This type defines a FileType that can be used to access a Trust List.

The CertificateManager uses this type to implement the Pull Model.

Servers use this type when implementing the Push Model.

An instance of a TrustListType shall restrict access to appropriate users or applications. This may be a CertificateManager administrative user that can change the contents of a Trust List, it may be an Administrative user that is reading a TrustList to deploy to an Application host or it may be an Application that can only access the TrustList assigned to it.

The TrustList file is a UA Binary encoded stream containing an instance of TrustListDataType (see 7.8.2.6).

The Open Method shall not support modes other than Read (0x01) and the Write + EraseExisting (0x06).

If a transaction is in progress (see 7.10.6) then the Server shall return Bad_TransactionPending if Open is called with Write Mode bit set.

Servers shall automatically Close TrustLists if there are no calls to Methods on the TrustList Object within the time specified by the ActivityTimeout Property.

The Size Property inherited from FileType has no meaning for TrustList and returns the error code defined in OPC 10000-20.

When a Client opens the file for writing the Server will not actually update the TrustList until the CloseAndUpdate Method is called. Simply calling Close will discard the updates. The bit masks in TrustListDataType structure allow the Client to only update part of the Trust List.

When the CloseAndUpdate Method is called the Server will validate all new Certificates and CRLs. If this validation fails the TrustList is not updated and the Server returns the appropriate Certificate error code (see OPC 10000-4).

Table 22 – TrustListType Definition

Attribute

Value

BrowseName

0:TrustListType

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the 0:FileType defined in OPC 10000-20.

0:HasProperty

Variable

0:LastUpdateTime

0:UtcTime

0:PropertyType

Mandatory

0:HasProperty

Variable

0:UpdateFrequency

0:Duration

0:PropertyType

Optional

0:HasProperty

Variable

0:ActivityTimeout

0:Duration

0:PropertyType

Optional

0:HasProperty

Variable

0:DefaultValidationOptions

TrustListValidationOptions

0:PropertyType

Optional

0:HasComponent

Method

0:OpenWithMasks

Defined in 7.8.2.2.

Mandatory

0:HasComponent

Method

0:CloseAndUpdate

Defined in 7.8.2.3.

Mandatory

0:HasComponent

Method

0:AddCertificate

Defined in 7.8.2.4.

Mandatory

0:HasComponent

Method

0:RemoveCertificate

Defined in 7.8.2.5.

Mandatory

Conformance Units

GDS Certificate Manager Pull Model

Push Model for Global Certificate and TrustList Management

The LastUpdateTime indicates when the TrustList was last updated. The LastUpdateTime shall reflect changes made using the TrustList Object Methods. A TrustList Object in a CertificateManager shall also reflect changes made in other ways.

The LastUpdateTime of a TrustList Object in a CertificateManager allows Clients using the PullManagement to know whether the TrustList has changed since the last time they accessed it. The LastUpdateTime of a TrustList Object in the ServerConfiguration allows administration Clients to check for out of date TrustLists.

The UpdateFrequency Property specifies how often the TrustList needs to be checked for changes. When the CertificateManager specifies this value, all Clients that read a copy of the TrustList should connect to the CertificateManager and check for updates to the TrustList within 2 times the UpdateFrequency. The choice of UpdateFrequency depends on how quickly system changes need to be detected and the performance constraints of the system. UpdateFrequencies that are too long create security risks because of out of date CRLs. UpdateFrequencies that are too short negatively impact system performance. If the TrustList Object is contained within a ServerConfiguration Object then this Property is not present.

The ActivityTimeout Property specifies the maximum elapsed time between the calls to Methods on the TrustList Object after Open or OpenWithMasks is called. If this time elapses the TrustList is automatically closed by the Server and any changes are discarded. The default value is 60 000 milliseconds (1 minute).

The DefaultValidationOptions Property specifies the default options to use when validating Certificates with the TrustList. The TrustListValidationOptions DataType is defined in 7.8.2.8. This Property may be updated by Clients with access to the SecurityAdmin Role.

If auditing is supported, the CertificateManager shall generate the TrustListUpdated AuditEventType (see 7.8.2.11) when the CloseAndUpdate, AddCertificate or RemoveCertificate Methods are called.

The OpenWithMasks Method allows a Client to read only the portion of the Trust List.

This Method can only be used to read the Trust List.

