SICAM GridPass V1.50

Manual

Open Source Software
Table of Contents
1 Overview
2 Enrollment over Secure Transport (EST)
3 SICAM GridPass
4 Workflow Step-by-Step
5 User Management
6 Certificate Management
7 Managing EST
8 Other Features
A Glossary

E50417-H8940-C598-A6

NOTE i For your own safety, observe the warnings and safety instructions contained in this document, if available.

Disclaimer of Liability

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.

Document version: E50417-H8940-C598-A6.01
Edition: 05.2020
Version of the product described: V1.50

Copyright

Copyright © Siemens 2018 – 2020. All rights reserved. The disclosure, duplication, distribution and editing of this document, or utilization and communication of the content are not permitted, unless authorized in writing. All rights, including rights created by patent grant or registration of a utility model or a design, are reserved.

Trademarks

SIPROTEC, DIGSI, SIGRA, SIGUARD, SIMEAS SAFIR, SICAM, and MindSphere are trademarks of Siemens. Any unauthorized use is prohibited.

Open Source Software

The product contains, among other things, Open Source Software developed by third parties. The Open Source Software used in the product and the license agreements concerning this software can be found in the Readme_OSS. These Open Source Software files are protected by copyright. Your compliance with those license conditions will entitle you to use the Open Source Software as foreseen in the relevant license. In the event of conflicts between Siemens license conditions and the Open Source Software license conditions, the Open Source Software conditions shall prevail with respect to the Open Source Software portions of the software. The Open Source Software is licensed royalty-free. Insofar as the applicable Open Source Software License Conditions provide for it, you can order the source code of the Open Source Software from your Siemens sales contact, against payment of the shipping and handling charges, for a period of at least 3 years after purchase of the product. We are liable for the product including the Open Source Software contained in it pursuant to the license conditions applicable to the product. Any liability for the Open Source Software beyond the program flow intended for the product is explicitly excluded. Furthermore, any liability for defects resulting from modifications to the Open Source Software by you or third parties is excluded. We do not provide any technical support for the product if it has been modified.

SICAM, GridPass, Manual, E50417-H8940-C598-A6, Edition 05.2020

Table of Contents

Open Source Software 3

1 Overview 6
1.1 General 7
1.2 Public Key Infrastructure (PKI) 7
1.3 Certification Authority (CA) 7
1.4 PKI Workflow 8

2 Enrollment over Secure Transport (EST) 10
2.1 Function 11
2.2 Authentication 11
2.3 CRL 12

3 SICAM GridPass 13
3.1 Overview 14
3.2 Workflow 14
3.3 Integration 15
3.4 Operating Overview 16

4 Workflow Step-by-Step 18
4.1 Setup 19
4.1.1 Preconditions 19
4.1.2 Description 19
4.1.3 Setup 19
4.1.4 Licensing Description 26
4.1.5 Licensing 26
4.2 Login Procedure 30
4.2.1 Initial Login 30
4.3 Create Operational CA 35
4.4 Create a Server Certificate for Web UI and EST Server 40
4.5 Download and Trust the CA Certificate 45
4.6 Set the Created Server Certificate as SICAM GridPass Web-Server Certificate 53
4.7 Configure Centralized Syslog Logging 55

5 User Management 56
5.1 Introduction 57
5.1.1 Overview 57
5.2 User Administration 57
5.2.1 Local User Administration 57
5.2.2 Logout 60
5.2.3 Initial Login with a Local Account 61

6 Certificate Management 63
6.1 Overview of Import, Export, and Creation of Certificates 64
6.2 Remote Requests 65
6.3 Local Requests 66
6.3.1 Create a Certificate 66
6.3.2 Import a CSR and Issue a Certificate 70
6.3.3 Import a Certificate with CA Chain 73
6.3.4 Export a Certificate 76
6.3.5 Revoke a Certificate 78
6.4 Certification Authorities 79
6.4.1 Create a Root-CA 79
6.4.2 Import a Certification Authority 79
6.4.3 Export a CA Certificate 80
6.4.4 Create a CRL Manually 82
6.4.5 Revoke Certification Authority 82
6.5 CRL Distribution Point 83
6.6 Subject Alternative Name 84

7 Managing EST 87
7.1 Introduction 88
7.1.1 Overview 88
7.2 EST Administration 88
7.2.1 Managing EST Clients 88
7.2.2 Managing EST Server 89
7.2.3 Managing Remote Requests 90
7.2.4 Certificate Revocation List (CRL) 91

8 Other Features 94
8.1 Local User Management 95
8.2 Remote User Management 97
8.3 Certificate Export to an LDAP Directory Service or Active Directory 100
8.3.1 Configuration 100
8.3.2 Certificate Export to LDAP 101
8.4 Attribute Certificates 106
8.5 Auto Logout 114
8.6 Backup and Restore 114
8.7 Signing Server 119
8.8 Logging 119
8.9 Update to a New SICAM GridPass Version 122
8.10 Roles and Area of Responsibility according to IEC 62351-8 123

A Glossary 126

1 Overview



1.1 General

Enrollment over Secure Transport (EST) is defined in RFC 7030. It profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. The profile describes a simple yet functional certificate management protocol for Public Key Infrastructure (PKI) clients that need to acquire client certificates and the associated Certification Authority (CA) certificates. EST uses Transport Layer Security (TLS) and the Hypertext Transfer Protocol (HTTP) to provide an authenticated and authorized channel for simple PKI requests and responses. Architecturally, the EST service sits between a Certification Authority (CA) and a client and performs several functions traditionally allocated to the Registration Authority (RA) role in a PKI. EST specifies how to transfer messages securely via HTTP over TLS (HTTPS), where HTTP headers and media types are used in conjunction with TLS.

1.2 Public Key Infrastructure (PKI)

A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.

1.3 Certification Authority (CA)

Among the components of a PKI are one or more Certification Authorities (CAs), the entities that issue digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.

Digital Certificate

A digital certificate is a data structure that binds a public key value to a subject. The binding is established by a trusted certification authority (CA) verifying the identity of the subject and digitally signing the certificate. The digital certificate has a limited lifetime, which the relying party checks along with the signature.

Figure 1-1 Digital Certificate


Registration Authority

A registration authority (RA) verifies the identity of entities requesting digital certificates and forwards the certificate signing request to the CA. CA and RA are often co-located.

Certificate Revocation List (CRL)

A certificate revocation list is a list of digital certificates that have been revoked by the issuing certification authority (CA) before their scheduled expiration date and should no longer be trusted. The CRL distribution point, for example a Web server link, is stored inside the certificate. A CRL has a limited validity period: the CA must reissue it, and the relying entity must download the new one, before the current CRL becomes invalid. Often an interval of 24 hours is used.

Figure 1-2 Certificate Revocation List

1.4 PKI Workflow

The following figure shows the PKI workflow with EST in the Siemens Energy environment. In step (1) the entity creates an asymmetric key pair, to be used later for example for an HTTPS server certificate. The entity creates a Certificate Signing Request (CSR) containing the public key, the entity information, and the intended use of the requested certificate, and sends it to the RA/CA (2). The RA/CA signs the CSR with the CA private key (3) and returns the created certificate to the entity (4). In general, certificates are often stored in a public repository (directory service). The CRL listing revoked certificates is likewise published in a publicly reachable repository (directory service or Web server).


Figure 1-3 PKI Workflow

2 Enrollment over Secure Transport (EST)



2.1 Function

The EST protocol is described here as implemented for Siemens products in the Energy Automation/Digitalized Grid domain. All other flavors are described in RFC 7030 (https://tools.ietf.org/html/rfc7030). The EST protocol enables a PKI client (entity) to request a new certificate or a certificate renewal from a Certification Authority (CA). The EST server acts as a Registration Authority (RA); the EST CA is logically "behind" the EST server. As EST is based on the TLS protocol, mutual authentication based on X.509 certificates is used here to authenticate the server to the entity and vice versa.

Figure 2-1 EST Workflow

2.2 Authentication

At the beginning, both the entity and the EST server hold X.509 certificates. The entity has initial imprinting certificates received during the production phase, or received its initial certificates during the engineering phase. The SICAM GridPass EST server is placed inside the customer environment and receives its EST server certificate during the installation phase of SICAM GridPass, as described in this document. The entities receive the certificate of the CA that issued the EST server certificate during their engineering phase. The SICAM GridPass EST server receives the Siemens CA certificate during the installation of SICAM GridPass if Siemens imprinting certificates are used in the entities; in all other cases the CA certificates of all issuing CAs have to be imported beforehand. Now the chain of trust is established: the SICAM GridPass EST server can verify the entity certificates, and the entities can verify the EST server certificate of SICAM GridPass. EST is based on TLS and is configured in Siemens Energy Automation products to use mutual authentication: the EST server verifies the entity certificate and the EST client (entity) verifies the EST server certificate during the TLS handshake. Once the connection is established, the CSR is sent over this authenticated and secured connection, and the signed certificate is returned to the entity over the same connection.


2.3 CRL

The EST client and the EST server check the validity of received certificates against a CRL. The CRL distribution point URL is stored inside the certificates and generally points to a Web server (http). The CA updates the CRL continuously, and the EST client has to retrieve a new CRL before the next update time stated inside the current CRL is reached. The CRL is signed by the CA that issued the certificates it lists, so a relying party must verify that signature and the update times; the plain http transport provides no protection of its own.

Figure 2-2 CRL Workflow
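The EST exchange of sections 2.1 to 2.3, as an added example written for this page and not code from the SICAM GridPass product or manual. It uses only the Python standard library: the entity presents its imprinted or engineered certificate as TLS client certificate, trusts only the explicitly imported CA that issued the EST server certificate, fetches /cacerts, and posts its PKCS#10 request to /simpleenroll (or /simplereenroll for renewal). The server address 10.0.0.5:8085 (the manual's default EST port), the file names, and the CSR bytes are assumptions.

```python
"""Minimal EST (RFC 7030) client for the exchange described above.

Added example, not part of the SICAM GridPass manual or product. Host, port,
file names and the CSR bytes are assumptions; the server is a hypothetical
GridPass instance on TCP 8085, the manual's default EST port.
"""
import base64
import http.client
import ssl

EST_BASE = "/.well-known/est"          # fixed URI prefix from RFC 7030 section 3.2.2


def est_path(operation, label=None):
    """EST URI for an operation, optionally under a CA label."""
    return f"{EST_BASE}/{label}/{operation}" if label else f"{EST_BASE}/{operation}"


def mutual_tls_context(ca_file, client_cert, client_key):
    """TLS context for the entity: trust only the explicitly imported CA that
    issued the EST server certificate, and present the entity's imprinted or
    engineered certificate as TLS client certificate (mutual authentication)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)   # no system store: explicit trust anchor only
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def encode_pkcs10(csr_der):
    """EST transfers the PKCS#10 request as base64 text."""
    return base64.b64encode(csr_der).decode("ascii")


def parse_est_response(status, content_type, body, retry_after=None):
    """Interpret the answer to /cacerts or /simpleenroll.

    200 -> ("issued", DER of the certs-only PKCS#7); 202 -> ("pending", seconds),
    the RA has not decided yet (RFC 7030 section 4.2.3); anything else is an
    error. Both success bodies are base64 (Content-Transfer-Encoding)."""
    if status == 202:
        return ("pending", int(retry_after or 0))
    if status != 200:
        raise RuntimeError(f"EST request failed: HTTP {status}")
    media = content_type.split(";")[0].strip().lower()
    if media != "application/pkcs7-mime":
        raise RuntimeError(f"unexpected media type {content_type!r}")
    return ("issued", base64.b64decode(body))


def _request(host, port, ctx, method, path, body=None, headers=None):
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return parse_est_response(resp.status, resp.getheader("Content-Type", ""),
                                  resp.read(), resp.getheader("Retry-After"))
    finally:
        conn.close()


def get_cacerts(host, port, ctx, label=None):
    """GET /cacerts: the CA certificate(s) the client should trust for EST."""
    return _request(host, port, ctx, "GET", est_path("cacerts", label))


def simple_enroll(host, port, ctx, csr_der, label=None, renew=False):
    """POST the CSR over the mutually authenticated channel; /simplereenroll is
    the same exchange used for renewal, authenticated with the old certificate."""
    op = "simplereenroll" if renew else "simpleenroll"
    return _request(host, port, ctx, "POST", est_path(op, label),
                    body=encode_pkcs10(csr_der),
                    headers={"Content-Type": "application/pkcs10",
                             "Content-Transfer-Encoding": "base64"})
```

Usage on the entity would be `ctx = mutual_tls_context("gridpass-ca.pem", "entity.pem", "entity.key")` followed by `simple_enroll("10.0.0.5", 8085, ctx, csr_der)`; a `("pending", n)` result means the request is waiting for manual approval (the manual's remote requests) and should be retried after n seconds. The returned PKCS#7 still has to be parsed to extract the certificate, which is outside this example.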

3 SICAM GridPass



3.1 Overview

To support the customer environment with all these certificate-based functions, Siemens SICAM GridPass offers an RA/CA together with an EST server and a CRL distribution point. The CA can sign CSRs coming from entities via the EST protocol and can also create local X.509 certificates. The certificates can be exported manually as files or to an existing directory service such as Microsoft Active Directory or OpenLDAP.

Figure 3-1 SICAM GridPass Workflow

3.2 Workflow

SICAM GridPass can create its own (Sub-)CA key material or import (Sub-)CA key material from a customer PKI. The EST server operates with configured X.509 key material issued by a CA that is part of SICAM GridPass. SICAM GridPass supports an arbitrary number of CAs, created in or imported into SICAM GridPass. Imported and created CAs are defined as trusted: an EST request from an entity that authenticates with a certificate issued by an imported or created CA is always trusted unless that certificate is listed in the CRL. Each authenticated and validated entity can send a CSR to the EST server. The EST server presents a configured server certificate issued by an imported or created CA to the EST client (entity). The EST server uses the configured operational CA to sign the certificate signing request; using different CAs to sign CSRs is not intended.

Summary of CSR handling:

• The EST server trusts any EST client certificate issued by any CA imported or created in SICAM GridPass
• The EST server checks the offered EST client certificate against the CRL, if one is used
• The EST server itself uses a server certificate issued by an imported or created CA in SICAM GridPass
• The EST server uses exactly 1 CA to sign a CSR
• SICAM GridPass signs any CSR with any content (except the X509v3 extensions for CA usage; these are set to Basic Constraints: critical, CA:FALSE) and conveys the signed CSR (the certificate) to the entity
• SICAM GridPass can revoke an issued certificate for any reason and distributes a CRL after revoking via an internal plain-text (http) Web server
• In general the CRL has a validity of 24 hours and is distributed every 12 hours even if no new certificates have been revoked

3.3 Integration

One possibility is to create a SICAM GridPass instance, or any other customer CA, at the Control Center (CC) level and to create the CA certificates for each substation there. The CA in the CC environment can supply devices at CC level with certificates via EST. All CAs located at substation level can supply the devices within their substation with certificates via EST.

NOTE i The substation level CA can be derived from a Root CA or can also be a Root CA. This depends on the company policy.

In the following figure, the design of the CAs for the CC and substation is shown. If more substations are used the Substation Control Zone can be mirrored.

Figure 3-2 EST Integration


3.4 Operating Overview

SICAM GridPass offers 3 different TCP-based services:

• Web UI access for SICAM GridPass operation via https, listening by default on the standardized TCP port 443
• CRL server (CRL distribution point) via http, listening by default on the standardized TCP port 80
• EST server via TLS/https, listening on a configurable TCP port (not standardized; TCP 8085 is selected by default)

Web UI Access

After the installation of SICAM GridPass, a Web interface for operation is offered, listening on every external interface. Certificates, CRLs, and entities can therefore be managed securely over https with a Web browser. During the installation and configuration phase, replace the initial self-signed certificate with a certificate issued by a CA in SICAM GridPass that the browser trusts, so that the browser shows a trusted connection:

Figure 3-3 Web UI Access Link

Depending on the firewall settings and routing, you can manage your substation CA from the CC or locally within your substation. Besides the local user management in SICAM GridPass with its different roles, SICAM GridPass also offers the option to switch to a repository-based user management. LDAP and RADIUS access are supported, so a RADIUS repository located in the substation or in the CC can be used to manage your SICAM GridPass users.

Figure 3-4 Web UI Access User

CRL Server

To support the entities within the different zones, SICAM GridPass provides a CRL distribution point, listening by default on port 80 as a Web server. CRL support is configured in the SICAM GridPass Web-based user interface. This CRL distribution point is placed inside each certificate created or signed by SICAM GridPass. SICAM GridPass generates a CRL for each CA at least every 12 hours; the next update field within the CRL is set to 24 hours. Providing the EST server and the CRL distribution point (CDP) Web server on the same machine is an advantage for the network configuration, because every machine with access to the EST server also has access to the Web server. In general the CDP listens on TCP port 80 and is accessible without authentication via http. Unauthenticated plain http is acceptable here only because the CRL itself is signed by the issuing CA; relying parties must verify that signature and the next update time rather than trust the transport. In general the substation CRL server is contacted by the entities inside the same substation.
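What the 12-hour publication interval and 24-hour validity buy a relying party, as an added example that is not GridPass code: a cache that refetches ahead of the next update, keeps using the previous CRL while the CDP is unreachable, and fails closed once no CRL with a future next update is left. The hourly polling, the 6-hour refresh margin, and the outage schedule are assumptions made for the self-test; the http download of the CDP URL and the signature check against the issuing CA are left to the `fetch` callable.

```python
"""Relying-party CRL refresh policy for the CDP scheme described above.

Added example, not GridPass code. The download itself (plain http GET of the
CDP URL embedded in the certificate) and the signature check against the
issuing CA are left to the 'fetch' callable passed in; the scheme simulated
here (a new CRL every 12 h, each valid for 24 h) and all timestamps are
constructed for the self-test.
"""
from datetime import datetime, timedelta, timezone


class CrlUnavailable(Exception):
    """No CRL valid at this moment is at hand: the relying party must fail closed."""


class CrlCache:
    """Holds the last good CRL for one issuer and decides when to contact the CDP."""

    def __init__(self, fetch, margin=timedelta(hours=6)):
        self.fetch = fetch        # () -> (thisUpdate, nextUpdate); raises when the CDP is unreachable
        self.margin = margin      # start refreshing this long before nextUpdate (assumed value)
        self.this_update = self.next_update = None

    def ensure_fresh(self, now):
        """Return 'cached' or 'refreshed'; raise CrlUnavailable when nothing usable is left."""
        due = self.next_update is None or now >= self.next_update - self.margin
        if due:
            try:
                this_update, next_update = self.fetch()
            except Exception:
                pass                                   # CDP down: fall back to the cached copy
            else:
                if this_update <= now < next_update:   # reject stale or future-dated CRLs
                    self.this_update, self.next_update = this_update, next_update
                    return "refreshed"
        if self.next_update is not None and self.this_update <= now < self.next_update:
            return "cached"
        raise CrlUnavailable(f"no CRL valid at {now.isoformat()}; treat the certificate as unverifiable")


def simulate(outage_start_h, outage_len_h, total_h=72, validity_h=24, publish_every_h=12):
    """Hourly checks against a CDP that publishes like GridPass (new CRL every 12 h,
    nextUpdate 24 h ahead) with a CDP outage of outage_len_h hours from outage_start_h.
    Returns the hour at which the relying party first had to fail closed, or None."""
    t0 = datetime(2020, 5, 1, tzinfo=timezone.utc)     # constructed start time
    clock = {"h": 0}

    def fetch():
        if outage_start_h <= clock["h"] < outage_start_h + outage_len_h:
            raise ConnectionError("CDP unreachable")
        last_pub = t0 + timedelta(hours=(clock["h"] // publish_every_h) * publish_every_h)
        return last_pub, last_pub + timedelta(hours=validity_h)

    cache = CrlCache(fetch)
    for h in range(total_h):
        clock["h"] = h
        try:
            cache.ensure_fresh(t0 + timedelta(hours=h))
        except CrlUnavailable:
            return h
    return None
```

With this scheme `simulate(12, 12)` never fails closed: a full 12-hour outage means one missed publication, and the overlap between the 12-hour interval and the 24-hour validity covers it. `simulate(12, 13)` fails closed at hour 24, which is the intended behaviour: a certificate whose revocation status cannot be established must not be accepted just because the CDP is down.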


EST Server

SICAM GridPass provides an EST server that handles the EST client (entity) requests to sign the entity CSRs with the configured CA private key. EST support is configured in the SICAM GridPass Web-based user interface, where the trust between entities and the EST server is also configured. The EST server signs all CSRs coming from an entity authenticated by a trusted CA. In general the substation EST server is contacted by the entities inside the same substation.

Entities (Products)

The only way for an entity to authenticate itself to the EST server is with its preinstalled X.509 key material. Depending on the device, this material is imprinted at the factory or imported during engineering. The entity in turn has to trust the CA that issued the EST server certificate. Once this mutual trust is engineered, the entity can obtain a CA-signed certificate at any time by sending a CSR to the EST server; a CSR is sent the same way for renewal. The EST server CA signs all certificates with all X.509 extensions requested in the CSR without any validation, except when a CA flag is set in the CSR: an entity cannot obtain a certificate usable as a CA. This is the only exception. Because subject, Subject Alternative Names, and key usage are taken from the CSR as requested, the sole gate on what an entity can obtain is possession of a certificate from one of the trusted CAs; protect the imprinted key material accordingly and limit the imported CAs to those whose devices actually need to enroll.
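The CA-flag rule from the workflow summary in 3.2 and the paragraph above, as an added example written for this page, not SICAM GridPass code. It operates on the DER `Extensions` SEQUENCE that a PKCS#10 request carries in its extensionRequest attribute: every requested extension is copied through unchanged, exactly as the manual says, except Basic Constraints, which is always emitted as critical, CA:FALSE (added if absent). Refusing a Key Usage that asks for keyCertSign is an additional check of our own, not documented GridPass behaviour. The extension bytes in the self-test are hand-constructed.

```python
"""Apply the manual's CA-flag rule to the extensions requested in a CSR.

Added example, not SICAM GridPass code. Input is the DER 'Extensions'
SEQUENCE from a PKCS#10 extensionRequest attribute. Every requested
extension is copied through unvalidated, except Basic Constraints, which
is always written as 'critical, CA:FALSE'. Rejecting keyCertSign in Key
Usage is our own extra check. Sample bytes are hand-constructed.
"""

OID_BASIC_CONSTRAINTS = bytes.fromhex("0603551d13")   # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("0603551d0f")           # 2.5.29.15
SEQUENCE, BOOLEAN, BIT_STRING, OCTET_STRING = 0x30, 0x01, 0x03, 0x04


class PolicyError(ValueError):
    pass


def der_read(buf, pos=0):
    """Read one TLV at buf[pos:]; return (tag, content, next_pos). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_write(tag, content):
    """Encode one TLV with the shortest definite length, as DER requires."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_children(content):
    """Split the content of a constructed value into (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        items.append((tag, inner))
    return items


def parse_extension(seq_content):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    parts = der_children(seq_content)
    oid = der_write(0x06, parts[0][1])
    critical = len(parts) == 3 and parts[1][1] == b"\xff"
    return oid, critical, parts[-1][1]


def encode_extension(oid, critical, value):
    flag = der_write(BOOLEAN, b"\xff") if critical else b""
    return der_write(SEQUENCE, oid + flag + der_write(OCTET_STRING, value))


# BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
# DER omits DEFAULT values, so CA:FALSE is the empty SEQUENCE.
BC_CA_FALSE = encode_extension(OID_BASIC_CONSTRAINTS, True, der_write(SEQUENCE, b""))


def apply_csr_policy(extensions_der):
    """Return (sanitized Extensions DER, list of actions taken)."""
    tag, content, _ = der_read(extensions_der)
    if tag != SEQUENCE:
        raise PolicyError("Extensions must be a SEQUENCE")
    out, actions = [], []
    for _ext_tag, ext_content in der_children(content):
        oid, critical, value = parse_extension(ext_content)
        if oid == OID_BASIC_CONSTRAINTS:
            _, bc_content, _ = der_read(value)          # value holds the BasicConstraints SEQUENCE
            fields = der_children(bc_content)
            if fields and fields[0] == (BOOLEAN, b"\xff"):
                actions.append("basicConstraints: CA:TRUE requested, rewritten to CA:FALSE")
            else:
                actions.append("basicConstraints: normalised to critical, CA:FALSE")
            out.append(BC_CA_FALSE)
            continue
        if oid == OID_KEY_USAGE:
            # KeyUsage is a BIT STRING: bits[0] = unused-bit count, bits[1] holds bits 0..7;
            # keyCertSign is bit 5, i.e. mask 0x04 in that first data byte.
            bt, bits, _ = der_read(value)
            if bt == BIT_STRING and len(bits) > 1 and bits[1] & 0x04:
                raise PolicyError("keyUsage requests keyCertSign; refusing to issue")
        actions.append(f"extension {oid.hex()} copied unvalidated")
        out.append(encode_extension(oid, critical, value))
    if BC_CA_FALSE not in out:
        actions.append("basicConstraints: absent, added as critical, CA:FALSE")
        out.append(BC_CA_FALSE)
    return der_write(SEQUENCE, b"".join(out)), actions
```

The `actions` list is worth logging at the RA: it makes visible that a subjectAltName or extended key usage was issued exactly as the device asked for it, which is the manual's stated behaviour and the reason the set of trusted enrollment CAs has to be kept small.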

4 Workflow Step-by-Step



4.1 Setup

4.1.1 Preconditions

SICAM GridPass is released for Windows. It cannot be installed on a domain controller, because local user accounts cannot be created on a domain controller, and a local user is a prerequisite of SICAM GridPass. SICAM GridPass is released for the following Windows 64-bit x86 versions:

• Windows Server 2012 R2 Standard 64-bit
• Windows Server 2016 Standard
• Windows Server 2019

For the Microsoft lifecycle policy and the search of Microsoft products, also refer to https://support.microsoft.com/en-us/lifecycle

If you use the physical delivery of SICAM GridPass for installing the license file, you temporarily need a free USB port on your system during the installation. SICAM GridPass is always tested with the latest Windows security patch level. To operate SICAM GridPass from a remote system, Siemens recommends using Chrome.

4.1.2 Description

SICAM GridPass is delivered as a Windows setup. Installation is possible without a valid license file, but to run SICAM GridPass you need a valid license in any case to obtain all necessary rights of use. To install SICAM GridPass you need administrative Windows rights and the associated license manager. Besides the program itself, SICAM GridPass installs 3 Windows services, an SQLite database, and a local SICAM GridPass user account under which the services run. It uses the Microsoft certificate store. If not yet available, the Automation License Manager (ALM) is also installed during the installation phase. A password has to be selected for the local SICAM GridPass user. During installation the setup adjusts your firewall: the ports for EST, the CRL distribution point, and the Web-based user interface are opened for external access, and all services listen on all network interfaces. If necessary, restrict access to dedicated network interfaces afterwards with the Windows Firewall. SICAM GridPass is delivered without a local user interface and is operated via a browser (Google Chrome). During the 1st login via the Web interface, a password has to be selected for restoring the database.

NOTE i This option is available only during the 1st initial Web login to SICAM GridPass. Perform the 1st initial Web login with care and protect the password properly with regard to confidentiality and availability.

4.1.3 Setup

² Start the SICAM GridPass Setup with Run as administrator to install SICAM GridPass.


[sc_setup_start, 2, en_US]

The setup is signed by Siemens AG. Windows verifies the signature and asks whether you want to proceed with the installation; check that the publisher shown in this prompt is Siemens AG before confirming.

[sc_setup_start_windows_message, 2, en_US]

² Proceed with the installation with Yes. The SICAM GridPass setup dialog opens.


[sc_setup_dialog_open, 3, en_US]

² Enter a password for the local SICAM GridPass user.

[sc_setup_password_entry, 3, en_US]

NOTE i Use a complex password for the SICAM GridPass user which is a functional user to run the services and use the Microsoft certificate store.

² Confirm the password.


NOTE i Store the password in a secure way. When reinstalling the GridPass software, use the identical password for the GridPass user. If you have lost your GridPass user password, remove the GridPass user and the Microsoft certificate store entries for this user. Additionally, replace the new database with the backup database and enter the backup and restore password in a later step during the 1st login to SICAM GridPass.

Port Settings

[sc_setup_port_settings, 3, en_US]

SICAM GridPass offers 3 services that open listening TCP sockets on your system. The proposed ports have to be free on your system; the setup checks the availability of the proposed ports. Multipurpose systems often have another Web service listening on TCP port 80 or 443. With a search in the command shell (netstat -na -p TCP), you can quickly find open ports.

[sc_setup_port_cmd, 2, en_US]

You should not see the proposed port numbers behind the “:” under Local Address with State LISTENING. ² Press Next to proceed if the proposed values are free or change the values.


NOTE i In case of changing the SICAM GridPass Web service port number to another value beside port 443 later, always enter the port in your https browser URL, for example https://192.168.10.101:4711.

Destination Folder

² To start the installation, check the destination folder and change the path if necessary.

[sc_setup_destination_folder, 3, en_US]

Now, SICAM GridPass is ready for installation.

Installation

² Click Install to start the installation routine.


[sc_setup_installation_start, 3, en_US]

[sc_setup_installation_components, 3, en_US]

SICAM GridPass and the ALM are built with Visual Studio 2013/2015 and therefore need the VC++ 2013/2015 Redistributables if they are not yet installed on your system. The Redistributable package is generally part of the Siemens delivery.


[sc_setup_installation_components_ALM, 3, en_US]

SICAM GridPass is licensed with a license file delivered together with the SICAM GridPass data carrier on a USB license stick. To use the license the Automation License Manager (ALM) software has to be installed on your system. If an older version of the Automation License Manager already exists, this version is updated automatically. ² Restart your system now to finish the installation.

Checks after Installation

² Check whether all services run.

[sc_setup_services_check, 2, en_US]

² In any case, also open your SICAM GridPass Web service to check the configured ports for all interfaces (0.0.0.0).

[sc_setup_configured_ports, 2, en_US]

² Adjust your Windows Firewall to allow incoming connections to the selected ports above for the Web interface, the EST server and CRL distribution point (for this step, also refer to the Windows manual).


[sc_setup_firewall, 1, en_US]

4.1.4 Licensing Description

To use SICAM GridPass, a valid license has to be installed on the system. The SICAM GridPass license can be ordered for different numbers of accessing clients:

• SICAM GridPass V1.50 – 50 clients (licenses)
• SICAM GridPass V1.50 – 250 clients (licenses)
• SICAM GridPass V1.50 – 1000 clients (licenses)
• SICAM GridPass V1.50 – 10 000 clients (licenses)

NOTE i A single client may hold up to 25 valid certificates in total and still counts as only 1 license; with 26 valid certificates a 2nd client license is needed. Licenses are counted against the certificates requested via the EST protocol. Locally generated certificates are not counted against the license.

NOTE i It is allowed to run SICAM GridPass without a valid license file under the Trial License conditions found in the General License Conditions of Siemens, Division Energy Management, for Software Products. If you are using the Trial version the CA validity is fixed to 90 days.

4.1.5 Licensing

In case of a physical delivery of SICAM GridPass transfer the licenses from the delivered license USB sticks to your computer. In case of an OSD download of SICAM GridPass connect to the OSD Web page and select the Web License Key Download in the Automation License Manager program. After that login with your OSD credentials and transfer the license online from the OSD service to your computer. Ensure that you have an Internet connection to reach the OSD server.


NOTE i If the SICAM GridPass system has no direct connection to the Internet use another computer to download the license and transfer it to the SICAM GridPass system via an USB stick. For this, use the ALM software within the downloaded ZIP file in the \ALM folder.

² In case of a physical delivery of SICAM GridPass, insert your license USB stick into a free USB-2 or USB-3 port.

[sc_license_port, 2, --_--]

Windows installs the necessary drivers to mount the USB stick. ² You can check the successful installation of the USB stick opening a Windows Explorer (LICENSE_KEY drive).

[sc_license_key_drive, 2, en_US]

² Start the Automation License Manager.


[sc_license_ALM, 2, --_--]

² You can find the LICENSE_KEY in the Automation License Manager list.

² Select the LICENSE_KEY to move the license from the USB stick to your file system.

² Select the license and drag and drop it to the Local Disk (C:). The license key is now transferred to your local disk.

[sc_license_ALM_transfer_job, 2, en_US]

² Select the Local Disk to check the successful transfer.


[sc_license_ALM_transfer_check, 3, en_US]

² In case of an OSD download of SICAM GridPass login in to the OSD Web page to get your license key.

NOTE i
• The license cannot be transferred to a compressed drive.
• If you want to install GridPass on a new system, transfer your license back to your USB stick.
• If visible, do not delete the AX NFZZ folder in the root directory.

You can find more information in the ALM manual.

[sc_license_ALM_manual_ref, 2, en_US]


4.2 Login Procedure

4.2.1 Initial Login

² The 1st step after the installation of SICAM GridPass is to create a valid certificate with SICAM GridPass to avoid the security notification from your Web browser. Initially, a self-signed certificate is created to give access to the SICAM GridPass user interface via https. First of all, this self-signed certificate has to be accepted. The self-signed certificate includes all IP addresses of the installed system as Subject Alternative Names, to avoid trouble with several browsers. Therefore, for the initial login, use the IP address and not the DNS name of the system running SICAM GridPass.

² Start the Google Chrome browser and enter the IP address of the system on which SICAM GridPass is installed, with the prefix https://. If the browser runs on the same system as SICAM GridPass, you can also enter https://127.0.0.1 for localhost access. Accept the security notification to continue with the first login.

NOTE i If SICAM GridPass is listening on a port other than 443, add the listening port as suffix, for example :4711. In case of a localhost it would be https://127.0.0.1:4711. This IP address is an example only. Use the correct IP address of your system.

[sc_connection_not_private, 2, en_US]


[sc_connection_not_private_advanced, 2, en_US]

² Enter a recovery PIN for the encrypted database values.

[sc_login_recovery_password, 3, en_US]


Figure 4-1 Set Recovery Password for Data Encryption

NOTE
Not all values are encrypted inside the database, only the confidential ones. You have only this one opportunity to assign the recovery password. Select a strong password and store it in a secure way, separate from the GridPass system. In case of a reinstallation of the SICAM GridPass CA you need this password to recover the database on another or newly installed Windows system; without it, the encrypted values cannot be recovered.

² Log on to the SICAM GridPass Web user interface and create a local user with the role RBACMGMT assigned. The SECADM role, which provides all rights to operate SICAM GridPass fully, will be assigned in a later step.


Figure 4-2 Login to SICAM GridPass

² After the password has been set, log on with your credentials.


You are now logged on to the SICAM GridPass Web user interface with the RBAC Manager and Security Administrator role.


Figure 4-3 SICAM GridPass Web User Interface

² Each Web page has an online help that you can open and close by pressing the arrow.

Figure 4-4 SICAM GridPass – Online Help

4.3 Create Operational CA

To use the Web UI without security notifications, create an operational CA and issue a server certificate bound to the IP address or DNS name of the installed system. In this example, the system has the DNS name localhost.siemens.de. Do not use this name for your productive system.


² Go through the wizard and create the first CA. Use a meaningful name for the CA and enter suitable attributes. These attributes are a readable part of the CA certificate that everyone who receives the certificate can see, so do not put internal information there. Choose an appropriate validity of the CA in conjunction with the selected key length and algorithm; see keylength.com for recommendations on key length and validity. For example, 10 years with a 4096-bit RSA key or, alternatively, with the secp256r1 ECC curve is a good choice.


Figure 4-5 Wizard Create Certificate Authority – Step 1: Basic Settings

² You can keep the preselected attributes for using the created certificate as a CA. You can set the Subject alternative name as FQDN or IP addresses; separate several values with "," or ";". The value entered here during CA creation has no effect on the later TLS handshake, because the browser checks the names in the server certificate, not in the CA certificate. Leave the CRL distribution point empty here, because a Root-CA is being created. You can find more information in chapter 6.5 CRL Distribution Point.


Figure 4-6 Wizard Create Certificate Authentication – Step 2: Extended Settings

² Now set the PKCS#12 container PIN.


Figure 4-7 Set PIN and Download

² Download the P12 including the PRIVATE KEY. This container holds the CA private key: anyone who has the file and its PIN can issue certificates that every system trusting this CA will accept. Store it offline and restrict access to it.


Now, the first CA is created.


4.4 Create a Server Certificate for Web UI and EST Server

Now you can create the server certificate for the SICAM GridPass UI HTTPS Web server. Web browsers are strict about the server certificate offered by the Web server: the issuing CA certificate has to be trusted, and the Subject Alternative Name has to match the name used in your URL, for example gridpass.siemens.com for https://gridpass.siemens.com. Otherwise the Web UI does not open without a warning.


² Use the DNS name as Common name (CN), or any other name or IP address you use to open the Web UI in your browser. Current browsers match the URL against the Subject Alternative Name and not against the CN, so the same name must also be entered as alternative name in step 2. Select a reasonable validity period for your server certificate and create a new certificate before the expiry date; at the latest after the expiry date, the browser shows a message about the invalid certificate. 1 year for a server leaf certificate is a good choice, together with an RSA key of 2048-bit key length or alternatively a secp256r1 ECC curve.

Step 1 – Select Certificate Profile
² To start the certificate wizard, select the certificate profile TLS Server to issue a server certificate for the SICAM GridPass Web and EST server. All values that will become part of the certificate are shown in the right section of the wizard and are updated automatically when you change a setting, so you can always check the values that will be used when issuing the certificate.


² Press the right arrow button to proceed with step 2.

Step 2 – Define Certificate Settings
² Select a descriptive Common name for your server certificate.
² Set also the Alternative names for the FQDN of the server and/or the IP address used for later Web access to SICAM GridPass, for example gridpass.siemens.com for https://gridpass.siemens.com and/or 192.168.56.5 for https://192.168.56.5. You can enter more than 1 alternative name for your certificate. For an IP address, select IP address from the list box, enter your IPv4 address, for example 192.168.56.5, and press the + button. For a DNS name, select DNS name from the list box, enter for example gridpass.siemens.com, and press the + button. All entries can be verified in the right section of the wizard.


The parameter Issuer certificate is preselected if only 1 created CA certificate is available.


NOTE
If the certificate values are already sufficient for you and for the issuing process, a checkmark is shown with which you can stop the wizard early. The certificate is then issued with the values shown.

² Press the right arrow to continue with step 3.

Step 3 – Assign Roles and Area of Responsibility
² The roles and the area of responsibility can be skipped for this server certificate because they are not evaluated by browsers or EST clients. These values are relevant when certificates are used according to IEC 62351-8 in your process environment.
² Press the right arrow to continue with step 4.

Step 4 – Define Validity ² Enter the start and end date of your certificate.


² Press the right arrow to continue with step 5.


Step 5 – Define CRL Distribution Point
If you select Automatic from the list box, the CRL distribution point is written automatically into the created certificate with all IP addresses and host names of the GridPass machine, pointing to the local SICAM GridPass Web server that runs on the same machine as this SICAM GridPass CA. The values are taken from the network configuration and are not visible here.
² Press the + button to add the CRL distribution point to the certificate. If you want to use your own CDP URL, select the http or ldap protocol from the drop-down menu and enter a string in this field in the form:

http://://.crl

- or -
² Use the placeholder {} to use the GridPass-generated naming: http://://{}.crl and press the + button to add the entered CRL distribution point to the certificate. For more information, see 6.5 CRL Distribution Point.


² Press the right arrow to continue with step 6.

Step 6 – Assign Key Type and Key Parameters
² Select the key type RSA or elliptic curve cryptography (ECC), and then the key length for an RSA key or the curve for an ECC key.


² Finish the server-certificate creation wizard by pressing the Check button to see the created certificate.


4.5 Download and Trust the CA Certificate

² To avoid the security notification of your Web browser for the connection to SICAM GridPass, you have to trust the CA certificate that issued the SICAM GridPass server certificate. To trust the CA, import the CA certificate into the Microsoft certificate store category Trusted Root Certification Authorities on the PC from which you connect to SICAM GridPass.


² Export the GridPassCA certificate as DER encoded file.


² Select the download folder to install the certificate.


² Right-click the certificate and select Install Certificate.


² Confirm the security warning with the Open button.


² If the CA certificate is to be trusted for every user of this PC for the SICAM GridPass administration, select Local machine; this requires administrative rights on the PC. If only the logged-in user is to trust it, select Current User.


² Select the Trusted Root Certification Authorities folder to install the CA certificate.


² To install the certificate, click OK and Next >.


² Click Finish to install the CA certificate.


4.6 Set the Created Server Certificate as SICAM GridPass Web-Server Certificate


² Select the server certificate used for the Web server and the EST server provided to a browser or EST client during TLS handshake.


Figure 4-8 Selecting EST/HTTPS Server Certificate


² After this confirmation, the Web server changes from the self-signed certificate to the selected certificate issued by a CA. You now have a trusted connection to your GridPass Web server.
² Now check the connection to SICAM GridPass with the IP address and/or the DNS name used in the certificate alternative name. In case of a secure connection, the lock in the address bar of the browser is closed. Left-clicking the lock shows the details of the secure connection.


NOTE
Set the new EST/HTTPS certificate in SICAM GridPass only after you have installed the CA certificate that issued the server certificate in your Microsoft certificate store. Otherwise, the Chrome browser will no longer accept the exception for the Web page. If you missed downloading the CA certificate, use the Firefox browser for a temporary login to download and install the CA certificate.

4.7 Configure Centralized Syslog Logging

For a central logging you can configure a syslog server located in your network. SICAM GridPass CA supports the standard-based native syslog protocol.


In general, syslog is based on UDP and connects to a syslog server listening on port 514. You can also enter another port if your syslog server listens on a different UDP port. Note that plain UDP syslog is neither encrypted nor authenticated and datagrams can be lost without notice, so place the syslog server on a protected management network and monitor that messages keep arriving.
² First, check the Use syslog checkbox. Now you can enter the IP address and the port of your syslog server.


The log messages will now be sent to your centralized syslog server.

5 User Management

5.1 Introduction 57
5.2 User Administration 57


5.1 Introduction

5.1.1 Overview

In general, more than one user works with the SICAM GridPass CA. Therefore, the SICAM GridPass UI allows you to create additional SICAM GridPass UI users with different roles. Additionally, the SICAM GridPass UI supports different authentication methods: the local database only, LDAP, or RADIUS-based authentication. In case of a centralized user management, the users and their corresponding roles have to be managed by the authentication server.

5.2 User Administration

5.2.1 Local User Administration


² Add a new user and enter login name, role, and initial password. For security reasons, the user has to change the password at the first login. Depending on the role, the user has different rights in the SICAM GridPass UI.


Figure 5-1 Adding Local User

² Now you can add more local users. As long as there is no centralized authentication mechanism available you cannot deactivate the local user authentication.


Figure 5-2 Deactivating Local User Authentication

² You can change your own password for the login account in the main menu.


Figure 5-3 Changing Password

² Enter the old and the new password to change your password and confirm with the check mark.

5.2.2 Logout

² In any case, log off from the system after completion of the configuration. You can find the Logout function in the main menu.


After 10 minutes of inactivity, you will be prompted to log on again because an auto-logout function is implemented.

5.2.3 Initial Login with a Local Account

² After entering your credentials the first time you will get the change password dialog for security reasons.


² Enter your initial password and confirm with the check mark.


You will see the user logged in and the corresponding role in the header.


6 Certificate Management

6.1 Overview of Import, Export, and Creation of Certificates 64
6.2 Remote Requests 65
6.3 Local Requests 66
6.4 Certification Authorities 79
6.5 CRL Distribution Point 83
6.6 Subject Alternative Name 84


6.1 Overview of Import, Export, and Creation of Certificates

In general, certificates are issued by a Root-CA or a Sub-CA. A Sub-CA is itself issued by another Sub-CA above it or by the Root-CA. The entity certificate is the last one in the chain and cannot issue other certificates. The entity certificate is issued by a Root-CA or a Sub-CA:
• GridPass can import and export Root-CAs and Sub-CAs.
• GridPass can import and export entity certificates.
• GridPass can create Root-CAs, Sub-CAs, and entity certificates.
• GridPass can issue certificates from a manually uploaded Certificate Signing Request (CSR).
• GridPass can issue certificates from a Certificate Signing Request (CSR) received over the EST protocol.
Additionally, SICAM GridPass can handle Attribute Certificates (AC) as defined in the X.509 and IEC 62351-8 standards. Attribute Certificates are issued by an Attribute Authority (AA). An Attribute Authority (AA) is issued by an existing Root-CA or Sub-CA. The Attribute Certificate has a binding to an entity certificate:
• GridPass can import and export Attribute Authorities.
• GridPass can create Attribute Authorities and Attribute Certificates.
• GridPass can export Attribute Authorities and Attribute Certificates.
All these functions are found in the first category of the GridPass menu.


Remote requests

• Show certificates which are issued automatically by SICAM GridPass via a certificate signing request (CSR) coming from a remote device or from a PC software via the EST protocol.
• Export (download from SICAM GridPass) the automatically issued certificates.


Local requests

• Show certificates manually created and issued with SICAM GridPass.
• Show certificates imported manually.
• Show certificates issued from a file-based imported CSR.
• Create a public-key certificate (device or user certificate) or a Sub-CA certificate.
• Export (download from SICAM GridPass) a public-key certificate or a Sub-CA certificate.
• Create an Attribute Authority and Attribute Certificates.
• Import a public-key certificate (file).
• Import a CSR and issue the certificate (file).
• Export (download from SICAM GridPass) the certificate issued from the CSR.

Certification authorities

• Show CA certificates manually created and issued with SICAM GridPass.
• Show certificates imported manually.
• Create a Root-CA.
• Import a Root-CA, a Sub-CA (file), or an Attribute Authority.
• Export (download from SICAM GridPass) a Root-CA, a Sub-CA certificate, or an Attribute Authority.

6.2 Remote Requests

In this menu, all issued certificates received over EST will be shown. Here, you can revoke and export certificates. You can find more information in chapter 7.2.3 Managing Remote Requests.


6.3 Local Requests

6.3.1 Create a Certificate


The procedure to create a certificate with the certificate creation wizard is described for a server certificate in chapter 4.4 Create a Server Certificate for Web UI and EST Server. Beside a server certificate, you can also create for example a client certificate or an Intermediate CA (Sub-CA) depending on which profile is selected.


NOTE
Extensions for:
• Intermediate CA certificate (Sub-CA)
– basicConstraints = critical, CA:true
– Key usage = critical, CRL Sign, Certificate Sign
• TLS Client certificate
– basicConstraints = critical, CA:false
– Key usage = critical, Digital Signature
– Extended key usage = critical, Client Authentication
• TLS Server certificate
– basicConstraints = critical, CA:false
– Key usage = critical, Digital Signature, Key Encipherment
– Extended key usage = critical, Server Authentication
• TLS Client and Server certificate
– basicConstraints = critical, CA:false
– Key usage = critical, Digital Signature, Key Encipherment
– Extended key usage = critical, Client Authentication, Server Authentication
• TLS Client and Server certificate without extended key usage
– basicConstraints = critical, CA:false
– Key usage = critical, Digital Signature, Key Encipherment
– Extended key usage = critical, any key usage
• Code-signing certificate
– basicConstraints = critical, CA:false
– Key usage = critical, Digital Signature
– Extended key usage = critical, code signing
• Attribute Authority certificate
– basicConstraints = critical, CA:false
– KeyUsage = critical, cRLSign, keyCertSign

In the following you can find an example for creating a user-client certificate.

Step 1 – Select Certificate Profile ² Select the TLS client certificate profile.


² Press the right arrow button to proceed with step 2.

Step 2 – Define Certificate Settings
² Select the Issuer certificate signing the TLS client certificate. If only one CA with a private key exists, this CA is preselected and cannot be changed.
² Select a descriptive Common name, for example the device or user name.
² Check the Subject information and adjust the parameters in the list box if needed.


² Check the values in the right section of the wizard.


² Press the right arrow to continue with step 3.

Step 3 – Assign Roles and Area of Responsibility
² If you use the certificates in an IEC 62351 standardized environment, you can add the role information as defined in the IEC 62351-8 standard together with the Area-of-Responsibility (AoR) limitation (see also 8.10 Roles and Area of Responsibility according to IEC 62351-8 for more information about standard roles and AoR).
² Then verify the entered data in the right section of the wizard again.


NOTE
If you do not need to add IEC 62351-8 role extensions to the certificate, you can skip this wizard step and go to the next section to define the validity of the certificate.

² Press the right arrow to continue with step 4.

Step 4 – Define Validity ² Enter the start and end date of your certificate.


² If you have entered the CRL distribution point and the key type/parameter in a previous step and they are still sufficient for you, you can finish the wizard with the checkmark. Otherwise proceed with the right arrow and select the CRL distribution point as described in the previous chapter and/or your key settings.

6.3.2 Import a CSR and Issue a Certificate


In case of a device using a crypto chip, the private key is generated on the chip and never leaves it. In this case, a Certificate Signing Request (CSR) is created by the device and can be uploaded to GridPass manually if no EST protocol is available on the device side. GridPass signs the request after the CSR has been uploaded. Afterwards, you can download the certificate as PEM or DER encoded file. Because GridPass certifies whatever public key and subject the CSR contains, check the CSR contents before uploading it.
² Select the CSR file which you want to issue as certificate from your file system.


² Select the CA which signs (issues) the CSR and enter the validity of the certificate.


² Add the CRL distribution point (see chapter 6.5 CRL Distribution Point).


Afterwards, you will see the issued certificate within the list of Local requests. The certificate will be downloaded automatically.
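The CSR procedure above and the server-certificate wizard of chapter 4.4 rebuilt with OpenSSL, as an added example that is not part of this manual or of SICAM GridPass: the device generates an ECC key and a CSR, the operator verifies the CSR before uploading it, the CA signs it with the TLS Client or TLS Server extension profile listed in 6.3.1, and the result is checked the way a browser or EST client checks it (chain to the trusted CA, name in the URL against the SAN, purpose against key usage and extended key usage). The names ied01, GridPassCA, gridpass.example, 192.0.2.10 and the CRL URL are assumptions; all files are created in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example (not part of the SICAM GridPass manual or product): the CSR flow of
# 6.3.2 and the server-certificate flow of 4.4 rebuilt with OpenSSL, so that each
# file can be checked before upload and after download.  All names (ied01,
# GridPassCA, gridpass.example, 192.0.2.10, the CRL URL) are assumptions.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the system openssl.cnf is not consulted; ca_ext carries the
# Root-CA/Sub-CA extensions listed in 6.3.1.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# CA side (4.3): a 10-year RSA-4096 root, as suggested in the manual.
make_ca() {
  openssl req -x509 -config req.cnf -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -subj "/C=DE/O=Example Utility/CN=GridPassCA" -keyout ca.key -out ca.crt 2>/dev/null
}

# Device side: the private key stays where it was generated; only the CSR leaves.
make_device_csr() {   # $1 = device name
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -config req.cnf -key "$1.key" -sha256 \
    -subj "/C=DE/O=Example Utility/CN=$1" -out "$1.csr"
}

# Operator check before uploading: the CSR self-signature must verify (proof that the
# requester holds the key) and the subject must be the one you expect.
check_csr() {         # $1 = csr file; prints the subject, fails on a bad signature
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
  openssl req -in "$1" -noout -subject
}

# CA side: sign with the extension profile from the NOTE in 6.3.1.
issue() {             # $1 = csr, $2 = server|client, $3 = output certificate
  case "$2" in
    server) cat > ext.cnf <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = critical,serverAuth
subjectAltName = DNS:gridpass.example,IP:192.0.2.10
crlDistributionPoints = URI:http://192.0.2.10/GridPassCA.crl
EOF
    ;;
    client) cat > ext.cnf <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,clientAuth
crlDistributionPoints = URI:http://192.0.2.10/GridPassCA.crl
EOF
    ;;
    *) echo "unknown profile: $2" >&2; return 1 ;;
  esac
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile ext.cnf -out "$3" 2>/dev/null
}

# Relying-party checks (what the browser does after 4.5/4.6, what an EST client does):
# chain to the trusted CA, URL name against the SAN, purpose against key usage/EKU.
verify_chain()   { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
verify_name()    { openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1; }
verify_ip()      { openssl verify -CAfile ca.crt -verify_ip "$2" "$1" >/dev/null 2>&1; }
verify_purpose() { openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1; }
show_ext()       { openssl x509 -in "$1" -noout -ext "$2"; }

make_ca
make_device_csr ied01
check_csr ied01.csr                         # review the subject before "uploading"
issue ied01.csr client ied01.crt            # TLS Client profile
make_device_csr gridpass
issue gridpass.csr server gridpass.crt      # TLS Server profile for Web UI / EST server
verify_chain ied01.crt && verify_chain gridpass.crt
verify_name gridpass.crt gridpass.example && verify_ip gridpass.crt 192.0.2.10
if verify_purpose gridpass.crt sslclient; then   # critical EKU=serverAuth must reject this
  echo "server certificate accepted as client certificate: profile wrong" >&2; exit 1
fi
show_ext gridpass.crt subjectAltName,extendedKeyUsage,crlDistributionPoints
echo "files are in $WORK"
```

Run it with bash on a machine with OpenSSL 1.1.1 or later. The same relying-party check can be made against the live Web UI after chapter 4.6 with openssl s_client, giving -CAfile the exported CA certificate and -verify_hostname the name typed into the URL; that is not run here because it needs the server.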


6.3.3 Import a Certificate with CA Chain


You can import an entity certificate with or without a private key. The private-key import is supported only for the P12 container format. Certificates without a private key are imported only in PEM format. If the complete CA chain is available in the P12 container, it is imported as well. A PEM file may contain only 1 certificate for import.

Rules for Import
• CA certificates show up in the CA tile, entity certificates in the Local requests tile.
• A notification occurs if the certificate already exists in the database.
• If the certificate contains the same public key as an already imported certificate, with a later validTo date, the existing entry is replaced (external certificate resign).
• If a PEM file has more than 1 certificate, the import is rejected and an error message appears.
• Imported certificates are linked to their issuing or issued certificates if available.
• The import of the P12-container content is only possible with the correct PIN of the P12 container and of the private key inside the container. Note that the container PIN and the private-key PIN must be the same, although the specification allows more options.
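The import rules above turned into checks, as an added example that is not part of this manual or of SICAM GridPass, using OpenSSL: a multi-certificate PEM is split into single files and sorted into CA and leaf certificates as the tiles above require, the public-key fingerprint that decides whether an import counts as a re-sign of an existing key is computed, and a PKCS#12 container is built whose private-key PIN equals the container PIN. The sample Sub-CA and device certificates are constructed in the script; Example Sub-CA, ied01 and the PIN are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the SICAM GridPass manual or product): preparing files
# for the import rules of 6.3.3 with OpenSSL.  The sample certificates are constructed
# here; names (Example Sub-CA, ied01) and the PIN are assumptions.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# split_pem BUNDLE OUTDIR: GridPass rejects a PEM with more than one certificate, so a
# chain exported by another tool is cut into OUTDIR/NN-ca.pem or NN-leaf.pem (one
# certificate each; CA files belong in the Certification Authorities tile, leaf files
# in Local requests).  Prints the number of certificates found.
split_pem() {
  local bundle="$1" outdir="$2" n=0 inside=0 kind line part
  mkdir -p "$outdir"
  part="$outdir/.part"
  while IFS= read -r line; do
    if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
      inside=1
      : > "$part"
    fi
    if [ "$inside" -eq 1 ]; then
      printf '%s\n' "$line" >> "$part"
    fi
    if [ "$line" = "-----END CERTIFICATE-----" ]; then
      inside=0
      n=$((n + 1))
      if openssl x509 -in "$part" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        kind=ca
      else
        kind=leaf
      fi
      mv "$part" "$(printf '%s/%02d-%s.pem' "$outdir" "$n" "$kind")"
    fi
  done < "$bundle"
  echo "$n"
}

# pubkey_id CERT: SHA-256 over the SubjectPublicKeyInfo.  Two certificates with the
# same value are, per the rules above, the same key re-signed; GridPass keeps the one
# with the later validTo date.
pubkey_id() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# make_p12 CERT KEY CAFILE OUT PIN: GridPass requires container PIN and private-key PIN
# to be identical; 'openssl pkcs12 -export' uses the single -passout value for both.
# Including the CA file lets GridPass import the chain from the container.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$(basename "$1" .pem)" \
    -out "$4" -passout "pass:$5"
}

# check_p12_pin FILE PIN: true if the PIN verifies the container MAC (the check behind
# the PIN dialog of the import).
check_p12_pin() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# --- constructed sample data: a Sub-CA, a device leaf, and the same leaf key re-signed
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature
EOF
openssl ecparam -name prime256v1 -genkey -noout -out ca.key
openssl req -x509 -config req.cnf -extensions ca_ext -key ca.key -sha256 -days 3650 \
  -subj "/CN=Example Sub-CA" -out ca.pem
openssl ecparam -name prime256v1 -genkey -noout -out ied01.key
openssl req -x509 -config req.cnf -extensions leaf_ext -key ied01.key -sha256 -days 365 \
  -subj "/CN=ied01" -out ied01.pem
openssl req -x509 -config req.cnf -extensions leaf_ext -key ied01.key -sha256 -days 730 \
  -subj "/CN=ied01" -out ied01-resigned.pem      # same key, later validTo
cat ied01.pem ca.pem > chain.pem                  # what another tool typically exports

N="$(split_pem chain.pem parts)"                  # 2: parts/01-leaf.pem, parts/02-ca.pem
make_p12 ied01.pem ied01.key ca.pem ied01.p12 'S3cret-PIN'
echo "$N certificates split; key id $(pubkey_id ied01.pem) equals $(pubkey_id ied01-resigned.pem)"
```

Import parts/02-ca.pem via 6.4.2 first and parts/01-leaf.pem via this chapter afterwards, since the entity import is rejected while its CA is unknown.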


Import of PEM files
² Select a PEM file with the certificate you want to import from your file system.


² If the CA is not available yet, a message appears. In this case import the CA and if necessary each Sub-CA, to SICAM GridPass (see also 6.4.2 Import a Certification Authority).


The entity certificate is imported now (without a private key).


Import of P12 Files
² Select a P12 file with the certificates and optionally the key you want to import from your file system.


The PIN dialog appears.


If you enter the wrong PIN an error message appears.


After successful import, the certificate with the private key appears in the list of certificates.


During the import process, the CA certificate or certificates contained in the container are also imported automatically.


6.3.4 Export a Certificate


² It is possible to export a certificate as a file or to a Directory service via LDAP.
² You can export certificates in different formats, depending on whether a private key is available or not; an export to a Directory service is only possible without a private key.
² If a private key is available, you can select between a PIN-protected PKCS#12 container (P12) and 2 certificate-only variants without the private key, the base64-encoded PEM or the binary DER format, for download. If you select the PKCS#12 format, you must enter a PIN for protecting the container.


² If no private key is available, you can select between 3 certificate-only variants: the base64-encoded PEM or the binary DER format for download, or the export to LDAP.


6.3.5 Revoke a Certificate


² You can revoke all certificates issued for one device with one click:


² You can revoke a single certificate:


You can find more information on revoking certificates in chapter 7.2.4 Certificate Revocation List (CRL).


6.4 Certification Authorities

6.4.1 Create a Root-CA


You can find more information on the creation of a Root-CA in chapter 4.3 Create Operational CA. You can create an arbitrary number of Root-CAs.

6.4.2 Import a Certification Authority


² Search for the CA you want to import and confirm the import.


The imported CA will be shown in the list of available CAs with the hint that no private key is available.


² If you want to use an external CA to create certificates with the SICAM GridPass CA, for example for EST usage, you can also import a CA together with its private key, in general as a PKCS#12 container including key and certificate of the CA.


² The PKCS#12 container is encrypted with a PIN. Enter the PIN to finish the import of the CA.


You have now imported a CA with a private key.


6.4.3 Export a CA Certificate


² You can export CA certificates in different formats, depending on whether a private key is available or not.


² If a private key is available, you can choose between a password-protected PKCS#12 (P12) container and two certificate-only variants, the Base64-encoded PEM format or the binary DER format, both without the private key. If you select the PKCS#12 format, you must enter a PIN to protect the container. Note that the exported P12 contains the CA private key: choose a strong PIN, transfer the file only to systems that need it, and delete it afterwards.

[sc_export_certificates_P12, 2, en_US]

² If no private key is available, you can choose between the two certificate-only variants, the Base64-encoded PEM format or the binary DER format.


[sc_export_certificates_DER_file, 2, en_US]

6.4.4 Create a CRL Manually

[sc_manual_CA, 1, en_US]

CRL handling and usage is described in chapter 7.2.4 Certificate Revocation List (CRL). The icon for creating a CRL is shown only for CAs with a private key, because only then can a CRL be created and signed.

6.4.5 Revoke Certification Authority

In general, a Certification Authority should not be revoked. Revoking a CA is an emergency workflow for the case that the CA, that is its private key, is compromised. ² If necessary, revoke the CA:

[sc_revoce_CA, 1, en_US]

² Confirm the selection:


[sc_customCA_remove, 1, en_US]

Afterwards the CA is no longer shown in the list, and the CRL is downloaded automatically.

[sc_ca-p12, 1, en_US]

All certificates issued by the CA are revoked as well and put on the CRL. You can find more information on revoking certificates in chapter 7.2.4 Certificate Revocation List (CRL).

6.5 CRL Distribution Point

The CRL Distribution Point (CRLDP) is an extension of the certificate that tells a relying party where the CRL is stored. Normally the issued certificate points to the CRLDP of the CA that issued it. A Root-CA certificate therefore usually has no CRLDP, because it is self-signed; the standard does not forbid it, however, so the Root-CA certificate can carry the CRLDP of its own CRL. GridPass uses this extension to put the CRLDP into issued certificates automatically. ² GridPass offers 4 options for handling the CRLDP (also called CDP) during certificate creation:

[sc_create_certificates_options, 2, en_US]


• Leave it empty. No value is stored in the certificate. This is an option if no CRL check is used in the environment, or if the applications handle the CRL themselves without using the CRLDP from the certificate.

• Select Automatic, represented by the wildcard {}, and confirm with +. The automatically generated unique CRL name is used together with the default URL of the GridPass CRL Web server, for example:
http://167.87.44.98/ca/GridPassCA_ski_c9561842b51a9b91f0868857e46084444e1e67ff.crl

• Enter your own http or ldap URL followed by {} and confirm with +. Your URL is used together with the automatically generated unique CRL name, for example:
http://mycdp.company.com/GridPassCA_ski_c9561842b51a9b91f0868857e46084444e1e67ff.crl

• Enter your own http or ldap URL with a CRL name of your choice and confirm with +, for example:
http://mycdp.company.com/company.crl

These options cover CRL handling in every environment. More than one entry is possible if your environment and systems support it. You can use the CDP Web server offered by GridPass with the automatically generated CRL names, use another CDP server with the automatically generated CRL names, or rename the CRL files and use your own CDP server. A relying party only benefits from the CRLDP if it can actually reach the URL you enter, so choose an address that is routable from the devices that validate the certificates.

6.6 Subject Alternative Name

The Subject Alternative Name (SAN) is used, for example, by browsers to check that the URL or IP address of the Web server matches an entry in the certificate. If the IP address or DNS name differs from the SAN entries in the certificate, the site is shown as not secure:

[sc_not_secure, 1, en_US]

If the IP or DNS conforms with the certificate entry, the Internet site will be shown as secure:

[sc_secure, 1, en_US]


[sc_certificate_entry_IP_DNS, 1, en_US]

GridPass gives you the possibility to add the DNS or/and IP to your certificate during the creation process.

[sc_create_certificates_options, 2, en_US]


[sc_alternative_names_DNS, 1, en_US]

² Set the Subject Alternative Name to the FQDN of your server or to the IPv4 address under which it is reachable, and confirm with +.

² You can enter more than one Subject Alternative Name if your system is reachable via more than one DNS name and additionally via a static IPv4 address. Enter every name and address that clients actually use to connect: a client that connects via a name or address missing from the SAN rejects the certificate.

NOTE i Not only browsers accessing an HTTPS server use this extension. Other TLS-based protocols also evaluate the SAN and can refuse the connection if the name or address they connected to does not match an entry in it.
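The matching rule a TLS client applies to the SAN, as an added example in Python (it is not code from this manual or from SICAM GridPass; the SAN entries and host names are constructed). It shows why the manual asks for the IPv4 address as a separate entry: an IP literal is only accepted against an iPAddress entry, never against a dNSName that spells the same digits, and a wildcard name covers exactly one label.

```python
import ipaddress

# Constructed SAN entries of a server certificate (example data, not taken
# from the manual's screenshots), as (type, value) pairs.
EXAMPLE_SAN = [
    ("DNS", "gridpass.example.com"),
    ("DNS", "*.ops.example.com"),
    ("IP", "192.0.2.10"),
]


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName matching: case-insensitive, trailing dot ignored,
    a single '*' allowed only as the complete left-most label, and that label
    matches exactly one label of the host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False  # rejects "a*.x", "*.com" and nested wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches(san: list, target: str) -> bool:
    """True if the name or address the client connected to is covered by the SAN.
    An IP literal is satisfied only by an iPAddress entry; a dNSName that happens
    to spell the same digits does not count, which is why an address under which
    devices reach the server has to be entered as an IP entry."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    return any(kind == "DNS" and dns_name_matches(value, target)
               for kind, value in san)
```

Run `san_matches(EXAMPLE_SAN, "192.0.2.10")` against a SAN that carries the address only as a DNS entry to see the mismatch that produces the "not secure" warning shown above.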

7 Managing EST

7.1 Introduction
7.2 EST Administration


7.1 Introduction

7.1.1 Overview

The purpose of SICAM GridPass is to sign CSRs from EST clients, which are generally devices. Two kinds of device certificates are possible:

• Imprinted certificates
• Engineered certificates

If a device does not support imprinted certificates, the SICAM GridPass CA can be used to create certificates for it in the same way as the server certificate. In any case, the CA that issued the client certificate a device presents on the EST connection has to be trusted before CSRs from that entity are accepted. To trust a CA, it has to be imported into or created in SICAM GridPass; for trusting alone, the CA certificate can be imported without its private key. Each CA can be trusted for EST usage in SICAM GridPass.

7.2 EST Administration

7.2.1 Managing EST Clients

EST clients authenticate to SICAM GridPass with a client certificate in the TLS handshake. To accept a Certificate Signing Request (CSR) from an entity and return a signed certificate, you therefore have to trust every CA that has issued the client certificates the entities use for the TLS-based EST connection to SICAM GridPass.

[sc_estclient_menu, 1, en_US]

² Select the CAs you want to trust:

[sc_estclient_selectca, 1, en_US]


[sc_estclient_selectca_ok, 1, en_US]

[sc_estclient_selectca_add, 1, en_US]

Now all CAs trusted are available in the overview.

[sc_estclient_overview, 1, en_US]

All client certificates issued by these CAs are now accepted during the EST TLS handshake; all others are rejected in the handshake phase. Every CSR from a trusted entity then receives a valid signature from the selected operational EST CA.

7.2.2 Managing EST Server

[sc_estserver_menu, 1, en_US]

² In a previous step, the server certificate for the HTTPS connection to the SICAM GridPass Web UI was selected. The same server certificate is used for the EST TLS connection and needs no change.

[sc_estserver_chooselist, 1, en_US]


² In addition, it is necessary to select the CA that signs the CSRs arriving from the client entities via the EST connection. You can select any CA with an available private key; all other CAs are not displayed.

[sc_estserver_extestca, 1, en_US]

[sc_estserver_chooseca, 1, en_US]

You can set the validity period to start either on a dedicated day or at the moment the CSR is signed by the selected CA. Additionally, enter the validity of the certificate in days. Certificates normally remain valid until their expiration date, but you can also revoke them; SICAM GridPass supports this.

7.2.3 Managing Remote Requests

[sc_manremote_menu, 2, en_US]

² You can see the number of licenses used on the Remote requests tile.

NOTE i This display is not refreshed automatically.

² Whenever a certificate is issued for a CSR received via the EST protocol, for example from an EST client, the certificate issued for that instance is shown.


[sc_manremote_request, 1, en_US]

[sc_manremote_requestinfo, 1, en_US]

² You can export/download the issued certificate.

- or -

² Delete the certificate:

In this case the certificate is automatically put on the CRL, and the CRL is distributed to the CRL distribution point or can be downloaded via SICAM GridPass.

NOTE i The CSR has to be generated by the client and sent to the EST server via the EST protocol (RFC 7030). The server supports only mutual authentication with X.509 certificates during the TLS handshake. After a successful TLS authentication, the client can send any CSR to the EST server and receives a valid certificate signed by the configured operational EST CA. Since any CSR is signed, every device holding a certificate from a trusted EST client CA can obtain a certificate for any subject it requests; keep the list of trusted client CAs as small as possible and review the certificates listed under Remote requests.

7.2.4 Certificate Revocation List (CRL)

A Web server is running on the same system, in general listening on port 80, to supply the entities with a valid CRL for each created or imported CA that has a private key. Plain HTTP is sufficient here because the CRL itself is signed by the CA; relying parties must verify that signature before using the list.


[sc_gridpass_categories, 2, en_US]

Whenever a certificate is revoked, it is put on the CRL. If a CA is put on a CRL, all entity certificates issued by it are also revoked and put on the CRL. Whenever a certificate is put on the CRL, the CRL is distributed to the Web server. If nothing is revoked for 12 hours, a new CRL is distributed anyway, because each CRL is valid for only 24 hours.

² You can revoke all locally and remotely requested certificates issued for one device, or a single certificate after selecting it.

- or -

² You can revoke a CA together with all certificates issued by this CA.
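A freshness check for the CRL published by the GridPass Web server, as an added Python example (it is not part of this manual or of the product). It relies only on the DER layout of a CertificateList from RFC 5280 and does not verify the CRL signature; that check belongs before any use of the list. The CRL used for the demonstration is constructed in the block itself, unsigned, with issuer CN=GridPassCA; the 6-hour warning threshold is a choice of this example, derived from the 24-hour validity and 12-hour republishing described above.

```python
import datetime as dt

SEQUENCE, INTEGER, OID, NULL, UTF8STRING, BITSTRING, SET = 0x30, 0x02, 0x06, 0x05, 0x0C, 0x03, 0x31
UTC_TIME, GENERALIZED_TIME = 0x17, 0x18
UTC = dt.timezone.utc


def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite length (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[start:start + n], start + n


def decode_time(tag: int, value: bytes) -> dt.datetime:
    """RFC 5280 4.1.2.5: UTCTime YYMMDDHHMMSSZ (50..99 means 19xx), GeneralizedTime YYYYMMDDHHMMSSZ."""
    s = value.decode("ascii")
    if tag == UTC_TIME:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != GENERALIZED_TIME:
        raise ValueError("expected a Time element")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def crl_validity(crl_der: bytes):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList.
    Layout: SEQ { tbsCertList SEQ { [version] sigAlg issuer thisUpdate nextUpdate ... } sigAlg sig }.
    The signature is NOT checked here; verify it against the CA before trusting the list."""
    tag, cert_list, _ = read_tlv(crl_der, 0)
    tag2, tbs, _ = read_tlv(cert_list, 0)
    if tag != SEQUENCE or tag2 != SEQUENCE:
        raise ValueError("not a CertificateList")
    pos, times = 0, []
    while pos < len(tbs) and len(times) < 2:
        tag, value, pos = read_tlv(tbs, pos)
        if tag in (UTC_TIME, GENERALIZED_TIME):
            times.append(decode_time(tag, value))
    if len(times) < 2:
        raise ValueError("CRL without nextUpdate: treat it as unusable")
    return times[0], times[1]


def crl_status(crl_der: bytes, now: dt.datetime, warn_before=dt.timedelta(hours=6)) -> str:
    """'fresh', 'expiring' (nextUpdate within warn_before), 'expired' or 'not-yet-valid'.
    A relying party should fail closed on 'expired' rather than skip the revocation check."""
    this_update, next_update = crl_validity(crl_der)
    if now < this_update:
        return "not-yet-valid"
    if now >= next_update:
        return "expired"
    return "expiring" if next_update - now <= warn_before else "fresh"


def build_unsigned_test_crl(this_update: dt.datetime, next_update: dt.datetime) -> bytes:
    """Constructed, structurally valid but unsigned CRL for issuer CN=GridPassCA (test data only)."""
    sha256_rsa = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d01010b")) + tlv(NULL, b""))
    issuer = tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE, tlv(OID, bytes.fromhex("550403")) + tlv(UTF8STRING, b"GridPassCA"))))
    fmt = "%y%m%d%H%M%SZ"
    tbs = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + sha256_rsa + issuer
              + tlv(UTC_TIME, this_update.strftime(fmt).encode())
              + tlv(UTC_TIME, next_update.strftime(fmt).encode()))
    return tlv(SEQUENCE, tbs + sha256_rsa + tlv(BITSTRING, b"\x00" + bytes(32)))


def demo() -> tuple:
    """Status of the constructed 24-hour CRL one hour before issue, and 1, 20 and 24 hours after it."""
    this_update = dt.datetime(2024, 5, 1, 12, 0, 0, tzinfo=UTC)
    crl = build_unsigned_test_crl(this_update, this_update + dt.timedelta(hours=24))
    return tuple(crl_status(crl, this_update + dt.timedelta(hours=h)) for h in (-1, 1, 20, 24))
```

In operation, feed `crl_status` the bytes fetched from the CRLDP URL (and the current time) from a scheduled job; a result other than `fresh` for longer than the 12-hour republishing interval indicates that the GridPass CRL service or the Web server is not updating the file.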

[sc_crl_localrequest_menu, 2, en_US]

² You can enter the reason of revocation and the date and time of revocation.

[sc_crl_revoke, 1, en_US]

Afterwards the revoked certificate is no longer visible in the certificate list.


[sc_crl_certlist, 1, en_US]

² If the CRL is available on the Web server, you can download it. You find the link inside the CA certificate, for example http://167.87.44.98/ca/GridPassCA_ski_c9561842b51a9b91f0868857e46084444e1e67ff.crl, but this is only for testing purposes.

² For a manual download, better use the Web front-end.

[sc_crl_downloadwebui2, 1, en_US]

² Open it and, for example transfer it to a target system.

[sc_crl_transfer, 1, en_US]

8 Other Features

8.1 Local User Management
8.2 Remote User Management
8.3 Certificate Export to an LDAP Directory Service or Microsoft Active Directory
8.4 Attribute Certificates
8.5 Auto Logout
8.6 Backup and Restore
8.7 Signing Server
8.8 Logging
8.9 Update to a New SICAM GridPass Version
8.10 Roles and Area of Responsibility according to IEC 62351-8


8.1 Local User Management

[sc_feature_userman_menu, 1, en_US]

Besides creating local users, you can set new passwords or roles in the local user management. You can also disable the local user management completely once a remote user management has been configured successfully.

NOTE i While the connection to the remote user-management system is temporarily interrupted, only the cached users can log on. Be careful when changing RADIUS settings, for example the RADIUS pre-shared key or the IP address: a mistake can lock you out of SICAM GridPass permanently. A good choice is to create one local emergency user with the ADMIN role and a long password, and to store that password securely. The local emergency user can only be used in emergency mode, because local user access is only possible while the remote connection is unavailable. As long as the remote system is reachable, a fallback to the local user is not possible.

² You can open each user created and see the assigned roles.

[sc_feature_userman_admin, 1, en_US]

² You can delete users, assign new roles, or set a new password for a user.

² A password set here leads to a mandatory password-change dialog at the next login of this user.

[sc_feature_userman_enterpw, 1, en_US]


The password change is mandatory to proceed with the login.

² Deleting a user generates a confirmation message. You can cancel or confirm the deletion.

The currently selected roles are displayed after starting the role-assignment dialog:

[sc_feature_userman_chooserole, 1, en_US]

A new role assignment takes effect immediately and is shown under the assigned roles after the role assignment has been confirmed.

[sc_feature_userman_changerole, 1, en_US]

[sc_feature_userman_assignedrole, 1, en_US]

After the user login, the new roles are available and visible at the landing page.


[sc_feature_userman_roleoverview, 1, en_US]

8.2 Remote User Management

Besides the local user management, you can also use a remote user management to manage your users and passwords. SICAM GridPass can deactivate the local user management once a remote user management has been configured successfully. Users who have logged on successfully via the remote user-management server are cached for the case of temporary failures of that server. As long as the local user management is activated, local users can log on; for security reasons, however, the local user login is not possible while the remote user-management server is reachable.

NOTE i The cached users are only available as long as the remote user-management server is not accessible.

RADIUS Authentication

[sc_feature_remote_menu, 1, en_US]

To use RADIUS authentication, enable the feature and enter the RADIUS IP address and the PSK (pre-shared key) configured in your RADIUS server for the PC running SICAM GridPass. The attributes to be used within your RADIUS server are listed below. A separate guide is available for the configuration of a Microsoft NPS (Network Policy Server). The following is the dictionary used for access with SICAM GridPass, in FreeRADIUS dictionary syntax. FreeRADIUS reads the vendor name as one whitespace-delimited token, so the vendor "International Electrotechnical Commission" (enterprise number 41912) is referenced here by the single-token name IEC62351:

# Vendor: International Electrotechnical Commission, enterprise number 41912
VENDOR          IEC62351        41912

BEGIN-VENDOR    IEC62351
# Role slot 0
ATTRIBUTE       IEC62351-8-roleID-0             1       integer
ATTRIBUTE       IEC62351-8-roleDefinition-0     2       string
ATTRIBUTE       IEC62351-8-aor-0                3       string
ATTRIBUTE       IEC62351-8-revision-0           4       integer
ATTRIBUTE       IEC62351-8-validFrom-0          5       string
ATTRIBUTE       IEC62351-8-validTo-0            6       string
# Role slot 1
ATTRIBUTE       IEC62351-8-roleID-1             11      integer
ATTRIBUTE       IEC62351-8-roleDefinition-1     12      string
ATTRIBUTE       IEC62351-8-aor-1                13      string
ATTRIBUTE       IEC62351-8-revision-1           14      integer
ATTRIBUTE       IEC62351-8-validFrom-1          15      string
ATTRIBUTE       IEC62351-8-validTo-1            16      string
# Role slot 2
ATTRIBUTE       IEC62351-8-roleID-2             21      integer
ATTRIBUTE       IEC62351-8-roleDefinition-2     22      string
ATTRIBUTE       IEC62351-8-aor-2                23      string
ATTRIBUTE       IEC62351-8-revision-2           24      integer
ATTRIBUTE       IEC62351-8-validFrom-2          25      string
ATTRIBUTE       IEC62351-8-validTo-2            26      string
END-VENDOR      IEC62351

The main focus of SICAM GridPass is the IEC 62351 standard; therefore the RADIUS vendor dictionary for IEC 62351 is used for operation. For more information about the RADIUS protocol, see RFC 2865. SICAM GridPass was tested with Microsoft Network Policy Server (NPS) and the open-source software FreeRADIUS. The assignment of rights to roles is fixed in SICAM GridPass and not configurable. The following roles are supported, each with fixed rights:

• SECADM
• RBACMNT
• ADMIN

Locally only SECADM and RBACMNT are implemented, because the rights of SECADM also cover the ADMIN role.

IEC 62351-8 Defined Roles

Role        RoleID   Revision   RoleDefinition
VIEWER      0        0          IEC62351-8
OPERATOR    1        0          IEC62351-8
ENGINEER    2        0          IEC62351-8
INSTALLER   3        0          IEC62351-8
SECADM      4        0          IEC62351-8
SECAUD      5        0          IEC62351-8
RBACMNT     6        0          IEC62351-8

Siemens-Defined Roles

Role            RoleID hexadecimal   RoleID decimal   Revision   RoleDefinition
ADMIN           FFFF8460             -31648           0          SiemensGridSecurity
GUEST           FFFFAFC7             -20537           0          SiemensGridSecurity
BDEW OPERATOR   FFFFFF9B             -101             0          SiemensGridSecurity

Example with FreeRADIUS

The following example gives a short introduction to how the input is handled in a RADIUS backend based on FreeRADIUS. clients.conf can contain one entry for SICAM GridPass (FreeRADIUS expects a single-token client name, so the name is written without a space):

client gridpass {
        ipaddr = 192.168.178.1
        secret = siemens!SICAMGridPass
}

The users file then contains the following entries for the users RbacMntUser, SecAdmUser, SiemensAdminUser, and SecRbacMntUser, all with the password 12345678. This is example data: choose your own passwords, and on a production server prefer one of the hashed password attributes supported by rlm_pap over Cleartext-Password.

[sc_rbac_user, 1, en_US]

RbacMntUser     Cleartext-Password := "12345678"
                Service-Type = Login-User,
                IEC62351-8-roleID-0 = 6,
                IEC62351-8-roleDefinition-0 = "IEC62351-8",
                IEC62351-8-revision-0 = 0,
                IEC62351-8-aor-0 = "*",
                IEC62351-8-validTo-0 = "99991231235959"

SecAdmUser      Cleartext-Password := "12345678"
                Service-Type = Login-User,
                IEC62351-8-roleID-0 = 4,
                IEC62351-8-roleDefinition-0 = "IEC62351-8",
                IEC62351-8-revision-0 = 0,
                IEC62351-8-aor-0 = "*",
                IEC62351-8-validTo-0 = "99991231235959"

SiemensAdminUser Cleartext-Password := "12345678"
                Service-Type = Login-User,
                IEC62351-8-roleID-0 = -31648,
                IEC62351-8-roleDefinition-0 = "SiemensGridSecurity",
                IEC62351-8-revision-0 = 0,
                IEC62351-8-aor-0 = "*",
                IEC62351-8-validTo-0 = "99991231235959"

SecRbacMntUser  Cleartext-Password := "12345678"
                Service-Type = Login-User,
                IEC62351-8-roleID-0 = 4,
                IEC62351-8-roleDefinition-0 = "IEC62351-8",
                IEC62351-8-revision-0 = 0,
                IEC62351-8-aor-0 = "*",
                IEC62351-8-validTo-0 = "99991231235959",
                IEC62351-8-roleID-1 = 6,
                IEC62351-8-roleDefinition-1 = "IEC62351-8",
                IEC62351-8-revision-1 = 0,
                IEC62351-8-aor-1 = "*",
                IEC62351-8-validTo-1 = "99991231235959"

Notes on these entries: the value name for Service-Type in the FreeRADIUS dictionary is Login-User; validTo carries the slot suffix (-0, -1) like the other attributes; and a user with two roles uses the second slot (-1), because with the operator = a reply item for an attribute that is already present is ignored, so two roleID-0 lines would not deliver both roles. The RoleID of ADMIN is written as the signed value -31648; if your server rejects a negative integer, use the unsigned reading 4294935648 (hex FFFF8460) of the same 4 bytes.

Together with an appropriate dictionary file (https://freeradius.org/radiusd/man/dictionary.htm) and the input above you can use these users and their assigned roles with RADIUS. In the example above, the pre-shared key to enter in the SICAM GridPass RADIUS configuration is siemens!SICAMGridPass.
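How the attributes from the dictionary and the users entries above travel on the wire, as an added Python example (not from this manual, FreeRADIUS or SICAM GridPass). It encodes an IEC 62351-8 role as an RFC 2865 Vendor-Specific attribute for vendor 41912, which makes the FFFF8460 / -31648 pair from the role table visible, and it applies the RFC 2865 User-Password hiding with the pre-shared key, which is why a mismatched key leads to the rejected logins described in this chapter. The request authenticator and the password are constructed test values.

```python
import hashlib
import struct

# Vendor number and sub-attribute numbers as listed in the dictionary above
# (slot 0 shown; slots 1 and 2 use 11..16 and 21..26).
IEC_VENDOR_ID = 41912
ROLE_ID, ROLE_DEF, AOR, REVISION, VALID_FROM, VALID_TO = 1, 2, 3, 4, 5, 6
INTEGER_SUBATTRS = {1, 4, 11, 14, 21, 24}  # the entries typed "integer"


def encode_vsa(vendor_id: int, subattrs: list) -> bytes:
    """Build one RFC 2865 Vendor-Specific attribute (type 26):
    type | length | vendor-id (4 bytes) | {vendor-type | vendor-length | value}...
    Integers are 32-bit big-endian two's complement, so ADMIN's RoleID -31648
    goes on the wire as FFFF8460, matching the role table in this chapter."""
    body = b""
    for vtype, value in subattrs:
        payload = struct.pack(">i", value) if isinstance(value, int) else value.encode("utf-8")
        body += bytes([vtype, 2 + len(payload)]) + payload
    payload = struct.pack(">I", vendor_id) + body
    if 2 + len(payload) > 255:
        raise ValueError("VSA exceeds 255 bytes; split it into several VSAs")
    return bytes([26, 2 + len(payload)]) + payload


def decode_vsa(attr: bytes) -> tuple:
    """Inverse of encode_vsa; returns (vendor_id, [(vendor_type, value), ...])."""
    if attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack(">I", attr[2:6])[0]
    pos, out = 6, []
    while pos < len(attr):
        vtype, vlen = attr[pos], attr[pos + 1]
        raw = attr[pos + 2:pos + vlen]
        value = struct.unpack(">i", raw)[0] if vtype in INTEGER_SUBATTRS else raw.decode("utf-8")
        out.append((vtype, value))
        pos += vlen
    return vendor_id, out


def iec_role_vsa(role_id: int, definition: str, aor: str = "*", slot: int = 0) -> bytes:
    """Encode one IEC 62351-8 role in slot 0, 1 or 2 (sub-attribute base 1, 11, 21),
    with the same values the users entries above send back in the Access-Accept."""
    base = 10 * slot
    return encode_vsa(IEC_VENDOR_ID, [
        (base + ROLE_ID, role_id), (base + ROLE_DEF, definition), (base + AOR, aor),
        (base + REVISION, 0), (base + VALID_TO, "99991231235959"),
    ])


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (PAP): pad to a multiple of 16 bytes,
    then c1 = p1 XOR MD5(secret + RequestAuthenticator), c_i = p_i XOR MD5(secret + c_(i-1)).
    'secret' is the pre-shared key entered in the GridPass RADIUS configuration."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server computes. With a different shared secret the result is
    garbage, the password check fails and the Access-Request is rejected."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```

The hiding is only an obfuscation keyed with the shared secret, not encryption in the modern sense; a long, random pre-shared key and a protected network path between GridPass and the RADIUS server are the actual controls.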


[sc_preshared_key, 1, en_US]

NOTE i If the pre-shared key entered in SICAM GridPass differs from the secret configured on the RADIUS server, the RADIUS login fails. In this case, the local user login is not possible as long as the RADIUS server is reachable. Isolate the GridPass server from the network and log on with a local account, since the fallback is available only while the connection to the RADIUS server is interrupted. Then harmonize the pre-shared key and reconnect the GridPass server to the network.

8.3 Certificate Export to an LDAP Directory Service or Microsoft Active Directory

SICAM GridPass can push X.509 entity certificates to an LDAP directory service or Microsoft Active Directory using the LDAP protocol. The first step is to configure SICAM GridPass for the directory service. The push can be done securely via LDAPS, which is the preferred way, or in plaintext, which is only recommended in a protected environment because the LDAP logon credentials then cross the network unencrypted. To secure the protocol, SICAM GridPass supports server authentication with a server certificate. For this, the CA certificate that issued the LDAPS server certificate has to be imported into SICAM GridPass and selected in the LDAP configuration menu.

NOTE i A CA chain does not work with this feature: import the CA certificate that directly issued the LDAPS server certificate.

8.3.1 Configuration

[Features Config_LDAP, 1, en_US]


[Features Config_LDAP_IPaddress, 1, en_US]

To configure the directory service server you need its IP address and its listening TCP port. In general, LDAPS (the secure variant of LDAP) uses TCP port 636 and plaintext LDAP uses TCP port 389. Additionally, enter the search base of the directory service, for example CN=Users,DC=xcompany,DC=de, and, when using LDAPS, the CA certificate that issued the directory server certificate.

[Features Config_LDAP-connection, 1, en_US]

The configuration of the LDAP(S) connection is now finished and can be used for the certificate export in the Local requests menu.

8.3.2 Certificate Export to LDAP

After the LDAP configuration is finished, a created certificate can be pushed to an existing user in the directory structure. For example, to push a certificate to Tom Jones, a user with the Common Name from the certificate must exist in the directory service.


[sc_certificate export to LDAP, 1, en_US]

[sc_certificate export to LDAP_Serial-number, 1, en_US]


In the export certificates dialog, select the option to export the certificate to the Directory service.

[sc_certificate export to LDAP_export-certificates, 1, en_US]

After the selection and confirmation the LDAP Logon dialog appears.

[sc_certificate export to LDAP-logon_a, 1, en_US]


Enter the credentials of a user that has the necessary directory rights to add certificates to an existing user. Use an account limited to this task rather than a directory administrator.

[sc_certificate export to LDAP-logon_b, 1, en_US]

If the credentials are wrong or the user does not have the necessary rights, a warning message appears.

[sc_certificate export to LDAP-log-SICAM-GridPass, 1, en_US]


After confirmation the certificate is pushed to the Directory service.

[sc_certificate export to LDAP_active-directory-user, 1, en_US]

It is also possible to add more than one certificate to an existing user.

[sc_certificate export to LDAP_Serial-number_01, 1, en_US]


[sc_certificate export to LDAP_list-x509-certificates, 1, en_US]

8.4 Attribute Certificates

Attribute certificates are defined in the international standard ISO/IEC 9594-8 | ITU-T Recommendation X.509. For energy automation in particular, the AttributeValue is defined to carry the role information according to IEC 62351-8 inside the attribute certificate. Attribute certificates in this context always have a binding to a public-key certificate, for example to a user certificate.

A typical advantage of using public-key certificates together with attribute certificates is the different validity of the two certificate types. In general a user remains a user, so a validity of 2 or 3 years for the public-key certificate of a user is normal, whereas the attribute certificate holding the role information of that user can be short-lived: roles can change quickly, for example when a colleague is replaced during vacation or illness. It can therefore be an advantage to use a combination of both certificate types, provided the system can handle attribute certificates. Otherwise, public-key certificates can also carry the role information according to IEC 62351-8, at the cost of having to create and roll out public-key certificates frequently and manually for human users. Where the EST protocol rolls out public-key certificates automatically to devices that support it, the pressure to split the certificates is low.

To create attribute certificates, the following rules apply. A Certification Authority (CA) is not allowed to create Attribute Certificates (AC); attribute certificates are issued by an Attribute Authority (AA). Therefore, the following workflow is required:

• The Attribute Authority (AA) must be issued by a Certification Authority (CA).
• The Attribute Certificates (AC) are issued by an Attribute Authority (AA).
• An Attribute Certificate (AC) in general has a binding to a Public-Key Certificate (PKC).

SICAM GridPass supports this workflow in the following way:

• You create an AA, issued by a CA, via the local request wizard.
• You export the AA as a P12 file in the Local requests menu.
• You import the AA in the Certification Authorities menu.
• You can now create the AC via the local request wizard, with a binding to a PKC.

The exported P12 file contains the private key of the AA. Protect it with a strong PIN and delete the file after the import.

NOTE i Of course, you can also import an external AA, or an AA CSR, to obtain a valid AA. The procedures for importing a CA or importing a CSR, explained in other chapters of this manual, are identical.

The AC now has a cryptographic binding to a PKC, to the AA and, through the AA, to the CA.


• Reduced syntax of an AC in the context of this requirement, for ACs with a binding to a PKC:

[sc-Features_attribute-certificates_01, 1, en_US]

• To complete the picture of an AC, the way the roles are included in the AC is shown here as well:

[sc-Features_attribute-certificates_02, 1, en_US]


• The object identifier for the AttributeType is defined as follows:

[sc-Features_attribute-certificates_03, 1, en_US]

• The value for the AttributeValue is defined as follows:

[sc-Features_attribute-certificates_04, 1, en_US]

² Create an AA.

² Select the profile for an Attribute authority to get the right extension for the certificate.

[sc-Features_attribute-certificates_06, 1, en_US]

² Select the CA which shall issue the AA and all other attributes.


[sc-Features_attribute-certificates_07, 1, en_US]

NOTE i A Subject Alternative Name is in general not necessary for an AA, but if CRLs are used in your environment it makes sense to insert the CRL-DP into the AA certificate as well. See chapter 6.5 CRL Distribution Point for more information on choosing the right CRL-DP.

² Finish the issuing process to generate the AA. Afterwards go back to Local requests and export the AA certificate as a P12 file.

[sc-Features_attribute-certificates_08, 1, en_US]


[sc-Features_attribute-certificates_09, 1, en_US]

² After that, install the exported AA P12 in the Certificate authorities menu.


[sc-Features_attribute-certificates_11, 1, en_US]

² After the import you will see the imported AA in the menu of Certification authorities.

[sc-Features_attribute-certificates_12, 1, en_US]

² Go back to the Local request menu to start the wizard for creating an Attribute Certificate (AC).

[sc-Features_attribute-certificates_13, 1, en_US]

² Select the Issuer of the AC (the AA) and the Holder of the AC (the PKC user).


[sc-Features_attribute-certificates_14, 1, en_US]

² Add the IEC 62351-8 role information to the AC together with the Area of Responsibility (AoR). See chapter 8.10 Roles and Area of Responsibility according to IEC 62351-8 for more about these values.

[sc-Features_attribute-certificates_15, 1, en_US]

² Set the validity of the AC.


[sc-Features_attribute-certificates_16, 1, en_US]

NOTE i If a very short validity of an AC is needed, select the start and end date in one of the two calendar grids:

[sc-Features_attribute-certificates_17, 1, en_US]

² Finish the dialog to issue the attribute certificate. Note that there is no CRL handling for attribute certificates and that an attribute certificate has no key pair of its own; keep the validity of an AC short, since an outdated role assignment cannot be withdrawn via a CRL.

² The link between PKC and AC can be found in the Local requests overview and is identified by the serial number of the entity certificate.


[sc-Features_attribute-certificates_18, 1, en_US]

[sc-Features_attribute-certificates_19, 1, en_US]

8.5 Auto Logout

SICAM GridPass supports an auto-logout function. After 10 minutes without backend activity, SICAM GridPass logs off the current user automatically.

NOTE i The logout may not be immediately visible in your Web front end, but at the next interaction between your Web front end and the SICAM GridPass backend you will see the login screen. Log on and start your workflow again.

8.6 Backup and Restore

In case of a broken database or a system crash, you can restore the database if you have a backup. SICAM GridPass is based on a single-file database, SQLite, so making a backup is easy: on the system running SICAM GridPass, open a command shell as administrator, change to the database folder, and copy the database file.

NOTE i To avoid inconsistency, stop the GridPass access and the GridPass services before copying the file.

[sc_backup_restore_services, 1, en_US]


Stopping SICAM GridPass Services

² To copy the database in a consistent state, stop the SICAM GridPass access before stopping all SICAM GridPass services.

² Right-click the Windows icon in the menu bar and select Run.

[sc_backup_restore_run, 1, en_US]

² Enter services.msc and confirm with OK to open the Services dialog.

[sc_backup_restore_run_services, 1, en_US]

² Stop the 3 SICAM GridPass services via the context menu.


[sc_backup_restore_stop_services, 1, en_US]

² Recheck the status.

Copying the Database Manually

² Open a command shell via the Run menu entry and enter CMD.

² Click OK to open the command-line window.

² Navigate to the SICAM GridPass database folder:

cd C:\Users\GridPassUser\AppData\Local\Siemens Energy\GridPass\1.0

[sc_shell_path, 1, en_US]

² Copy the database via the command line:

copy "C:\Users\GridPassUser\AppData\Local\Siemens Energy\GridPass\1.0\SICAM.GridPass.V1.sqlite" "C:\Users\GridPassUser\AppData\Local\Siemens Energy\GridPass\1.0\SICAM.GridPass.V1.sqlite.backup"

[sc_copy_database, 1, en_US]

The database has been copied:


[sc_copy_database_result, 1, en_US]

²

Restarting All Services ² Start the 3 services again via the context menu.


Stopping and Starting All Services Automatically via Script

Stopping and starting the services can also be done via a scheduler job using a small batch script. Run the script with administrator rights, for example as a Task Scheduler job that runs under a user with administrator rights. Note that copy overwrites an existing .backup file without prompting when run from a batch script, so this script keeps only the most recent backup; add a date to the target file name if you need several generations.

Script:
  net stop GridPassEST
  net stop GridPassCRL
  net stop GridPassWeb
  copy "C:\Users\GridPassUser\AppData\Local\Siemens Energy\GridPass\1.0\SICAM.GridPass.V1.sqlite" "C:\Users\GridPassUser\AppData\Local\Siemens Energy\GridPass\1.0\SICAM.GridPass.V1.sqlite.backup"
  net start GridPassEST
  net start GridPassCRL
  net start GridPassWeb


Commands to be used: The net stop commands stop all SICAM GridPass services. The copy command copies the database for backup. The net start commands restart the SICAM GridPass services.

Figure 8-1 Script Executed by the Windows Task Scheduler

Restoring

• Install SICAM GridPass as shown in this manual.
• Stop all SICAM GridPass services as shown above.
• Copy the backup of the SQLite database file SICAM.GridPass.V1.sqlite.backup to the following folder: C:\Users\GridPassUser\AppData\Local\Siemens Energy\GridPass\1.0\

NOTE i Delete the database file SICAM.GridPass.V1.sqlite in the folder C:\Users\GridPassUser\AppData\Local\Siemens Energy\GridPass\1.0\ if it was already created during the installation process.

• Rename the file SICAM.GridPass.V1.sqlite.backup to SICAM.GridPass.V1.sqlite in the folder C:\Users\GridPassUser\AppData\Local\Siemens Energy\GridPass\1.0\.
• Restart all SICAM GridPass services now.

NOTE i In case of a new installation on a new system, the backup and restore password has to be entered after the 1st login via the Web interface.
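The following script is an added example and is not code from the SICAM GridPass manual or product. The manual's procedure is to stop the services and copy the file; the script instead takes a page-consistent snapshot through SQLite's online backup API (usable even while connections are open), records a SHA-256 of the backup, and refuses to activate a backup that fails that hash or PRAGMA integrity_check. Only the file name SICAM.GridPass.V1.sqlite and the .backup suffix are taken from the manual; the table, rows and temporary directory are constructed for the example.

```python
"""Verified backup and restore of a single-file SQLite database.

Added example, not code from the SICAM GridPass manual or product. Uses only
the Python standard library. The database and backup file names follow the
manual; the table and rows below are constructed for the example.
"""
import hashlib
import os
import sqlite3
import tempfile

DB_NAME = "SICAM.GridPass.V1.sqlite"   # database file name from the manual
BACKUP_NAME = DB_NAME + ".backup"      # backup file name from the manual


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_database(src_path, dst_path):
    """Write a consistent snapshot of src_path to dst_path; return its SHA-256."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    try:
        src.backup(dst)   # SQLite online backup API: copies every page
    finally:
        dst.close()
        src.close()
    return sha256_of_file(dst_path)


def check_database(path):
    """True only if SQLite's PRAGMA integrity_check reports 'ok'."""
    con = sqlite3.connect(path)
    try:
        return con.execute("PRAGMA integrity_check").fetchall() == [("ok",)]
    finally:
        con.close()


def restore_database(backup_path, db_dir, expected_sha256):
    """Put a verified backup in place as <db_dir>/SICAM.GridPass.V1.sqlite.

    Mirrors the manual's restore steps (delete the installed database file,
    rename the .backup file), but only after the backup's hash and integrity
    have been checked, so a truncated or edited backup is never activated.
    """
    if sha256_of_file(backup_path) != expected_sha256:
        raise ValueError("backup hash mismatch: file was modified or truncated")
    if not check_database(backup_path):
        raise ValueError("backup fails PRAGMA integrity_check")
    target = os.path.join(db_dir, DB_NAME)
    if os.path.exists(target):
        os.remove(target)
    os.replace(backup_path, target)
    return target


def demo():
    """Constructed run: build a tiny DB, back up, lose it, restore, verify.

    Returns (rows read back after the restore, whether a backup corrupted
    after its hash was recorded got rejected).
    """
    work = tempfile.mkdtemp()
    db_path = os.path.join(work, DB_NAME)
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE certs(serial TEXT PRIMARY KEY, subject TEXT)")
    con.execute("INSERT INTO certs VALUES ('81', 'CN=EST client CA')")
    con.commit()
    con.close()

    bak_path = os.path.join(work, BACKUP_NAME)
    digest = backup_database(db_path, bak_path)
    os.remove(db_path)                       # simulate the lost database
    restored = restore_database(bak_path, work, digest)
    con = sqlite3.connect(restored)
    rows = con.execute("SELECT serial, subject FROM certs").fetchall()
    con.close()

    # A backup altered after its hash was recorded must be refused.
    digest2 = backup_database(restored, bak_path)
    with open(bak_path, "r+b") as f:
        f.seek(100)                          # just past the SQLite file header
        f.write(b"\xff")
    try:
        restore_database(bak_path, work, digest2)
        rejected = False
    except ValueError:
        rejected = True
    return rows, rejected


if __name__ == "__main__":
    print(demo())
```

Store the recorded hash separately from the backup file (for example in the scheduler job's log or a file on another system); a hash kept next to the backup can be altered together with it.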


8.7 Signing Server


GridPass offers a signing server to sign SIPROTEC 5 configuration files for DIGSI 5 offline engineering. Here, you can select the CA which creates the user certificate for signing the file.


8.8 Logging

SICAM GridPass supports Microsoft Windows event logs and syslog according to RFC 5424. Each syslog message carries a facility and a severity; the priority value (PRI) at the start of the message is calculated as follows: PRI = Facility x 8 + Severity.


(Tables of the syslog facility and severity codes as defined in RFC 5424, Section 6.2.1.)

2 priorities are used for the security audit trail of SICAM GridPass: the facility Log audit (13) combined with the severities Warning (4) and Alert (1) maps the events and alarms defined in IEEE 1686-2013:
• Events: 13 x 8 + 4 = <108>
• Alarms: 13 x 8 + 1 = <105>

Additionally, 2 priorities are used for the SICAM GridPass-specific logs, with the facility User-level messages (1):
• Error: 1 x 8 + 3 = <11>
• Warning: 1 x 8 + 4 = <12>


SICAM GridPass uses the RFC 5424 option of an unstructured message, that is, a message without a STRUCTURED-DATA element. The following header fields are fixed values:
• APP-NAME: "SICAM GridPass"
• PROCID: "-"
• MSGID: "Siemens-Grid-Security"

Note that the fixed APP-NAME contains a space, which RFC 5424 does not permit in this field; a strict RFC 5424 parser that splits the header on spaces shifts all subsequent fields by one, so configure the receiving syslog collector or SIEM accordingly. The timestamps in the following examples are printed with a 1-digit offset hour (+1:00), whereas RFC 5424 requires a 2-digit hour (+01:00); check the format actually emitted by your installation before relying on strict timestamp parsing.

The syslog message of SICAM GridPass has the following syntax:

HEADER:
<105>1 2019-08-29T12:17:08.077+1:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security
<108>1 2019-08-30T10:05:17.952+1:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security
<11>1 2019-08-29T12:16:10.085+1:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security
<12>1 2019-08-29T12:17:15.067+1:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security

MSG (with PRIO):
<105> 3 incorrect password entries in succession were attempted while logging in to user account 'SecAdm' ('GridPass local'-managed account) from 'GridPass UI at 172.17.16.126'
<105> Repeated attempt to log in to user account 'SecAdm' ('GridPass local'-managed account) from 'GridPass UI at 172.17.16.126'
<105> User account 'SecAdm' ('GridPass local'-managed account) blocked for the next '30' minutes after too many attempts to log in unsuccessfully from 'GridPass UI at 172.17.16.126'
<108> User 'SecAdm' changed settings related to secure communication: 'Add EST client CA' [set to value '81'].
<108> User 'SecAdm' changed settings related to secure communication: 'Remove EST client CA' [set to value '81'].
<108> User 'SecAdm' changed settings related to secure communication: 'est_validfromnow' [set to value '0'].
<108> User 'SecAdm' changed settings related to secure communication: 'est_validfrom' [set to value '20190830000000Z'].
<108> User 'SecAdm' changed settings related to secure communication: 'est_validfrom' [set to value '20180912000000Z'].
<108> User 'SecAdm' changed settings related to secure communication: 'est_validdays' [set to value '90'].
<108> User 'SecAdm' changed settings related to secure communication: 'est_validfrom' [set to value '20180912000000Z'].
<108> User 'SecAdm' changed settings related to secure communication: 'est_validfromnow' [set to value '1'].
<108> The user 'SecAdm' has initiated a remote session from '172.17.16.126' with role(s) 'RBACMGMT,SECADM'.
<108> The user 'SecAdm' has initiated a remote session from '172.17.16.126' with role(s) 'SECADM'.
<108> User 'SecAdm' changed settings related to user management: 'localuser_active' [set to value '0'].
<108> User 'SecAdm' changed settings related to user management: 'localuser_active' [set to value '1'].
<108> User 'SecAdm' changed settings related to user management: 'localuser_active' [set to value '0'].
<108> User 'SecAdm' changed settings related to user management: 'localuser_active' [set to value '1'].


<108> User 'SecAdm' changed settings related to user management: 'radius_active' [set to value '0'].
<108> User 'RBAC' changed settings related to user management: 'radius_active' [set to value '1'].
<108> User 'RBAC' changed settings related to user management: 'radius_ip' [set to value '172.17.16.189'].
<108> User 'RBAC' changed settings related to user management: 'radius_psk' [set to value '****'].
<108> 'SecAdm': User account 'SysLogUser' created with role(s) 'RBACMGMT;SECADM' has been deleted ('GridPass'-managed account).
<108> 'SecAdm': Roles of user account 'TestUser' have been modified to 'RBACMGMT;SECADM' ('GridPass'-managed account).
<108> The user 'SecAdm' has logged out.
<108> 'GridPass': The interactive session with the user 'SecAdm' has been terminated due to timeout ('10' minutes).
<11> /GridPass_LeafCertUpload: Crypto: Error parsing PKCS#12 file.
<11> /GridPass_LeafCertUpload: WEB Upload Data: PIN Required to proceed further.
<11> /GridPass_LeafCertUpload: Business: Same Certificate with an higher validity exists in DB.
<11> /GridPass_LeafCertUpload: WEB Upload Data: Certificate already exists.
<11> /GridPass_LeafCertUpload: Crypto: Error reading DER/PEM/CER file.
<11> /GridPass_LeafCertUpload: WEB Upload Data: Create certificate failed.
<12> /GridPass_Login: Access: The user is blocked!
<12> Core User: Import of Cert failed.
<12> /GridPass_LeafCertUpload: Core CA: Certificate does not contain CA chain information.
<12> /GridPass_LeafCertUpload: WEB Upload Data: At least one CA is missing from the chain.

All logs are also stored in the Microsoft Windows event log in the application section.
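The following Python script is an added example and is not part of the manual or the product. It parses lines in the format shown above (PRI, fixed header fields and the message wording are taken from the manual's samples) and runs three detection rules over them: an account lockout, a session obtained from a source address that previously caused a lockout, and any change to the radius_* settings. The regular expression matches the two-word APP-NAME literally instead of splitting the header on spaces. The log lines in SAMPLE_LOG are constructed for the example (with a "-" NILVALUE for STRUCTURED-DATA and RFC 5424-conformant "+01:00" offsets), and the rules themselves are the author's assumptions about what is worth alerting on, not rules defined by SICAM GridPass.

```python
"""Parser and detection rules for the SICAM GridPass syslog format.

Added example; not part of the manual or the product. PRI values, the fixed
header fields and the message wording follow the manual's samples. The lines
in SAMPLE_LOG are constructed, and the detection rules are assumptions.
"""
import re

# PRI = Facility * 8 + Severity (RFC 5424). GridPass uses 105 and 108 for the
# IEEE 1686 alarm/event trail and 11/12 for product-specific errors/warnings.
PRI_ALARM, PRI_EVENT, PRI_ERROR, PRI_WARNING = 105, 108, 11, 12

# APP-NAME "SICAM GridPass" contains a space. RFC 5424 forbids SP in APP-NAME,
# so a generic tokenizer would shift every later field by one; the regex
# therefore matches the fixed app name literally instead of splitting on SP.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>SICAM GridPass) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")

LOCKOUT_RE = re.compile(
    r"User account '(?P<acct>[^']+)'.*blocked for the next '(?P<min>\d+)' "
    r"minutes.*from 'GridPass UI at (?P<ip>[^']+)'")
SESSION_RE = re.compile(
    r"The user '(?P<user>[^']+)' has initiated a remote session from "
    r"'(?P<ip>[^']+)' with role\(s\) '(?P<roles>[^']+)'")
SETTING_RE = re.compile(
    r"User '(?P<user>[^']+)' changed settings related to (?P<area>[^:]+): "
    r"'(?P<key>[^']+)' \[set to value '(?P<val>[^']*)'\]")


def parse(line):
    """Split one GridPass syslog line into header fields, facility, severity."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a GridPass syslog line: %r" % line[:60])
    ev = m.groupdict()
    ev["pri"] = int(ev["pri"])
    ev["facility"], ev["severity"] = divmod(ev["pri"], 8)
    return ev


def analyse(lines):
    """Return findings as tuples. Rules (assumed, for illustration):

    lockout               - an account was blocked after repeated bad passwords
    session-after-lockout - a source IP that caused a lockout later obtains a
                            session, possibly as a different account
    auth-backend-change   - any radius_* setting changed (RADIUS server or PSK)
    """
    findings, locked_from = [], {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        msg = ev["msg"]
        if ev["pri"] == PRI_ALARM:
            m = LOCKOUT_RE.search(msg)
            if m:
                locked_from.setdefault(m["ip"], set()).add(m["acct"])
                findings.append(("lockout", m["acct"], m["ip"], int(m["min"])))
        elif ev["pri"] == PRI_EVENT:
            m = SESSION_RE.search(msg)
            if m and m["ip"] in locked_from:
                findings.append(("session-after-lockout", m["ip"], m["user"], m["roles"]))
            m = SETTING_RE.search(msg)
            if m and m["key"].startswith("radius_"):
                findings.append(("auth-backend-change", m["user"], m["key"], m["val"]))
    return findings


# Constructed sample, modelled on the manual's message texts.
SAMPLE_LOG = """\
<105>1 2019-08-29T12:17:08.077+01:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security - 3 incorrect password entries in succession were attempted while logging in to user account 'SecAdm' ('GridPass local'-managed account) from 'GridPass UI at 172.17.16.126'
<105>1 2019-08-29T12:17:09.101+01:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security - User account 'SecAdm' ('GridPass local'-managed account) blocked for the next '30' minutes after too many attempts to log in unsuccessfully from 'GridPass UI at 172.17.16.126'
<12>1 2019-08-29T12:17:15.067+01:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security - /GridPass_Login: Access: The user is blocked!
<108>1 2019-08-29T12:40:00.000+01:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security - The user 'RBAC' has initiated a remote session from '172.17.16.126' with role(s) 'RBACMGMT'.
<108>1 2019-08-29T12:41:12.000+01:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security - User 'RBAC' changed settings related to user management: 'radius_ip' [set to value '172.17.16.189'].
<108>1 2019-08-29T12:41:13.000+01:00 SECCertMWin2016 SICAM GridPass - Siemens-Grid-Security - User 'RBAC' changed settings related to user management: 'radius_psk' [set to value '****'].
"""


def demo():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Changing the RADIUS server address or shared secret redirects all subsequent authentication decisions, so the auth-backend-change rule is the one to wire to an immediate alert; the lockout and session-after-lockout rules are the usual brute-force indicators and can be rate-limited.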

8.9 Update to a New SICAM GridPass Version

NOTE i Before the update, keep ready your GridPass user password assigned during installation (see also 4.1.3 Setup).

To update the SICAM GridPass version, first deinstall the old version of SICAM GridPass. After that, you can immediately start the installation of the new version without rebooting. Proceed with the new installation as described in 4.1.3 Setup. The database and settings are not changed during deinstallation and installation. After the new installation is completed, clear the cache of your browser; otherwise you may get an old login screen without the possibility to log in.

NOTE i To clear the cache in Google Chrome, open the following URL: chrome://settings/clearBrowserData. Siemens recommends using Google Chrome as browser.


8.10 Roles and Area of Responsibility according to IEC 62351-8

SICAM GridPass supports role information inside X.509 certificates (entity certificates and attribute certificates) as defined in IEC 62351-8. Currently, all standard roles defined in the IEC 62351-8 standard are selectable for use in the certificate. Together with the role information, the IEC 62351-8 standard also specifies the Area of Responsibility (AoR), which must be entered in step 3 of the wizard during the certificate-creation process if you want to add a role inside the certificate.


Standard Roles as Defined in the IEC 62351-8 Standard

RoleName    RoleID (1)
VIEWER      0
OPERATOR    1
ENGINEER    2
INSTALLER   3
SECADM      4
SECAUD      5
RBACMNT     6

(1) The RoleID represents the RoleName inside a certificate.

RoleID as Defined in the IEC 62351-8 Standard

The role is defined using a mapping to an integer space:
• <0 .. 32767> Reserved for application in IEC 62351
• <-32768 .. -1> Reserved for private usage

All roles to be used in the context of IEC protocols shall be defined as part of IEC 62351-8. The current definition of roles comprises IEC 61850-specific roles. A token may specify more than 1 role; if more than 1 role is specified, the subject is authorized to enact any combination of the identified roles.


Area of Responsibility (AoR) as Defined in the IEC 62351-8 Standard

The area of responsibility (AoR) restricts the applicability of a role of the subject to a set of objects. To enable limiting the role applicability, the objects must be configured with the AoR information. The AoR is an identifier defining a hierarchical name space. These identifiers are typically alphanumeric. The AoR can be related to the following structures and descriptions:
• Network structure
• Organizational structure
• Geographic area description

Siemens recommends using just one dimension within the AoR description. As notation, a point-delimited notation with the option to include keywords shall be used, for example:

descriptor(N).descriptor(N-1).descriptor(N-2).….descriptor(1):keyword

Within this notation, wildcards are allowed for the lowest descriptor (N). If a wildcard is present, the role applies to all objects belonging to descriptor(N-1). The wildcard character shall be "*"; for example, if the AoR itself has no restrictions, "*" shall be used. Keywords defined here are:
• Local: Describes the device access, for example via a dedicated device-local physical port (for example via a dedicated local HMI)
• Remote: Describes remote access to the device, for example via a network connection

If no keyword is provided, remote and local access are allowed.

Access Token Certificate Extension as Defined in the IEC 62351-8 Standard

The X.509v3 certificate format can carry the following role-related attributes, defined to be included as an extension. The OID value is defined as follows:

id-IEC62351 OBJECT IDENTIFIER ::= { 1 0 62351 }
id-IECuserRoles OBJECT IDENTIFIER ::= { id-IEC62351 8 1 }

The access token certificate extension is not critical. The value of the extension is defined as follows:

(ASN.1 definition of UserRoleInfo, see IEC 62351-8.)

IECUserRoles ::= SEQUENCE OF UserRoleInfo

As this extension is defined as a SEQUENCE OF, it allows more than 1 role to be associated with a subject.


NOTE i This is only an excerpt of the IEC 62351-8 standard and explains only the values which are important for understanding them in the context of SICAM GridPass. To implement the standard correctly, obtain the standard from the IEC (International Electrotechnical Commission): https://webstore.iec.ch/
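The following Python script is an added example and is not code from the manual, the product or the standard. It shows how a relying party could evaluate the role and AoR information described above: the RoleID table and the reserved integer ranges are taken from the excerpt, as are the AoR notation (point-delimited descriptors, optional ":Local" or ":Remote" keyword, "*" wildcard only in the lowest descriptor position) and the rule that a subject may enact any of several listed roles. The object names, AoR strings and the token contents are constructed; the script works on already-decoded (RoleID, AoR) pairs and does not parse the DER-encoded extension itself.

```python
"""Role and Area-of-Responsibility (AoR) evaluation in the style of IEC 62351-8.

Added example; not from the SICAM GridPass manual, the product or the
standard text. RoleIDs, reserved ranges and the AoR notation follow the
manual's excerpt; objects, AoR strings and token contents are constructed.
"""

# Standard roles and RoleIDs from the IEC 62351-8 table in the manual.
STANDARD_ROLES = {
    "VIEWER": 0, "OPERATOR": 1, "ENGINEER": 2, "INSTALLER": 3,
    "SECADM": 4, "SECAUD": 5, "RBACMNT": 6,
}


def classify_role_id(role_id):
    """Map a RoleID integer to the ranges reserved by IEC 62351-8."""
    if 0 <= role_id <= 32767:
        return "iec62351"
    if -32768 <= role_id <= -1:
        return "private"
    raise ValueError("RoleID %d outside the 16-bit signed range" % role_id)


def parse_aor(aor):
    """Split 'descN.descN-1.....desc1:keyword' into (descriptors, keyword).

    descriptors[0] is descriptor(N), the lowest (most specific) level, which
    is the only position where the wildcard '*' is permitted.
    """
    name, _, keyword = aor.partition(":")
    keyword = keyword or None
    if keyword not in (None, "Local", "Remote"):
        raise ValueError("unknown AoR keyword: %s" % keyword)
    descriptors = name.split(".") if name else []
    if not descriptors or any(d == "" for d in descriptors):
        raise ValueError("malformed AoR: %r" % aor)
    if "*" in descriptors[1:]:
        raise ValueError("wildcard only allowed in the lowest descriptor (N)")
    return descriptors, keyword


def aor_covers(role_aor, object_aor, access):
    """True if a role restricted to role_aor applies to object_aor via access.

    access is 'Local' or 'Remote'. A keyword on the role's AoR restricts the
    access path; no keyword permits both. '*' alone means no restriction;
    '*.X...' covers every object whose remaining path equals X....
    """
    r_desc, r_key = parse_aor(role_aor)
    o_desc, _ = parse_aor(object_aor)
    if r_key is not None and r_key != access:
        return False
    if r_desc == ["*"]:
        return True
    if r_desc[0] == "*":
        return o_desc[1:] == r_desc[1:]   # all objects below descriptor(N-1)
    return o_desc == r_desc


def authorised(token_roles, required_role, object_aor, access):
    """token_roles: list of (RoleID, AoR) pairs as carried in IECUserRoles.

    A token may list several roles and the subject may enact any of them, so
    the check succeeds if any entry has the required RoleID and a covering AoR.
    """
    need = STANDARD_ROLES[required_role]
    return any(rid == need and aor_covers(aor, object_aor, access)
               for rid, aor in token_roles)


def demo():
    """Constructed token: OPERATOR on all bays of substationA, remote access
    only, plus VIEWER everywhere. Returns the five authorisation outcomes."""
    token = [(STANDARD_ROLES["OPERATOR"], "*.substationA.utility:Remote"),
             (STANDARD_ROLES["VIEWER"], "*")]
    return [
        authorised(token, "OPERATOR", "bay3.substationA.utility", "Remote"),
        authorised(token, "OPERATOR", "bay3.substationA.utility", "Local"),
        authorised(token, "OPERATOR", "bay1.substationB.utility", "Remote"),
        authorised(token, "VIEWER", "bay1.substationB.utility", "Local"),
        authorised(token, "SECADM", "bay3.substationA.utility", "Remote"),
    ]


if __name__ == "__main__":
    print(demo())
```

The AoR string is rejected as malformed when a wildcard appears anywhere but in the lowest descriptor; a relying party should treat such a token as invalid rather than guessing at its meaning, since the standard defines no semantics for it.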

A Glossary

AA: Attribute Authority (issuing attribute certificates)
AC: Attribute Certificate (bound to a PKC)
AoR: Area of Responsibility (in the context of IEC 62351-8)
CA: Certification Authority (issuing certificates)
CC: Control Center
CRL: Certificate Revocation List
CRLDP: Certificate Revocation List Distribution Point
CSR: Certificate Signing Request
Directory service: Microsoft Active Directory or OpenLDAP or others using LDAP
DNS: Domain Name System
EST: Enrollment over Secure Transport (enrollment protocol for certificates)
FQDN: Fully Qualified Domain Name
LDAP: Lightweight Directory Access Protocol (for example for access to an Active Directory)
PKC: Public Key Certificate (for example entity certificate)
PKI: Public-Key Infrastructure (manages certificates)
RA: Registration Authority (service to the entities with access in the backend to a CA)
RADIUS: Remote Authentication Dial-In User Service (user authentication and authorization)
RFC: Request for Comments (defines and describes technical standards)
Root-CA: Highest hierarchical CA with self-signed certificate
Sub-CA: Issued by a root CA or a hierarchically higher placed Sub-CA
Search Base: Defines the starting point for the search in the directory tree of a Directory service
TCP: Transmission Control Protocol
TLS: Transport Layer Security
