manualshive.com logo in svg

Siemens CP 1542SP-1, Operating Instructions Manual, Page: 50 / 118

Share
Download
Siemens CP 1542SP-1 Operating Instructions Manual Download Page 50

Configuration 

 

4.1 Security recommendations 

 

CP 154xSP-1 

50

 

Operating Instructions, 12/2019, C79000-G8976-C426-05 

Security functions of the product 

Use the options for security settings in the configuration of the product. These includes 

among others: 

 

Protection levels 
Configure a protection level of the CPU. 
You will find information on this in the information system of STEP 7. 

 

Disabling the bus adapter ports 
In the configuration disable a port of the bus adapter being used that is not required. 

 

Security function of the communication 

 

Enable the security functions of the CP and set up the firewall. 
If you connect to public networks, you should use the firewall. Think about the services 

you want to allow access to the station via public networks. By limiting the 

"transmission speed" via IP packet filter rules in the firewall, you make use of the 

possibility of restricting flooding and DoS attacks. 

 

Use the secure protocol variants NTP (secure) and SNMPv3. 

 

Use the security functions of the telecontrol protocols, e.g. the DNP3 security options. 

 

Use the secure Open User Communication (Secure OUC) via the appropriate program 

blocks. 

 

Leave access to the Web server of the CPU deactivated. 

 

Protection of the passwords for access to program blocks 
Protect the passwords stored in data blocks for the program blocks from being viewed. 

You will find information on the procedure in the STEP 7 information system under the 

keyword "Know-how protection". 

 

Logging function 
Enable the function in the security configuration and check the logged events regularly for 

unauthorized access. 

Passwords 

 

Define rules for the use of devices and assignment of passwords. 

 

Regularly update the passwords to increase security. 

 

Only use passwords with a high password strength. Avoid weak passwords for example 

"password1", "123456789" or similar. 

 

Make sure that all passwords are protected and inaccessible to unauthorized personnel. 
See also the preceding section for information on this. 

 

Do not use one password for different users and systems. 

Summary of Contents for CP 1542SP-1

Page 1: ...2SP 1 IRC CP 1543SP 1 12 2019 C79000 G8976 C426 05 Preface Application and functions 1 LEDs and connectors 2 Installation wiring commissioning 3 Configuration 4 Program blocks 5 Diagnostics and maintenance 6 Technical specifications 7 Approvals A Dimension drawings B Accessories C Documentation references D ...

Page 2: ... only by personnel qualified for the specific task in accordance with the relevant documentation in particular its warning notices and safety instructions Qualified personnel are those who based on their training and experience are capable of identifying risks and avoiding potential hazards when working with these products systems Proper use of Siemens products Note the following WARNING Siemens p...

Page 3: ...on 1 Firmware version V2 1 Communications processor for connecting a SIMATIC ET 200SP CPU via Industrial Ethernet to a control center TCSB ST7 DNP3 IEC 60870 5 104 CP 1543SP 1 Article number 6GK7543 6WX00 0XE0 Hardware product version 1 Firmware version V2 1 Communications processor for connecting a SIMATIC ET 200SP CPU to Industrial Ethernet Security Figure 1 CP 1542SP 1 with plugged in BusAdapte...

Page 4: ...mes are listed in the text or in the section header New in this edition New firmware version V2 1 with the following functions among others Support of additional SDTs for OUC blocks Greater number of configurable data points telecontrol see Configuration limits and performance data Page 24 Direct communication of the CP 1542SP 1 IRC between DNP3 IEC 60870 5 Description of the functions of firmware...

Page 5: ...pprovals accessories Configuration manuals CP 1542SP 1 IRC Configuration of the CP 1542SP 1 IRC is described in the following additional documents SINAUT ST7 system manual Volume 3 Configuration under STEP 7 Professional TIA Portal Configuration manual Telecontrol Basic Configuration and diagnostics in STEP 7 Professional TIA Portal Configuration manual DNP3 Configuration and diagnostics in STEP 7...

Page 6: ...n of plants systems machines and networks In order to protect plants systems machines and networks against cyber threats it is necessary to implement and continuously maintain a holistic state of the art industrial security concept Siemens products and solutions constitute one element of such a concept Customers are responsible for preventing unauthorized access to their plants systems machines an...

Page 7: ...g and the disposal of your old device contact a certified disposal company for electronic scrap or your Siemens contact Keep to the local regulations You will find information on returning the product on the Internet pages of Siemens Industry Online Support Link https support industry siemens com cs ww en view 109479891 SIMATIC NET glossary Explanations of many of the specialist terms used in this...

Page 8: ...Preface CP 154xSP 1 8 Operating Instructions 12 2019 C79000 G8976 C426 05 ...

Page 9: ...tware requirements 28 1 10 Configuration examples 28 2 LEDs and connectors 35 2 1 LEDs 35 2 2 Power supply 36 2 3 Connector for the BusAdapter 37 3 Installation wiring commissioning 39 3 1 Important notes on using the device 39 3 1 1 Notes on use in hazardous areas 39 3 1 2 Notes on use in hazardous areas according to ATEX IECEx 41 3 1 3 Notes on use in hazardous areas according to UL HazLoc 41 3 ...

