To connect to a server, a client needs information like network address, protocol, and security settings. For this purpose, OPC UA defines a set of discovery features.

For the connection between client and server, OPC UA provides different security features for different purposes and for different levels of security:
- Application Authentication based on Certificates.
- Secure communication channel with message signing and encryption based on Security Policies.
- User Authentication based on different user tokens.
- Access control down to nodes and attributes.
- Audit mechanisms for connection establishment, Write and Call services.

All information which is required to establish a connection between client and server is stored in a so-called endpoint. A server can provide several endpoints, each containing:
- Endpoint URL (protocol and network address).
- Security Policy (name for a set of security algorithms and key lengths).
- Message Security Mode (security level for exchanged messages: None, Sign or SignAndEncrypt).
- User Token Type (types of user authentication supported by the server).

If several OPC UA servers exist, a Discovery Server can be used to provide information about available servers. Servers can register at the Discovery Server. Clients may then request a list of all available servers from the Discovery Server and then use the GetEndpoints service to get connection information from a server.

The initial configuration on client and server side, the different options to find available servers, and the connection establishment between client and server are described in the following sections.

Security Policy

A Security Policy specifies which security mechanisms are to be used for the Secure Channel between client and server. It defines the algorithms for signing and encryption, the algorithm for key derivation, and the key lengths used in these algorithms.

A Security Policy is derived from a security profile defined in OPC UA Part 7 - Profiles. The security profiles are updated regularly, since specific algorithms may be considered insecure in the future, or a key length may no longer be secure because of increased compute power. Therefore each OPC UA profile specification release may add new Security Policies and may deprecate older Security Policies.

OPC UA defines a unique URI for each Security Policy. The following table contains the currently valid Security Policies:

Security Policy

The following table contains the already deprecated Security Policies:

Deprecated Security Policy

Note: For security reasons, the Security Policies Basic128Rsa15, Basic256 and None should be deactivated by default. None provides neither signing nor encryption; Basic128Rsa15 and Basic256 are deprecated because they rely on SHA-1 signatures (and, in the case of Basic128Rsa15, on PKCS#1 v1.5 RSA padding). It is up to an administrator to enable deprecated Security Policies for backward compatibility, but the user must be warned about the deprecated status of these Security Policies.

Certificates, Certificate Store and Trust List

To identify itself to communication partners, each installed OPC UA application or device needs an Application Instance Certificate and an associated public/private key pair. The public key is distributed with the certificate. The private key has to remain secret and is used to sign and/or decrypt messages. A communication partner can use the public key to verify the trust relation, check the signature of messages, and encrypt messages. A peer's certificate is trusted if it is itself in the trust list or if it chains to a certificate authority in the trust list; in addition, the ApplicationUri carried in the certificate must match the ApplicationUri the peer announces in its application description.

Certificates are filed in a Certificate Store, containing separate locations for trusted and own certificates, as well as certificates from certificate authorities used to verify certificate chains. The Application Instance Certificate, including the public and private key, can either be generated by the application or provided by an administrator.
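The endpoint model and the Security Policy note above, as an added example that is not code from the original page or from any OPC UA SDK: a client filters the endpoints returned by GetEndpoints, never selects the policy None or a deprecated policy on its own, accepts a deprecated policy only when an administrator has opted in, and then returns the warning the user must see. The Security Policy URIs are OPC UA's standard ones (Part 7); the Endpoint type, the sample endpoint list and the preference order among valid policies are this example's own assumptions.

```python
"""Client-side endpoint selection applying the deprecation rule for Security Policies.

Added example; the endpoint list is constructed inline to stand in for a
GetEndpoints response, and the ranking among valid policies is our own choice.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
POLICY_NONE = POLICY_BASE + "None"

# Currently valid policies, ranked by this example (higher is preferred).
VALID_POLICY_RANK: Dict[str, int] = {
    POLICY_BASE + "Basic256Sha256": 1,
    POLICY_BASE + "Aes128_Sha256_RsaOaep": 2,
    POLICY_BASE + "Aes256_Sha256_RsaPss": 3,
}
# Deprecated policies: refused unless an administrator opts in.
DEPRECATED_POLICIES = {
    POLICY_BASE + "Basic128Rsa15",  # SHA-1 signatures, PKCS#1 v1.5 RSA padding
    POLICY_BASE + "Basic256",       # SHA-1 signatures
}

# MessageSecurityMode enumeration values as used on the wire (Part 4).
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3


@dataclass
class Endpoint:
    """The subset of an EndpointDescription that the selection needs (assumed shape)."""
    endpoint_url: str
    security_policy_uri: str
    security_mode: int
    user_token_types: List[str] = field(default_factory=list)


def classify_policy(uri: str) -> str:
    """Return 'valid', 'deprecated', 'none' or 'unknown' for a Security Policy URI."""
    if uri == POLICY_NONE:
        return "none"
    if uri in DEPRECATED_POLICIES:
        return "deprecated"
    if uri in VALID_POLICY_RANK:
        return "valid"
    return "unknown"


def select_endpoint(endpoints: List[Endpoint], required_token: str = "UserName",
                    allow_deprecated: bool = False) -> Tuple[Optional[Endpoint], List[str]]:
    """Pick the strongest acceptable endpoint; (None, []) if nothing is acceptable.

    The second element carries the warning the user must be shown when a
    deprecated policy was chosen because the administrator enabled it.
    """
    best: Optional[Endpoint] = None
    best_key: Optional[Tuple[int, int]] = None
    for ep in endpoints:
        if required_token not in ep.user_token_types:
            continue
        status = classify_policy(ep.security_policy_uri)
        # Policy None or mode None means no signing and no encryption: never
        # chosen automatically.  An unknown URI cannot be implemented at all.
        if status in ("none", "unknown") or ep.security_mode == MODE_NONE:
            continue
        if status == "deprecated":
            if not allow_deprecated:
                continue
            rank = 0  # any valid policy beats an enabled deprecated one
        else:
            rank = VALID_POLICY_RANK[ep.security_policy_uri]
        key = (ep.security_mode, rank)  # SignAndEncrypt beats Sign, then policy rank
        if best_key is None or key > best_key:
            best, best_key = ep, key

    notices: List[str] = []
    if best is not None and classify_policy(best.security_policy_uri) == "deprecated":
        notices.append("WARNING: connecting with deprecated Security Policy "
                       f"{best.security_policy_uri} (enabled by administrator)")
    return best, notices


# Constructed sample: what GetEndpoints on one server might return.
URL = "opc.tcp://plc.example:4840"
SAMPLE_ENDPOINTS = [
    Endpoint(URL, POLICY_NONE, MODE_NONE, ["Anonymous", "UserName"]),
    Endpoint(URL, POLICY_BASE + "Basic128Rsa15", MODE_SIGN_AND_ENCRYPT, ["UserName"]),
    Endpoint(URL, POLICY_BASE + "Basic256Sha256", MODE_SIGN, ["UserName"]),
    Endpoint(URL, POLICY_BASE + "Basic256Sha256", MODE_SIGN_AND_ENCRYPT, ["UserName"]),
    Endpoint(URL, POLICY_BASE + "Aes256_Sha256_RsaPss", MODE_SIGN_AND_ENCRYPT, ["Certificate"]),
]
LEGACY_ENDPOINTS = SAMPLE_ENDPOINTS[:2]  # a server offering only None and Basic128Rsa15

if __name__ == "__main__":
    for eps, opt_in in ((SAMPLE_ENDPOINTS, False), (LEGACY_ENDPOINTS, False), (LEGACY_ENDPOINTS, True)):
        chosen, notes = select_endpoint(eps, allow_deprecated=opt_in)
        print(chosen.security_policy_uri if chosen else None, notes)
```

With the sample list the client lands on Basic256Sha256 with SignAndEncrypt, ignoring the Sign-only variant of the same policy and the deprecated Basic128Rsa15 endpoint; against the legacy server it connects to nothing until `allow_deprecated=True` is set by an administrator, and then only together with the warning.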
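The key derivation that a Security Policy defines, as an added example that is not code from the original page or from any OPC UA SDK: the P_SHA256 pseudo-random function, the roles of the client and server nonces, and the key lengths below are those OPC UA Part 6 specifies for the Basic256Sha256 policy (a policy the page's table would list; it is not named on this copy of the page). The nonces are constructed test values, not a captured handshake.

```python
"""Symmetric key derivation for an OPC UA Secure Channel (Basic256Sha256 parameters).

Added example.  The PRF, nonce roles and key lengths follow OPC UA Part 6;
the nonces are constructed so that the output is reproducible.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 as defined in Part 6 (same construction as the TLS 1.2 PRF):
    A(0) = seed, A(i) = HMAC_SHA256(secret, A(i-1)),
    output = HMAC_SHA256(secret, A(1) + seed) || HMAC_SHA256(secret, A(2) + seed) || ...
    truncated to `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


@dataclass(frozen=True)
class ChannelKeys:
    signing_key: bytes     # HMAC-SHA256 key for the symmetric signature
    encrypting_key: bytes  # AES-256-CBC key
    iv: bytes              # AES-CBC initialization vector


# Basic256Sha256: 256-bit signing key, 256-bit AES key, 128-bit IV, 32-byte nonces.
SIG_LEN, ENC_LEN, IV_LEN, NONCE_LEN = 32, 32, 16, 32


def derive_keys(secret: bytes, seed: bytes) -> ChannelKeys:
    """Split one P_SHA256 output into signing key, encrypting key and IV, in that order."""
    material = p_sha256(secret, seed, SIG_LEN + ENC_LEN + IV_LEN)
    return ChannelKeys(material[:SIG_LEN],
                       material[SIG_LEN:SIG_LEN + ENC_LEN],
                       material[SIG_LEN + ENC_LEN:])


def derive_channel_keys(client_nonce: bytes, server_nonce: bytes) -> Tuple[ChannelKeys, ChannelKeys]:
    """Client keys use the ServerNonce as secret and the ClientNonce as seed;
    server keys the other way round.  Both sides compute both sets: a peer
    protects what it sends with its own keys and checks what it receives
    with the other side's keys."""
    if len(client_nonce) != NONCE_LEN or len(server_nonce) != NONCE_LEN:
        raise ValueError(f"Basic256Sha256 requires {NONCE_LEN}-byte nonces")
    client_keys = derive_keys(server_nonce, client_nonce)
    server_keys = derive_keys(client_nonce, server_nonce)
    return client_keys, server_keys


def sign_message(key: bytes, message: bytes) -> bytes:
    """Symmetric signature over a message as used on a Basic256Sha256 channel."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_message(key, message), signature)


# Constructed nonces (a real implementation draws them from a CSPRNG).
CLIENT_NONCE = bytes(range(32))
SERVER_NONCE = bytes(range(32, 64))

if __name__ == "__main__":
    client_keys, server_keys = derive_channel_keys(CLIENT_NONCE, SERVER_NONCE)
    print("client signing key:", client_keys.signing_key.hex())
    print("server signing key:", server_keys.signing_key.hex())
    tag = sign_message(client_keys.signing_key, b"OpenSecureChannel done")
    print("server verifies client message:", verify_message(client_keys.signing_key, b"OpenSecureChannel done", tag))
```

Swapping the two nonces swaps the two key sets, which is why the client and the server, each starting from its own nonce as "local", arrive at the same material; a message signed with the client signing key does not verify under the server signing key, so the two directions of the channel are keyed independently.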