Group

Description

Address Space Model

Defines ConformanceUnits for various features of the OPC UA AddressSpace.

Aggregates

All ConformanceUnits that are related to Aggregates, including individual ConformanceUnits for each supported Aggregate as described in Part 13.

Alarms and Conditions

All ConformanceUnits that are associated with the OPC UA Information Model for Conditions, acknowledgeable Conditions, confirmations and Alarms as specified in Part 9.

Attribute Services

Includes ConformanceUnits to read or write current or historical Attribute values.

Auditing

User level security includes support for security audit trails, with traceability between Client and Server audit logs.

Base Information

All information elements as defined in Part 5.

Data Access

ConformanceUnits specific to Clients and Servers that deal with the representation and use of automation data as specified in Part 8.

Discovery Services

ConformanceUnits which focus on Server Endpoint Discovery.

GDS

Conformance Units for a GDS. Includes units for global discovery and global certificate management.

Historical Access

Access to archived data of Node Attribute values or Events.

Method Services

Methods represent the function calls of Objects. Methods are invoked and return only after completion (successful or unsuccessful).

Miscellaneous

This group contains ConformanceUnits that cover miscellaneous subjects, such as recommended behaviours, documentation etc. These ConformanceUnits typically do not fit into any of the other groups.

Monitored Item Services

Clients define MonitoredItems to subscribe to data and Events. Each MonitoredItem identifies the item to be monitored and the Subscription to use to send Notifications.

Node Management Services

Bundles ConformanceUnits for all Services to add and delete OPC UA AddressSpace Nodes and References.

Protocol and Encoding

Covers all transport and encoding combinations that are specified in Part 6.

Redundancy

The design of OPC UA ensures that vendors can create redundant Clients and redundant Servers in a consistent manner. Redundancy may be used for high availability, fault tolerance and load balancing.

Security

Security related ConformanceUnits that can be profiled this includes all aspects of security.

Session Services

An (OPC UA) Session is an application layer connection.

Subscription Services

Subscriptions are used to report Notifications to the Client.

View Services

Clients use the View Service Set to navigate through the OPC UA AddressSpace or through a View (a subset) of the OPC UA AddressSpace.

Category

Title

Description

Server

Discovery Get Endpoints

Support the GetEndpoints Service to obtain all Endpoints of the Server.

This includes filtering based on Profiles.

Server

Discovery Get Endpoints SessionLess

Support at least one endpoint for issueing SessionLess Services. Support obtaining such endpoints by accepting the Transport URI as a filter to the GetEndpoints Service with the query string "SL" appended to the Transport URI. E.g. "http://opcfoundation.org/UA-Profile/Transport/https-uajson?SL"

Server

Discovery Find Servers Self

Support the FindServers Service only for itself.

Server

Discovery Register

Call the RegisterServer Service to register itself (OPC UA Server) with an external Discovery Service via a secure channel with a SecurityMode other than NONE.

Server

Discovery Register2

Call the RegisterServer2 Service to register with an external Discovery Service via a Secure Channel with a SecurityMode other than "None". This includes passing a list of short capability identifiers.

The identifiers and their use are specified in Part 12.

Server

Discovery Server Announcement using mDNS

Provide mDNS functionality to announce a Server with its capabilities. The capability identifiers and the use of mDNS records for the purpose of OPC UA Discovery is specified in Part 12.

Note that this functionality is only required for Servers that do not register with an LDS.

The capability identifiers and their use in mDNS records are specified in Part 12.

Server

Discovery Configuration

Allow configuration of the Discovery Server URL where the Server will register itself.

Allow complete disabling of registration with a Discovery Server.

Client

Discovery Client Find Servers Basic

Uses the FindServers Service to obtain all Servers installed on a given platform.

Client

Discovery Client Find Servers with URI

Use FindServers Service to obtain URLs for specific Server URIs.

Client

Discovery Client Find Servers Dynamic

Detect new Servers after an initial FindServers Service call.

Client

Discovery Client Find Servers on Network

Support one of the options to locate Servers on the network.

Client

Discovery Client Find Servers on Network using LDS-ME

Use FindServersOnNetwork Service to obtain URLs for specific Server URIs. Note that this Service is available via the Local Discovery Server with multicast extension (LDS-ME).

Client

Discovery Client Find Servers on Network using mDNS

Use mDNS based Service Discovery to locate Servers on the same multicast network. The contents of mDNS records for OPC UA Discovery are described in Part 12.

Note that this functionality is only required for Clients when there is no Local Discovery Server with multicast extension (LDS-ME).

The capability identifiers and their use in mDNS records are specified in Part 12.

Client

Discovery Client Find Servers in GDS

Use the QueryServers Method on the GDS Directory Object to locate Servers that meet filter criteria specified in the request. This Method is specified in Part 12.

Client

Discovery Client Find Applications in GDS

Use the QueryApplications Method on the GDS Directory Object to locate Applications that meet filter criteria specified in the request. This Method is specified in Part 12.

Client

Discovery Client Get Endpoints Basic

Uses the GetEndpoints Service to obtain all Endpoints for a given Server URI.

Client

Discovery Client Get Endpoints SessionLess

Uses the GetEndpoints Service with a filter to obtain Endpoints that can be used for SessionLess Service invocation. The filter is the Transport URI extended with the query string "SL". E.g. http://opcfoundation.org/UA-Profile/Transport/https-uajson?SL.

Client

Discovery Client Get Endpoints Dynamic

Detect changes to the Endpoints after an initial GetEndpoints Service call.

Client

Discovery Client Configure Endpoint

Allow specification of an Endpoint without going through the Discovery Service Set.

Category

Title

Description

Server

Session General Service Behaviour

Implement basic Service behaviour. This includes in particular:

– checking the authentication token

– returning the requestHandle in responses

– returning available diagnostic information as requested with the 'returnDiagnostics' parameter

– respecting a timeoutHint

Server

Session Base

Support the Session Service Set (CreateSession, ActivateSession, CloseSession) except the use of ActivateSession to change the Session user. This includes correct handling of all parameters that are provided.

Note that for the CreateSession and ActivateSession services, if the SecurityMode = None then:

1) The Application Certificate and Nonce are optional.

2) The signatures are null/empty.

The details of this are described in Part 4.

Server

Session Change User

Support the use of ActivateSession to change the Session user.

Server

Session Cancel

Support the Cancel Service to cancel outstanding requests.

Server

Session Minimum 1

Support minimum 1 Session (total).

Server

Session Minimum 2 Parallel

Support minimum 2 parallel Sessions (total for all Clients).

Server

Session Minimum 50 Parallel

Support minimum 50 parallel Sessions (total for all Clients).

Server

Session Sessionless Invocation

Defines the support of the SessionlessInvoke Service defined in UA Part 4 to process any of the Services (like Read/Write, Browse, or Call) that are designated for Session-less invocation.

