Siemens S7-1200/1500 V5 / TIA19

Requirements

Version 5 is functionally backward compatible with version 4. Starting with this version, encrypted communication with the connector (from V5.1.0.0) is possible.

The following chapters only deal with this (new) aspect of communication; for standard functions, please refer to the existing chapters.

To use this functionality, the following minimum requirements apply with regard to Siemens firmware:

  • S7-1500 CPUs: Firmware >= V2.5

  • S7-1200 CPU: Firmware >= V4.2. Please note that although the connection can be established with an S7-1200 CPU, as of today (April 2025) establishing it can take up to 14 seconds! In our opinion, this is not efficient! We therefore recommend using an S7-1500 CPU. Alternatively, you could accept the long connection setup time once, but keep the connection open (example “ConnectionObserver”, set parameter “xHoldOpen” = TRUE).

Older CPUs do not support the “TCON_IP_V4_SEC” module from the “Open user communication” library.

The configuration is shown below using an S7-1500 CPU.

Hardware-Architecture and SSL certificates

  • PLC IP address: 10.100.100.213

  • SQL4automation Connector IP address: 10.100.100.211

CLIENT152


openssl genrsa -out client152.key 2048

openssl req -new -key client152.key -out client152.csr -subj "/C=CH/ST=Bern/L=Lyssach/CN=10.100.100.152/O=Inasoft"

openssl x509 -req -in client152.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client152.crt -days 1825 -sha256

openssl pkcs12 -export -out client152.p12 -inkey client152.key -in client152.crt

--> PWD: SSLtest

SERVER211


openssl genrsa -out server211.key 2048

openssl req -new -key server211.key -out server211.csr -subj "/C=CH/ST=Bern/L=Lyssach/CN=10.100.100.211/O=Inasoft"

openssl x509 -req -in server211.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server211.crt -days 1825 -sha256

openssl pkcs12 -export -out server211.p12 -inkey server211.key -in server211.crt

--> PWD: SSLtest

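ROOT CA (create this first: the client and server certificates above are signed with rootCA.pem and rootCA.key)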


openssl genrsa -out rootCA.key 2048

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem -subj "/C=CH/ST=Bern/L=Lyssach/CN=SQL4automation/O=Inasoft"

openssl pkcs12 -export -out rootCA.p12 -inkey rootCA.key -in rootCA.pem

--> PWD: SSLtest
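
Before the files are copied to the connector or imported into the TIA Portal, each certificate can be checked for three things: that it chains to the root CA, that it is inside its validity period, and that it matches its private key. The script below is an added example, not part of the original SQL4automation documentation; the function names check_cert and make_demo_pki and the demo subject names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-import checks for certificates made with the page's commands.

# check_cert CA_PEM CERT KEY -> returns 0 only if all three checks pass.
check_cert() {
    ca=$1; cert=$2; key=$3
    # 1. The certificate must chain to the root CA the peer will trust.
    #    "openssl verify" also rejects certificates outside their validity period.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL chain/validity: $cert"; return 1; }
    # 2. It must stay valid for at least one more day (-checkend takes seconds).
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "FAIL expires within 24h: $cert"; return 1; }
    # 3. The private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL key mismatch: $cert"; return 1; }
    echo "OK: $cert"
}

# make_demo_pki DIR -> throwaway CA, server certificate and an unrelated CA,
# built with the same openssl commands as above (constructed test data).
make_demo_pki() {
    ( cd "$1" || exit 1
      for ca in rootCA otherCA; do
          openssl genrsa -out "$ca.key" 2048 2>/dev/null
          openssl req -x509 -new -nodes -key "$ca.key" -sha256 -days 30 \
              -out "$ca.pem" -subj "/CN=Demo $ca"
      done
      openssl genrsa -out server.key 2048 2>/dev/null
      openssl req -new -key server.key -out server.csr -subj "/CN=192.0.2.10"
      openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
          -CAcreateserial -out server.crt -days 30 -sha256 2>/dev/null )
}

# Demo run on the constructed data.
tmp=$(mktemp -d)
make_demo_pki "$tmp"
check_cert "$tmp/rootCA.pem"  "$tmp/server.crt" "$tmp/server.key"           # passes
check_cert "$tmp/otherCA.pem" "$tmp/server.crt" "$tmp/server.key" || true   # wrong CA
check_cert "$tmp/rootCA.pem"  "$tmp/server.crt" "$tmp/rootCA.key" || true   # wrong key
rm -rf "$tmp"
```

For the files created on this page the call would be `check_cert rootCA.pem server211.crt server211.key`, and likewise for client152.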

Commissioning TLS encryption

Before commissioning, the certificates for the SQL4automation Connector must be copied to the appropriate paths.

  • Path “C:\ProgramData\SQL4automation\certs\CA” → Copy the contents of RootCA to the file

  • Path “C:\ProgramData\SQL4automation\certs\S4AConnector” → The server certificates are copied to this location.

  • Path “C:\ProgramData\SQL4automation\certs\S4AQueryTool” → This is where the certificates are located for testing with the query tool.

After copying the RootCA, the SQL4automation Connector service must be restarted before operation.

In a further step, it is recommended to put the connection between SQL4automation and the controller into operation WITHOUT TLS encryption.

Only when communication works without encryption do we recommend activating encryption. Please note that the system time must be checked at this point and adjusted if necessary, because certificate validity periods are evaluated against the clock!

Passphrase: SSLtest

The following security settings must be configured in the TIA Portal:

Usr: SQL4automation, pwd: SQL4automation

Import the three certificates “rootCA.p12”, “server211.p12” and “client152.p12” with the password “SSLtest”.

After refreshing the view, the following entries are visible:

The IDs will continue to be used in the future. Please make a note of the relevant numbers.

Pwd: SQL4automation

The server and client certificates must be added to the list using “add new”.

  • When calling SQL4Siemens, activate encryption and reference the corresponding certificates using their numbers.

  • xActivateSecureConn: TRUE

  • iTLSClientCertRef: <Number of the Client.p12 certificate>

  • iTLSServerCertRef: <Number of the RootCA.p12 certificate>

If the query is successful, plausible values are displayed in the response table and the status shows “xDone.”