Page 10: ...etwork 65 4 9 5 2 SINEMA Remote Connect 67 4 9 5 3 Creating a VPN tunnel for S7 communication between stations 70 4 9 5 4 VPN communication with SOFTNET Security Client engineering station 71 4 9 5 5 Establishment of VPN tunnel communication between the CP and SCALANCE M 72 4 9 5 6 CP as passive subscriber of VPN connections 72 4 9 6 SNMP 73 4 9 7 Certificate manager 74 4 10 Messages E mails CP 15...

Page 11: ...Table of contents CP 154xSP 1 Operating Instructions 12 2019 C79000 G8976 C426 05 11 C 1 BusAdapter 109 C 2 Router SCALANCE M 111 D Documentation references 113 Index 117 ...

Page 12: ...Table of contents CP 154xSP 1 12 Operating Instructions 12 2019 C79000 G8976 C426 05 ...

Page 13: ...the ET 200SP to Industrial Ethernet via a copper cable or fiber optic cable It can be used as an additional Ethernet interface of the CPU for S7 communication For the Ethernet connection the CP requires a BusAdapter The BusAdapter is not supplied with the CP For information on the compatible BusAdapters refer to the section BusAdapter Page 109 The three CP types are intended for the following comm...

Page 14: ...s Communications services The following communications services are supported S7 communication and PG OP communication with the following functions PUT GET as client and server for data exchange with S7 stations USEND URCV for uncoordinated data exchange with a remote partner BSEND BRCV for exchanging large volumes of data with a partner PG functions Operator control and monitoring functions HMI F...

Page 15: ...e OUC You will find the program blocks supported by the three CP types in the section Program blocks Page 81 E mail using program blocks HTTP HTTPS Via HTTP HTTPS you can access the Web server of the CPU For telecontrol communication of the CP 1542SP 1 IRC see section Telecontrol communication CP 1542SP 1 IRC Page 16 For information on the Security functions of the CP 1543SP 1 refer to the section...

Page 16: ...Sb is supported as of the following version V3 0 SP3 For the TCSB manual see 4 Page 114 ST7 Proprietary protocol for telecontrol applications in the SINAUT ST7 system The protocol is used to connect the CP to ST7 control centers The SINAUT ST7 supports the following functions among others Communication with the master station Communication with other stations MSC transmission protocol Under SINAUT...

Page 17: ...3 specification named above DNP3 stations outstation CPUs in stations For direct communication the Master function is enabled for the sending data point IEC 60870 5 104 The CP functions as a substation slave Communication is based on the specification IEC 60870 5 Part 104 2006 You will find a detailed overview of the attributes and properties of the IEC specification that are supported by the CP i...

Page 18: ...process image of the CPU the CP can send messages as e mails The data sent by e mail is configured using PLC tags Send buffer The CP saves the values of data points configured as an event in the send buffer It transmits the data from the send buffer spontaneously or bundled to the communications partner The data is not saved retentively It is lost in the event of a power failure Analog value proce...

Page 19: ...e CP firmware version required for communication via SINEMA RC see section Communications services Page 14 Parameter groups You configure communication via SINEMA RC and telecontrol communication via SINEMA RC in two parameter groups Communication via SINEMA RC Security VPN Telecontrol communication via SINEMA RC Communication types For information on the configuration refer to the telecontrol con...

Page 20: ...SP 1 IRC CP 1543SP 1 Security functions are available for the following CP types CP 1543SP 1 The security functions are enabled in the configuration of the CP CP 1542SP 1 IRC You will find a description of the security functions in the telecontrol configuration manuals see 10 Page 115 For information on the security functions of the Open User Communication program blocks see section Program blocks...

Page 21: ...for communication with one or more security modules The CP can be grouped together with other modules to form VPN groups during configuration IPsec tunnels are created between all security modules of a VPN group Remote maintenance via SINEMA Remote Connect It is not necessary and not possible to create a VPN group for communication via a SINEMA RC server The SINEMA RC Server manages the communicat...

Page 22: ...eControl Basic As an integrated security function the telecontrol protocol encrypts the data for transfer between the CP and telecontrol server The interval for the key exchange between the CP and telecontrol server can be set The telecontrol password is used to authenticate the CP on the telecontrol server If the security functions are enabled the CP can process telecontrol communication via SINE...

Page 23: ...dresses according to IPv4 and IPv6 Addressing The IP address the subnet mask and the address of a gateway can be set manually in the configuration As an alternative the IP address can be obtained using program blocks DHCP As an alternative the IP address can be obtained from a DHCP server DCP Discovery and Configuration Protocol is supported Time of day synchronization NTP The CP can synchronize i...

Page 24: ... allows a maximum of two CP 154xSP 1 modules For details of the permitted special modules and the slot rules refer to section Installing the CP Page 42 Connection resources Connection resources valid for all CP variants Number of connections via Industrial Ethernet maximum of 32 in total of which S7 Max 16 TCP IP Max 32 ISO on TCP Max 32 UDP Max 32 Also Online connections of the engineering statio...

Page 25: ...ditor Up to 10 e mails to be sent can be configured Maximum number of characters that can be transferred per e mail 256 ASCII characters including any value sent at the same time CP 1542SP 1 IRC Telecontrol functions of the CP 1542SP 1 IRC Telecontrol connections TeleControl Basic A connection can be established to a single or redundant telecontrol server SINAUT ST7 The CP can establish up to eigh...