Client

Session Client General Service Behaviour

Implement basic Service behaviour. This includes in particular:

– including the proper authentication token of the Session

– creating a requestHandle if needed

– requesting diagnostic information with the 'returnDiagnostics' parameter

– evaluate the serviceResult and operational results

Client

Session Client Base

Use the Session Service Set (CreateSession, ActivateSession, and CloseSession) except the use of ActivateSession to change the Session user. This includes correct handling of all parameters that are provided

Note that for the CreateSession and ActivateSession services, if the SecurityMode = None then:

1) The Application Certificate and Nonce are optional.

2) The signatures are null/empty.

Client

Session Client Multiple Connections

Support unlimited connections (client side) with multiple Servers. Any limit on numbers of connections is from server side. May have a memory based limit, but not a software constraint limit.

Client

Session Client Renew NodeIds

This ConformanceUnit applies to Clients that allow persisting NodeIds.

Verify that the Namespace Table has not changed for NodeIds that the Client has persisted and is going to re-use beyond a Session lifetime. If changes occurred the Client has to recalculate the Namespace Indices of the respective NodeIds.

Client

Session Client Impersonate

Uses ActivateSession to change the Session user (impersonation).

Client

Session Client KeepAlive

Make periodic requests to keep the Session alive.

Client

Session Client Detect Shutdown

Read or monitor the ServerStatus/State Variable to recognize a potential shutdown of the Server and clean up resources.

Client

Session Client Cancel

Use the Cancel Service to cancel outstanding requests.

Client

Session Client Auto Reconnect

Automatic Client reconnect including:

– ActivateSession with new SecureChannel if SecureChannel is no longer valid but Session is still valid

– Creation of a new Session only if Session is no longer valid

Client

Session Client Single Session

The Client shall interoperate with Servers that only support one Session.

Client

Session Client SessionLess Service Calls

Defines the use of the SessionlessInvoke Service defined in UA Part 4 to request one of the Services (like Read or Browse) that are allowed for sessionless invocation. UA Part 6 specifies which transports may be used and how.

Category

Title

Description

Server

Node Management Add Node

Support the AddNodes Service to add one or more Nodes into the OPC UA AddressSpace.

Server

Node Management Delete Node

Support the DeleteNodes Service to delete one or more Nodes from the OPC UA AddressSpace.

Server

Node Management Add Ref

Support the AddReferences Service to add one or more References to one or more Nodes in the OPC UA AddressSpace.

Server

Node Management Delete Ref

Support the DeleteReferences Service to delete one or more References of a Node in the OPC UA AddressSpace.

Client

Node Management Client

Uses Node Management Services to add or delete Nodes and to add or delete References in Server's OPC UA AddressSpace.

Category

Title

Description

Server

View Basic

Support the View Service Set (Browse, BrowseNext).

Server

View TranslateBrowsePath

Support TranslateBrowsePathsToNodeIds Service.

Server

View RegisterNodes

Support the RegisterNodes and UnregisterNodes Services as a way to optimize access to repeatedly used Nodes in the Server's OPC UA AddressSpace.

Server

View Minimum Continuation Point 01

Support minimum 1 continuation point per Session.

Server

View Minimum Continuation Point 05

Support minimum 5 continuation points per Session.

This number has to be supported for at least half of the minimum required sessions.

Client

View Client Basic Browse

Uses Browse and BrowseNext Services to navigate through the Server's OPC UA AddressSpace. Make use of the referenceTypeId and the nodeClassMask to specify the needed References.

Client

View Client Remote Nodes Browse

The Client can browse to nodes that have an extended NodeID that reference a Server different than the originating Server. This includes automatic connection to the remote Server. It is acceptable that the Server configuration information be pre-configured on the Client and / or that the user is prompted to connect.

Client

View Client Basic ResultSet Filtering

Makes use of the resultMask parameter to optimize the result set to be returned by the Server.

Client

View Client TranslateBrowsePath

Uses the TranslateBrowsePathsToNodeIds Service to identify the NodeIds for Nodes where a starting Node and a BrowsePath is known. Makes use of bulk operations rather than multiple calls whenever possible.

Client

View Client Remote Nodes Translate Browse

The Client can translate browse paths that include nodes with extended NodeID that reference a Server different than the originating Server and return them as part of the TranslateBrowsePathsToNodeIds Service. It is acceptable that the Server configuration information be pre-configured on the Client.

Client

View Client RegisterNodes

Uses the RegisterNodes Service to optimize access for Nodes that are used repeatedly. Use UnregisterNodes when Nodes are not used anymore.

Category

Title

Description

Server

Attribute Read

Supports the Read Service to read one or more Attributes of one or more Nodes. This includes support of the IndexRange parameter to read a single element or a range of elements when the Attribute value is an array.

Server

Attribute Read Complex

Supports reading and encoding Values with structured DataTypes.

Server

Attribute Write Values

Supports writing to values to one or more Attributes of one or more Nodes.

Server

Attribute Write Complex

Supports writing and decoding Values with structured DataTypes.

Server

Attribute Write StatusCode & Timestamp

Supports writing of StatusCode and Timestamps along with the Value.

Server

Attribute Write Index

Supports the IndexRange to write a single element or a range of elements when the Attribute value is an array and partial updates is allowed for this array.

Server

Attribute Alternate Encoding

Supports alternate Data Encoding when reading value Attributes.

By default, every Server has to support the Data Encoding of the currently used Stack Profile (i.e. binary with UA Binary Encoding and XML with XML Encoding). This ConformanceUnit - when supported - specifies that the other Data Encoding is supported in addition.

Server

Attribute Historical Read

Supports the HistoryRead Service. The details of what aspects of this service are used are listed in additional ConformanceUnits, but at least one of ReadRaw, ReadProcessed, ReadModified, ReadAtTime or ReadEvents must be supported.

Server

Attribute Historical Update

Supports the HistoryUpdate service. The details of the supported features of this service are described by additional ConformanceUnits, but at least one of the following must be supported: InsertData, InsertEvents, ReplaceData, ReplaceEvents, UpdateData, UpdateEvents, DeleteData, DeleteEvents or DeleteAtTime.

Client

Attribute Client Read Base

Use the Read Service to read one or more Attributes of one or more Nodes. This includes use of an IndexRange to select a single element or a range of elements when the Attribute value is an array.

Clients shall use bulk operations whenever possible to reduce the number of Service invocations.

Client

Attribute Client Remote Nodes Attribute Access

The Client can retrieve attributes of nodes that have an extended NodeID that reference a Server different than the originating Server. This requires a connection to the remote Server for access (not necessarily displayed as a connection). It is acceptable that the Server configuration information be pre-configured on the Client.

Client

Attribute Client Read with proper Encoding

This ConformanceUnit refers to the ability of a Client to discover the available encodings and choose a specific one when calling the Read Service.

Client

Attribute Client Read Complex

Read and decode Values with structured DataTypes.

Client

Attribute Client Write Base

Use the Write Service to write values to one or more Attributes of one or more Nodes. This includes use of an IndexRange to select a single element or a range of elements when the Attribute value is an array.

Clients shall use bulk operations whenever possible to reduce the number of Service invocations.

Client

Attribute Client Write Complex

Write and Encode Values with structured DataTypes.

