The parameter ClientCipherSuite defines the DTLS 1.3 cipher suite that is used for data security of the PubSub communication. Supported cipher suites are described in Part 7. This is the cipher suite sent from the client-side in the DTLS handshake.
Note that the cipher suite describes the data encryption and data authenticity algorithms used. Key agreement and certificate signature algorithms are designated via the OPC UA Client Server Security Policy.
The client cipher suite is configured at the PubSubConnection level. This parameter denotes the single cipher suite that the DTLS client will offer in the DTLS handshake. This cipher suite must match a cipher suite entry configured in ServerCipherSuites for the server side of the DTLS handshake. If this parameter is not configured (e.g. set to the null string) then for the given PubSubConnection the device is meant to act as a server.
The parameter ServerCipherSuites defines the DTLS 1.3 cipher suite(s) that are used for data security of the PubSub communication. Supported cipher suites are described in OPC 10000-7. This is a list of cipher suites that the server will accept if offered by a client. In DTLS PubSub a client will only offer one cipher suite. The server will then either accept that one cipher suite as it is listed in ServerCipherSuites or reject it if it is not included in ServerCipherSuites.
Note that the cipher suite describes the data encryption and data authenticity algorithms used. Key agreement and certificate signature algorithms are designated via the OPC UA Client Server Security Policy.
The ZeroRTT parameter is a DataType Boolean. This parameter describes whether or not the zero round-trip-time feature of DTLS 1.3 is enabled. If this parameter is not set then it defaults to False. Note that using the Zero Round-Trip-Time feature has implications for security, as PubSub data will be sent before full authentication occurs. It is the responsibility of the user to decide whether or not this is acceptable.
The CertificateGroupId parameter is the NodeId of the CertificateGroup used for the DTLS Transport. This includes the Certificate and TrustList that are to be used for establishing DTLS sessions. Note that the CertificateGroup used for DTLS may be restricted via profile; see Part 7 for more information on the profiles that support DTLS.
The VerifyClientCertificate parameter is a DataType Boolean. This parameter describes whether or not the client certificate will be requested and verified by the server as part of the DTLS handshake. If this parameter is not set then it defaults to True.
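The rules stated above for ClientCipherSuite and ServerCipherSuites (a client offers exactly one suite, the server accepts it only if it is listed, an unset ClientCipherSuite means the device is a server) and the defaults for ZeroRTT and VerifyClientCertificate can be checked mechanically before a PubSubConnection is deployed. The following Python is an added example written for this page; it is not OPC Foundation code and not a DTLS implementation. The suite names, the NodeId string and the structure's field names are constructed for the example; the suites a given profile actually permits are listed in OPC 10000-7 and are not reproduced here.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample suite names for this example (standard TLS 1.3 identifiers);
# which suites a profile permits is defined in OPC 10000-7, not here.
AES_128 = "TLS_AES_128_GCM_SHA256"
AES_256 = "TLS_AES_256_GCM_SHA384"
CHACHA = "TLS_CHACHA20_POLY1305_SHA256"


@dataclass
class DtlsPubSubConnectionDataType:
    """Mirror of the structure in Table 138; None models a parameter that is not set."""
    client_cipher_suite: str = ""                      # null string -> device acts as DTLS server
    server_cipher_suites: list[str] = field(default_factory=list)
    zero_rtt: Optional[bool] = None                    # not set -> False
    certificate_group_id: str = ""                     # NodeId of the CertificateGroup
    verify_client_certificate: Optional[bool] = None   # not set -> True


def dtls_role(cfg: DtlsPubSubConnectionDataType) -> str:
    """A configured ClientCipherSuite makes the device the DTLS client; otherwise it is the server."""
    return "client" if cfg.client_cipher_suite else "server"


def effective_zero_rtt(cfg: DtlsPubSubConnectionDataType) -> bool:
    """ZeroRTT defaults to False when the parameter is absent."""
    return cfg.zero_rtt if cfg.zero_rtt is not None else False


def effective_verify_client_certificate(cfg: DtlsPubSubConnectionDataType) -> bool:
    """VerifyClientCertificate defaults to True when the parameter is absent."""
    return cfg.verify_client_certificate if cfg.verify_client_certificate is not None else True


def negotiate(client: DtlsPubSubConnectionDataType,
              server: DtlsPubSubConnectionDataType) -> tuple[bool, str]:
    """Apply the single-offer rule: the client offers its one ClientCipherSuite and the
    server accepts it only if that suite appears in its ServerCipherSuites list.
    Returns (accepted, selected suite or rejection reason)."""
    if dtls_role(client) != "client":
        return False, "initiating side has no ClientCipherSuite configured, so it acts as a server"
    offered = client.client_cipher_suite
    if offered in server.server_cipher_suites:
        return True, offered
    return False, f"server rejected {offered}: not in ServerCipherSuites"


def security_findings(cfg: DtlsPubSubConnectionDataType) -> list[str]:
    """Flag the settings the text identifies as weakening the handshake guarantees."""
    findings: list[str] = []
    if effective_zero_rtt(cfg):
        findings.append("ZeroRTT enabled: PubSub data may be sent before full authentication completes")
    if dtls_role(cfg) == "server":
        if not effective_verify_client_certificate(cfg):
            findings.append("VerifyClientCertificate is False: client certificates are not requested or verified")
        if not cfg.server_cipher_suites:
            findings.append("ServerCipherSuites is empty: every client offer will be rejected")
    if not cfg.certificate_group_id:
        findings.append("CertificateGroupId unset: no Certificate/TrustList is bound to the DTLS transport")
    return findings


if __name__ == "__main__":
    # Constructed NodeId placeholder; a real deployment references an existing CertificateGroup.
    group = "ns=1;s=PlaceholderCertificateGroup"
    client = DtlsPubSubConnectionDataType(client_cipher_suite=AES_128, certificate_group_id=group)
    server = DtlsPubSubConnectionDataType(server_cipher_suites=[AES_128, AES_256],
                                          certificate_group_id=group)
    print("roles:", dtls_role(client), dtls_role(server))
    print("negotiate:", negotiate(client, server))
    print("mismatch:", negotiate(DtlsPubSubConnectionDataType(client_cipher_suite=CHACHA), server))
    print("findings:", security_findings(server))
```

The findings list is deliberately keyed to the defaults the text gives: a structure with ZeroRTT and VerifyClientCertificate absent yields no finding on those points, while an explicit ZeroRTT of True or VerifyClientCertificate of False on the server side does.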
This Structure DataType is used to represent additional DTLS specific datagram transport mapping parameters for PubSubConnections.
The DtlsPubSubConnectionDataType is formally defined in Table 138.
Table 138 – DtlsPubSubConnectionDataType structure

| Name | Type | Description |
|---|---|---|
| DtlsPubSubConnectionDataType | Structure | |
| ClientCipherSuite | String | Defined in 6.4.1.7.1. |
| ServerCipherSuites | String [] | Defined in 6.4.1.7.2. |
| ZeroRTT | Boolean | Defined in 6.4.1.7.3. |
| CertificateGroupId | NodeId | Defined in 6.4.1.7.4. |
| VerifyClientCertificate | Boolean | Defined in 6.4.1.7.5. |
Its representation in the AddressSpace is defined in Table 139.
Table 139 – DtlsPubSubConnectionDataType definition

| Attributes | Value |
|---|---|
| BrowseName | DtlsPubSubConnectionDataType |
| IsAbstract | False |
| Subtype of Structure defined in OPC 10000-5. | |
| Conformance Units | |
| PubSub Parameters Datagram DTLS | |