This Service Setdefines Servicesused to open a communication channel that ensures the confidentiality and integrity of all Messagesexchanged with the Server. The base concepts for UA security are defined in OPC 10000-2.

The SecureChannel Servicesare unlike other Servicesbecause they are typically not implemented by the OPC UA Applicationdirectly. Instead, they are provided by the communication stack that the OPC UA Applicationis built on. OPC UA Applicationssimply need to verify that a SecureChannelis active whenever it receives a Message. OPC 10000-6describes how the SecureChannel Servicesare implemented with different types of communication stacks.

A SecureChannelis a long-running logical connection between a single Clientand a single Server. This channel maintains a set of keys that are known only to the Clientand Serverand that are used to authenticate and encrypt Messagessent across the network. The SecureChannel Servicesallow the Clientand Serverto securely negotiate the keys to use.

The exact algorithms used to authenticate and encrypt Messagesare described in the security policies for a Server. These policies are exposed via the Discovery Service Set. A Clientselects the appropriate endpoint that supports the desired security policy by the Serverwhen it creates a SecureChannel.

When a Clientand Serverare communicating via a SecureChannelthey verify that all incoming Messageshave been signed and/or encrypted according to the security policy. A UA application is expected to ignore any Messagethat does not conform to the security policy for the channel.

A SecureChannelis separate from the UA Application Session; however, a single UA Application Sessionmay only be accessed via a single SecureChannel. This implies that the UA applicationis able to determine what SecureChannelis associated with each Message. A communication stack that provides a SecureChannelmechanism but that does not allow the application to know what SecureChannelwas used for a given Messagecannot be used to implement the SecureChannel Service Set.

The relationship between the UA Application Sessionand the SecureChannelis illustrated in Figure 8. The UA applications use the communication stack to exchange Messages. First, the SecureChannel Servicesare used to establish a SecureChannelbetween the two communication stacks, allowing them to exchange Messagesin a secure way. Second, the UA applications use the Session Service Setto establish a UA application Session.

image011.png

Figure 8– SecureChannel and Session Services