Client

Attribute Client Write Quality & Timestamp

Use the Write Service to also write StatusCode and/or Timestamps along with a Value.

Client

Attribute Client Historical Read

The Client makes use of the HistoryRead service. The details of which aspect of this service are used are provided by additional ConformanceUnits, but at least one or more of the following is used ReadRaw, ReadAtTime, ReadProcessed, ReadModified or ReadEvents.

Client

Attribute Client Historical Updates

The Client makes use of the HistoryUpdate service. The details of this usage are provided by additional ConformanceUnits, but at least one or more of the following must be provided InsertData, InsertEvents, ReplaceData, ReplaceEvents, UpdateData, UpdateEvents, DeleteData or DeleteEvents or DeleteAtTime.

Category

Title

Description

Server

Method Call

Support the Call Service to call (invoke) a Method which includes support for Method Parameters.

Client

Method Client Call

Use the Call Service to call one or several Methods.

Category

Title

Description

Server

Monitor Basic

Support the following MonitoredItem Services: CreateMonitoredItems, ModifyMonitoredItems, DeleteMonitoredItems and SetMonitoringMode.

Server

Monitor Value Change

Support creation of MonitoredItems for Attribute value changes. This includes support of the IndexRange to select a single element or a range of elements when the Attribute value is an array.

Server

Monitor Complex Value

Supports monitoring and encoding Values with structured DataTypes.

Server

Monitored Items Deadband Filter

Supports an absolute Deadband filter as a DataChangeFilter for numeric data types.

Server

Monitor Aggregate Filter

Support for Aggregate filters for MonitoredItems. The result of this ConformanceUnit includes a list of Aggregates that are supported as part of the Profile Certificate.

Server

Monitor Alternate Encoding

Support alternate encoding when monitoring value Attributes.

By default, every Server has to support the encoding of the currently used Stack Profile (i.e. binary with UA Binary Encoding and XML with XML Encoding). This ConformanceUnit - when supported - specifies that the other encoding is supported in addition.

Server

Monitor Items 2

Support at least 2 MonitoredItems per Subscription where the size of each MonitoredItem is at least equal to size of Double.

Server

Monitor Items 10

Support at least 10 MonitoredItems per Subscription where the size of each MonitoredItem is at least equal to size of Double.

Server

Monitor Items 100

Support at least 100 MonitoredItems per Subscription.

This number has to be supported for at least half of the required Subscriptions for half of the required Sessions.

Server

Monitor Items 500

Support at least 500 MonitoredItems per Subscription.

This number has to be supported for at least half of the required Subscriptions for half of the required Sessions.

Server

Monitor QueueSize_1

This ConformanceUnit does not require queuing when multiple value changes occur during a "publish period".

I.e. the latest change will be sent in the Notification.

Server

Monitor MinQueueSize_02

Support at least 2 queue entries for MonitoredItems.

Servers often will adapt the queue size to the number of currently MonitoredItems. However, it is expected that Servers support this minimum queue size for at least one third of the supported MonitoredItems.

Server

Monitor MinQueueSize_05

Support at least 5 queue entries for MonitoredItems.

Servers often will adapt the queue size to the number of currently MonitoredItems. However, it is expected that Servers support this minimum queue size for at least one third of the supported MonitoredItems.

Server

Monitor QueueSize_ServerMax

This ConformanceUnit is for events. When the Client requests queuesize=MAXUInt32 the Server is to return the maximum queue size that it can support for event notifications as the revisedQueueSize.

Server

Monitor Triggering

Support the SetTriggering Service to create and/or delete triggering links for a triggering item.

Server

Monitor Events

Support creation of MonitoredItems for an "EventNotifier Attribute" for the purpose of Event Notification. The subscription includes supporting a filter that includes SimpleAttribute Operands and a select list of Operators. The list of Operators includes: Equals, IsNull, GreaterThan, LessThan, GreaterThanorEqual, LessThatorEqual, Like, Not, Between, InList, And, Or, Cast, BitwiseAnd, BitwiseOr.

Server

Monitor Complex Event Filter

Support for the 'TypeOf' complex Event filter operator.

Client

Monitor Client Value Change

Use the MonitoredItem Service Set to register items for changes in Attribute value.

Use CreateMonitoredItems to register the Node/Attribute tuple. Set proper sampling interval, Deadband filter and queuing mode.

Use disabling / enabling instead of deleting and re-creating a MonitoredItem.

Use bulk operations rather than individual service requests to reduce communication overhead.

Client

Monitor Client Complex Value

Monitor and decode Values with structured DataTypes.

Client

Monitor Client Deadband Filter

Uses Absolute Deadband filters for subscriptions.

Client

Monitor Client by Index

Use the IndexRange to select a single element or a range of elements when the Attribute value is an array.

Client

Monitor Client Aggregate Filter

Uses Aggregate filters for Subscriptions.

Client

Monitor Client Events

Use the MonitoredItem Service Set to create MonitoredItems for Event notifications.

Client

Monitor Client Event Filter

Use the Event filter when calling CreateMonitoredItems to filter the desired Events and to select the columns to be provided for each Event Notification.

Client

Monitor Client Complex Event Filter

Use of the 'TypeOf' complex Event filter operator.

Client

Monitor Client Modify

Use ModifyMonitoredItems Service to change the configuration setting.

Use SetMonitoringMode Service to disable / enable sampling and / or publishing.

Client

Monitor Client Trigger

Use the Triggering Model if certain items are to be reported only if some other item triggers.

Use proper monitoring mode for these items.

Use SetTriggering Service to link these items to the trigger item.

Category

Title

Description

Server

Subscription Basic

Support the following Subscription Services: CreateSubscription, ModifySubscription, DeleteSubscriptions, Publish, Republish and SetPublishingMode.

Server

Subscription Minimum 1

Support at least 1 Subscription per Session.

This number has to be supported for all of the minimum required sessions.

Server

Subscription Minimum 02

Support at least 2 Subscriptions per Session.

This number has to be supported for at least half of the minimum required sessions.

Server

Subscription Minimum 05

Support at least 5 Subscriptions per Session.

This number has to be supported for at least half of the minimum required sessions.

Server

Subscription Publish Min 02

Support at least 2 Publish Service requests per Session.

This number has to be supported for all of the minimum required sessions. Support of a NotificationMessage retransmission queue is not required; if not available the Republish Service returns Bad_MessageNotAvailable.

Server

Subscription Publish Min 05

Support at least 5 Publish Service requests per Session.

This number has to be supported for at least half of the minimum required sessions. Support, as a minimum, the number of Publish requests per session as the size of the NotificationMessage retransmission queue for Republish.

Server

Subscription Publish Min 10

Support at least 10 Publish Service requests per Session.

This number has to be supported for at least half of the minimum required sessions. Support, as a minimum, the number of Publish requests per session as the size of the NotificationMessage retransmission queue for Republish.

Server

Subscription Publish Discard Policy

Respect the specified policy for discarding Publish Service requests. If the maximum number of Publish Service requests has been queued and a new Publish Service request arrives, the "oldest" Publish request has to be discarded by returning the proper error.

