s71500 Communication Function Manual en-US en-US
s71500 Communication Function Manual en-US en-US
Function manuals
Documentation Guide 1
2
SIMATIC Product overview
Communications services 3
S7-1500, ET 200MP, ET 200SP,
ET 200AL, ET 200pro, 4
ET 200eco PN Communication PG communication
HMI communication 5
Function Manual
S7 communication 7
Point-to-point link 8
OPC UA communication 9
Routing 11
Connection resources 12
Diagnostics and fault
correction 13
Communication with the
redundant system 14
S7-1500R/H
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
indicates that minor personal injury can result if proper precautions are not taken.
NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Communication
Function Manual, 05/2021, A5E03735815-AJ 3
Preface
What's new? What are the customer benefits? Where can I find the information?
Improved security for SIMATIC • Allows unique identification of each PLC Secure PG/HMI communication
PG/HMI communication (Page 92)
based on individual certificates
• Provides additional confidentiality protection
through encrypted communication
• Protection of the configuration data through
individual passwords
Security wizard for new PLC secu- • Quick and easy configuration of the new Protection of confidential configura-
rity mechanisms tion data (Page 61)
security mechanisms of the PLC in one opera-
tion
• Supporting information to select suitable
settings for own application
Certificate management via OPC • Certificate update during runtime Certificate management via Global
UA Discovery Server (GDS) (Page 185)
• Support of CRLs
Global Discovery Server (GDS)
• Access protection for certificate management
Transferring CPU alarms to OPC • Subscriptions allow clients to subscribe to CPU Providing alarms on the OPC UA
UA clients server (Page 285)
alarms as "Alarms and Conditions" from the
OPC UA server of the CPU.
• Program messages including associated val-
ues are made available by the OPC UA server
• Alarms requiring acknowledgement can be
acknowledged by the OPC UA client (can be
disabled)
• An alarm burst is displayed as "overload" and
clients can be reloaded with the refresh
method
Communication
4 Function Manual, 05/2021, A5E03735815-AJ
Preface
What's new? What are the customer benefits? Where can I find the information?
Dynamic assignment of the net- Deployment of the CPU in IT managed networks Addressing via DHCP (Page 359)
work configuration with DHCP using the following functions:
• Connection of the CPU to an existing network
without additional manual configuration of
the network interface
• Request for network parameters for the CPU
according to RFC 2131 from a DHCPv4 server
(IP address and subnet mask, default IP router
address and further optional network parame-
ters such as DNS and NTP server addresses)
Name-based addressing with • DNS server addresses can be obtained from DHCP with DNS (Page 363)
DNS
the CPU via DHCP
• The CPU can obtain host and domain names
from a DHCP server for applications that are
implemented with OPC UA or (Secure) OUC.
• The CPU may transfer configured host or
domain names to DHCP servers coupled with
DNS servers for dynamic matching (Dynamic
DNS).
• The NTP client of the CPU can address NTP
servers with names
• Network parameters can be written with the
new "CommConfig" instruction, for example,
IP address parameters, DNS server, host and
domain name
Communication
Function Manual, 05/2021, A5E03735815-AJ 5
Preface
What's new? What are the customer benefits? Where can I find the information?
IP forwarding Simple access from the control level to the field IP forwarding (Page 378)
level for configuration and parameter assignment
of devices, e.g. via PDM or Web browser.
OPC UA server expansion For S7-1500 CPUs as of firmware V2.8 and TIA Section OPC UA communication
Portal version 16, with a corresponding Runtime (Page 152)
license, you can benefit from the following ex-
pansions of the integrated OPC UA server:
• Improved diagnostics: The OPC UA user re-
ceives information on the status of the OPC
UA server via messages in the diagnostic
buffer, an OPC UA category in the Online &
Diagnostics area of TIA Portal as well as an
improved connection resources display.
• Download behavior: In RUN mode, the OPC
UA server only performs a restart during
download from the TIA Portal when the newly
downloaded data has an effect on the data
management of the OPC UA server.
• Server interface modeling: It is now possible
in the TIA Portal to model server interfaces or
import OPC UA Companion Specifications and
map them to the PLC data management.
What's new? What are the customer benefits? Where can I find information?
Description of communication You receive information on the particularities of Section Communication with the
with the redundant system communication with the redundant system S7- redundant system S7-1500R/H
S7-1500R/H 1500R/H (Page 407)
Scope of the function manual Functions with which you are familiar from the Redundant System S7-1500R/H
expanded to include the redun- SIMATIC S7-1500 automation system are imple- System Manual
dant system S7-1500R/H mented for the redundant system S7-1500R/H. (https://support.industry.siemens.co
m/cs/ww/en/view/109754833)
Communication
6 Function Manual, 05/2021, A5E03735815-AJ
Preface
What's new? What are the customer benefits? Where can I find the information?
OPC UA Companion Specification Through OPC UA Companion Specification, Section OPC UA server interface
methods can be specified in a uniform and manu- configuration (Page 243)
facturer-neutral way. Using these specified
methods, you can easily integrate devices from
various manufacturers into the plant and the
production processes.
Setting up a secure connection to You can set up a secure connection to a mail Section Secure OUC via e-mail
a mail server over the CPU inter- server without additional hardware. (Page 88)
face
Secure communication over You can establish secure TCP connections be- Section Secure OUC with Modbus
Modbus TCP tween a Modbus TCP client and a Modbus TCP TCP (Page 87)
server.
What's new? What are the customer benefits? Where can I find the information?
OPC UA server OPC UA is a uniform standard for data communi- Section OPC UA communication
cation and is independent of any particular oper- (Page 152)
ating system platforms.
OPC UA uses integrated safety mechanisms on
various automation systems, for example with
data exchange, at application level, for the legit-
imation of the user.
The OPC UA server provides a large amount of
data:
• Values of PLC tags that clients can access
• Data types of these PLC tags
• Information about the OPC UA server itself
and the CPU
In this way, clients can gain an overview of the
tag management and can read and write values.
Secure Open User Communica- Secure data exchange with other devices. Section Secure Open User Commu-
tion nication (Page 73)
Certificate handling in STEP 7 You can manage certificates for the following Section Managing certificates with
applications in STEP 7: STEP 7 (Page 49)
• OPC UA server
• Secure Open User Communication
• Web server of the CPU
Deactivating SNMP for the CPU You can deactivate SNMP for the CPU. This can Section Disabling SNMP (Page 104)
make sense under certain conditions, for example
if the security guidelines in your network do not
permit SNMP.
Communication
Function Manual, 05/2021, A5E03735815-AJ 7
Preface
Conventions
STEP 7: We refer to "STEP 7" in this documentation as a synonym for the configuration and
programming software "STEP 7 as of V12 (TIA Portal)".
"S7-1500 CPUs" also refers to the CPU variants S7 1500F, S7 1500T, S7 1500TF, S7 1500C,
S7-1500R/H, S7 1500pro, ET200S, S7 1500 Software Controller as well as
SIMATIC Drive Controller.
This documentation contains pictures of the devices described. The figures may differ slightly
from the device supplied.
You should also pay particular attention to notes such as the one shown below:
Note
A note contains important information on the product, on handling of the product and on the
section of the documentation to which you should pay particular attention.
See also
Requirements for secure communication (Page 61)
Security information
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be connected
to an enterprise network or the internet if and to the extent such a connection is necessary
and only when appropriate security measures (e.g. firewalls and/or network segmentation)
are in place.
For additional information on industrial security measures that may be implemented, please
visit (https://www.siemens.com/industrialsecurity).
Siemens' products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are
available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customers' exposure to
cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed visit (https://www.siemens.com/industrialsecurity).
Communication
8 Function Manual, 05/2021, A5E03735815-AJ
Preface
Industry Mall
The Industry Mall is the catalog and order system of Siemens AG for automation and drive
solutions on the basis of Totally Integrated Automation (TIA) and Totally Integrated Power
(TIP).
You can find catalogs for all automation and drive products on the Internet
(https://mall.industry.siemens.com).
Communication
Function Manual, 05/2021, A5E03735815-AJ 9
Table of contents
Preface ................................................................................................................................................... 3
1 Function manuals Documentation Guide............................................................................................ 15
2 Product overview ................................................................................................................................. 20
3 Communications services .................................................................................................................... 25
3.1 Overview of communication options .................................................................................. 25
3.2 Communications protocols and port numbers used for Ethernet communication ................ 28
3.3 Overview of connection resources ..................................................................................... 32
3.4 Setting up a connection ..................................................................................................... 33
3.5 Data consistency................................................................................................................ 37
3.6 Secure Communication ...................................................................................................... 40
3.6.1 Basics of Secure Communication ........................................................................................ 40
3.6.1.1 Basics of Secure Communication ........................................................................................ 40
3.6.1.2 Confidentiality through encryption .................................................................................... 43
3.6.1.3 Authenticity and integrity through signatures .................................................................... 45
3.6.1.4 Managing certificates with STEP 7 ...................................................................................... 49
3.6.1.5 Examples for the management of certificates. .................................................................... 52
3.6.1.6 Example: HTTP over TLS ..................................................................................................... 57
3.6.2 Requirements for secure communication ........................................................................... 61
3.6.2.1 Protection of confidential configuration data...................................................................... 61
3.6.2.2 Useful information for the protection of confidential PLC configuration data....................... 63
3.6.2.3 Changing your password ................................................................................................... 65
3.6.2.4 Resetting the password ...................................................................................................... 67
3.6.2.5 Assign password via SIMATIC Memory Card ........................................................................ 68
3.6.2.6 Special features when backing up and restoring a CPU ....................................................... 70
3.6.2.7 Tips for error avoidance and error handling ........................................................................ 71
3.6.2.8 Rules for the replacement parts scenario ............................................................................ 72
3.6.3 Secure Open User Communication ..................................................................................... 73
3.6.3.1 Secure OUC of an S7-1500 CPU as TLS client to an external PLC (TLS server) ....................... 73
3.6.3.2 Secure OUC of an S7-1500 CPU as TLS server to an external PLC (TLS client) ....................... 75
3.6.3.3 Secure OUC between two S7-1500 CPUs ............................................................................ 78
3.6.3.4 Secure OUC via CP interface ............................................................................................... 81
3.6.3.5 Secure OUC with Modbus TCP ............................................................................................ 87
3.6.3.6 Secure OUC via e-mail ........................................................................................................ 88
3.6.4 Secure PG/HMI communication .......................................................................................... 92
3.6.4.1 PG/HMI communication based on standardized security mechanisms ................................. 92
3.6.4.2 Additional settings for the secure PG/HMI communication .................................................. 94
3.6.4.3 Tip for certificate-based communication between PG and CPU ............................................ 95
3.6.4.4 CPU behavior from loading to operational readiness ........................................................... 96
3.6.4.5 Using secure HMI communication ...................................................................................... 99
3.6.4.6 Using Legacy PG/PC communication for TIA Portal ............................................................ 101
3.6.4.7 Information about compatibility ....................................................................................... 102
Communication
10 Function Manual, 05/2021, A5E03735815-AJ
Table of contents
Communication
Function Manual, 05/2021, A5E03735815-AJ 11
Table of contents
Communication
12 Function Manual, 05/2021, A5E03735815-AJ
Table of contents
Communication
Function Manual, 05/2021, A5E03735815-AJ 13
Table of contents
Communication
14 Function Manual, 05/2021, A5E03735815-AJ
Function manuals Documentation Guide 1
The documentation for the SIMATIC S7-1500 automation system, the
CPUs 1513/1516pro-2 PN based on SIMATIC S7-1500, and the distributed I/O systems
SIMATIC ET 200MP, ET 200SP and ET 200AL is divided into three areas.
This division allows you easier access to the specific information you require.
Basic information
System manuals and Getting Started manuals describe in detail the configuration,
installation, wiring and commissioning of the SIMATIC S7-1500, ET 200MP, ET 200SP and
ET 200AL systems. Use the corresponding operating instructions for the
CPUs 1513/1516pro-2 PN. The STEP 7 online help supports you in the configuration and
programming.
Device information
Product manuals contain a compact description of the module-specific information, such as
properties, terminal diagrams, characteristics and technical specifications.
Communication
Function Manual, 05/2021, A5E03735815-AJ 15
Function manuals Documentation Guide
General information
The function manuals contain detailed descriptions on general topics such as diagnostics,
communication, Motion Control, Web server, OPC UA.
You can download the documentation free of charge from the Internet
(https://support.industry.siemens.com/cs/ww/en/view/109742705).
Changes and additions to the manuals are documented in product information sheets.
You will find the product information on the Internet:
• S7-1500/ET 200MP (https://support.industry.siemens.com/cs/us/en/view/68052815)
• ET 200SP (https://support.industry.siemens.com/cs/us/en/view/73021864)
Manual Collections
The Manual Collections contain the complete documentation of the systems put together in
one file.
You will find the Manual Collections on the Internet:
• S7-1500/ET 200MP (https://support.industry.siemens.com/cs/ww/en/view/86140384)
• ET 200SP (https://support.industry.siemens.com/cs/ww/en/view/84133942)
• ET 200AL (https://support.industry.siemens.com/cs/ww/en/view/95242965)
"mySupport"
With "mySupport", your personal workspace, you make the best out of your Industry Online
Support.
In "mySupport", you can save filters, favorites and tags, request CAx data and compile your
personal library in the Documentation area. In addition, your data is already filled out in
support requests and you can get an overview of your current requests at any time.
You must register once to use the full functionality of "mySupport".
You can find "mySupport" on the Internet (https://support.industry.siemens.com/My/ww/en).
"mySupport" - Documentation
With "mySupport", your personal workspace, you make the best out of your Industry Online
Support.
In "mySupport", you can save filters, favorites and tags, request CAx data and compile your
personal library in the Documentation area. In addition, your data is already filled out in
support requests and you can get an overview of your current requests at any time.
You must register once to use the full functionality of "mySupport".
You can find "mySupport" on the Internet
(https://support.industry.siemens.com/My/ww/en/documentation).
Communication
16 Function Manual, 05/2021, A5E03735815-AJ
Function manuals Documentation Guide
Application examples
The application examples support you with various tools and examples for solving your
automation tasks. Solutions are shown in interplay with multiple components in the system -
separated from the focus on individual products.
You will find the application examples on the Internet
(https://support.industry.siemens.com/cs/ww/en/ps/ae).
Communication
Function Manual, 05/2021, A5E03735815-AJ 17
Function manuals Documentation Guide
PRONETA
SIEMENS PRONETA (PROFINET network analysis) allows you to analyze the plant network
during commissioning. PRONETA features two core functions:
• The topology overview automatically scans the PROFINET and all connected components.
• The IO check is a fast test of the wiring and the module configuration of a plant.
You can find SIEMENS PRONETA on the Internet
(https://support.industry.siemens.com/cs/ww/en/view/67460624).
Communication
18 Function Manual, 05/2021, A5E03735815-AJ
Function manuals Documentation Guide
SINETPLAN
SINETPLAN, the Siemens Network Planner, supports you in planning automation systems and
networks based on PROFINET. The tool facilitates professional and predictive dimensioning of
your PROFINET installation as early as in the planning stage. In addition, SINETPLAN supports
you during network optimization and helps you to exploit network resources optimally and to
plan reserves. This helps to prevent problems in commissioning or failures during productive
operation even in advance of a planned operation. This increases the availability of the
production plant and helps improve operational safety.
The advantages at a glance
• Network optimization thanks to port-specific calculation of the network load
• Increased production availability thanks to online scan and verification of existing systems
• Transparency before commissioning through importing and simulation of existing STEP 7
projects
• Efficiency through securing existing investments in the long term and the optimal use of
resources
You can find SINETPLAN on the Internet (https://www.siemens.com/sinetplan).
Communication
Function Manual, 05/2021, A5E03735815-AJ 19
Product overview 2
CPUs, communications modules and processors, and PC systems of the S7-1500, ,
ET 200MPET 200SPET 200pro and ET 200AL systems provide you with interfaces for
communication via PROFINET, PROFIBUS and point-to-point connections.
Figure 2-1 Interfaces of the CPU 1516-3 PN/DP and CPU 1512SP-1 PN
Communication
20 Function Manual, 05/2021, A5E03735815-AJ
Product overview
① PROFIBUS DP interface
Figure 2-2 PROFIBUS DP interface of the CM 1542-5 and CM DP (to an ET 200SP CPU)
Communication
Function Manual, 05/2021, A5E03735815-AJ 21
Product overview
Communication
22 Function Manual, 05/2021, A5E03735815-AJ
Product overview
Figure 2-4 Example of interface for point-to-point connection at the CM PtP RS422/485 BA
Communication
Function Manual, 05/2021, A5E03735815-AJ 23
Product overview
Figure 2-5 PROFINET interfaces IM 155-5 PN ST (ET 200MP), IM 155-6 PN ST (ET 200SP), and IM 157-
1 PN (ET 200AL)
Communications services
The communications services described below use the interfaces and communication
mechanisms provided by the system via CPUs, communication modules and processors.
Communication
24 Function Manual, 05/2021, A5E03735815-AJ
Communications services 3
3.1 Overview of communication options
Communication
Function Manual, 05/2021, A5E03735815-AJ 25
Communications services
3.1 Overview of communication options
Communication
26 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.1 Overview of communication options
Information on S7-1500R/H
You can find information on the communication possibilities with the redundant system
S7-1500R/H in the section Communication with the redundant system S7-1500R/H
(Page 407).
Additional information
• Application example: CPU-CPU communication with SIMATIC controllers (compendium)
You can find the application example on the Internet
(https://support.industry.siemens.com/cs/ww/en/view/20982954).
• This FAQ (https://support.industry.siemens.com/cs/ww/en/view/102420020) describes
how to configure fetch/write communication via CP1543-1 with S7-1500.
• Additional information about the Fetch/Write services is available in the STEP 7 online
help.
• You can find additional information on the PtP link in the function manual CM PtP -
Configurations for Point-to-Point Connections
(http://support.automation.siemens.com/WW/view/en/59057093).
• You will find the description of the web server functionality in the function manual Web
server (http://support.automation.siemens.com/WW/view/en/59193560).
• You will find information about the standard protocol SNMP on the Service & Support
pages on the Internet (http://support.automation.siemens.com/WW/view/en/15166742).
• You will find information about time-of-day synchronization in this FAQ
(https://support.industry.siemens.com/cs/ww/en/view/86535497).
Communication
Function Manual, 05/2021, A5E03735815-AJ 27
Communications services
3.2 Communications protocols and port numbers used for Ethernet communication
Note
Port numbers used
The specified port numbers are the standard port numbers used by the S7-1500 CPU. Many
communication protocols and implementations enable you to use other port numbers.
The following tables show the different layers and protocols used in the S7-1500 CPUs and S7
1500 communication modules.
The following table shows the protocols supported by the S7-1500 CPUs, ET 200SP CPUs and
the CPUs 1513/1516pro 2 PN. The S7-1500 software controllers also support the protocols
listed in the following table for the Ethernet interfaces that are assigned to the software
controller.
Table 3- 2 Layers and protocols of the S7-1500 CPUs and software controllers (via PROFINET interface of the CPU)
Communication
28 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.2 Communications protocols and port numbers used for Ethernet communication
Communication
Function Manual, 05/2021, A5E03735815-AJ 29
Communications services
3.2 Communications protocols and port numbers used for Ethernet communication
The following table shows the protocols that are supported by the S7-1500 software
controller via the Ethernet interfaces assigned to Windows.
Table 3- 3 Layers and protocols of the S7-1500 Software Controller (via Ethernet interface on the Windows side)
Communication
30 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.2 Communications protocols and port numbers used for Ethernet communication
Communication
Function Manual, 05/2021, A5E03735815-AJ 31
Communications services
3.3 Overview of connection resources
The following table shows the protocols that are supported in addition to those listed in the
tables for the S7-1500 communications modules (e.g. CP 1543-1).
Connection resources
Some communications services require connections. Connections allocate resources on the
CPUs, CPs and CMs involved (for example memory areas in the CPU operating system). In
most cases one resource per CPU/CP/CM is allocated for a connection. In HMI communication,
up to 3 connection resources are required per HMI connection.
The connection resources available depend on the CPU being used, the CPs and CMs and
must not exceed a defined high limit for the automation system.
Communication
32 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.4 Setting up a connection
Additional information
You will find more detailed information on the allocation of connection resources and the
display of connection resources in STEP 7 in the section Connection resources (Page 391).
Automatic connection
STEP 7 sets up a connection automatically (for example PG or HMI connection) if you have
connected the PG/PC interface to an interface of the CPU physically and have made the
interface assignment in STEP 7 in the "Go online" dialog.
Communication
Function Manual, 05/2021, A5E03735815-AJ 33
Communications services
3.4 Setting up a connection
Communication
34 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.4 Setting up a connection
Communication
Function Manual, 05/2021, A5E03735815-AJ 35
Communications services
3.4 Setting up a connection
* Note that for an S7-1500 CPU you must enable the use of PUT/GET communication in the properties
of the CPU. You can find more information on this topic in the STEP 7 online help.
Additional information
You will find further information on the allocation of connection resources and the display of
connection resources in STEP 7 in the section Connection resources (Page 391).
Communication
36 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.5 Data consistency
Definition
Data consistency is important for data transfer and you need to take this into account when
configuring the communication task. Otherwise, malfunctions may occur.
A data area which cannot be modified by concurrent processes is called a consistent data
area. This means that a data area which belongs together and which is larger than the
maximum size of the consistent data area can consist in part of new and of old data at the
same time.
An inconsistency can occur when an instruction for communication is interrupted, for
example by a hardware interrupt OB with higher priority. This interrupts the transfer of the
data area. If the user program in this OB now changes the data that has not yet been
processed by the communication instruction, the transferred data originates from different
times:
The following figure shows a data area that is smaller than the maximum size of the
consistent data area. In this case, when transferring the data area, it is ensured that there is
no interruption by the user program during data access so that the data is not changed.
① The source data area is smaller than the maximum size of the consistent data area (②). The
instruction transfers the data together to the destination data area.
② Maximum size of the consistent data area
Communication
Function Manual, 05/2021, A5E03735815-AJ 37
Communications services
3.5 Data consistency
The following figure shows a data area that is larger than the maximum size of the consistent
data area. In this case, the data can be changed during an interruption of the data transfer.
An interruption also occurs if, for example, the data area needs to be transferred in several
parts. If the data is changed during the interruption, the transferred data originates from
different times.
① The source data area is larger than the maximum size of the consistent data area (③). At time
T1, the instruction only transfers as much data from the source data area into the destination
data area as fits in the consistent data area.
② At time T2, the instruction transfers the rest of the source data area to the destination data
area. After the transfer, data from different points in time exist in the destination data area. If
the data in the source data area has changed in the meantime, an inconsistency may result.
③ Maximum size of the consistent data area
Figure 3-4 Transfer of data larger than the maximum consistency area
Example of an inconsistency
The figure below shows an example of changing data during the transfer. The destination
data area contains data from different points in time.
Communication
38 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.5 Data consistency
Note
Measures in the user program
To achieve data consistency, you can copy transferred data to a separate data area (for
example, global data block). While the user program continues to work with the original data,
you can transfer the data saved in the separate data area consistently with the
communication instruction.
For the copying, use uninterruptible instructions such as UMOVE_BLK or UFILL_BLK. These
instructions ensure data consistency up to 16 KB.
Additional information
• You will also find the maximum amount of consistent data in the device manuals of the
communications modules in the Technical Specifications.
• You will find further information on data consistency in the description of the instructions
in the STEP 7 online help.
Communication
Function Manual, 05/2021, A5E03735815-AJ 39
Communications services
3.6 Secure Communication
Requirement
• CPUs that support connection description DBs with the structure of the SDT
TCON_IP_V4_SEC or SDT TCON_QDN_SEC. These are the following CPUs:
– S7-1200 as of firmware V4.4
– S7-1500 as of firmware V2.0
• Also optional via the following CPs:
– CP 1243-1 as of firmware V3.2
– CP 1243-8 IRC as of firmware V3.2
– CP 1543-1 as of firmware V2.0
– CP 1545-1
– CP 1543SP-1
Secure Communication via CP 1242-7 GPRS V2 is not possible.
Communication
40 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Communication
Function Manual, 05/2021, A5E03735815-AJ 41
Communications services
3.6 Secure Communication
Communication
42 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
See also
Using the S7-1500 as an OPC UA server (Page 201)
Symmetric encryption
The central aspect of symmetric encryption is that both communication partners use the
same key for message encryption and decryption, as shown in the figure below. Bob uses the
same key for encryption as Alice uses for decryption. In general, we also say that the two
sides share the secret key with which they encrypt or decrypt a message as a secret.
The process can be compared to a briefcase to which the sender and recipient have the same
key, which both locks and opens the case.
• Advantage: Symmetric encryption algorithms (such as AES, Advanced Encryption
Algorithm) are fast.
• Disadvantages: How can the key be sent to a recipient without getting into the wrong
hands? This is a key distribution problem. If enough messages are intercepted, the key can
also be worked out and must therefore be changed regularly.
If there are a large number of communication partners, there is also a large number of keys
to distribute.
Communication
Function Manual, 05/2021, A5E03735815-AJ 43
Communications services
3.6 Secure Communication
Asymmetric encryption
Asymmetric encryption works with a pair of keys consisting of one public key and one private
key. Used with a PKI, it is also known as Public Key cryptography or simply PKI cryptography.
A communication partner, Alice in the figure below, has a private key and a public key. The
public key is provided to the public, in other words any potential communication partner.
Anyone with the public key can encrypt messages for Alice. In the figure below, this is Bob.
Alice's private key, which she must not disclose, is used by Alice to decrypt an encrypted
message addressed to her.
① Alice provides Bob with her public key. No precautionary measures are required to this purpose:
Anyone can use the public key for messages to Alice if they are sure that it is actually Alice's
public key.
② Bob encrypts his message with Alice's public key.
③ Alice decrypts the encrypted message from Bob with her private key. As only Alice has the pri-
vate key and never discloses it, only she can decrypt the message. With her private key, she can
decrypt any message encrypted with her public key - not only messages from Bob.
The system can be compared to a mailbox into which anyone can put a message, but from
which only the person with the key can remove messages.
• Advantages: A message encrypted with a public key can only be decrypted by the owner
of the private key. As another (private) key is required for decryption, it is also much
harder to work out the decryption key on the basis of large numbers of encrypted
messages. This means that the public key does not have to be kept strictly confidential,
unlike with symmetric keys.
Another advantage is easier distribution of public keys. No specially secured channel is
required in asymmetric cryptography to transfer the public key from the recipient to the
sender encrypting the messages. Less work is thus required in managing the keys than
would be the case in symmetric encryption procedures.
• Disadvantages: Complex algorithm (e.g. RSA, named after the three mathematicians
Rivest, Shamir and Adleman), and therefore poorer performance than with symmetric
encryption.
Communication
44 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Abuse of encryption
You cannot tell what identity is assigned to a public key from the bit string. A fraud could
provide their public key and claim to be someone else. If a third party then uses this key
thinking that they are addressing their required communication partner, confidential
information could end up with the fraud. The fraud then uses their private key to decrypt the
message that was not intended for them, and sensitive information falls into the wrong
hands.
To prevent this type of abuse, the communication partners must be confident that they are
dealing with the right communication partner. This trust is established by using digital
certificates in a PKI.
Communication
Function Manual, 05/2021, A5E03735815-AJ 45
Communications services
3.6 Secure Communication
Self-signed certificates
Self-signed certificates are certificates whose signature comes from the certificate subject
and not from an independent certificate authority.
Examples:
• You can create and sign a certificate yourself, for example, to encrypt messages to a
communication partner. In the example above, Bob (instead of Twent) could himself sign
his certificate with his private key. Using Bob's public key, Alice can check that the
signature and public key from Bob match. This procedure is sufficient for simple internal
plant communication that is to be encrypted.
• A root certificate is, for example, a self-signed certificate, signed by the certificate
authority (CA), that contains the public key of the certificate authority.
Communication
46 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Certificate content
A certificate to the X.509 V3 standard, the standard that is also used by STEP 7 and the
S7-1500 CPUs, consists primarily of the following elements:
• Public key
• Details of the certificate subject (i.e. the holder of the key), for example, the Common
Name (CN) of Subject .
• Attributes such as serial number and validity period
• Digital signature from the certificate authority (CA) confirming that the information is
correct.
There are also extensions, for example:
• Specification of what the public key may be used for (Key Usage), for example, signing or
key encryption.
When you create a new certificate with STEP 7, for example in the context of Secure Open
User Communication, select the correct entry from the list of possible usages, e.g. "TLS".
• Specification of a Subject Alternative Name (SAN), which is used in secure communication
with Web servers (HTTP over TLS), for example, to ensure that the certificate in the
address bar of the Web browser also belongs to the Web server specified in the URL.
Communication
Function Manual, 05/2021, A5E03735815-AJ 47
Communications services
3.6 Secure Communication
3. This hash value is then compared with the hash value that is determined by means of the
public key of the certificate issuer and the signature algorithm for checking the signature.
4. If the signature check produces a positive result, both the identity of the certificate subject
as well as the integrity, meaning authenticity and genuineness, of the certificate content are
proven. Anyone who has the public key, i.e. the certificate from the certificate authority, can
check the signature and thus recognize that the certificate was actually signed by the
certificate authority.
The figure below shows how Alice uses the public key in the certificate from Twent (who
represents the certificate authority, CA) to verify the signature on Bob's public key. All that is
required for verification is therefore the availability of the certificate from the certificate
authority at the moment of checking. The validation itself is executed automatically in the
TLS session.
Figure 3-10 Verification of a certificate with the public key of the certificate of a certificate authority
Signing messages
The method described above for signing and verifying also uses the TLS session for signing
and verifying messages.
If a hash value is generated by a message and this hash value is signed with the private key of
the sender and attached to the original message, the recipient of the message is able to
check the integrity of the message. The recipient decrypts the hash value with the public key
of the sender, puts together the hash value from the message received and compares the
two values. If the values are not the same, the message has been tampered with on the way.
Communication
48 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Communication
Function Manual, 05/2021, A5E03735815-AJ 49
Communications services
3.6 Secure Communication
Special features of the section "Protection & Security > Certificate manager"
Only in this section of the Inspector window do you switch between the global, i.e. project-
wide, and the local, i.e. device-specific, certificate manager (option "Use global security
settings for the certificate manager"). The option decides whether you have access to all the
certificates in the project or not.
• If you do not use the certificate manager in the global security settings, you only have
access to the local certificate memory of the CPU. You do not have access, for example, to
imported certificates or root certificates. Without these certificates only a restricted
functionality is available. You can, for example, only generate self-signed certificates.
• If you use the certificate manager in the global security settings and you are logged on as
an administrator, you have access to the global, project-wide certificate memory. You can,
for example, assign imported certificates to the CPU, or create certificates that are issued
and signed by the project CA (certificate authority of the project).
Communication
50 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
The figure below shows how the "Global security settings" are shown in the project tree after
the "Use global security settings for certificate manager" option has been activated in the
Inspector window of the CPU.
When you double-click "User login" in the project tree below the global security settings and
log in, a line called "Certificate manager" is displayed, among other data.
When you double-click the "Certificate manager" line, you obtain access to all the certificates
in the project, divided into the tabs "CA" (certificate authorities), "Device certificates" and
"Trusted certificates and root certificate authorities".
Communication
Function Manual, 05/2021, A5E03735815-AJ 51
Communications services
3.6 Secure Communication
Private keys
STEP 7 generates private keys while generating device certificates and server certificates
(end-entity certificates). The location where the private key is stored encrypted depends on
the use of the global security settings for the certificate manager:
• If you use global security settings, the private key is stored encrypted in the global
(project-wide) certificate memory.
• If you do not use global security settings, the private key is stored encrypted in the local
(CPU-specific) certificate memory.
The existence of the private key, which is required to decrypt data, for example, is displayed
in the "Private key" column of the "Device certificates" tab of the certificate manager in the
global security settings.
When the hardware configuration is loaded, the device certificate, the public key as well as
the private key are loaded into the CPU.
