Our device implements the Micro embedded profile and does only support SecurityPolicy of None on the SecureChannel. In Part 4 chapter 7.36.3 UserNameIdentityToken, it says the following: “If None is specified for the UserTokenPolicy and SecurityPolicy is None then the password only contains the UTF-8 encoded password. This configuration should not be used unless the network is encrypted in some other manner such as a VPN.”.
The UA CTT test suite “Security – Security User Name Password” gives an warning and says: “User name password combination. Specific encryption of the password is required if not Message encryption is used.”
The specification states that the password should not be unencrypted if the SecureChannel is not secured and the UA CTT stats it is an requirement. Is it an requirement to encrypt the password for a Micro embedded device or is it just recommendation?
07/05/2017
A Micro embedded profile typically does not provide HTTPS communication (message encryption) only TCP and the network in the certification lab does not support a VPN or other outside means, thus a server is required to support encrypting the password. This might not be endpoint based but User Token Policy based encryption. And at an end user facility, the device may be configured to use a VPN or other network based security – freeing the device from performing the encryption, but this is at an end user facility.
from the Profile
|
Profiles are available here:
https://opcfoundation-onlineap…..reporting/
Paul
1 Guest(s)