The SecurityGroupType is formally defined in Table 173.
The Permission of the SecurityGroupType Objects controls the access to the security keys for the SecurityGroup through the Method GetSecurityKeys. The GetSecurityKeys Method is defined in 8.3.2. The Permission to access the keys is different to the Permission necessary to modify the configuration of SecurityGroups.
Table 173 – SecurityGroupType definition

| Attribute | Value |
|---|---|
| BrowseName | SecurityGroupType |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
|---|---|---|---|---|---|
| Subtype of BaseObjectType defined in OPC 10000-5. | | | | | |
| HasProperty | Variable | SecurityGroupId | String | PropertyType | Mandatory |
| HasProperty | Variable | KeyLifetime | Duration | PropertyType | Mandatory |
| HasProperty | Variable | SecurityPolicyUri | String | PropertyType | Mandatory |
| HasProperty | Variable | MaxFutureKeyCount | UInt32 | PropertyType | Mandatory |
| HasProperty | Variable | MaxPastKeyCount | UInt32 | PropertyType | Mandatory |
| HasComponent | Method | InvalidateKeys | Defined in 8.4.2. | | Optional |
| HasComponent | Method | ForceKeyRotation | Defined in 8.4.3. | | Optional |

| Conformance Units |
|---|
| PubSub Model SKS |

The Property SecurityGroupId contains the identifier for the SecurityGroup used in the key exchange Methods GetSecurityKeys and SetSecurityKeys in the PubSubGroupType.
The Property KeyLifetime defines the lifetime of a key in milliseconds.
The Property SecurityPolicyUri is the identifier for a SecurityPolicy. SecurityPolicies define the set of algorithms and key lengths used to secure the messages exchanged in the context of the SecurityGroup. The SecurityPolicies are defined in OPC 10000-7.
The Property MaxFutureKeyCount defines the maximum number of future keys returned by the Method GetSecurityKeys.
The Property MaxPastKeyCount defines the maximum number of historical keys stored by the SKS. The historical keys are necessary to allow Subscribers to request keys for older NetworkMessages.
This Method invalidates the current and all future keys of this SecurityGroup. The keys will be replaced by new keys; indicated by a new current SecurityTokenId. The new current SecurityTokenId shall be incremented beyond the SecurityTokenId of the last invalidated future key.
If the SecurityGroup is related to one or more PubSubKeyPushTargets, the SKS shall push the new set of keys to all related PubSubKeyPushTargets.
The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.
Signature
InvalidateKeys();
Method Result Codes

| ResultCode | Description |
|---|---|
| Bad_UserAccessDenied | The Session user is not allowed to invalidate the keys on this SecurityGroup. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

Table 174 specifies the AddressSpace representation for the InvalidateKeys Method.
Table 174 – InvalidateKeys Method AddressSpace definition

| Attribute | Value |
|---|---|
| BrowseName | InvalidateKeys |

| ConformanceUnits |
|---|
| PubSub Model SKS |

This Method forces a key update prior to expiration of KeyLifetime, i.e. it initiates an unplanned key rotation. The future keys of this SecurityGroup remain valid.
InvalidateKeys makes all keys invalid immediately and most likely this causes communication interruptions. The ForceKeyRotation Method allows faster rotation of keys without breaking communication, e.g. for removing applications from a UDP multicast group.
If the SecurityGroup is related to one or more PushTargets, the SKS shall push an updated set of keys to all PushTargets.
The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.
Signature
ForceKeyRotation();
Method Result Codes

| ResultCode | Description |
|---|---|
| Bad_UserAccessDenied | The Session user is not allowed to force key rotation on this SecurityGroup. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

Table 175 specifies the AddressSpace representation for the ForceKeyRotation Method.
Table 175 – ForceKeyRotation Method AddressSpace definition

| Attribute | Value |
|---|---|
| BrowseName | ForceKeyRotation |

| ConformanceUnits |
|---|
| PubSub Model SKS |
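
The difference between InvalidateKeys and ForceKeyRotation, shown as an added example that is not part of the specification or of any OPC UA stack: a toy in-memory key ring for one SecurityGroup that applies the SecurityTokenId and result-code rules described above. The class and method names, the key length, the order of the two access checks, topping up the future keys after a rotation, and leaving past keys untouched on invalidation are assumptions; pushing keys to PushTargets is not modelled.

```python
import secrets
from collections import deque

GOOD = "Good"
DENIED = "Bad_UserAccessDenied"
INSUFFICIENT = "Bad_SecurityModeInsufficient"

class SecurityGroupModel:
    """Toy key ring for one SecurityGroup (hypothetical, not a real SKS)."""

    def __init__(self, max_future_key_count, max_past_key_count, key_len=32):
        self.max_future = max_future_key_count
        self.key_len = key_len  # assumed; really set by SecurityPolicyUri
        self.past = deque(maxlen=max_past_key_count)  # oldest dropped first
        self.next_id = 1
        self.current = self._new_key()
        self.future = [self._new_key() for _ in range(self.max_future)]

    def _new_key(self):
        # Returns (SecurityTokenId, key); ids only ever increase.
        token_id, self.next_id = self.next_id, self.next_id + 1
        return token_id, secrets.token_bytes(self.key_len)

    def _check(self, may_configure_sks, security_mode):
        # Check order is an assumption; the page only lists both codes.
        if security_mode not in ("Sign", "SignAndEncrypt"):
            return INSUFFICIENT
        return GOOD if may_configure_sks else DENIED

    def invalidate_keys(self, may_configure_sks, security_mode):
        status = self._check(may_configure_sks, security_mode)
        if status == GOOD:
            # Current and all future keys are discarded. next_id is already
            # past the last future key, so the new current id exceeds it.
            self.current = self._new_key()
            self.future = [self._new_key() for _ in range(self.max_future)]
        return status

    def force_key_rotation(self, may_configure_sks, security_mode):
        status = self._check(may_configure_sks, security_mode)
        if status == GOOD:
            # Early rotation: already-distributed future keys stay valid,
            # the first one simply becomes current ahead of KeyLifetime.
            self.past.append(self.current)
            self.current = self.future.pop(0) if self.future else self._new_key()
            while len(self.future) < self.max_future:  # top-up is assumed
                self.future.append(self._new_key())
        return status
```

After a forced rotation, a Subscriber that already fetched the future keys still holds the new current key, whereas after an invalidation none of its cached keys match the new SecurityTokenIds.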