How to disable security in WinCC Unified OPC UA Server…

Caution! Don’t do this in a productive environment!

Add a security police “None” to the OPC UA configuration file.

On Windows you can find the file here: “C:\Program Files\Siemens\Automation\WinCCUnified\bin\OpcUaServerRTIL.xml”

<SecurityProfileUris>
<SecurityProfile>
<ProfileUri>http://opcfoundation.org/UA/SecurityPolicy#None</ProfileUri>
<Enabled>true</Enabled>
</SecurityProfile>
...
</SecurityProfileUris>

Mount Disk Image on Linux

If you have created a backup of a disk with dd:

dd if=/dev/sdb of=image.img bs=4096

then you can create loop back devices with partitions:

losetup -f -P ./image.img 
losetup -a

then you can mount partition:

mount /dev/loop0p1 /mnt/disk

Another hint: Copy files with tar so that permissions and users are persevered:

tar cf - . | (cd /destination; tar xvf -)

tar cf - . | ssh root@server2 "tar xf - -C /destination/"

How to view remote traces with RTILtraceViewer from a SIMATIC HMI Unified Comfort Panel…

First you have to enable the Trace forwareder on the panel

Then you have to start a tool on the host where you have installed TIA with Unified (change IP to your Panel IP):

"c:\Program Files\Siemens\Automation\WinCCUnified\bin\RTILtraceTool.exe" -mode receiver -host 192.168.210.128 -tcp

Then you can start the trace viewer on the PC:

"C:\Program Files\Siemens\Automation\WinCCUnified\bin\RTILtraceViewer.exe"

How to enable remote docker API…

Create a file “override.conf” in /etc/systemd/system/docker.service.d

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376

Reload and restart the Docker daemon:

systemctl daemon-reload
systemctl restart docker.service

Now you can connect for example the Siemens Industrial Edge Publisher to the Docker engine and create a Industrial App from images on your Docker host.

Generate QR Code Image in WinCC OA …

Add a label object into your screen and add some lines of code to get a QR image. In this example a mobile phone app will scan the QR code and send username and password via a GraphQL server to WinCC OA and set it on datapoints (username and password should additionally be encrypted).

#uses "CtrlQRCode"

string g_code;

main()
{
  g_code = createUuid();
  strreplace(g_code,"{", "");
  strreplace(g_code,"}", "");
  DebugTN(g_code);

  string fpath = PROJ_PATH+"/pictures/";
  string fname = "login_qr_code_"+myUiNumber();
  int ret = createQRCodeFile(g_code, fpath+fname);
  this.image=fname+".png";

  dpConnect("work", false, "QRLogin.code", "QRLogin.usr", "QRLogin.pwd");
}

void work(string dp, string code, string dp1, string usr, string dp2, string pwd)
{
  if (code == g_code)
  {
    setInputFocus(myModuleName(), myPanelName(), txt_username.name());
    txt_username.text = usr;
    setInputFocus(myModuleName(), myPanelName(), txt_password.name());
    txt_password.text = pwd;
    m_loginFrameworkController.doContinue();
  }
}

SSH Keep Alive

Lot of times my ssh session get broken because I didn’t do anything for a while. Sometimes I have started “top” just that the connection does not get broken because of inactivity. But this is not really what I wanna do everytime. Luckily the SSH client can be configured to send alive telegrams for every session so that you do not need to pass arguments every time you open a SSH conneciton.

Following settings will make the SSH client to send alive telegrams to the other side every 60 seconds, and give up if it doesn’t receive any response after 2 tries.

~/.ssh/config
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 2

Nginx & Certbot (Letsencrypt) via Docker…

Initially you have to init the certbot and get the certificate manually.

# Directories used:
/var/www 
/var/www/certbot # handshake sites from certbot
/etc/letsencrypt # certificates are stored here
# Initialize Certbot:
docker run --rm -ti \
  -v /var/www:/var/www \
  -v /etc/letsencrypt:/etc/letsencrypt \
certbot/certbot certonly --webroot -w /var/www/certbot -d <yor-domain-name> --email your.email@something.com 

The letsencrypt and the www directory must be mounted on both containers. Certbot will check the certificates every 12h and nginx must reload the configuration periodically.

  nginx:
    image: nginx:1.17.8
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/www:/var/www
      - /etc/nginx.conf:/etc/nginx/nginx.conf
      - /etc/letsencrypt:/etc/letsencrypt
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - /var/www:/var/www
      - /etc/letsencrypt:/etc/letsencrypt
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${1}; done;'"

Nginx must be configured to publish the certbots well-known sites for the handshake and your sites must be configured to use the certificates from letsencrypt.

    server {
        listen 80;
        server_name <your-domain-name>;
        server_tokens off;
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name vcm.winccoa.at;

        ssl_certificate     /etc/letsencrypt/live/<your-domain-name>/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<your-domain-name>/privkey.pem;

        root /var/www;
        index index.html;

        location / {
            try_files $uri $uri/ =404;
        }