After calling this Method, the Client calls Read one or more times to get the TrustList. If the Server is able to detect out of band changes to theTrustList before the Client calls the Close Method, then the next Read returns Bad_InvalidState. If the Server cannot detect out of band changes it shall ensure the Client receives a consistent snapshot.

For PullManagement, this Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role, the ApplicationSelfAdmin Privilege, or the ApplicationAdmin Privilege (see 7.2).

For PushManagement, this Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2).

Signature

OpenWithMasks(

[in] UInt32 masks

[out] UInt32 fileHandle

);

Argument

Description

masks

The parts of the TrustList that are include in the file to read.

The masks are defined in 7.8.2.7.

fileHandle

The handle of the newly opened file.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_InvalidState

The TrustList has already been opened.

Bad_TransactionPending

The TrustList cannot be opened because it is part of a transaction is in progress.

Table 23 specifies the AddressSpace representation for the OpenWithMasks Method.

Table 23 – OpenWithMasks Method AddressSpace Definition

Attribute

Value

BrowseName

0:OpenWithMasks

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

0:HasProperty

Variable

0:InputArguments

0:Argument[]

0:PropertyType

Mandatory

0:HasProperty

Variable

0:OutputArguments

0:Argument[]

0:PropertyType

Mandatory

The CloseAndUpdate Method closes the TrustList and applies the changes to the TrustList. It can only be called if the TrustList was opened for writing. If the Close Method is called any cached data is discarded and the TrustList is not changed.

If only part of the TrustList is being updated the Server creates a new TrustList that includes the existing TrustList plus any updates and validates the new TrustList.

The Server shall verify that every Certificate in the new TrustList is valid using the validation process defined in OPC 10000-4. If an invalid Certificate is found the Server shall return an error and shall not replace the existing TrustList.

If the Server does not support transactions it applies the changes immediately and sets applyChangesRequired to FALSE. If the Server supports transactions then the Server creates a new transaction or continues an existing transaction and sets applyChangesRequired to TRUE.

If a transaction exists, the Server does not update the TrustList until ApplyChanges (see 7.10.6) is called. Any Clients that read the TrustList before ApplyChanges is called will receive the existing TrustList before the transaction started.

If errors occur, the new TrustList is discarded.

When the TrustList changes the Server shall re-evaluate the Certificate associated with any open Sessions. Sessions with an untrusted or revoked Certificate shall be closed.

The structure uploaded includes a mask (see 7.8.2.7) which specifies which fields are updated. If a bit is not set then the associated field is not changed.

Signature

CloseAndUpdate(

[in] UInt32 fileHandle

[out] Boolean applyChangesRequired

);

Argument

Description

fileHandle

The handle of the previously opened file.

applyChangesRequired

If TRUE the ApplyChanges Method (see 7.10.6) shall be called before the new TrustList will be used by the Server. If FALSE the TrustList is now in use.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_CertificateInvalid

The Server could not validate all Certificates in the TrustList.

The DiagnosticInfo shall specify which Certificate(s) are invalid and the specific error.

Bad_ChangesPending

Changes are queued on another Session (see 7.10.6)

Table 24 specifies the AddressSpace representation for the CloseAndUpdate Method.

Table 24 – CloseAndUpdate Method AddressSpace Definition

Attribute

Value

BrowseName

0:CloseAndUpdate

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

0:HasProperty

Variable

0:InputArguments

0:Argument[]

0:PropertyType

Mandatory

0:HasProperty

Variable

0:OutputArguments

0:Argument[]

0:PropertyType

Mandatory

The AddCertificate Method allows a Client to add a single Certificate to the Trust List. The Server shall verify that the Certificate using the validation process defined in OPC 10000-4. If an invalid Certificate is found the Server shall return an error and shall not update the Trust List.

This Method will return a validation error if the Certificate is issued by a CA and the Certificate for the issuer is not in the Trust List.

This Method cannot provide CRLs so issuer Certificates cannot be added with this Method. Instead, CA Certificates and their CRLs shall be managed with the Write Method on the containing TrustList Object.

This Method cannot be called if the containing TrustList Object is open.

This Method returns Bad_TransactionPending if a transaction is in progress (see 7.10.6).

This Method returns Bad_NotWritable if the TrustList Object is read only.

For PullManagement, this Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role (see 7.2).

For PushManagement, this Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2).

Signature

AddCertificate(

[in] ByteString certificate

[in] Boolean isTrustedCertificate

);

Argument

Description

certificate

The DER encoded Certificate to add.

isTrustedCertificate

If TRUE the Certificate is added to the trustedCertificates list.

