UA Part 12: Discovery and Global Services - 7.6 Pull Management Workflow

7.6 Pull Management Workflow

In this workflow the OPC UA Application that gets Certificates from the CertificateManager is the Client that executes the workflow and the CertificateManager is the Server processing the request in the workflow.

The Application is authenticated with the Certificate signed by the CertificateManager (or the Certificate assigned during registration). The UserTokenType is always Anonymous using the ApplicationSelfAdmin Privilege.

The workflow for PullManagement is shown in Figure 16 and the steps are described in Table 21. The two options for the key pair creation are described in Figure 17. The boxes with blue text indicate Method calls.

Figure 16 – Certificate Pull Management Workflow

Figure 17 – The Pull Management Private Key Options

The steps of the PullManagement workflow are described in detail in Table 21.

Table 21 – Certificate Pull Management Workflow Steps

Step	Description
Certificate management begin options	The following options are possible to start the PullManagement. Continue application setup using the Session available from the application registration workflow described in 6.5. Cyclic check of the application status using a new connection to the CertificateManager. The cycle time is defined by the UpdateFrequency on the related TrustList Object in the CertificateManager.
Connect	Create a connection for option (2). For the connection management with the CertificateManager the Services OpenSecureChannel, CreateSession and ActivateSession are used to create a connection with MessageSecurityMode SignAndEncrypt and an Anonymous user. Application authentication is used by the CertificateManager to allow OPC UA Applications to access the necessary resources to update themselves using the ApplicationSelfAdmin Privilege.
Required information	The OPC UA Application needs to know the following information to execute the PullManagement workflow ApplicationId NodeId of the OPC UA Application in the CertificateManager. CertificateGroupIdsNodeIds for each CertificateGroup in the CertificateManager that are relevant to the OPC UA Application. This includes a mapping to the related internal CertificateGroup and the CertificateTypes needed. Pending signing requestsRequestIds for pending signing requests that need to be completed and their relationship with a CertificateGroup and CertificateType.
SigningRequestPending	If one or more signing requests are pending for a CertificateGroup, the FinishRequest Method is called directly with the ApplicationId and the RequestId for the pending signing request. The repeat count is set to 0 in this case.
GetCertificateStatus	The Method GetCertificateStatus is called with the ApplicationId and the CertificateGroupId to check if a certificate update is needed. This is repeated for each CertificateType needed for the CertificateGroup.
Update Required	If GetCertificateStatus returns updateRequired set to True for one or more combinations of CertificateGroup and CertificateType, the process for key pair creation is started for the affected combinations.
Create CSR	The application creates a certificate signing request (CSR). It is strongly recommended, that the OPC UA Application creates a new private key for each signing request.
StartSigningRequest	The Method StartSigningRequest is called for each CertificateGroup and CertificateType together with the CSR to request a signed Certificate from the CertificateManager. Each Method call needs it’s own CSR. As alternative for OPC UA Applications who do not have access to a cryptograhically sufficient entropy source, the Method StartNewKeyPairRequest can be used. In this case the private key is created by the CertificateManager. Both Methods return a RequestId that can be passed to the FinishRequest Method. The repeat count for FinishRequest is set to a small number like 2.
FinishRequest	The Method FinishRequest is called to check the results of a previous StartSigningRequest or StartNewKeyPairRequest. The following results are possible: If FinishRequest returns a Good result, the Method returns the signed Certificate and optionally the private key for the StartNewKeyPairRequest case. If FinishRequest returns Bad_NothingToDo it indicates that the request is not completed yet. If the repeat count is not 0, the repeat count is decremented and FinishRequest is repeated after a short delay. If the repeat count is 0, the RequestId is persisted and the next CertificateGroup or CertificateType is processed If FinishRequest returns any other Bad result, a new request must be sent in the next cycle
GetTrustList	If all Certificates for a CertificateGroup are up-to-date, the trust list is checked for updates by calling the Method GetTrustList. The Method returns the NodeId of the TrustList Object for the CertificateGroup. The LastUpdateTime of TrustList Object indicates when the contents of the TrustList changed. When using PullManagement, the Client should check this Property before downloading the TrustList.
TrustListType::Read	The NodeId of the TrustList Object returned by GetTrustList is used to open the TrustList for reading and to read the current content of the TrustList.
Persist TrustList	If a TrustList update or Certificate updates are available, they are persisted for further use by the OPC UA Application. They must be persisted at the same time to ensure a consistent setup.
Repeat for all CertificateGroups	Repeat the process for all CertificateGroups.
Disconnect	Disconnect from CertificateManager.