconfigure Edge Gateways. There you will find information about the certificate status and the Renew Certificate function.

For more information, see the following: Setting up encrypted communication with the Automation Server