OPC UA security is concerned with the authentication of Clientsand Servers, the authentication of users, the integrity and confidentiality of their communications, and the verifiability of claims of functionality. It does not specify the circumstances under which various security mechanisms are required. That specification is crucial, but it is made by the designers of the system at a given site and may be specified by other standards.
Rather, OPC UA provides a security model, described in OPC 10000-2, in which security measures can be selected and configured to meet the security needs of a given installation. This model includes security mechanisms and parameters. In some cases, the mechanism for exchanging security parameters is defined, but the way that applications use these parameters is not. This framework also defines a minimum set of security Profilesthat all OPC UA Applicationssupport, even though they may not be used in all installations. Security Profilesare defined in OPC 10000-7.
Application level security relies on a secure communication channel that is active for the duration of the application Sessionand ensures the integrity of all Messagesthat are exchanged. This means users need to be authenticated only once, when the application Sessionis established. The mechanisms for discovering Servers and establishing secure communication channels and application Sessionsare described in OPC 10000-4and OPC 10000-6. Additional information about the Discoveryprocess is described in OPC 10000-12.
When a Sessionis established, the Clientand Serverapplications negotiate a secure communications channel. Digital (X.509) Certificatesare utilized to identify the Clientand Server. The Serverfurther authenticates the user and authorizes subsequent requests to access Objectsin the Server.
OPC UA includes support for security audit trails with traceability between Clientand Serveraudit logs. If a security-related problem is detected at the Server, the associated Clientaudit log entry can be located and examined. OPC UA also provides the capability for Serversto generate Event Notificationsthat report auditable Eventsto Clientscapable of processing and logging them. OPC UA defines security audit parameters that can be included in audit log entries and in audit Event Notifications. OPC 10000-5defines the data types for these parameters. Not all Serversand Clientsprovide all of the auditing features. Profiles,found in OPC 10000-7, indicate which features are supported.
OPC UA security complements the security infrastructure provided by most web service capable platforms.
Transport level security can be used to encrypt and sign Messages. Encryption and signatures protect against disclosure of information and protect the integrity of Messages. Encryption capabilities are provided by the underlying communications technology used to exchange Messagesbetween OPC UA Applications. OPC 10000-7defines the encryption and signature algorithms to be used for a given Profile.
The set of Objectsand related information that the Servermakes available to Clientsis referred to as its AddressSpace. The OPC UA AddressSpacerepresents its contents as a set of Nodes connected by References.
Primitive characteristics of Nodes are described by OPC-defined Attributes. Attributesare the only elements of a Serverthat have data values. Data types that define attribute values may be simple or complex.
To promote interoperability of Clientsand Servers, the OPC UA AddressSpaceis structured hierarchically with the top levels the same for all Servers. Although Nodes in the AddressSpaceare typically accessible via the hierarchy, they may have Referencesto each other, allowing the AddressSpaceto represent an interrelated network of Nodes. The model of the AddressSpaceis defined in OPC 10000-3.
The OPC UA Object Model provides a consistent, integrated set of NodeClassesfor representing Objectsin the AddressSpace. This model represents Objectsin terms of their Variables, Eventsand Methods, and their relationships with other Objects. OPC 10000-3describes this model.
The OPC UA object model allows Serversto provide type definitions for Objectsand their components. Type definitions may be subclassed. They also may be common or they may be system-specific. ObjectTypesmay be defined by standards organizations, vendors or end-users.
This model allows data, Alarmsand Events, and their history to be integrated into a single Server. For example, Serversare able to represent a temperature transmitter as an Objectthat is composed of a temperature value, a set of alarm parameters, and a corresponding set of alarm limits.
The interface between Clientsand Serversis defined as a set of Services.These Servicesare organized into logical groupings called Service Sets. Service Setsare discussed in 0and specified in OPC 10000-4.
OPC UA Servicesprovide two capabilities to Clients. They allow Clientsto issue requests to Serversand receive responses from them. They also allow Clientsto subscribe to Serversfor Notifications. Notificationsare used by the Serverto report occurrences such as Alarms, data value changes, Events, and Programexecution results.
OPC UA Messagesmay be encoded as text (XML or JSON) or in binary format for efficiency purposes. They may be transferred using multiple underlying transports, for example TCP or HTTP. Serversmay provide different encodings and transports as defined by OPC 10000-6.