The PubSubKeyPushTargetType is formally defined in Table 181.
An instance of this ObjectType includes all information required to establish a secure connection to the Server that is the target of a push operation as described in 5.4.4.3. If any of the connection information changes, the PubSubKeyPushTarget must be removed and a new PubSubKeyPushTarget with updated connection information must be added.
Table 181 – PubSubKeyPushTargetType definition

| Attribute | Value | | | | |
|---|---|---|---|---|---|
| BrowseName | PubSubKeyPushTargetType | | | | |
| IsAbstract | False | | | | |
| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
| Subtype of BaseObjectType defined in OPC 10000-5. | | | | | |
| HasPushedSecurityGroup | Object | <SecurityGroupName> | | SecurityGroupType | OptionalPlaceholder |
| HasProperty | Variable | ApplicationUri | String | PropertyType | Mandatory |
| HasProperty | Variable | EndpointUrl | String | PropertyType | Mandatory |
| HasProperty | Variable | SecurityPolicyUri | String | PropertyType | Mandatory |
| HasProperty | Variable | UserTokenType | UserTokenPolicy | PropertyType | Mandatory |
| HasProperty | Variable | RequestedKeyCount | UInt16 | PropertyType | Mandatory |
| HasProperty | Variable | RetryInterval | Duration | PropertyType | Mandatory |
| HasProperty | Variable | LastPushExecutionTime | DateTime | PropertyType | Mandatory |
| HasProperty | Variable | LastPushErrorTime | DateTime | PropertyType | Mandatory |
| HasComponent | Method | ConnectSecurityGroups | Defined in 8.6.3 | | Mandatory |
| HasComponent | Method | DisconnectSecurityGroups | Defined in 8.6.4 | | Mandatory |
| HasComponent | Method | TriggerKeyUpdate | Defined in 8.6.5 | | Mandatory |
| Conformance Units | | | | | |
| PubSub Model SKS Push | | | | | |
The Property ApplicationUri is the ApplicationUri of the Server that is the target of a push. The push operation shall fail if the ApplicationUri of the connected target Server does not match this parameter.
The Property EndpointUrl is the URL of the Endpoint of the Server that is the target of a push.
The Property SecurityPolicyUri is a String that contains the security policy the SKS shall use to establish a SecureChannel to the PubSubKeyPushTarget. The MessageSecurityMode shall always be SignAndEncrypt.
The Property UserTokenType contains the type of user token to be used for the connection to the PubSubKeyPushTarget. The default is Anonymous and authorization is accomplished in this case with the application identity of the SKS.
The Property RequestedKeyCount is the number of keys that are to be pushed on each update. The minimum setting for this is three.
The Property RetryInterval defines the interval the SKS shall use to retry pushing keys after an error appeared.
The Property LastPushExecutionTime indicates the time the last push operation was executed successfully on the PubSubKeyPushTarget. A null DateTime value indicates that no successful push was executed.
The Property LastPushErrorTime indicates the last time a push operation failed on the PubSubKeyPushTarget. A null DateTime value indicates that no error has occurred.
The first push is started at the time a SecurityGroup is assigned to the PubSubKeyPushTarget. The assignment is done with the Method ConnectSecurityGroups or with a successful update of the PubSubKeyPushTargets with PubSubConfigurationType CloseAndUpdate. The sequence for push is described in 5.4.4.3.
In a period of half the KeyLifetime of a SecurityGroup, the SKS shall open a secure communication to each related PubSubKeyPushTarget and shall call SetSecurityKeys to push the security keys for a SecurityGroup into a Publisher or Subscriber. The SKS shall push the previous security key, the current key, and at least one future key to bridge longer unavailability time of the SKS. If it is not possible to push security keys to a PubSubKeyPushTarget due to errors in establishing the communication or due to errors returned from the SetSecurityKeys Method call, the SKS shall retry pushing the security keys in a period of RetryInterval. If multiple future security keys are pushed, it is up to the SKS to define when security keys are pushed, but at a minimum it shall be at the half KeyLifetime of the current key when only one future key is remaining.
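The timing rules above can be followed through in a small model of the SKS side. This is an added example, not part of the specification: the `PushSchedule` class, its field names and its methods are assumptions made for illustration, and it tracks one SecurityGroup on one push target.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PushSchedule:
    """SKS-side push state for one SecurityGroup on one push target (illustrative model)."""
    key_lifetime: timedelta                       # KeyLifetime of the SecurityGroup
    retry_interval: timedelta                     # RetryInterval Property of the target
    current_key_start: Optional[datetime] = None  # start of the key current at the last good push
    future_keys: int = 0                          # future keys delivered by the last good push
    last_push_execution_time: Optional[datetime] = None  # None models a null DateTime
    last_push_error_time: Optional[datetime] = None      # None models a null DateTime
    retry_pending: bool = False

    def on_success(self, now: datetime, current_key_start: datetime, future_keys: int) -> None:
        if future_keys < 1:
            raise ValueError("a push carries at least one future key")
        self.current_key_start, self.future_keys = current_key_start, future_keys
        self.last_push_execution_time, self.retry_pending = now, False

    def on_failure(self, now: datetime) -> None:
        # Connection errors and errors returned by SetSecurityKeys are handled alike.
        self.last_push_error_time, self.retry_pending = now, True

    def next_attempt(self, now: datetime) -> datetime:
        """Latest time by which the SKS has to attempt the next push."""
        if self.retry_pending:
            return self.last_push_error_time + self.retry_interval
        if self.current_key_start is None:
            return now  # first push starts when the SecurityGroup is assigned
        # One future key is left after (future_keys - 1) rotations; the push is due
        # at half the lifetime of the key that is current at that point.
        rotations = self.future_keys - 1
        return self.current_key_start + self.key_lifetime * rotations + self.key_lifetime / 2
```

With a KeyLifetime of 60 minutes and three future keys pushed, the latest permissible next push is 150 minutes after the current key started; a failed attempt moves the next attempt to RetryInterval after the failure.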
Since the SKS is unaware of the state of a PubSubKeyPushTarget, it is recommended for a PubSubKeyPushTarget to persist security keys. This allows the PubSubKeyPushTarget to continue secured PubSub communication after a power cycle, as long as the outage time is smaller than the time covered with currentKey and FutureKeys. If keys are not persisted, it may take up to half the KeyLifetime to get the first set of security keys. The PubSubKeyPushTargets persisting security keys shall have an understanding of time (either synchronized or battery backup) allowing them to determine whether the current key is still valid to use, or whether to use a future key following a power interruption.
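The following added example (not part of the specification) shows how a push target that persisted its keys could decide which key to use after a power interruption. The `PersistedKeys` layout and function names are assumptions; `current_token_id` and `time_to_next_key` mirror the CurrentTokenId and TimeToNextKey arguments of SetSecurityKeys, which are defined elsewhere in the specification and not on this page, and the key bytes are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class PersistedKeys:
    """What a push target stores after a SetSecurityKeys call (illustrative layout)."""
    received_at: datetime          # local clock when the keys arrived
    current_token_id: int          # token id of keys[0]
    keys: List[bytes]              # current key followed by the future keys
    time_to_next_key: timedelta    # remaining validity of keys[0] at reception
    key_lifetime: timedelta        # KeyLifetime of the SecurityGroup


def covered_until(store: PersistedKeys) -> datetime:
    """End of the time span covered by the current key and the future keys."""
    futures = len(store.keys) - 1
    return store.received_at + store.time_to_next_key + store.key_lifetime * futures


def select_key(store: PersistedKeys, now: datetime) -> Optional[Tuple[int, bytes]]:
    """Return (token id, key) valid at `now`, or None if a new push is needed."""
    elapsed = now - store.received_at
    if elapsed < timedelta(0):
        return None  # clock is behind the reception time, so it cannot be trusted
    if elapsed < store.time_to_next_key:
        index = 0    # the key that was current at reception is still valid
    else:
        # Each full KeyLifetime after the first rotation advances one future key.
        index = 1 + (elapsed - store.time_to_next_key) // store.key_lifetime
    if index >= len(store.keys):
        return None  # outage was longer than the stored keys cover
    # Token ids are assumed to increase by one per key (wrap-around not handled).
    return store.current_token_id + index, store.keys[index]


# Constructed sample: placeholder key bytes, token id 7, 20 minutes left on the current key.
SAMPLE = PersistedKeys(
    received_at=datetime(2024, 1, 1, 8, 0),
    current_token_id=7,
    keys=[b"current-key", b"future-key-1", b"future-key-2"],
    time_to_next_key=timedelta(minutes=20),
    key_lifetime=timedelta(minutes=60),
)
```

A `None` result means the target has no usable key and has to wait for the next push from the SKS before resuming secured PubSub communication.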
This Method connects instances of SecurityGroupType to this PubSubKeyPushTarget. This indicates that the SKS shall use the push model to distribute the keys of the SecurityGroup to the PubSubKeyPushTarget.
The SKS shall push keys following this assignment. If an assignment does already exist, the entry is ignored.
If the assignment for a SecurityGroup already exists, a Good_EntryReplaced should be returned for that SecurityGroup and a new push of the existing keys shall be triggered to the push target.
The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.
Signature

    ConnectSecurityGroups(
        [in]  NodeId[]     SecurityGroupIds,
        [out] StatusCode[] ConnectResults
    );

| Argument | Description |
|---|---|
| SecurityGroupIds | The NodeIds of the SecurityGroups to connect to the PushTarget. |
| ConnectResults | The result codes for the SecurityGroups to connect. |

Method Result Codes

| ResultCode | Description |
|---|---|
| Bad_UserAccessDenied | The Session user is not allowed to connect SecurityGroups to the push target. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

Operation Result Codes

| ResultCode | Description |
|---|---|
| Good_EntryReplaced | The PushTarget was already assigned to the SecurityGroup, a new push was triggered. |
| Bad_NodeIdUnknown | A SecurityGroup NodeId is unknown. |
| Bad_NodeIdInvalid | A SecurityGroup NodeId is not a NodeId of a SecurityGroupType Object. |
Table 182 specifies the AddressSpace representation for the ConnectSecurityGroups Method.

Table 182 – ConnectSecurityGroups Method AddressSpace definition

| Attribute | Value | | | | |
|---|---|---|---|---|---|
| BrowseName | ConnectSecurityGroups | | | | |
| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
| HasProperty | Variable | InputArguments | Argument[] | PropertyType | Mandatory |
| HasProperty | Variable | OutputArguments | Argument[] | PropertyType | Mandatory |
| ConformanceUnits | | | | | |
| PubSub Model SKS Push | | | | | |
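The checks and result codes of ConnectSecurityGroups described above can be seen together in a server-side handler. This is an added example, not code from the specification or any OPC UA stack: the function signature, the `node_types` dictionary standing in for the AddressSpace, the plain `Good` status for a new assignment, and the sample NodeIds are assumptions, and subtypes of SecurityGroupType are not considered.

```python
from enum import Enum
from typing import Callable, Dict, List, Set


class SecurityMode(Enum):
    NONE = "None"
    SIGN = "Sign"
    SIGN_AND_ENCRYPT = "SignAndEncrypt"


class MethodError(Exception):
    """Method-level result code: the whole call fails and no entry is processed."""


def connect_security_groups(
    connected: Set[str],             # SecurityGroup NodeIds already assigned to this target
    security_group_ids: List[str],   # SecurityGroupIds input argument
    node_types: Dict[str, str],      # NodeId -> TypeDefinition name (stand-in for the AddressSpace)
    channel_mode: SecurityMode,
    session_authorized: bool,
    trigger_push: Callable[[str], None],
) -> List[str]:
    """Return ConnectResults, one status name per entry of SecurityGroupIds."""
    # The order of the two Method-level checks is a choice made in this example.
    if channel_mode is SecurityMode.NONE:
        raise MethodError("Bad_SecurityModeInsufficient")
    if not session_authorized:
        raise MethodError("Bad_UserAccessDenied")
    results = []
    for node_id in security_group_ids:
        type_name = node_types.get(node_id)
        if type_name is None:
            results.append("Bad_NodeIdUnknown")
        elif type_name != "SecurityGroupType":
            results.append("Bad_NodeIdInvalid")
        else:
            already_assigned = node_id in connected
            connected.add(node_id)
            trigger_push(node_id)  # new assignment and re-assignment both start a push
            results.append("Good_EntryReplaced" if already_assigned else "Good")
    return results


# Constructed sample AddressSpace content (NodeIds are made up for this example).
SAMPLE_TYPES = {"ns=2;s=SG.Line1": "SecurityGroupType", "ns=2;s=Pump1": "BaseObjectType"}
```

Rejecting the call before any entry is processed keeps an unsigned or unauthorized caller from changing which targets receive key material.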
This Method disconnects instances of SecurityGroupType from this PubSubKeyPushTarget. This indicates that the SKS shall stop using the push model to distribute the keys of those SecurityGroups to the PubSubKeyPushTarget.
The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.
Signature

    DisconnectSecurityGroups(
        [in]  NodeId[]     SecurityGroupIds,
        [out] StatusCode[] DisconnectResults
    );

| Argument | Description |
|---|---|
| SecurityGroupIds | The NodeIds of the SecurityGroups to disconnect. |
| DisconnectResults | The result codes for the SecurityGroups to disconnect. |

Method Result Codes

| ResultCode | Description |
|---|---|
| Bad_UserAccessDenied | The Session user is not allowed to disconnect SecurityGroups from the push target. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

Operation Result Codes

| ResultCode | Description |
|---|---|
| Bad_NodeIdUnknown | A SecurityGroup NodeId is unknown. |
| Bad_NodeIdInvalid | A SecurityGroup NodeId is not a NodeId of a SecurityGroupType Object. |
Table 183 specifies the AddressSpace representation for the DisconnectSecurityGroups Method.

Table 183 – DisconnectSecurityGroups Method AddressSpace definition

| Attribute | Value | | | | |
|---|---|---|---|---|---|
| BrowseName | DisconnectSecurityGroups | | | | |
| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
| HasProperty | Variable | InputArguments | Argument[] | PropertyType | Mandatory |
| HasProperty | Variable | OutputArguments | Argument[] | PropertyType | Mandatory |
| ConformanceUnits | | | | | |
| PubSub Model SKS Push | | | | | |
This Method triggers a key update of all SecurityGroups related to the PubSubKeyPushTarget. The SKS shall push the new set of keys for all related SecurityGroups, even if not currently scheduled.
The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.
Signature

    TriggerKeyUpdate();

Method Result Codes

| ResultCode | Description |
|---|---|
| Bad_UserAccessDenied | The Session user is not allowed to trigger a key update on this push target. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |
The HasPushedSecurityGroup ReferenceType is a concrete ReferenceType that can be used directly. It is a subtype of the HierarchicalReferences ReferenceType.
The SourceNode of References of this type shall be an Object of ObjectType PubSubKeyPushTargetType or an ObjectType that is a subtype of PubSubKeyPushTargetType defined in 8.6.1.
The TargetNode of this ReferenceType shall be an Object of the ObjectType SecurityGroupType defined in 8.4.1.
Servers shall provide the inverse Reference that relates a SecurityGroup Object back to a PubSubKeyPushTargetType Object.
The representation of the HasPushedSecurityGroup ReferenceType in the AddressSpace is specified in Table 184.
Table 184 – HasPushedSecurityGroup ReferenceType

| Attributes | Value | | |
|---|---|---|---|
| BrowseName | HasPushedSecurityGroup | | |
| InverseName | HasPushTarget | | |
| Symmetric | False | | |
| IsAbstract | False | | |
| References | NodeClass | BrowseName | Comment |
| Subtype of HierarchicalReferences defined in OPC 10000-5. | | | |
| Conformance Units | | | |
| PubSub Model SKS Push | | | |
Table 185 specifies the AddressSpace representation for the TriggerKeyUpdate Method.

Table 185 – TriggerKeyUpdate Method AddressSpace definition

| Attribute | Value |
|---|---|
| BrowseName | TriggerKeyUpdate |
| ConformanceUnits | |
| PubSub Model SKS Push | |