SecurityKeyServices is an array of the DataType EndpointDescription and defines one or more Security Key Servers (SKS) that manage the security keys for the SecurityGroup assigned to the PubSubGroup. The EndpointDescription DataType is defined in OPC 10000-4.
The parameter is null if the SecurityMode is NONE.
Each element in the array is an Endpoint for an SKS that can supply the security keys for the SecurityGroupId. Multiple Endpoints exist because an SKS may have multiple redundant instances. If the SKS supports non-transparent redundancy, each Server in the redundant set shall have one entry in the array.
The use of the EndpointDescription parameters for the SKS selection is defined in Table 31. The main key for the identification of the SKS is the ApplicationUri.
The ApplicationUri is used in the different Server discovery mechanisms to get the OPC UA endpoint information necessary to connect to the SKS.
The combination of SecurityGroupId and SKS ApplicationUri is the unique key for a SecurityGroup in a PubSub application.
Table 31 – SecurityKeyService parameter content

| Field | Type | Definition for the values |
| --- | --- | --- |
| EndpointUrl | String | Shall be null or empty. |
| Server | ApplicationDescription | The ApplicationDescription DataType is defined in OPC 10000-4. |
| ApplicationUri | String | The ServerUri of the SKS. |
| ProductUri | String | Can be null or empty. |
| ApplicationName | LocalizedText | Can be null or empty. |
| ApplicationType | Enum ApplicationType | SERVER: The security keys are pulled from the SKS using the Method GetSecurityKeys. CLIENT: The security keys are pushed from the SKS to the PubSub application using the Method SetSecurityKeys. CLIENTANDSERVER: Invalid value. DISCOVERYSERVER: Invalid value. If the SKS information is sent as part of a discovery announcement message for a WriterGroup, the ApplicationType shall be set to SERVER even if the Publisher is configured for push. |
| GatewayServerUri | String | Shall be null or empty. |
| DiscoveryProfileUri | String | Shall be null or empty. |
| DiscoveryUrls [] | String | A list of URLs for the DiscoveryEndpoints provided by the SKS. |
| ServerCertificate | ApplicationInstanceCertificate | Shall be null or empty. |
| SecurityMode | MessageSecurityMode | The value shall be SIGNANDENCRYPT. |
| SecurityPolicyUri | String | ApplicationType SERVER: The URI for SecurityPolicy to use to connect to the SKS. If the URI is null or empty, the pull access shall use the best available security policy that is also supported by the pull Client. ApplicationType CLIENT: Shall be null or empty. |
| UserIdentityTokens [] | UserTokenPolicy | ApplicationType SERVER: The user identity tokens that should be used to connect to the SKS. The default is ANONYMOUS if the array is empty. For ANONYMOUS the authorization for accessing the keys is based on the application authentication. If the type is USERNAME, a KeyCredentialConfigurationType instance is used to configure user name and password. The ResourceUri of the KeyCredentialConfigurationType instance shall match the ApplicationUri of the SKS. The KeyCredentialConfigurationType is defined in OPC 10000-12. The UserTokenPolicies are defined in OPC 10000-4. ApplicationType CLIENT: The array shall be null or empty. |
| TransportProfileUri | String | Can be null or empty. |
| SecurityLevel | Byte | Shall be 0. |
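The following configuration check is an added example and not part of the specification: it applies the "shall" constraints of Table 31 to one SecurityKeyServices element, including the ApplicationType-dependent rules for pull (SERVER) and push (CLIENT). The dictionary layout, the `TokenType` key, the `credential_resource_uris` parameter and the sample URIs are assumptions made for illustration.

```python
# Added example. The dict layout and key names such as "TokenType" are assumptions;
# the rules themselves are the "shall" constraints of Table 31.
def _empty(v):
    return v is None or len(v) == 0

def check_sks_endpoint(ep, in_announcement=False, credential_resource_uris=()):
    """Return the Table 31 violations for one SecurityKeyServices array element."""
    problems = []
    server = ep.get("Server") or {}
    app_uri, app_type = server.get("ApplicationUri"), server.get("ApplicationType")
    for owner, name in ((ep, "EndpointUrl"), (server, "GatewayServerUri"),
                        (server, "DiscoveryProfileUri"), (ep, "ServerCertificate")):
        if not _empty(owner.get(name)):
            problems.append(f"{name} shall be null or empty")
    if _empty(app_uri):  # assumption: the identifying key must be present
        problems.append("Server.ApplicationUri is missing")
    if ep.get("SecurityMode") != "SIGNANDENCRYPT":
        problems.append("SecurityMode shall be SIGNANDENCRYPT")
    if ep.get("SecurityLevel") != 0:
        problems.append("SecurityLevel shall be 0")
    if app_type not in ("SERVER", "CLIENT"):
        problems.append(f"ApplicationType {app_type} is invalid")
    elif in_announcement and app_type != "SERVER":
        problems.append("ApplicationType shall be SERVER in a discovery announcement")
    if app_type == "CLIENT":  # push: the SKS connects to the PubSub application
        for name in ("SecurityPolicyUri", "UserIdentityTokens"):
            if not _empty(ep.get(name)):
                problems.append(f"{name} shall be null or empty for CLIENT")
    elif app_type == "SERVER":  # pull: USERNAME needs a matching credential entry
        for token in ep.get("UserIdentityTokens") or []:
            if token.get("TokenType") == "USERNAME" and app_uri not in credential_resource_uris:
                problems.append("no credential ResourceUri matches the SKS ApplicationUri")
    return problems

# Constructed sample: a pull-mode entry that satisfies Table 31.
GOOD_PULL = {
    "EndpointUrl": None,
    "Server": {"ApplicationUri": "urn:example:sks", "ApplicationType": "SERVER",
               "DiscoveryUrls": ["opc.tcp://sks.example:4840"]},
    "ServerCertificate": None, "SecurityMode": "SIGNANDENCRYPT",
    "SecurityPolicyUri": "", "UserIdentityTokens": [], "SecurityLevel": 0,
}
# Constructed sample: a push-mode entry with three violations.
BAD_PUSH = {
    "EndpointUrl": "opc.tcp://sks.example:4840",
    "Server": {"ApplicationUri": "urn:example:sks", "ApplicationType": "CLIENT"},
    "SecurityMode": "SIGN", "UserIdentityTokens": [{"TokenType": "USERNAME"}],
    "SecurityLevel": 0,
}
```

Calling `check_sks_endpoint(BAD_PUSH)` reports the non-empty EndpointUrl, the SecurityMode and the UserIdentityTokens array; passing `in_announcement=True` additionally reports the ApplicationType.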