Server

Subscription Transfer

Support TransferSubscriptions Service to transfer a Subscription from one Session to another.

Server

Subscription Durable

Support setting Subscriptions in durable mode. This mode requires that collected data and events are stored and delivered even if a Client was disconnected for a longer time or the Server was restarted.

Support one of the “Subscription Durable StorageLevel nnn” ConformanceUnits.

Server

Subscription Durable StorageLevel Small

Support at least 20 monitored items with a queue size of 10000 for each item and where the size of each MonitoredItem is at least equal to size of Double. This requires storage capacity for 200 thousand values of DataType Double.

Server

Subscription Durable StorageLevel Medium

Support at least 100 monitored items with a queue size of 50000 for each item and where the size of each MonitoredItem is at least equal to size of Double. This requires storage capacity for 5 million values of DataType Double.

Server

Subscription Durable StorageLevel High

Support at least 2000 monitored items with a queue size of 200000 for each item and where the size of each MonitoredItem is at least equal to size of Double. This requires storage capacity for 400 million values of DataType Double.

Client

Subscription Client Basic

Use the Subscription and MonitoredItem Service Set as an efficient means to detect changes of Attribute values and / or to receive Event occurrences.

Set appropriate intervals for publishing, keep alive notifications and total Subscription lifetime.

Supply a sufficient number of Publish requests to the Server so that Notifications can be sent whenever a publish timer expires.

Acknowledge received Notifications with subsequent Publish requests.

Client

Subscription Client Fallback

The Client shall interoperate with Servers that do not support Subscriptions, or have exhausted Subscription limits, for Monitoring by using Read Service.

Client

Subscription Client Republish

Evaluate the sequence number in Notifications to detect lost Notifications.

Use Republish to request missing Notifications.

Client

Subscription Client Modify

Allow modification of the Subscription configuration using the ModifySubscription Service.

Client

Subscription Client TransferSubscriptions

The Client supports transferring Subscription from other Clients. This ConformanceUnit is used as part of redundant Clients.

Client

Subscription Client Multiple

Use multiple Subscriptions to reduce the payload of individual Notifications.

Client

Subscription Client Publish Configurable

Send multiple Publish Service requests to assure that the Server is always able to send Notifications.

The number of parallel Publish Service requests per Session shall be configurable.

Client

Subscription Client Durable

Use durable Subscriptions.

Category

Title

Description

Security

Security User Name Password

The Server supports User Name/Password combination(s). The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.

Security

Security User X509

The Server supports a public/private key pair for user identity. The use of this feature must be able to be enabled or disabled by an administrator.

Security

Security User IssuedToken Kerberos

The Server supports a Kerberos Server token for User Identity. The use of this feature must be able to be enabled or disabled by an Administrator. The use of this token is defined in Kerberos Token Documentation.

The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.

Security

Security User IssuedToken Kerberos Windows

The Server supports the Windows implementation of Kerberos Tokens. This ConformanceUnit only applies if the "Security User IssuedToken Kerberos" is supported.

The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.

Security

Security User JWT IssuedToken

The Server supports a JSON Web Token (JWT) for user identity. Part 6 describes OAuth2 and JWTs in more detail. The use of this feature must be able to be enabled or disabled by an Administrator.

The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.

Security

Security User Anonymous

The Server provides support for Anonymous access. The use of this feature must be able to be enabled or disabled by an Administrator. By default Anonymous access shall be disabled.

Security

Security User Name Password Client

A Client uses a User Name/Password combination.

The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.

Security

Security User X509 Client

A Client uses a public/private key pair for user identity. This includes all validation and trust issues associated with a certificate.

Security

Security User IssuedToken Kerberos Client

A Client uses a Kerberos Server token. The use of this token is defined by the Kerberos documentation.

The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.

Security

Security User IssuedToken Kerberos Windows Client

A Client uses the Windows implementation of Kerberos tokens. This ConformanceUnit only applies if the "Security User IssuedToken Kerberos Client" is supported.

The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.

Security

Security User JWT IssuedToken Client

A Client uses a JSON Web Token (JWT) for user identity. Part 6 describes OAuth2 and JWTs in more detail.

The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.

Security

Security Invalid user token

Servers shall take proper measures to protect against attacks on user identity tokens. Such an attack is assumed if repeated connection attempts with invalid user identity tokens happen. See ActivateSession Service in UA Part 4.

Security

Security User JWT Token Policy

The Server supports one or more Endpoints with a UserTokenPolicy that includes a JWT IssuerEndpointUrl as defined in UA Part 6.

For JWT the issuerEndpointUrl is a JSON object that includes all parameters that define the AuthorizationService.

As part of the JWT Token Policy, the Server shall support at least one of the following Authority Profile Conformance Units. The URIs defined in the ConformanceUnit shall be exposed in the authorityProfileURI field of the JWT Token Policy.

Security

Security User JWT Token Policy Client

The Client understands and uses the Authorization Service definition inside the JWT UserTokenPolicy returned with GetEndpoints.

It shall support at least one of the following Authority Profile Conformance Units. The URIs defined in the ConformanceUnit are in the authorityProfileURI field of the JWT Token Policy exposed in Server Endpoints.

Security

OAuth2 Authority Profile

This unit indicates support of OAuth2 over HTTPS to request access tokens.

The URI for the interactions with this authority is "http://opcfoundation.org/UA/Authorization#OAuth2"

Security

OPC UA Authority Profile

This unit indicates support of the OPC UA Methods defined in UA Part 12 to request access tokens.

The URI for the interactions with this authority is "http://opcfoundation.org/UA/Authorization#OPCUA"

Security

Azure Identity Provider Authority Profile

This unit indicates support of the Azure identity provider to request access tokens.

The URI for the interactions with this authority is "http://opcfoundation.org/UA/Authorization#Azure"

Security

Security Certificate Validation

A certificate will be validated as specified in Part 4. This includes among others structure and signature examination. Allowing for some validation errors to be suppressed by administration directive.

Security

Security Default ApplicationInstance Certificate

An application, when installed, has a default ApplicationInstanceCertificate that is valid. The default ApplicationInstanceCertificate shall either be created as part of the installation or installation instructions explicitly describe the process to create and apply a default ApplicationInstanceCertificate to the application.

Security

Security – No Application Authentication

The Server supports being able to be configured for no application authentication, just User authentication and normal encryption/signing:

– Configure Server to accept all certificates

– Certificates are just used for message security (signing and encryption)

– Users level is used for authentication

Security

Security Policy Required

Support at least Security Policy [A] and Security Policy [B].Support of multiple Security Policies - even obsolete ones - is recommended. This will provide best interoperability and allows the end user to choose the required level of security.

Obsolete Security Policies shall not be enabled / usable without administrative intervention.

Security

Security None CreateSession ActivateSession

When SecurityPolicy=None, the CreateSession and ActivateSession service allow for a NULL/empty signature and do not require Application Certificates or a Nonce.