Page 26: ...h the CPU parameter group The maximum size of the send buffer with the respective remote control protocol is TeleControl Basic 64000 events SINAUT ST7 32000 events DNP3 100000 events IEC 60870 5 104 100000 events For details of how the send buffer works such as storing events as well as the options for transferring the data see 10 Page 115 Data points The data to be transferred by the CP is assign...

Page 27: ... the ET 200SP The CP supports operation in stations that contain one of the following CPUs CPU 1510SP 1 PN Article number 6ES7510 1DJ01 0AB0 CPU 1510SP F 1 PN Article number 6ES7510 1SJ01 0AB0 CPU 1512SP 1 PN Article number 6ES7512 1DK01 0AB0 CPU 1512SP F 1 PN Article number 6ES7512 1SK01 0AB0 Further parts and modules that are also required to set up the ET 200SP station such as rails I O modules...

Page 28: ...quired STEP 7 in the version specified above CPU firmware To use the CP a CPU 151xSP with a firmware version V2 0 is required 1 10 Configuration examples Below you will find configuration examples for the use of the three CP types CP 1542SP 1 Network separation The CP is used in the ET 200SP to operate lower level networks separately or to achieve separation from the higher level network The ET 20...

Page 29: ...CP 1542SP 1 CP 1543SP 1 Cell protection with security functions The CP communicates encrypted with communications partners in the connected network The firewall monitors the access to the ET 200SP and therefore protects lower level networks This avoids data loss disruptions of production and damage to machines Figure 1 2 Configuration example of an ET 200SP with CP 1543SP 1 ...

Page 30: ...P 1542SP 1 IRC Connection to control centers By using the CP the ET 200SP can be used as a remote terminal unit The following protocols can be used for telecontrol communication TeleControl Basic SINAUT ST7 IEC 60870 5 104 DNP3 Figure 1 3 Configuration example of an ET 200SP with CP 1542SP 1 IRC protocol TeleControl Basic ...

Page 31: ...Application and functions 1 10 Configuration examples CP 154xSP 1 Operating Instructions 12 2019 C79000 G8976 C426 05 31 Figure 1 4 Configuration example of an ET 200SP with CP 1542SP 1 IRC protocol ST7 ...

Page 32: ...on examples CP 154xSP 1 32 Operating Instructions 12 2019 C79000 G8976 C426 05 Figure 1 5 Configuration example of an ET 200SP with CP 1542SP 1 IRC protocol DNP3 A configuration with which the protocol IEC 60870 5 104 is used could look similar ...

Page 33: ...a SINEMA Remote Connect The following figure shows a configuration in which the CP 1542SP 1 IRC communicates with the master station via a SINEMA Remote Connect Server In this example the CP uses the protocol IEC 60870 5 104 Figure 1 6 Configuration example of an ET 200SP with CP 1542SP 1 IRC for telecontrol communication via SINEMA RC ...

Page 34: ...tructions 12 2019 C79000 G8976 C426 05 Remote maintenance with SINEMA RC The following figure shows the connection of different stations with Security CP to an engineering station via SINEMA Remote Connect Server Figure 1 7 Connection of stations to engineering station via SINEMA RC ...

Page 35: ...ance Table 2 1 Legend for the following tables Symbol Meaning LED status ON LED lit OFF LED flashes Any Table 2 2 Meaning of the LED displays of the CP PWR green RN green ER red MT yellow Meaning No supply voltage on the CP or supply voltage too low CP startup CP in RUN mode Error LED display with the following events Duplicate IP address Bus adapter not plugged in or pulled No telecontrol connect...

Page 36: ...rms about the connection status with Ethernet and the frame traffic of the port Table 2 3 Meaning of the LED displays of the bus adapters LK green Meaning No Ethernet connection Possible causes No physical connection to the network Port disabled in the configuration LED flashing test There is an Ethernet connection between the port and communications partner 2 2 Power supply External power supply ...

Page 37: ...polarity protection The connector X80 also has electronic reverse polarity protection You will find further data on the power supply in section Technical specifications Page 99 2 3 Connector for the BusAdapter Operation of the device only with BusAdapter For connecting to Ethernet the CP requires a BusAdapter A BusAdapter does not ship with the CP The slot is on the front of the device Figure 2 2 ...

Page 38: ...LEDs and connectors 2 3 Connector for the BusAdapter CP 154xSP 1 38 Operating Instructions 12 2019 C79000 G8976 C426 05 ...

Page 39: ... caused for example by lightning strikes or switching of higher loads The connector of the external power supply is not protected from strong electromagnetic pulses To protect it an external overvoltage protection module is necessary The requirements of EN61000 4 5 surge immunity tests on power supply lines are met only when a suitable protective element is used A suitable device is for example th...

Page 40: ...onal Electrical Code r ANSI NFPA 70 If the equipment is connected to a redundant power supply two separate power supplies both must meet these requirements WARNING EXPLOSION HAZARD Do not connect or disconnect cables to or from the device when a flammable or combustible atmosphere is present WARNING EXPLOSION HAZARD Replacing components may impair suitability for Class 1 Division 2 or Zone 2 WARNI...

Page 41: ...be taken If the equipment is operated in an air ambient in excess of 50 C only use cables with admitted maximum operating temperature of at least 80 C WARNING Take measures to prevent transient voltage surges of more than 40 of the rated voltage This is the case if you only operate devices with SELV safety extra low voltage 3 1 3 Notes on use in hazardous areas according to UL HazLoc WARNING EXPLO...