NOTICE
Enabling the "Use global security settings for certificate manager" option -
Consequences
The "Use global security settings for certificate manager" option influences the previously
used private key: If you have already created certificates without using the certificate
manager in the global security settings and then change the option for using the certificate
manager, the private keys are lost and the certificate ID can change. A warning draws your
attention to this fact. Therefore specify at the beginning of the project configuration which
option is required for the certificate manager.
Communication
52 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Therefore the CA certificates required to verify the transmitted device certificate must be
located in the certificate memory of the respective communication partner.
Note
The current date/time must be set in the CPU.
When using secure communication (for example, HTTPS, secure OUC, OPC UA), make sure
that the corresponding modules have the current time of day and the current date.
Otherwise, the modules will evaluate the certificates used as invalid and secure
communication will not work.
Procedure
STEP 7 automatically loads the required CA certificates together with the hardware
configuration to the participating CPUs so that the requirements for certificate verification
exist for both CPUs. You therefore only have to generate the device certificates for the
respective CPU; STEP 7 does the rest for you.
1. Mark PLC_1 and activate the "Use global security settings for certificate manager" option in
the "Protection & Security" section.
2. Log in as a user in the project tree in the "Global security settings" section. For a new project,
the "Administrator" role is planned for the first login.
3. Return to the PLC-1 in the "Protection & Security" section. Click in an empty line in the
"Certificate subject" column in the "Device certificates" table to add a new certificate.
Communication
Function Manual, 05/2021, A5E03735815-AJ 53
Communications services
3.6 Secure Communication
4. In the drop-down list for selecting a certificate click the "Add" button.
The "Create Certificate" dialog opens.
5. Leave the default settings in this dialog. They are tailored to the usage of Secure Open User
Communication (usage: TLS).
Tip: Supplement the default name of the certificate subject, in this case the CPU name. In
order to differentiate you better leave the default CPU name in case you have to manage a
large number of device certificates.
Example: PLC_1/TLS becomes PLC_1-SecOUC-Chassis17FactoryState.
6. Compile the configuration.
The device certificate and the CA certificate are part of the configuration.
7. Repeat the steps described above for PLC_2.
In the next step you have to create the user programs for the data exchange and load the
configurations together with the program.
Communication
54 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Secure Open User Communication between S7-1500 CPU as a TLS client and an external device
as a TLS server
Two devices are to exchange data with each other via TLS connection or TLS session, for
example, exchanging recipes, production data or quality data:
• An S7-1500 CPU (PLC_1) as TLS client; the CPU uses Secure Open User Communication
• An external device, for example a Manufacturing Execution System (MES), as TLS server
The S7-1500 CPU establishes the TLS connection / session to the MES system as TLS client.
① TLS client
② TLS server
The S7-1500 CPU requires the CA certificates of the MES system to authenticate the TLS
server: The root certificate and, if appropriate, the intermediate certificates for verifying the
certificate path.
You have to import these certificates into the global certificate memory of the S7-1500 CPU.
Proceed as follows to import certificates of the communication partner:
1. Open the certificate manager in the global security settings in the project tree.
2. Select the appropriate table (trusted certificates and root certificate authorities) for the
certificate to be imported.
3. Right-click in the table to open the shortcut menu. Click "Import" and import the required
certificate or the required CA certificates.
Through the import the certificate has a certificate ID assigned to it and can be assigned to
a module in the next step.
4. Mark PLC_1 and navigate to the "Certificates of partner devices" table in the "Protection &
Security" section.
5. Click in an empty line in the "Certificate subject" column to add the imported certificates.
6. Select the required CA certificates of the communication partner from the drop-down list
and confirm the selection.
Optionally the MES system can also request a device certificate of the CPU to authenticate the
CPU (i.e., the TLS client). In this case, the CA certificates of the CPU must be made available to
the MES system. The prerequisite for importing the certificates into the MES system is a
preceding export of the CA certificates from the STEP 7 project of the CPU. Follow these
steps:
1. Open the certificate manager in the global security settings in the project tree.
2. Select the matching table (CA certificate) for the certificate to be exported.
Communication
Function Manual, 05/2021, A5E03735815-AJ 55
Communications services
3.6 Secure Communication
Secure Open User Communication between an S7-1500 CPU as TLS server and an external device
as TLS client
If the S7-1500 CPU acts as TLS server and the external device, for example an ERP system
(Enterprise Resource Planning System) establishes the TLS connection / session, you require
the following certificates:
• For the S7-1500 CPU, you generate a device certificate (server certificate) with a private
key and download it with the hardware configuration into the S7-1500 CPU. You use the
"Signed by certificate authority" option when generating the server certificate.
The private key is required for the key exchange as explained in the figure for the example
"HTTP over TLS".
• You have to export the CA certificate of the STEP 7 project for the ERP system and import /
load it into the ERP system. With the CA certificate the ERP system verifies the server
certificate of the S7-1500 that was transferred from the CPU to the ERP system during the
establishment of the TLS connection / session.
① TLS server
② TLS client
Figure 3-12 Secure OUC between an S7-1500 CPU and ERP system
Communication
56 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Figure 3-13 Secure OUC between a S7-1500 CPU and a mail server
Requirement for secure e-mail connection is the importing of the root certificate and the
intermediate certificates of the mail server (provider) into the global certificate memory of
the S7-1500 CPU. By means of these certificates the CPU can check the server certificate that
is sent by the mail server during the establishment of the TLS connection / session.
Proceed as follows to import certificates of the mail server:
1. Open the certificate manager in the global security settings in the project tree.
2. Select the appropriate table (trusted certificates and root certificate authorities) for the
certificate to be imported.
3. Right-click in the table to open the shortcut menu. Click "Import" and import the required
certificate or the required CA certificates.
As a result of the import, the certificate has a certificate ID assigned to it and can be
assigned to a module in the next step.
4. Mark PLC_1 and navigate to the "Certificates of partner devices" table in the "Protection &
Security" section.
5. Click in an empty line in the "Certificate subject" column to add the imported certificates.
6. Select the required CA certificates of the communication partner from the drop-down list
and confirm the selection.
In the next step you have to create the user programs for the e-mail client function of the
CPU and load the configurations together with the program.
Communication
Function Manual, 05/2021, A5E03735815-AJ 57
Communications services
3.6 Secure Communication
Note
The current date/time must be set in the CPU.
When using secure communication (for example, HTTPS, secure OUC, OPC UA), make sure
that the corresponding modules have the current time of day and the current date.
Otherwise, the modules will evaluate the certificates used as invalid and secure
communication will not work.
Communication
58 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Communication
Function Manual, 05/2021, A5E03735815-AJ 59
Communications services
3.6 Secure Communication
The figure does not show the measures taken at Alice's end (browser) to verify the certificate
sent by the Web server. Whether Alice can trust the Web server certificate received and
therefore the identity of the Web server, and can accept the exchange of data, depends on
positive verification.
The steps for verifying the authenticity of the Web server:
1. Alice must know the public keys of all relevant certificate authorities, which means she
requires the complete certificate chain to verify the Web server certificate (i.e. the end-entity
certificate of the Web server):
Alice will generally have the required root certificate in her certificate memory. When a
Web browser is installed, a range of trusted root certificates is also installed. If she does
not have the root certificate, she must download it from the certificate authority and
install it in the certificate authority of the browser. The certificate authority can also be the
device on which the Web server is located.
You have the following options for obtaining the intermediate certificates:
– The server itself sends the required intermediate certificates to Alice along with its end-
entity certificate – in the form of a signed message so that Alice can verify the integrity
of the certificate chain.
– The certificates often contain the URLs of the certificate issuer. Alice can load the
required intermediate certificates from these URLs.
When you work with certificates in STEP 7 it is always assumed that you have imported
the intermediate certificates and the root certificate into the project and assigned them to
the module.
2. Alice validates the signatures in the certificate chain with the public keys of the certificates.
3. The symmetric key must be generated and transferred to the Web server.
4. If the Web server is addressed by its domain name, Alice also verifies the identity of the Web
server in accordance with the Internet PKI rules defined in RFC 2818. She is able to do this
because the URL of the Web server, in this case the "Fully Qualified Domain Name" (FQDN),
is saved in the end-entity certificate of the Web server. If the certificate entry in the "Subject
Alternative Name" field corresponds to the entry in the address bar of the browser,
everything is fine.
The process continues with the exchange of data with the symmetric key, as shown in the
figure above.
Communication
60 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Communication
Function Manual, 05/2021, A5E03735815-AJ 61
Communications services
3.6 Secure Communication
Requirement
• TIA Portal as of version V17
• CPU supports secure PG/HMI communication (for S7-1500 CPUs as of firmware version
2.9)
• The CPU is not yet loaded or the CPU is reset to factory settings with the option "Delete
password for protection of confidential PLC configuration data"
Procedure
1. Open the CPU properties in the network view or in the device view.
2. Navigate to the area "Protection & Security > Protection of the PLC configuration data".
Result: The "Protect confidential PLC configuration data" option is enabled first and the
empty field for password entry is highlighted in red.
3. Configure the password (recommended) via the "Set" button or disable the "Protect
confidential PLC configuration data" option.
4. Complete the configuration and create the user program.
5. Load the CPU.
When loading the hardware configuration, you will be asked once to re-enter the password.
Background: The configured password is used in the TIA Portal to generate the key
information to protect confidential configuration data and thus to protect this data. For
security reasons, however, neither the password nor the key information is saved in the
project. In order for the key information to reach the CPU, it is re-generated when the
hardware configuration is loaded, so that the password must be entered once at this point.
Communication
62 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
See also
Useful information for the protection of confidential PLC configuration data (Page 63)
3.6.2.2 Useful information for the protection of confidential PLC configuration data
The concept for Secure Communication protected by security standards comprises the
following components:
• A password-based key information that is used for protecting confidential configuration
data (e.g. private keys for certificates, passwords).
• A standardized log (TLS) that ensures communication between the participants (e.g.
programming device and CPU).
Communication
Function Manual, 05/2021, A5E03735815-AJ 63
Communications services
3.6 Secure Communication
Communication
64 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Requirement
• The CPU is not yet loaded
Procedure
1. Open the CPU properties in the network view or in the device view.
2. Navigate to the area "Protection & Security > Protection of the PLC configuration data".
3. Click the "Change" button or deactivate the option "Protect confidential PLC configuration
data".
4. Enter the previously valid password in the dialog. In case of a password change, also enter
the new password and confirm the new password.
As long as you have not yet loaded a configuration into the CPU, the CPU is in a provisioning
phase (see CPU behavior from loading to operational readiness (Page 96)) and you can load
any valid configuration with your configured password.
Requirements
• You have write access to the CPU
• The CPU must be in STOP mode.
Procedure
1. Select the CPU in the network view.
2. Select the "Online & Diagnostics" command from the shortcut menu.
Communication
Function Manual, 05/2021, A5E03735815-AJ 65
Communications services
3.6 Secure Communication
3. If you also change the project on the memory card, i.e. then want to reload the
configuration:
– Select the "Reset to factory settings" area in the opened online and diagnostics view.
– Activate the option "Delete password to protect confidential PLC configuration data".
To avoid a repeated start-up of the CPU, also select the "Format memory card" option.
– Then load the project with the changed configuration and the desired password.
4. If you do not have to change the project on the memory card, i.e. only the wrong password
is set:
– In the Online and diagnostics view, you specify the area "Password for the protection of
confidential PLC configuration data".
– Click the "Delete" button. If the "Delete" button is not available, no password has been
set in the CPU yet.
– Enter the required password and click the "Set" button.
If the correct password has been entered, the CPU can use the protected PLC configuration
data.
Note
Reset to factory settings with mode selector of the CPU
Restoring the factory settings of the CPU via the mode selector also deletes the IP address of
the CPU, but not the password for protecting confidential PLC configuration data.
See also
Rules for the replacement parts scenario (Page 72)
Communication
66 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Requirement
• The CPU is not yet loaded
Procedure
1. Open the CPU properties in the network view or in the device view.
2. Navigate to the area "Protection & Security > Protection of the PLC configuration data".
3. Click "Reset".
Please note that the certificates of the CPU (e.g. certificates for web server, for OPC UA
server, for PG/PC communication and HMI communication) may no longer be used after
the reset and may have to be created again and reassigned.
– If you use the global security settings for the certificate manager, you must reassign
the certificates from the certificate manager.
– If you do not use the global security settings for the certificate manager, you must
recreate and reassign the certificates.
4. Confirm the reset of the password.
The option for the protection of confidential PLC configuration data is still activated.
Requirements
• You have write access to the CPU
• The CPU must be in STOP mode.
Procedure
1. Select the CPU in the network view.
2. Select the "Online & Diagnostics" command from the shortcut menu.
Communication
Function Manual, 05/2021, A5E03735815-AJ 67
Communications services
3.6 Secure Communication
3. In the area "Password to protect confidential PLC configuration data", click the "delete"
button.
If the "Delete" button is not available, no password has been set in the CPU yet.
NOTICE
Deleting the password for confidential configuration data
If the password is deleted and a loaded project requires a corresponding password, this
project may no longer work without password.
See also
Changing your password (Page 65)
Requirement
• TIA Portal as of version V17
Communication
68 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Basic procedure
1. Creating a SIMATIC memory card with "SET PASSWORD" job
This action creates a folder and file structure following a special pattern and writes a
password for the protection of the confidential PLC configuration data as plain text to a
special file on the SIMATIC memory card. See description below.
2. Insertion of a prepared SIMATIC memory card in the CPU and switch on the CPU.
The PLC reads the password, processes it and stores the result in the internal memory. Any
existing entry is overwritten.
3. Remove the SIMATIC memory card and restart the CPU.
Results (S7-1500): While the CPU is reading the SIMATIC memory card, the LED shows the
same behavior as with a firmware update. The RUN/STOP LED flashes while the CPU is
setting the password. After the process has been completed successfully, the RUN/STOP
LED lights up yellow and the MAINT LED flashes yellow.
The result of the operation is displayed in the diagnostics buffer as success or error message.
If the password could not be set, the error LED flashes together with the other LEDs.
Note
Safe storage of the SIMATIC memory card
Store the SIMATIC memory card in a safe location to which only authorized persons have
access.
Communication
Function Manual, 05/2021, A5E03735815-AJ 69
Communications services
3.6 Secure Communication
Remedy
If the above error occurs, that is, the password for protecting confidential PLC configuration
data does not match the backup, you must delete the password to protect confidential PLC
configuration data in the CPU and then set the correct password. After a restart the CPU, the
backup is functional.
See also
Changing your password (Page 65)
Communication
70 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Typical "pitfalls"
You should pay attention to the following circumstances in order to avoid or correct errors:
• Configuration loaded?
Regardless of whether you protect your confidential configuration data with a password
or not: without a loaded configuration, the CPU does not leave the provisioning phase.
• You are trying to load the CPU with a configured password and the CPU has already
received another password.
Example: CPU is exchanged for another CPU from the stock. The replacement CPU was not
completely reset (reset to factory settings with option "Delete password for protection of
confidential PLC configuration data").
Remedy:
– Always prepare replacement CPUs with the appropriate option (password deleted).
– For the configuration to be loaded, use the same password that was already used for
the configuration already loaded.
– It is also possible that the wrong project / CPU configuration was loaded. Check
whether the correct CPU configuration is available.
– Use the online function "Set password to protect confidential PLC configuration data"
to delete the password or to set the same password as in the CPU configuration. Then,
restart the device.
• The same error occurs if your CPU configuration does not use a password and the already
loaded configuration requires a user-defined password.
Remedy:
– Use the online function "Set password to protect confidential PLC configuration data"
to delete the password or to set the same password as in the CPU configuration. Then,
restart the device.
Communication
Function Manual, 05/2021, A5E03735815-AJ 71
Communications services
3.6 Secure Communication
See also
Assign password via SIMATIC Memory Card (Page 68)
Communication
72 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
3.6.3.1 Secure OUC of an S7-1500 CPU as TLS client to an external PLC (TLS server)
The following section describes how you can set up Open User Communication via TCP from
an S7-1500 CPU as TLS client to a TLS server.
Setting up a secure TCP connection from an S7-1500 CPU as TLS client to a TLS server
S7-1500 CPUs as of firmware version V2.0 support secure communication with addressing via
a Domain Name System (DNS).
For secure TCP communication over the domain name you need to create a data block with
the TCON_QDN_SEC system data type yourself, assign parameters and call it directly at one of
the instructions TSEND_C, TRCV_C or TCON.
Requirements:
• Current date and time are set in the CPU.
• Your network includes at least one DNS server.
• You have configured at least one DNS server for the S7-1500 CPU.
• TLS client and TLS server have all the required certificates.
To set up a secure TCP connection to a TLS server, follow these steps:
1. Create a global data block in the project tree.
2. Define a tag of the data type TCON_QDN_SEC in the global data block.
The example below shows the global data block "Data_block_1" in which the tag
"DNS ConnectionSEC" of the data type TCON_QDN_SEC is defined.
3. Set the connection parameters of the TCP connection in the "Start value" column. Enter the
fully qualified domain name (FQDN) of the TLS server, for example, for "RemoteQDN".
Communication
Function Manual, 05/2021, A5E03735815-AJ 73
Communications services
3.6 Secure Communication
4. Set the parameters for secure communication in the "Start value" column.
– "ActivateSecureConn": Activation of secure communication for this connection. If this
parameter has the value FALSE, the subsequent security parameters are irrelevant. You
can set up a non-secure TCP or UDP connection in this case.
– "ExtTLSCapabilities": If you enter the value 1, the client validates the
subjectAlternateName in the X.509-V3 certificate of the server to verify the identity of
the server. This validation is executed in the context of the instruction.
– "TLSServerCertRef": ID of the X.509-V3 certificate (usually a CA certificate) that is used
by the TLS client to validate the TLS server authentication. If this parameter is 0, the
TLS client uses all (CA) certificates currently loaded in the client certificate store to
validate the server authentication.
Figure 3-19 Certificate handling from the perspective of the S7-1500 as a TLS client
Communication
74 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
5. Create one of the instructions TSEND_C, TRCV_C or TCON in the program editor.
6. Interconnect the CONNECT parameter of one of the instructions TSEND_C, TRCV_C or TCON
with the tags of the data type TCON_QDN_SEC.
In the example below, the CONNECT parameter of the TCON instruction is interconnected
with the tag "DNS connectionSEC" (data type TCON_QDN_SEC).
Additional information
You can find more information on the TCON_QDN_SEC system data type in the STEP 7 online
help.
For additional information on secure communication, refer to the section Secure
Communication (Page 40).
3.6.3.2 Secure OUC of an S7-1500 CPU as TLS server to an external PLC (TLS client)
The following section describes how you can set up Open User Communication via TCP from
an S7-1500 CPU as TLS server to a TLS client.
Setting up a secure TCP connection via the domain name of the communication partner
S7-1500 CPUs as of firmware version V2.0 support secure communication with addressing via
a Domain Name System (DNS).
For secure TCP communication over the domain name you need to create a data block with
the TCON_QDN_SEC system data type yourself, assign parameters and call it directly at one of
the instructions TSEND_C, TRCV_C or TCON.
Requirements:
• Current date and time are set in the CPU.
• Your network includes at least one DNS server.
• You have configured at least one DNS server for the S7-1500 CPU.
• TLS client and TLS server have all the required certificates.
Communication
Function Manual, 05/2021, A5E03735815-AJ 75
Communications services
3.6 Secure Communication
3. Set the connection parameters of the TCP connection in the "Start value" column. Enter, for
example, the local ID of the TCP connection for "ID".
Communication
76 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
4. Set the parameters for secure communication in the "Start value" column.
– "ActivateSecureConn": Activation of secure communication for this connection. If this
parameter has the value FALSE, the subsequent security parameters are irrelevant. You
can set up a non-secure TCP or UDP connection in this case.
– "TLSServerReqClientCert": Request for an X.509-V3 certificate from the TLS client.
– "TLSServerCertRef": ID of the own X.509-V3 certificate.
Figure 3-22 Certificate handling from the perspective of the S7-1500 as TLS server
Communication
Function Manual, 05/2021, A5E03735815-AJ 77
Communications services
3.6 Secure Communication
Additional information
You can find more information about the system data types TCON_QDN_SEC in the STEP 7
online help.
For additional information on secure communication, refer to the section Secure
Communication (Page 40).
Figure 3-24 Certificate handling for Secure OUC between two S7-1500 CPUs
Communication
78 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
3. Set the connection parameters of the TCP connection in the "Start value" column. For
example, enter the IPv4 address of the TLS server for "RemoteAddress".
Note
Connection parameter Interface ID
Note that you can enter the value "0" for the interface ID in the data type
TCON_IP_V4_SEC. In this case, the CPU itself searches for a suitable local CPU interface.
4. Set the parameters for secure communication in the "Start value" column.
– "ActivateSecureConn": Activation of secure communication for this connection. If this
parameter has the value FALSE, the subsequent security parameters are irrelevant. You
can set up a non-secure TCP or UDP connection in this case.
– "TLSServerCertRef": Enter the value 2 (reference to the CA certificate of the TIA Portal
project (SHA256) or the value 1 (reference to the CA certificate of the TIA Portal project
(SHA1)). If you use a different CA certificate, enter the corresponding ID from the
certificate manager of the global security settings.
– "TLSClientCertRef": ID of the own X.509-V3 certificate.
Communication
Function Manual, 05/2021, A5E03735815-AJ 79
Communications services
3.6 Secure Communication
5. Create one of the instructions TSEND_C, TRCV_C or TCON in the program editor.
6. Interconnect the CONNECT parameter of one of the instructions TSEND_C, TRCV_C or TCON
with the tags of the data type TCON_IP_V4_SEC.
3. Set the connection parameters of the TCP connection in the "Start value" column. For
example, enter the IPv4 address of the TLS client for "RemoteAddress".
4. Set the parameters for secure communication in the "Start value" column.
– "ActivateSecureConn": Activation of secure communication for this connection. If this
parameter has the value FALSE, the subsequent security parameters are irrelevant. You
can set up a non-secure TCP or UDP connection in this case.
– "TLSServerReqClientCert ": Request for an X.509-V3 certificate from the TLS client.
Enter the value "true".
– "TLSServerCertRef": ID of the own X.509-V3 certificate.
– "TLSClientCertRef": Enter the value 2 (reference to the CA certificate of the TIA Portal
project (SHA256) or the value 1 (reference to the CA certificate of the TIA Portal project
(SHA1)). If you use a different CA certificate, enter the corresponding ID from the
certificate manager of the global security settings.
Communication
80 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
5. Create one of the instructions TSEND_C, TRCV_C or TCON in the program editor.
6. Interconnect the CONNECT parameter of one of the instructions TSEND_C, TRCV_C or TCON
with the tags of the data type TCON_IP_V4_SEC.
In the example below, the CONNECT parameter of the TSEND_C instruction is
interconnected with the "SEC connection 1 TLS client" tags (data type TCON_IP_4_SEC).
Additional information
You can find more information about the system data types TCON_IP_4_SEC in the STEP 7
online help.
For additional information on secure communication, refer to the section Secure
Communication (Page 40).
Communication
Function Manual, 05/2021, A5E03735815-AJ 81
Communications services
3.6 Secure Communication
Example: Setting up a secure TCP connection between two S7-1500 CPUs via CP interfaces
For secure TCP communication between two S7-1500 CPs you need to create a data block
with the TCON_IP_V4_SEC system data type yourself in every CPU, assign parameters and call
it directly at one of the instructions TSEND_C, TRCV_C or TCON.
Requirements:
• Both S7 1500 CPUs have at least firmware version V2.0. If you use the CP 1543SP-1:
Firmware version as of V1.0.
• Both CPs (for example CP 1543-1) must have at least firmware version V2.0
• TLS client and TLS server have all the required certificates.
– A device certificate (end-entity certificate) for the CP must be generated and be located
in the certificate memory of the CP. If a communication partner is an external device
(for example an MES or ERP system), a device certificate also has to exist for this
device.
– The root certificate (CA certificate) with which the device certificate of the
communication partner is signed must also be located in the certificate memory of the
CP or in the certificate memory of the external device. If you use intermediate
certificates, you have to ensure that the complete certificate path exists in the
validating device. A device uses these certificates to validate the device certificate of
the communication partner.
• The communication partner must always be addressed via its IPv4 address, not via its
domain name.
Communication
82 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
The following figure shows the different certificates in the devices for the case that both
communication partners communicate via a CP 1543-1. In addition, the figure shows the
transfer of the device certificates during establishment of the connection ("Hello").
Figure 3-28 Certificate handling in secure OUC between two S7-1500 CPUs via CP interfaces.
Communication
Function Manual, 05/2021, A5E03735815-AJ 83
Communications services
3.6 Secure Communication
3. Set the connection parameters of the TCP connection in the "Start value" column. For
example, enter the IPv4 address of the TLS server for "RemoteAddress".
4. Set the parameters for secure communication in the "Start value" column.
– "ActivateSecureConn": Activation of secure communication for this connection. If this
parameter has the value FALSE, the subsequent security parameters are irrelevant. You
can set up a non-secure TCP or UDP connection in this case.
– "TLSServerCertRef": Enter the value 2 (reference to the CA certificate of the TIA Portal
project (SHA256) or the value 1 (reference to the CA certificate of the TIA Portal project
(SHA1)). If you use a different CA certificate, enter the corresponding ID from the
certificate manager of the global security settings.
– "TLSClientCertRef": ID of the own X.509-V3 certificate.
Communication
84 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
5. Create one of the instructions TSEND_C, TRCV_C or TCON in the program editor.
6. Interconnect the CONNECT parameter of one of the instructions TSEND_C, TRCV_C or TCON
with the tags of the data type TCON_IP_V4_SEC.
3. Set the connection parameters of the TCP connection in the "Start value" column. For
example, enter the IPv4 address of the TLS client for "RemoteAddress".
Communication
Function Manual, 05/2021, A5E03735815-AJ 85
Communications services
3.6 Secure Communication
4. Set the parameters for secure communication in the "Start value" column.
– "ActivateSecureConn": Activation of secure communication for this connection. If this
parameter has the value FALSE, the subsequent security parameters are irrelevant. You
can set up a non-secure TCP or UDP connection in this case.
– "TLSServerReqClientCert ": Request for an X.509-V3 certificate from the TLS client.
Enter the value "true".
– "TLSServerCertRef": ID of the own X.509-V3 certificate.
– "TLSClientCertRef": Enter the value 2 (reference to the CA certificate of the TIA Portal
project (SHA256) or the value 1 (reference to the CA certificate of the TIA Portal project
(SHA1)). If you use a different CA certificate, enter the corresponding ID from the
certificate manager of the global security settings.
5. Create one of the instructions TSEND_C, TRCV_C or TCON in the program editor.
6. Interconnect the CONNECT parameter of the instruction TSEND_C, TRCV_C or TCON with the
tags of the data type TCON_IP_V4_SEC.
Communication
86 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Requirements:
• S7-1500 CPU CPU firmware version V2.5 or higher
• The Modbus client (TLS client) can reach the Modbus server (TLS server) over IP
communication in the network.
• TLS client and TLS server have all the required certificates.
3. Set the connection parameters of the TCP connection in the "Start value" column. Enter the
IPv4 address of the mail server, for example, for the "MailServerAddress".
Communication
Function Manual, 05/2021, A5E03735815-AJ 87
Communications services
3.6 Secure Communication
4. Set the parameters for secure communication in the "Start value" column. Enter the
certificate ID of the CA certificate of the communication partner, for example, for
"TLSServerCertRef".
– "ActivateSecureConn": Activation of secure communication for this connection. If this
parameter has the value FALSE, the subsequent security parameters are irrelevant. In
this case you can set up an unsecured Modbus TCP connection.
– "TLSServerCertRef": Reference to the X.509 V3 (CA) certificate of the Modbus TCP
server, which is used by the TLS client to validate the authentication of the Modbus
TCP server.
5. Create an MB_CLIENT instruction in the program editor.
6. Interconnect the CONNECT parameter of the MB_Client instruction with the tags of the data
type TCON_IP_4_SEC.
Requirements:
• TMAIL_C instruction version V5.0 or higher
• STEP 7 V15 and higher
• S7-1500 CPU V2.5 and higher
• You have assigned all the CA certificates of the mail server (TLS server) to the CPU (TLS
client) and have downloaded the configuration to the CPU.
• Current date and time are set in the CPU.
Communication
88 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Process Port
SMTPS: 4651
STARTTLS Any (≠465)2
1 The instruction TMAIL_C uses SMTPS only for Port 465. For all other ports STARTTLS is used.
2 According to RFC, mail servers use Ports 25 and 587 for secure connections with STARTTLS. The use
of other port numbers for SMTP is not RFC-compliant, successful communication with such a mail
server is not guaranteed.
Communication
Function Manual, 05/2021, A5E03735815-AJ 89
Communications services
3.6 Secure Communication
To set up a secure connection via the IP4 address of the mail server, follow these steps:
1. Create a global data block in the project tree.
2. Define a tag of the data type TMAIL_V4_SEC in the global data block.
The example below shows the global data block "MailConnDB" in which the tag
"MailConnectionSEC" of the data type TMAIL_V4_SEC is defined.
3. Set the connection parameters of the TCP connection in the "Start value" column. Enter the
IPv4 address of the mail server, for example, for the "MailServerAddress".
Note
Connection parameter Interface ID
Note that as of instruction version V5.0 of TMAIL_C instruction in the TMAIL_V4_SEC data
type, you need to enter the value "0" for the Interface ID. In this case, the CPU itself
searches for a suitable local CPU interface.
4. Set the parameters for secure communication in the "Start value" column. Enter the
certificate ID of the CA certificate of the communication partner, for example, for
"TLSServerCertRef".
– "ActivateSecureConn": Activation of secure communication for this connection. If this
parameter has the value FALSE, the subsequent security parameters are irrelevant. You
can set up a non-secure TCP or UDP connection in this case.
– "TLSServerCertRef": Reference to the X.509 V3 (CA) certificate of the mail server, which
is used by the TLS client to validate the authentication of the mail server.
Communication
90 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Setting up a secure connection to a mail server over the interface of a communication module
For secure communication to a mail server over a communication module, you need to create
a data block with one of the system data types TMAIL_V4_SEC, TMAIL_QDN_SEC or
TMAIL_V6_SEC yourself, assign parameters and call it directly at the TMAIL_C instruction.
Requirements:
• TMAIL_C instruction with version V4.0
• S7-1500 CPU as of firmware version V2.0 with communication module CP 1543-1 as of
firmware version V2.0
• ET 200SP CPU as of firmware version V2.0 with communication module CP 1542SP-1 (IRC)
as of firmware version V1.0
• You have assigned all the CA certificates of the mail server (TLS server) to the CP (TLS
client) and have downloaded the configuration to the CPU.
• Current date and time are set in the CPU.
The STEP 7 online help describes how to set up a secure connection to a mail server over the
interface of a communication module.
Application example
This application example (https://support.industry.siemens.com/cs/ww/en/view/46817803)
show how you can use the CP of an S7-1500 or S7-1200 station to set up a secure connection
to an email server and send an email with the default application "TMAIL_C" from the S7 CPU.
Communication
Function Manual, 05/2021, A5E03735815-AJ 91
Communications services
3.6 Secure Communication
Additional information
You can find more information about the system data types TMail_V4_SEC and
TMAIL_QDN_SEC in the STEP 7 online help.
For additional information on secure communication, refer to the section Secure
Communication (Page 40).
Communication
92 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
WARNING
Without password, weak protection of private keys
Note that without a password to protect trusted configuration data, the private keys for
certificates required for secure communication are only weakly protected.
See also
Protection of confidential configuration data (Page 61)
Communication
Function Manual, 05/2021, A5E03735815-AJ 93
Communications services
3.6 Secure Communication
Procedure
1. In the CPU properties, navigate to the area "Protection & Security > Connection
mechanisms".
2. Select the option you want to use.
Procedure
If you want to have a new certificate generated by the TIA Portal or if you want to select
another existing certificate:
1. In the "PLC communication certificate" field, click the three points to expand the field.
2. Select the certificate you want or click the "Add" button.
3. When adding a certificate, a dialog appears with setting options for the certificate.
The purpose is set to "TLS server", you can change other parameters (such as name, hash
algorithm).
