StartRequest is used to request a new KeyCredential.

The KeyCredential secret may be encrypted with the public key of the Certificate supplied in the request. The SecurityPolicyUri specifies the security profile used for the encryption.

This Method shall be called from an encrypted SecureChannel and from a Client that has access to the KeyCredentialAdmin Role, the ApplicationAdmin Privilege, or the ApplicationSelfAdmin Privilege (see 8.2).

Signature

StartRequest (

[in] String applicationUri

[in] ByteString publicKey

[in] String securityPolicyUri

[in] NodeId[] requestedRoles

[out] NodeId requestId

);

Argument

Description

applicationUri

The applicationUri of the application receiving the KeyCredentials.

The request is rejected applicationUri does not uniquely identify an application known to the GDS (see 6.6.6).

If the requestor is not the same as the application used to create the Secure Channel then a Certificate should be provided.

publicKey

A Public Key used to encrypt the returned KeyCredential secret. For RSA SecurityPolicies this is the DER encoded form of an X.509 v3 Certificate as described in OPC 10000-6. For ECC SecurityPolicies this is an ephemeral key created by the owner of the KeyCredentials.

Not specified if no encryption is required.

If the securityPolicyUri is provided this field shall be provided.

securityPolicyUri

The SecurityPolicy used to encrypt the secret.

If the certificate is provided this field shall be provided.

requestedRoles

A list of Roles which should be assigned to the KeyCredential.

If not provided the Server chooses suitable defaults.

The Server ignores Roles which it does not recognize or if the caller is not authorized to request access to the Role.

requestId

A unique identifier for the request.

This identifier shall be passed to the FinishRequest (see 8.5.6).

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_NotFound

The applicationUri is not known to the GDS.

Bad_ConfigurationError

The applicationUri is used by multiple records in the GDS.

Bad_CertificateInvalid

The Certificate is invalid.

Bad_SecurityPolicyRejected

The SecurityPolicy is unrecognized or not allowed or does not match the Certificate.

Bad_UserAccessDenied

The current user does not have the rights required.

Table 83 specifies the AddressSpace representation for the StartRequest Method.

Table 83 – StartRequest Method AddressSpace Definition

Attribute

Value

BrowseName

2:StartRequest

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

0:HasProperty

Variable

0:InputArguments

0:Argument[]

0:PropertyType

Mandatory

0:HasProperty

Variable

0:OutputArguments

0:Argument[]

0:PropertyType

Mandatory