Page 42: ...zardous locations only WARNING EXPLOSION HAZARD The equipment is intended to be installed within an ultimate enclosure The inner service temperature of the enclosure corresponds to the ambient temperature of the module Use installation wiring connections with admitted maximum operating temperature of at least 30 ºC higher than maximum ambient temperature 3 2 Installing the CP NOTICE Install and re...

Page 43: ...lation of the rack DIN rail means vertical position of the CP Vertical installation of the rack DIN rail means horizontal position of the CP You will find the permitted temperature ranges in the section Technical specifications Page 99 Installation of the rack Installation position of the CP Horizontal installation of the rack Vertical installation of the rack Slot rules The CPU always occupies sl...

Page 44: ...s must be plugged in to the slot directly beside the IO modules Figure 3 1 Slots of the ET 200SP Installation on a DIN rail Note Protecting the modules from slipping on the DIN rail If you install the modules in an area with mechanical load use suitable clamping devices at both ends of the device group to secure the modules on the DIN rail e g Siemens and retainer 8WA1808 The end retainers prevent...

Page 45: ...Tilt the CP to the back until the mounting rail release audibly locks in place 5 Move the CP to the left until it audibly locks in place in the CPU 6 Mount the other base units and modules accordingly See manual 3 Page 114 for information on this Plugging in the bus adapter NOTICE Touching the plug in contacts Do not touch the plug in contacts when no bus adapter is plugged in 1 Connect the approp...

Page 46: ...ail release of the modules to be moved CPU CPs and move them parallel to the left until they are released from the remaining module group free space approx 16 mm Press the locking slide marked PUSH on the top of a module down to be able to move the module in the DIN rail 3 Activate the mounting rail release on the CP and move it to the right until it is released from the CPU free space approx 8 mm...

Page 47: ... 5 mm2 AWG 24 13 With wire end ferrule 0 25 1 5 mm2 AWG 24 16 With TWIN wire end ferrule 0 5 1 0 mm2 AWG 20 17 You will find information about the power consumption and further technical details of the connectors in section Technical specifications Page 99 3 4 Commissioning the CP Requirement Configuration prior to commissioning A prerequisite for full commissioning of the module is the completene...

Page 48: ... using security functions such as SINEMA Remote Connect the CP needs the current time for authentication on the partner or on the SINEMA RC Server The CP receives the time from the CPU or from an NTP server before the connection is established for the first time Recommendation During commissioning set the time of the CPU manually at least once using the STEP 7 online functions This is necessary es...

Page 49: ...new features on the Siemens Internet pages Here you can find information on Industrial Security Link http www siemens com industrialsecurity You can find a selection of documentation on the topic of network security here Link https support industry siemens com cs ww en view 92651441 Keep the firmware up to date Check regularly for security updates of the firmware and use them Information regarding...

Page 50: ... the secure protocol variants NTP secure and SNMPv3 Use the security functions of the telecontrol protocols e g the DNP3 security options Use the secure Open User Communication Secure OUC via the appropriate program blocks Leave access to the Web server of the CPU deactivated Protection of the passwords for access to program blocks Protect the passwords stored in data blocks for the program blocks...

Page 51: ...rotocol function Protocols that the device supports Port number protocol Port number assigned to the protocol Default of the port Open The port is open at the start of the configuration Closed The port is closed at the start of the configuration Port status Open The port is always open and cannot be closed Open after configuration The port is open if it has been configured Open login when configur...

Page 52: ... a security vulnerability To avoid opening the port during online diagnostics see section Online security diagnostics via port 8448 CP 1542SP 1 IRC CP 1543SP 1 Page 90 Table 4 2 Server ports only CP 1542SP 1 IRC and CP 1543SP 1 Protocol function Port number pro tocol Default of the port Port status Authentication Online diagnostics 102 TCP Closed Open after configuration No Communication via SINEM...

Page 53: ...S 465 TCP NTP 123 UDP DNS 53 UDP SINEMA RC Autoconfiguration 443 TCP can be set SINEMA RC and OpenVPN 1194 UDP can be set in SINEMA RC IPSec 500 TCP Syslog 514 UDP 4 2 Configuration in STEP 7 Configuration in STEP 7 You configure the modules and networks in SIMATIC STEP 7 You will find the required version in the section Software requirements Page 28 Note Configuration of the CP 1542SP 1 IRC You w...

Page 54: ...thernet subnet 6 Configure the inserted CPs When the device view of the CP is open you can find the BusAdapters in a separate catalog directory You will find detailed information about the security functions in the section Security CP 1543SP 1 Page 62 7 Optional Create the program blocks for the Open User Communication 8 Save and compile the project Here you will find information on individual par...

Page 55: ...e diagnostics of the CPU with a direct connection to the interface of the CPU however remains possible Enabling S7 communication Enables the functions of S7 communication with a SIMATIC S7 on the CP If you configure S7 connections to the relevant station and these run via the CP you will need to enable this option Open User Commmunication does not need to be enabled since you then need to create t...

Page 56: ...cription of telecontrol specific transmission settings of the CP 1542SP 1 IRC in the relevant configuration manual see Documentation references Page 113 BA BusAdapter To connect to the Ethernet network the CP requires a BusAdapter A BusAdapter does not ship with the CP You will find the supported BusAdapters in appendix BusAdapter Page 109 Inserting a BusAdapter As default setting the CP uses a BA...

