SSH-secured DNC connection

Application

If user administration is active, external applications also need to authenticate a user so that the suitable rights can be assigned.

For DNC connections using the RPC or LSV2 protocol, the connection is routed through an SSH tunnel. This method assigns the remote user to a user set up on the control, granting the remote user this user's rights.

Related topics

  • Forbidding non-secure connections
  • Firewall

  • Roles for remote logon
  • Roles

Requirements

  • TCP/IP network
  • The remote computer acts as SSH client
  • The control acts as SSH server
  • Key pair consisting of
    • Private key
    • Public key

Description of function

Concept of transmission through an SSH tunnel

An SSH connection is always set up between an SSH client and an SSH server.

A key pair is used to protect the connection. This key pair is generated on the client. The key pair consists of a private key and a public key. The private key remains with the client. During setup, the public key is transferred to the server and assigned to a certain user.

The client tries to connect to the server using the pre-defined user name. The server can use the public key to verify that the requester of the connection holds the associated private key. If yes, the server accepts the SSH connection and assigns it to the user that has been used for the login. Communication can then be "tunneled" through this SSH connection.

[Figure: SSH connection for DNC]

Use in external applications

The PC tools available from HEIDENHAIN, such as TNCremo with version v3.3 or higher, provide all functions for setting up, establishing, and managing secure connections through an SSH tunnel.

When the connection is set up, the required key pair is generated in TNCremo and the public key is transferred to the control.

This also applies to applications that are using the HEIDENHAIN DNC component from RemoTools SDK for communication. There is no need to adapt existing customer applications.

Tip

In order to expand the connection configuration using the associated CreateConnections tool, you need to update to HEIDENHAIN DNC v1.7.1. A modification of the application source code is not required.

Setting up SSH-secured DNC connections

To set up an SSH-secured DNC connection for the logged-on user:

  1. Select the Settings application
  2. Select Network/Remote Access
  3. Select DNC
  4. Activate the Setup permitted toggle switch
  5. Use TNCremo to set up the secure connection (TCP secure).

     Manual

     For details, refer to the integrated help system of TNCremo.

     TNCremo transmits the public key to the control.

     Tip

     In order to ensure maximum security, deactivate the Allow password authentication function after the public key has been stored.

  6. Deactivate the Setup permitted toggle switch

Removing a secure connection

If you delete a private key from the control, the user it is assigned to can no longer establish a secure connection.

To delete a key:

  1. Select the Settings application
  2. Select Operating system
  3. Double-tap or double-click Current User
     The control opens the Active user window.
  4. Select Certificate and keys
  5. Select the key to be deleted
  6. Select Delete SSH key
     The control deletes the selected key.

Notes

  • The encryption used with the SSH tunnel protects the communication from attackers.
  • For OPC UA connections, a stored user certificate is used for authentication.
  • OPC UA NC Server (options 56 to 61)

  • When user administration is active, you can set up only secure network connections via SSH. The control automatically disables the LSV2 connections via the serial interfaces (COM1 and COM2) and the network connections without user identification.
  • The machine manufacturer uses the machine parameters allowUnsecureLsv2 (no. 135401) and allowUnsecureRpc (no. 135402) to define whether the control disables non-secure LSV2 or RPC connections even if user administration is not active. These machine parameters are included in the data object CfgDncAllowUnsecur (135400).

  • Once the connection configurations have been set up, they can be shared among all HEIDENHAIN PC tools for establishing a connection.
  • You can also transmit a public key to the control using a USB device or a network drive.
  • In the Certificate and keys window you can select a file with additional public SSH keys in the Externally administered SSH key file area. This allows you to use SSH keys without needing to transmit them to the control.
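A public-key file that is carried to the control on a USB device or network drive, or used as an externally administered SSH key file, can be sanity-checked on the client before it is copied. The following Python helper is an added example, not TNCremo or HEIDENHAIN code; it assumes the OpenSSH public-key line format and the listed key types, and it rejects private-key material and lines whose declared type disagrees with the key blob, reporting a fingerprint for each accepted key so it can be compared with the one shown on the client.

```python
import base64
import hashlib
import struct

# Assumption: the control accepts the common OpenSSH public-key types.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def make_key_line(declared, embedded, raw, comment=""):
    """Build one OpenSSH public-key line (used here only to construct samples)."""
    blob = struct.pack(">I", len(embedded)) + embedded.encode() + struct.pack(">I", len(raw)) + raw
    return f"{declared} {base64.b64encode(blob).decode()} {comment}".rstrip()

def parse_key_line(line):
    """Return (type, blob, comment); ValueError for anything that must not be in the file."""
    if "PRIVATE KEY" in line:
        raise ValueError("private key material must never leave the client")
    ktype, b64, *rest = line.split(None, 2)  # ValueError if the line is too short
    comment = rest[0] if rest else ""
    if ktype not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {ktype}")
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    n = int.from_bytes(blob[:4], "big")  # length of the embedded type string
    if blob[4:4 + n] != ktype.encode():  # mangled or tampered line
        raise ValueError("declared type does not match key blob")
    return ktype, blob, comment

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_key_file(text):
    """Split a key file into accepted [(type, fingerprint, comment)] and rejected [(line, reason)]."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # blank lines and comments
            continue
        try:
            ktype, blob, comment = parse_key_line(line)
            accepted.append((ktype, fingerprint(blob), comment))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected

# Constructed sample with dummy 32-byte key values (not real keys).
SAMPLE_FILE = "\n".join([
    "# keys for the control's remote user",
    make_key_line("ssh-ed25519", "ssh-ed25519", bytes(range(32)), "tncremo-client"),
    make_key_line("ssh-rsa", "ssh-ed25519", bytes(32)),  # tampered: types disagree
    "-----BEGIN OPENSSH PRIVATE KEY-----",  # must never be in this file
])
```

Run `check_key_file` over the real file's contents and copy it to the control only when the rejected list is empty.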