Caution! Don’t do this in a productive environment!
Add a security police “None” to the OPC UA configuration file.
On Windows you can find the file here: “C:\Program Files\Siemens\Automation\WinCCUnified\bin\OpcUaServerRTIL.xml”
<SecurityProfileUris>
<SecurityProfile>
<ProfileUri>http://opcfoundation.org/UA/SecurityPolicy#None</ProfileUri>
<Enabled>true</Enabled>
</SecurityProfile>
...
</SecurityProfileUris>If you have created a backup of a disk with dd:
dd if=/dev/sdb of=image.img bs=4096
then you can create loop back devices with partitions:
losetup -f -P ./image.img losetup -a
then you can mount partition:
mount /dev/loop0p1 /mnt/diskAnother hint: Copy files with tar so that permissions and users are persevered:
tar cf - . | (cd /destination; tar xvf -) tar cf - . | ssh root@server2 "tar xf - -C /destination/"
Port 20008 is used to download a project from TIA Portal to the runtime.
So, if you want to do a remote download then this port has to be open.
First you have to enable the Trace forwareder on the panel
Then you have to start a tool on the host where you have installed TIA with Unified (change IP to your Panel IP):
"c:\Program Files\Siemens\Automation\WinCCUnified\bin\RTILtraceTool.exe" -mode receiver -host 192.168.210.128 -tcpThen you can start the trace viewer on the PC:
"C:\Program Files\Siemens\Automation\WinCCUnified\bin\RTILtraceViewer.exe"Create a file “override.conf” in /etc/systemd/system/docker.service.d
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376Reload and restart the Docker daemon:
systemctl daemon-reload
systemctl restart docker.serviceNow you can connect for example the Siemens Industrial Edge Publisher to the Docker engine and create a Industrial App from images on your Docker host.
Linux: /etc/exports add a line /home/vogler *(rw,no_subtree_check,insecure) exports -a In this example we do it very insecure...
Windows: mount -o anon <hostname>:/home/vogler z:
Add a label object into your screen and add some lines of code to get a QR image. In this example a mobile phone app will scan the QR code and send username and password via a GraphQL server to WinCC OA and set it on datapoints (username and password should additionally be encrypted).
#uses "CtrlQRCode"
string g_code;
main()
{
g_code = createUuid();
strreplace(g_code,"{", "");
strreplace(g_code,"}", "");
DebugTN(g_code);
string fpath = PROJ_PATH+"/pictures/";
string fname = "login_qr_code_"+myUiNumber();
int ret = createQRCodeFile(g_code, fpath+fname);
this.image=fname+".png";
dpConnect("work", false, "QRLogin.code", "QRLogin.usr", "QRLogin.pwd");
}
void work(string dp, string code, string dp1, string usr, string dp2, string pwd)
{
if (code == g_code)
{
setInputFocus(myModuleName(), myPanelName(), txt_username.name());
txt_username.text = usr;
setInputFocus(myModuleName(), myPanelName(), txt_password.name());
txt_password.text = pwd;
m_loginFrameworkController.doContinue();
}
}
A GraphQL server can also be queried with a simple GET request:
wget -O - "https://server.rocworks.at/graphql?query=query { getTag(name: \"Input\") { tag { current { value time } } } }"Lot of times my ssh session get broken because I didn’t do anything for a while. Sometimes I have started “top” just that the connection does not get broken because of inactivity. But this is not really what I wanna do everytime. Luckily the SSH client can be configured to send alive telegrams for every session so that you do not need to pass arguments every time you open a SSH conneciton.
Following settings will make the SSH client to send alive telegrams to the other side every 60 seconds, and give up if it doesn’t receive any response after 2 tries.
~/.ssh/config
Host *
ServerAliveInterval 60
ServerAliveCountMax 2
Initially you have to init the certbot and get the certificate manually.
# Directories used:
/var/www
/var/www/certbot # handshake sites from certbot
/etc/letsencrypt # certificates are stored here# Initialize Certbot:
docker run --rm -ti \
-v /var/www:/var/www \
-v /etc/letsencrypt:/etc/letsencrypt \
certbot/certbot certonly --webroot -w /var/www/certbot -d <yor-domain-name> --email your.email@something.com The letsencrypt and the www directory must be mounted on both containers. Certbot will check the certificates every 12h and nginx must reload the configuration periodically.
nginx:
image: nginx:1.17.8
ports:
- 80:80
- 443:443
volumes:
- /var/www:/var/www
- /etc/nginx.conf:/etc/nginx/nginx.conf
- /etc/letsencrypt:/etc/letsencrypt
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
certbot:
image: certbot/certbot
restart: unless-stopped
volumes:
- /var/www:/var/www
- /etc/letsencrypt:/etc/letsencrypt
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${1}; done;'"Nginx must be configured to publish the certbots well-known sites for the handshake and your sites must be configured to use the certificates from letsencrypt.
server {
listen 80;
server_name <your-domain-name>;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name vcm.winccoa.at;
ssl_certificate /etc/letsencrypt/live/<your-domain-name>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<your-domain-name>/privkey.pem;
root /var/www;
index index.html;
location / {
try_files $uri $uri/ =404;
}