Page 57: ...commended at intervals of approximately 10 seconds This achieves as small a deviation as possible between the internal time and the UTC time Note Consistent time of day synchronization via NTP NTP secure Up to firmware version V2 0 of the CP both the CPU and CP can have the time of day synchronized using NTP In this case only have the time of day of the station from an external time source synchro...

Page 58: ...the time to the CPU The CPs provides the CPU with the option of taking its time of day from the CP using a PLC tag See section Communication with the CPU Page 59 for more on this When the CPU takes the time from the CP using a PLC tag disable the CPU s own time of day synchronization Procedure for time of day synchronization The time of day synchronization procedures of the respective CP types are...

Page 59: ...ia the host name FQDN When addressing a communications partner as FQDN you need to configure a DNS server The IP address IPv4 IPv6 of the communications partner is then determined via the configured DNS server When using IPv6 addresses make sure to configure the DNS servers accordingly 4 7 Communication with the CPU Validity CP 1542SP 1 CP 1543SP 1 You will find the description of the CP 1542SP 1 ...

Page 60: ...ostics With the parameter group you have the option of reading out advanced diagnostics data from the CP Enable advanced CP diagnostics Enable the option to use advanced CP diagnostics If the option is enabled at least the Diagnostics trigger tag must be configured The following PLC tags for the individual items of diagnostics data can be enabled selectively Diagnostics trigger tag If the PLC tag ...

Page 61: ...ished 0 No tunnel established 1 Tunnel established 4 8 SNMP SNMP parameter group Enable SNMP parameter group Releases the function of the SNMP agent on the CP Scope of performance of the CPs The CPs support the following SNMP version CP 1542SP 1 SNMPv1 CP 1543SP 1 CP 1542SP 1 IRC SNMPv1 SNMPv3 with activated Security functions If the security functions are enabled you will find the parameter group...

Page 62: ...Creating a security user You need the relevant configuration rights to be able to configure security functions For this purpose you need to create at least one security user with the corresponding rights Navigate to the global security settings User and roles Users tab 1 Create a user and configure the parameters 2 Assign this user the role NET Standard or NET Administrator in the area below Assig...

Page 63: ...ho Request the previously globally created service Action Accept From Station To External Service ICMPv4 6 service Echo Reply the previously globally created service 4 For the IP rule for the Echo Request service enter the IP address of the engineering station under Source IP address With these rules the CP can only be reached from the engineering station with ICMP packets ping via the firewall No...

Page 64: ...value for filtering the system events is set too high you may not be able to achieve the maximum performance for the communication The high number of output error messages can delay or prevent the processing of the communications connections In Security Log settings Configure system events set the Level parameter to the value 3 Error to ensure the reliable establishment of the communications conne...

Page 65: ...e mail service provider which option is supported If you want to use an Internet connection with an IPv6 infrastructure note the information in the section IPv6 Page 55 4 9 5 VPN 4 9 5 1 VPN Virtual Private Network VPN IPsec Virtual Private Network VPN is a technology for secure transportation of confidential data in public IP networks for example the Internet With VPN a secure connection IPsec tu...

Page 66: ...end to site connection Secure access to a server end to end connection Communication between two servers without being accessible to third parties end to end or host to host connection Ensuring information security in networked automation systems Securing the computer systems including the associated data communication within an automation network or secure remote access via the Internet Secure re...

Page 67: ...cations partners must be configured in the SINEMA RC Server Exporting the CA certificate optional If you want to use the server certificate as authentication method of the communications module during connection establishment export the CA certificate from SINEMA RC Server Then import the CA certificate from SINEMA RC Server to the engineering station Alternatively you can use the fingerprint of t...

Page 68: ... select the authentication method of the communications module during connection establishment CA Certificate Under CA certificate select the CA certificate from SINEMA RC Server that was previously imported and assigned in the local certificate manager The module generally checks the CA certificate of the server and its validity period The two options cannot be changed Fingerprint When you select...

Page 69: ...ction is interrupted the CP automatically re establishes the connection If the connection parameters are changed by the SINEMA Remote Connect Server the CP requests the new connection data after the update interval configured above has elapsed PLC trigger The option is intended for sporadic communication of the module via the SINEMA RC Server You can use this option when you want to establish temp...

Page 70: ...need to make further settings Procedure To create a VPN tunnel you need to work through the following steps 1 Creating a security user If the security user has already been created Log on as this user 2 Enable the Activate security features option 3 Creating the VPN group and assigning security modules 4 Configure the properties of the VPN group 5 Configure local VPN properties of the two CPs You ...

Page 71: ...me Note Specifying the VPN properties of the CPs You specify the VPN properties of the CPs in the Security Firewall VPN parameter group of the relevant module Result You have created a VPN tunnel The firewalls of the CPs are activated automatically The Activate firewall check box is selected by default when you create a VPN group You cannot disable the option Download the configuration to all modu...

Page 72: ...el between the CP and a SCALANCE M router as described for the stations VPN tunnel communication will only be established if you have selected the check box Perfect Forward Secrecy in the global security settings of the created VPN group VPN groups Authentication If the check box is not selected the CP rejects establishment of the tunnel 4 9 5 6 CP as passive subscriber of VPN connections Setting ...

Page 73: ...community strings see below SNMPv1 Use SNMPv3 Enables the use of SNMPv3 for the device For information on the configuration of the required algorithms see below SNMPv3 SNMPv1 The community strings need to be sent along with queries to the device via SNMPv1 Note the use of lowercase letters with the preset community strings Reading community string The string is required for read access Leave the p...

Page 74: ...ication via VPN connections Certificates generated by STEP 7 such as SSL certificates or VPN group certificates are automatically assigned to the corresponding modules and do not need to be assigned using the local security settings The local certificate manager Certificates that were imported via the certificate manager in the global security settings are not automatically assigned to the corresp...

Page 75: ...he certificates in the CP configuration Select the following certificates in the CP configuration Table Device certificates The device certificate of the CP generated by STEP 7 Table Certificates of the partner devices The imported certificate of the partner 4 10 Messages E mails CP 1543SP 1 Validity Validity CP 1543SP 1 You will find the description of the CP 1542SP 1 IRC in the relevant configur...

Page 76: ...e CP Shortcut menu Open the data point and messages editor Via the project navigation Station Local modules CP Messages Double clicking on the Messages entry opens the editor Creating messages You create a new message by double clicking Add in the first table row with the grayed out entry You can change the default name of an e mail Alarm but it must be unique within the module Message parameters ...

Page 77: ...e trigger bit can be configured for each e mail For information on the trigger bit see below Resetting the trigger bit If the memory area of the trigger bit is in the memory area or in a data block the trigger bit is reset to zero when the message is sent In all other cases you need to reset the trigger bit with the user program Note Fast setting of the diagnostics trigger tag Trigger should not b...

Page 78: ...elect a PLC tag whose value is integrated in the message can be the placeholder for a variable with a simple data type up to a size of 32 bits The respective current value is entered in the message text instead of the placeholder To do this enter as a placeholder for the value to be sent in the message text Editor view Arranging columns and rows As with many other programs you can also arrange the...

Page 79: ...self to the broadest entry in this column Showing hiding columns You call this function using the shortcut menu that opens when you right click on a column header Copy messages If you right click in the row of an object in the table you can access the following copy functions from the shortcut menu Cut Copy Paste You can paste cut or copied objects within the table or in the first free row below t...

Page 80: ...Configuration 4 10 Messages E mails CP 1543SP 1 CP 154xSP 1 80 Operating Instructions 12 2019 C79000 G8976 C426 05 ...

Page 81: ...ifferent versions of a program block in a station Program blocks Together with the three CP types the following OUC blocks with the specified minimum version are available to the CPU TSEND_C V3 0 TRCV_C V3 0 Compact blocks for Connection establishment termination and sending data Connection establishment termination and receiving data As an alternative use TCON V4 0 TDISCON V2 1 Connection establi...

Page 82: ...criptions in system data types SDTs For the connection description the blocks listed above use the parameter CONNECT or MAIL_ADDR_PARAM with TMAIL_C The connection description is stored in a data block whose structure is specified by the system data type SDT Creating an SDT for the data blocks Create the SDT required for every connection description as a data block global DB The SDT type is not cr...

Page 83: ... address TMail_FQDN For transferring e mails addressing the e mail server using its name FQDN Additionally for CP 1542SP 1 IRC and CP 1543SP 1 TMail_V4_SEC For secure transfer of e mails addressing the e mail server using an IPv4 address TMail_V6_SEC For secure transfer of e mails addressing the e mail server using an IPv6 address TMail_QDN_SEC For secure transfer of e mails addressing the e mail ...

Page 84: ...k the connection must also be terminated by calling TDISCON Make sure that you take this into account in your programming 5 2 Changing the IP parameters during runtime Changing the IP address during runtime As of STEP 7 V14 you can change the following address parameters of the CP program controlled during runtime with T_CONFIG IP address Subnet mask Router address Note Changing the IP parameters ...

Page 85: ... the address parameters of DNS servers IF_CONF_DNS and NTP servers IF_CONF_NTP can also be changed program controlled The following program blocks and system data types can be used T_CONFIG Together with the following SDTs IF_CONF_V4 IF_CONF_V6 IF_CONF_NTP IF_CONF_DNS You can find detailed information on the blocks and SDTs in the STEP 7 information system 5 3 MODBUS blocks MODBUS TCP All three CP...

Page 86: ...Program blocks 5 3 MODBUS blocks CP 154xSP 1 86 Operating Instructions 12 2019 C79000 G8976 C426 05 ...

Page 87: ...nostics information from the CP from an engineering station on which the project with the CP is stored CP 1542SP 1 IRC CP 1543SP 1 If you want to operate online diagnostics with the station via the CP you need to activate the Enable online functions option under Communication types as a prerequisite Diagnostics group The diagnostics pages are divided into the following groups General This group di...

Page 88: ... the data is written to a log file With the function Save you can save the log file on the engineering station and then analyze it Time of day Information on the time on the device Security This group is available for modules with security functions Status This diagnostics page displays the most important security settings the time of day and data relating to the configuration System log You can s...

Page 89: ...fer to the section Web server of the CPU Page 93 SNMP For information on the functions refer to the section Diagnostics with SNMP Page 90 Diagnostics e mail Validity CP 1542SP 1 IRC CP 1543SP 1 The two CPs can send a diagnostics e mail if configurable events occur for example a partner cannot be reached or CPU STOP The configuration is described in section Messages E mails CP 1543SP 1 Page 75 Tele...

Page 90: ...Security parameter group click the Connect online button In this way you perform the security diagnostics via port 8448 See also Settings for online security diagnostics and downloading to station with the firewall activated Page 63 6 3 Diagnostics with SNMP Requirement The requirement for using SNMP is the enabling of the function in the configuration see section SNMP Page 61 SNMP Simple Network ...

Page 91: ...NMP version CP 1542SP 1 SNMPv1 CP 1543SP 1 CP 1542SP 1 IRC SNMPv1 SNMPv3 with activated Security functions For information on configuring SNMPv3 see section SNMP Page 73 Traps are not supported by the CP Supported MIBs in SNMPv1 The CPs support the following MIBs MIB II acc to RFC1213 The CP supports the following groups of MIB objects System Interfaces IP ICMP TCP UDP SNMP LLDP MIB ...

Page 92: ...rmation about the CP interfaces IP IPv4 IPv6 ICMP TCP UDP SNMP The following groups of the standard MIB II are not supported Adress Translation AT EGP Transmission LLDP MIB Access rights using community names SNMPv1 As default setting the CP uses the following community strings to control the permissions for access to the SNMP agent Table 6 1 Access rights in the SNMP agent Type of access Communit...

Page 93: ...en the corresponding project on the engineering station 2 Select the CPU of the station involved in STEP 7 3 Select the Web server entry 4 In the parameter group General select the Enable Web server for this interface option 5 In the user management create a user with suitable rights on the CPU To load firmware you need to assign this user the right to perform firmware updates in the access level ...

Page 94: ...ss 3 Press the Enter key The start page of the Web server opens 4 Click on the Download certificate entry at the top right of the window The Certificate dialog opens 5 Download the certificate to your PC by clicking the Install certificate button The certificate is loaded on your PC You will find information on downloading a certificate in the help of your Web browser and in the STEP 7 information...

Page 95: ... certificate was detected by the SMTP client 8407 Request to use SSL was denied 8408 The client could not obtain a socket for creating a TCP IP connection to the mail server 8409 It is not possible to write via the connection Possible cause The communications partner reset the connection or the connection aborted 8410 It is not possible to read via the connection Possible cause The communications ...

Page 96: ...01 Syntax error Check the following configuration data Alarm configuration E mail data Content Recipient address To or Cc 8502 Syntax error Check the following configuration data Alarm configuration E mail data Content Email address sender 8535 SMTP authentication incomplete Check the User name and Password parameters in the CP configuration 8550 SMTP server cannot be reached You have no access ri...

Page 97: ...te Duration of the firmware update Downloading a new firmware file can take several minutes Note that the procedure takes longer the larger the station due to I O modules Always wait until the completion of the firmware update can be recognized from the LEDs LED pattern Maintenance demanded End of the firmware update Loading the firmware with the online functions of STEP 7 via Ethernet Requirement...

Page 98: ...he Status output box You will find further information on the online functions in the STEP 7 information system 6 7 Module replacement CAUTION Read the system manual SIMATIC ET 200SP Distributed I O System Prior to installation connecting up and commissioning read the relevant sections in the system manual SIMATIC ET 200SP Distributed I O System refer to the documentation in the Appendix When inst...

Page 99: ...erminal block for socket Two terminals with reverse polarity protec tion 2 x two terminal for single or redundant power supply Power supply external Type of voltage Permitted low limit Permitted high limit 24 VDC 19 2 V 28 8 V Current consumption From backplane bus 3 3 V 4 mA typ From 24 V DC external With BusAdapter BA 2xRJ45 typ max With BusAdapter BA 2xLC typ max With BusAdapter BA SCRJ typ max...

Page 100: ...uring transportation 40 70 C Relative humidity During operation 95 at 25 C no condensation Design dimensions and weight Module format Compact module ET 200SP Degree of protection IP20 Weight Without bus adapter With bus adapter 2xRJ45 180 g 230 g Dimensions W x H x D 60 x 117 x 74 mm Installation options DIN rail 35 mm Mean Time Between Failures MTBF At 40 C At 60 C 56 87 years 24 78 years Product...

Page 101: ...ficial documentation of the European Union 2014 34 EU ATEX explosion protection directive Directive of the European Parliament and the Council of 26 Febrary 2014 on the approximation of the laws of the Member States concerning equipment and protective systems intended for use in potentially explosive atmospheres official journal of the EU L96 29 03 2014 pages 309 356 2014 30 EU EMC EMC directive o...

Page 102: ...ou can find on the Internet at the following address Link https support industry siemens com cs ww en ps The conditions must be met for safe usage of the product according to the section Notes on use in hazardous areas according to ATEX IECEx Page 41 You should also note the information in the document Use of subassemblies modules in a Zone 2 Hazardous Area that you can find on the Internet at the...

Page 103: ... Electromagnetic Compatibility EMC directive Applied standards EN 61000 6 4 Electromagnetic compatibility EMC Part 6 4 Generic standards Emission standard for industrial environments EN 61000 6 2 Electromagnetic compatibility EMC Part 6 2 Generic standards Immunity for industrial environments RoHS The CP meets the requirements of the EC directive 2011 65 EU on the restriction of the use of certain...

