SecurityKeyServicesis an array of the DataType EndpointDescriptionand definesone or more Security Key Servers(SKS) that manage the security keys for the SecurityGroupassigned to the PubSubGroup. The EndpointDescription DataTypeis defined in OPC 10000-4.

The parameter is null if the SecurityMode is NONE.

Each element in the array is an Endpointfor an SKS that can supply the security keys for theSecurityGroupId. Multiple Endpointsexist because an SKS may have multiple redundant instances. If the SKS supports non-transparent redundancy, each Serverin the redundant set shall have one entry in the array.

The use of the EndpointDescriptionparameters for the SKS selection are defined in Table 31. The main key for the identification of the SKS is the ApplicationUri.

The ApplicationUriis used in the different Serverdiscovery mechanisms to get the OPC UA endpoint information necessary to connect to the SKS.

The combination of SecurityGroupIdand SKS ApplicationUriis the unique key for a SecurityGroupin a PubSubapplication.

Table 31– SecurityKeyService parameter content

Field

Type

Definition for the values

EndpointUrl

String

Shall be null or empty.

Server

ApplicationDescription

The ApplicationDescription DataTypeis defined in OPC 10000-4.

ApplicationUri

String

The ServerUriof the SKS.

ProductUri

String

Can be null or empty.

ApplicationName

LocalizedText

Can be null or empty.

ApplicationType

Enum

ApplicationType

SERVER

The security keys are pulled from the SKS using the Method GetSecurityKeys.

CLIENT

The security keys are pushed from the SKS to the PubSub application using the Method SetSecurityKeys.

CLIENTANDSERVER

Invalid value.

DISCOVERYSERVER

Invalid value.

If the SKS information is sent as part of a discovery announcement message for a WriterGroup, the ApplicationTypeshall be set to SERVER even if the Publisheris configured for push.

GatewayServerUri

String

Shall be null or empty.

DiscoveryProfileUri

String

Shall be null or empty.

DiscoveryUrls []

String

A list of URLs for the DiscoveryEndpointsprovided by the SKS.

ServerCertificate

ApplicationInstance

Certificate

Shall be null or empty.

SecurityMode

MessageSecurityMode

The value shall be SIGNANDENCRYPT.

SecurityPolicyUri

String

ApplicationType SERVER

The URI for SecurityPolicyto use to connect to the SKS.

If the URI is null or empty, the pull access shall use the best available security policy that is also supported by the pull Client.

ApplicationType CLIENT

Shall be null or empty.

UserIdentityTokens []

UserTokenPolicy

ApplicationType SERVER

The user identity tokens that should be used to connect to the SKS.

The default is ANONYMOUS if the array is empty. For ANONYMOUS the authorization for accessing the keys is based on the application authentication.

If the type is USERNAME, a KeyCredentialConfigurationTypeinstance is used to configure user name and password. The ResourceUriof theKeyCredentialConfigurationTypeinstance shall match the ApplicationUriof the SKS. The KeyCredentialConfigurationTypeis defined in OPC 10000-12.

The UserTokenPoliciesare defined in OPC 10000-4.

ApplicationType CLIENT

The array shall be null or empty.

TransportProfileUri

String

Can be null or empty.

SecurityLevel

Byte

Shall be 0.