TheAddressSpaceused for PushManagementis shown in Figure 26. Clientsinteract with the Nodesdefined in this model when they need update the KeyCredentials used by a Serverto access resources such as Brokersor Authorization Servers. The NetworkResources Folderis a well-known Objectthat appears in the AddressSpaceof any Serverwhich supports KeyCredentialmanagement.
Figure 26– The Address Space used for Push KeyCredential Management
This ObjectTypeis the TypeDefinitionfor an Folder Objectthat contains the KeyCredentialConfiguration Objectswhich may be accessed via the Server.
Table 90– KeyCredentialConfigurationFolderType Definition
|
Attribute |
Value |
|||
|
BrowseName |
0:KeyCredentialConfigurationFolderType |
|||
|
IsAbstract |
False |
|||
|
References |
NodeClass |
BrowseName |
TypeDefinition |
Modelling Rule |
|
Subtype of the 0:FolderTypedefined in OPC 10000-5. |
||||
|
0:HasComponent |
Object |
0:<ServiceName> |
0:KeyCredentialConfigurationType |
Optional Placeholder |
|
0:HasComponent |
Method |
0:CreateCredential |
Defined in 8.6.2. |
Optional |
|
|
||||
|
Conformance Units |
||||
|
GDS Key Credential Service Push Model |
||||
CreateCredentialis used to add a new KeyCredentialConfiguration Object.
This Methodshall be called from an encrypted SecureChanneland from a Clientthat has access to the SecurityAdmin Role (see 8.2).
Signature
CreateCredential (
[in] String name
[in] String resourceUri
[in] String profileUri
[in] String[] endpointUrls
[out] NodeId credentialNodeId
);
|
Argument |
Description |
|
name |
This the BrowseNameof the new Object. |
|
resourceUri |
The resourceUriuniquely identifies the resource that accepts the KeyCredentials. A valid URI shall be provided. |
|
profileUri |
The specified URI assigned in OPC 10000-7to the protocol used to communicate with the resource identified by the resourceUri. A valid URI shall be provided. |
|
endpointUrls |
The specifies URLs used by the Serverto communicate with the resource identified by the resourceUri. Valid URLs shall be provided. |
|
credentialNodeId |
A unique identifier for the new KeyCredentialConfiguration Object Node. |
Method Result Codes (defined in Call Service)
|
Result Code |
Description |
|
Bad_InvalidArgument |
The resourceUri, profileUri,or one or more endpointUrlsare not valid. |
|
Bad_UserAccessDenied |
The current user does not have the rights required. |
Table 91specifies the AddressSpacerepresentation for the CreateCredential Method.
Table 91– CreateCredential Method AddressSpace Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:CreateCredential |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
|
0:HasProperty |
Variable |
0:InputArguments |
Argument[] |
0:PropertyType |
Mandatory |
|
0:HasProperty |
Variable |
0:OutputArguments |
Argument[] |
0:PropertyType |
Mandatory |
This Objectis an instance of FolderType.It contains The Objectswhich may be accessed via the Server. It is the target of an HasComponentreference from the ServerConfiguration Object defined in 7.10.2. It is defined in Table 92.
Table 92– KeyCredentialConfiguration Object Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:KeyCredentialConfiguration |
||||
|
TypeDefinition |
0:KeyCredentialConfigurationFolderTypedefined in 8.6.1. |
||||
|
References |
NodeClass |
BrowseName |
TypeDefinition |
|
Modelling Rule |
|
|
|||||
|
Conformance Units |
|||||
|
GDS Key Credential Service Push Model |
|||||
This ObjectTypeis the TypeDefinitionfor an Objectthat allows the configuration of KeyCredentialsused by the Server. It also includes basic status information which report problems accessing the resource that might be related to bad KeyCredentials. It is defined in Table 93.
Table 93– KeyCredentialConfigurationType Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:KeyCredentialConfigurationType |
||||
|
IsAbstract |
False |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of the BaseObjectTypedefined in OPC 10000-5. |
|||||
|
0:HasProperty |
Variable |
0:ResourceUri |
0:String |
0:PropertyType |
Mandatory |
|
0:HasProperty |
Variable |
0:ProfileUri |
0:String |
0:PropertyType |
Mandatory |
|
0:HasProperty |
Variable |
0:EndpointUrls |
0:String[] |
0:PropertyType |
Optional |
|
0:HasProperty |
Variable |
0:ServiceStatus |
0:StatusCode |
0:PropertyType |
Optional |
|
0:HasComponent |
Method |
0:GetEncryptingKey |
|
Defined in 8.6.5. |
Optional |
|
0:HasComponent |
Method |
0:UpdateCredential |
|
Defined in 8.6.6. |
Optional |
|
0:HasComponent |
Method |
0:DeleteCredential |
|
Defined in 8.6.7. |
Optional |
|
|
|||||
|
Conformance Units |
|||||
|
GDS Key Credential Service Push Model |
|||||
The ResourceUri Propertyuniquely identifies the resource that accepts the KeyCredentials.
The ProfileUri Propertyspecifies the protocol used to access the resource.
The EndpointUrls Propertyspecifies the URLs that the Serveruses to access the resource.
The ServiceStatus Propertyindicates the result of the last attempt to communicate with the resource. The following common error values are defined:
|
ServiceStatus |
Description |
|
Bad_OutOfService |
Communication was not attempted by the Serverbecause Enabledis FALSE. |
|
Bad_IdentityTokenRejected |
Communication failed because the KeyCredentialsare not valid. |
|
Bad_NoCommunication |
Communication failed because the endpoint is not reachable. Where possible a more specific error code should be used. See OPC 10000-4for a complete list of standard StatusCodes. |
The GetEncryptingKey Methodis used request a Public Keythat can be used to encrypt the KeyCredentials.
