Agent Authentication

Securing the authenticity of the communication partners is essential to avoid unauthorized system access. As a system administrator in charge of security, you configure your system to apply the level of security that is appropriate for your company.

The main tasks you need to carry out to authenticate the Agents are:

• Define the method used to authenticate the Agents, which determines the level of security
• Authenticate the Agents using the defined method
• If an Agent is compromised or if you want to upgrade it, you must first withdraw its authentication
• If necessary, you can change the authentication method later on

More information:

• Setting the Authentication Method
• Authenticating Agents and Withdrawing the Authentication
• Changing the Authentication Method
• UC_AS_SETTINGS - Advanced Security

Authentication Methods

There are three authentication methods to define how the agent initially authenticates: NO, LOCAL or LOCAL_REMOTE. Each method offers advantages and disadvantages, depending on the required security level. This authentication package is used to enable the automatic registration and certificate exchange between the Agent and the Automation Engine.

NO

Agents that start for the first time can log on to the Automation Engine system immediately. The Automation Engine does not verify whether the new agent is allowed to access the system.

Advantages:

• No additional setup needed

Disadvantages:

• Least secure method

LOCAL (Server)

All agents use the same authentication package to authenticate during initial setup (shared secret).

Advantages:

• Semi-automatic setup of new Agents.
• Ensured authenticity of the Automation Engine on Agent side.
• Manual authentication of the Agents by the administrator.

Disadvantages:

• Manual distribution of the Installation Package

LOCAL_REMOTE (Server and Agent)

This is the most secure authentication method.

An Agent object must be created in system Client 0 for each Agent that will communicate with the Automation Engine.

The Installation Package contains a one-time authentication package of the particular Agent that can be gained by exporting the Installation Package from the Automation Engine system Client 0.

Advantages:

• Quick and easy setup
• No manual steps involved
• New Agents are automatically registered

Disadvantages:

• A leaked authentication package may lead to unauthorized agent registrations

Warning! Changing the authentication method is possible, but involves considerable effort. For more information, see Changing the Authentication Method.

Compromised Agents

The architecture of the Automation Engine protects it and its communication against man-in-the-middle attacks by using TLS/SSL.

If attackers want to intercept or read a connection, they must compromise an Agent, which means that they need access to the machine on which the Agent is installed. If this happens, the Agent is compromised and further confidentiality cannot be guaranteed. The system access can be shut down immediately removing the agent from the Automation Engine. To restore access, the agent has to redo the whole authentication process. See also Authenticating Agents and Withdrawing the Authentication

See also:

Security and System Hardening