UA Part 12: Discovery and Global Services - 7.6 Pull Management Workflow

7.6 Pull Management Workflow

In this workflow the OPC UA Applicationthat gets Certificatesfrom the CertificateManager is the Clientthat executes the workflow and the CertificateManager is the Serverprocessing the request in the workflow.

The Applicationis authenticated with the Certificatesigned by the CertificateManager(or the Certificateassigned during registration). The UserTokenTypeis always Anonymoususing the ApplicationSelfAdmin Privilege.

The workflow for PullManagementis shown in Figure 16and the steps are described in Table 21. The two options for the key pair creation are described in Figure 17. The boxes with blue textindicate Method calls.

Figure 16– Certificate Pull Management Workflow

Figure 17– The Pull Management Private Key Options

The steps of the PullManagementworkflow are described in detail in Table 21.

Table 21– Certificate Pull Management Workflow Steps

Step	Description
Certificate management begin options	The following options are possible to start thePullManagement. Continue application setup using the Sessionavailable from the application registration workflow described in 6.5. Cyclic check of the application status using a new connection to the CertificateManager. The cycle time is defined by the UpdateFrequencyon the related TrustList Objectin the CertificateManager.
Connect	Create a connection for option (2). For the connection management with the CertificateManagerthe Services OpenSecureChannel, CreateSessionand ActivateSessionare used to create a connection with MessageSecurityMode SignAndEncryptand an Anonymoususer. Applicationauthentication is used by the CertificateManagerto allow OPC UA Applicationsto access the necessary resources to update themselves using the ApplicationSelfAdmin Privilege.
Required information	The OPC UA Applicationneeds to know the following information to execute the PullManagementworkflow ApplicationId NodeIdof the OPC UA Applicationin the CertificateManager. CertificateGroupIdsNodeIdsfor each CertificateGroupin the CertificateManagerthat are relevant to the OPC UA Application. This includes a mapping to the related internal CertificateGroupand the CertificateTypesneeded. Pending signing requestsRequestIdsfor pending signing requests that need to be completed and their relationship with a CertificateGroupand CertificateType.
SigningRequestPending	If one or more signing requests are pending for a CertificateGroup, the FinishRequest Methodis called directly with the ApplicationIdand the RequestIdfor the pending signing request. The repeat count is set to 0 in this case.
GetCertificateStatus	The Method GetCertificateStatusis called with the ApplicationIdand the CertificateGroupIdto check if a certificate update is needed. This is repeated for each CertificateTypeneeded for the CertificateGroup.
Update Required	If GetCertificateStatusreturns updateRequired set to True for one or more combinations of CertificateGroupand CertificateType, the process for key pair creationis started for the affected combinations.
Create CSR	The application creates a certificate signing request (CSR). It is strongly recommended, that the OPC UA Application creates a new private key for each signing request.
StartSigningRequest	The Method StartSigningRequestis called for each CertificateGroupand CertificateTypetogether with the CSR to request a signed Certificatefrom the CertificateManager. Each Methodcall needs it’s own CSR. As alternative for OPC UA Applications who do not have access to a cryptograhically sufficient entropy source, the Method StartNewKeyPairRequestcan be used. In this case the private key is created by the CertificateManager. Both Methods return a RequestIdthat can be passed to the FinishRequest Method. The repeat count for FinishRequestis set to a small number like 2.
FinishRequest	The Method FinishRequestis called to check the results of a previous StartSigningRequestor StartNewKeyPairRequest. The following results are possible: If FinishRequestreturns a Goodresult, the Methodreturns the signed Certificateand optionally the private key for the StartNewKeyPairRequestcase. If FinishRequestreturns Bad_NothingToDoit indicates that the request is not completed yet. If the repeat count is not 0, the repeat count is decremented and FinishRequestis repeated after a short delay. If the repeat count is 0, the RequestIdis persisted and the next CertificateGroupor CertificateTypeis processed If FinishRequestreturns any other Badresult, a new request must be sent in the next cycle
GetTrustList	If all Certificatesfor a CertificateGroupare up-to-date, the trust list is checked for updates by calling the Method GetTrustList. The Method returns the NodeIdof the TrustList Objectfor the CertificateGroup. The LastUpdateTimeof TrustList Objectindicates when the contents of the TrustListchanged. When using PullManagement, the Clientshould check this Propertybefore downloading the TrustList.
TrustListType::Read	The NodeIdof the TrustList Objectreturned by GetTrustListis used to open the TrustListfor reading and to read the current content of the TrustList.
Persist TrustList	If a TrustListupdate or Certificateupdates are available, they are persisted for further use by the OPC UA Application. They must be persisted at the same time to ensure a consistent setup.
Repeat for all CertificateGroups	Repeat the process for all CertificateGroups.
Disconnect	Disconnect from CertificateManager.