Protocol-Specific Considerations
This section lists the protocol-specific considerations for Oracle Utilities Live Energy Connect (LEC).
ICCP
The ICCP protocol (IEC 60870-6/TASE.2) is based on MMS (ISO 9506) and allows for both client and server roles. ICCP and MMS allow for TCP/IP connections to be inbound, outbound, or both, irrespective of the client/server role. The default MMS IP port is 102.
By default, the LEC Server listens on localhost:102. To override this when required to allow an inbound connection, the following command line modification must be added (via the Extra params field in the LCM Server tab): /listen=<interface> (example: /listen=192.168.1.1). You can specify 0.0.0.0 to listen on all local interfaces. For more information refer to the LEC Configuration Manager User Guide.
MMS TCP/IP port 102 connections and traffic must be allowed between the LEC machine and any configured ICCP peers, based on the connection inbound/outbound configurations.
Secure ICCP
Secure ICCP is simply ICCP tunneled via TLS, with some additional protocol message signing. Default settings for ICCP as described above are sufficient and no override is required. When the LEC Server is configured to accept inbound Secure ICCP connections, it always listens on localhost for TCP/IP connections on the standard Secure ICCP port 3782.
Secure ICCP TCP/IP port 3782 connections and traffic must be allowed between the LEC Server machine and any configured Secure ICCP peers, based on the connection inbound/outbound configurations.
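The following is an added example, not part of the Oracle documentation: a small Python audit that compares the ICCP listeners a host actually exposes with the binding implied by the /listen= value in Extra params. The netstat text is a constructed sample, the function names are hypothetical, and only port 102 is compared against /listen=, while port 3782 is reported as observed.

```python
import re

# Ports stated on this page: ICCP/MMS on 102, Secure ICCP on 3782.
ICCP_PORTS = {102: "ICCP", 3782: "Secure ICCP"}
LOOPBACK = {"127.0.0.1", "[::1]"}
WILDCARD = {"0.0.0.0", "[::]"}

# Constructed sample in the layout of Windows `netstat -ano` (not a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:102            0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:3782         0.0.0.0:0              LISTENING       4312
  TCP    192.168.1.1:443        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.1:102        10.0.0.7:51234         ESTABLISHED     4312
"""

def listen_param(extra_params):
    """Return the address from /listen=<interface>, or None when it is absent."""
    m = re.search(r"(?:^|\s)/listen=(\S+)", extra_params)
    return m.group(1) if m else None

def listeners(netstat_text):
    """Yield (address, port) for every TCP socket in the LISTENING state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            addr, _, port = f[1].rpartition(":")  # rpartition keeps "[::]" intact
            yield addr, int(port)

def exposure(addr):
    """Classify how widely a bound address is reachable."""
    if addr in WILDCARD:
        return "all-interfaces"
    return "loopback" if addr in LOOPBACK else "single-interface"

def audit(netstat_text, extra_params=""):
    """Return (port, address, exposure, matches_listen) for each ICCP listener."""
    intended = listen_param(extra_params) or "127.0.0.1"  # page: default is localhost
    rows = []
    for addr, port in listeners(netstat_text):
        if port in ICCP_PORTS:
            ok = (addr == intended) if port == 102 else None  # 3782: not compared
            rows.append((port, addr, exposure(addr), ok))
    return sorted(rows, key=lambda r: r[:2])

if __name__ == "__main__":
    for port, addr, exp, ok in audit(SAMPLE_NETSTAT, "/listen=192.168.1.1"):
        print(f"{ICCP_PORTS[port]:<12} {addr}:{port:<5} {exp:<16} matches /listen=: {ok}")
```

A row with exposure "all-interfaces", or with a False match on port 102, means the listener is reachable more widely than the configuration intends, so firewall rules should limit it to the configured peers.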
OPC UA
OPC UA is a TCP/IP protocol that allows both client and server roles. OPC UA servers listen for TCP/IP connections, and clients make outbound TCP/IP connections, on configurable ports.
OPC UA allows for both unencrypted/unauthenticated and encrypted/authenticated connections with varying levels of security:
- Basic256/Sha256 (most secure)
- Basic256
- Basic256/Sha15
By default, when the LEC Server is configured as an OPC UA server or client, Basic256/Sha256 is used. This can be overridden to use lesser security when required (example: when connecting with a legacy system). For more information, refer to Configure LEC as an OPC UA/ICCP Front End to an OEM Application.
Unencrypted/unauthenticated connections should only be used when absolutely necessary and such usage requires that the operating network be secured.
OPC UA uses configurable IP ports. TCP/IP connections and traffic must be allowed between the Server machine and any configured OPC UA client/server peers based on the connection inbound/outbound configurations.
DNP3
DNP3 (IEEE 1815) is a protocol that uses TCP/IP or UDP/IP as a transport layer. LEC Server can be configured to accept inbound connections, make outbound connections, listen for inbound UDP messages, and send outbound UDP messages.
DNP3 is an unsecured protocol that offers neither encryption nor authentication and therefore must only be enabled for use on a secure operating network.
DNP3 uses configurable IP ports. TCP/IP connections and traffic must be allowed between the Server machine and any configured DNP3 master/outstation (client/server) peers based on connection and listen inbound/outbound configurations.
REST
The LEC Server REST interface implements an HTTPS REST client and server. The REST server handles inbound HTTPS REST requests (example: GET, POST, PUT, …) to read and write data. The REST client pushes data to a configurable external REST server. Both the client and server use standard HTTPS (TLS 1.x) security for encryption and can use client certificate or Windows Native authentication. Microsoft IIS on the local machine is used as a reverse HTTPS proxy for inbound HTTPS connections.
IIS must be installed and configured as an HTTPS reverse proxy to use the Server REST in production. For more information refer to the LEC RESTful API Specification and Configuration Guide. IIS listens for inbound HTTPS connections on either the standard or an alternatively configured TCP/IP port.
When configured as a REST client, the remote REST server must be configured to use secure HTTPS URLs and client/server authentication. For more details refer to the LEC RESTful API Specification and Configuration Guide.
Current standards for HTTPS security, certificate key length, etc., should be followed.
RTP/NMS
When LEC Server is configured as an ICCP or DNP3 front end for Oracle Utilities Network Management System, the Server's RTP binary protocol is used. RTP is a simple TCP/IP protocol that operates on a configurable port. Connections originate from Oracle Utilities Network Management System to the Server.
RTP is an unsecured protocol that offers neither encryption nor authentication and therefore must only be enabled for use on a secure operating network.
TCP/IP connections and traffic must be allowed from the Oracle Utilities Network Management System machine to the Server machine on the configured port.