Category Archives: Allgemein

Let’s Encrypt Certificate with WinCC OA on Windows

This is a manual way to get and use Certificates from Letsencrypt with the Webserver (ULC UX) in WinCC Open Architecture. You have to update the certificate manually before it expires.

  • Temporarily configure IIS (HTTP) to get a new certificate via WIN-ACME
  • Download Win-ACME, it is a Letsencrypt Client for Windows + IIS
  • Set “PrivateKeyExportable” to TRUE! in settings.json of Win-ACME!
  • Execute Win-ACME wacs.exe and follow the instructions for fist setup.
  • Execute wacs.exe --renew --baseuri https://acme-v02.api.letsencrypt.org/ to renew a certificate.

  • Export Root Certificate as PEM:
  • Save Root Cert as root-cert.pem to the WinCC OA project config directory.

  • Export the Host Certificate with “certlm”
  • Convert Certificate from PFX to Certificate and Private-Key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out keyfile-encrypted.key
openssl rsa -in keyfile-encrypted.key -out privkey.pem
=> Save to config/privkey.pem

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out certificate.pem
=> Save to config/certificate.pem

MQTT and GraphQL Gateway for OPC UA

Here is an OPC UA gateway with which you can access your OPC UA values via MQTT and GraphQL (HTTP). If you have an OPC UA server in your PLC, or a SCADA system with an OPC UA server, you can query data from there via MQTT and GraphQL (HTTP). In addition, the gateway can also log value changes from OPC UA nodes in an InfluxDB. The archived values can then also be queried via GraphQL.

Open-source

Runs anywhere: Linux, Windows, Mac, …

Example MQTT Client:

Example MQTT Topics:

opc/unified/node/1/16.687.1.0.0.0
opc/unified/node:Value/1/16.687.1.0.0.0
opc/unified/node:Pretty/1/16.687.1.0.0.0
opc/unified/path/Tags/HMI_Tag_3
opc/oa/node:Value/2/ExampleDP_Float.ExampleDP_Arg1
opc/oa/node:value/2/ExampleDP_Float.ExampleDP_Arg1
opc/oa/node:Json/2/ExampleDP_Float.ExampleDP_Arg1
opc/oa/node:json/2/ExampleDP_Float.ExampleDP_Arg1

Example GraphQL Queries:

Here are some Videos/Demos:

Mount Disk Image on Linux

If you have created a backup of a disk with dd:

dd if=/dev/sdb of=image.img bs=4096

then you can create loop back devices with partitions:

losetup -f -P ./image.img 
losetup -a

then you can mount partition:

mount /dev/loop0p1 /mnt/disk

Another hint: Copy files with tar so that permissions and users are persevered:

tar cf - . | (cd /destination; tar xvf -)

tar cf - . | ssh root@server2 "tar xf - -C /destination/"

How to enable remote docker API…

Create a file “override.conf” in /etc/systemd/system/docker.service.d

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376

Reload and restart the Docker daemon:

systemctl daemon-reload
systemctl restart docker.service

Now you can connect for example the Siemens Industrial Edge Publisher to the Docker engine and create a Industrial App from images on your Docker host.

SSH Keep Alive

Lot of times my ssh session get broken because I didn’t do anything for a while. Sometimes I have started “top” just that the connection does not get broken because of inactivity. But this is not really what I wanna do everytime. Luckily the SSH client can be configured to send alive telegrams for every session so that you do not need to pass arguments every time you open a SSH conneciton.

Following settings will make the SSH client to send alive telegrams to the other side every 60 seconds, and give up if it doesn’t receive any response after 2 tries.

~/.ssh/config
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 2

Nginx & Certbot (Letsencrypt) via Docker…

Initially you have to init the certbot and get the certificate manually.

# Directories used:
/var/www 
/var/www/certbot # handshake sites from certbot
/etc/letsencrypt # certificates are stored here
# Initialize Certbot:
docker run --rm -ti \
  -v /var/www:/var/www \
  -v /etc/letsencrypt:/etc/letsencrypt \
certbot/certbot certonly --webroot -w /var/www/certbot -d <yor-domain-name> --email your.email@something.com 

The letsencrypt and the www directory must be mounted on both containers. Certbot will check the certificates every 12h and nginx must reload the configuration periodically.

  nginx:
    image: nginx:1.17.8
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/www:/var/www
      - /etc/nginx.conf:/etc/nginx/nginx.conf
      - /etc/letsencrypt:/etc/letsencrypt
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - /var/www:/var/www
      - /etc/letsencrypt:/etc/letsencrypt
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${1}; done;'"

Nginx must be configured to publish the certbots well-known sites for the handshake and your sites must be configured to use the certificates from letsencrypt.

    server {
        listen 80;
        server_name <your-domain-name>;
        server_tokens off;
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name vcm.winccoa.at;

        ssl_certificate     /etc/letsencrypt/live/<your-domain-name>/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<your-domain-name>/privkey.pem;

        root /var/www;
        index index.html;

        location / {
            try_files $uri $uri/ =404;
        }

WinCC OA on Docker, Dockerfiles and Howto’s…

This repository on Github contains Dockerfiles and samples to build Docker images for WinCC OA products.

Build Docker Image

Download and unzip the CentOS WinCC OA rpm’s to the centos/software directory.

Only put those WinCC OA rpm’s into the directory which you want to have installed in your image. For a minimum image you only need the base packag of WinCC OA.

WinCC_OA_3.16-base-rhel-0-17.x86_64.rpm

Build your WinCC OA Docker image with:

docker build -t winccoa:3.16 .

WinCC OA Project in a Container

The project should be mounted on /proj/start as a volume to your docker container.

And you may also mount a shield file to your docker container.

Example how to startup a WinCC OA project in a container:

docker run -d  
  --name winccoa  
  --hostname winccoa-server  
  -v ~/shield.txt:/opt/WinCC_OA/3.16/shield.txt  
  -v /proj/DemoApplication_3.16:/proj/start  
  -p 5678:5678  
  winccoa:3.16 

WinCC OA Gedi in a Container

To start a WinCC OA client application like a Gedi or a User-Interface you have to adapt your config file so that the proxy settings point to the WinCC OA server container. You can just create a copy of your config file (e.g. config.ui) and adapt the settings.

[general] 
data = "winccoa-server" 
event = "winccoa-server" 
mxProxy = "winccoa-server <your-docker-host-name>:5678 cert" 

Then you can startup a Gedi/Ui with:

docker run --rm  
-e DISPLAY=$DISPLAY  
-v /tmp/.X11-unix:/tmp/.X11-unix  
-v /proj/DemoApplication_3.16:/proj/default  
-v /proj/DemoApplication_3.16/config/config.ui:/proj/default/config/config  
winccoa:3.16  
WCCOAui -autoreg -m gedi -proj default 

Sure you can also use a copy of your project directory (or a git checkout if you use git) and adapt the config file.

Start Project Administration as Container

With the Project Administration you can create a new project in the /proj directory.

docker run -ti --rm 
-e DISPLAY=$DISPLAY 
-v /tmp/.X11-unix:/tmp/.X11-unix 
-v /proj:/proj 
winccoa:3.16 
WCCOAui -projAdmin

Distributed Managers and Kubernetes

For sure what we have done with the Gedi can also be done with Control-Managers and Drivers. And in theory that can also be done with Kubernetes and so you can run your SCADA project in a Kubernetes Cluster.