Security

Security None CreateSession ActivateSession 1.0

The Client can connect to Servers that require a certificate being passed on Session establishment. The Client in this case will first try without a certificate and if this fails present a certificate.

Security

Security TLS General

This ConformanceUnit indicates that at least one of the transport security Profiles for TLS is supported by this application. It is used in TLS transport Profiles, but the choice of transport security profile is optional. The actual used security profile will default to the most secure one.

Security

Security TLS_RSA with AES_256_CBC_SHA256

The connection is established using TLS_RSA_WITH_AES_256_CBC_SHA256. That has a MinAsymmetricKeyLength – 2048, MaxAsymmetricKeyLength – 4096, AsymmetricSignatureAlgorithm – RSA_SHA256. (TLS 1.2)

Security

Security TLS_DHE_RSA with AES_nnn_CBC_SHA256

The connection is established using TLS_DHE_RSA with AES_128_CBC_SHA256 or TLS_DHE_RSA with AES_256_CBC_SHA256. That has a MinAsymmetricKeyLength – 2048, MaxAsymmetricKeyLength – 4096, CertificateSignatureAlgorithm – RSA_SHA256. (TLS 1.2).

Clients and Servers have to support both algorithms.

Security

Security Encryption Required

Encryption is required using the algorithms provided in the security algorithm suite.

Security

Security Signing Required

Signing is required using the algorithms provided in the security algorithm suite.

Security

Security Time Synch – Configuration

Application supports configuring acceptable clock skew.

Security

Security Time Synch – NTP / OS Based support

Application supports time synchronization, either via an implementation of Network Time Protocol (NTP), or via features of a standard operating system.

Security

Security Time Synch – UA based support

An application makes use of the responses header timestamp provided by a configured well know source, such as a Discovery Server to synchronize the time on the application and that this time synchronization occurs periodically. Use of this TimeSyncing can be configured.

Security

Security Administration

Allow configuration of the following Security related items (when they apply).

* select the allowed User identification policy or policies (e.g. User Name/Password or X509).

* enable/disable the security policy "None" or other security policies.

* enable/disable endpoints with MessageSecurityMode SIGN or SIGNANDENCRYPT.

* set the permitted certification authorities.

* define how to react to unknown Certificates.

* allow accepting any valid Certificate

Security

Security Administration – XML Schema

Support the OPC UA defined XML schema for importing and exporting security configuration information. This schema is defined in Part 6.

Security

Security Certificate Administration

Allow a site administrator to be able to assign a site specific ApplicationInstanceCertificate and if desired to configure a site specific Certificate Authority (CA).

Security

Security Role Server Base

Support the User Authorization Information Model defined in UA Parts 3 and 5 - like Roles - and the RolePermissions and UserRolePermissions Attributes.

Security

Security Role Well Known

Support the well-known Roles "ConfigureAdmin" and "SecurityAdmin" with suggested permissions defined in UA Part 3.

Security

Security Role Server IdentityManagement

Allow authorized users to add and/or remove Identities from Roles with the appropriate Methods.

Security

Security Role Server Management

Allow authorized users to create new Roles and/or remove Roles with the appropriate Methods.

Security

Security Role Server Restrict Applications

Support adding applications to a Role with the appropriate Methods so that only these applications can use this Role.

Security

Security Role Server Restrict Endpoints

Support adding Endpoints to a Role with the appropriate Methods. With this restriction a Role is only applied when a Client connects via one of these Endpoints.

Security

Security Role Server DefaultRolePermissions

Allow authorized users to set the DefaultRolePermissions Property for certain NameSpaces. DefaultRolePermissions are applied if no RolePermissions are associated with a Node.

Security

Security Role Server RolePermissions

Allow authorized users to set the RolePermissions Attribute on Nodes.

Security

Security Role Server Authorization

Restrict access based on the configured Roles and permissions.

Security

Security Role Client Base

Understand and use the User Authorization Information Model defined in UA Part 5 and the RolePermissions Attribute.

Security

Security Role Client Management

Support creating new Roles and adding Identities as well as remove Roles or Identities using the appropriate Methods.

Security

Security Role Client Restrict Applications

Use the appropriate Methods to add applications to a Role so that only these applications can use this Role.

Security

Security Role Client Restrict Endpoints

Use the appropriate Methods to add Endpoints to a Role. With this restriction a Role is only applied when a Client connects via one of these Endpoints.

Security

Security Role Client DefaultRolePermissions

Ability to set the DefaultRolePermissions Property for certain NameSpaces. DefaultRolePermissions are applied if no RolePermissions are associated with a Node.

Security

Security Role Client RolePermissions

Support setting the RolePermissions Attribute on Nodes.

Security

Pull Model for Global Certificate and TrustList Management

Use the Certificate Management Services of UA Part 12 for the Pull model to manage Application Instance Certificates and Trust Lists including Revocation Lists.

Security

Push Model for Global Certificate and TrustList Management

Support the Certificate Management Services of UA Part 12 for the Push model to manage Application Instance Certificates and Trust Lists including Revocation Lists.

Security

Pull Model for KeyCredential Service

Use the Methods on an instance of the KeyCredentialServiceType (Pull model) to obtain KeyCredentials as specified in UA Part 12.

Security

Push Model for KeyCredential Service

Support the KeyCredential Services Push model of UA Part 12 to obtain KeyCredentials. This includes support of one or more instances of the KeyCredentialConfigurationType and the Methods to update or delete credentials.

Security

Authorization Service Configuration Server

Support the Object Types defined in Part 12 to allow configuration of information needed to accept Access Tokens when presented by the Client during session establishment. Access Tokens are issued by Authorization Services.

Security

Authorization Service Client

Use the RequestAccessToken Method defined in UA Part 12.

Security

SymmetricSignatureAlgorithm_None

This algorithm does not apply.

Security

SymmetricSignatureAlgorithm_HMAC-SHA1

A keyed hash which is defined in https://tools.ietf.org/html/rfc2104.

The hash algorithm is SHA1 and is described in https://tools.ietf.org/html/rfc3174.

The URI is http://www.w3.org/2000/09/xmldsig#hmac-sha1.

No known exploits exist when using SHA1 with a keyed hash, however, SHA1 was broken in 2017 so use of this algorithm is not recommended.

Security

SymmetricSignatureAlgorithm_HMAC-SHA2-256

A keyed hash used for message authentication which is defined in https://tools.ietf.org/html/rfc2104.

The hash algorithm is SHA2 with 256 bits and described in https://tools.ietf.org/html/rfc4634

Security

SymmetricEncryptionAlgorithm_None

This algorithm does not apply.

Security

SymmetricEncryptionAlgorithm_AES128-CBC

The AES encryption algorithm which is defined in http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf.

Multiple blocks encrypted using the CBC mode described in http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf.

The key size is 128 bits. The block size is 16 bytes.

The URI is http://www.w3.org/2001/04/xmlenc#aes128-cbc.

Security

SymmetricEncryptionAlgorithm_AES256-CBC

The AES encryption algorithm which is defined in http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf.