The general rules for certificate management apply. For example, if you want to generate a
CA certificate, the option "Global settings for the certificate manager" must be selected. You
also have the option of generating a self-signed PLC certificate.
See also
Managing certificates with STEP 7 (Page 49)
Communication
94 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Requirement
You can use the certification authority of the TIA Portal to create device certificates for a CPU
and use the existing CA certificates to sign the device certificates. However, you can also
import another certification authority into TIA Portal and use it.
Enabling the global security policies for the certificate manager is a requirement. Only with
this setting you can generate CA-signed certificates.
See also here: Managing certificates with STEP 7 (Page 49)
Communication
Function Manual, 05/2021, A5E03735815-AJ 95
Communications services
3.6 Secure Communication
Adding device certificates to the TIA Portal certificate revocation list (CRL)
You have the option to add individual device certificates to a certificate revocation list (CRL),
for example, because the associated key is no longer considered secure.
When the TIA Portal establishes a connection to a CPU whose device certificate is in the
certificate revocation list, a dialog appears in the TIA Portal asking whether you still want to
trust the certificate. If you decline, the connection will not be established.
To add a device certificate to the certificate revocation list, follow these steps:
1. Copy the device certificate to the following directory:
C:\ProgramData\Siemens\Automation\Certstore\CRL
2. Start TIA Portal.
In the "Info" tab of the Inspector window, a message appears for each certificate which
provides information about whether the certificate could be successfully transferred to the
CRL store of TIA Portal.
However, no detailed causes are output in case of failure.
See also
Examples for the management of certificates. (Page 52)
Communication
96 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Communication
Function Manual, 05/2021, A5E03735815-AJ 97
Communications services
3.6 Secure Communication
When a project is loaded into the CPU, the CPU receives the project data:
• Hardware configuration including configured certificates for secure communication
(OPC UA, HTTPS, Secure OUC, Secure PG/HMI Communication)
• User program
Communication
98 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Requirement
• CPU and HMI device support secure HMI communication.
• A current project is available on the CPU (TIA Portal V17 and higher).
Communication
Function Manual, 05/2021, A5E03735815-AJ 99
Communications services
3.6 Secure Communication
Note
Without an alarm view you cannot identify the errors during connection establishment.
2. Configure the CPU with the required security settings. Select a PLC communication
certificate to protect the HMI connection or have the TIA Portal generate a PLC
communication certificate.
3. Configure the HMI connection between the CPU and the HMI device.
4. Download the project to the CPU and the HMI device. During the project transfer, the PLC
communication certificate and, if necessary, a CA (Certificate Authority) certificate is
transferred to the CPU and the HMI device.
Communication
100 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Requirement
• There may be no online connections to the CPUs.
• For CPUs that are to be reached online, the option "Only permit secure PG/PC and HMI
communication" must be disabled (CPU parameters in the area "Connection
mechanisms").
• The communication partners are in a protected environment, for example, during the
commissioning phase.
Communication
Function Manual, 05/2021, A5E03735815-AJ 101
Communications services
3.6 Secure Communication
Communication
102 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
Communication
Function Manual, 05/2021, A5E03735815-AJ 103
Communications services
3.7 SNMP
3.7 SNMP
Disabling SNMP
To disable SNMP for one of the integrated interfaces of an S7 1500 CPU, proceed as follows:
1. In STEP 7, create a data block that contains the structure of data record B071H.
– The following table shows the structure of the data record B071H.
2. Transfer the data record B071H in the startup OB (OB100) with the WRREC instruction (write
data record) to the CPU.
Use the hardware ID of an integrated interface of the CPU here.
Communication
104 Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.7 SNMP
Task
As the security guidelines in your network do not allow SNMP, you want to disable SNMP for
a CPU 1516-3 PN/DP.
Requirements
• CPU 1516-3 PN/DP with firmware version V2.0
• STEP 7 as of V14
Solution
First, create a data block that contains the structure of data record B071H. The figure below
shows the data block "Deactivate SNMP". The data block "Deactivate SNMP" contains the data
record B071H as well as additional tags that you use to transfer the data record. The tag
"snmp_deactivate" is used to trigger the job for WRREC. Place this tag in the retentive memory
area so that the value is also available in the startup OB (OB100).
Communication
Function Manual, 05/2021, A5E03735815-AJ 105
Communications services
3.7 SNMP
Transfer the data record B071H in the startup OB (OB100) to CPU 1516-3 PN/DP with the
WRREC instruction (write data record).
In the following program code, the data record B071H is transferred with the WRREC
instruction in a REPEAT UNTIL loop.
ORGANIZATION_BLOCK "Startup"
TITLE = "Complete Restart"
{ S7_Optimized_Access := 'TRUE' }
VERSION : 0.1
BEGIN
REPEAT
"WRREC_DB_1"
(REQ := "Deactivate SNMP".snmp_deactivate,
//Transfer data record
INDEX:=16#B071,
//Data record number for SNMP deactivation
ID:="Local~PROFINET_interface_1",
//any integrated PROFINET Interface
DONE => "Deactivate SNMP".snmp_done,
ERROR => "Deactivate SNMP".snmp_error,
STATUS => "Deactivate SNMP".snmp_status,
RECORD := "Deactivate SNMP".snmp_record)
//Data record
UNTIL "Deactivate SNMP".snmp_done OR "Deactivate SNMP".snmp_error
END_REPEAT;
END_ORGANIZATION_BLOCK
Re-enabling SNMP
With small changes, you can use the program code used above to enable SNMP.
In the user program, assign the "Deactivate SNMP".snmp_record.SNMPControl tag the value
"1":
"Deactivate SNMP".snmp_record.SNMPControl := 1;
SNMP will then be enabled again the next time the CPU is started.
Communication
106 Function Manual, 05/2021, A5E03735815-AJ
PG communication 4
Properties
Using PG communication, the CPU or another module capable of communication exchanges
data with an engineering station (for example PG, PC). The data exchange is possible via
PROFIBUS and PROFINET subnets. The gateway between S7 subnets is also supported.
PG communication provides functions needed to load programs and configuration data, run
tests, and evaluate diagnostic information. These functions are integrated in the operating
system of the module capable of communication.
Note
As of TIA Portal version V17, the TLS (Transport Layer Security) protocol is supported for
PG/HMI communication to secure the data exchange between PG/PC and CPU using
standardized security mechanisms.
For more information, refer to the following sections:
• Requirements for secure communication (Page 61)
• Secure PG/HMI communication (Page 92)
Requirements
• The PG/PC is physically connected to the communication-capable module.
• If the communication-capable module is to be reached via S7 routing, the hardware
configuration has to be loaded in the participating stations (S7 router and end point).
Communication
Function Manual, 05/2021, A5E03735815-AJ 107
PG communication
3. In the "Go online" dialog, make the following settings for your online connection:
– Select interface type (e.g. PN/IE) in the "Type of PG/PC interface" drop-down list.
– In the "PG/PC interface" drop-down list, select the PG/PC interface (e.g. Ind. Ethernet
card) you want to use to establish the online connection.
– Select the interface or the S7 subnet with which the programming device/PC is
physically connected from the "Connection to interface/subnet" drop-down list.
– If the communication-capable module can be reached via an S7 router (gateway),
select the S7 router that connects the subnets in question from the "1st gateway" drop-
down list.
Communication
108 Function Manual, 05/2021, A5E03735815-AJ
PG communication
Additional information
You can find more information on "Go online" in the STEP 7 online help.
Communication
Function Manual, 05/2021, A5E03735815-AJ 109
HMI communication 5
Properties
Using HMI communication, one or more HMI devices (for example HMI Basic/Comfort/Mobile
Panel) exchanges data with a CPU for operator control and monitoring with via the PROFINET
or PROFIBUS DP interface. The data exchange is via HMI connections.
If you want to set up several HMI connections to a CPU, use for example:
• The PROFINET and PROFIBUS DP interfaces of the CPU
• CPs and CMs with the relevant interfaces
Note
As of TIA Portal version V17, the TLS (Transport Layer Security) protocol is supported for
PG/HMI communication to secure the data exchange between PG/PC and CPU using
standardized security mechanisms.
For more information, refer to the following sections:
• Requirements for secure communication (Page 61)
• Secure PG/HMI communication (Page 92)
Communication
110 Function Manual, 05/2021, A5E03735815-AJ
HMI communication
Additional information
You can find information on S7 routing for HMI connections in the section S7 Routing
(Page 373).
You can find more information on setting up HMI connections in the STEP 7 online help.
Communication
Function Manual, 05/2021, A5E03735815-AJ 111
Open User Communication 6
6.1 Overview of Open User Communication
Information on S7-1500R/H
You can find information on Open User Communication with the S7-1500R/H redundant
system in section Communication with the redundant system S7-1500R/H (Page 407).
Communication
112 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.2 Protocols for Open User Communication
Communication
Function Manual, 05/2021, A5E03735815-AJ 113
Open User Communication
6.2 Protocols for Open User Communication
Modbus TCP
The Modbus protocol is a communication protocol with linear topology based on a
master/slave architecture. In the Modbus TCP (Transmission Control Protocol), the data is
transmitted as TCP/IP packets.
Communication is controlled solely by suitable instructions in the user program.
Communication
114 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.3 Instructions for Open User Communication
Introduction
You set up Open User Communication via the corresponding connection (for example, TCP
connection) as follows:
• By programming in the user programs of the communications partners or
• By configuring the connection in STEP 7 in the hardware and network editor
Regardless of whether you set up the connection by programming or configuring,
instructions are always required in the user programs of both communications partners for
sending and receiving the data.
Communication
Function Manual, 05/2021, A5E03735815-AJ 115
Open User Communication
6.3 Instructions for Open User Communication
There are two ways in which you can specify the DB with the data structure:
• Recommendation: Have the data block created automatically in the properties in the
program editor during parameter assignment of the connection for the TSEND_C, TRCV_C
and TCON instructions.
• Create the data block manually, assign parameters to it and write it directly to the
instruction
Necessary for:
– Secure OUC
– Connection over DNS
– E-mail
– FTP
You can modify the connection parameters in the "connection description DB".
This FAQ (https://support.industry.siemens.com/cs/ww/en/view/58875807) describes how to
program the TCON instruction to set up a connection for Open User Communication between
two S7-1500 CPUs.
Protocols, system data types and employable instructions for programmed setup
The following table shows the protocols of the Open User Communication and the matching
system data types and instructions.
Communication
116 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.3 Instructions for Open User Communication
The following table shows you the different connections of the Secure Open User
Communication and the matching system data types and instructions.
• TCON_QDN_SEC • MB_Server
Communication
Function Manual, 05/2021, A5E03735815-AJ 117
Open User Communication
6.3 Instructions for Open User Communication
• TUSEND/TURCV
UDP Send/receive data via:
• TSEND_C/TRCV_C or
• TUSEND/TURCV
FDL Send/receive data via:
• TSEND_C/TRCV_C or
• TSEND/TRCV or
• TUSEND/TURCV
Modbus TCP Not supported
E-mail Not supported
FTP Not supported
Communication
118 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.4 Open User Communication with addressing via domain names
Additional information
The STEP 7 online help describes:
• The user and system data types
• The instructions for open communication
• The connection parameters
You will find information about the allocation and release of connection resources in the
section Allocation of connection resources (Page 395).
See also
Secure Open User Communication (Page 73)
Communication
Function Manual, 05/2021, A5E03735815-AJ 119
Open User Communication
6.4 Open User Communication with addressing via domain names
Figure 6-1 Entering DNS server addresses using a CPU 1516-3 PN/DP as an example
Communication
120 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.4 Open User Communication with addressing via domain names
Setting up a TCP connection via the domain name of the communication partner
For TCP communication via the domain name you need to create a data block with the
TCON_QDN system data type yourself, assign parameters and call it directly at the instruction.
The TCON, TSEND_C and TRCV_C instructions support the system data type TCON_QDN:
To set up a TCP connection via the domain name of the communication partner, follow these
steps:
1. Create a global data block in the project tree.
2. Define a tag of the data type TCON_QDN in the global data block.
The example below shows the global data block "Data_block_1" in which the tag
"DNS Connection1" of data type TCON_QDN is defined.
3. Program the parameters of the TCP connection (for example the fully qualified domain
name (FQDN)) in the tag of data type TCON_QDN.
4. Create a TCON instruction in the program editor.
5. Interconnect the CONNECT parameter of the TCON instruction with the tag of the data type
TCON_QDN.
In the example below, the CONNECT parameter of the TCON instruction is interconnected
with the tag "DNS connection1" (data type TCON_QDN).
Communication
Function Manual, 05/2021, A5E03735815-AJ 121
Open User Communication
6.5 Setting up Open User Communication via TCP, ISO-on-TCP, UDP and ISO
Addressing a UDP connection via the domain name of the communication partner
For S7-1500 CPUs as of firmware version V2.0, you can address the recipient with its fully
qualified domain name (FQDN) when sending data via UDP. With the instruction TUSEND at
the parameter ADDR, you hereby reference a structure of the type TADDR_SEND_QDN.
The receiver can return an IPv4 or an IPv6 address. With the TURCV instruction at the ADDR
parameter, you therefore reference a structure of the TADDR_RCV_IP type. Only this structure
can include both IP address types.
Note
Network load
In contrast to the TCP the UDP protocol does not work connection-oriented. For every edge at
the block parameter REQ, the TUSEND or TURCV command performs queries of the DNS
server. This can lead to high network load or load on the DNS server.
Additional information
You can find more information about the system data types TCON_QDN, TADDR_SEND_QDN
and TADDR_RCV_IP in the STEP 7 online help.
How to set up a secure TCP connection via the domain name of the communication partner is
described in the section Secure Open User Communication (Page 73).
Communication
122 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.5 Setting up Open User Communication via TCP, ISO-on-TCP, UDP and ISO
3. Select the "Connection parameters" group. Until you select a connection partner, only the
empty drop-down list for the partner end point is enabled. All other input options are
disabled.
The connection parameters already known are displayed:
– Name of the local end point
– Interface of the local end point
– IPv4 address of the local end point
Communication
Function Manual, 05/2021, A5E03735815-AJ 123
Open User Communication
6.5 Setting up Open User Communication via TCP, ISO-on-TCP, UDP and ISO
4. In the drop-down list box of the partner end point, select a connection partner. You can
select an unspecified device or a CPU in the project as the communication partner. Certain
connection parameters are then entered automatically.
The following parameters are set:
– Name of the partner end point
– Interface of the partner end point
– IPv4 address of the partner end point
If the connection partners are networked, the name of the subnet is displayed.
5. In the "Configuration type" drop-down list, select between using program blocks or
configured connections.
Communication
124 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.5 Setting up Open User Communication via TCP, ISO-on-TCP, UDP and ISO
6. Select an existing connection description DB in the "Connection data" drop-down list or for
configured connections select an existing connection under "Connection name". You can
also create a new connection description DB or a new configured connection. Later, you can
still select other connection description DBs or configured connections or change the names
of the connection description DBs in order to create new data blocks:
– You can also see the selected data block at the interconnection of the CONNECT input
parameter of the selected TCON, TSEND_C or TRCV_C instruction.
– If you have already specified a connection description DB for the connection partner
using the CONNECT parameter of the TCON, TSEND_C or TRCV_C instruction, you can
either use this DB or create a new DB.
– If you edit the name of the displayed data block in the drop-down list, a new data block
with the changed name but with the same structure and content is generated and
used for the connection.
– Changed names of a data block must be unique in the context of the communication
partner.
– A connection description DB must have the structure TCON_Param, TCON_IP_v4 or
TCON_IP_RFC, depending on CPU type and connection.
– A data block cannot be selected for an unspecified partner.
Additional values are determined and entered after the selection or creation of the
connection description DB or configured connection.
The following is valid for specified connection partners:
– ISO-on-TCP connection type
– Connection ID with default of 1
– Active connection establishment by local partner
– TSAP ID
for S7-1200/1500: E0.01.49.53.4F.6F.6E.54.43.50.2D.31
The following is valid for unspecified connection partners:
– TCP connection type
– Partner port 2000
The following applies for a configured connection with a specified connection partner:
– TCP connection type
– Connection ID with default of 257
– Active connection establishment by local partner
– Partner port 2000
The following applies for a configured connection with an unspecified connection partner:
– TCP connection type
– Local port 2000
Communication
Function Manual, 05/2021, A5E03735815-AJ 125
Open User Communication
6.5 Setting up Open User Communication via TCP, ISO-on-TCP, UDP and ISO
Note
You must enter a unique value for the connection ID at a known connection partner. The
uniqueness of the connection ID is not checked by the connection parameter settings and
there is no default value entered for the connection ID when you create a new
connection.
8. Select the desired connection type in the relevant drop-down list. Default values are set for
the address details depending on the connection type. You can choose between the
following:
– TCP
– ISO-on-TCP
– UDP
– ISO (only with Configuration mode "Use configured connection")
You can edit the input boxes in the address details. Depending on the selected protocol,
you can edit the ports (for TCP and UDP) or the TSAPs (for ISO-on-TCP and ISO).
9. Use the "Active connection establishment" check box to set the connection establishment
characteristics for TCP, ISO and ISO-on-TCP. You can decide which communication partner
establishes the connection actively.
Changed values are checked immediately for input errors by the connection configuration
and entered in the data block for the connection description.
Note
Open User Communication between two communication partners can only work when the
program section for the partner end point has been downloaded to the hardware. To achieve
fully functional communication, make sure that you load not only the connection description
of the local CPU on the device but also that of the partner CPU as well.
Communication
126 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.5 Setting up Open User Communication via TCP, ISO-on-TCP, UDP and ISO
Additional information
The STEP 7 online help describes:
• The instructions for open communication
• The connection parameters
This FAQ (https://support.industry.siemens.com/cs/ww/en/view/109479564) describes how
the instructions TSEND_C and TRCV_C behave in the S7-1500.
Communication
Function Manual, 05/2021, A5E03735815-AJ 127
Open User Communication
6.6 Setting up communication over FDL
Requirements
• Configuration software: STEP 7 Professional V14
• End point of the connection: CPU S7-1500 firmware version V2.0 or higher with
communication module CM 1542-5 with firmware version V2.0
Communication
128 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.6 Setting up communication over FDL
3. Program the parameters of the FDL connection (e.g. the PROFIBUS addresses) in the tag of
the data type TCON_FDL.
4. Create a TCON instruction in the program editor.
5. Interconnect the CONNECT parameter of the TCON instruction with the tag of the data type
TCON_FDL.
In the example below, the CONNECT parameter of the TCON instruction is interconnected
with the tag "FDL_Connection" (data type TCON_FDL).
Communication
Function Manual, 05/2021, A5E03735815-AJ 129
Open User Communication
6.7 Setting up communication with Modbus TCP
Communication
130 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.7 Setting up communication with Modbus TCP
4. Assign the parameters of the MB_CLIENT or MB_SERVER instruction. Observe the following
rules:
An IPv4 server address must be specified for each MB_CLIENT connection.
Each MB_CLIENT or MB_SERVER connection must use a unique instance DB with one of
the data structures TCON_IP_v4, TCON_QDN or TCON_Configured.
Each connection requires a unique connection ID. The connection ID and instance DB
belong together in pairs and must be unique for each connection.
Communication
Function Manual, 05/2021, A5E03735815-AJ 131
Open User Communication
6.7 Setting up communication with Modbus TCP
Reference
• This FAQ (https://support.industry.siemens.com/cs/ww/en/view/94766380) describes how
to program and configure the Modbus TCP communication between two S7-1500 CPUs.
• This FAQ (https://support.industry.siemens.com/cs/ww/en/view/102020340) describes
how to program and configure Modbus TCP communication between an S7-1500 CPU and
an S7-1200 CPU.
Communication
132 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.8 Setting up communication via e-mail
Note
Connection parameter Interface ID
Note that you can enter the value "0" for the interface ID with instruction version V5.0 or
higher of the instruction TMAIL_C in the data type TMAIL_V4_SEC. In this case, the CPU
itself searches for a suitable local CPU interface.
Additional information
The STEP 7 online help describes:
• The system data types
• The instructions for open communication
• The connection parameters
Communication
Function Manual, 05/2021, A5E03735815-AJ 133
Open User Communication
6.9 Setting up communication via FTP
Communication
134 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.9 Setting up communication via FTP
Communication
Function Manual, 05/2021, A5E03735815-AJ 135
Open User Communication
6.9 Setting up communication via FTP
Application examples
• Application example: FTP communication with S7-1500 and CP 1543-1
You can find the application example on the Internet
(https://support.industry.siemens.com/cs/ww/en/view/103550797).
• Application example: FTP client communication with S7-1200/1500
You can find the application example on the Internet
(https://support.industry.siemens.com/cs/ww/en/view/81367009).
Additional information
The STEP 7 online help describes:
• The system data types
• The instructions for open communication
• The connection parameters
Communication
136 Function Manual, 05/2021, A5E03735815-AJ
Open User Communication
6.10 Establishment and termination of communications relations
Communication
Function Manual, 05/2021, A5E03735815-AJ 137
S7 communication 7
Characteristics of S7 communication
S7 communication as homogeneous SIMATIC communication is characterized by vendor-
specific communication between SIMATIC CPUs (not an open standard). S7 communication is
used for migration and for connecting to existing systems (S7-300, S7-400).
For data transfer between two S7-1500 automation systems, we recommend that you use
open communication (see section Open User Communication (Page 112)).
Properties of S7 communication
Using S7 communication, the CPU exchanges data with another CPU. Once the user has
received the data at the receiver end, the reception data is automatically acknowledged to
the sending CPU.
The data is exchanged via configured S7 connections. S7 connections can be configured at
one end or at both ends.
S7 communication is possible via:
• Integrated PROFINET or PROFIBUS DP interface of a CPU
• Interface of a CP/CM
Communication
138 Function Manual, 05/2021, A5E03735815-AJ
S7 communication
Note
Data blocks for PUT/GET instructions
When using the PUT/GET instructions, you can only use data blocks with absolute
addressing. Symbolic addressing of data blocks is not possible.
You must also enable this service for protection in the CPU configuration in the
"Protection" area.
Communication
Function Manual, 05/2021, A5E03735815-AJ 139
S7 communication
Communication
140 Function Manual, 05/2021, A5E03735815-AJ
S7 communication
3. Select the "Connection parameters" group. Until you select a connection partner, only the
empty drop-down list for the partner end point is enabled. All other input options are
disabled.
The connection parameters already known are displayed:
– Name of the local end point
– Interface of the local end point
– IPv4 address of the local end point
Communication
Function Manual, 05/2021, A5E03735815-AJ 141
S7 communication
4. In the drop-down list box of the partner end point, select a connection partner. You can
select an unspecified device or a CPU in the project as the communication partner.
The following parameters are automatically entered as soon as you have selected the
connection partner:
– Name of the partner end point
– Interface of the partner end point. If several interfaces are available, you can change
the interface as required.
– Interface type of the partner end point
– Subnet name of both end points
– IPv4 address of the partner end point
– Name of the connection which is used for the communication.
5. If required, change the connection name in the "Connection name" input box. If you want to
create a new connection or edit an existing connection, click on the "Select connection"
button on the right side next to the input box for the connection name.
Note
The PUT and GET instructions between two communication partners can only run if both
the hardware configuration and the program part for the partner end point have been
loaded into the hardware. To achieve fully functional communication, make sure that you
load not only the connection description of the local CPU on the device but also that of the
partner CPU as well.
Communication
142 Function Manual, 05/2021, A5E03735815-AJ
S7 communication
7. In the program editor, call the relevant instructions for S7 communication in the user
program of the communication partner (configured at one end) or in the user programs of
the communication partners (configured at both ends). Select the BSEND and BRCV
instructions from the "Communication" area of the "Instructions" task card, for example, and
drag them to a network of OB1.
8. At the ID parameter of the instruction, assign the local ID of the configured connection to be
used for the transmission of data.
9. Assign the parameters for the instructions indicating which data will be written to where
and which data will be read from where.
10.Download the hardware configuration and user program to the CPU(s).
Communication
Function Manual, 05/2021, A5E03735815-AJ 143
S7 communication
Communication
144 Function Manual, 05/2021, A5E03735815-AJ
S7 communication
4. Select the "Connections" button and the "S7 connection" entry from the drop-down list.
5. Using drag-and-drop in our example, connect PLC_1 in the left S7 subnet (PROFIBUS) to
PLC_3 in the right S7 subnet (PROFINET).
The S7 connection between CPU 1 and CPU 3 is configured.
Communication
Function Manual, 05/2021, A5E03735815-AJ 145
S7 communication
Additional information
You can find detailed information on configuring S7 connections and how to use the
instructions for S7 communication in the user program in the STEP 7 online help.
Communication
146 Function Manual, 05/2021, A5E03735815-AJ
Point-to-point link 8
Functionality
A point-to-point connection for S7-1500, ET 200MP and ET 200SP is established via
communications modules (CMs) with serial interfaces (RS232, RS422 or RS485):
• S7-1500/ET 200MP:
– CM PtP RS232 BA
– CM PtP RS422/485 BA
– CM PtP RS232 HF
– CM PtP RS422/485 HF
• ET 200SP:
– CM PtP
The bidirectional data exchange via a point-to-point connection works between
communications modules or third-party systems or devices capable of communication. At
least 2 communication partners are required for communication ("point-to-point"). With
RS422 and RS485, more than two communications partners are possible.
Communication
Function Manual, 05/2021, A5E03735815-AJ 147
Point-to-point link
Communication
148 Function Manual, 05/2021, A5E03735815-AJ
Point-to-point link
Communication
Function Manual, 05/2021, A5E03735815-AJ 149
Point-to-point link
Communication
150 Function Manual, 05/2021, A5E03735815-AJ
Point-to-point link
Additional information
• You can find more detailed information on communication via point-to-point connections
and basics of serial data transmission in the function manual CM PtP communication
module - Configurations for point-to-point connections
(http://support.automation.siemens.com/WW/view/en/59057093).
• You can find a description of how to use the instructions for point-to-point connections in
the user program in the STEP 7 online help.
• You can find information about the communications modules with a serial interface in the
manual of the particular communications module.
Communication
Function Manual, 05/2021, A5E03735815-AJ 151
OPC UA communication 9
9.1 What you need to know about OPC UA
Communication
152 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
Communication
Function Manual, 05/2021, A5E03735815-AJ 153
OPC UA communication
9.1 What you need to know about OPC UA
Scalability
OPC UA can be used for devices of different performance classes:
• Sensors
• Embedded systems
• Controllers
• PC systems
• Smartphones
• Servers running MES or ERP applications.
The performance class of the devices is differentiated by profiles. Different OPC UA profiles
offer the possibility to scale OPC UA for very small and simple devices as well as for very high-
performance devices.
An OPC UA profile describes functions and services that must be supported by the server and
client. In addition, other functionalities/services that are not required by the profile can be
optionally provided.
OPC UA profiles differ from PROFINET profiles; the latter define additional cross-vendor
properties and behavior for installations and systems in the sense of a vendor-neutral
software interface.
Communication
154 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
Type-instance concept
OPC UA offers a fully networked (full-meshed network), object-oriented information model
for namespaces, including metadata for the object description. Any object structures can be
generated via referencing of the instances among each other and their types. Because servers
disclose their instance and type systems, clients can navigate through this network and
obtain all the information they need. Both instances and their type definitions are available in
runtime.
Procedures or concepts on how to handle references to types are optimized over time. These
optimizations lead to new versions of the OPC UA Specification (e.g. V1.03 => V1.04).
See also
OPC Foundation (https://opcfoundation.org)
Communication
Function Manual, 05/2021, A5E03735815-AJ 155
OPC UA communication
9.1 What you need to know about OPC UA
Communication
156 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
Communication
Function Manual, 05/2021, A5E03735815-AJ 157
OPC UA communication
9.1 What you need to know about OPC UA
Communication
158 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
Figure 9-2 Example: Access of OPC UA clients to the OPC UA server of the CPU
Communication
Function Manual, 05/2021, A5E03735815-AJ 159
OPC UA communication
9.1 What you need to know about OPC UA
Example: Access of OPC UA clients to OPC UA servers via S7-1500 CPU with activated IP
Forwarding
OPC UA client and OPC UA server can also be connected to one another via an S7-1500 CPU,
in which case the S7-1500 CPU operates as an IP Forwarder. This configuration option allows
for flexible expansion of existing systems.
Figure 9-3 Example: Access of OPC UA clients to OPC UA servers via S7-1500 CPU with activated IP Forwarding
Additional information
Additional information on access options via the virtual interface and via IP forwarding can be
found in the following sections:
• IP forwarding (Page 378)
• Virtual interface for IP-based applications (Page 387)
Communication
160 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
Node ID (NodeId)
Nodes in the OPC UA address space are uniquely identified by a NodeId (Node Identifier).
The NodeId consists of an identifier, identifier type and a namespace index. Namespaces are
used to avoid naming conflicts.
The OPC Foundation has defined a wide range of nodes that provide information about the
given OPC UA server. These nodes can be found in the namespace of the OPC Foundation and
have the index 0.
The OPC Foundation also defines data types and tag types.
Namespace (Namespace)
In addition to the above-described namespace of the OPC Foundation, the namespace for
accessing CPU data is of interest: All the tags or methods of an S7-1500 OPC UA server are
contained in the namespace (Namespace) of the standard server interface
"http://www.siemens.com/simatic-s7-opcua".
By default this namespace has the Index 3. The index may change later if additional
namespaces are inserted into the server or if existing ones are deleted. It is therefore
necessary for an OPC UA client to request the current index of the namespace (e.g.
"http://www.siemens.com/simatic-s7-opcua") from the server before reading or writing its
values.
The following figure shows an example of the result of such a request.
Communication
Function Manual, 05/2021, A5E03735815-AJ 161
OPC UA communication
9.1 What you need to know about OPC UA
Identifier
The Identifier corresponds to the name of the PLC tag in quotation marks. The quotation
mark is the only sign that is not permitted as part of a name in STEP 7. Quotation marks avoid
naming conflicts.
The following example reads the value of the "StartTimer" tag:
The Identifier can consist of several components. The individual components are then
separated by a dot.
The following example reads the "MyDB" array data block completely. This data block
contains an array with ten integer values. All ten values should be read in one pass.
Therefore, "0:9" is entered at the array range.
Communication
162 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
Figure 9-4 PLC tags in the address space of the OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 163
OPC UA communication
9.1 What you need to know about OPC UA
Communication
164 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
Communication
Function Manual, 05/2021, A5E03735815-AJ 165
OPC UA communication
9.1 What you need to know about OPC UA
For "Array Range" you specify which components of the array you want to overwrite. The
"Good" status code indicates that the values were transferred successfully. However, you can
only write the values to the S7-1500 but not the time stamps of these values. The time
stamps can only be read.
Communication
166 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
In accordance with the same scheme, the "RegisteredRead" function can also be used, which
is particularly useful for recurring data readouts. Take into account, however, that depending
on the application it may be advisable to use a Subscription instead.
Recommendation: It is best to place registrations in the startup program of the OPC UA client,
since the registration takes up time.
Please note that you can set the maximum number of registered nodes in the properties of
the S7-1500 CPU and that the Clients have to respect this number, see General settings of the
OPC UA server (Page 222).
Subscription
The term "Subscription" is used for a function in which only those tags for which an OPC UA
client has registered at the OPC UA server are transferred. The OPC UA server only sends a
message to the OPC UA client for these registered tags (monitored Items) when a value has
changed. The monitoring of these tags makes constant sampling by the OPC UA client
(Polling)superfluous, which reduces the network load.
You have to create a Subscription to use this function. For this purpose, you specify the
"Publishing Interval" at the UA client and click the "Create" button. The publishing interval is
the time interval in which the server sends new values to the client in a notification (data
change notification).
In the following example a subscription has been created: The client receives a message with
the new values (publishing interval 50 ms) every 50 milliseconds here.