The UpdateKeyCredential Methodis used to change the KeyCredentialsused by the Server.
The DeleteKeyCredential Methodis used to delete the KeyCredentialsstored by the Server.
GetEncryptingKeyis used to request a key that can be used to encrypt a KeyCredential.
This Methodshall be called from an encrypted SecureChanneland from a Clientthat has access to the SecurityAdmin Role (see 8.2).
Signature
GetEncryptingKey(
[in] String credentialId
[in] String requestedSecurityPolicyUri
[out] ByteString publicKey
[out] String revisedSecurityPolicyUri
);
|
Argument |
Description |
|
credentialId |
The unique identifier associated with the KeyCredential. |
|
requestedSecurityPolicyUri |
The SecurityPolicyused to encrypt the secret. If not specified the Serverchooses a suitable default. |
|
publicKey |
The Public Key used to encrypt the secret. The format depends on the SecurityPolicyUri. |
|
revisedSecurityPolicyUri |
The SecurityPolicyused to encrypt the secret. It also specifies the contents of the publicKey. This may be different from the requestedSecurityPolicyUri. |
Method Result Codes (defined in Call Service)
|
Result Code |
Description |
|
Bad_InvalidArgument |
The credentialId is not valid. |
|
Bad_UserAccessDenied |
The current user does not have the rights required. |
Table 94specifies the AddressSpacerepresentation for the GetEncryptingKey Method.
Table 94– GetEncryptingKey Method AddressSpace Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:GetEncryptingKey |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
|
0:HasProperty |
Variable |
0:InputArguments |
0:Argument[] |
0:PropertyType |
Mandatory |
|
0:HasProperty |
Variable |
0:OutputArguments |
0:Argument[] |
0:PropertyType |
Mandatory |
UpdateCredentialis used to update a KeyCredentialused by a Server.
The KeyCredentialsecret may be encrypted with the public key returned by GetEncryptingKey. The SecurityPolicyUrispecies the algorithm used for encryption. The format of the encrypted data is described in 8.5.6.
This Methodshall be called from an encrypted SecureChanneland from a Clientthat has access to the SecurityAdmin Role (see 8.2).
Signature
UpdateCredential(
[in] String credentialId
[in] ByteString credentialSecret
[in] String certificateThumbprint
[in] String securityPolicyUri
);
|
Argument |
Description |
|
credentialId |
The unique identifier associated with the KeyCredential. |
|
credentialSecret |
The secret associated with the KeyCredential. |
|
certificateThumbprint |
The thumbprint of the Certificateused to encrypt the secret. For RSA SecurityPoliciesthis shall be one of the Application Instance Certificatesassigned to the Server. For ECC SecurityPoliciesthis field is not specified.Not specified if the secret is not encrypted. |
|
securityPolicyUri |
The SecurityPolicyused to encrypt the secret. If not specified the secret is not encrypted. |
Method Result Codes (defined in Call Service)
|
Result Code |
Description |
|
Bad_InvalidArgument |
The credentialId or credentialSecret is not valid. |
|
Bad_CertificateInvalid |
The Certificateis invalid or it is not one of the Server’s Certificates. |
|
Bad_SecurityPolicyRejected |
The SecurityPolicy is unrecognized or not allowed. |
|
Bad_UserAccessDenied |
The current user does not have the rights required. |
Table 96specifies the AddressSpacerepresentation for the UpdateKeyCredential Method.
Table 95– UpdateCredential Method AddressSpace Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:UpdateCredential |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
|
0:HasProperty |
Variable |
0:InputArguments |
0:Argument[] |
0:PropertyType |
Mandatory |
DeleteCredentialis used to delete a KeyCredentialused by a Server.
This Methodshall be called from an encrypted SecureChanneland from a Clientthat has access to the SecurityAdmin Role (see 8.2).
Signature
DeleteCredential();
Method Result Codes (defined in Call Service)
|
Result Code |
Description |
|
Bad_UserAccessDenied |
The current user does not have the rights required. |
Table 95specifies the AddressSpacerepresentation for the DeleteKeyCredential Method.
Table 96– DeleteCredential Method AddressSpace Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:DeleteCredential |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
This event is raised when a KeyCredentialis updated.
This Eventand its subtypes report sensitive security related information. Servers shall only report these Eventsto Clients which are authorized to view such information.
This is the result of a UpdateCredential Methodcompleting.
Its representation in the AddressSpaceis formally defined in Table 97.
Table 97– KeyCredentialUpdatedAuditEventType Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:KeyCredentialUpdatedAuditEventType |
||||
|
IsAbstract |
False |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of the 0:KeyCredentialAuditEventType defined in 8.5.8. |
|||||
|
|
|||||
|
Conformance Units |
|||||
|
Push Model for KeyCredential Service |
|||||
This EventTypeinherits all Propertiesof the KeyCredentialAuditEventType.
This event is raised when a KeyCredentialis updated.
This is the result of a DeleteCredential Methodcompleting.
Its representation in the AddressSpaceis formally defined in Table 98.
Table 98– KeyCredentialDeletedAuditEventType Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:KeyCredentialDeletedAuditEventType |
||||
|
IsAbstract |
False |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of the 0:KeyCredentialAuditEventType defined in 8.5.8. |
|||||
|
|
|||||
|
Conformance Units |
|||||
|
GDS Key Credential Service Push Model |
|||||
This EventTypeinherits all Propertiesof the KeyCredentialAuditEventType.