Multiple blocks encrypted using the CBC mode described in http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf.

The key size is 256 bits. The block size is 16 bytes.

The URI is http://www.w3.org/2001/04/xmlenc#aes256-cbc.

Security

SymmetricEncryptionAlgorithm_AES128-CTR

The AES encryption algorithm which is defined in http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf.

Multiple blocks encrypted using the CTR mode described in http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf.

The counter block format is defined in https://tools.ietf.org/html/rfc3686.

The key size is 128 bits. The block size is 16 bytes. The input nonce length is 4 bytes.

The URI is http://opcfoundation.org/UA/security/aes128-ctr.

Security

SymmetricEncryptionAlgorithm_AES256-CTR

The AES encryption algorithm which is defined in http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf.

The key size is 256 bits. The block size is 16 bytes.

Multiple blocks encrypted using the CTR mode described in http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf.

The counter block format is defined in https://tools.ietf.org/html/rfc3686.

The key size is 128 bits. The block size is 16 bytes. The input nonce length is 4 bytes.

The URI is http://opcfoundation.org/UA/security/aes256-ctr.

Security

AsymmetricSignatureAlgorithm_None

This algorithm does not apply.

Security

AsymmetricSignatureAlgorithm_RSA- PKCS15-SHA1

The RSA signature algorithm which is defined in https://tools.ietf.org/html/rfc3447.

The RSASSA-PKCS1-v1_5 scheme is used.

The hash algorithm is SHA1 and is described in https://tools.ietf.org/html/rfc3174.

The URI is http://www.w3.org/2000/09/xmldsig#rsa-sha1.

SHA1 was broken in 2017 so this algorithm should not be used.

Security

AsymmetricSignatureAlgorithm_RSA-PKCS15-SHA2-256

The RSA signature algorithm which is defined in https://tools.ietf.org/html/rfc3447.

The RSASSA-PKCS1-v1_5 scheme is used.

The hash algorithm is SHA2 with 256bits and is described in https://tools.ietf.org/html/rfc6234.

The URI is http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.

Security

AsymmetricSignatureAlgorithm_RSA-PSS -SHA2-256

The RSA signature algorithm which is defined in https://tools.ietf.org/html/rfc3447.

The RSASSA-PSS scheme is used.

The hash algorithm is SHA2 with 256bits and is described in https://tools.ietf.org/html/rfc6234.

The mask generation algorithm also uses SHA2 with 256 bits.

The salt length is 32 bytes.

The URI is http://opcfoundation.org/UA/security/rsa-pss -sha2-256.

Security

AsymmetricEncryptionAlgorithm_None

This algorithm does not apply.

Security

AsymmetricEncryptionAlgorithm_RSA-PKCS15

The RSA encryption algorithm which is defined in https://tools.ietf.org/html/rfc3447.

The RSAES-PKCS1-v1_5 scheme is used.

The URI is http://www.w3.org/2001/04/xmlenc#rsa-1_5.

The RSAES-PKCS1-v1_5 scheme has known weaknesses and is not recommended.

Security

AsymmetricEncryptionAlgorithm_RSA-OAEP-SHA1

The RSA encryption algorithm which is defined in https://tools.ietf.org/html/rfc3447.

The RSAES-OAEP scheme is used.

The hash algorithm is SHA1 and is described in https://tools.ietf.org/html/rfc6234.

The mask generation algorithm also uses SHA1.

The URI is http://www.w3.org/2001/04/xmlenc#rsa-oaep.

No known exploits exist when using SHA1 with RSAES-OAEP, however, SHA1 was broken in 2017 so use of this algorithm is not recommended.

Security

AsymmetricEncryptionAlgorithm_RSA-OAEP-SHA2-256

The RSA encryption algorithm which is defined in https://tools.ietf.org/html/rfc3447.

The RSAES-OAEP scheme is used.

The hash algorithm is SHA2 with 256 bits and is described in https://tools.ietf.org/html/rfc6234.

The mask generation algorithm also uses SHA2 with 256 bits.

The URI is http://opcfoundation.org/UA/security/rsa-oaep-sha2-256.

Security

KeyDerivationAlgorithm_None

This algorithm does not apply.

Security

KeyDerivationAlgorithm_P-SHA1

The P_SHA-1 pseudo-random function defined in https://tools.ietf.org/html/rfc4346.

The URI is http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1.

No known exploits exist when using SHA1 with P-SHA-1, however, SHA1 was broken in 2017 so use of this algorithm is not recommended.

Security

KeyDerivationAlgorithm_P-SHA2-256

The P_SHA256 pseudo-random function defined in https://tools.ietf.org/html/rfc5246.

The URI is http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha256.

Security

CertificateSignatureAlgorithm_None

This algorithm does not apply.

Security

CertificateSignatureAlgorithm_RSA-PKCS15-SHA2-256

The RSA signature algorithm which is defined in https://tools.ietf.org/html/rfc3447.

The RSASSA-PKCS1-v1_5 scheme is used.

The hash algorithm is SHA2 with 256bits and is described in https://tools.ietf.org/html/rfc6234.

The SHA2 algorithm with 384 or 512 bits may be used instead of SHA2 with 256 bits.

The URI is http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.

Security

CertificateSignatureAlgorithm_RSA-PKCS15-SHA1

The RSA signature algorithm which is defined in https://tools.ietf.org/html/rfc3447.

The RSASSA-PKCS1-v1_5 scheme is used.

The hash algorithm is SHA1 and is described in https://tools.ietf.org/html/rfc3174.

The URI is http://www.w3.org/2000/09/xmldsig#rsa-sha1.

SHA1 was broken in 2017 so this algorithm should not be used.

The SHA2 algorithm with 244, 256, 384 or 512 bits may be used instead of SHA1.

The SHA2 algorithm is described in https://tools.ietf.org/html/rfc6234.

Security

SecurtyPolicy_None_Limits

DerivedSignatureKeyLength: 0

Security

Aes128-Sha256-RsaOaep_Limits

-> DerivedSignatureKeyLength: 256 bits

-> MinAsymmetricKeyLength: 2048 bits

-> MaxAsymmetricKeyLength: 4096 bits

-> SecureChannelNonceLength: 32 bytes

Security

Basic256Sha256_Limits

-> DerivedSignatureKeyLength: 256 bits

-> MinAsymmetricKeyLength: 2048 bits

-> MaxAsymmetricKeyLength: 4096 bits

-> SecureChannelNonceLength: 32 bytes

Security

Aes256-Sha256-RsaPss_Limits

-> DerivedSignatureKeyLength: 256 bits

-> MinAsymmetricKeyLength: 2048 bits

-> MaxAsymmetricKeyLength: 4096 bits

-> SecureChannelNonceLength: 32 bytes

Security

Basic128Rsa15_Limits

-> DerivedSignatureKeyLength: 128 bits

-> MinAsymmetricKeyLength: 1024 bits

-> MaxAsymmetricKeyLength: 2048 bits

-> SecureChannelNonceLength: 16 bytes

Security

Basic256_Limits

-> DerivedSignatureKeyLength: 192 bits

-> MinAsymmetricKeyLength: 1024 bits

-> MaxAsymmetricKeyLength: 2048 bits

-> SecureChannelNonceLength: 32 bytes

Category

Title

Description

Server

Protocol Reverse Connect Server

Support reverse connectivity by sending a ReverseHello message to a Client. The reverse connect procedure can be applied to several transports as specified in UA Part 6 and shall be supported for all of these that are available in a Server.

Server

Protocol Configuration

Allow administration of the Endpoints and the port number used by the Endpoints.

Client

Protocol Reverse Connect Client

Support reverse connectivity by accepting Reverse Hello messages from Servers and establish a Secure Channel if the URI of the Server is accepted by Client or Client user. The reverse connect procedure can be applied to several transports as specified in UA Part 6 and shall be supported for all of these transports that are supported by the Client.

Transport

Protocol UA TCP

Support the UA TCP transport protocol as defined in UA Part 6.

Transport

Protocol HTTPS

Support the HTTPS protocol as defined in UA Part 6.

Transport

Protocol Web Sockets

Support the WebSocket protocol (WSS) with at least one of the sub-protocols defined in UA Part 6.

Transport

UA Secure Conversation

Support UA Secure Conversation specified in UA Part 6.

Transport

UA Binary Encoding

Support UA Binary Encoding. Values of these data types are encoded in compact binary formats, contiguously and without tagging. I.e. the receiver is assumed to understand the structure it is decoding.

Transport

UA SOAP-XML Encoding

Support Soap V1.2 based Xml Encoding as defined in UA Part 6. The XML elements include all information necessary to convert it back into OPC UA structures of any language.

Transport

JSON Reversible Encoding

Support reversible JSON Encoding as defined in UA Part 6. The JSON object includes all information necessary to convert it back into OPC UA structures of any language.

Category

Title

Description

Server

Base Info Core Structure

The Server supports the Server Object, ServerCapabilities and supports the OPC UA AddressSpace structure.

Server

Base Info Server Capabilities

The Server supports publishing of the Server limitation in the ServerCapabilities, including MaxArrayLength, MaxStringLength, MaxNodePerRead, MaxNodesPerWrite, MaxNodesPerSubscription and MaxNodesPerBrowse.

Server

Base Info Progress Events

The Server exposes if generation of Progress events for long running service calls such as HistoryRead or Query is supported. If it is listed as supported in ServerCapabilities, than the actual events are verified.

Server

Base Info Diagnostics

The Server supports the collection of diagnostic information. The EnabledFlag in the ServerDiagnostics Object can be set TRUE and in that case all static and dynamic Objects and Variables for diagnostic data as defined in UA Part 5 are supported.

Server

Base Info System Status

The Server supports generating SystemStatusChangeEventType indicating shutdown of the Server (SourceNode=Server).

Server

Base Info Estimated Return Time

Server supports the EstimatedReturnTime Property. It indicates the time at which the Server is expected to have a ServerStatus.State of RUNNING_0. Clients can use this information to govern the reconnect logic.

Server

Base Info System Status Underlying System

The Server supports generating SystemStatusChangeEventType indicating changes to an Underlying System (SourceNode = Server). This event can also be used to indicate that the OPC UA Server has underlying systems.

Server

Base Info Device Failure

The Server supports generating DeviceFailureEventType indicating changes to individual devices in an underlying system.

Server

Base Info GetMonitoredItems Method

The Server supports obtaining subscription information via GetMonitoredItems Method on the Server object.

Server

Base Info ResendData Method

Support the standard Method ResendData (defined in UA Part 5) to get the latest value of the monitored items of a Subscription.

Server

Base Info Type System

The Server exposes a Type System with DataTypes, ReferenceTypes, ObjectTypes and VariableTypes including all of the OPC UA (namespace 0) types that are used by the Server, as defined in Part 5. Items that are defined in Namespace 0 but are defined in other specification parts are tested as part of the other information models.

Server

Base Info Custom Type System

The Server supports custom types (i.e. types that are derived from well-known ObjectTypes, VariableTypes, ReferenceTypes or DataTypes). Supporting this conformance unit requires that the custom types with their full inheritance tree are exposed in the AddressSpace.

Server

Base Info Model Change

The Server supports ModelChange Event and NodeVersion Property for all Nodes that the server allows Model changes for.

Server

Base Info Placeholder Modelling Rules

The Server supports defining custom Object or Variables that include the use of OptionalPlaceholder or MandatoryPlaceholder modelling rules.

Server

Base Info SemanticChange

The Server supports SemanticChangeEvent for some Properties. This includes setting the SemanticChange Bit in the status when a semantic change occurs, such as a change in the engineering unit associated with a value.

Server

Base Info EventQueueOverflow EventType

The Server supports the EventQueueOverflowEventType as defined in Part 4.

Server

Base Info OptionSet

The Server supports the VariableType OptionSet.

Server

Base Info ValueAsText

The Server supports the Property ValueAsText for enumerated DataTypes.

Server

Base Info Engineering Units

The Server supports defining Variables that include the Engineering Units Property. This property makes use of the EUInformation data structure. This structure by default represents the UN/CEFACT "Codes for Units of Measurement". If a different EU representation is required then the EUInformation.namespaceUri will indicate the alternate namespace.

Server

Base Info Selection List

The Server supports Variables of the SelectionListType VariableType.

Server

Base Info FileType Base

The Server supports the FileType Object (see Part 5). File writing may be restricted.

Server

Base Info FileType Write

The Server supports the FileType Object, including writing of files. Also included is the support of user access control on FileType Object.

Server

Base Info RequestServerStateChange Method

The Server supports the RequestServerStateChange Method.

Server

Base Info State Machine Instance

Support instances of the StateMachineType or a sub-type in the AddressSpace. Generate Events when significant state changes occur.

At least one GeneratesEvent Reference exists to define the Event(s) triggered on state changes.

Server

Base Info Finite State Machine Instance

Support instances of the FiniteStateMachineType or a sub-type in the AddressSpace.

Server

Base Info Available States and Transitions

Support the Properties AvailableStates and AvailableTransitions defined for the FiniteStateMachineType.

Client

Base Info Client Basic

The Client uses the defined OPC UA AddressSpace.

Access or provide access to Server information like the Server's state, BuildInfo, capabilities, Namespace Table and Type Model.

Client

Base Info Client Honour Operation Limits

The Client shall honour Server limits described in ServerCapabilites Object of Server.

Client

Base Info Event Processing

The Client is able to subscribe for and process base OPC UA Events.

Client

Base Info Client System Status

The Client makes use of SystemStatusChangeEventType to detect server shutdowns.

Client

Base Info Client Estimated Return Time

Client uses the EstimatedReturnTime Property to govern the reconnect logic.

Client

Base Info Client System Status Underlying System

The Client makes use of SystemStatusChangeEventType to detect changes to an Underlying System (SourceNode = Server).

Client

Base Info Client Device Failure

The Client makes use of DeviceFailureEventType to detect failed devices in underlying systems

Client

Base Info Client Progress Events

The Client makes use of ProgressEvents, including checking for their support.