If FALSE Bad_CertificateInvalid is returned.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_CertificateInvalid

The certificate to add is invalid.

Bad_InvalidState

The Open Method was called with write access and the CloseAndUpdate Method has not been called.

Bad_TransactionPending

Transaction has started and ApplyChanges or CancelChanges has not been called.

Table 25 specifies the AddressSpace representation for the AddCertificate Method.

Table 25 – AddCertificate Method AddressSpace Definition

Attribute

Value

BrowseName

0:AddCertificate

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

0:HasProperty

Variable

0:InputArguments

0:Argument[]

0:PropertyType

Mandatory

The RemoveCertificate Method allows a Client to remove a single Certificate from the Trust List. It returns Bad_InvalidArgument if the thumbprint does not match a Certificate in the Trust List.

If the Certificate is a CA Certificate that has CRLs then all CRLs for that CA are removed as well.

This Method returns Bad_TransactionPending if a transaction is in progress (see 7.10.6).

This Method returns Bad_NotWritable if the TrustList Object is read only.For PullManagement, this Method shall be called from an authenticated SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role (see 7.2).

For PushManagement, this Method shall be called from an authenticated SecureChannel and from a Session that has access to the SecurityAdmin Role (see 7.2).

Signature

RemoveCertificate(

[in] String thumbprint

[in] Boolean isTrustedCertificate

);

Argument

Description

Thumbprint

The CertificateDigest of the Certificate to remove.

isTrustedCertificate

If TRUE the Certificate is removed from the Trusted Certificates List.

If FALSE the Certificate is removed from the Issuer Certificates List.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_InvalidArgument

The certificate to remove was not found.

Bad_InvalidState

The Open Method was called with write access and the CloseAndUpdate Method has not been called.

Bad_TransactionPending

Transaction has started and ApplyChanges or CancelChanges has not been called.

Table 26 specifies the AddressSpace representation for the RemoveCertificate Method.

Table 26 – RemoveCertificate Method AddressSpace Definition

Attribute

Value

BrowseName

0:RemoveCertificate

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

0:HasProperty

Variable

0:InputArguments

0:Argument[]

0:PropertyType

Mandatory

This type defines a DataType which stores the TrustList of a Server. Its values are defined in Table 27.

Table 27 – TrustListDataType Structure

Name

Type

Description

TrustListDataType

Structure

Subtype of the Structure DataType defined in OPC 10000-5

specifiedLists

UInt32

A bit mask which indicates which lists contain information.

The TrustListMasks enumeration in 7.8.2.7 defines the allowed values.

trustedCertificates

ByteString[]

The list of Application and CA Certificates which are trusted.

trustedCrls

ByteString[]

The CRLs for the Certificates in the trustedCertificates list.

issuerCertificates

ByteString[]

The list of CA Certificates which are necessary to validate Certificates.

issuerCrls

ByteString[]

The CRLs for the CA Certificates in the issuerCertificates list.

Its representation in the AddressSpace is defined in Table 28.

Table 28 – TrustListDataType Definition

Attribute

Value

BrowseName

0:TrustListDataType

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Other

Subtype of the 0:Structure DataType defined in OPC 10000-5.

Conformance Units

GDS Certificate Manager Pull Model

Push Model for Global Certificate and TrustList Management

This is a DataType that defines the values used for the SpecifiedLists field in the TrustListDataType. Its values are defined in Table 29.

Table 29 – TrustListMasks Enumeration

Name

Value

Description

None

0

No fields are provided.

TrustedCertificates

1

The TrustedCertificates are provided.

TrustedCrls

2

The TrustedCrls are provided.

IssuerCertificates

4

The IssuerCertificates are provided.

IssuerCrls

8

The IssuerCrls are provided.

All

15

All fields are provided.

Its representation in the AddressSpace is defined in Table 30.

Table 30 – TrustListMasks Definition

Attribute

Value

BrowseName

0:TrustListMasks

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Other

Subtype of the Enumeration DataType defined in OPC 10000-5.

0:HasProperty

Variable

0:EnumValues

0:EnumValueType []

0:PropertyType

Conformance Units

GDS Certificate Manager Pull Model

Push Model for Global Certificate and TrustList Management

This DataType defines flags for TrustListValidationOptions is formally defined in Table 31.

Table 31 – TrustListValidationOptions Values

Value

Bit No.