Communication
Function Manual, 05/2021, A5E03735815-AJ 167
OPC UA communication
9.1 What you need to know about OPC UA
The "Voltage" tag contains the value of a voltage that is detected by an S7-1500 CPU.
The sampling interval ("Sampling Interval") contains a negative value (-1). This determines
that the default setting of the OPC UA server is used for the sampling interval. The default
setting is defined by the transmission interval ("Publishing Interval") of the subscription. If you
want to set the smallest possible sampling interval, select the value "0".
In this example, the length of the queue is set to "1": Only one value is read from the CPU at
an interval of 50 milliseconds and subsequently sent to the OPC UA client when the value has
changed.
The "Deadband" parameter in this example is "0.1": Changes in value have to amount to 0.1
Volt; only then does the sender send the new value to the client. The server does not send
smaller changes in value. You can use this parameter, for example, to disable signal noise:
Slight changes in a process variable which do not have a real meaning.
Communication
168 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
Example
A tag has the SIMATIC data type "COUNTER". You read COUNTER → UInt16 in the table. You
now know that you do not need to convert; the COUNTER value is sent over the line as a
UInt16 data type.
The client detects from the attribute "DataType" that the tag is actually the SIMATIC data type
"COUNTER". With this knowledge, the client reconstructs the data type.
Communication
Function Manual, 05/2021, A5E03735815-AJ 169
OPC UA communication
9.1 What you need to know about OPC UA
Arrays
A read or write job with OPC UA is always an array access, which means that it always has an
index and length. A single tag is a special case of an array (index 0 and length 1). The data
type is simply sent repeatedly on the line. For the tags, the "DataType" attribute indicates the
basic data type. The attributes "ValueRank" and "ArrayDimensions" show whether or not you
are dealing with an array and how large the array is.
Communication
170 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.1 What you need to know about OPC UA
Structures
Structures are transferred as ExtensionObject. The S7-1500 server uses binary representation
for transmission of the ExtensionObjects over the line; the individual structure elements
come one after the other. At the front is the NodeId of the data type; this is used by the client
to establish the structure.
For OPC UA Specification <= V1.03, a client has to read, decode and interpret the complete
DataTypeDictionary for this (unless it has already learned this library offline through an XML
import).
Starting in OPC UA V1.04, the DataTypeDescription attribute is also available for this, which
can be read and interpreted more quickly and easily. A client only determines the setup of the
structure once, before or during the first access, and then uses this information for the
duration of the session.
Additional information
More details on mapping of basic data types, arrays and structures can be found in the OPC
UA Specification Part 6, "Mappings" (see OPC UA BINARY there).
What must be considered with arrays and data types DTL and LDT in the OPC UA server of a
SIMATIC S7-1500? FAQ (https://support.industry.siemens.com/cs/ww/en/view/109766726)
Communication
Function Manual, 05/2021, A5E03735815-AJ 171
OPC UA communication
9.2 Security at OPC UA
Addressing risks
OPC UA allows the exchange of data between different systems, both within the process and
production levels and to systems at the control and enterprise level.
This possibility also entails security risks. That is why OPC UA provides a range of security
mechanisms:
• Verification of the identity of OPC UA server and clients.
• Checking of the identity of the users.
• Signed/encrypted data exchange between OPC UA server and clients.
These security policies should only be bypassed in cases where it is absolutely necessary:
• During commissioning
• In stand-alone projects without external Ethernet connection
If you have selected the endpoint "None" for "UA Sample Client" of the OPC Foundation, for
example, the program issues a clear warning:
When STEP 7 compiles your project it also checks whether you have considered the setting
options for the protection and warns you of possible risks. This also includes an OPC UA
security policy with the setting "no security", which corresponds to the end point "None".
Note
Disabling security policies you do not want
If you have enabled all security policies in the secure channel settings of the S7-1500 OPC UA
server – thus, also the end point "None" (no security) – unsecured data traffic (neither signed
nor encrypted) between the server and client is also possible. The OPC UA server of the
S7-1500 CPU also sends its public certificate to the client at "None" (No security). And some
clients check this certificate. However, the client is not forced to send a certificate to the
server. The identity of the client may possibly remain unknown. Each OPC UA client can then
connect to the server irrespective of any subsequent security settings.
When configuring the OPC UA server, make sure that only security policies that are
compatible with the security concept of your machine or plant are selected. All other security
policies should be disabled.
Recommendation: Use the setting "Basic256Sha256 - Sign and Encrypt", which means that
the server only accepts Sha256 certificates. The security policies "Basic128Rsa15" and
"Basic256" are deactivated by default and should not be used as an end point. Select end
points with a higher security policy.
Communication
172 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Man-in-the-middle attacks
A "man-in-the-middle" could have positioned itself between server and client. A man-in-the-
middle is a program that intercepts communication between server and client and claims to
be a client or server, and is thus able to obtain information about the S7 program or to set
values in the CPU and attack a machine or plant.
OPC UA uses digital certificates that meet standard X.509 of the International
Telecommunication Union (ITU).
This allows the identity of a program, a computer or an organization to be proven
(authenticated).
Communication
Function Manual, 05/2021, A5E03735815-AJ 173
OPC UA communication
9.2 Security at OPC UA
X.509 certificates
An X.509 certificate includes the following information:
• Version number of the certificate
• Serial number of the certificate
• Information on the algorithm used by the certificate authority to sign the certificate.
• Name of the certificate authority
• Start and end of the validity period of the certificate
• Name of the program, person or organization for which/whom the certificate has been
signed by the certificate authority.
• The public key of the program, person or organization.
An X509 certificate thus links an identity (name of a program, person or an organization) to
the public key of the program, person or organization.
Note
The validity period stored in the certificate is also checked. The CPU clock must therefore be
set and date/time must be within the validity period, otherwise no communication takes
place.
Communication
174 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Signing
The signature makes it possible to prove the integrity and source of a message as detailed
below.
Signing starts with the sender creating a hash value from the plain text (plain text message).
The sender then encrypts the hash value with its private key and subsequently transfers the
plain text together with the encrypted hash value to the recipient. To verify the signature, the
recipient needs the public key of the sender (this is contained in the X509 certificate of the
sender). The recipient uses the sender's public key to decrypt the hash value received. The
recipient then forms the hash value themselves from the plain text received (the hash
process is contained in the sender's certificate). The recipient compares the two hash values:
• If the two hash values are identical, the plain text message has reached the receiver
unchanged and has not been manipulated.
• If the two hash values do not match, the plain text message has not reached the receiver
unchanged. The plain text message has been manipulated or has been distorted during
transfer.
Encryption
Encrypting data prevents unauthorized parties from reading the content. X509 certificates
are not encrypted; they are public and can be viewed by anyone.
Encryption involves the sender encrypting the plain text message with the public key of the
recipient. To do so, the sender requires the recipient's X509 certificate, as it contains the
public key of the recipient. The recipient decrypts the message with their private key. Only
the recipient can decrypt the message: They alone hold the private key. The private key must
therefore never be disclosed.
Communication
Function Manual, 05/2021, A5E03735815-AJ 175
OPC UA communication
9.2 Security at OPC UA
Secure channel
OPC UA uses the private and public key of client and server to establish a secure connection,
the secure channel. Once the secure connection has been established, the client and server
generate an internal key only known to them which they both use for signing and encrypting
messages. This symmetric process (a shared key) is much faster than asymmetric processes
(private and public key).
See also
Creating self-signed certificates (Page 178)
Certificates with OPC UA (Page 177)
Secure Communication (Page 40)
Using certificates with TIA Portal
(https://support.industry.siemens.com/cs/ww/en/view/109769068)
Communication
176 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Note
The OPC UA server of the S7-1500 uses application certificates even for the security
setting "None" (no security). This ensures compatibility to OPC UA V1.1 and earlier
versions.
Note
Software certificates are not supported in STEP 7.
Note
User certificates are not supported in STEP 7.
The described certificates are end-entity certificates: They identify, for example, a person, an
organization, a company or an instance (installation) of a software.
Communication
Function Manual, 05/2021, A5E03735815-AJ 177
OPC UA communication
9.2 Security at OPC UA
See also
Handling of the client certificates of the S7-1500 CPU (Page 344)
Communication
178 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Using OpenSSL
OpenSSL is a tool for Transport Layer Security that you can use to create certificates. You can
also use other tools, for example XCA, a type of key management software with a graphical
user interface for an improved overview of certificates issued.
To work with OpenSSL under Windows, follow these steps:
1. Install OpenSSL under Windows. If you are using a 64-bit version of the operating system,
install OpenSSL in the "C:\OpenSSL-Win64" directory, for example. You can obtain OpenSSL-
Win64 as a download from various providers for open source software.
2. Create a directory, for example "C:\demo".
3. Open the command prompt. To do so, click "Start" and enter "cmd" or "command prompt" in
the search field. Right-click "cmd.exe" in the results list and run the program as an
administrator. Windows opens the command prompt.
4. Change to the "C:\demo" directory. To do this, enter the following command: "cd C:\demo".
5. Set the following network variables:
– set RANDFILE=c:\demo\.rnd
– set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
The figure below shows the command line with the following commands:
6. Now start OpenSSL. If OpenSSL has been installed in the C:\OpenSSL-Win64 directory, enter
the following: C:\OpenSSL-Win64\bin\openssl.exe The figure below shows the command
line with the following command:
Communication
Function Manual, 05/2021, A5E03735815-AJ 179
OPC UA communication
9.2 Security at OPC UA
7. Generate a private key. Save the key to the "myKey.key" file. The key in this example is
1024 bits long; for greater RSA security, use 2048 bits in practice. Enter the following
command: "genrsa -out myKey.key 2048" ("genrsa -out myKey.key 1024" in the example).
The figure below shows the command line with the command and the output of OpenSSL:
8. Generate a CSR (Certificate Signing Request). To do this, enter the following command: "req
-new -key myKey.key -out myRequest.csr". During execution of this command, OpenSSL
queries information about your certificate:
– Country name: for example "DE" for Germany, "FR" for France
– State or province name: for example "Bavaria".
– Location Name: for example "Augsburg".
– Organization Name: Enter the name of your company.
– Organizational Unit Name: for example "IT"
– Common Name: for example "OPC UA client of machine A"
– Email Address:
Note
Note for S7-1500 CPU as server with firmware version V2.5
The IP address of the client program has to be stored in the "Subject Alternative Name" field
of the created certificate for S7-1500 CPUs version V2.5 (only for this version); otherwise, the
CPU will not accept the certificate.
The information you enter is added to the certificate. The figure below shows the command
line with the command and the output of OpenSSL:
The command creates a file in the C:\demo directory containing the Certificate Signing
Request (CSR); in the example, this is "myRequest.csr".
Communication
180 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
The command generates an X.509 certificate with the attributes that you transfer with the
CSR (in the example "myRequest.csr"), for example with a validity of one year (-days 365).
The command also signs the certificate with your private key ("myKey.key" in the example).
Your communication partners can use your public key (contained in your certificate) to check
that you are in possession of the private key that belongs to this public key. This also prevents
your public key from being misused by an attacker.
With self-signed certificates, you yourself confirm that the information in your certificate is
correct. There is no independent body that checks your information.
See also
Handling of the client certificates of the S7-1500 CPU (Page 344)
Communication
Function Manual, 05/2021, A5E03735815-AJ 181
OPC UA communication
9.2 Security at OPC UA
Communication
182 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Layers required
The figure below shows the three layers that are always required for establishing a
connection: the transport layer, the secure channel and the session.
Figure 9-6 Necessary layers: transport layer, secure channel and session
• Transport layer:
This layer sends and receives messages. OPC UA uses an optimized TCP-based binary
protocol here. The transport layer is the basis for the subsequent secure channel.
• Secure channel
The secure channel receives the data received from the transport layer, and forwards that
data to the session. The secure channel forwards data of the session that is to be sent to
the transport layer.
In "Sign" security mode, the secure channel signs the data (messages) that is sent. When a
message is received, the secure channel checks the signature to detect any manipulations.
With a "SignAndEncrypt" security policy, the secure channel signs and encrypts the send
data. Data received is decrypted by the secure channel, and the secure channel then
checks the signature.
With the "No security" security policy, the message packages pass the secure channel
unchanged (the messages are received and sent in plain text).
• Session
The session forwards the messages from the secure channel to the application, or receives
from the application the messages that are to be sent. The application uses the process
values or provides the values.
Communication
Function Manual, 05/2021, A5E03735815-AJ 183
OPC UA communication
9.2 Security at OPC UA
Communication
184 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Discovery server
To connect to an OPC UA server, an OPC UA client requires information about its endpoint
such as the endpoint URL and the security policy. When a large number of possible servers
are available in the network, a discovery server can take over the search and management of
this server information.
• OPC UA servers register with the discovery server.
• OPC UA clients request a list of accessible servers from the discovery server and then
connect to the desired OPC UA server.
Communication
Function Manual, 05/2021, A5E03735815-AJ 185
OPC UA communication
9.2 Security at OPC UA
Certificate management
Certificate management has the task of automating the administration and distribution of
certificates and trust lists for OPC UA applications.
In this context, a distinction is made between the following roles:
• Certificate manager - an OPC UA application that provides certificate management
functions
• Certificate recipient – an OPC UA application that receives certificates, trust lists and CRLs
from the certificate manager.
There are two models for certificate management: Pull and push management.
• With pull management, the OPC UA application acts as a client of the GDS server and uses
certificate management methods to request certificate updates and trust list updates.
• With push management, the OPC UA application acts as a server and provides methods for
an OPC UA GDS as OPC UA client. The GDS in the role of certificate manager uses these
methods to transfer ("push") certificates and trusted list updates, see explanation of the
concept for automated certificate update below.
As of firmware version V2.9, the S7-1500 CPU currently only supports push management for
the OPC UA server of the CPU.
You cannot transfer certificates for the OPC UA client instructions of the CPU to the CPU via
push management.
① Root CA - device that issues certificates for the system (these certificates can also be transmitted
in other ways, for example, by email)
② OPC UA GDS with certificate manager creates or signs device certificates, manages trust lists
and certificate revocation lists (CRLs), and writes certificates and lists to the devices (push func-
tion). This device requires OPC UA client functionality for the push function.
③ Device with OPC UA application receives "pushed" certificates and lists
Communication
186 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Concept for automated certificate update for STEP 7 version V17 and higher
GDS and certificate manager are usually combined into one application; however, in the
figure below, they are two separate components.
Devices such as "normal" OPC UA clients are also suitable as certificate managers, but they
need to support the Bytestring data type that is required to transfer certificates, for example,
an S7-1500 CPU firmware V2.9 and higher as OPC UA client or the UA Expert tool (Unified
Automation) with GDS plugin.
The OPC UA server of the S7-1500 CPU as certificate receiver provides the standardized
methods and attributes that the OPC UA client certificates need to read and write trust lists
and CRLs.
The focus in the context of the OPC UA server of the S7-1500 CPU is the description of the
push function in contrast to the usual manner in which certificates are provided to the CPU:
By loading the hardware configuration.
The figure below shows how to transfer certificates and lists for OPC UA in an S7-1500 CPU
FW V2.9 or higher:
• Either by loading the hardware configuration in STOP of the CPU; the certificates are part
of the hardware configuration.
• Or via GDS push methods in RUN or in STOP mode of the CPU.
It is not possible to use both transmission paths in parallel.
See also
Certificates with OPC UA (Page 177)
Communication
Function Manual, 05/2021, A5E03735815-AJ 187
OPC UA communication
9.2 Security at OPC UA
Example
You want to grant access to the OPC UA server for up to 62 OPC UA clients and fill the trusted
list accordingly.
When you add a Certificate Revocation List entry in the trusted list, you can only trust up to
61 client certificates.
Additional OPC UA certificates can not be transferred by loading the hardware configuration
to the CPU.
Tip
To keep the number of required certificates low, we recommend having the OPC UA client
certificates signed by the same CA.
In this case, the CPU as OPC UA server only needs the corresponding CA certificate and CRLs.
With these elements, the OPC UA server can then verify all client certificates signed by the
CA. This means you do not have to add the individual client certificates to the trusted list.
Communication
188 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Requirement
• STEP 7 (TIA Portal) V17 or higher
• S7-1500 CPU firmware V2.9 or higher
• Timet/date of the CPU is set (generally applies to certificate-based communication)
• The OPC UA server is enabled.
• At least one endpoint with the "Sign & Encrypt" security policy must be configured. The
partner must use this endpoint.
• An authenticated user with sufficient function rights is configured
The user must have a role that has the function right "Manage certificates".
This function right, in turn, has the following requirements:
– Project protection must be enabled in the project tree: Project tree: "Security settings
> Settings > Project protection".
– In the "OPC UA > General" area of the CPU settings, the following general user
management setting must be enabled: "Enable additional user management via project
security settings"
The Users and roles with OPC UA function rights (Page 238) section describes how to set the
function rights.
Activating GDS
When the requirements listed above are met, you must still enable the GDS:
1. In the Inspector window (CPU parameters), go to the "OPC UA > Server > General" area.
2. Enable the "Enable Global Discovery Services (Push)" option.
Communication
Function Manual, 05/2021, A5E03735815-AJ 189
OPC UA communication
9.2 Security at OPC UA
Download to CPU
When downloading the configuration to the CPU, you can delete the certificates that are
managed via GDS before the download. When you confirm the deletion, the download is
followed by a provisioning phase (see section on commissioning).
When you download the memory card outside of the CPU (card reader), this certificate store
is always deleted.
When Global Discovery Services (Push) is activated and no pushed certificates are available,
then no separate certificate, trust list or CRL is available for the OPC UA server.
See also
GDS commissioning (Page 190)
Requirement
Only authorized users with sufficient function rights can set up a connection in the
provisioning phase. The users must have a role with the function right "Manage certificates".
See also Setting and loading GDS parameters (Page 189).
Communication
190 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Communication
Function Manual, 05/2021, A5E03735815-AJ 191
OPC UA communication
9.2 Security at OPC UA
You can only use the two nodes as marked in the figure for diagnostics if the requirements
for GDS are met (endpoint security signed & encrypted plus administrator function rights
available).
ProvisioningModeEnabled: Indicates that a provisioning phase is supported
ProvisioningModeActive: Indicates that the OPC UA server of the CPU is in the provisioning
phase.
Communication
192 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
NOTICE
Recommended procedure to generate certificates
Transport of private keys should be avoided; a private key should not leave a device.
We, therefore, recommend the generation of a certificate without creating a new key pair or
with the creation of a key pair inside the CPU.
Communication
Function Manual, 05/2021, A5E03735815-AJ 193
OPC UA communication
9.2 Security at OPC UA
NOTICE
Different keys for different target systems
Always use newly generated keys for a production system. If you simulate and test your
project, e.g. with PLCSIM Advanced on your PC, do not under any circumstances use the
keys used for the simulation also for a productive system.
Restrict the access to PC-based controllers by setting up appropriate permissions.
Communication
194 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
Requirement
The following requirements must be met for the relevant methods and attributes to become
visible for the GDS push functionality:
• GDS is enabled
• The set security policy supports the integrity and confidentiality of the data through a
signature and encryption (Sign & Encrypt)
• Access with runtime function right "Manage certificates"
Communication
Function Manual, 05/2021, A5E03735815-AJ 195
OPC UA communication
9.2 Security at OPC UA
CreateSigningRequest
The method has the following parameters:
Communication
196 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
UpdateCertificate
Applications:
• Generation of certificate with CreateSigningRequest. No private key is available.
• New private key and new certificate were generated outside of the server. Both are
updated with UpdateCertificate.
• Certificate generated and signed with the private key of the existing certificate. No private
key is available.
Communication
Function Manual, 05/2021, A5E03735815-AJ 197
OPC UA communication
9.2 Security at OPC UA
Apply Changes
The method has no parameters.
GetRejectedList
The method has the following parameters:
Communication
198 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
You can change the Display Name of the "OpcUaServerGroup" group in STEP 7 (TIA Portal):
1. In the Inspector window (CPU properties), go to the "OPC UA > Server > Certificates" area.
2. Select the option "Use certificates managed by certificate management server during
runtime".
3. Change the group name (DisplayName) of the certificate group in the table below. 1-64
characters in 7-bit ASCII format are permitted.
"CertificateTypes" node
The "CertificateTypes" variable specifies the NodeIds of the certificate types that are assigned
to the server application.
Currently, only "RsaSha256ApplicationCertifcateType" is supported.
"TrustList" node
The node for the trust list object (TrustList file) defines an OPC UA file type (Binary encoded
stream) that contains information on the certificates and CRLs that can be read and updated
in the "pki store\trusted/issuer" directory of the Memory Card. This node provides methods
and attributes that make reading and updating possible.
The node is an instance of the OPC UA data type "TrustListDataType" with the following
structure:
Communication
Function Manual, 05/2021, A5E03735815-AJ 199
OPC UA communication
9.2 Security at OPC UA
Communication
200 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
9.3.1 Interesting information about the OPC UA server of the S7-1500 CPUs
Communication
Function Manual, 05/2021, A5E03735815-AJ 201
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Node classes
OPC UA servers provide information in the form of nodes. A node can be, for example, an
object, a tag, a method or a property.
The example below shows the address space of the OPC UA server of an S7-1500 CPU (extract
from the OPC UA client "UaExpert" from Unified Automation).
Figure 9-7 Example of the address space of the OPC UA server of an S7-1500 CPU
Communication
202 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Address space
The nodes are linked over references, for example, the reference "HasComponent, which
represents a hierarchical relationship between a node and its subordinate nodes. With their
references, the nodes form a network that can, for example, take the form of a tree.
A network of nodes is also called an address space. Starting from the root, all nodes can be
reached in the address space.
Note
Select an endpoint with as strict as possible a security policy
Select an application-appropriate security policy for the end point and disable the less strict
security policy at the OPC UA server.
A Sha256 certificate is required for the most secure end points (Basic256Sha256) of the S7-
1500 CPU OPC UA server.
Communication
Function Manual, 05/2021, A5E03735815-AJ 203
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
A connection to a server end point is only established if the OPC UA client complies with the
security policies of that end point.
Communication
204 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 205
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Examples
• You only want to add another code module to the program.
Neither data blocks nor inputs, outputs, flags, times or counters are affected.
Reaction during loading: A running OPC UA server is not interrupted.
• You want to load a new data module and you have flagged the data module as non-OPC-
UA-relevant:
Reaction during loading: A running OPC UA server is not interrupted.
• You want to overwrite a data module.
Reaction during loading: A warning appears that the server will be restarted.
Background: STEP 7 cannot determine whether the changes refer to OPC-UA-relevant data
or not.
Communication
206 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
In addition to the operating mode of the CPU you can, for example, read out information in
the manual (DeviceManual) or firmware version (HardwareRevision).
Communication
Function Manual, 05/2021, A5E03735815-AJ 207
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Figure 9-10 Enabling PLC tags and DB tags for OPC UA tags
This array can be read completely in one pass by OPC UA clients (see Addressing nodes
(Page 161)). The check boxes at "Accessible from HMI/OPC UA" and "Writable from HMI/OPC
UA" are activated for all the components of the array.
Result: OPC UA clients can both read and write these components.
Communication
208 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Rules
• Only allow read access to PLC tags and tags of data blocks in STEP 7 if this is necessary for
communication with other systems (controllers, embedded systems or MES).
You should not enable other PLC tags.
• Only allow write access over OPC UA if write rights are genuinely necessary for specific
PLC tags and tags of data blocks.
• If you have reset the "Accessible from HMI/OPC UA" option for all elements of a data block,
the data block for an OPC UA client is no longer visible in the address space of the OPC UA
server of the S7-1500 CPU.
• You can also prevent access to an entire data block centrally (see Managing write and read
rights for a complete DB (Page 209)). This setting "overrules" the settings for the
components in the DB editor.
See also
Coordinating write and read rights for CPU tags (Page 211)
Communication
Function Manual, 05/2021, A5E03735815-AJ 209
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Procedure
Proceed as follows to completely hide a data block for OPC UA clients or to protect a data
block from write access from OPC UA clients:
1. Select the data block to be protected in the project tree.
2. Select the "Properties" shortcut menu.
3. Select the "Attributes" area.
4. Select/clear the "DB accessible from OPC UA" checkbox as required.
Note
Effect on settings in the DB editor
If you hide a DB using the DB attribute described here, the settings for the components in the
DB editor are no longer relevant; individual components can no longer be accessed or
written.
Communication
210 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
4. Ensure that the "Data block accessible via OPC UA" column is selected.
5. Select only the data blocks that are to be accessible via OPC UA.
Definition of write and read rights in the information model (OPC UA XML)
In the OPC UA information model, the attribute "AccessLevel" regulates access to tags.
AccessLevel is defined bit by bit:
Bit 0 = CurrentRead and Bit 1 = CurrentWrite. The meaning of the bit combinations is as
follows:
• AccessLevel = 0: no access
• AccessLevel = 1: read only
• AccessLevel = 2: write only
• AccessLevel = 3: read+write
Communication
Function Manual, 05/2021, A5E03735815-AJ 211
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Example
• AccessLevel = 1 (read only) in the OPC UA server interface
• Both "Accessible from HMI/OPC UA" and "Writable from HMI/OPC UA" are selected in the
PLC tag table
Result: This tag can only be read.
Rules
If write rights are required:
• AccessLevel = 2 oder 3
• "Writable from HMI/OPC UA" enabled
If read rights are required:
• AccessLevel = 1 (AccessLevel 3 is also possible, but misleading. The settings suggests that
an OPC UA client has write and read rights)
• "Accessible from HMI/OPC UA" enabled, "Writable from HMI/OPC UA" disabled
If neither read nor write rights are to be granted (no access):
• AccessLevel = 0
• "Accessible from HMI/OPC UA" disabled
Only one of the two conditions needs to be met to block all access. In this case, review
whether the tag in the OPC UA server interface is actually necessary at all.
Communication
212 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Access table
"Accessible from HMI/OPC UA" must be set if access over OPC UA is to be possible at all.
"Writable from HMI/OPC UA" must be set to allow an OPC UA client to write a tag / DB
element.
Please see the table for the resulting access right.
(x = don't care)
See also
Consistency of CPU tags (Page 213)
Managing write and read rights (Page 208)
Communication
Function Manual, 05/2021, A5E03735815-AJ 213
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Examples
An OPC UA tag (structure) is readable and writable; but inconsistent for reading and writing
access.
Consequently: Bits 0, 1, 8 and 9 are set: AccessLevelEx = "771" (1+2+256+512).
Another structure is read-only.
Consequently: Bits 0 and 8 are set, bit 1 and bit 9 are not set: AccessLevelEx = "257"
(1+0+256+0).
Export
During XML export of the standard SIMATIC server interface, the server sets the "AccessLevel"
attribute, which was expanded to 32 bits in V1.04 compared to V1.03, to the value of the
"AccessLevelEx" attribute.
Import
When importing a node set file (e.g. from an export of a server interface), the S7-1500 CPU
sets the attribute "AccessLevelEx" according to its own estimate of the consistency of the
imported data type, see next section. The imported value is ignored.
Communication
214 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Tags of the following data types are not consistent ("nonatomic" in the language usage of
OPC UA):
• SIMATIC structures are generally not consistent. This means that all tags which, for
example, have unknown structures or a UDT data type are not consistent.
• System data types such as DTL, IEC_Counter, IEC_TIMER, etc. are data types that are
derived from structures.
Tip: If you browse in the address space of the S7-1500 CPU (e.g. with the OPC UA Client
UaExpert), you can find data types based on structures under Types > BaseDataType >
Structure.
Communication
Function Manual, 05/2021, A5E03735815-AJ 215
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
216 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Note
As of STEP 7 (TIA Portal) V15.1, server methods are contained in the OPC UA export file (node
set) together with their input and output parameters.
Communication
Function Manual, 05/2021, A5E03735815-AJ 217
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Tip
The following FAQ contains a converter with which you can convert the export file into CSV
format. You then obtain a list of the tags of the CPU that can be accessed by OPC UA.
You can find the FAQ on the Internet
(https://support.industry.siemens.com/cs/ww/en/view/109742903).
Requirement
• If you use certificates for secured communication, e.g. HTTPS, Secure OUC, OPC UA, make
sure that the modules involved have the current time of day and the current date.
Otherwise, the modules evaluate the used certificates as invalid and secure
communication does not work.
• You have acquired a runtime license for the operation of the OPC UA functions, see
License for OPC UA (Page 242).
Communication
218 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Application name
The application name is the name of the OPC UA application and applies to the server and the
client. The name is displayed under "OPC UA > General":
• The default for the application name is: "SIMATIC.S7-1500.OPC-UA.Application:PLC_1".
• The default consists of "SIMATIC.S7-1500.OPC-UA.Application:" and the name of the CPU
selected under "General > Product information > Name", in this case "PLC_1".
• The OPC UA server uses this application name to identify itself to a communication partner
(OPC UA client), for example, when an OPC UA client uses the discovery service to detect
accessible servers.
• The displayed application name uses the OPC UA client of the CPU when connecting to an
OPC UA Server. This means that the CPU enters this application name automatically as
"ApplicationName" for the instruction "OPC_UA_Connect" (tag of type
"OPC_UA_SessionConnectInfo" at the parameter "SessionConnectInfo" of the instruction
"OPC_UA_Connect").
When you program the instruction "OPC_UA_Connect" you must therefore assign an
empty string to the "ApplicationName". You can use the application name, for example, to
identify the client and its sessions (SessionNames) for diagnostic purposes.
If you have activated the server, you can also use a different name that is meaningful in your
project and that fulfills the requirements of your project, e.g. for worldwide uniqueness.
The example below originates from UaExpert:
Communication
Function Manual, 05/2021, A5E03735815-AJ 219
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Server addresses
The OPC UA server of the S7-1500 CPU can be reached over all integrated PROFINET
interfaces of the CPU (firmware V2.0 and higher).
Direct access to the OPC UA server of the CPU over the backplane bus of the automation
system is not possible via CPs under the following conditions:
• Configuration with TIA Portal Version V16 or higher, S7-1500 CPU firmware version 2.8 or
higher and CP 1543-1 firmware version V2.2 or higher.
For configuration, see Access to OPC UA applications (Page 157).
Direct access to the OPC UA server of the CPU over the backplane bus of the automation
system is not possible via CMs.
With SIMATIC S7-1500 SW controllers, access to the OPC UA server is possible via PROFINET
interfaces that are assigned to the software PLC.
Additional access options of SW controllers are described in the following application
example: Internal and external OPC UA connection via the virtual Ethernet interface of the
software controller V2.5 or higher
(https://support.industry.siemens.com/cs/ww/en/view/109760541).
Example for URLs (Uniform Resource Locator) that can be used to set up connections to the
OPC UA server of the CPU:
Communication
220 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Dynamic IP addresses
In the example below, the IP address for the PROFINET interface [X2] has not yet been
specified.
Communication
Function Manual, 05/2021, A5E03735815-AJ 221
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Note
General device information is readable even with deactivated standard SIMATIC server
interface
Even if you disable the standard SIMATIC server interface, OPC UA clients can read general
device information about the OPC UA server of the CPU.
Examples of such device information: DeviceManual, DeviceRevision, OrderNumber. In this
case, however, all objects of the application program remain invisible to clients.
If you want to prevent that this device information is not visible, you have to disable the OPC
UA server of the CPU.
An overview of the supported protocols and the port numbers used by the S7-1500 CPUs can
be found in section Communications protocols and port numbers used for Ethernet
communication (Page 28).
Communication
222 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Note
No error message following attempt to register more than the configured maximum
number of registrable nodes
If a client tries to register more nodes during runtime than the configured maximum number,
the server of the S7-1500 CPU only registers the configured maximum number. Starting from
the configured maximum number of registrable nodes, the server returns the regular string
node IDs unchanged to the client so that the speed advantage gained by registration for
these nodes is lost. The client does not receive an error message.
When configuring, make sure you have a sufficient reserve by taking into account the
maximum number of nodes that can be registered (for example, using the technical data of
the CPU).
Additional information
Details on which ports are used by the various services for data transfer via TCP and UDP, and
what are the points to note when using routers and firewalls can be found in the FAQ
(https://support.industry.siemens.com/cs/ww/en/view/8970169).