Client

Base Info Client Diagnostics

The Client provides interactive or programmatic access to the Server's diagnostic information.

Client

Base Info Client Type Programming

The Client programmatically process instances of Objects or Variables by using their type definitions. This includes custom DataTypes, ObjectTypes and VariableTypes.

Client

Base Info Client Type Pre-Knowledge

The Client shall interoperate with Servers that do not expose OPC UA Types in AddressSpace.

Client

Base Info Client Remote Nodes

The Client can access Nodes that have an extended NodeID that reference a Server different then the orginating Server. It is acceptable that the Server configuration information be pre-configured on the Client.

Client

Base Info Client Change Events

The Client processes ModelChangeEvents to detect changes in the Server's OPC UA AddressSpace and take appropriate action for a given change.

Client

Base Info Client GetMonitoredItems Method

The Client makes use of GetMonitoredItems Method to recover for communication interruptions and/or to recover subscription information.

Client

Base Data Client ResendData Method

The Client makes use of ResendData Method to fetch the last value of the data monitored items.

Client

Base Info Client Selection List

The Client uses and understands Variables of the SelectionListType VariableType.

Client

Base Info Client FileType Base

The Client can access a FileType Object to transfer a file from the Server to the Client. This includes large files.

Client

Base Info Client FileType Write

The Client can access a FileType Object to transfer a file from the Client to the Server. This includes large files.

Client

Base Info Client RequestServerStateChange

The Client can invoke the RequestServerStateChange Method.

Client

Base Info Client State Machine Instance

Use instances of the StateMachineType or a sub-type. Monitor either the CurrentState component Variable of the instance or the Events triggered as effect of state changes. Use Methods when defined for the StateMachineType to affect the state.

Client

Base Info Client Finite State Machine Instance

Use instances of the FinitStateMachineType or a sub-type. Monitor either the CurrentState component Variable of the instance or the Events triggered as effect of state changes.

Client

Base Info Client Available States and Transitions

Use the Properties AvailableStates and AvailableTransitions when exposed by a Server.

Category

Title

Description

Server

Address Space Base

Support the NodeClasses with their Attributes and References as defined in Part 3. This includes for instance: Object, ObjectType, Variable, VariableType, References and DataType.

Server

Address Space Atomicity

Support setting the NonatomicRead and NonatomicWrite flags in the AccessLevelEx Attribute for Variable Nodes to indicate whether Read or Write operations can be performed in atomic manner. If the flags are set to '1', atomicity cannot be assured.

Server

Address Space Full Array Only

Support setting the WriteFullArrayOnly flag in the AccessLevelEx Attribute for Variable Nodes of non-scalar data types to indicate whether write operations for an array can be performed with an IndexRange.

Server

Address Space Events

Support OPC UA AddressSpace elements for generating Event notifications. This includes at least one Node with an EventNotifier Attribute set to True (Server Node).

Server

Address Space Complex Data Dictionary

Support structured DataTypes with a Data Dictionary. Note that V1.04 of OPC UA Part 3 specifies a simplified approach using the new DataTypeDefinition Attribute. The "Address Space DataTypeDefinition Attribute" Conformance Unit requires support of the DataTypeDefinition Attribute. Support of a DataDictionary will be deprecated in one of the next OPC UA versions.

Server

Address Space DataTypeDefinition Attribute

Support structured DataTypes and expose the meta data and encoding information with a StructureDefinitionType via the DataTypeDefinition Attribute.

Server

Address Space Method

Support Method Nodes.

Server

Address Space Notifier Hierarchy

Supports using the HasNotifier reference to build a hierarchy of Object Nodes that are notifiers with other notifier Object Nodes.

Server

Address Space Source Hierarchy

Supports hierarchies of event sources where each hierarchy roots in an Object Node that is a notifier. The HasEventSource Reference is used to relate the Nodes within a hierarchy. If Conditions are supported, the hierarchy shall include HasCondition References.

Server

Address Space WriteMask

Supports WriteMask indicating the write access availability for all attributes, including not supported attributes.

Server

Address Space UserWriteMask

Supports UserWriteMask indicating the write access availability for all attributes for the given user, including not supported attributes. Support includes at least two levels of users.

Server

Address Space UserWriteMask Multilevel

Supports UserWriteMask indicating the write access availability for all attributes for the given user, including not supported attributes. This includes supporting multiple levels of access control for all nodes in the system.

Server

Address Space User Access Level Full

Implements User Access Level security, this includes supporting multiple levels of access control for Variable nodes in the system. This includes an indication of read, write, Historical read and Historical write access to the Value Attribute.

Server

Address Space User Access Level Base

Implements User Access Level Security for Variable nodes, this includes at least two users in the system. This includes an indication of read, write, historical read and Historical write access to the value attribute

Client

Address Space Client Base

Uses and understands the NodeClasses with their Attributes and behaviour as defined in Part 3. This includes for instance: Object, ObjectType, Variable, VariableType, References and DataType. This includes treating BrowseNames and String NodeIds as case sensitive.

Client

Address Space Client Atomicity

Access the NonatomicRead or NonatomicWrite flags in the AccessLevelEx Attribute of Variable Nodes to determine whether Read or Write operations can be performed in atomic manner. This information will typically be shown to a user for further action.

Client

Address Space Client Full Array Only

Access the WriteFullArrayOnly flag in the AccessLevelEx Attribute of Variable Nodes with non-scalar data types to determine whether writing to an array with an IndexRange is allowed.

Client

Address Space Client Complex Data Dictionary

Uses and understands arbitrary structured DataTypes via Data Dictionary. Note that V1.04 of OPC UA Part 3 specifies a simplified approach using the new DataTypeDefinition Attribute. The "Address Space Client DataTypeDefinition Attribute" Conformance Unit requires support of the DataTypeDefinition Attribute.

Client

Address Space Client DataTypeDefinition Attribute

Uses and understands arbitrary structured DataTypes where the meta data and encoding information are exposed with the StructureDefinitionType via the DataTypeDefinition Attribute.

Client

Address Space Client Notifier Hierarchy

Uses hierarchy of Object Nodes that are notifiers to detect specific areas where the Client can subscribe for Events.

Client

Address Space Client Source Hierarchy

Detect and use the hierarchy of event sources exposed for specific Object Nodes that are event notifiers.

Category

Title

Description

Server

Data Access DataItems

Provide Variables of DataItemType or one of its subtypes. Support the StatusCodes specified in Part 8. Support of optional Properties (e.g. "InstrumentRange") shall be verified during certification testing and will be shown in the Certificate.

Server

Data Access AnalogItems

Support AnalogItemType Variables with corresponding Properties. The support of optional properties will be listed.

Server

Data Access PercentDeadband

Support PercentDeadband filter when monitoring AnalogItemType Variables.

Server

Data Access Semantic Changes

Support semantic changes of AnalogItemType items (EURange Property and/or EngineeringUnits Property). Support semantic change StatusCode bits where appropriate.

Server