Destek Ekibi

Configuring the Web server


​To use the full functionality of the Web server, the following settings in STEP 7 are necessary.

Procedure

​You have opened the properties dialog of the CPU in STEP 7 in the project view.



Web server settings in STEP 7

Activate Web server on this module

​The Web server is deactivated in the default setting of a configured CPU. Proceed as follows to activate the Web server:

1. Open the "Devices & Networks" view by double-clicking in the project tree in STEP 7.

2. Select the desired CPU in the device, network or topology view.

3. Navigate to the "Web server" area in the Inspector window properties, "General" tab.

4. Select the "Activate Web server on this module" check box. The following note is output:



Security note upon activation of the Web server in STEP 7

Note

​When projects from deliveries are applied in which the Web server was already activated and configured on the module, this security note is not shown.

Permit access only with HTTPS

​Note: A valid Web server certificate is required in the CPU to operate the Web server using the secure transfer protocol "HTTPS". See "Creating and assigning a Web server certificate" in the section above.

​To ensure secure access to the Web server the "Permit access only with HTTPS" check box is activated in the basic setting of a configured CPU.

​The web pages are transmitted by default via a secure connection and are protected from attacks by third parties. Note that in this case the URL of the CPU starts with "https://".

​The requirements for error-free HTTPS access to the CPU are as follows:

·​The current date/time must be set in the CPU.

Note

When using secure communication (e.g. HTTPS), make sure that the corresponding modules have the current time of day and the current date. Otherwise the modules cannot check the validity period correctly and evaluate the certificates used as invalid, so a secure connection cannot be established.

·​The IP address of the CPU must be assigned.

·​A valid Web server certificate offered by the CPU is installed in the web browser.

NOTICE

Safety-related functions only possible with CA-signed Web server certificate

The safety-relevant functions for backing up and restoring the CPU configuration (see section Online backup) are only possible with a CA-signed Web server certificate.

A valid CA-signed Web server certificate in the CPU is also required for:

· ​User management with password-protected users

· ​Saving and downloading diagnostics information in csv files

​To use the full functionality of the Web server, we therefore recommend that you use the Certificate Manager to create a CA-signed server certificate in the global security settings and assign it to the CPU.

·​If no CA-signed Web server certificate is installed, a warning is output recommending that you do not use the page. To view the page, you may need to "Add an exception", depending on the web browser used.

·​A valid CA certificate is available for download from the "Intro" web page under "Download certificate".

·​You can find instructions for installing the certificate in the help system of your web browser and in the FAQ with the entry ID 103528224 at the ​Service&Support​ website.

Note

​To protect against manipulation from the outside, download the certificate only in an environment that is guaranteed not to be compromised. Installation of the CA certificate has to be carried out once for each display device you wish to use.

Access protection

​The encrypted connection created with the help of the certificate prevents eavesdropping or falsification of communication, but does not provide access protection. This means you have to protect your CPU from unauthorized access with the corresponding configuration in the user management.

​You can find more information on the access protection in the online help for STEP 7, keyword: "Protection".

Activate automatic update

​Automatic updating is activated in the default setting of a configured CPU.

​The following web pages are updated automatically:

·​Start page

·​Diagnostics (memory, runtime information, fail-safe)

·​Diagnostics buffer

·​Motion Control diagnostics

·​Module information

·​Alarms

·​Communication

·​Topology

·​Tag status

·​Watch tables

·​Record

·​DataLogs

·​User files

·​Customer pages

·​File browser

Note

The default activation interval is 10 seconds. Larger data volumes or multiple HTTP/HTTPS connections increase the update time.

Setting the language for the Web

​In total, you can assign up to three different project languages to the user interface languages of the Web server.

​In STEP 7, activate the project languages that you want to use and then assign one of the activated project languages to each of the Web server interface languages.

​You can find more information about the language settings and a description of how to assign a project language to the interface languages in the section ​Language settings​.

Amending user management

​Note: A valid CA-signed Web server certificate in the CPU along with a secure HTTPS connection are required for user administration with password-protected users. See "Creating and assigning a Web server certificate" and "Permit access only with HTTPS" in this section.



User administration in STEP 7

​In STEP 7, you can manage the user list in the "Web server > User administration" area.

​The user list provides the following options:

·​Create users

·​Specify access permissions

·​Assign passwords

​Users only have access to the options that are permanently linked to the access rights.

​You can assign different user rights depending on the CPU and firmware used.

​The available user rights can be selected in STEP 7 as follows:



Assignment of user rights in STEP 7

​If you are not logged in, you automatically access the Web server as the user "​Everybody​".

​It does not matter in this case whether you have configured additional users.

User "Everybody"

​A user with the name "​Everybody​" is preset in the user list; this user has minimum access rights. These are read-only access to the intro page and start page. The user "​Everybody​" is defined without assigning a password, but you can assign all access authorizations available in STEP 7 to it.

​You can create a maximum of 20 users and a user "​Everybody​".

​Since the user "​Everybody​" is defined in STEP 7 without assigning a password, pay attention to which access authorizations you assign to this user. ​Individual authorizations, such as the ability to change the operating mode, can represent a security risk. ​When assigning security-relevant authorizations, we recommend that you create a user with password protection in STEP 7.


WARNING

​For an F-CPU, do not​ assign the user "​Everybody​" the access authorization "​Perform changes as F-Admin​".

​Make sure that you observe the warnings relating to this in the section "Restoring a backup of the safety program to an S7-300/1500 F-CPU" in the manual ​SIMATIC Safety - Configuring and Programming​.

​Passwords should always be more than 8 characters in length and contain uppercase and lowercase characters as well as special characters and numbers (?!+%$1234...). Computer keyboard character strings and words from the dictionary are unsuitable. Change the password regularly.

Note

​When assigning rights, note that read and write access to the watch tables and the tag status is retained, even if you have deactivated the attribute "Accessible from HMI/OPC UA" in the PLC tag table when configuring the data block in STEP 7.
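
The user-management rules above can be checked mechanically when reviewing a configuration. The following is an added example, not part of the original page or of STEP 7: the user-list structure, the label "Change operating mode" and the keyboard-run list are assumptions made for illustration.

```python
import string

# Authorization names: F_ADMIN is quoted on the page; the exact label for the
# operating-mode right is an assumption.
F_ADMIN = "Perform changes as F-Admin"
RISKY_FOR_EVERYBODY = {"Change operating mode", F_ADMIN}
MAX_USERS = 20  # page: at most 20 users plus "Everybody"
KEYBOARD_RUNS = ("qwert", "asdfg", "yxcvb", "12345")  # constructed sample list


def password_problems(pw):
    """Return the points of the page's password guidance that pw violates."""
    checks = [
        (len(pw) > 8, "not more than 8 characters"),
        (any(c.isupper() for c in pw), "no uppercase character"),
        (any(c.islower() for c in pw), "no lowercase character"),
        (any(c.isdigit() for c in pw), "no number"),
        (any(c in string.punctuation for c in pw), "no special character"),
        (not any(run in pw.lower() for run in KEYBOARD_RUNS), "keyboard string"),
    ]
    return [msg for ok, msg in checks if not ok]


def audit_users(users):
    """users: list of {"name": str, "rights": set}; returns list of findings."""
    findings = []
    named = [u for u in users if u["name"] != "Everybody"]
    if len(named) > MAX_USERS:
        findings.append(f"{len(named)} users configured, maximum is {MAX_USERS}")
    for u in users:
        if u["name"] != "Everybody":
            continue
        # "Everybody" has no password, so any of these rights is open to all.
        for right in sorted(u["rights"] & RISKY_FOR_EVERYBODY):
            findings.append(f'Everybody (no password) holds "{right}"')
    return findings


# Constructed sample user list for illustration.
SAMPLE_USERS = [
    {"name": "Everybody", "rights": {"Read intro page", "Change operating mode"}},
    {"name": "maint", "rights": {"Change operating mode"}},
]

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print(finding)
    print(password_problems("Qwerty123"))
```

A dictionary-word check is left out because it needs a word list; extend `RISKY_FOR_EVERYBODY` with whichever authorizations your CPU and firmware offer.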

Customer pages

​In the "​Customer pages​" area, you can download your own web pages to the CPU and make your own web applications available via the web browser.

​You can find more information in section ​User pages​.

Activation of the Web server for specific interfaces

​In the area "​Overview of interfaces​", you have the option to enable access to the Web server.



Activation of access to the Web server via the interfaces