Communication
Function Manual, 05/2021, A5E03735815-AJ 223
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
224 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
In the example, following a value change the OPC UA server will send a new message every
200 ms if the OPC UA client requests an update.
If the OPC UA client requests an update every 1000 ms, the OPC UA server will only send a
message with the new values once every 1000 ms (one second).
If the OPC UA client requests an update every 100 ms, the server will still only send a
message every 200 ms (minimum publishing interval).
Communication
Function Manual, 05/2021, A5E03735815-AJ 225
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Additional information
Information about the system limits of the OPC UA server of the S7-1500 CPUs (firmware
V2.0 and V2.1) regarding subscriptions, sampling intervals and publishing intervals can be
found in the following FAQ
(https://support.industry.siemens.com/cs/ww/en/view/109755846).
When using subscriptions, certain status codes of errors provide information on the error that
occurred. For information on causes and remedies for status codes of OPC UA client that
appear, see the list of error codes in the online help of STEP 7 (TIA Portal) or in the following
FAQ (https://support.industry.siemens.com/cs/ww/en/view/109755860).
See also
Rules for subscriptions (Page 355)
Subscription diagnostics (Page 311)
Communication
226 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 227
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
228 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
8. Right-click this line and select the "Export certificate" entry from the shortcut menu.
9. Select a directory where you will store the client certificate.
Communication
Function Manual, 05/2021, A5E03735815-AJ 229
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
9. Click the "General" tab in the properties of the CPU that is acting as server.
10.Click "OPC UA > Server > Security > Secure Channel".
11.Scroll down in the "Secure Channel" dialog to the section "Trusted clients".
12.Double-click in the table on the empty row with "<add new>". A browse button is displayed
in the row.
13.Click this button.
14.Select the client certificate that you have imported.
15.Click the button with the green check mark.
16.Compile the project.
17.Load the configuration onto the S7-1500 CPU.
Result:
The server now trusts the client. If the server certificate is also considered trusted, the server
and client can establish a secure connection.
NOTICE
Setting after commissioning
In order to avoid security risks, deactivate the "Automatically accept client certificates during
runtime" option again after commissioning.
Communication
230 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
By default, a server certificate is created that uses SHA256 signing. The following security
policies are enabled:
• None
Unsecured end point
Note
Disabling security policies you do not want
If you have enabled all security policies in the secure channel settings of the S7-1500 OPC
UA server (default setting) – thus, also the end point "None" (no security) – unsecured
data traffic (neither signed nor encrypted) between the server and client is also possible.
The identity of the client remains unknown with "No security". Each OPC UA client can
then connect to the server irrespective of any subsequent security settings.
When configuring the OPC UA server, make sure that only security policies that are
compatible with the security concept of your machine or plant are selected. All other
security policies should be disabled.
Recommendation: If possible, use the setting "Basic256Sha256".
Communication
Function Manual, 05/2021, A5E03735815-AJ 231
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
• Basic128Rsa15 -Sign
Insecure end point, supports a series of algorithms that use the hash algorithm RSA15 and
128-bit encryption.
This endpoint protects the integrity of the data through signing.
• Basic128Rsa15 -Sign & Encrypt
Secure endpoint, supports a series of algorithms that use the hash algorithm RSA15 and
128-bit encryption.
This endpoint protects the integrity and confidentiality of the data through signing and
encrypting.
• Basic256Rsa15 -Sign
Secure endpoint, supports a series of algorithms that use the hash algorithm RSA15 and
256-bit encryption.
This endpoint protects the integrity of the data through signing.
• Basic256Rsa15 -Sign & Encrypt
Secure endpoint, supports a series of algorithms that use the hash algorithm RSA15 and
256-bit encryption.
This end point protects the integrity and confidentiality of the data through signing and
encrypting.
• Basic256Sha256 - Sign
Secure endpoint, supports a series of algorithms for 256-bit hashing and 256-bit
encryption.
This endpoint protects the integrity of the data through signing.
• Basic256Sha256 - Sign & Encrypt
Secure endpoint, supports a series of algorithms for 256-bit hashing and 256-bit
encryption.
This endpoint protects the integrity and confidentiality of the data through signing and
encryption.
To enable the security setting, click the check box in the relevant line.
Note
If you use the settings "Basic256Sha256 -Sign" and "Basic256Sha256 -Sign & Encrypt", the
OPC UA server and OPC UA clients must use "SHA256"-signed certificates.
For the settings "Basic256Sha256 -Sign" and "Basic256Sha256 -Sign & Encrypt", the certificate
authority of STEP 7 automatically signs the certificates with "SHA256".
"No Security" security policy and authentication via user name and password
You can set the following combination:
Security policy = "No Security" and authentication via user name and password.
• The OPC UA server of the S7-1500 supports this combination. OPC UA clients can connect
and encrypt the authentication data or not.
• OPC UA client of the S7-1500 CPU also supports this combination: However, in runtime it
only connects if it can send the authentication data encrypted via cable!
See also
Generating server certificates with STEP 7 (Page 233)
Communication
232 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 233
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
3. The dialog for generating new certificates is displayed (figure below). The values for an
example are already entered:
4. Use other parameters if this is necessary in accordance with the security specifications in
your company or your customer.
Communication
234 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 235
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
• Usage
The default is "OPC UA client & server". Keep this default for the OPC UA server. The
"Create a new certificate" dialog can be called from several points in STEP 7. If, for
example, you call this dialog for the Web server of the CPU, "Web server" is entered under
"Usage". The following entries are available in the Usage drop-down list:
– "OPC UA client"
– "OPC UA client & server"
– "OPC UA server"
– "TLS"
– "Web server"
• Subject Alternative Name (SAN)
The following is entered in the example above: "URI:urn:SIMATIC.S7-1500.OPC-
UAServer:PLC1,IP:192.168.178.151,IP:192.168.1.1". This URI must be correctly entered
because it is checked against the communicated application description.
The following entry would also be valid: "IP: 192.168.178.151, IP: 192.168.1.1". The
important thing here is that the IP addresses via which the OPC UA server of the CPU can
be accessed are entered here.
See "Access to the OPC UA server (Page 220)".
This allows OPC UA clients to verify whether a connection to the OPC UA server of the
S7-1500 is really to be established or whether in fact an attacker is trying to send
manipulated values from another PC to the OPC UA client.
Communication
236 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Note
To increase security, you should only allow access to the OPC UA server with user
authentication.
Communication
Function Manual, 05/2021, A5E03735815-AJ 237
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
See also
User authentication (Page 347)
Users and roles with OPC UA function rights (Page 238)
Requirement
Before you can edit the security settings, the project must be protected and you must be
logged on with sufficient rights, for example as administrator.
Communication
238 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 239
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
3. You will find the following function rights in the "Function rights" section:
– OPC UA server access
This function right applies on the OPC UA server of the S7-1500 CPU. Only when this
option is selected, can the user with the role "PLC-opcua-role-all-inclusive" transfer
certificates, CRLs or trusted lists to the CPU at runtime (push function). This function
right is required for automated certificate handling, for example, in the context of GDS
(Global Discovery Service).
– Managing certificates
This function right apples on the OPC UA server of the S7-1500 CPU. Only when this
option is enabled, can the user with the role "PLC-opcua-role-all-inclusive" transfer
certificates, CRLs or trusted lists to the CPU at runtime (push function). This function
right is required for automated certificate handling, for example, in the context of GDS
(Global Discovery Service).
– User authentication of the OPC UA client
This function right apples on the OPC UA client of the S7-1500 CPU (with client
instructions). Only when this option is selected, can the user with the role "PLC-opcua-
role-all-inclusive" use the user name and password for authentication to establish a
session with a server.
4. The role "PLC-opcua-role-all-inclusive" still needs to be assigned to the relevant users ("Users"
tab under "Security settings" in the project tree).
Note
"Session duration" for users with OPC UA function rights
The value in the column "Session duration" in the table for user configuration does not
evaluate the CPU for OPC UA runtime rights.
Therefore, a user is not automatically logged out after a certain period of time. For this
purpose use OPC UA specific mechanisms such as the parameter "Max. session timeout"
(area OPC UA > Server > Settings).
Communication
240 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Diagnostics
You can specify the scope of the diagnostics of the OPC UA server in the CPU settings.
To change the diagnostics scope, navigate to the "OPC UA > Server > Diagnostics" area.
Default setting
The default setting is a diagnostics behavior that supports the most important diagnostics
without appreciably increasing the communication load.
You enable diagnostics for subscriptions when the OPC UA server also uses subscriptions, i.e.
if necessary during the commissioning phase only.
Reason: A large volume of diagnostic activity generates a high communication load in the
CPU and may suppress other important messages. Or, the high volume of diagnostics may
result in important messages disappearing in the mass of messages and being ignored.
Additional information
You will find additional information on the meaning and effect of the settings shown above
here (Page 304).
Communication
Function Manual, 05/2021, A5E03735815-AJ 241
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Runtime licenses
A license is required to run the OPC UA server of the S7-1500 CPU. The type of license
required depends on the performance of the respective CPU. The following license types are
differentiated:
• SIMATIC OPC UA S7-1500 small (required for CPU 1511, CPU 1512, CPU 1513, ET 200SP
CPUs, CPU 1515SP PC)
• SIMATIC OPC UA S7-1500 medium (required for CPU 1515, CPU 1516, Software Controller
CPU 1507, CPU 1516pro-2PN)
• SIMATIC OPC UA S7-1500 large (required for CPU 1517, CPU 1518)
The required license type is displayed under "Properties > General > Runtime licenses > OPC-
UA > Type of required license":
Communication
242 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Definition
A server interface combines nodes of an OPC UA address space of a CPU into a unit, so that a
specific view on this CPU is provided for OPC UA clients.
Each server interface defines one or more namespaces in the OPC UA server of the CPU.
STEP 7 (TIA Portal) differentiates between the following types of server interfaces:
• Companion specification
For this type of server interface, you use a Companion Specification created by a
workgroup, for example.
The workgroup is typically composed of members of the OPC Foundation and another
industry organization who have jointly specified an OPC UA information model for a
specific purpose (for example, for data exchange with RFID devices or with injection
molding machines).
This information model is realized in the form of OPC UA nodes in the address space of an
OPC UA server. OPC UA clients can access these OPC UA nodes.
You can also use the server interface type "Companion specification", for example, to
download company-internal information models, e.g. in SiOME.
If you implement a certain companion specification in your project, you apply the
specifications of this companion specification into your project as server interface.
For "Companion specification"-type server interfaces, you can import multiple namespaces
which the Companion specification uses.
Additional information on companion specifications is available here (Page 245).
Communication
Function Manual, 05/2021, A5E03735815-AJ 243
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
244 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Introduction
OPC UA is universally applicable: The standard itself does not, for example, specify how PLC
tags are to be named. It is also up to the individual user (application developer) to program
and name server methods that can be called over OPC UA.
Communication
Function Manual, 05/2021, A5E03735815-AJ 245
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
The following section uses the example of Euromap 77 to detail how to apply companion
specifications in STEP 7 (TIA Portal) and create the necessary PLC tags.
Note
EUROMAP and the OPC Foundation have established the Joint Working Group "OPC UA
Plastics and Rubber Machinery".
The existing EUROMAP recommendations EUROMAP 77 (data exchange between injection
moulding machines and MES), 82.1 (temperature control devices) and 83 (general
definitions) were published under the neutral umbrella of the OPC Foundation as OPC 40077,
40082-1 and 40083.
A major change it the change of the namespace, for example, for EUROMAP 77: Currently
"http://opcfoundation.org/UA/PlasticsRubber/IMM2MES/".
The examples listed below use the previously valid designations and references.
Note
Euromap 77, Euromap 83 and OPC UA for Devices (DI)
With Release Candidate 2, some of the Euromap definitions have been transferred from
Euromap 77 to Euromap 83 (currently OPC 40083). You will therefore also need to import
the OPC UA server interface of Euromap 83.
"OPC UA for Devices" is a generally applicable information model for the configuration of
hardware and software components. The information model also serves as the basis for other
companion standards and is therefore also imported.
Communication
246 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Procedure in STEP 7
To use the new server interface, import the server interface into the STEP 7 project, see
section "Creating a server interface for companion specification (Page 253)".
When the project is loaded into the CPU, the new server interface is available for OPC UA
clients.
Communication
Function Manual, 05/2021, A5E03735815-AJ 247
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Note
The following description shows the work steps in SiOME 1.7.3.
Follow-up versions of SiOME make it easier for you, for example, to create corresponding
DBs, structures, variables or methods in the user program. Using a drag-and-drop operation,
you can transfer data, for example, from SiOME to the TIA Portal (user program). In this case,
the variables, etc. are already mapped correctly or, for methods, the corresponding FB
elements are also generated correctly in the user program.
Download the current SiOME version using the download link listed above, and follow the
instructions in the documentation included in the download.
Communication
248 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
10.Create an instance from the root object type IMM_MES_InterfaceType of the Companion
specification Euromap 77.
To do so, in the "Information model" area, right-click the "DeviceSet" directory and select
"Add Instance".
SiOME displays the "Add Instance" dialog.
11.For "Name", enter a meaningful name for your instance.
In the example, enter "IMM_Manufacturer_01234".
For "TypeDefinition", select "IMM_MES_InterfaceType".
This object type is the root object type of Euromap 77: If you generate an instance of this
object type, then use the Euromap 77 once in the address space of your OPC UA server.
Communication
Function Manual, 05/2021, A5E03735815-AJ 249
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
12.Click "OK".
SiOME shows the new instance "IMM_Manufacturer_01234" in the "Information model"
area under "DeviceSet":
Communication
250 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 251
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Result
In your STEP 7 project, you have created a tag for the Euromap 77 in the
"IMM_Manufacturer_01234" data block.
Communication
252 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 253
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
5. Change the name of the new server interface so that it is descriptive in your project.
The name should have the following structure according to Euromap 77:
"IMM_<Manufacturer>_<Serial number>".
The example uses the name "IMM_Manufacturer_01234".
6. In the "Import XML file" field, select an XML file that describes an information model.
The "Using OPC UA companion specifications (Page 245)" section describes how to create
such an XML file with the SiOME tool.
The figure below shows a section from the information model:
"IMM_MANUFACTURER_0123456" an instance (use) of the type "IMM_MES_InterfaceType"
which was defined by Euromap 77 . "InjectionUnit_1" is an instance of the
"InjectionUnitType" type of Euromap 77.
Communication
254 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
7. Click "OK".
STEP 7 (TIA Portal) imports the information model described in the selected XML file.
An error occurs when type definitions are used in the imported XML file that are not yet
present in STEP 7 (TIA Portal) and that are also not contained in the imported XML file.
In the example, an XML file is imported that uses type definitions defined in the following
namespaces (Namespaces):
– http://opcfoundation.org/UA/DI/
– http://www.euromap.org/euromap83/
– http://www.euromap.org/euromap77/
Tip: STEP 7 displays missing namespaces in the lower area of the OPC UA interface editor
("Properties" tab).
To do this, select the server interface in the project tree (here: IMM_Manufacturer_01234)
and select the "Namespaces" area in the inspector window. Missing namespaces are
selected.
If one or more namespaces are missing in your STEP 7 project, create a new server
interface of the "Reference namespace" type for each namespace.
The "Creating a server interface for reference namespace (Page 270)" section describes
the procedure.
If all reference namespaces are available, STEP 7 displays the table without errors:
Communication
Function Manual, 05/2021, A5E03735815-AJ 255
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
8. Drag the OPC UA elements from the right area of the table (OPC UA elements) to the left
part of the table (OPC UA server interface) so that the respective OPC UA elements (the local
PLC tags) are assigned to the respective OPC UA nodes of Euromap 77.
The figure below shows a section from the assignment of the local data (PLC tags) to the
OPC UA nodes of the Euromap 77:
NOTICE
Checking the mapping of CPU local data on nodes of the OPC UA server interface
When invalid assignments (mappings) exist in the server interface, they can result in
incorrect read and write operations. Check the assignments and run a consistency check.
Communication
256 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 257
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
You can only generate nodes that can be mapped to local data, which means no objects, no
folders, no methods or input/output arguments of methods.
After you have clicked the button or selected the shortcut menu, you must select in the
follow-up dialog box whether the local data should be created in a new DB or in an existing
DB.
Consistency check
You have the option to check the server interface.
STEP 7 (TIA Portal) checks whether the OPC UA node of the server interface PLC tags (data
blocks) has been assigned compatible SIMATIC data types.
To check the consistency of the server interface, click on the following icon in the toolbar of
the OPC UA server interface editor:
Export interface
You have the option of exporting the OPC UA server interface as an XML file. This XML file
contains all data type definitions referenced by the server interface.
To export the OPC UA server interface, click on the following icon in the toolbar of the OPC
UA server interface editor:
Communication
258 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Introduction
The description is based on the following example:
A protective fence surrounds the production cell "Cell_1". The fence is equipped with the gate
"Gate_1".
An S7-1500 CPU controls the entire production cell and also controls access through Gate_1.
A robot packs drugs into boxes in the production cell and then stacks the boxes on pallets.
Self-driving vehicles for automated material transport move the pallets to the central
warehouse, thereby passing through Gate_1.
The CPU publishes a server interface via which the driverless transport systems arrange for
Gate_1 to open.
The server interface contains the server method "smOpenGate" for opening the gate and the
tag "Gate_1_State" which indicates the status of the gate (open or closed).
4. Change the name of the new server interface so that it is descriptive in your project.
In the example, change the name "Server-interface_1" suggested by STEP 7 to "Cell_1".
5. Click "Server interface" and then "OK".
Communication
Function Manual, 05/2021, A5E03735815-AJ 259
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
6. Click on the triangle in front of "Program blocks" in the area "OPC UA elements" to open the
"Program blocks" folder.
STEP 7 displays the following table for editing:
Note
The following applies in general: If you store data blocks or technology objects in the left
area of the table, STEP 7 (TIA Portal) creates an object in the server interface. The
elements of the data blocks are arranged as separate nodes below this.
If you store structures in the left area of the table, STEP 7 creates a node for the structure
as a whole and nodes for each element of the structure.
The same applies to arrays: Again, STEP 7 creates a node for the array as a whole and
nodes for each element of the array.
When you place a method in the left area of the table, STEP 7 creates a single node; the
arguments of the inserted method are displayed for information purposes.
Communication
260 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
In the example, you drag the "Gate_1_State" tag from the right area to the left area to
"<Add new>".
Then, drag the server method into the left area.
This server method is located within the "smOpenGate_DB [DB3]" data block in the right
area.
STEP 7 (TIA Portal) displays the dialog as follows:
NOTICE
Checking the mapping of CPU local data on nodes of the OPC UA server interface
When invalid assignments (mappings) exist in the server interface, they can result in
incorrect read and write operations. Check the assignments and run a consistency check.
Communication
Function Manual, 05/2021, A5E03735815-AJ 261
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
You can also disable the visibility of each configured OPC UA server interface in the properties
of the server interface and thus prevent that this server interface can be used by clients
during operation.
• To do this, select the server interface and right-click on the "Properties" command.
This option lets you define multiple server interfaces centrally, for example, and enable and
download only the required server interface.
Once a server interface has been defined, you can drag it to another CPU in the project tree.
Communication
262 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 263
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
You can only generate nodes that can be mapped to local data, which means no objects, no
folders, no methods or input/output arguments of methods.
After you have clicked the button or selected the shortcut menu, you must select in the
follow-up dialog box whether the local data should be created in a new DB or in an existing
DB.
Consistency check
You have the option to check the server interface.
During the consistency check, STEP 7 checks whether the OPC UA nodes of the server
interface are each assigned to a suitable OPC UA element (identical data type) or whether the
used element still exists in the CPU.
To check the consistency of the server interface, click on the following icon in the toolbar of
the OPC UA server interface editor:
Export interface
You have the option of exporting the OPC UA server interface as an XML file. This XML file
contains all data type definitions referenced by the server interface.
To export the OPC UA server interface, click on the following icon in the toolbar of the OPC
UA server interface editor:
See also
Master copies for OPC UA communication (Page 357)
Communication
264 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 265
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
266 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
UDT "Guid"
For the basic data type "Guid", create the following PLC data type. The default values used as
examples can also be set differently.
Communication
Function Manual, 05/2021, A5E03735815-AJ 267
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
UDT "LocalizedText"
For the basic data type "LocalizedText", create the following PLC data type:
EncodingByte Meaning
0 The fields Locale and Text are empty
1 The field Locale has content, the field Text is empty
2 The field Locale is empty, the field Text has content
3 The fields Locale and Text have content
UDT "ByteString"
For the basic data type "ByteString", create the following PLC data type; in this case, for
example, a ByteString array with 12 elements:
Communication
268 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
UDT "XmlElement"
An XmlElement is a serialized XML fragment (UTF-8 string).
For the basic data type "XmlElement", create the following PLC data type:
Note
Import blocked for namespace "http://www.siemens.com/simatic-s7-opcua"
You cannot import server interfaces with the namespace "http://www.siemens.com/simatic-
s7-opcua" to an S7-1500 CPU because this namespace is reserved for S7-1500 CPUs (standard
SIMATIC server interface) and is not available for imports.
If you want to import a server interface with the namespace
"http://www.siemens.com/simatic-s7-opcua", open the server interface to be imported (OPC
UA XML file) and change the namespace in the relevant places. The file thus changed can
then be imported.
Communication
Function Manual, 05/2021, A5E03735815-AJ 269
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
WARNING
No checking of imported OPC UA XML files
Protect these OPC UA XML files against unauthorized manipulation since STEP 7 does not
check the integrity of these files.
Recommendation
To minimize risks in the case of an extension or adaptation of the server address space, follow
these steps:
1. Protect the project (project navigation: Security settings > Settings).
2. Export the corresponding server interface before the extension or adaptation.
3. Revise this OPC UA XML file.
4. Import the file again as a server interface.
Note
EUROMAP and the OPC Foundation have established the Joint Working Group "OPC UA
Plastics and Rubber Machinery".
The existing EUROMAP recommendations EUROMAP 77 (data exchange between injection
moulding machines and MES), 82.1 (temperature control devices) und 83 (general
definitions) were published under the neutral umbrella of the OPC Foundation as OPC 40077,
40082-1 and 40083. However, the examples listed below use the previously valid
designations and references.
Communication
270 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 271
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
5. For "Import XML file", select an XML file that contains the definitions of the namespace
"http://opcfoundation.org/UA/DI/".
Select the file "Opc.Ua.Di.NodeSet2.xml" in the example. You can download this file here:
(https://opcfoundation.org/UA/schemas/DI/)
Opc.Ua.Di.NodeSet2.xml (https://opcfoundation.org/UA/schemas/DI/)
The figure below shows the dialog with the entries:
6. Click "OK".
STEP 7 (TIA) now generates the new server interface.
You can find the server interface in the project navigation of STEP 7 (TIA Portal), under "OPC
UA Communication > Server interfaces > Namespace references".
If a companion specification uses additional namespaces, add a new server interface for each
namespace.
Communication
272 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
9.3.4.8 Generating OPC UA nodes based on local data mappings of FB types and UDTs
If you want to make instance data from FBs or UDTs of the CPU accessible to OPC UA clients,
you can have these instance data assignments automatically made as of TIA Portal version
V17.
You only have to map the FB types or the UDTs to suitable OPC UA data types of imported
reference namespaces. Based on these mappings created in STEP 7 (TIA Portal), generate the
required nodes in the server interface for each FB instance or for each UDT usage during the
compile.
If you extend your program and add more FB instances or UDT usages, or if you add existing
instances delete, you do not need to worry about adapting the server interface: STEP 7
automatically adjusts the server interface when compiling the program.
Example
• You create a function block (FB) in the user program of the CPU and define in the "Static"
area of the interface of the FB the parameters that form the "memory" of the FB. The
instances (values) of this parameter are to be accessible for OPC UA clients.
• You create an OPC UA data type (e.g. with SiOME) with elements that correspond to the
data type the parameters in the static area of interface of the FB. The order of the
elements does not matter. Then import the reference nodeset file (reference namespace)
as a reference name space.
The following figure shows the assignment of elements as comparison of the reference
namespace view (server interface) and the OPC UA elements view (program).
Communication
Function Manual, 05/2021, A5E03735815-AJ 273
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Automatic generation of the OPC UA server instances in the server interface: Principle
The figure below shows the compilation of the project. The instances of the user program are
also generated in the server interface.
Communication
274 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
By mapping between FB type information / UDT type information and OPC UA type
information, STEP 7 is able to create all instances present in the program as nodes in the
server interface. You have the option to generate these nodes together with a new server
interface or to generate these nodes in an existing server interface.
Rules
• Only the FB elements in the "Static" area of an FB interface can be mapped to OPC UA type
descriptions.
• When mapping the data types, OPC UA elements from the same FB interface or from the
same UDT must always be selected for an object. Mapping from different FBs or UDTs to
an object is not permitted.
Requirement
• The FB types used, defined in the "Static" area of an FB, must be configured as "Accessible
for OPC UA".
• The UDTs used must be configured as "Accessible for OPC UA".
• A nodeset file (XML file) is available with OPC UA data type definitions that match the FB
types or UDTs defined in user program (can be mapped).
• The user program with the FB instances and UDT usages is available.
Communication
Function Manual, 05/2021, A5E03735815-AJ 275
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Procedure
To map a data type from a reference namespace to an FB type or UDT data type, follow these
steps:
1. Select the CPU that you want to use as an OPC UA server.
2. Import the prepared nodeset file (XML file) with the type definitions as a reference
namespace
(See AUTOHOTSPOT).
– In the "Add new server interface" dialog, enable the option "Generate OPC UA nodes
based on the local data mapping".
Only when this option is enabled can you map FB types or UDTs by dragging them to
the OPC UA type descriptions.
3. Double-click the icon for the server interface of the "Reference namespace" type that you
just generated.
The editor for mapping between OPC UA server interface and OPC UA elements opens. In
the properties area of the editor, in the "Mapping of local data" area, the option "Generate
OPC UA nodes based on the local data mapping" is enabled. If not, enable the option now.
Edit the "Interface name" field; to do this, click on the three dots on the right edge of the
field.
Select an existing server interface or create a new server interface ("Add" button).
When adding, a new server-interface is created. If you select an existing server interface,
you can edit the properties ("Edit" button).
4. Assign the existing FB types or UDTs to the nodes of the server interface (reference
namespace) by dragging the OPC UA element (right side of the editor) to the corresponding
node of the server interface (reference namespace, "Local data" column).
Communication
276 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Consistency check
The consistency check ("Consistency check" button of the editor) also checks the mapping of
the data types and updates the display of the data types in the corresponding column of the
editor.
Communication
Function Manual, 05/2021, A5E03735815-AJ 277
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Technical specification value CPU 1510SP (F) CPU 1505 (S/SP/SP F/SP T/SP TF) CPU 1507S (F)
CPU 1511 (C/F/T/TF) CPU 1515 (F/T/TF) CPU 1517 (F/T/TF)
CPU 1512C CPU 1515 SP PC (F/T/TF) CPU 1518 (F)
CPU 1512SP (F) CPU 1516 (F/T/TF)
CPU 1513 (F)
Use of imported companion specifications (information models)
Maximum number of OPC UA server
interfaces:
• "Companion specification" type 10 10 10
20 20 20
• "Reference namespace" type
10 10 10
• "Server interface" type
Communication
278 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 279
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
280 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 281
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
A Call of the server method and management of the "Done" information (method complete)
① Asynchronous call of the server method
② Asynchronous "Done" information for the method called (method complete)
B Wait for OPC UA client calls, management of calls in the queue, forwarding of "Done" information from the cyclic
user program to the OPC UA client
③ Data transfer from the OPC UA server to the method instances of the user program and vice versa
C Check whether method has been called.
If it has, forwarding of input data from the OPC UA server to the method instance of the user program and feedback
to the method instance that the method has been called ("called")
④ Synchronous call of the instruction OPC_UA_ServerMethodPre as a multi-instance stating the storage area for the
input data from the OPC UA server.
The return value indicates whether or not the method has been called by the OPC UA client.
⑤ Check whether the method has been completed or is still active ("busy").
D Check whether the method has been completed.
If it has, the output data of the method instance is forwarded to the OPC UA server and the method instance is
notified that the method has been completed. The OPC UA server is notified.
⑥ Call of the method FB (in this case: FB Cool) with the required instance and the process parameters
Figure 9-49 Example: Calling the "Cool" server method
See also
Boundary conditions for using server methods (Page 283)
Communication
282 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 283
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Technical specification value CPU 1510SP (F) CPU 1505 (S/SP/SP F/SP T/SP TF) CPU 1507S (F)
CPU 1511 (C/F/T/TF) CPU 1515 (F/T/TF) CPU 1517 (F/T/TF)
CPU 1512C CPU 1515 SP PC (F/T/TF) CPU 1518 (F)
CPU 1512SP (F) CPU 1516 (F/T/TF)
CPU 1513 (F)
Maximum number of usable server 20 50 100
methods or max. number of server
method instances
(OPC_UA_ServerMethodPre,
OPC_UA_ServerMethodPost instructions)
Maximum number of arguments per 20 20 20
method
(More than the specified number of
arguments can be configured and loaded
into the CPU, but an OPC UA client can-
not call the method).
Communication
284 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 285
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
286 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
Function Manual, 05/2021, A5E03735815-AJ 287
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
288 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
By selecting the node for a subscription, you determine which alarm types are received by the
OPC UA client. For example, the "Server" node enables receipt of all alarms, the
"UserProgram" node only the receipt of program alarms.
Details about the OPC UA model for Alarms and Conditions are given in the next selection,
especially for the "Overloads" node, you can find more information here: Handling memory
limits for OPC UA Alarms and Conditions (Page 301).
Communication
Function Manual, 05/2021, A5E03735815-AJ 289
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Properties of events
In the address model of the OPC UA server, as of CPU firmware version V2.9, you not only
have the option to access PLC tags (read, write) via nodes and to use methods - you can also
receive events or alarms via nodes. In OPC UA terminology, these are called "events".
An event includes an event text (Message), time stamp (Time) and event source
(SourceNode).
The information supplied with an event from the server depends on the event type. OPC UA
defines a BaseEventType in part 5 of the specification (Information Model).
Other event types that provide different alarm behavior are derived from the BaseEventType.
This type information of the different event types is visible in the address space of an OPC UA
server ("Types" folder). This also applies, for example, to the event types of "Conditions" and
"Alarms", which are discussed in the next section.
The OPC UA specification defines for the BaseEventType and for derived EventTypes which
properties (fields) of an event are mandatory and which are optional.
The following figure shows the hierarchical structure of BaseEventType.
The following sections show how specialized EventTypes are derived from the root of the
derivation hierarchy, the BaseEventType. The SIMATIC-specific derivations ensure that the
information supplied in SIMATIC with an alarm and displayed on an HMI device, for example,
can also be subscribed to by an OPC UA client in the address space of the OPC UA server.
An event itself is not available as a node in the address space. Events are only triggered by
nodes or objects that have the "Event-Notifier" property. These nodes are often also referred
to as event signaling objects. Only nodes with this property can be specified as
EventMonitoredItem in a subscription to receive corresponding events in the client.
Nodes that can trigger events with an S7-1500 CPU are objects such as "Server", the
"SimaticAlarmsAndConditions" object below it, and the three objects below that,
ProcessDiagnostics, SystemDiagnostics and UserProgram. The "EventNotifier" attribute is set
for these objects in the address space of the OPC UA server of the CPU.
Communication
290 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Definition of SimaticEventType
The figure below shows that the type "SimaticEventType" is derived directly from
BaseEventType.
BaseEventType is the basic type definition for events with OPC UA.
All event types for OPC UA can be defined, directly or indirectly, based on BaseEventType.
Communication
Function Manual, 05/2021, A5E03735815-AJ 291
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
292 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Properties of Conditions
A prerequisite for understanding is the concept of "Events" in OPC UA.
In OPC UA, if an event alarm object provides status information in addition to its ability to fire
Events, we speak of Conditions. Conditions represent a state of a system or one of its
components. Basic states are "enabled" and "disabled", other state definitions are also
possible.
