SecurityKeyServices is an array of the DataType EndpointDescription and defines one or more Security Key Servers (SKS) that manage the security keys for the SecurityGroup assigned to the PubSubGroup. The EndpointDescription DataType is defined in OPC 10000-4.

The parameter is null if the SecurityMode is NONE.

Each element in the array is an Endpoint for an SKS that can supply the security keys for the SecurityGroupId. Multiple Endpoints exist because an SKS may have multiple redundant instances. If the SKS supports non-transparent redundancy, each Server in the redundant set shall have one entry in the array.

The use of the EndpointDescription parameters for the SKS selection is defined in Table 31. The main key for the identification of the SKS is the ApplicationUri.

The ApplicationUri is used in the different Server discovery mechanisms to get the OPC UA endpoint information necessary to connect to the SKS.

The combination of SecurityGroupId and SKS ApplicationUri is the unique key for a SecurityGroup in a PubSub application.

Table 31 – SecurityKeyService parameter content

| Field | Type | Definition for the values |
|---|---|---|
| EndpointUrl | String | Shall be null or empty. |
| Server | ApplicationDescription | The ApplicationDescription DataType is defined in OPC 10000-4. |
|     ApplicationUri | String | The ServerUri of the SKS. |
|     ProductUri | String | Can be null or empty. |
|     ApplicationName | LocalizedText | Can be null or empty. |
|     ApplicationType | Enum ApplicationType | SERVER: The security keys are pulled from the SKS using the Method GetSecurityKeys. CLIENT: The security keys are pushed from the SKS to the PubSub application using the Method SetSecurityKeys. CLIENTANDSERVER: Invalid value. DISCOVERYSERVER: Invalid value. If the SKS information is sent as part of a discovery announcement message for a WriterGroup, the ApplicationType shall be set to SERVER even if the Publisher is configured for push. |
|     GatewayServerUri | String | Shall be null or empty. |
|     DiscoveryProfileUri | String | Shall be null or empty. |
|     DiscoveryUrls [] | String | A list of URLs for the DiscoveryEndpoints provided by the SKS. |
| ServerCertificate | ApplicationInstanceCertificate | Shall be null or empty. |
| SecurityMode | MessageSecurityMode | The value shall be SIGNANDENCRYPT. |
| SecurityPolicyUri | String | ApplicationType SERVER: The URI for SecurityPolicy to use to connect to the SKS. If the URI is null or empty, the pull access shall use the best available security policy that is also supported by the pull Client. ApplicationType CLIENT: Shall be null or empty. |
| UserIdentityTokens [] | UserTokenPolicy | ApplicationType SERVER: The user identity tokens that should be used to connect to the SKS. The default is ANONYMOUS if the array is empty. For ANONYMOUS the authorization for accessing the keys is based on the application authentication. If the type is USERNAME, a KeyCredentialConfigurationType instance is used to configure user name and password. The ResourceUri of the KeyCredentialConfigurationType instance shall match the ApplicationUri of the SKS. The KeyCredentialConfigurationType is defined in OPC 10000-12. The UserTokenPolicies are defined in OPC 10000-4. ApplicationType CLIENT: The array shall be null or empty. |
| TransportProfileUri | String | Can be null or empty. |
| SecurityLevel | Byte | Shall be 0. |
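
The following configuration check applies the Table 31 constraints to one SecurityKeyServices element. It is an added example, not code from the specification or from any OPC UA SDK. The `SksEndpoint` class, its snake_case field names, the token types held as plain strings and the sample URIs are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SksEndpoint:
    """Constructed stand-in for an EndpointDescription; only Table 31 fields."""
    application_uri: str
    application_type: str = "SERVER"      # SERVER = pull, CLIENT = push
    endpoint_url: str = ""
    gateway_server_uri: str = ""
    discovery_profile_uri: str = ""
    server_certificate: bytes = b""
    security_mode: str = "SIGNANDENCRYPT"
    security_policy_uri: str = ""
    # Simplification: token types as strings instead of UserTokenPolicy values.
    user_identity_tokens: list = field(default_factory=list)
    security_level: int = 0

MUST_BE_EMPTY = ("endpoint_url", "gateway_server_uri",
                 "discovery_profile_uri", "server_certificate")

def validate_sks_endpoint(ep, in_discovery_announcement=False):
    """Return the Table 31 violations for one SecurityKeyServices element."""
    errors = [f"{name} shall be null or empty"
              for name in MUST_BE_EMPTY if getattr(ep, name)]
    if not ep.application_uri:  # assumption: the main key must not be empty
        errors.append("application_uri is missing")
    if ep.security_mode != "SIGNANDENCRYPT":
        errors.append("security_mode shall be SIGNANDENCRYPT")
    if ep.security_level != 0:
        errors.append("security_level shall be 0")
    if ep.application_type not in ("SERVER", "CLIENT"):
        errors.append(f"application_type {ep.application_type} is invalid")
    elif ep.application_type == "CLIENT":
        if in_discovery_announcement:
            errors.append("application_type shall be SERVER in an announcement")
        for name in ("security_policy_uri", "user_identity_tokens"):
            if getattr(ep, name):
                errors.append(f"{name} shall be null or empty for CLIENT")
    return errors

# Constructed sample entries (URIs are placeholders, not from the specification).
GOOD_PULL = SksEndpoint("urn:example:sks:primary")
BAD_PUSH = SksEndpoint("urn:example:sks:primary", application_type="CLIENT",
                       endpoint_url="opc.tcp://sks.example:4840",
                       security_mode="SIGN",
                       user_identity_tokens=["USERNAME"])
```
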