Push management is performed by using a KeyCredentialConfiguration Object (see 8.6.4) which is a component of the KeyCredentialManagement Folder which, in turn, is a component of the ServerConfiguration Object in a Server. The interactions between the Administration application and the KeyCredentialService during PushManagement are illustrated in Figure 24.

Figure 24 – The Push Model for KeyCredential Management

The Administration Component may use internal APIs to manage KeyCredentials or it could be a standalone utility that uses OPC UA to communicate with a Server which supports the pull model (see 8.3). The Configuration Database is used by the Server to persist its configuration information. The administration and database components are examples to illustrate how an application could be built and are not a requirement.

To ensure security of the KeyCredentials, the KeyCredentialService component can require that secrets be encrypted with a key only known to the intended recipient of the KeyCredentials. For this reason, the Administration Component uses the GetEndpoints Service to read the Certificate from the Server before initiating the credential request on behalf of the Server.

Security, when using the PushManagement model, requires an encrypted channel and Clients with access to the SecurityAdmin Role.
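
The following sketch is an added example, not part of the specification or of any OPC UA SDK. It shows how an Administration Component could filter the result of GetEndpoints down to an endpoint that offers an encrypted channel and carries the Certificate the secrets will be encrypted to. The class and function names, the sample endpoints and the optional out-of-band thumbprint pin are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass

POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

@dataclass(frozen=True)
class Endpoint:
    """Subset of an EndpointDescription as returned by GetEndpoints."""
    url: str
    security_mode: str         # "None", "Sign" or "SignAndEncrypt"
    security_policy_uri: str
    server_certificate: bytes  # DER-encoded Certificate, may be empty

class PushRefused(Exception):
    """No endpoint is acceptable for push management."""

def thumbprint(cert_der: bytes) -> str:
    # OPC UA identifies a Certificate by the SHA-1 digest of its DER encoding.
    return hashlib.sha1(cert_der).hexdigest()

def select_push_endpoint(endpoints, pinned_thumbprint=None):
    """Return (endpoint, thumbprint) for the channel to push over.

    The returned endpoint's Certificate is the one secrets are encrypted to.
    pinned_thumbprint is an assumption of this example: a value obtained out
    of band, because GetEndpoints can be called without a secure channel.
    """
    for ep in endpoints:
        if ep.security_mode != "SignAndEncrypt":
            continue  # push management requires an encrypted channel
        if ep.security_policy_uri == POLICY_NONE or not ep.server_certificate:
            continue  # no Certificate to encrypt the secret to
        tp = thumbprint(ep.server_certificate)
        if pinned_thumbprint and tp != pinned_thumbprint.lower():
            continue  # not the Certificate the administrator expects
        return ep, tp
    raise PushRefused("no encrypted endpoint with an acceptable Certificate")

# Constructed sample data: the byte strings stand in for real DER Certificates.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://server.example:4840", "None", POLICY_NONE, b""),
    Endpoint("opc.tcp://server.example:4840", "Sign", POLICY_B256, b"constructed-cert"),
    Endpoint("opc.tcp://server.example:4840", "SignAndEncrypt", POLICY_B256, b"constructed-cert"),
]

if __name__ == "__main__":
    ep, tp = select_push_endpoint(SAMPLE_ENDPOINTS)
    print(ep.security_mode, ep.security_policy_uri, tp)
```

The SecurityAdmin Role requirement is enforced by the Server when the session calls the KeyCredentialConfiguration Methods, so it is not modelled in this client-side check.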