In turn, interested OPC UA clients are notified of state changes by means of events (Condition
Events).
An example of a Condition is state information, for example, that a device requires
maintenance.
Properties of Alarms
However, the properties of ConditionType are not sufficient to completely map the
characteristics of SIMATIC alarms in the OPC UA server.
From the ConditionType, which is derived from the BaseEventType, OPC UA defines further
derived event types such as AcknowledgeableConditionType and AlarmConditionType.
AcknowledgeableConditionType supplements the properties of ConditionType with the
"Acknowledgeable" characteristic (AckedState).
AlarmConditionType thus adds the "ActiveState" characteristic to the properties of
ConditionType and the AcknowledgeableConditionType. In SIMATIC terminology, this is an
incoming alarm. The ActiveState signals that the situation, which the Condition represents, is
currently present or has occurred.
Example: A temperature has exceeded a limit. If "ActiveState" is not set, the situation that
represents the condition no longer exists - this is usually referred to as a "normal state". In
SIMATIC terminology, this corresponds to an outgoing alarm.
In OPC UA, other statuses such as SilenceState and ShelvingState are defined, but these are
not relevant to mapping to the SIMATIC alarm system and will therefore not be described
further here.
The SimaticAlarmConditionType is derived from the AlarmConditionType and contains all
event fields to map the state and acknowledgment information of SIMATIC messages.
Communication
Function Manual, 05/2021, A5E03735815-AJ 293
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Definition of SimaticAlarmConditionType
The following figure shows how events of the type "SimaticAlarmConditionType" are defined
by a series of expansions to the OPC UA "BaseEventType".
Communication
294 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Requirements
• S7-1500 CPU firmware version V2.9 or higher
• Runtime license for OPC UA were purchased according to the license specifications and set
in the CPU properties
Procedure
To activate alarms through OPC UA Alarms and Conditions, proceed as follows:
1. In the CPU properties, go to the "OPC UA > Server > General" area.
2. Select the "Enable Alarms and Conditions on the OPC UA server" option.
The corresponding types and objects that can trigger events only become visible in the
address space when the option is activated.
3. If required, also activate the option "Allow message acknowledgment by OPC UA client".
In this case, every connected OPC UA client can acknowledge an alarm requiring
acknowledgment with the "Acknowledge" method.
See also
Methods for OPC UA Alarms and Conditions (Page 297)
Request of a remote client failed (Page 309)
Communication
Function Manual, 05/2021, A5E03735815-AJ 295
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
296 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
In the columns of the Event area, a selection of event fields is offered, for example, the event
text (Message) and whether the alarm was acknowledged (A=Acknowledged).
Special features of the display of alarms via the OPC UA server of the CPU
The following once again summarizes the special features of the alarm display via OPC UA
Alarms and Conditions for the current status.
Topic Explanation
Comment Via OPC UA, you can add a comment to a alarm using the "Add-
Comment" method or the "Acknowledge" method. This comment
is no longer available after a server restart.
Pending alarms are not lost after a The OPC UA server supports the "ConditionRefresh" method with
server restart which it makes the current state of the system available to the
OPC UA client, for example, after download of a new data block
(requires server restart and connection re-establishment).
Requirement
Using the relevant methods for the Alarms and Conditions functionality requires the
following:
• Alarms and Conditions is activated
• For the "Acknowledge" method, the acknowledgment of alarms by OPC UA clients must be
allowed on the server side.
Communication
Function Manual, 05/2021, A5E03735815-AJ 297
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Method Description
Acknowledge Method for acknowledging an alarm object that is uniquely
identified by a EventId.
ConditionRefresh Method for requesting an update of all alarm objects (in
SIMATIC language: updating of all pending alarms). All mon-
itored items of the subscription are updated.
Synchronization of pending alarm objects from the OPC UA
server of the CPU is indicated e.g. in the following situa-
tions:
• Connecting for the first time or resuming the connection
(after interrupting the communication)
• Screen change on an operator screen of an HMI device
AddComment Method for adding comments to alarm objects.
Communication
298 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Acknowledge
The Acknowledge method (MethodId: i=9111) has the following parameters:
ConditionRefresh
The ConditionRefresh method (MethodId: i=3875) has the following parameters:
Note
ConditionRefresh2 method
The OPC UA server of the S7-1500 CPU does not support the ConditionRefresh2 method
which can specifically synchronize a monitored item (MonitoredItem) in a subscription. In this
case, the OPC UA Server returns the result code "Bad_MethodInvalid". Use the method
"ConditionRefresh" instead.
Communication
Function Manual, 05/2021, A5E03735815-AJ 299
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
AddComment
You have the possibility to add comments to Alarms- objects of the
SimaticAlarmConditionType type because the support of comments is mandatory for OPC UA
Alarms and Conditions .
A comment was save in the "Comment" event field.
The following time stamp event fields belong to the comment:
• "Comment.SourceTimestamp" for the time when the comment is transferred to the CPU??
• "Time" for the time when the Alarms object was modified
When the "AddComment" method is called, "Time" and "Comment.SourceTimestamp" are
identical.
Special features of Alarms and Conditions comments for the OPC UA server of the CPU
Communication
300 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Special features of Alarms and Conditions comments for the OPC UA server of the CPU
You have the possibility to add comments to alarm objects of the
"SimaticAlarmConditionType" type with the AddComment method. A comment is also set
when the Acknowledge method is called. The "AddComment" method can be called several
times.
• A comment was save in the "Comment" event field. The "Comment.SourceTimestamp"
indicates the last time at which a comment was set.
• The "Time" time stamp marks the last modification time of the alarm object.
When the "AddComment" method is called, "Time" and "Comment.SourceTimestamp" are
identical.
When the "Acknowledge" method is called, the two time stamps may differ, since the
acknowledgment is asynchronous.
The support of comments for OPC UA Alarms and Conditions is mandatory. The SIMATIC
alarm system does not know corresponding comments for alarms. Therefore, some special
features have to be considered:
• There is only one comment:
There is only one comment for an alarm object, so that an existing comment is always
overwritten when several method calls are made in succession.
• Lifetime and time stamp:
Comments are only stored at the current alarm object. If the alarm object no longer exists,
e.g. after a server restart, the comment no longer exists either. The corresponding
"Comment" and "Comment.SourceTimestamp" event fields are then reset (zero).
The "Time" event field is then set as if the method call "AddComment" did not exist.
Example: If you comment on an unacknowledged Alarms object, the "Time" event field
receives the time of this comment change. After a server restart, the "Time" event field
does not show the time when the comment was set, but the time when the
corresponding Event arrived.
Communication
Function Manual, 05/2021, A5E03735815-AJ 301
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Requirement
• Alarms and Conditions is activated
• Event subscriptions are set up in the OPC UA client
Principle
The following figure shows a simplified process for temporarily storing ProgramAlarms to
make them available again at another time for the OPC UA Alarms and Condition System. The
nodes mentioned in the caption are visible in the following image of the address model.
① Number of active alarms is too high to make all alarms accessible via OPC UA Alarms and Conditions
② Overloads alarm (overload alarm) is triggered. This overload alarm is active until the following situation occurs:
• No more alarms are pending for the OPC UA Alarms and Conditions system (OutstandingProgramAlarms = 0)
and
• Number of alarms in the OPC UA Alarms and Conditions system < Hysteresis-cleaned maximum value for OPC
UA alarms (= MaxAlarmsInQueue - OverloadHysteresis)
Alarms that are not available in the OPC UA Alarms and Conditions system due to the overload situation are buff-
ered by the CPU as "OutstandingAlarms".
③ When an OPC UA client executes the ConditionRefresh method, not only are all alarm objects of the relevant sub-
scription synchronized, but also the alarms outstanding for OPC UA Alarms and Conditions (OutstandingAlarms) are
transferred to the Alarms and Conditions memory area - until the maximum number of alarms is reached. "Oldest"
alarms are transferred first. After that every subscription to these alarms receives the transferred alarms - not only
the OPC UA client that called the ConditionRefresh method.
④ The OPC UA client controls the handling of pending alarms via the information of the Overloads nodes.
Communication
302 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Special features
• When pending alarms go out or are acknowledged, they no longer enter the OCP UA
Alarms and Conditions system area via the ConditionRefresh method. They are then
"invisible" to OPC UA Alarms and Conditions and thus to the connected OPC UA clients.
This fact influences e.g. statistical evaluations of alarm progressions.
• To avoid a high alarm frequency for the Overloads Alarm if the number of alarms oscillates
around the maximum value, the limit for triggering the alarm is higher than the limit for
canceling this alarm: The value for this difference is displayed in the "OverloadHysteresis"
node.
Example: Maximum number of alarms: 200, OverloadHysteresis: 3.
Overloads alarm is triggered starting with 200 alarms and is only canceled if there are
fewer than 197 alarms. If the number of alarms increases again, it will be triggered again
when 200 alarms are exceeded.
Communication
Function Manual, 05/2021, A5E03735815-AJ 303
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
In the address space of the server, for example, the following nodes are available with
diagnostic information:
• ServerDiagnosticsSummary: Server diagnostics summary
– CurrentSessionCount: Number of active sessions
– SecurityRejectedSessionCount: Number of sessions rejected due to mismatching end
point security settings between client and server
• SessionsDiagnosticsSummary: Session diagnostics summary
– ActualSessionTimeout: Set time that a session lasts, e.g. in the event of disconnection
• SubscriptionsDiagnosticsArray: ARRAY with one element per subscription for each
session
Communication
304 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
The SessionsDiagnosticsSummary node also shows the properties of the client application
accessing the server within the session.
Figure 9-51 Sessions diagnostics with the properties of the client application
Communication
Function Manual, 05/2021, A5E03735815-AJ 305
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Requirement
The "Change of OPC UA server status" option is selected (OPC UA > Server > Diagnostics) in
the OPC UA properties of the CPU.
Note
If this option is selected, the CPU also automatically enters the lowest set security policy into
the diagnostic buffer after startup.
Examples
If the OPC UA server of the CPU shuts down due to a download process and then starts with a
valid new configuration, the diagnostic buffer shows new server state, e.g. Shutdown =>
Starting => Running.
If the OPC UA server shuts down due to a download process and the server cannot start
because the type dictionary is too large, the diagnostic buffer finally shows the state "Failed"
(Shutdown => Starting => Failed).
Communication
306 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Requirement
The "Change of session states" option (OPC UA > Server > Diagnostics) is selected in the OPC
UA properties of the CPU.
Communication
Function Manual, 05/2021, A5E03735815-AJ 307
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Example
A client transmits incorrect authentication data (for example, incorrect password) when a
connection is established. The new state of the "ActivationFailed" session is entered with the
corresponding session ID in the diagnostic buffer.
① Client connects to server, login with correct authentication data (correct credentials).
② Client closes connection correctly.
③ Client no longer sends messages; session ends with timeout.
④ Client connects to server, login with incorrect authentication data.
Requirements
• S7-1500 CPUs as of firmware version 2.8
• The "Check for security events" option is activated (properties of the CPU > OPC UA >
Server > Diagnostics).
Communication
308 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Example
If an attempt is made to compromise communications (for example, by session hijacking,
man-in-the-middle attacks etc.), the server detects this via analysis.
Service fault
If a service itself fails, the server returns a ServiceFault. In this case, the status code (Bad...)
and the according session ID are entered in the diagnostics buffer.
Communication
Function Manual, 05/2021, A5E03735815-AJ 309
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Communication
310 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Requirement
In the OPC UA properties of the CPU, the option "Subscriptions: Change of status" (OPC UA >
Server > Diagnostics) is selected.
Example
An OPC UA client is connected to an S7-1500 CPU as OPC UA server and generates a
subscription in the server.
The diagnostic options for subscriptions are selected in the OPC UA properties of the CPU.
The "Creating" and "Normal" states are entered one after the other with the corresponding
subscription ID in the diagnostic buffer.
Communication
Function Manual, 05/2021, A5E03735815-AJ 311
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Status Meaning
Creating Client has requested a subscription in the server; the server creates the subscrip-
tion.
Normal Subscription is created in the server and active.
Closed Client has deleted the subscription.
KeepAlive Status if the monitored items do not change over a long period of time. These
state transitions are not entered in the diagnostic buffer.
Late Client has generated a subscription with minimal sampling and publishing inter-
vals. The amount of monitored items is not transmitted to the client during this
time.
Client no longer transmits requests to send (for example, due to failure).
TimedOut The client has requested a subscription.
The server can only honor the subscription (send Publish Response) when there is
a sufficient number of send requests (Publish Requests) from the client.
When the client stops sending subscription requests, the subscription enters the
"TimedOut" state after a certain time.
Communication
312 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Requirement
In the OPC UA properties of the CPU, the option "Subscriptions: Sampling time errors" (OPC
UA > Server > Diagnostics) is selected.
Error-free subscription
In the case of an OPC UA subscription to various elements (such as tags), the OPC UA server
of the SIMATIC S7-1500 must check the elements for value changes at specified intervals
(sampling interval). This check, referred to as "sampling", requires some time, which depends
on the number and the data type of the items. After the sampling is completed and a
publishing request has been received, the server sends the elements to the client.
See also
Settings of the server for subscriptions (Page 224)
Communication
Function Manual, 05/2021, A5E03735815-AJ 313
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Requirement
The "Summarize diagnostics in case of high message volume" option is activated in the OPC
UA properties of the CPU (OPC UA > Server > Diagnostics, "Summarize diagnostics" area).
Example
An OPC UA client repeatedly "overloads" an S7-1500 CPU as OPC UA server with a sampling
rate that the server cannot handle (overload).
The "Summarize diagnostics in case of high message volume" setting is activated.
A message appears in the diagnostics buffer for this diagnostic option. It states that the
sampling rate cannot be reached; followed by the number of these events within the
configured interval.
Communication
314 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
Principle of operation
The CPU enters the first three events of an event type in the diagnostics buffer. It then
ignores all subsequent diagnostics of this group.
At the end of the monitoring time (interval), the CPU generates a group alarm in which it
enters the diagnostics and the frequency of this diagnostics during the elapsed interval. If
these diagnostics also occur in the intervals that follow, the CPU only generates one group
alarm per subsequent interval.
A diagnostic surge leaves the following pattern in the diagnostics buffer: Three individual
messages followed by a series of group alarms. This series can consist of two, three or more
group alarms depending on the selected monitoring time and duration of the diagnostic
surge.
① Diagnostic results of a group (of a type), for example "Sampling rate could not be reached".
② Interval (monitoring time): When a diagnostic event occurs the first time (or reoccurs), the
monitoring time is started (or restarted).
③ Single alarms: The first three diagnostic events from the same group are entered in the diag-
nostics buffer immediately. Starting with the fourth diagnostic event, the CPU generates only
group alarms. If a diagnostic event of this group occurs after a pause of at least one interval, the
CPU enters a single alarm in the diagnostics buffer and restarts the monitoring time.
④ Group alarms: After three diagnostic events, the CPU only generates a group alarm as a sum-
mary of all additional diagnostic events in this interval. If these diagnostic events also occur in
the intervals that follow, the CPU only generates one group alarm per subsequent interval.
Communication
Function Manual, 05/2021, A5E03735815-AJ 315
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
PLCopen specification
With these standardized instructions, you can develop an OPC UA client functions in your user
program that can be executed in an S7-1500 CPU.
In addition, it is possible with just a few adaptations to run this user program in controllers of
other manufacturers if these manufacturers have also implemented the OPC UA Specification
"PLCopen OPC UA client for IEC61131-3".
Requirements
• You have the required runtime license for OPC UA and have configured the license in STEP
7 (CPU Properties > Runtime Licenses).
• The client of the S7-1500 CPU is activated.
To use the client of the S7-1500 CPU, you must enable it:
1. Select the area "OPC UA > Client" in the properties of the CPU.
2. Select the "Enable OPC UA client" option.
If you do not enable the client, the connection is not established. You receive a
corresponding error message at the instructions, for example "OPC_UA_Connect".
For information about the application name, which also applies to the server and the client,
see here (Page 218).
Communication
316 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Overview
To use the editor and the connection parameter assignment, follow these steps:
1. First, specify a client interface. Add to this the PLC tags and PLC methods interface that you
want to access ("First step (Page 322)").
2. Next, configure the connection to the OPC UA server (Second step (Page 339)).
3. Finally, use the configured connection for the OPC UA client instructions (Third step
(Page 348)).
Communication
Function Manual, 05/2021, A5E03735815-AJ 317
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Figure 9-59 Run sequence for a method call in the OPC UA server
Optional instructions (reading out the status of a connection / reading out node IDs of
nodes with known hierarchy of the address space)
• OPC_UA_ConnectionGetStatus
• OPC_UA_TranslatePathList
① Instructions for preparation of read and write operations with inserted instruction for request-
ing, for example, the NodeIDs of nodes of the OPC UA server.
② You can determine the connection status between the establishment and termination of the
connection in parallel with other instructions.
③ Instructions for "clean-up"
Communication
318 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
OPC UA instruction Maximum number for Maximum number for Maximum number for
CPU 1510SP (F) CPU 1505 CPU 1507S (F)
CPU 1511 (C/F/T/TF) (S/SP/SP F/SP T/SP TF) CPU 1517 (F/T/TF)
CPU 1512C CPU 1515 (F/T/TF) CPU 1518 (F)
CPU 1512SP (F) CPU 1515 SP PC (F/T/TF)
CPU 1513 (F) CPU 1516 (F/T/TF)
OPC_UA_Connect 4 10 40
OPC_UA_NamespaceGetIndexLi 4* 10* 40*
st
OPC_UA_NodeGetHandleList 4* 10* 40*
OPC_UA_MethodGetHandleList 4* 10* 40*
OPC_UA_TranslatePathList 4* 10* 40*
OPC_UA_ReadList 20 in total (max. 5 per 50 in total (max. 5 per 200 in total (max. 5 per con-
connection, see connection, see nection, see OPC_UA_Connect)
OPC_UA_Connect) OPC_UA_Connect)
Communication
Function Manual, 05/2021, A5E03735815-AJ 319
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
OPC UA instruction Maximum number for Maximum number for Maximum number for
CPU 1510SP (F) CPU 1505 CPU 1507S (F)
CPU 1511 (C/F/T/TF) (S/SP/SP F/SP T/SP TF) CPU 1517 (F/T/TF)
CPU 1512C CPU 1515 (F/T/TF) CPU 1518 (F)
CPU 1512SP (F) CPU 1515 SP PC (F/T/TF)
CPU 1513 (F) CPU 1516 (F/T/TF)
OPC_UA_WriteList 20 in total (max. 5 per 50 in total (max. 5 per 200 in total (max. 5 per con-
connection, see connection, see nection, see OPC_UA_Connect)
OPC_UA_Connect) OPC_UA_Connect)
OPC_UA_MethodCall 20 in total (max. 5 per 50 in total (max. 5 per 200 in total (max. 5 per con-
connection, see connection, see nection, see OPC_UA_Connect)
OPC_UA_Connect) OPC_UA_Connect)
OPC_UA_NodeReleaseHandleLi 4* 10* 40*
st
OPC_UA_MethodReleaseHandl 4* 10* 40*
eList
OPC_UA_Disconnect 4* 10* 40*
OPC_UA_ConnectionGetStatus 4* 10* 40*
Communication
320 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Communication
Function Manual, 05/2021, A5E03735815-AJ 321
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
The following figure shows the example in the network view of the TIA Portal:
Communication
322 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
STEP 7 names the new interface "Client interface_1". If a "Client interface_1" already
exists, the new interface receives the designation "Client interface_2" etc.
In addition, STEP 7 creates the following data blocks:
– Client_Interface_1_Configuration
The data block already contains all system data types that are needed for the
instructions of the OPC UA client.
This data block is filled when you configure the connection to the OPC UA server.
You configure a connection in the properties of the client interface, see: Example
configuration for OPC UA (Page 320).
– Client_Interface_1_Data
A data block for the PLC tags that you want to read or write from an OPC UA server as
well as for methods that you want to call in the OPC UA server.
You use this data block in your user program.
This data block is currently still empty.
5. Select a descriptive name for the new client interface.
Select "Productionline" in the example.
This also changes the names of the associated data blocks to:
– Productionline_Data
– Productionline_Configuration
6. To import an OPC UA server interface, click the "Import interface" button in the top right of
the editor.
This allows you to import an XML file which describes the server interface of an OPC UA
server.
Alternative: To determine online the server interface of a connected OPC UA server, see:
Determine server interface online (Page 331).
Communication
Function Manual, 05/2021, A5E03735815-AJ 323
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
7. STEP 7 displays a dialog with which you can select an XML file.
This XML file describes a address space of an OPC UA server.
The address space of an OPC UA server contains all PLC tags and server methods published
by an OPC UA server.
OPC UA clients can access this address space:
- Read PLC tags
- Write PLC tags
- Calling Server Methods
The address space of an OPC UA server can be divided into one or more server interfaces.
For creating server interfaces, see: Creating a server interface for companion specification
(Page 253).
8. Create a read list in this client interface.
To do this, follow these steps:
– Click "Add new read list" in the left section of the editor.
STEP 7 adds a new list named "ReadList_1".
For the example, change the name to "ReadListProduct"
– Now add the new read list of the PLC tags that you want to read from the OPC UA
server.
In the example the "NewProduct" and "ProductNumber" tags are added to the
"ReadListProduct" read list.
Select the "NewProduct" tag in the right-hand field of the editor ("OPC UA Server
interface"). Drag the "NewProduct" tag to the "ReadProduct" read list in the middle field
of the editor. Follow the same procedure with the "ProductNumber" tag.
The figure below shows the right field of the editor.
Communication
324 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Alternative:
You can also select a new read list by dragging the right field of the editor ("OPC UA Server
interface") to a node of the type Object or Folder and then dragging it to "Add new read
list" in the left field of the editor. The new read list then contains all PLC tags of the node
that has been moved.
In the example, select the object "Data_for_OPC_UA_Clients", which contains the tags
"NewProduct" and "ProductNumber". STEP 7 generates the new read list
"Data_for_OPC_UA_Clients". In addition, the object contains the tag "Temperature". Delete
the "Temperature" tag from the read list. Since they should not be read in the example.
Change the name of the read list in "ReadListProduct".
The following figure shows the content of the read list:
Note
Read and write lists do not support all node types.
The OPC UA client of the S7-1500 CPU does not support all OPC UA data types (node
types) that can be made available via an OPC UA server interface. If you place an
unsupported node type, for example, in a read list or write list a corresponding error signal
appears. In this case, you cannot include the corresponding node in the read or write list.
Which types are supported is described here: Mapping of data types (Page 169)
Communication
Function Manual, 05/2021, A5E03735815-AJ 325
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
9. If you want assign new values to PLC tags, create a write list in this client interface.
To do this, follow these steps:
– Click "Add new write list" in the left section of the editor.
STEP 7 adds a new list with the name "ReadList_1".
For the example, change the name to "WriteListStatus".
– Now add the new write list of all OPC UA server tags to which you want to assign new
values.
In the example, add the "WriteListStatus" tag to the write list "ProductionEnabled".
Select the Tag of right field of the editor ("OPC UA Server interface"). Drag the tag to
the write list in the middle field of the editor.
Alternative:
You can also create a new write list by selecting a node of the type Object or Folder in the
right field of the editor ("OPC UA server interface") and then dragging to "Add new write
list" in the left field of the editor.
The new write list then contains all tags of the relevant node.
In the example, select the object "Data_from_OPC_UA_Clients", which contains the tag
"ProductionEnabled". STEP 7 generates the new write list "Data_from_OPC_UA_Clients".
Change the name in "WriteListStatus".
The following figure shows the content of the write list:
Communication
326 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
10.If you want to call a method of this OPC UA server, generate a new method list.
To do this, follow these steps:
– In the left section of the editor, click "Add new method list".
STEP 7 adds a new list with the name "Method list_1".
For the example, change the name to "MethodListOpenDoor".
– Now add a method of the OPC UA server to the new method list.
In this example, add the method "OpenDoor" to the method list
"MethodListOpenDoor".
Select the method of right field of the editor ("OPC UA Server interface"). Drag the
method to the method list in the middle field of the editor.
Alternative:
You can also generate a new method list by selecting a method (node of the type Object)
in the right field of the editor (OPC UA Server interface) and then dragging it to "Add new
method list" in the left field of the editor. The new method list then contains the method
of the relevant node.
The following figure shows the content of the method list:
If you want to call another method of the OPC UA server, you must create a new method
list. Each method list contains only one method.
See also Useful information about server methods (Page 279).
11.Compile the project.
To do so, select the project and click the following button in the toolbar:
STEP 7 compiles the project and updates the data blocks that belong to the "Productionline"
client interface.
Note
During compilation, STEP 7 overwrites all data in the data blocks belonging to the client
interface. For this reason, you should neither add to nor correct these data blocks manually.
Communication
Function Manual, 05/2021, A5E03735815-AJ 327
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Note
Renaming nod names (DisplayNames)
In read lists, write lists and method lists you can rename the name of a node by means of the
shortcut menu. This is the "DisplayName" in the OPC UA language usage.
If you rename the name of a method list node and the node is already used in a programmed
block for the method call "OPC_UA_MethodCall", the compilation of the project leads to
consistency errors: During the compilation the UDTs of the method are generated with the
changed name. The references to the method used in the program are then no longer
correct.
To correct the consistency errors, you can either undo the name change of the method in the
client interface or navigate to the method call and assign the relevant parameters again there
under "Properties > Block parameters" ("Configuration" tab).
Communication
328 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Use the "Productionline_Data" data block in your user program and access the read values
of the "NewProduct" and "ProductNumber" PLC tags. This is explained in the following
section using an example.
Communication
Function Manual, 05/2021, A5E03735815-AJ 329
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Communication
330 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Consistency check
Finally, check the consistency of the read/write list or method list.
1. Select the list that you want to check.
2. Click the "Consistency check" button above the "OPC UA client interface" area.
A green check mark indicates an error-free assignment of the tags or methods to the
corresponding elements of the server interface.
You can assume that the data exchange between client and server and method calls operate
without problem in runtime.
In the event of an error a list appears in the Inspector window. From this list you can jump to
the respective error.
During the consistency check, STEP 7 checks:
• Whether all elements that you use in the respective list are also present in the server.
• Do the data types used match?
• For methods: Do the number, name, order, and data types of method arguments match?
Communication
Function Manual, 05/2021, A5E03735815-AJ 331
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
4. In the left section of the editor, click "Add new read list", "Add new write list", or "Add new
method list".
5. In the right field of the editor, select "Online[]" as data source for "Source of server data":
Communication
332 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Tip: When establishing an online connection to an OPC UA server for the first time, use
the "Online access" button. When reconnecting after a disconnection, select the "Connect
to Online Server" button next to the "Online" selection field.
In the top right, enter the IP address of the OPC UA server whose server interface you
want to determine online.
7. Click "Find selected server".
STEP 7 establishes a connection to the OPC UA server and determines all security settings
(server endpoints) that the server holds in readiness.
STEP 7 displays the end points as list:
8. Click on the end point you want to use for a connection of STEP 7 to the OPC UA server.
Communication
Function Manual, 05/2021, A5E03735815-AJ 333
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Communication
334 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
See also
Mapping of data types (Page 169)
Creating client interfaces (Page 322)
Communication
Function Manual, 05/2021, A5E03735815-AJ 335
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Communication
336 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
When you change the editing language, the multilingual text in the imported interface will
also change according to the rules explained above.
You can then apply the nodes in the corresponding lists (read list, write list, method list) with
drag and drop.
You cannot change the language in the lists (read list, write list, method list).
Communication
Function Manual, 05/2021, A5E03735815-AJ 337
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Communication
338 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
The structure mapped in the read list matches, both in the order and in the assigned data
types, the corresponding nodes of the node set file.
If the structure now changes on the server, for example tagA and tagB are swapped, and the
read list remains the same in the client, the assignment is no longer correct:
• The total length of the data remains the same (only the order has changed)
• The configuration of the structure is different for client and server!
WARNING
No error message in the case of different structure configuration between client and
server
If the structures of client and server do not match, this rule violation will possibly not
generate any error during compilation and also not in runtime.
Make sure not to change the configured assignments for structures in runtime. If required,
reconfigure the assignment in the read and write lists!
Communication
Function Manual, 05/2021, A5E03735815-AJ 339
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
The section "Create client interface (Page 322)" describes how to create a client interface.
2. Click the "Properties" tab (Inspector window) if the tab is not already displayed.
STEP 7 now displays the connection parameter assignment for the instructions of the OPC
UA client.
The "General" tab is open.
3. Click on the "Configuration" tab and set the connection to the OPC UA server.
Alternatively, you can enter a valid DNS name in the "Address" field. The length of the DNS
name is limited to 242 characters.
If the address is not valid, the error message is shown: "Enter a valid address".
If the string of the "Address", "Port" and "Path" fields contains more than 254 characters, an
error message is also displayed.
Communication
340 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
3. Enter a path within the OPC UA server to restrict access to this path. The information is
optional. However, some servers only establish a connection if a server path is specified.
When you specify a path, it is automatically entered at the "ServerEndpointUrl" entry in the
configuration DB for the client interface. The entry then consists of the components "OPC
Schematic Prefix", "IP address", "Port number" and "Server path", for example:
"opc.tcp://192.168.0.10:4840/example/path".
The following figure shows the entry of the IP address for the OPC UA server:
4. If the OPC UA server is not using the standard port 4840, you must insert the port number
here.
For example, enter the number 65535 in the field, if the OPC UA server to which you want
to establish a connection uses this port number.
5. In addition, you accept the default settings for session timeout (30 seconds) and monitoring
time (5 seconds).
Communication
Function Manual, 05/2021, A5E03735815-AJ 341
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
"General" area
Security mode:
Select the security mode that the connection to the OPC UA server must meet from the drop-
down list.
If the server does not meet the selected mode, a session is not established.
The following settings are available:
• No security: No secure connection!
• Sign: OPC UA server and OPC UA client sign the data transmission (all messages):
Manipulations can thus be detected.
• Sign & Encrypt: OPC UA server and OPC UA client sign and encrypt the data transmission
(all messages):
Security policy:
Set the encryption techniques for the signing and encryption of messages.
The following settings are possible:
• No security
• Basic128Rsa15
• Basic256
• Basic256Sha256
To configure a secure connection, you must observe the following items:
• A certificate is required for the client for a secure connection.
• You have to make the client certificate known to the server.
To find out how to proceed, see the section "Handling client and server certificates
(Page 227)" under "Certificate of the OPC UA client".
"Certificates" area
Client certificate:
The certificate confirms the authenticity of the OPC UA client.
To select a certificate, click the following symbol:
Communication
342 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Setting languages
UA tags of the String type can be localized with OPC UA, that is, texts (values for the UA tag)
can be available in different languages for the server. For example, localized texts can be
available for DisplayName (Name of the node) and Description (Description).
In the "Languages" area of the "Configuration" tab you can, for example, influence the
language of the texts returned by the server as follows:
In the "Languages" area, enter a number of languages that the server transfers to the client
during connection setup.
The language or the local ID ("language code") associated with it that you enter in the first
line is the language preferred by the client.
• If the server can provide the UA tag in the requested language, it is transferred to the
client.
• If the server cannot provide the UA tag in the requested language, it checks whether it can
provide the UA tag in the language you have entered in the second line (first substitute
language).
• The server works its way down the list, and when it can provide neither the requested
language nor a substitute language, it will provide the default language.
Additional information
What causes the connection to an OPC UA server to fail? FAQ
(https://support.industry.siemens.com/cs/ww/en/view/109766709)
See also
Handling of the client certificates of the S7-1500 CPU (Page 344)
Communication
Function Manual, 05/2021, A5E03735815-AJ 343
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Requirements
The IP interface of the CPU is configured, an IP address is available.
Background: The IP address under which the CPU can be accessed in your system is entered
under "Subject Alternative Name (SAN)".
Communication
344 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Communication
Function Manual, 05/2021, A5E03735815-AJ 345
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Result
The server now trusts the client. If the server certificate is also considered trusted, the server
and client can establish a secure connection.
