For the communication between haul-offs and MES, OPC UA application authentication via X.509 certificates shall be used. OPC UA supports self-signed certificates, which have to be manually added to a “trust list”, as well as certificates issued by a certificate authority (CA).
The minimum requirements at the protocol level for an OPC 40084-4 compliant connection are:
- Use of (self-signed) certificates for OPC UA application authentication
- Security Policy: Basic256
- Message Security Mode: sign
NOTE: This specification does not fix whether the certificate includes a fixed IP address and/or the host name. However, if the certificate includes a host name, a DNS server is expected to resolve the host name. An OPC UA GDS (Global Discovery Server) can be used to manage the connections and certificates.
On the haul-off, authentication via user name and password is commonly used.
For the users and roles of the connection, the following applies:
- User names can be manufacturer dependent.
- Standard roles are:
  - “OPC40084”: read and write access for selected parameters
  - “OPC40084_read_only”: no writing permissions
- Manufacturers can add additional roles. They may not start with “OPC40084”. For these roles, more parameters can be writeable than for the OPC40084 role.
- The standard user “OPC40084” has the role “OPC40084” (and no other additional role), “OPC40084_read_only” has the role “OPC40084_read_only” (and no other additional role); the passwords for the standard users are defined by the manufacturers (they may be empty).
NOTE: OPC UA also allows an anonymous token (e.g. for testing).
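The minimum requirements and the role rules above can be checked mechanically against a machine's configuration. The following is an added example, not part of OPC 40084-4: the dict layout, host names and parameter names (`LineSpeed`, `Torque`) are constructed, and treating the newer OPC UA security policies as meeting the Basic256 minimum is an assumption.

```python
# Added example: config layout and parameter names are assumptions.
STANDARD = ("OPC40084", "OPC40084_read_only")  # standard roles and users
# Basic256 is the stated minimum; accepting the newer OPC UA policies as
# meeting it is an assumption of this example.
ACCEPTED_POLICIES = {"Basic256", "Basic256Sha256",
                     "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"}
ACCEPTED_MODES = {"Sign", "SignAndEncrypt"}


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for ep in config["endpoints"]:
        policy = ep["security_policy"].rsplit("#", 1)[-1]  # URI or short name
        if policy not in ACCEPTED_POLICIES:
            findings.append(f"{ep['url']}: policy {policy} is below Basic256")
        if ep["security_mode"] not in ACCEPTED_MODES:
            findings.append(f"{ep['url']}: mode {ep['security_mode']} does not sign")
    for role in config["roles"]:
        if role.startswith("OPC40084") and role not in STANDARD:
            findings.append(f"role {role}: manufacturer role uses reserved prefix")
    if config["roles"].get("OPC40084_read_only", {}).get("write"):
        findings.append("role OPC40084_read_only: has writing permissions")
    for user in STANDARD:  # each standard user holds only the role of the same name
        roles = config["users"].get(user)
        if roles is not None and set(roles) != {user}:
            findings.append(f"user {user}: must hold only the role {user}")
    return findings


# Constructed sample configuration (not taken from a real machine).
SAMPLE = {
    "endpoints": [
        {"url": "opc.tcp://haul-off-1:4840",
         "security_policy": "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
         "security_mode": "Sign"},
        {"url": "opc.tcp://haul-off-1:4841",
         "security_policy": "http://opcfoundation.org/UA/SecurityPolicy#None",
         "security_mode": "None"},
    ],
    "roles": {"OPC40084": {"write": ["LineSpeed"]},
              "OPC40084_read_only": {"write": []},
              "OPC40084_service": {"write": ["LineSpeed", "Torque"]}},
    "users": {"OPC40084": ["OPC40084"],
              "OPC40084_read_only": ["OPC40084_read_only", "OPC40084_service"]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Empty passwords and the anonymous token are permitted by the text above, so this check does not report them.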