For the communication between filters and MES the OPC UA application authentication via X509 certificates shall be used. OPC UA provides functionalities for using self-signed certificates that have to be manually added to a “trust list” as well as for certificates issued by a certificate authority (CA).
The minimum requirements of the protocol level for a OPC 40084-6 compliant connection are:
- Use of (self-signed) certificates for OPC UA application authentication
- Security Policy: Basic256
- Message Security Mode: sign
NOTE: It is not fixed by this specification if the certificate includes a fixed IP address and/or the host name. However, if the certificate includes a host name, a DNS server is expected to resolve the host name. An OPC UA GDS (Global Discovery Server) can be used to manage the connections and certificates.
On the filter authentication via user name and password is commonly used.
For the users and roles of the connection the following applies:
- User names can be manufacturer dependent.
- Standard roles are
- “OPC40084”: read and write access for selected parameters
- “OPC40084_read_only”: no writing permissions
- Manufactures can add additional roles. They may not start with “OPC40084”. For these roles, more parameters can be writeable than for the OPC40084 role.
- The standard user “OPC40084” has the role “OPC40084” (and no other additional role), “OPC4004_read_only” has the roll “OPC40084_read_only” (and no other additional role); the passwords for the standard users are defined by the manufacturers (they may be empty).
NOTE: OPC UA also allow an anonymous-token (e.g. for testing)