Communication
346 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
Note
STEP 7 stores user name and password unencrypted in the data block/instance data block.
Recommendation: Use the user authentication "User (TIA Portal - Security Settings)".
Communication
Function Manual, 05/2021, A5E03735815-AJ 347
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
"No Security" security policy and authentication via user name and password
You can set the following combination:
Security policy = "No Security" and authentication via user name and password.
• The OPC UA server of the S7-1500 supports this combination. OPC UA clients can connect
and encrypt the authentication data or not.
• OPC UA client of the S7-1500 CPU also supports this combination: However, in runtime it
only connects if it can send the authentication data encrypted via cable!
Result: With the following configuration, not connection can be established in runtime.
• S7-1500 as OPC UA client
• OPC UA server which supports no encryption of authentication data when "No Security"
(="none") is set as security policy.
See also
Users and roles with OPC UA function rights (Page 238)
Introduction
This section shows you how to use a configured connection for OPC UA instructions (third
step).
Requirements
• You have created a client interface and added PLC tags and PLC methods to this interface,
see ("First step (Page 322)").
• You have configured a connection to an OPC UA server (Second step (Page 339)).
Overview
To read data from an OPC UA server or write data to an OPC UA server, use the following
instructions:
• OPC_UA_Connect
• OPC_UA_NamespaceGetIndexList
• OPC_UA_NodeGetHandleList
• OPC_UA_ReadList or OPC_UA_WriteList
• OPC_UA_NodeReleaseHandleList
• OPC_UA_Disconnect
Communication
348 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
STEP 7 (TIA Portal) automatically supplies the parameters of these instructions if you are
using a client interface and a configured connection to an OPC UA server.
The procedure is shown in the following section.
Communication
Function Manual, 05/2021, A5E03735815-AJ 349
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
The editor for the Ladder Logic (LAD) programming language displays the instruction
similarly.
4. Click the toolbox symbol in the editor for FBD or LAD.
The symbol is located in the heading of the instruction:
If you are using the editor for STL or SCL: Click the small green rectangle below the first
character of the instance name:
Communication
350 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
5. For "Client interface" select the client interface that you want to use for the instruction.
We select the "ProductionLine" client interface in the example.
STEP 7 now interconnects the "ProductionLine" client interface with the parameters of the
OPC_UA_Connect instruction:
"ProductionLine" is the interface that the OPC UA client of the example (Page 320) uses for
data exchange with the OPC UA server "ProductionLine".
6. Using drag-and-drop, move the "UA_NamespaceGetIndexList" instruction into the program
editor.
You will find the instruction under "Instructions > Communication > OPC UA" in the TIA
Portal.
Select the "Multi-instance" call option.
Click the toolbox symbol (LAD and FBD) or the small green box below the instance name
(STL and SCL) if the editor is not already open.
Select the client interface that you want to use ("ProductionLine" in the example).
STEP 7 now automatically interconnects all parameters of the
"OPC_UA_NamespaceGetIndexList" instruction:
7. Using drag-and-drop, move the "UA_NodeGetHandleList" instruction into the program
editor.
Select the "Multi-instance" call option.
Click the toolbox symbol (LAD and FBD) or the small green box below the instance name
(STL and SCL) if the editor is not already open.
Select the client interface that you want to use. The example uses the "ProductionLine"
client interface.
Under "Data access > Read/Writelist" select the read list that you want to use (in the
example the read list "Product").
Communication
Function Manual, 05/2021, A5E03735815-AJ 351
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
If you want to write data to an OPC UA server, select the write list you want to use under
"Data access > Read/Writelist" (the "ProductionStatus" write list in the example).
Communication
352 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
8. Using drag-and-drop, move the "UA_ReadList" instruction into the program editor.
Select the "Multi-instance" call option.
Click the toolbox symbol (LAD and FBD) or the small green box below the instance name
(STL and SCL) if the editor is not already open.
Select the client interface that you want to use. The example uses the "ProductionLine"
client interface.
Under "Data access > Read/Writelist" select the read list that you want to use (in the
example the "Product" read list).
STEP 7 now automatically interconnects all parameters of the "OPC_UA_ReadList"
instruction.
If you want to write data to an OPC UA server, use the "OPC_UA_Write" instruction and
select the list of tags you want to send to the server under "Data access > Writelist"
("ProductionStatus" write list in the example).
9. If you use different read lists or write lists as program-controlled lists in your user program,
move the "UA_NodeReleaseHandleList" instruction to the program editor using drag-and-
drop operation.
Select the client interface that you want to use.
Now select a read list or write list that you want to release: Only release read or write lists
that you rarely use, since re-registering is time-consuming.
Then, repeat the steps starting with step 7 with the "UA_NodeGetHandleList" instruction.
10.Using drag-and-drop, move the "UA_Disconnect" instruction into the program editor.
Select the "Multi-instance" call option.
Click the toolbox symbol (LAD and FBD) or the small green box below the instance name
(STL and SCL) if the editor is not already open.
Select the client interface that you want to use. The example uses the "ProductionLine"
client interface.
STEP 7 now automatically interconnects all parameters of the "OPC_UA_Disconnect"
instruction.
Communication
Function Manual, 05/2021, A5E03735815-AJ 353
OPC UA communication
9.5 Tips and recommendations
Supported instructions
For the following instructions, STEP 7 automatically supplies the parameters if you are using a
client interface and a configured connection to an OPC UA server:
• OPC_UA_Connect
• OPC_UA_NamespaceGetIndexList
• OPC_UA_NodeGetHandleList
• OPC_UA_MethodGetHandleList
• OPC_UA_MethodReleaseHandleList
• OPC_UA_ReadList
• OPC_UA_WriteList
• OPC_UA_MethodCall
• OPC_UA_NodeReleaseHandleList
• OPC_UA_Disconnect
Communication
354 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.5 Tips and recommendations
See also
Settings of the server for subscriptions (Page 224)
Communication
Function Manual, 05/2021, A5E03735815-AJ 355
OPC UA communication
9.5 Tips and recommendations
Communication
356 Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.5 Tips and recommendations
Communication
Function Manual, 05/2021, A5E03735815-AJ 357
OPC UA communication
9.5 Tips and recommendations
See also
Creating a user-defined server interface (Page 259)
Communication
358 Function Manual, 05/2021, A5E03735815-AJ
Addressing via DHCP 10
In order to provide future-proof, efficient and flexible automation, more and more
components from the production area support IT standards. Worldwide Ethernet standards,
integrated communication and versatility make IT-supported automation an economical
solution for your requirements. Functional expansions of the communication options of the
S7-1500 CPUs in this direction give you more freedom for the possible uses of your system or
machine. You use IT technology to automate efficiently. With the introduction of DHCP and
the expansions of DNS for S7-1500 CPU as of firmware version V2.9, you gain more flexibility
for the design of your automation solution.
Communication
Function Manual, 05/2021, A5E03735815-AJ 359
Addressing via DHCP
For the interfaces of an S7-1500 CPU you can set that address parameters such as the
IP address with subnet mask, can be got from a DHCPv4 server (hereinafter DHCP server).
Areas of application
• Use of the S7-1500 CPU in a managed IT environment
• Adding new devices in a modular manufacturing structure
Communication
360 Function Manual, 05/2021, A5E03735815-AJ
Addressing via DHCP
10.1 Principle of address assignment via DHCP
Requirement configuration
The following requirements must be met so that a PROFINET interface of the S7-1500 CPU
can obtain IP address parameters via a DHCP server:
• The address assignment via a DHCP server is configured.
Activate DHCP (Page 368)
• No PROFINET IO communication may be configured for the interface.
DHCP Discover The DHCP client searches for a suitable DHCP server via broadcast. The DHCP client
identifies itself to the DHCP server with the configured client ID or with its MAC ad-
dress.
DHCP Offer The DHCP server offers the DHCP-client IP address parameters (IPv4 address, subnet
mask, optional default router) and if necessary further data (options).
DHCP Request The DHCPclient requests the IP address parameters and options offered in the DHCP
offer.
The DHCP client of the S7-1500 CPU always accepts the first DHCP offer of a DHCP
server that meets the requirements (IP address with subnet mask).
DHCP Acknowl- The DHCP server confirms and transmits the IP address parameters and options of-
edgment fered in the DHCP offer.
The DHCP server also notifies the DHCP client how long the DHCP client can use the
address parameters (lease time).
The IP address parameters and options are stored in the load memory of the CPU. After a
general reset or restart of the CPU, the IP address parameters and options are obtained again
via DHCP.
Communication
Function Manual, 05/2021, A5E03735815-AJ 361
Addressing via DHCP
10.1 Principle of address assignment via DHCP
How long can the S7-1500 CPU use the DHCP address parameters?
In addition to the address parameters, the DHCP server also notifies the S7-1500 CPU (DHCP
client)of the lease time. The lease time defines how long the CPU can use the address
parameters.
When the lease time has fully expired, the CPU returns the assigned address parameters. The
CPU has an internal time monitoring for the lease time.
At certain times when the lease time expires, the CPU has the option of extending the lease
time:
• Renewal: Half of the lease time has expired: The CPU contacts the original DHCP server
and asks for an extension of the lease time. The original DHCP server can either confirm
the existing lease time or assign a new lease time. With a new lease time, the time
monitoring in the CPU is reset.
• Rebinding: 7/8 of the lease term has expired: The CPU contacts all available DHCP servers
via broadcast and asks for an extension of the lease time. A DHCP server can either
confirm the existing lease time or assign a new lease time. With a new lease time, the
time monitoring in the CPU is reset.
In the event of a negative response from DHCP server during rebinding or if no
DHCP server replies, the CPU returns the address parameters after 8/8 of the lease time.
If the CPU has returned the address parameters after the lease time has expired, the CPU
starts a new cycle for DHCP addressing with a new DHCP discover.
See also
Configuring the client ID (Page 368)
Communication
362 Function Manual, 05/2021, A5E03735815-AJ
Addressing via DHCP
10.2 DHCP with DNS
Communication
Function Manual, 05/2021, A5E03735815-AJ 363
Addressing via DHCP
10.2 DHCP with DNS
How you set the DNS configuration for your CPU depends on how you assign the host name
and domain in your network .
• Central assignment of host name and domain
You assign the host name and domain centrally in your network, for example via a
configured DNS server. In STEP 7 you configure that the CPU obtains the host name and
domain via DHCP.
In the following configuration, only the client ID is configured in the S7-1500 CPU. At the
DHCP address assignment the DHCP-server returns the host name and domain options to
the CPU.
For this configuration, you must first activate the host name and domain configuration in
STEP 7. You then configure that the host and domain name are obtained via DHCP.
Obtain host and domain name via DHCP (Page 371)
• Local assignment of host name and domain
You can configure the host name and domain in STEP 7 or assign them in the user
program.
Note
Validity of the data obtained from DHCP
If you change the host name and/or domain in the user program, then all data obtained
via DHCP (IP suite, host name, domain, NTP server, DNS server) becomes invalid and is
retrieved again from DHCP server. Therefore, you should only change the Hostname
and/or Domain in urgent cases and not during operation.
All connections can be dropped if the IP address of the interface changes.
Communication
364 Function Manual, 05/2021, A5E03735815-AJ
Addressing via DHCP
10.2 DHCP with DNS
In the following configuration, your host name and domain are configured in the S7-1500
CPU in addition to its client ID. When assigning DHCP addresses, the CPU supplies the
client ID as well as the host name and the domain to the DHCP server.. The DHCP server
receives the information to update, for example a DNS server with the address data of the
CPU.
For this configuration, you must first activate the host name and domain configuration in
STEP 7. You then configure the host name and domain in STEP 7.
• Central assignment of the domain and local assignment of host name.
– You configure in STEP 7 that the CPU gets the domain via DHCP.
– You can configure the host name in STEP 7 or assign it via the user program.
In the following configuration, the host name is also configured in the S7-1500 CPU in
addition to the client ID. When assigning DHCP addresses, the CPU supplies the client ID as
well as the host name to the DHCPv4 server. The DHCP server supplies the domain option
to the CPU.
Figure 10-5 Configure host name, obtain domain name via DHCP
Communication
Function Manual, 05/2021, A5E03735815-AJ 365
Addressing via DHCP
10.2 DHCP with DNS
For this configuration, you must first activate the host name and domain configuration in
STEP 7. Then configure the host name in STEP 7 and configure that the domain is
obtained via DHCP.
Requirements
• You have activated the address assignment via DHCP for at least one interface of the S7-
1500 CPU.
Communication
366 Function Manual, 05/2021, A5E03735815-AJ
Addressing via DHCP
10.2 DHCP with DNS
Communication
Function Manual, 05/2021, A5E03735815-AJ 367
Addressing via DHCP
10.3 Activate DHCP
Requirements
• S7-1500 CPU firmware V2.9 or higher
Procedure
To activate DHCP for the PROFINET interface of an S7-1500 CPU, follow these steps:
1. Select the PROFINET interface of the S7-1500 CPU in STEP 7.
2. In the properties of the interface, navigate to "Ethernet addresses" > "Internet Protocol
Version 4 (IPv4)".
3. Select the option "IP address of DHCP server".
Result
You have set the interface so that it obtains your IP address via a DHCP server.
"Use MAC address as client ID" is set as the operating mode for DHCP on the S7-1500 CPU.
How to adjust the client ID is described under Configuring the client ID (Page 368).
The client ID
The S7-1500 CPU always identifies itself to a DHCP server with the client ID (DHCP option 61).
The client ID is interface specific.
The S7-1500 CPU supports the following two operating modes with regard to the client ID:
• Use the MAC address as the client ID: The MAC address of the CPU is used as the client ID
for the DHCP client. Note, if you execute a device exchange of the CPU in this operating
mode, the MAC address and therefore also the client ID changes.
• User-defined client ID: With this option you specify the client ID in the configuration in
STEP 7. You also have the option of adapting the client ID during runtime, for example, in
the user program using the "CommConfig" instruction.
If you perform a device exchange of the CPU in this operating mode, the new CPU is
assigned the configured client ID.
Requirement
• You have activated address assignment via DHCP for the interface.
Communication
368 Function Manual, 05/2021, A5E03735815-AJ
Addressing via DHCP
10.4 Configuring the client ID
Note
Validity of data obtained via DHCP
If you change ClientId with "CommConfig", all data obtained via DHCP will be invalid: IP Suite,
domain name, NTP server, DNS server. Therefore, you should only change ClientId in urgent
cases and not during operation.
You can find more information on the instruction "CommConfig" and the UDTs
"Conf_ClientId" and "Conf_ClientId_Opaque" in the STEP 7 online help.
Communication
Function Manual, 05/2021, A5E03735815-AJ 369
Addressing via DHCP
10.5 Get addresses of the DNS servers via DHCP
Requirements
• You have activated the address assignment via DHCP for at least one interface of the
S7-1500 CPU.
Requirements
• You have activated the address assignment via DHCP for at least one interface of the
S7-1500 CPU.
Communication
370 Function Manual, 05/2021, A5E03735815-AJ
Addressing via DHCP
10.7 Obtain host and domain name via DHCP
Requirement
• You have activated the address assignment via DHCP for at least one interface of the
S7-1500 CPU.
• You have activated the host name and domain configuration in STEP 7.
Communication
Function Manual, 05/2021, A5E03735815-AJ 371
Routing 11
11.1 Overview of the routing mechanisms of S7-1500 CPUs
The following table gives an overview of the routing mechanisms of the S7-1500 CPU.
Communication
372 Function Manual, 05/2021, A5E03735815-AJ
Routing
11.2 S7 routing
11.2 S7 routing
Definition of S7 routing
S7 routing is the transfer of data beyond S7 subnet boundaries. You can send information
from a transmitter to a receiver across several s7 subnets. The gateway from one S7 subnet
to one or more other subnets is provided by the S7 router The S7 router is a device which has
interfaces to the respective S7 subnets. S7 routing is possible via various S7 subnets
(PROFINET/Industrial Ethernet and/or PROFIBUS).
Note
Firewall and S7 routing
A firewall does not recognize the IP address of the sender during S7 routing when the sender
is located outside the S7 subnet adjacent to the firewall.
An overview of the devices that support the "S7 routing" function is provided in this FAQ
(https://support.industry.siemens.com/cs/ww/en/view/584459).
Communication
Function Manual, 05/2021, A5E03735815-AJ 373
Routing
11.2 S7 routing
Communication
374 Function Manual, 05/2021, A5E03735815-AJ
Routing
11.2 S7 routing
The following figure shows the access from a PG via PROFINET to PROFIBUS. CPU 1 is the S7
router between S7 subnet 1 and S7 subnet 2; CPU 2 is the S7 router between S7 subnet 2 and
S7 subnet 3.
Communication
Function Manual, 05/2021, A5E03735815-AJ 375
Routing
11.2 S7 routing
Using S7 routing
For the CPU, select the PG/PC interface and the S7 subnet in the "Go online" dialog of STEP 7.
S7 routing is performed automatically.
Communication
376 Function Manual, 05/2021, A5E03735815-AJ
Routing
11.2 S7 routing
Additional information
• The allocation of connection resources with S7 routing is described in the section
Allocation of connection resources (Page 395).
• You can find more information on setting up TeleService in the STEP 7 online help.
• You can find more information on S7 routing and TeleService adapters when you search
the Internet using the following links:
– Device manual Industrial Software Engineering Tools TS Adapter IE Basic
(http://support.automation.siemens.com/WW/view/en/51311100)
– Downloads for the TS Adapter
(http://support.automation.siemens.com/WW/view/en/10805406/133100)
See also
HMI communication (Page 110)
Communication
Function Manual, 05/2021, A5E03735815-AJ 377
Routing
11.3 IP forwarding
11.3 IP forwarding
Areas of application
• Easy access from the control level to the field level for configuration and parameter
assignment of field devices, e.g. via PDM or web browser
• Simplified integration of devices for remote access, e.g. for diagnostics during remote
maintenance or firmware update
Communication
378 Function Manual, 05/2021, A5E03735815-AJ
Routing
11.3 IP forwarding
IP route table
When IP forwarding is enabled, the CPU forwards received IP packets that are not addressed
to itself. How the CPU forwards the IP packets is defined in its internal IP route table.
The CPU automatically creates the IP route table from the following information of the loaded
hardware configuration:
• IP configuration of the Ethernet interfaces
• Configured router
Communication
Function Manual, 05/2021, A5E03735815-AJ 379
Routing
11.3 IP forwarding
• For the PC, the IP router, the IO device and the HMI device, the IP addresses of a standard
gateway or the corresponding routes are also entered.
Communication
380 Function Manual, 05/2021, A5E03735815-AJ
Routing
11.3 IP forwarding
This example configuration results in the following IP routing table for the CPU.
For IP communication between the PG/PC and the HMI device, you need to set up additional
IP routes to the IP subnet of the HMI device both in the PC and in the IP router. In the HMI
device, you configure the IP address of the CPU interface X1 as the standard gateway.
In a Windows computer, for example, you set up an additional IP route from the command
prompt using the command "route add <destination IP subnet> mask <subnet mask>
<gateway>". However, you need certain access rights for this. For this example, enter the
following prompt:
• "route add 192.168.2.0 mask 255.255.255.0 192.168.4.20"
In an IP router, you set up additional routes, e.g. via a web interface. Set up the following
route for this example:
• Destination IP subnet: 192.168.2.0
• Subnet mask: 255.255.255.0
• Gateway: 10.10.0.10
Communication
Function Manual, 05/2021, A5E03735815-AJ 381
Routing
11.3 IP forwarding
Restrictions
You cannot configure any additional IP routes other than the router ("Standard Gateway") for
an S7-1500 CPU. The network destination is either a connected IP subnet, or the network
destination can be reached via exactly one configurable router. Because the S7-1500 CPU
does not support additional IP routes, you cannot build bi-directional IP router cascades.
In the following configuration, you can configure either "Router 1" or "Router 2" in the CPU.
"Router 1" is configured as an example. In this case, you cannot configure "Router 2". IP
communication between the PC and the HMI device is not possible because the route is not
continuous in both directions.
Communication
382 Function Manual, 05/2021, A5E03735815-AJ
Routing
11.3 IP forwarding
Reaching C/C++ Runtime of the CPU 1518 4 PN/DP MFP via interfaces X1 or X2
If you activate PN/DP MFP IP forwarding for the CPU 1518 4 PN/DP, you will not only reach
devices in the IP subnet of interface X3 via interfaces X1 and X2, but also C/C++ Runtime.
From the C/C++ Runtime of the CPU 1518 4 PN/DP MFP, you reach all devices in the IP subnets
of the interfaces X1, X2 and X3.
Conditions:
• IP forwarding is enabled for the CPU 1518 4 PN/DP MFP.
• The IP address of C/C++ Runtime and the IP address of interface X3 are located in the same
IP subnet.
• The routes to the IP subnets at X1 and X2 are entered in C/C++ Runtime.
In C/C++ Runtime, enter a route with the following command: "Route add-net <destination
IP subnet> mask <subnet mask> gw <gateway>
The following figure shows a configuration in which a PC accesses the C/C++ Runtime of CPU
1518-4 PN/DP MFP via interface X2.
Communication
Function Manual, 05/2021, A5E03735815-AJ 383
Routing
11.3 IP forwarding
• The CPU accesses all devices within the dark green IP subnets B and C close to the CPU via
the interfaces X1 and X2.
• A SCALANCE S router is configured in the CPU. The CPU accesses the devices in the
remote, light green IP subnet A via the router.
• The "Access to PLC via communication module" function is enabled for the CP 1543 in the
CPU. The CPU reaches all devices within the IP subnet D via W1 interface.
If IP forwarding is enabled in the CPU, then a device from IP subnet A can access any device
within IP subnets B,C and D close to the CPU.
Protect your automation system and connected devices against unauthorized access from
outside.
Separate the CPU-related IP subnets from the remote IP subnets with a firewall. For example,
use the SCALANCE S security modules with integrated firewall.
This application example (https://support.industry.siemens.com/cs/ww/en/view/22376747)
describes how to protect an automation cell with a firewall using the SCALANCE S602 V3 and
SCALANCE S623 security modules.
Communication
384 Function Manual, 05/2021, A5E03735815-AJ
Routing
11.4 Data record routing
Enabling/disablng IP forwarding
To enable IP forwarding, proceed as follows:
1. Select the CPU in the network view of STEP 7 (TIA Portal).
2. In the properties of the CPU of the Inspector window, navigate to "General" > "Advanced
Configuration" > "IP forwarding".
3. In the "Configuration IPv4 Forwarding" area, select the check box "Activate IPv4 for
interfaces of this PLC".
Communication
Function Manual, 05/2021, A5E03735815-AJ 385
Routing
11.4 Data record routing
Example: Data record routing with the Port Configuration Tool (PCT)
You can use the Port Configuration Tool (PCT) to configure the IO link master of the ET200
and assign parameters to connected IO link devices. The subnets are connected via data
record routers. Data record routers are, for example, CPUs, CPs, IMs, IO link master.
You can learn about the constellations of data record routers supported by the PCT in this
FAQ (http://support.automation.siemens.com/WW/view/en/87611392).
The figure below shows an example configuration with the data record routing with PCT.
Figure 11-13 Example configuration for data record routing with PCT
Additional information
• The differences that exist between "normal" routing and data record routing are described
in this FAQ (https://support.industry.siemens.com/cs/ww/en/view/7000978).
• Whether or not the CPU, CP or CM you are using supports data record routing can be
found in the relevant manuals.
• The allocation of connection resources with data record routing is described in the section
Allocation of connection resources (Page 395).
• You can find additional information on configuration with STEP 7 in the STEP 7 online
help.
Communication
386 Function Manual, 05/2021, A5E03735815-AJ
Routing
11.5 Virtual interface for IP-based applications
Communication
Function Manual, 05/2021, A5E03735815-AJ 387
Routing
11.5 Virtual interface for IP-based applications
Compared to conventional interfaces, the virtual interface has the following restrictions:
• No access to the web server over the virtual interface.
• Online backup is not possible via a connected programming device with the TIA Portal.
• If the CPU and communication partners are connected via the virtual interface, they
cannot exchange data via LLDP (Link Layer Discovery Protocol).
• The S7 routing service does not use the virtual interface W1.
Requirement
For a CPU service to be accessible via the Ethernet interface of a CP, the following
requirements must be fulfilled:
• S7-1500 CPU firmware V2.8 or higher
• CP 1543-1 firmware V2.2 or higher
R/H CPUs do not support this function because R/H CPUs do not support CPs.
After selecting the CP, the specifications and parameters for the virtual interface are
displayed. Here, you can edit the settings for the IP protocol and the PROFINET parameters.
• The IP subnet is freely selectable, just like with the CP. The IP subnet is entered via the
subnet mask and IP address of the virtual interface.
• When entering the IP subnet for the virtual interface, note that you are not using the same
IP subnet as for the local interfaces of the CPU.
Communication
388 Function Manual, 05/2021, A5E03735815-AJ
Routing
11.5 Virtual interface for IP-based applications
Once the IP address is entered, it is shown in the properties dialog of the OPC UA server in the
list of server addresses. These settings provide the CPU with the new virtual interface W1 via
which CPU services like the OPC UA server can be accessed via a communication module. The
corresponding connections and S7 communication (e.g. HMI and BSEND, BRCV) are made via
this interface. The OPC UA server does not allow selection of a specific interface (selection via
an IP address), either all or none are possible.
Note
The IP address of the virtual interface is not listed as W1 in the device display under the
currently displayed local interfaces (Xn) but is available under "Addresses" in the "Settings"
section. The virtual interface is also visible when no CP is plugged or when the virtual
interface is not activated. If no IP suite is available, the IP address and the subnet mask are
0.0.0.0.
If you change the configured and loaded IP address parameters of the virtual interface via
display, T_CONFIG instruction or online, the loaded configuration is active again after the CPU
restarts.
Communication
Function Manual, 05/2021, A5E03735815-AJ 389
Routing
11.5 Virtual interface for IP-based applications
NOTICE
Connecting to non-secure networks
If you connect the CP to a non-secure network, it is absolutely necessary to connect an
additional firewall between the CP and the non-secure network. For example, use the
security modules SCALANCE S602 V3 and SCALANCE S623 with integrated firewall.
Communication
390 Function Manual, 05/2021, A5E03735815-AJ
Connection resources 12
12.1 Connection resources of a station
Introduction
Some communications services require connections. Connections occupy resources in the
automation system (station). The connection resources are made available to the station by
the CPUs, communications processors (CPs) and communications modules (CMs).
Communication
Function Manual, 05/2021, A5E03735815-AJ 391
Connection resources
12.1 Connection resources of a station
The figure below shows an example of how individual components make connection
resources available to an S7-1500 station.
Communication
392 Function Manual, 05/2021, A5E03735815-AJ
Connection resources
12.1 Connection resources of a station
Table 12- 1 Maximum number of connection resources supported for some CPU types
Example
You have configured a CPU 1516-3 PN/DP with a CM 1542-1 communication module and a CP
1542-5 communication processor.
• Maximum connection resources of the station: 256
• Available connection resources:
– CPU 1516-3 PN/DP: 128
– CM 1542-1: 64
– CP 1542-5: 16
– Total: 208
The setup provides 208 connection resources. By adding further communication modules,
the station can support a maximum of 48 additional connection resources.
Communication
Function Manual, 05/2021, A5E03735815-AJ 393
Connection resources
12.1 Connection resources of a station
Communication
394 Function Manual, 05/2021, A5E03735815-AJ
Connection resources
12.2 Allocation of connection resources
Communication
Function Manual, 05/2021, A5E03735815-AJ 395
Connection resources
12.2 Allocation of connection resources
Table 12- 2 Maximum occupied connection resources for different HMI devices
Basic Panel 1
Comfort Panel 21
RT Advanced 21
RT Professional 3
1 If you do not use system diagnostics or alarm configuration, the station occupies only one connec-
tion resource per HMI connection.
Example: You have configured the following HMI connections for a CPU 1516-3 PN/DP:
• Two HMI connections to an HMI TP700 Comfort. (2 connection resources each)
• One HMI connection to an HMI KTP1000 Basic. (1 connection resource)
In total 5 connection resources are occupied for HMI communication in the CPU.
Note
Lack of resources due to temporary connection resources
A lack of connection resources occurs in the following situation:
• The OPC UA client of the CPU establishes or closes several connections simultaneously.
• The number of available connection resources of the station is insufficient for permanent
and temporary connection resources of the OPC UA client communication.
Ensure that there are always enough available connection resources in the station to
establish and end OPC UA connections.
Measures:
• Plan enough reserve for the OPC UA client connections.
• If necessary, establish or close the OPC UA connections one after the other.
Communication
396 Function Manual, 05/2021, A5E03735815-AJ
Connection resources
12.2 Allocation of connection resources
Data record routing also enables transfer of data beyond S7 subnets from an engineering
station connected to PROFINET to various field devices via PROFIBUS.
With data record routing, as with S7 routing, two of the special connection resources for S7
routing are also occupied on every data record router.
Note
Connection resources with data record routing
With data record routing, on the data record router, two special connection resources for S7
routing are occupied. Neither the data record connection nor the allocated connection
resources are displayed in the table of connection resources.
Communication
Function Manual, 05/2021, A5E03735815-AJ 397
Connection resources
12.2 Allocation of connection resources
Offline
During configuration of connections, STEP 7 monitors the occupation of the connection
resources. If the maximum possible number of connection resources is exceeded, STEP 7
signals this with a suitable warning.
Online
The CPU monitors the use of connection resources in the automation system. If you establish
more connections in the user program than those provided by the automation system, the
CPU acknowledges the instruction to establish the connection with an error.
Communication
398 Function Manual, 05/2021, A5E03735815-AJ
Connection resources
12.3 Display of the connection resources
Figure 12-4 Example: Reserved and available connection resources (offline view)
Communication
Function Manual, 05/2021, A5E03735815-AJ 399
Connection resources
12.3 Display of the connection resources
The warning triangle in the column of the dynamic station resources is displayed because the
sum of the maximum available connection resources of CPU, CP and CM (= 310 connection
resources) exceeds the station limit of 256.
Note
Available connection resources exceeded
STEP 7 signals the exceeding of the station-specific connection resources with a warning. To
make full use of the connection resources from the CPU, CP and CM, either use a CPU with a
higher maximum number of available station-specific connection resources or reduce the
number of communications connections.
Communication
400 Function Manual, 05/2021, A5E03735815-AJ
Connection resources
12.3 Display of the connection resources
The online view of the "Connection resources" table in addition to the offline view also
contains columns with the connection resources currently being used. Thus, the online view
displays all used connection resources in the automation system, regardless of how the
connection was set up.
The "Other communication" row displays connection resources assigned for communication
with external devices. The table is updated automatically.
Note
If a routed S7 connection goes through a CPU, the required connection resources of the CPU
do not appear in the table of connection resources.
Communication
Function Manual, 05/2021, A5E03735815-AJ 401
Connection resources
12.3 Display of the connection resources
Communication
402 Function Manual, 05/2021, A5E03735815-AJ
Diagnostics and fault correction 13
13.1 Connection diagnostics
After selecting the connection in the connections table, you obtain detailed diagnostic
information in the "Connection information" tab.
Communication
Function Manual, 05/2021, A5E03735815-AJ 403
Diagnostics and fault correction
13.1 Connection diagnostics
Communication
404 Function Manual, 05/2021, A5E03735815-AJ
Diagnostics and fault correction
13.1 Connection diagnostics
Communication
Function Manual, 05/2021, A5E03735815-AJ 405
Diagnostics and fault correction
13.2 Emergency address
Additional information
You will find the description of the web server functionality in the function manual Web
server (http://support.automation.siemens.com/WW/view/en/59193560).
Requirements
• You have selected "Set IP address in the project" for the IP protocol in the device
configuration in STEP 7.
• The CPU is in STOP mode.
Result
The CPU starts up with the valid IP address.
Communication
406 Function Manual, 05/2021, A5E03735815-AJ
Communication with the redundant system
S7-1500R/H 14
Introduction
Communication with the S7-1500R/H redundant system basically functions as with the
S7-1500 standard system.
