Overview – Security

Security is included for free with all of the product features of Open Automation Software. However, there are several security considerations you need to review to ensure your data is not improperly accessed or modified.


Hardware Security

At its most basic, hardware security means ensuring your server infrastructure cannot be physically accessed by unauthorized users, and has redundant power supplies for uninterrupted operation. This can be accomplished either on site or by utilizing 3rd party hosting facilities.


File System and OS Security

At the next level above hardware security are the servers’ file system and operating system.

  • Whether you are using Windows or Linux, allow only valid accounts to log in to and configure the operating system.
  • Never distribute the system administrator or root user account credentials to anyone who is not managing server installations or performing maintenance on the server.
  • Disable remote logins to your operating system by unauthorized administrators.

OAS stores server configuration files in directories of your choosing. Be sure only OAS server administrators have access to these directories and files. You can find where these files are stored in the OAS Configuration Application under Configure > Options by selecting Default Files.


Network Security

At the most basic transport level, be sure to allow access to the OAS server ports only from authorized systems and users. This can be done using built-in operating system firewalls or external firewalls on your company network. The following are the default ports used by OAS, which can be changed in the OAS Configuration Application under Configure > Options by selecting Networking:

  • 58724 : Legacy server administration and server-to-server WCF communications
  • 58725 : Web product and REST API communications
  • 58727 : Server administration and server-to-server TCP communications
  • 58728 : OAS OPC UA Server Port
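
As an added example (not part of the OAS documentation or product), the shell function below prints iptables rules for a Linux OAS server that restrict the default ports listed above to an allowlist. The function name oas_rules, the chain name OAS_IN and all source addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that restrict the OAS
# default ports to an allowlist. All source addresses are constructed samples.

OAS_PORTS="58724 58725 58727 58728"   # defaults from the list above; edit if changed in OAS

# oas_rules "port=cidr[,cidr...]" ...
# Ports with no entry are closed to every remote system.
oas_rules() {
    # Validate every spec first so a typo never produces a partial rule set.
    for spec in "$@"; do
        case "$spec" in
            *=?*) ;;
            *) echo "expected port=cidr[,cidr...], got '$spec'" >&2; return 1 ;;
        esac
        case " $OAS_PORTS " in
            *" ${spec%%=*} "*) ;;
            *) echo "port in '$spec' is not an OAS port" >&2; return 1 ;;
        esac
    done

    # Send traffic for the OAS ports to a dedicated chain (hypothetical name).
    echo "iptables -N OAS_IN"
    echo "iptables -A INPUT -p tcp -m multiport --dports $(echo $OAS_PORTS | tr ' ' ',') -j OAS_IN"

    # One ACCEPT rule per allowed source and port.
    for port in $OAS_PORTS; do
        for spec in "$@"; do
            [ "${spec%%=*}" = "$port" ] || continue
            for cidr in $(echo "${spec#*=}" | tr ',' ' '); do
                echo "iptables -A OAS_IN -p tcp --dport $port -s $cidr -j ACCEPT"
            done
        done
    done

    # Anything that reached the chain without matching an entry is dropped.
    echo "iptables -A OAS_IN -j DROP"
}

# Constructed policy: one admin workstation on 58727, web/REST clients on 58725;
# the legacy WCF port 58724 and the OPC UA port 58728 stay closed.
oas_rules "58727=10.0.5.10" "58725=10.0.8.0/24,10.0.9.15"
```

The function only prints commands; review the output before running it as root on the OAS server.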

For secure one-way communications between OAS servers, see our documentation on setting up a Unidirectional Network Gateway.

For secure Web and REST API communications, enable SSL within OAS and apply a certificate on the HTTP listener. Learn more here.

Communications drivers can be secured using the specific settings of each, utilizing secure credentials, 3rd party issued certificates, or both.


Data Security

When logging OAS Tag data to an external database, it is recommended that you use a unique credential for each database and not use the database administrator credential (e.g. ‘sa’ on MS SQL Server). In this way you can limit OAS Data Logging Groups to reading and writing only the databases and tables required for your desired functionality.

See documentation on Data Logging Groups for more information.


Feature Security and Authorization

Every feature within OAS can be secured, even down to the individual Tags and Tag Groups. This is accomplished using the OAS Security Groups and Users features. In a production system, always create the groups, users, and access rules you require, then disable all features on the Default Security Group.

View the Getting Started section on Configure Security for simple steps to follow, and the OAS Configuration – Security section for all property attributes for Configure-Security.

Other resources for Security: Programmatic Access Security Groups


