I’ve been having a lot of trouble getting the Siemens Opcenter OPC-UA client to connect to the Ignition server (v8.1), and I finally discovered the workaround of setting the Ignition Security Policies to Basic256Sha256,None. While this works, I’m uneasy about the gap in OT security. Have there been any changes in version 8.3 that allow for such clients to connect without using None?
I apologize if this is in the release notes somewhere; I’ve skimmed through but didn’t see anything specific.
Yes, in Ignition 8.3, it should be easier to get broken clients to connect without enabling the None security policy.
The technical reason for this is that we now allow unsecured connections against the session endpoint like every other server does, even if security is required, but only for the discovery services. Previously, in the secure-only configuration, you would need to use the discovery endpoint for discovery services (at /discovery), and the client would have to be implemented correctly such that it then paid attention to the endpoint URLs returned in the EndpointDescriptions.
So now in 8.3 you can just point your broken clients at the non-discovery endpoint URL (the one that doesn't end with /discovery) and they should just work.
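The client behaviour described in the answer above, shown as an added example that is not part of the original thread and is not Inductive Automation or Siemens code: a correct client takes its session endpoint from the EndpointDescriptions returned by discovery, and the same data shows whether the server still offers None. The dictionary keys mirror EndpointDescription field names; the host name, port, and securityLevel values are constructed sample data.

```python
POLICY_NS = "http://opcfoundation.org/UA/SecurityPolicy#"

def _ep(url, policy, mode, level):
    # One EndpointDescription reduced to the fields that matter here.
    return {"endpointUrl": url, "securityPolicyUri": POLICY_NS + policy,
            "securityMode": mode, "securityLevel": level}

# Constructed: the discovery URL the client was pointed at, and the session URL.
DISCOVERY_URL = "opc.tcp://ignition.example:62541/discovery"
SESSION_URL = "opc.tcp://ignition.example:62541"

# Constructed: a server with the "Basic256Sha256,None" workaround applied.
WORKAROUND = [
    _ep(SESSION_URL, "None", "None", 0),
    _ep(SESSION_URL, "Basic256Sha256", "SignAndEncrypt", 3),
]
# Constructed: a secure-only server; discovery is answered, sessions must be secured.
SECURE_ONLY = [
    _ep(SESSION_URL, "Basic256Sha256", "Sign", 2),
    _ep(SESSION_URL, "Basic256Sha256", "SignAndEncrypt", 3),
]

def is_unsecured(ep):
    """True if a session on this endpoint would be neither signed nor encrypted."""
    return ep["securityPolicyUri"].endswith("#None") or ep["securityMode"] == "None"

def audit_endpoints(endpoints):
    """Return the endpoint descriptions that still permit an unsecured session."""
    return [ep for ep in endpoints if is_unsecured(ep)]

def select_session_endpoint(endpoints, allowed_policies=("Basic256Sha256",)):
    """Choose the session endpoint from the returned descriptions, never from
    the URL that was used for discovery, and never an unsecured one."""
    candidates = [
        ep for ep in endpoints
        if not is_unsecured(ep)
        and ep["securityPolicyUri"].rsplit("#", 1)[-1] in allowed_policies
    ]
    if not candidates:
        raise ValueError("server offers no endpoint with an allowed security policy")
    # Higher securityLevel is the server's own ranking of its endpoints.
    return max(candidates, key=lambda ep: ep["securityLevel"])

if __name__ == "__main__":
    for name, eps in (("workaround", WORKAROUND), ("secure-only", SECURE_ONLY)):
        chosen = select_session_endpoint(eps)
        print(name, "unsecured offered:", len(audit_endpoints(eps)),
              "->", chosen["endpointUrl"], chosen["securityMode"])
```
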