Description

SuppressCertificateExpired

0

Ignore errors related to the validity time of the Certificate.

SuppressHostNameInvalid

1

Ignore mismatches between the host name or ApplicationUri.

SuppressRevocationStatusUnknown

2

Ignore errors if the revocation list cannot be found for the issuer of the Certificate.

SuppressIssuerCertificateExpired

3

Ignore errors if an issuer has an expired Certificate.

SuppressIssuerRevocationStatusUnknown

4

Ignore errors if the revocation list cannot be found for any issuer of issuer Certificates.

CheckRevocationStatusOnline

5

Check the revocation status online.

CheckRevocationStatusOffline

6

Check the revocation status offline.

If CheckRevocationStatusOnline is set, the Certificate validation process defined in OPC 10000-4 will look for the authorityInformationAccess extension to find an OCSP (RFC 6960) endpoint which can be used to determine if the Certificate has been revoked.

If the OCSP endpoint is not reachable then the Certificate validation process looks for offline CRLs if the CheckRevocationStatusOffline bit is set. Otherwise, validation fails.

The revocation status flags only have meaning for issuer Certificates and are used when validating Certificates issued by that issuer.

The default value for this DataType only has the CheckRevocationStatusOffline bit set.

The TrustListValidationOptions representation in the AddressSpace is defined in Table 32.

Table 32 – TrustListValidationOptions Definition

Attribute

Value

BrowseName

0:TrustListValidationOptions

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Other

Subtype of the 0:UInt32 DataType defined in OPC 10000-5

0:HasProperty

Variable

0:OptionSetValues

0:LocalizedText []

0:PropertyType

Conformance Units

GDS Certificate Manager Pull Model

Push Model for Global Certificate and TrustList Management

This SystemOffNormalAlarmType is raised by the Server when the UpdateFrequency elapses and the TrustList has not been updated. This alarm automatically returns to normal when the TrustList is updated.

Table 33 – TrustListOutOfDateAlarmType definition

Attribute

Value

BrowseName

0:TrustListOutOfDateAlarmType

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

Subtype of the SystemOffNormalAlarmType defined in OPC 10000-9.

0:HasProperty

Variable

0:TrustListId

0:NodeId

0:PropertyType

Mandatory

0:HasProperty

Variable

0:LastUpdateTime

0:UtcTime

0:PropertyType

Mandatory

0:HasProperty

Variable

0:UpdateFrequency

0:Duration

0:PropertyType

Mandatory

Conformance Units

GDS Certificate Manager Pull Model

Push Model for Global Certificate and TrustList Management

TrustListId Property specifies the NodeId of the out-of-date TrustList Object.

LastUpdateTime Property specifies when the TrustList was last updated.

UpdateFrequency Property specifies how frequently the TrustList needs to be updated.

This event is raised when a Method that changes the TrustList is called

It is raised when CloseAndUpdate, AddCertificate or RemoveCertificate Method on a TrustListType Object is called.

Its representation in the AddressSpace is formally defined in Table 34.

Table 34 – TrustListUpdateRequestedAuditEventType Definition

Attribute

Value

BrowseName

0:TrustListUpdateRequestedAuditEventType

IsAbstract

True

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

Subtype of the 0:AuditUpdateMethodEventType defined in OPC 10000-5.

Conformance Units

GDS Certificate Manager Pull Model

Push Model for Global Certificate and TrustList Management

This EventType inherits all Properties of the AuditUpdateMethodEventType. Their semantic is defined in OPC 10000-5.

This event is raised when a TrustList is successfully changed.

This is the result of a CloseAndUpdate Method on a TrustListType Object or the result of a ApplyChanges on the ServerConfigurationType Object being called.

It shall also be raised when the AddCertificate or RemoveCertificate Method causes an update to the Trust List.

Its representation in the AddressSpace is formally defined inTable 35.

Table 35 – TrustListUpdatedAuditEventType Definition

Attribute

Value

BrowseName

0:TrustListUpdatedAuditEventType

IsAbstract

True

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

Subtype of the 0:AuditEventType defined in OPC 10000-5.

0:HasProperty

Variable

0:TrustListId

0:NodeId

0:PropertyType

Mandatory

Conformance Units

GDS Certificate Manager Pull Model

Push Model for Global Certificate and TrustList Management

This EventType inherits all Properties of the AuditEventType. Their semantic is defined in OPC 10000-5.