Errata exists for this version of the document.

The SecuredApplication element specifies the security settings for an application. The elements contained in a SecuredApplication are described in Table E.1.

When an instance of a SecuredApplication is imported into an application the application updates its configuration based on the information contained within it. If unrecoverable errors occur during import an application shall not make any changes to its configuration and report the reason for the error.

The mechanism used to import or export the configuration depends on the application. applications shall ensure that only authorized users are able to access this feature.

The SecuredApplication element may reference X.509 v3 Certificates which are contained in physical stores. Each application needs to decide whether it uses shared physical stores which the administrator can control directly by changing the location or private stores that can only be accessed via the import/export utility. If the application uses private stores, then the contents of these private stores shall be copied to the export file during export. If the import file references shared physical stores, then the import/export utility shall copy the contents of those stores to the private stores.

The import/export utility shall not export private keys. If the administrator wishes to assign a new public-private key to the application the administrator shall place the private in a store where it can be accessed by the import/export utility. The import/export utility is then responsible for ensuring it is securely moved to a location where the application can access it.

Table E.1 – SecuredApplication

Element

Type

Description

ApplicationName

String

A human readable name for the application.

Applications shall allow this value to be read or changed.

ApplicationUri

String

A globally unique identifier for the instance of the application.

Applications shall allow this value to be read or changed.

ApplicationType

ApplicationType

The type of application.

May be one of

  • Server_0;
  • Client_1;
  • ClientAndServer_2;
  • DiscoveryServer_3;

Application shall provide this value.

Applications do not allow this value to be changed.

ProductName

String

A name for the product.

Application shall provide this value.

Applications do not allow this value to be changed.

ConfigurationMode

String

Indicates how the application should be configured.

An empty or missing value indicates that the configuration file can be edited directly. The location of the configuration file shall be provided in this case.

Any other value is a URI that identifies the configuration utility. The vendor documentation shall explain how to use this utility.

Application shall provide this value.

Applications do not allow this value to be changed.

LastExportTime

UtcTime

When the configuration was exported by the import/export utility.

It may be omitted if applications allow direct editing of the security configuration.

ConfigurationFile

String

The full path to a configuration file used by the application.

applications do not provide this value if an import/export utility is used.

Applications do not allow this value to be changed.

Permissions set on this file shall control who has rights to change the configuration of the application. re

ExecutableFile

String

The full path to an executable file for the application.

Applications may not provide this value.

Applications do not allow this value to be changed.

Permissions set on this file shall control who has rights to launch the application.

ApplicationCertificate

CertificateIdentifier

The identifier for the Application Instance Certificate.

Applications shall allow this value to be read or changed.

This identifier may reference a Certificate store that contains the private key. If the private key is not accessible to outside applications this value shall contain the X.509 v3 Certificate for the application.

If the configuration utility assigns a new private key this value shall reference the store where the private key is placed. The import/export utility may delete this private key if it moves it to a secure location accessible to the application.

Applications shall allow Administrators to enter the password required to access the private key during the import operation. The exact mechanism depends on the application.

Applications shall report an error if the ApplicationCertificate is not valid.

TrustedCertificateStore

CertificateStoreIdentifier

The location of the CertificateStore containing the Certificates of applications or Certificate Authorities (CAs) which can be trusted.

applications shall allow this value to be read or changed.

This value shall be a reference to a physical store which can be managed separately from the application. applications that support shared physical stores shall check this store for changes whenever they validate a Certificate.

The Administrator is responsible for verifying the signature on all Certificates placed in this store. This means the application may trust Certificates in this store even if they cannot be verified back to a trusted root.

Administrators shall place any CA certificates used to verify the signature in the IssuerStore or the IssuerList. This will allow applications to properly verify the signatures.

The application shall check the revocation status of the Certificates in this store if the Certificate was issued by a CA. The application shall look for the offline Certificate Revocation List (CRL) for a CA in the store where it found the CA Certificate.

The location of an online CRL for CA shall be specified with the CRLDistributionPoints (OID= 2.5.29.31) X.509 v3 Certificate extension.

The ValidationOptions parameter is used to specify which revocation list should be used for CAs in this store.

TrustedCertificates

CertificateList

A list of Certificates for applications for CAs that can be trusted.

Applications shall allow this value to be read or changed.

The value is an explicit list of Certificates which is private to the application. It is used when the application does not support shared physical Certificate stores or when Administrators need to specify ValidationOptions for individual Certificates.

If the TrustedCertificateStore and the TrustedCertificates parameters are both specified, then the application shall use the TrustedCertificateStore for checking trust relationships. The TrustedCertificates parameter is only used to lookup ValidationOptions for individual Certificates. It may also be used to provide CRLs for CA certificates.

If the TrustedCertificateStore is not specified, then TrustedCertificates parameter shall contain the complete X.509 v3 Certificate for each entry.

IssuerStore

CertificateStoreIdentifier

The location of the CertificateStore containing CA Certificates which are not trusted but are needed to check signatures on Certificates.

Applications shall allow this value to be read or changed.

This value shall be a reference to a physical store which can be managed separately from the application. applications that support shared physical stores shall check this store for changes whenever they validate a Certificate.

This store may also contain CRLs for the CAs.

IssuerCertificates

CertificateList

A list of Certificates for CAs which are not trusted but are needed to check signatures on Certificates.

Applications shall allow this value to be read or changed.

The value is an explicit list of Certificates which is private to the application. It is used when the application does not support shared physical Certificate stores or when Administrators need to specify ValidationOptions for individual Certificates.

If the IssuerStore and the IssuerCertificates parameters are both specified, then the application shall use the IssuerStore for checking signatures. The IssuerCertificates parameter is only used to lookup ValidationOptions for individual Certificates. It may also be used to provide CRLs for CA certificates.

RejectedCertificatesStore

CertificateStoreIdentifier

The location of the shared CertificateStore containing the Certificates of applications which were rejected.

Applications shall allow this value to be read or changed.

Applications shall add the DER encoded Certificate into this store whenever it rejects a Certificate because it is untrusted or if it failed one of the validation rules which can be suppressed (see Clause E.6).

Applications shall not add a Certificate to this store if it was rejected for a reason that cannot be suppressed (e.g. Certificate revoked).

BaseAddresses

String []

A list of URLs for the Endpoints supported by a Server.

Applications shall allow these values to be read or changed.

If a Server does not support the scheme for a URL it shall ignore it.

This list can have multiple entries for the same URL scheme. The first entry for a scheme is the base URL. The rest are assumed to be DNS aliases that point to the first URL.

It is the responsibility of the Administrator to configure the network to route these aliases correctly.

SecurityProfileUris

SecurityProfile []

A list of SecurityPolicyUris supported by a Server. The URIs are defined as security Profiles in OPC 10000-7.

Applications shall allow these values to be read or changed.

Applications shall allow the Enabled flag to be changed for each SecurityProfile that it supports.

If the Enabled flag is false, the Server shall not allow connections using the SecurityProfile.

If a Server does not support a SecurityProfile it shall ignore it.

Extensions

xs:any

A list of vendor defined Extensions attached to the security settings.

Applications shall ignore Extensions that they do not recognize.

Applications that update a file containing Extensions shall not delete or modify extensions that they do not recognize.