The AddressSpace used for push management is shown in Figure 19. Clients interact with the Nodes defined in this model when they need update the KeyCredentials used by a Server to access resources such as Brokers or Authorization Servers. The NetworkResources Folder is a well-known Object that appears in the AddressSpace of any Server which supports KeyCredential management.

image022.png

Figure 19 – The Address Space used for Push KeyCredential Management

This Object is an instance of FolderType. It contains The Objects which make be accessed via the Server. It is the target of an HasComponent reference from the ServerConfiguration Object defined in 7.7.2. It is defined in Table 46.

Table 55 – KeyCredentialConfiguration Object Definition

Attribute

Value

BrowseName

KeyCredentialConfiguration

Namespace

CORE (see 3.3)

TypeDefinition

FolderType defined in OPC 10000-5.

References

NodeClass

BrowseName

TypeDefinition

Modelling Rule

This ObjectType is the TypeDefinition for an Object that allows the configuration of KeyCredentials used by the Server. It also includes basic status information which report problems accessing the resource that might be related to bad KeyCredentials. It is defined in Table 56.

Table 56 – KeyCredentialConfigurationType Definition

Attribute

Value

BrowseName

KeyCredentialConfigurationType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the BaseObjectType defined in OPC 10000-5.

HasProperty

Variable

ResourceUri

String

PropertyType

Mandatory

HasProperty

Variable

ProfileUri

String

PropertyType

Mandatory

HasProperty

Variable

EndpointUrls

String[]

PropertyType

Optional

HasProperty

Variable

ServiceStatus

StatusCode

PropertyType

Optional

HasComponent

Method

GetEncryptingKey

Defined in 8.5.8.

Optional

HasComponent

Method

UpdateCredential

Defined in 8.5.3.

Optional

HasComponent

Method

DeleteCredential

Defined in 8.5.4.

Optional

The ResourceUri Property uniquely identifies the resource that accepts the KeyCredentials.

The ProfileUri Property specifies the protocol used to access the resource.

The EndpointUrls Property specifies the URLs that the Server uses to access the resource.

The ServiceStatus Property indicates the result of the last attempt to communicate with the resource. The following common error values are defined:

ServiceStatus

Description

Bad_OutOfService

Communication was not attempted by the Server because Enabled is FALSE.

Bad_IdentityTokenRejected

Communication failed because the KeyCredentials are not valid.

Bad_NoCommunication

Communication failed because the endpoint is not reachable.

Where possible a more specific error code should be used.

See OPC 10000-4 for a complete list of standard StatusCodes.

The GetEncryptingKey Method is used request a Public Key that can be used to encrypt the KeyCredentials.

The UpdateKeyCredential Method is used to change the KeyCredentials used by the Server.

UpdateCredential is used to update a KeyCredential used by a Server.

The KeyCredential secret may be encrypted with the public key returned by GetEncryptingKey. The SecurityPolicyUri species the algorithm used for encryption. The format of the encrypted data is described in 8.5.8.

This Method requires an encrypted channel and that the Client provides credentials with administrative rights on the Server.

Signature

UpdateCredential(

[in] String credentialId,

[in] ByteString credentialSecret,

[in] String certificateThumbprint,

[in] String securityPolicyUri

);

Argument

Description

credentialId

The unique identifier associated with the KeyCredential.

credentialSecret

The secret associated with the KeyCredential.

certificateThumbprint

The thumbprint of the Certificate used to encrypt the secret.

For RSA SecurityPolicies this shall be one of the Application Instance Certificates assigned to the Server. For ECC SecurityPolicies this field is not specified.Not specified if the secret is not encrypted.

securityPolicyUri

The SecurityPolicy used to encrypt the secret.

If not specified the secret is not encrypted.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_InvalidArgument

The credentialId or credentialSecret is not valid.

Bad_CertificateInvalid

The Certificate is invalid or it is not one of the Server’s Certificates.

Bad_SecurityPolicyRejected

The SecurityPolicy is unrecognized or not allowed.

Bad_UserAccessDenied

The current user does not have the rights required.

Table 57 specifies the AddressSpace representation for the UpdateKeyCredential Method.

Table 57 – UpdateCredential Method AddressSpace Definition

Attribute

Value

BrowseName

UpdateCredential

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

DeleteCredential is used to delete a KeyCredential used by a Server.

This Method requires an encrypted channel and that the Client provides credentials with administrative rights on the Server.

Signature

DeleteCredential()

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Table 58 specifies the AddressSpace representation for the DeleteKeyCredential Method.

Table 58 – DeleteCredential Method AddressSpace Definition

Attribute

Value

BrowseName

DeleteCredential

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

This event is raised when a KeyCredential is updated.

This Event and its subtypes report sensitive security related information. Servers shall only report these Events to Clients which are authorized to view such information.

This is the result of a UpdateCredential Method completing.

Its representation in the AddressSpace is formally defined in Table 59.

Table 59 – KeyCredentialUpdatedAuditEventType Definition

Attribute

Value

BrowseName

KeyCredentialUpdatedAuditEventType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the KeyCredentialAuditEventType defined in 8.4.7.

This EventType inherits all Properties of the KeyCredentialAuditEventType.

This event is raised when a KeyCredential is updated.

This is the result of a DeleteCredential Method completing.

Its representation in the AddressSpace is formally defined in Table 60.

Table 60 – KeyCredentialUpdatedAuditEventType Definition

Attribute

Value

BrowseName

KeyCredentialDeletedAuditEventType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the KeyCredentialAuditEventType defined in 8.4.7.

This EventType inherits all Properties of the KeyCredentialAuditEventType. GetEncryptingKey

GetEncryptingKey is used to request a key that can be used to encrypt a KeyCredential.

This Method requires an encrypted channel and that the Client provides credentials with administrative rights on the Server.

Signature

GetEncryptingKey(

[in] String credentialId,

[in] String requestedSecurityPolicyUri,

[out] ByteString publicKey,

[out] String revisedSecurityPolicyUri

);

Argument

Description

credentialId

The unique identifier associated with the KeyCredential.

requestedSecurityPolicyUri

The SecurityPolicy used to encrypt the secret.

If not specified the Server chooses a suitable default.

publicKey

The Public Key used to encrypt the secret.

The format depends on the SecurityPolicyUri.

revisedSecurityPolicyUri

The SecurityPolicy used to encrypt the secret.

It also specifies the contents of the publicKey.

This may be different from the requestedSecurityPolicyUri.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_InvalidArgument

The credentialId is not valid.

Bad_UserAccessDenied

The current user does not have the rights required.

Table 60a specifies the AddressSpace representation for the GetEncryptingKey Method.

Table 60a – GetEncryptingKey Method AddressSpace Definition

Attribute

Value

BrowseName

GetEncryptingKey

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory