The SecurityGroupType is formally defined in Table 173.

The Permissionof the SecurityGroupType Objectscontrols the access to the security keys for the SecurityGroupthrough the Method GetSecurityKeys. TheGetSecurityKeys Method is defined in 8.3.2. The Permissionto access the keys is different to the Permissionnecessary to modify the configuration of SecurityGroups.

Table 173– SecurityGroupType definition

Attribute

Value

BrowseName

SecurityGroupType

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

Subtype of BaseObjectType defined in OPC 10000-5.

HasProperty

Variable

SecurityGroupId

String

PropertyType

Mandatory

HasProperty

Variable

KeyLifetime

Duration

PropertyType

Mandatory

HasProperty

Variable

SecurityPolicyUri

String

PropertyType

Mandatory

HasProperty

Variable

MaxFutureKeyCount

UInt32

PropertyType

Mandatory

HasProperty

Variable

MaxPastKeyCount

UInt32

PropertyType

Mandatory

HasComponent

Method

InvalidateKeys

Defined in 8.4.2.

Optional

HasComponent

Method

ForceKeyRotation

Defined in 8.4.3.

Optional

Conformance Units

PubSub Model SKS

The Property SecurityGroupIdcontains the identifier for the SecurityGroupused in the key exchange Methods GetSecurityKeysand SetSecurityKeysin the PubSubGroupType.

The Property KeyLifetimedefines the lifetime of a key in milliseconds.

The Property SecurityPolicyUriis the identifier for a SecurityPolicy. SecurityPoliciesdefine the set of algorithms and key lengths used to secure the messages exchanged in the context of the SecurityGroup. The SecurityPoliciesare defined in OPC 10000-7.

The Property MaxFutureKeyCountdefines the maximum number of future keys returned by the Method GetSecurityKeys.

The Property MaxPastKeyCountdefines the maximum number of historical keys stored by the SKS. The historical keys are necessary to allow Subscribersto request keys for older NetworkMessages.

This Methodinvalidates the current and all future keys of this SecurityGroup. The keys will be replaced by new keys; indicated by a new currentSecurityTokenId. The new current SecurityTokenIdshall be incremented beyond the SecurityTokenIdof the last invalidated future key.

If the SecurityGroup is related to one or more PubSubKeyPushTargets, the SKSshall push the new set of keys to all related PubSubKeyPushTargets.

The Clientshall be authorized to modify the configuration for the SKSfunctionality and shall use at least a signed communication channel when invoking this Methodon the Server.

Signature

InvalidateKeys();

Method Result Codes

ResultCode

Description

Bad_UserAccessDenied

The Sessionuser is not allowed invalidate the keys on this SecurityGroup.

Bad_SecurityModeInsufficient

The communication channel is not using signing.

Table 174specifies the AddressSpacerepresentation for the InvalidateKeys Method.

Table 174– InvalidateKeys Method AddressSpace definition

Attribute

Value

BrowseName

InvalidateKeys

ConformanceUnits

PubSub Model SKS

This Methodforces a key update prior to expiration of KeyLifetime, i.e. it initiates an unplanned key rotation. The future keys of this SecurityGroupremain valid.

InvalidateKeysmakes all keys invalid immediately and most likely this causes communication interruptions. The ForceKeyRotation Methodallows faster rotation of keys without breaking communication e.g. for removing applications from a UDP multicast group.

If the SecurityGroup is related to one or more PushTargets, the SKSshall push an updated set of keys to all PushTargets.

The Clientshall be authorized to modify the configuration for the SKSfunctionality and shall use at least a signed communication channel when invoking this Methodon the Server.

Signature

ForceKeyRotation();

Method Result Codes

ResultCode

Description

Bad_UserAccessDenied

The Sessionuser is not allowed force key rotation on this SecurityGroup.

Bad_SecurityModeInsufficient

The communication channel is not using signing.

Table 175specifies the AddressSpacerepresentation for the ForceKeyRotation Method.

Table 175– ForceKeyRotation Method AddressSpace definition

Attribute

Value

BrowseName

ForceKeyRotation

ConformanceUnits

PubSub Model SKS