Page 104: ...0 3611 3810 ANSI ISA 61010 1 Equipment rating Class I Division 2 Group A B C D Temperature Class T4 Ta 60 C Class I Zone 2 Group IIC Temperature Class T4 Ta 60 C Ta Refer to the temperature class on the type plate of the CP Observe the conditions for safe usage of the CP according to the section General notices on use in hazardous areas according to FM Page 42 Australia RCM The CP meets the requir...

Page 105: ...itted to the relevant authorities and approval centers for approvals relating to specific markets and applications If you require a list of the current approvals for individual devices consult your Siemens contact or check the Internet pages of Siemens Industry Online Support Link http support automation siemens com WW view en 45605894 ...

Page 106: ...Approvals CP 154xSP 1 106 Operating Instructions 12 2019 C79000 G8976 C426 05 ...

Page 107: ...CP 154xSP 1 Operating Instructions 12 2019 C79000 G8976 C426 05 107 Dimension drawings B All dimensions in the dimension drawings are in millimeters Figure B 1 Front view of the CP ...

Page 108: ...Dimension drawings CP 154xSP 1 108 Operating Instructions 12 2019 C79000 G8976 C426 05 Figure B 2 Side view left of the CP ...

Page 109: ...apter here BA SCRJ RJ45 The CP supports the following bus adapters BA 2 RJ45 PROFINET bus adapter with the following connectors 2 x Ethernet jack RJ 45 Article number 6ES7193 6AR00 0AA0 BA 2xFC PROFINET bus adapter with the following connectors 2 x direct connection of the bus cable FastConnect Article number 6ES7193 6AF00 0AA0 BA 2xSCRJ PROFINET bus adapter with the following connectors 2 x fiber...

Page 110: ...n of the bus cable FastConnect Article number 6ES7193 6AP40 0AA0 You will find further details in the manual 2 Page 114 and in the Siemens Industry Mall under Link https mall industry siemens com Pinout of the Ethernet interface The table below shows the pin assignment of the Ethernet interface The pin assignment corresponds to the Ethernet standard 802 3 2005 100BASE TX version Table C 1 Pin assi...

Page 111: ...output ADSL2T or ADSL2 ADSL2T analog phone connection Annex A Article number 6GK5816 1AA00 2AA2 ADSL2 ISDN connection Annex B Article number 6GK5816 1BA00 2AA2 SCALANCE M826 2 SHDSL router for IP communication via 2 and 4 wire cables ITU T standard G 991 2 SHDSL biz SHDSL topology Point to point bonding line bridge mode routing mode with VPN firewall NAT 1 Ethernet interface with 4 port switch 1 d...

Page 112: ...ersion Article number 6GK5876 3AA02 2BA2 Version for Korea Article number 6GK5876 3AA02 2EA2 SCALANCE M876 4 4G router for wireless IP communication via LTE mobile phone VPN firewall NAT 1 RJ45 Ethernet interface with 4 port switch 2 SMA antenna connectors MIMO technology 1 digital input 1 digital output Version for Europe Article number 6GK5876 4AA00 2BA2 Version for North America Article number ...

Page 113: ...ur Siemens representative You will also find the product information in the Siemens Industry Mall at the following address Link https mall industry siemens com Manuals on the Internet You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online Support Link https support industry siemens com cs ww en ps 15247 man Go to the required product in the product tree and make the fol...

Page 114: ... AG Link https support industry siemens com cs ww en view 84133942 4 SIMATIC NET TeleControl Server Basic Version V3 Operating Instructions Siemens AG Link https support industry siemens com cs ww en ps 15918 man 5 SIMATIC NET TIM DNP3 System manual Siemens AG Link https support industry siemens com cs ww en ps 15940 man 6 SIMATIC NET Diagnostics and configuration with SNMP Diagnostics manual Siem...

Page 115: ...MATIC NET SINEMA Remote Connect Server Operating Instructions Siemens AG Link https support industry siemens com cs ww en ps 21816 man 9 SIMATIC NET SINAUT ST7 System Manual Volume 1 System and hardware Volume 2 Configuration in STEP 7 V5 Volume 3 Configuration in STEP 7 Professional Siemens AG Link https support industry siemens com cs ww en ps 21771 man 10 SIMATIC NET TeleControl Siemens AG Conf...

Page 116: ...Documentation references 10 CP 154xSP 1 116 Operating Instructions 12 2019 C79000 G8976 C426 05 ...

Page 117: ...nfiguration 75 Quantity 25 Ethernet interface Assignment 110 F Firewall 21 Firmware version 3 Forwarding time of day 58 Frame memory 26 G Gateway VPN 72 Glossary 7 H Hardware product version 3 I IEC 60870 5 104 Device profile 17 Protocol 17 Inter station communication 16 IP address program controlled change 84 IP_CONF_V4 84 IPsec 65 IPv4 23 IPv6 23 M MAC address 3 MIB 90 MODBUS TCP 85 N NTP 58 NTP...

Page 118: ...nections Enable 55 Safety notices 39 Security diagnostics 90 Security functions 22 Send buffer 26 Service Support 7 SIMATIC NET glossary 7 SINEMA Remote Connect 14 Slot rules 43 SMTPS 65 SNMP 24 90 SNMPv3 21 73 STARTTLS 65 STEP 7 version 28 T T_CONFIG 84 TC_CONFIG 84 TCSB Version 16 TeleControl Basic 16 TLS 65 Training 7 V VPN 25 65 W Web server 57 ...

Reviews:

No comments