This chapter describes the special features and restrictions for communication with the
S7-1500R/H redundant system.
Communication
Function Manual, 05/2021, A5E03735815-AJ 407
Communication with the redundant system S7-1500R/H
14.1 System IP addresses
Applications
You use the system IP addresses for the following applications:
• HMI communication with the S7-1500R/H redundant system: You can use an HMI device
to control or monitor the process on the redundant S7 1500R/H system.
• Open User Communication with the S7-1500R/H redundant system:
– Another CPU or an application on a PC accesses data of the S7-1500R/H redundant
system.
– The S7-1500R/H redundant system accesses a different device.
TCP, UDP and ISO-on-TCP-connections are possible.
• IP forwarding: If you use the system IP addresses as the gateway/default route for IP routes
through the S7-1500R/H redundant system, IP packets are forwarded even if one CPU fails.
Requirements
• The interface of the communication partner is connected to both CPUs, each via the same
interface (e.g. X2).
• The system IP address for the interfaces of the S7-1500R/H system is enabled.
Communication
408 Function Manual, 05/2021, A5E03735815-AJ
Communication with the redundant system S7-1500R/H
14.1 System IP addresses
① Open User Communication between a different CPU and the S7-1500R/H redundant system
② HMI communication with the S7-1500R/H redundant system
③ Open User Communication between the S7-1500R/H redundant system and a PC
Figure 14-1 Example: Communication of the S7-1515R redundant system via the system IP address
X2
Communication
Function Manual, 05/2021, A5E03735815-AJ 409
Communication with the redundant system S7-1500R/H
14.1 System IP addresses
① Open User Communication between the S7-1500R/H redundant system and a different CPU
② HMI communication with the S7-1500R/H redundant system
③ Open User Communication between the S7-1500R/H redundant system and a PC
Figure 14-2 Example: Communication of the S7-1513R redundant system via the system IP address
X1
Communication
410 Function Manual, 05/2021, A5E03735815-AJ
Communication with the redundant system S7-1500R/H
14.1 System IP addresses
① Open User Communication between the S7-1500R/H redundant system and a different CPU.
② HMI communication with the S7-1500R/H redundant system
③ Open User Communication between the S7-1500R/H redundant system and a PC
Figure 14-3 Example: Communication of the S7-1515R redundant system via the system IP addresses
X1 and X2
Communication
Function Manual, 05/2021, A5E03735815-AJ 411
Communication with the redundant system S7-1500R/H
14.1 System IP addresses
Communication
412 Function Manual, 05/2021, A5E03735815-AJ
Communication with the redundant system S7-1500R/H
14.1 System IP addresses
Note
Uniqueness of the virtual MAC address
The redundant system S7-1500R/H uses a MAC address from the address range
00-00-5E-00-01-00 to 00-00-5E-00-01-00 for each system IP address. This address range is
also used for VRRP (Virtual Redundancy Protocol).
If you use devices with VRRP, e.g. switches, ensure the uniqueness of the MAC addresses
within an Ethernet broadcast domain.
Result: The system IP address X1 for the PROFINET interface X1 of the two CPUs is enabled.
Communication
Function Manual, 05/2021, A5E03735815-AJ 413
Communication with the redundant system S7-1500R/H
14.2 Response to Snycup
Response of communication connections via the system IP address in the system state SYNCUP
• HMI, PG- and S7-connections are temporarily closed. For a short time during the SYNCUP it
is not possible to establish connections to the S7-1500R/H redundant system.
• All existing connections of Open User Communication are interrupted:
– Connections set up by the CPUs of the redundant system as an active connection
partner are set up again after the SYNCUP.
– The S7-1500R/H redundant system sets up connection endpoints again for the passive
connection establishment after the SYNCUP.
• The processing of running instances of the instructions TSEND and TRCV is stopped. The
block parameter STATUS returns 80C4H (temporary communication error).
Note
Increased duration of connection interruption
If the remote system does not transmit actively after the primary-backup switchover, the
connection monitoring (e.g. TCP-Keep-Alive or application) may have to be performed by the
remote system until the connection can be re-established.
Communication
414 Function Manual, 05/2021, A5E03735815-AJ
Communication with the redundant system S7-1500R/H
14.4 Connection resources of the redundant system S7-1500R/H
Connect via... Connection resources of Connection resources CPU Connection resources CPU
the station with redundancy ID 1 with redundancy ID 2
a system IP address X X X
a device IP address of the X X -
CPU with redundancy ID 1
a device IP address of the X - X
CPU with redundancy ID 2
Communication
Function Manual, 05/2021, A5E03735815-AJ 415
Communication with the redundant system S7-1500R/H
14.5 HMI communication with the redundant system S7-1500R/H
Figure 14-6 Display of the connection resources of the S7-1500R/H redundant system in STEP 7
Requirements
• A redundant S7-1500R/H system, e.g. CPU 1513R-1PN
• System IP address is enabled
• HMI device with PROFINETI interface
Communication
416 Function Manual, 05/2021, A5E03735815-AJ
Communication with the redundant system S7-1500R/H
14.5 HMI communication with the redundant system S7-1500R/H
Procedure
To set up a HMI connection to an S7-1500R/H redundant system, follow these steps:
1. In the network view of STEP 7, select a PROFINET interface of the HMI device.
2. Using a drag&drop operation, draw a line between the PROFINET interface of the HMI device
and a PROFINET interface of the S7-1500R/H redundant system.
The HMI device and the S7-1500R/H redundant system are networked together.
Figure 14-7 Networking an HMI device with the S7-1500R/H redundant system
3. In the list of functions, click the "Connections" icon. This activates connection mode.
4. Using a drag-and-drop operation, draw a line between the HMI device and a CPU of the
S7-1500R/H redundant system.
The list "Connection partners" opens.
Communication
Function Manual, 05/2021, A5E03735815-AJ 417
Communication with the redundant system S7-1500R/H
14.5 HMI communication with the redundant system S7-1500R/H
Note
Automatic setup of HMI connection
When you drag-and-drop a tag from the S7-1500R/H redundant system into an HMI screen or
into the HMI tag table, STEP 7 automatically sets up an HMI connection. This HMI connection
exists by default between the PROFINET interface of the HMI device and the PROFINET
interface X1 of the CPU with redundancy ID 1. The connection uses the device IP address of
the PROFINET interface X1.
You can change the HMI connection to a system IP address in the properties of the HMI
connection.
Communication
418 Function Manual, 05/2021, A5E03735815-AJ
Communication with the redundant system S7-1500R/H
14.6 Open User Communication with the redundant system S7-1500R/H
Table 14- 1 Protocols, system data types and usable instructions for Open User Communication with
the redundant system S7-1500R/H
14.6.1 Setting up the connection of the Open User Communication with the
redundant S7-1500R/H system
Introduction
The S7-1500R/H redundant system can communicate with other devices via Open User
Communication.
You set up the connections in the user program, e.g. via the "TSEND_C" instruction. The
S7-1500R/H redundant system does not support configured connections.
You can either set up the connections either via the device IP addresses or via the system IP
addresses of the PROFINET interfaces.
Communication
Function Manual, 05/2021, A5E03735815-AJ 419
Communication with the redundant system S7-1500R/H
14.6 Open User Communication with the redundant system S7-1500R/H
Open User Communication via a system IP address of the redundant system S7 1500R/H
If you set up the connection via a system IP address, then communication always takes place
via the primary CPU.
Recommendation: Always use a system IP address for Open User Communication.
Open User Communication via a device IP address of the redundant system S7 1500R/H
In redundant mode, the redundant system can establish or terminate connections and send
or receive data via every device IP address.
If you set up the connection via a device IP address, then communication takes place via the
associated CPU. In the event of the failure of the CPU, then the entire communication via the
device IP addresses of this CPU fails.
Requirements
• A redundant system S7 1500R/H, e.g. 2 CPUs 1513 1PN
• System IP address of the PROFINET interface X1 is enabled.
• CPU 1516-3PN/DP
• The PROFINET interfaces X1 of the CPUs 1513R and the PROFINET interface X2 of the CPU
1516-3PN/DP are located in the same subnet.
Communication
420 Function Manual, 05/2021, A5E03735815-AJ
Communication with the redundant system S7-1500R/H
14.6 Open User Communication with the redundant system S7-1500R/H
Communication
Function Manual, 05/2021, A5E03735815-AJ 421
Communication with the redundant system S7-1500R/H
14.6 Open User Communication with the redundant system S7-1500R/H
4. In "Partners" under "End point:" select the CPU 1516-3PN/DP as the communication partner.
5. In "Partners" under "Interface:" select the PROFINET interface X2 of the CPU 1516-3PN/DP.
6. In "Local" under "Connection data" select the setting "<new>".
STEP 7 creates a data block for the connection data in the user program of the S7-1500R/H
redundant system, for example "PLC_1_Send_DB".
"TCP" is set by default as the connection type.
7. In "Partners" under "Connection type" select the setting "NEW".
STEP 7 creates a data block for the connection data in the user program of the other CPU, for
example "PLC_3_Receive_DB".
Communication
422 Function Manual, 05/2021, A5E03735815-AJ
Communication with the redundant system S7-1500R/H
14.6 Open User Communication with the redundant system S7-1500R/H
Communication
Function Manual, 05/2021, A5E03735815-AJ 423
Communication with the redundant system S7-1500R/H
14.6 Open User Communication with the redundant system S7-1500R/H
Reference
You can find additional information on system states in the S7-1500R/H
(https://support.industry.siemens.com/cs/ww/en/view/109754833) system manual.
See also
PROFINET FUNCTION MANUAL
(https://support.industry.siemens.com/cs/ww/en/view/49948856)
Communication
424 Function Manual, 05/2021, A5E03735815-AJ
Industrial Ethernet Security with CP 1543-1 15
All-round protection - the task of Industrial Ethernet Security
With Industrial Ethernet Security, individual devices, automation cells or network segments of
an Ethernet network can be protected. Data transfer can also be protected by a combination
of different security measures:
• Data espionage
• Data manipulation
• Unauthorized access
Security measures
• Firewall
– IP firewall with stateful packet inspection (layer 3 and 4)
– Firewall also for Ethernet "non-IP" frames according to IEEE 802.3 (layer 2)
– Bandwidth limitation
– Global firewall rules
All network nodes located in the internal network segment of a CP 1543-1 are protected
by its firewall. Exception: If you access the CPU via the interface of the CP with the "Access
to PLC via communication module" function, the firewall does not protect this connection.
• Logging
To allow monitoring, events can be stored in log files that can be read out using the
configuration tool or can be sent automatically to a Syslog server.
• HTTPS
For encrypted transfer of websites, for example during process control.
• FTPS (explicit mode)
For encrypted transfer of files.
• Secure NTP
For secure time-of-day synchronization and transmission.
• SNMPv3
For secure transmission of network analysis information safe from eavesdropping.
Communication
Function Manual, 05/2021, A5E03735815-AJ 425
Industrial Ethernet Security with CP 1543-1
15.1 Firewall
• VPN groups
You can combine the CP 1543-1 with other security modules into VPN groups through
configuration. IPsec tunnels are established between all the security modules of a VPN
group (VPN). All internal nodes of these security modules can communicate securely with
each other through this tunnel.
• Protection for devices and network segments
The firewall and VPN groups protective functions can be applied to the operation of single
devices, multiple devices, or entire network segments.
Additional information
An overview with links to the most important contributions on Industrial Security is available
in this FAQ (https://support.industry.siemens.com/cs/ww/en/view/92651441).
15.1 Firewall
Firewall rules
Firewall rules describe which packets are permitted or forbidden in which direction.
Communication
426 Function Manual, 05/2021, A5E03735815-AJ
Industrial Ethernet Security with CP 1543-1
15.2 Logging
15.2 Logging
Functionality
For test and monitoring purposes, the security module has diagnostics and logging functions.
• Diagnostics functions
These include various system and status functions that you can use in online mode.
• Logging functions
This involves the recording of system and security events. Depending on the event type,
the recording is made in volatile or non-volatile local buffer areas of the CP 1543-1. As an
alternative, it is also possible to record on a network server.
The parameter assignment and evaluation of these functions is only possible with a
network connection.
Functionality
To check the time validity of a certificate and the time stamp of log entries, the date and time
are maintained on the CP 1543-1 as on the CPU. This time can be synchronized with NTP. The
CP 1543-1 forwards the synchronized time to the CPU via the backplane bus of the
automation system. This way the CPU also receives a synchronized time for the time events in
program execution.
The automatic setting and periodic synchronization of the time takes place either via a secure
or non-secure NTP server. You can assign a maximum of 4 NTP servers to the CP 1543-1. A
mixed configuration of non-secure and secure NTP servers is not possible.
Communication
Function Manual, 05/2021, A5E03735815-AJ 427
Industrial Ethernet Security with CP 1543-1
15.4 SNMP
15.4 SNMP
Functionality
Like the CPU, the CP 1543-1 supports the transfer of management information using the
Simple Network Management Protocol (SNMP). To achieve this, an "SNMP agent" is installed
on the CP/CPU that receives and responds to the SNMP queries. Information about the
properties of devices capable of SNMP is contained in so-called MIB files (Management
Information Base) for which the user needs to have the appropriate rights.
With SNMPv1, the "community string" is also sent. The "community string" is like a password
that is sent along with the SNMP query. The requested information is sent when the
"community string" is correct. The request is discarded when the string is incorrect.
With SNMPv3, data can be transferred encrypted. To do this, select either an authentication
method or an authentication and encryption method.
Possible selection:
• Authentication algorithm: none, MD5, SHA-1
• Encryption algorithm: none, AES-128, DES
You can deactivate the use of SNMP for the CP/CPU. Deactivate SNMP if the security
guidelines in your network do not permit SNMP or if you use your own SNMP solution.
To find out how to deactivate SNMP for the CPU, refer to section Disabling SNMP (Page 104).
15.5 VPN
Functionality
For security modules that protect the internal network, VPN (Virtual Private Network) tunnels
provide a secure data connection through the non-secure external network.
The module uses the IPsec protocol (tunnel mode of IPsec) for tunneling.
In STEP 7 you can assign VPN groups to security modules. VPN tunnels are automatically
established between all modules of a VPN group. A module in one project can belong to
several different VPN groups at the same time in the process.
Communication
428 Function Manual, 05/2021, A5E03735815-AJ
Glossary
Automation system
Programmable logic controller for the open-loop and closed-loop control of process chains of
the process engineering industry and manufacturing technology. The automation system
consists of different components and integrated system functions according to the
automation task.
Backup CPU
If the R/H system is in RUN-Redundant system state, the primary CPU controls the process.
The backup CPU processes the user program synchronously and can take over process control
if the primary CPU fails.
Bus
Transmission medium that connects several devices together. Data transmission can be
performed electrically or via optical fibers, either in series or in parallel.
Client
Device in a network that requests a service from another device in the network (server).
CM
→ Communications module
Communications module
Module for communications tasks used in an automation system as an interface expansion of
the CPU (for example PROFIBUS) and providing additional communications options (PtP).
Communications processor
Module for expanded communications tasks covering special applications, for example in the
area of security.
Consistent data
Data that belongs together in terms of content and must not be separated when transferred.
CP
→ Communications processor
Communication
Function Manual, 05/2021, A5E03735815-AJ 429
Glossary
CPU
Central Processing Unit - Central module of the S7 automation system with a control and
arithmetic unit, memory, operating system and interface for programming device.
Device
Generic term for:
• Automation systems (PLC, PC, for example)
• Distributed I/O systems
• Field devices (for example, PLC, PC, hydraulic devices, pneumatic devices) and
• Active network components (for example, switches, routers)
• Gateways to PROFIBUS, AS interface or other fieldbus systems
Device certificates
Such certificates are signed by a certificate authority (CA).
The signature of an end-entity certificate is checked with the public key of the certificate
authority certificate.
The "Subject" attribute must not be identical to the "Issuer" attribute.
The "Subject", for example, contains the name of a program as with the OPC UA application
certificate.
"Issuer" is the certificate authority that signed the certificate.
The "CA" field must be set to "False".
DP master
Within PROFIBUS DP, a master in the distributed I/O that behaves according to the EN 50170
standard, Part 3.
→ See also DP slave
DP slave
Slave in the distributed I/O that is operated on PROFIBUS with the PROFIBUS DP protocol and
behaves according to the EN 50170 standard, Part 3.
→ See also DP master
Communication
430 Function Manual, 05/2021, A5E03735815-AJ
Glossary
Duplex
Data transmission system; a distinction is made between full and half duplex.
Half duplex: One channel is available for alternate data exchange (sending or receiving
alternately but not at the same time).
Full duplex: Two channels are available for simultaneous data exchange in both directions
(simultaneous sending and receiving in both directions).
End-entity certificate
→ See also device certificate
Ethernet
International standard technology for local area networks (LAN) based on frames. It defines
types of cables and signaling for the physical layer and packet formats and protocols for
media access control.
FETCH/WRITE
Server services using TCP/IP, ISO-on-TCP and ISO for access to system memory areas of S7
CPUs. Access (client function) is possible from a SIMATIC S5 or a third-party device/PC. FETCH:
Read data directly; WRITE: Write data directly.
Field device
→ Device
Freeport
Freely programmable ASCII protocol; here for data transfer via a point-to-point connection.
FTP
File Transfer Protocol; a network protocol for transferring files via IP networks. FTP is used to
download files from the server to the client or to upload files from the client to the server.
FTP directories can also be created and read out and directories and files can be renamed or
deleted.
HMI
Human Machine Interface, device for visualization and control of automation processes.
Communication
Function Manual, 05/2021, A5E03735815-AJ 431
Glossary
IE
→ Industrial Ethernet
IM
→ Interface module
Industrial Ethernet
Guideline for setting up an Ethernet network in an industrial environment. The essential
difference compared with standard Ethernet is the mechanical ruggedness and immunity to
noise of the individual components.
Instruction
The smallest self-contained unit of a user program characterized by its structure, function or
purpose as a separate part of the user program. An instruction represents an operation
procedure for the processor.
Interface module
Module in the distributed I/O system. The interface module connects the distributed I/O
system via a fieldbus to the CPU (IO controller/DP master) and prepares the data for the I/O
modules.
Intermediate CA certificate
This is a certificate authority certificate that is signed with the private key of a root certificate
authority.
An intermediate certificate authority signs end-entity certificates with its private key.
The signature of these end-entity certificates is verified with the public key of the
intermediate certificate authority.
The "Subject" and "Issuer" attributes of the intermediate CA certificate must not be identical.
This certificate authority has after all not signed its certificate itself.
The "CA" field must be set to "True".
Communication
432 Function Manual, 05/2021, A5E03735815-AJ
Glossary
IP address
Binary number that is used as a unique address in computer networks in conjunction with the
Internet Protocol (IP). It makes these devices uniquely addressable and individually accessible.
An IPv4 address can be evaluated using a binary subnet mask that results in a network part or
a host part as a structure. The textual representation of an IPv4 address consists, for example,
of 4 decimal numbers with the value range 0 to 255. The decimal numbers are separated by
periods.
ISO protocol
Communications protocol for message or packet-oriented transfer of data in an Ethernet
network. This protocol is hardware-oriented, very fast and allows dynamic data lengths. The
ISO protocol is suitable for medium to large volumes of data.
ISO-on-TCP protocol
Communications protocol capable of S7 routing for packet-oriented transfer of data in an
Ethernet network; provides network addressing. The ISO-on-TCP protocol is suitable for
medium and large volumes of data and allows dynamic data lengths.
MAC address
Worldwide unique device identification for all Ethernet devices. The MAC address is assigned
by the manufacturer and has a 3-byte vendor ID and 3-byte device ID as a consecutive
number.
Master
Higher-level, active participant in the communication/on a PROFIBUS subnet. The master has
rights to access the bus (token) and can request and send data.
→ See also DP master
Communication
Function Manual, 05/2021, A5E03735815-AJ 433
Glossary
Modbus RTU
Remote Terminal Unit; Open communications protocol for serial interfaces based on a
master/slave architecture.
Modbus TCP
Transmission Control Protocol; Open communications protocol for Ethernet based on a
master/slave architecture. The data are transmitted as TCP/IP packets.
Network
A network consists of one or more interconnected subnets with any number of devices.
Several networks can exist alongside each other.
NTP
The Network Time Protocol (NTP) is a standard for synchronizing clocks in automation
systems via Industrial Ethernet. NTP uses the connectionless UDP transport protocol for the
Internet.
OPC UA
OPC Unified Automation is a protocol for communication between machines, developed by
the OPC Foundation.
Operating states
Operating states describe the behavior of a single CPU at a specific time.
The CPUs of the SIMATIC standard systems have the STOP, STARTUP and RUN operating
states.
The primary CPU of the redundant system S7-1500R/H has the operating states STOP,
STARTUP, RUN, RUN-Syncup and RUN-Redundant. The backup CPU has the operating states
STOP, SYNCUP and RUN-Redundant.
Operating system
Software that allows the use and operation of a computer. The operating system manages
resources such as memory, input and output devices and controls the execution of programs.
PG
→ Programming device
PNO
→ PROFIBUS user organization
Communication
434 Function Manual, 05/2021, A5E03735815-AJ
Glossary
Point-to-point connection
Bidirectional data exchange via communications modules with a serial interface between two
communications partners (and two only).
Port
Physical connector to connect devices to PROFINET. PROFINET interfaces have one or more
ports.
Primary CPU
If the R/H system is in RUN-Redundant system state, the primary CPU controls the process.
The backup CPU processes the user program synchronously and can take over process control
if the primary CPU fails.
PROFIBUS
Process Field Bus - European Fieldbus standard.
PROFIBUS address
Unique identifier of a device connected to PROFIBUS. The PROFIBUS address is sent in the
frame to address a device.
PROFIBUS device
Device with at least one PROFIBUS interface either electrical (for example RS-485) or optical
(for example Polymer Optical Fiber).
PROFIBUS DP
A PROFIBUS with DP protocol that complies with EN 50170. DP stands for distributed I/O =
fast, real-time capable, cyclic data exchange. From the perspective of the user program, the
distributed I/O is addressed in exactly the same way as the centralized IO.
Communication
Function Manual, 05/2021, A5E03735815-AJ 435
Glossary
PROFINET
Open component-based industrial communications system based on Ethernet for distributed
automation systems. Communications technology promoted by the PROFIBUS user
organization.
PROFINET device
Device that always has a PROFINET interface (electrical, optical, wireless).
PROFINET interface
Interface of a module capable of communication (for example CPU, CP) with one or more
ports. A MAC address is assigned to the interface in the factory. Along with the IP address and
the device name (from the individual configuration), this interface address ensures that the
PROFINET device is identified uniquely in the network. The interface can be electrical, optical
or wireless.
PROFINET IO
IO stands for input/output; distributed I/O (fast, cyclic data exchange with real-time
capability). From the perspective of the user program, the distributed I/O is addressed in
exactly the same way as the centralized IO.
PROFINET IO as the Ethernet-based automation standard of PROFIBUS & PROFINET
International defines a cross-vendor communication, automation, and engineering model.
With PROFINET IO, a switching technology is used that allows all devices to access the
network at any time. In this way, the network can be used much more efficiently through the
simultaneous data transfer of several devices. Simultaneous sending and receiving is enabled
via the full-duplex operation of Switched Ethernet.
PROFINET IO is based on switched Ethernet with full-duplex operation and a bandwidth of
100 Mbps.
Programming device
Programming devices are essentially compact and portable PCs which are suitable for
industrial applications. They are identified by a special hardware and software configuration
for programmable logic controllers.
Protocol
Agreement on the rules by which the communication between two or more communication
partners transpires.
PtP
Point-to-Point, interface and/or transmission protocol for bidirectional data exchange
between two (and only two) communications partners.
Communication
436 Function Manual, 05/2021, A5E03735815-AJ
Glossary
Redundant systems
Redundant systems have multiple (redundant) instances of key automation components.
Process control is maintained if a redundant component fails.
Ring topology
All devices of a network are connected together in a ring.
Root CA certificates
→ See also root certificate
Root certificate
This is the certificate of a certificate authority: It signs end-entity certificates and intermediate
CA certificates with its private key.
The "Subject" attribute and the "Issuer" of this certificate must be identical. This certificate
authority has signed its certificate itself.
The "CA" field must be set to "True".
TIA Portal V14 has such a root CA certificate:
If you configure the OPC UA server of an S7-1500 in the TIA Portal, the TIA Portal generates
an end-entity certificate for the OPC UA server and signs that certificate with its own private
key.
The signature of this end-entity certificate can be verified with the public key of the TIA
Portal. This key can be found in the root CA certificate of the TIA Portal.
Router
Network node with a unique identifier (name and address) that connects subnets together
and allows transportation of data to uniquely identified communications nodes in the
network.
RTU
Modbus RTU (RTU: Remote Terminal Unit, transfers the data in binary form; allows a good
data throughput. The data must be converted to a readable format before it can be
evaluated.
S7 routing
Communication between S7 automation systems, S7 applications or PC stations in different
S7 subnets via one or more network nodes functioning as S7 routers.
Communication
Function Manual, 05/2021, A5E03735815-AJ 437
Glossary
SDA service
Send Data with Acknowledge. SDA is an elementary service with which an initiator (for
example DP master) can send a message to other devices and then receives acknowledgment
of receipt immediately afterwards.
SDN service
Send Data with No Acknowledge. This service is used primarily to send data to multiple
stations and the service therefore remains unacknowledged. Suitable for synchronization
tasks and status messages.
Security
Generic term for all the measures taken to protect against
• Loss of confidentiality due to unauthorized access to data
• Loss of integrity due to manipulation of data
• Loss of availability due to the destruction of data
Self-signed certificates
These are certificates that you sign with your private key and use as end-entity certificates.
The signature of these end-entity certificates is verified with your public key.
The "Subject" and "Issuer" attributes of self-signed certificates must be identical: You have
signed your certificate yourself.
The "CA" field must be set to "False".
You can, for example, use self-signed certificates as application certificates for an OPC UA
client.
The procedure required to generate a self-signed certificate with the certificate generator of
the OPC Foundation is described here (Page ).
Server
A device or more generally an object that can provide certain services; the service is
performed at the request of a client.
Slave
Distributed device in a fieldbus system that can only exchange data with a master after the
master has requested this.
→ See also DP slave
Communication
438 Function Manual, 05/2021, A5E03735815-AJ
Glossary
SNMP
Simple Network Management Protocol, uses the wireless UDP transport protocol. SNMP
works in much the same way as the client/server model. The SNMP manager monitors the
network nodes. The SNMP agents collect the various network-specific information in the
individual network nodes and makes this information available in a structured form in the
MIB (Management Information Base). This information allows a network management
system to run detailed network diagnostics.
Subnet
Part of a network whose parameters must be matched up on the devices (for example in
PROFINET). A subnet includes the bus components and all connected stations. Subnets can be
linked together, for example using gateways or routers to form one network.
Switch
Network components used to connect several terminal devices or network segments in a
local network (LAN).
Switched communication
In addition to the device IP addresses of the CPUs, the redundant system S7-1500R/H
supports system IP addresses:
• System IP address for the X1 PROFINET interfaces of the two CPUs (system IP address X1)
• System IP address for the X2 PROFINET interfaces of the two CPUs (system IP address X2)
You use the system IP addresses for communication with other devices (for example, HMI
devices, CPUs, PG/PC). The devices always communicate over the system IP address with the
primary CPU of the redundant system. This ensures that the communication partner can
communicate with the new primary CPU (previously backup CPU) in the RUN-Solo system
state after failure of the original primary CPU in redundant operation.
System states
The system states of the redundant system S7-1500R/H result from the operating states of
the primary and backup CPUs. The term system state is used as a simplified expression that
refers to the operating states that occur simultaneously on both CPUs. The redundant system
S7-1500R/H has the system states STOP, STARTUP, RUN-Solo, SYNCUP and RUN-Redundant.
TCP/IP
Transmission Control Protocol / Internet Protocol, connection-oriented network protocol,
generally recognized standard for data exchange in heterogeneous networks.
Time-of-day synchronization
Capability of transferring a standard system time from a single source to all devices in the
system so that their clocks can be set according to the standard time.
Communication
Function Manual, 05/2021, A5E03735815-AJ 439
Glossary
Tree topology
Network topology characterized by a branched structure: Two or more bus nodes are
connected to each bus node.
Twisted-pair
Fast Ethernet via twisted-pair cables is based on the IEEE 802.3u standard (100 Base-TX). The
transmission medium is a shielded 2x2 twisted-pair cable with an impedance of 100 Ohms
(22 AWG). The transmission characteristics of this cable must meet the requirements of
category 5.
The maximum length of the connection between the terminal and the network component
must not exceed 100 m. The connectors are designed according to the 100Base-TX standard
with the RJ-45 connector system.
UDP
User Datagram Protocol; communications protocol for fast and uncomplicated data transfer,
without acknowledgment. There are no error checking mechanisms as found in TCP/IP.
User program
In SIMATIC, a distinction is made between the CPU operating system and user programs. The
user program contains all instructions, declarations and data by which a system or process
can be controlled. The user program is assigned to a programmable module (for example,
CPU, FM) and can be structured in smaller units.
USS
Universal Serial Interface protocol (Universelles Serielles Schnittstellen-Protokoll); defines an
access method according to the master-slave principle for communication via a serial bus.
Web server
Software/communications service for data exchange via the Internet. The web server
transfers the documents using standardized transmission protocols (HTTP, HTTPS) to a Web
browser. Documents can be static or put together dynamically from different sources by the
web server on request from the Web browser.
Communication
440 Function Manual, 05/2021, A5E03735815-AJ
Index
Overview, 32, 391
S7 routing, 397
A Station specific, 399
Consistency of data, 37
Advanced Encryption Algorithm, 43
CP, 20
AES, 43
Applicant, 46
Asymmetric encryption, 44
D
Data consistency, 37
B Data record routing, 385
Digital certificates, 46
BRCV, 139
BSEND, 139
E
C E-mail, 25, 114, 133
End-entity certificate, 49
Certificate authorities, 46
Establishment and termination of communications, 137
Certificate subject, 46
Export file for OPC UA, 217
CM, 20
Communication
Data record routing, 385
F
HMI communication, 110
Open communication, 112 FDL, 114
Open User Communication, 112 Fetch, 25
PG communication, 107 Firewall, 426
Point-to-point connection, 147 Freeport protocol, 147
S7 communication, 138 FTP, 25, 114, 133, 134
S7 routing, 373
Communication options
Overview, 25 G
Communication via PUT/GET instruction
GDS, 185, 189
Creating and configuring a connection, 140
GET, 139
Communications
Global Discovery Server (GDS), 185, 189
Communication protocols, 113
Establishment and termination, 137
Communications module, 20
H
Communications processor, 20
Communications services Handshake Protocol, 45
Connection resources, 32 HMI communication, 25, 110
Connection
Diagnostics, 403
Instructions for Open User Communication, 115 I
Connection diagnostics, 403
IM, 24
Connection resources
Industrial Ethernet Security, 425
Data record routing, 397
Interface module, 24
HMI communication, 396
Interfaces for communication, 21
Module-specific, 400
occupying, 398
Communication
Function Manual, 05/2021, A5E03735815-AJ 441
Index
Communication
442 Function Manual, 05/2021, A5E03735815-AJ
Index
Security, 425
Security measures, 425
Firewall, 426
Logging, 427
NTP, 427
SNMP, 428
Self-signed certificates, 46
Server certificate, 233
Setting up a connection, 33
By configuring, 126
ISO connection with CP 1543-1, 127
Signature, 47
SNMP, 25, 428
SSL, 45
Symmetric encryption, 43
Syslog, 427
System data type, 116
T
TCON, 115
TCP, 25, 113, 122
TDISCON, 115
Time-of-day synchronization, 25
TLS, 45
Transport Layer Security, 45
TRCV, 115
TRCV_C, 115
TSEND, 115
TSEND_C, 115
U
UDP, 25, 113, 122
URCV, 139
USEND, 139
USS protocol, 147
W
Web server, 25
Write, 25
X
X.509, 41
Communication
Function Manual, 05/2021, A5E03735815-AJ 443