SSH-secured DNC connection

Application

If user administration is active, external applications must also authenticate as a user so that the control can assign the appropriate rights to the connection.

For DNC connections using the RPC or LSV2 protocol, the connection is routed through an SSH tunnel. The remote user is mapped to a user set up on the control and is granted that user's rights, and nothing more.

Related topics

  • Forbidding non-secure connections
  • Firewall

  • Roles for remote logon
  • Roles

Requirements

  • TCP/IP network
  • The remote computer acts as SSH client
  • The control acts as SSH server
  • Key pair consisting of
    • Private key
    • Public key

Description of function

Concept of transmission through an SSH tunnel

An SSH connection is always set up between an SSH client and an SSH server.

A key pair protects the connection. The pair is generated on the client and consists of a private key and a public key. The private key never leaves the client. During setup, the public key is transferred to the server and assigned to a specific user.

The client connects to the server with the predefined user name. Using the stored public key, the server verifies that the party requesting the connection holds the matching private key (the client proves possession by signing a challenge; the private key itself is never transmitted). If the check succeeds, the server accepts the SSH connection and assigns it to the user used for logon. The DNC communication is then "tunneled" through this SSH connection.

Use in external applications

The PC tools available from HEIDENHAIN, such as TNCremo with version v3.3 or higher, provide all functions for setting up, establishing, and managing secure connections through an SSH tunnel.

When the connection is set up, the required key pair is generated in TNCremo and the public key is transferred to the control.

This also applies to applications that are using the HEIDENHAIN DNC component from RemoTools SDK for communication. There is no need to adapt existing customer applications.

 
Tip

To extend the connection configuration with the associated CreateConnections tool, you need to update to HEIDENHAIN DNC v1.7.1. No modification of the application source code is required.

Setting up SSH-secured DNC connections

To set up an SSH-secured DNC connection for the logged-on user:

  1. Select the Settings application
  2. Select Network/Remote Access
  3. Select DNC
  4. Activate the Setup permitted toggle switch
  5. Use TNCremo to set up the secure connection (TCP secure).

    Manual

    For details, refer to the integrated help system of TNCremo.

  6. TNCremo transmits the public key to the control.

    Tip

    To ensure maximum security, deactivate the Allow password authentication function after the public key has been stored. As long as password authentication is allowed, the public key is not the only way to log on as this user.

  7. Deactivate the Setup permitted toggle switch

Removing a secure connection

If you delete a user's public key from the control, that user can no longer establish a secure connection. (The private key is held on the client and is not stored on the control.)

To delete a key:

  1. Select the Settings application
  2. Select Operating System
  3. Double-tap or double-click Current User

    The control opens the Active user window.

  4. Select Certificate and keys
  5. Select the key to be deleted
  6. Select Delete SSH key

    The control deletes the selected key.

Notes

  • The encryption and integrity protection of the SSH tunnel protect the communication against eavesdropping and tampering on the network. They do not protect against a compromised client: anyone who obtains the private key can log on as the assigned user, so keep the private key on the client protected.
  • For OPC UA connections, a stored user certificate is used for authentication instead of an SSH key.
    Further information: OPC UA NC Server (#56-61 / #3-02-1*)

  • When user administration is active, you can set up only secure network connections via SSH or OPC UA (#56-61 / #3-02-1*). Existing non-secure network connections must be set up again as secure connections.
  • If user administration is inactive, the control also blocks non-secure LSV2 or RPC connections by default. In the optional machine parameters allowUnsecureLsv2 (no. 135401) and allowUnsecureRpc (no. 135402), the machine manufacturer can define whether the control permits non-secure connections.

  • Once the connection configurations have been set up, they can be shared among all HEIDENHAIN PC tools for establishing a connection.
  • You can also transfer a public key to the control by using a USB device or network drive. Before assigning a key that arrived this way, compare its fingerprint with the fingerprint of the key pair generated on the client; only the public key belongs on the control.
  • In the Certificate and keys window, you can select a file with additional public SSH keys in the Externally administered SSH key file area. This allows you to use SSH keys without having to transfer them to the control. The file must contain only public keys, and every line in it grants logon as the assigned user, so control who can write to that file.
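The following is an added example, not HEIDENHAIN code and not part of this manual. It shows what checking a transferred public key looks like in practice, both for the single key described under "Concept of transmission through an SSH tunnel" and for an externally administered key file: parse the key line, confirm that the declared key type matches the type embedded in the key blob, compute the SHA256 fingerprint in the same form that OpenSSH's `ssh-keygen -lf` prints, and compare it with the fingerprint noted on the client. It assumes the keys are stored in OpenSSH authorized_keys format (one `<type> <base64 blob> [comment]` line per key); the 32-byte key material in the sample is a constructed dummy, not a real Ed25519 key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field in SSH wire format (RFC 4251 'string')."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, pos: int):
    """Decode one length-prefixed field; reject blobs that end early."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos:pos + n], pos + n


def make_authorized_key_line(key_type: str, pubkey: bytes, comment: str) -> str:
    """Build a '<type> <base64 blob> <comment>' line from raw public key bytes."""
    blob = ssh_string(key_type.encode()) + ssh_string(pubkey)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys-style line and compute its SHA256 fingerprint.

    Rejects missing fields, invalid base64, a declared type that does not match
    the type embedded in the blob, and ssh-ed25519 keys that are not 32 bytes.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"invalid base64: {exc}") from None
    embedded, pos = read_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError(f"declared type {key_type!r} does not match embedded {embedded!r}")
    if key_type == "ssh-ed25519":
        pubkey, pos = read_string(blob, pos)
        if len(pubkey) != 32 or pos != len(blob):
            raise ValueError("malformed ssh-ed25519 key")
    # Same value 'ssh-keygen -lf' prints: SHA256 over the raw blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "fingerprint": fingerprint, "comment": comment}


def verify_transferred_key(line: str, expected_fingerprint: str) -> bool:
    """Check that a key copied in via USB or network drive is the one generated on the client."""
    try:
        return parse_authorized_key(line)["fingerprint"] == expected_fingerprint
    except ValueError:
        return False


def load_key_file(text: str):
    """Parse an externally administered key file: one key per line, '#' comments and blanks allowed.

    Returns (accepted, rejected); rejected holds (line_number, reason) pairs so that a
    corrupt line is reported instead of silently granting or denying logon.
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(parse_authorized_key(line))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return accepted, rejected


# Constructed sample data (assumption: a dummy 32-byte value stands in for a real Ed25519 key).
SAMPLE_LINE = make_authorized_key_line("ssh-ed25519", bytes(range(32)), "tncremo@workstation")
SAMPLE_KEY_FILE = "\n".join([
    "# externally administered keys (constructed sample)",
    SAMPLE_LINE,
    "",
    "ssh-ed25519 QUJD!!== corrupt@host",  # invalid base64: must be rejected, not silently skipped
])

if __name__ == "__main__":
    info = parse_authorized_key(SAMPLE_LINE)
    print(info["type"], info["fingerprint"], info["comment"])
    accepted, rejected = load_key_file(SAMPLE_KEY_FILE)
    print(f"{len(accepted)} key(s) accepted, {len(rejected)} rejected: {rejected}")
```

The fingerprint comparison is the check that matters when the key does not travel inside TNCremo's own setup dialog: a public key swapped on a USB stick or a network share would still parse cleanly, so only a fingerprint match against the pair generated on the client tells you the right user is being granted logon.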