The PubSubKeyPushTargetType is formally defined in Table 181.

An instance of this ObjectType includes all information required to establish a secure connection to the Server that is the target of a push operation as described in 5.4.4.3. If any of the connection information changes, the PubSubKeyPushTarget must be removed and a new PubSubKeyPushTarget with updated connection information must be added.

Table 181 – PubSubKeyPushTargetType definition

| Attribute | Value |
|---|---|
| BrowseName | PubSubKeyPushTargetType |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
|---|---|---|---|---|---|
| Subtype of BaseObjectType defined in OPC 10000-5. | | | | | |
| HasPushedSecurityGroup | Object | <SecurityGroupName> | | SecurityGroupType | OptionalPlaceholder |
| HasProperty | Variable | ApplicationUri | String | PropertyType | Mandatory |
| HasProperty | Variable | EndpointUrl | String | PropertyType | Mandatory |
| HasProperty | Variable | SecurityPolicyUri | String | PropertyType | Mandatory |
| HasProperty | Variable | UserTokenType | UserTokenPolicy | PropertyType | Mandatory |
| HasProperty | Variable | RequestedKeyCount | UInt16 | PropertyType | Mandatory |
| HasProperty | Variable | RetryInterval | Duration | PropertyType | Mandatory |
| HasProperty | Variable | LastPushExecutionTime | DateTime | PropertyType | Mandatory |
| HasProperty | Variable | LastPushErrorTime | DateTime | PropertyType | Mandatory |
| HasComponent | Method | ConnectSecurityGroups | Defined in 8.6.3 | | Mandatory |
| HasComponent | Method | DisconnectSecurityGroups | Defined in 8.6.4 | | Mandatory |
| HasComponent | Method | TriggerKeyUpdate | Defined in 8.6.5 | | Mandatory |

Conformance Units: PubSub Model SKS Push

The Property ApplicationUri is the ApplicationUri of the Server that is the target of a push. The push operation shall fail if the ApplicationUri of the connected target Server does not match this parameter.

The Property EndpointUrl is the URL of the Endpoint of the Server that is the target of a push.

The Property SecurityPolicyUri is a String that contains the security policy the SKS shall use to establish a SecureChannel to the PubSubKeyPushTarget. The MessageSecurityMode shall always be SignAndEncrypt.

The Property UserTokenType contains the type of user token to be used for the connection to the PubSubKeyPushTarget. The default is Anonymous and authorization is accomplished in this case with the application identity of the SKS.

The Property RequestedKeyCount is the number of keys that are to be pushed on each update. The minimum setting for this is three.

The Property RetryInterval defines the interval the SKS shall use to retry pushing keys after an error has occurred.

The Property LastPushExecutionTime indicates the time the last push operation was executed successfully on the PubSubKeyPushTarget. A null DateTime value indicates that no successful push was executed.

The Property LastPushErrorTime indicates the last time a push operation failed on the PubSubKeyPushTarget. A null DateTime value indicates that no error has occurred.

The first push is started at the time a SecurityGroup is assigned to the PubSubKeyPushTarget. The assignment is done with the Method ConnectSecurityGroups or with a successful update of the PubSubKeyPushTargets with PubSubConfigurationType CloseAndUpdate. The sequence for push is described in 5.4.4.3.

In a period of half the KeyLifetime of a SecurityGroup, the SKS shall open a secure communication to each related PubSubKeyPushTargets and shall call SetSecurityKeys to push the security keys for a SecurityGroup into a Publisher or Subscriber. The SKS shall push the previous security key, the current key, and at least one future key to bridge longer unavailability time of the SKS. If it is not possible to push security keys to a PubSubKeyPushTarget due to errors in establishing the communication or due to errors returned from the SetSecurityKeys Method call, the SKS shall retry pushing the security keys in a period of RetryInterval. If multiple future security keys are pushed, it is up to the SKS to define when security keys are pushed, but at a minimum it shall be at the half KeyLifetime of the current key when only one future key is remaining.
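An operator can use the Properties described above to spot push targets that are about to run out of keys. The following is an added monitoring example, not part of the specification; the class, function and status names are hypothetical, and it assumes RequestedKeyCount counts the previous, current and future keys together.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PushTargetStatus:
    """Values read from one PubSubKeyPushTarget on the SKS (None = null DateTime)."""
    requested_key_count: int
    last_push_execution_time: Optional[float]  # epoch seconds
    last_push_error_time: Optional[float]      # epoch seconds

def assess(t: PushTargetStatus, key_lifetime: float, now: float) -> str:
    """Classify a push target by how close it is to running out of keys."""
    if t.requested_key_count < 3:
        return "misconfigured"          # the minimum setting is three
    if t.last_push_execution_time is None:
        return "never-pushed"           # no successful push recorded yet
    # Assumption: RequestedKeyCount = previous + current + future keys.
    futures = t.requested_key_count - 2
    age = now - t.last_push_execution_time
    # At push time the current key had between 0 and key_lifetime left, so
    # the pushed set lasts at least `futures` and at most `futures + 1`
    # lifetimes after the last successful push.
    if age >= (futures + 1) * key_lifetime:
        return "keys-expired"
    if age >= futures * key_lifetime:
        return "keys-may-be-expired"
    # An error newer than the last success means the SKS is in its
    # RetryInterval loop for this target.
    if (t.last_push_error_time is not None
            and t.last_push_error_time > t.last_push_execution_time):
        return "retrying"
    return "ok"
```
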

Since the SKS is unaware of the state of a PubSubKeyPushTarget, it is recommended for a PubSubKeyPushTarget to persist security keys. This allows the PubSubKeyPushTarget to continue secured PubSub communication after a power cycle, as long as the outage time is smaller than the time covered with currentKey and FutureKeys. If keys are not persisted, it may take up to half the KeyLifetime to get the first set of security keys. The PubSubKeyPushTargets persisting security keys shall have an understanding of time (either synchronized or battery backup) allowing them to determine whether the current key is still valid to use, or whether to use a future key following a power interruption.
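The key selection a push target has to perform after a power interruption can be sketched as follows. This is an added example, not part of the specification; the record layout and function names are hypothetical, and it assumes token ids increase by one per key and that the target stored the remaining time of the current key when the keys were received.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PersistedKeys:
    """Constructed record a push target might persist (hypothetical layout)."""
    received_at: float        # trusted wall-clock time the keys arrived (epoch s)
    time_to_next_key: float   # seconds the current key had left at received_at
    key_lifetime: float       # KeyLifetime of the SecurityGroup, seconds
    current_token_id: int
    current_key: bytes
    future_keys: List[bytes]

def coverage_end(p: PersistedKeys) -> float:
    """Instant at which the current key and all future keys are used up."""
    return p.received_at + p.time_to_next_key + len(p.future_keys) * p.key_lifetime

def key_after_restart(p: PersistedKeys, now: float) -> Optional[Tuple[int, bytes]]:
    """Return (token_id, key) valid at `now`, or None if a new push is needed."""
    if now < p.received_at:
        return None  # clock is behind the stored timestamp: time is not trustworthy
    elapsed = now - p.received_at
    if elapsed < p.time_to_next_key:
        return p.current_token_id, p.current_key
    # Number of key rotations that happened while the target was down.
    rotations = 1 + int((elapsed - p.time_to_next_key) // p.key_lifetime)
    if rotations > len(p.future_keys):
        return None  # outage was longer than the persisted keys cover
    # Assumption: token ids are sequential, one per key.
    return p.current_token_id + rotations, p.future_keys[rotations - 1]
```
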

This Method connects instances of SecurityGroupType to this PubSubKeyPushTarget. This indicates that the SKS shall use the push model to distribute the keys of the SecurityGroup to the PubSubKeyPushTarget.

The SKS shall push keys following this assignment. If an assignment does already exist, the entry is ignored.

If the assignment for a SecurityGroup already exists, a Good_EntryReplaced should be returned for that SecurityGroup and a new push of the existing keys shall be triggered to the push target.

The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.

Signature

ConnectSecurityGroups(
    [in]  NodeId[]     SecurityGroupIds,
    [out] StatusCode[] ConnectResults
);

| Argument | Description |
|---|---|
| SecurityGroupIds | The NodeIds of the SecurityGroups to connect to the PushTarget. |
| ConnectResults | The result codes for the SecurityGroups to connect. |

Method Result Codes

| ResultCode | Description |
|---|---|
| Bad_UserAccessDenied | The Session user is not allowed to connect SecurityGroups to the push target. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

Operation Result Codes

| ResultCode | Description |
|---|---|
| Good_EntryReplaced | The PushTarget was already assigned to the SecurityGroup, a new push was triggered. |
| Bad_NodeIdUnknown | A SecurityGroup NodeId is unknown. |
| Bad_NodeIdInvalid | A SecurityGroup NodeId is not a NodeId of a SecurityGroupType Object. |

Table 182 specifies the AddressSpace representation for the ConnectSecurityGroups Method.

Table 182 – ConnectSecurityGroups Method AddressSpace definition

| Attribute | Value |
|---|---|
| BrowseName | ConnectSecurityGroups |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
|---|---|---|---|---|---|
| HasProperty | Variable | InputArguments | Argument[] | PropertyType | Mandatory |
| HasProperty | Variable | OutputArguments | Argument[] | PropertyType | Mandatory |

ConformanceUnits: PubSub Model SKS Push

This Method disconnects instances of SecurityGroupType from this PubSubKeyPushTarget. This indicates that the SKS shall stop using the push model to distribute the keys of those SecurityGroups to the PubSubKeyPushTarget.

The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.

Signature

DisconnectSecurityGroups(
    [in]  NodeId[]     SecurityGroupIds,
    [out] StatusCode[] DisconnectResults
);

| Argument | Description |
|---|---|
| SecurityGroupIds | The NodeIds of the SecurityGroups to disconnect. |
| DisconnectResults | The result codes for the SecurityGroups to disconnect. |

Method Result Codes

| ResultCode | Description |
|---|---|
| Bad_UserAccessDenied | The Session user is not allowed to disconnect SecurityGroups from the push target. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

Operation Result Codes

| ResultCode | Description |
|---|---|
| Bad_NodeIdUnknown | A SecurityGroup NodeId is unknown. |
| Bad_NodeIdInvalid | A SecurityGroup NodeId is not a NodeId of a SecurityGroupType Object. |

Table 183 specifies the AddressSpace representation for the DisconnectSecurityGroups Method.

Table 183 – DisconnectSecurityGroups Method AddressSpace definition

| Attribute | Value |
|---|---|
| BrowseName | DisconnectSecurityGroups |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
|---|---|---|---|---|---|
| HasProperty | Variable | InputArguments | Argument[] | PropertyType | Mandatory |
| HasProperty | Variable | OutputArguments | Argument[] | PropertyType | Mandatory |

ConformanceUnits: PubSub Model SKS Push

This Method triggers a key update of all SecurityGroups related to the PubSubKeyPushTarget. The SKS shall push the new set of keys for all related SecurityGroups, even if not currently scheduled.

The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.

Signature

TriggerKeyUpdate();

Method Result Codes

| ResultCode | Description |
|---|---|
| Bad_UserAccessDenied | The Session user is not allowed to trigger a key update on this push target. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

The HasPushedSecurityGroup ReferenceType is a concrete ReferenceType that can be used directly. It is a subtype of the HierarchicalReferences ReferenceType.

The SourceNode of References of this type shall be an Object of ObjectType PubSubKeyPushTargetType or an ObjectType that is a subtype of PubSubKeyPushTargetType defined in 8.6.1.

The TargetNode of this ReferenceType shall be an Object of the ObjectType SecurityGroupType defined in 8.4.1.

Servers shall provide the inverse Reference that relates a SecurityGroup Object back to a PubSubKeyPushTargetType Object.

The representation of the HasPushedSecurityGroup ReferenceType in the AddressSpace is specified in Table 184.

Table 184 – HasPushedSecurityGroup ReferenceType

| Attributes | Value |
|---|---|
| BrowseName | HasPushedSecurityGroup |
| InverseName | HasPushTarget |
| Symmetric | False |
| IsAbstract | False |

| References | NodeClass | BrowseName | Comment |
|---|---|---|---|
| Subtype of HierarchicalReferences defined in OPC 10000-5. | | | |

Conformance Units: PubSub Model SKS Push

Table 185 specifies the AddressSpace representation for the TriggerKeyUpdate Method.

Table 185 – TriggerKeyUpdate Method AddressSpace definition

| Attribute | Value |
|---|---|
| BrowseName | TriggerKeyUpdate |

ConformanceUnits: PubSub Model SKS Push