This Service Set defines Services used to open a communication channel that ensures the confidentiality and Integrity of all Messages exchanged with the Server. The base concepts for OPC UA security are defined in OPC 10000-2.

The SecureChannel Services are unlike other Services because they are not implemented directly by the OPC UA Application. Instead, they are provided by the Communication Stack on which the OPC UA Application is built. For example, an OPC UA Server may be built on a stack that allows applications to establish a SecureChannel using HTTPS. In these cases, the OPC UA Application shall verify that the Message it received was in the context of an HTTPS connection. OPC 10000-6 describes how the SecureChannel Services are implemented.

A SecureChannel is a long-running logical connection between a single Client and a single Server. This channel maintains a set of keys known only to the Client and Server, which are used to authenticate and encrypt Messages sent across the network. The SecureChannel Services allow the Client and Server to securely negotiate the keys to use.

Logical connections may be initiated by the Client or by the Server as described in OPC 10000-6. After the connection is initiated, the SecureChannel is opened and closed by the Client using the SecureChannel Services.

An EndpointDescription tells a Client how to establish a SecureChannel with a given Endpoint. A Client may obtain the EndpointDescription from a Discovery Server, via some non-UA defined directory server or from its own configuration.

The exact algorithms used to authenticate and encrypt Messages are described in the SecurityPolicy field of the EndpointDescription. A Client shall use these algorithms when it creates a SecureChannel.

It should be noted that some SecurityPolicies defined in OPC 10000-7 (the None policy in particular) turn off authentication and encryption, resulting in a SecureChannel that provides no security.

When a Client and Server are communicating via a SecureChannel, they shall verify that all incoming Messages have been signed and encrypted according to the requirements specified in the EndpointDescription. An OPC UA Application shall not process any Message that does not conform to these requirements.
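The following is an added illustration of the two requirements above (keys known only to Client and Server, and rejection of any Message that does not meet the EndpointDescription requirements); it is example code written for this page, not an OPC UA stack and not the wire format of OPC 10000-6. The SecurityPolicy URIs and MessageSecurityMode values are the ones OPC 10000-7 and this Part define; everything else is an assumption: keys are expanded from the two nonces with a TLS-style P_SHA256 (the exact secret/seed assignment and key lengths of OPC 10000-6 are not reproduced), Messages are signed with HMAC-SHA256, and "encrypted" is modelled as the transport context in which the Message arrived, as in the HTTPS case described above, rather than by encrypting the body.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# SecurityPolicy URIs as defined in OPC 10000-7.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

# MessageSecurityMode values carried in the EndpointDescription.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA256 expansion: HMAC(secret, A(i) || seed), A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


@dataclass
class EndpointDescription:
    security_policy_uri: str
    security_mode: int


@dataclass
class SecureChannel:
    """Keys derived from the exchanged nonces; only the Client and Server hold them."""
    policy_uri: str
    mode: int
    signing_key: bytes

    @classmethod
    def open(cls, endpoint, client_nonce, server_nonce):
        if endpoint.security_policy_uri == POLICY_NONE:
            key = b""  # the None policy negotiates no keys: the channel provides no security
        else:
            key = p_sha256(server_nonce, client_nonce, 32)  # assumed secret/seed roles
        return cls(endpoint.security_policy_uri, endpoint.security_mode, key)


@dataclass
class Message:
    policy_uri: str
    mode: int
    body: bytes
    signature: bytes = b""
    transport_encrypted: bool = False  # e.g. received inside an HTTPS connection


def send(channel, body, transport_encrypted=False):
    """Protect an outgoing body according to the channel's mode."""
    sig = b""
    if channel.mode in (MODE_SIGN, MODE_SIGN_AND_ENCRYPT):
        sig = hmac.new(channel.signing_key, body, hashlib.sha256).digest()
    return Message(channel.policy_uri, channel.mode, body, sig, transport_encrypted)


def accept(endpoint, channel, msg):
    """True only if msg meets the requirements of the EndpointDescription."""
    # A Message claiming a different policy or a weaker mode than the Endpoint
    # requires is a downgrade and is rejected before any signature check.
    if msg.policy_uri != endpoint.security_policy_uri or msg.mode != endpoint.security_mode:
        return False
    if endpoint.security_mode == MODE_NONE:
        return True  # accepted, but nothing about the Message has been authenticated
    expected = hmac.new(channel.signing_key, msg.body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg.signature):
        return False  # forged or tampered body
    if endpoint.security_mode == MODE_SIGN_AND_ENCRYPT and not msg.transport_encrypted:
        return False  # signed but not encrypted: still non-conforming
    return True


def demo():
    """Constructed exchange: one conforming Message and three that must be rejected."""
    endpoint = EndpointDescription(POLICY_BASIC256SHA256, MODE_SIGN_AND_ENCRYPT)
    client_nonce, server_nonce = os.urandom(32), os.urandom(32)
    client = SecureChannel.open(endpoint, client_nonce, server_nonce)
    server = SecureChannel.open(endpoint, client_nonce, server_nonce)  # same keys on both ends

    good = send(client, b"ReadRequest", transport_encrypted=True)
    results = {"good": accept(endpoint, server, good)}
    tampered = Message(good.policy_uri, good.mode, b"WriteRequest", good.signature, True)
    results["tampered"] = accept(endpoint, server, tampered)
    downgrade = Message(POLICY_NONE, MODE_NONE, b"ReadRequest")
    results["downgrade"] = accept(endpoint, server, downgrade)
    results["unencrypted"] = accept(endpoint, server, send(client, b"ReadRequest"))

    # With the None policy the same check passes, which is exactly the caveat above.
    insecure = EndpointDescription(POLICY_NONE, MODE_NONE)
    ch = SecureChannel.open(insecure, client_nonce, server_nonce)
    results["none_policy"] = accept(insecure, ch, send(ch, b"ReadRequest"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the `accept` ordering is that the Endpoint's requirements, not the Message's own claims, decide what is checked: a Message that says "None" on a SignAndEncrypt Endpoint is dropped without ever consulting the keys, and a correctly signed Message that did not arrive encrypted is dropped as well.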

The relationship between the SecureChannel and the OPC UA Application depends on the implementation technology. OPC 10000-6 defines any requirements that depend on the technology used.

The correlation between the OPC UA Application Session and the SecureChannel is illustrated in Figure 13. The Communication Stack is used by the OPC UA Applications to exchange Messages. In the first step, the SecureChannel Services are used to establish a SecureChannel between the two Communication Stacks which allows the secure exchange of Messages. In the second step, the OPC UA Applications use the Session Service Set to establish an OPC UA Application Session.

Figure 13 – SecureChannel and Session Services

Once a Client has established a Session it may wish to access the Session from a different SecureChannel. The Client can do this by validating the new SecureChannel with the ActivateSession Service described in 5.6.3.

If a Server acts as a Client to other Servers, which is commonly referred to as Server chaining, then the Server shall be able to maintain user level security, meaning that the user identity should be passed to the underlying Server or mapped to an appropriate user identity in the underlying Server. Ignoring user level security is unacceptable, because it would allow a user to obtain information that they should not have access to. Whenever possible a Server should impersonate the original Client by passing the original Client's user identity to the underlying Server when it calls the ActivateSession Service. If impersonation is not an option, then the Server shall map the original Client's user identity onto a new user identity which the underlying Server does recognize.
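The following is an added example, not code from the specification or from any OPC UA stack, of how a chaining Server can follow the rule above: impersonate when the underlying Server accepts the original identity, map when it does not, and refuse (rather than fall back to a shared service account) when no mapping exists. The classes, the token kinds, the node id `ns=2;i=1` and the user names are constructed for the illustration; the underlying Server is a stand-in whose `activate_session` only checks the token kind, the way the real ActivateSession Service would reject an unsupported UserIdentityToken type.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserIdentity:
    """Identity presented by the original Client (token kind and subject, constructed)."""
    kind: str   # "anonymous", "username" or "x509"
    name: str


class UnderlyingServer:
    """Stand-in for the Server being chained to: accepts some token kinds, authorizes per user."""

    def __init__(self, accepted_kinds, permissions):
        self.accepted_kinds = set(accepted_kinds)
        self.permissions = permissions  # user name -> set of readable node ids

    def activate_session(self, identity):
        if identity.kind not in self.accepted_kinds:
            raise PermissionError(f"{identity.kind} tokens are not accepted")
        return identity

    def read(self, identity, node_id):
        if node_id not in self.permissions.get(identity.name, set()):
            raise PermissionError(f"{identity.name} may not read {node_id}")
        return f"value of {node_id}"


class ChainingServer:
    """A Server that acts as a Client to an underlying Server."""

    def __init__(self, downstream, identity_map=None):
        self.downstream = downstream
        self.identity_map = identity_map or {}  # (kind, name) -> identity the downstream knows

    def forward_identity(self, original):
        # Preferred: impersonate by passing the original identity through unchanged.
        if original.kind in self.downstream.accepted_kinds:
            return self.downstream.activate_session(original)
        # Otherwise map onto an identity the underlying Server does recognize.
        mapped = self.identity_map.get((original.kind, original.name))
        if mapped is None:
            # Never substitute a generic service account here: that would let
            # every user inherit its access and ignore user level security.
            raise PermissionError(f"no downstream identity for {original.kind}:{original.name}")
        return self.downstream.activate_session(mapped)

    def read(self, original, node_id):
        return self.downstream.read(self.forward_identity(original), node_id)


def demo():
    """Constructed scenario: the downstream accepts username tokens only and authorizes alice."""
    downstream = UnderlyingServer(accepted_kinds={"username"},
                                  permissions={"alice": {"ns=2;i=1"}})
    chain = ChainingServer(
        downstream,
        # Certificate identities the downstream cannot verify are mapped to the
        # corresponding username identity; anything unmapped is refused.
        identity_map={("x509", "CN=alice"): UserIdentity("username", "alice")},
    )
    node = "ns=2;i=1"
    results = {}
    for label, ident in [
        ("alice", UserIdentity("username", "alice")),          # impersonated, authorized
        ("bob", UserIdentity("username", "bob")),              # impersonated, refused downstream
        ("cert_mapped", UserIdentity("x509", "CN=alice")),     # mapped, authorized
        ("cert_unmapped", UserIdentity("x509", "CN=mallory")), # no mapping, refused here
    ]:
        try:
            results[label] = chain.read(ident, node)
        except PermissionError:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

Note that bob's request is denied by the underlying Server, not by the chaining Server: impersonation means the downstream's own authorization decides, which is the property chaining is required to preserve.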