For the communication between haul-offs and MES, OPC UA application authentication via X.509 certificates shall be used. OPC UA provides functionality for using self-signed certificates that have to be manually added to a “trust list”, as well as for certificates issued by a certificate authority (CA).

The minimum requirements at the protocol level for an OPC 40084-4 compliant connection are:

  • Use of (self-signed) certificates for OPC UA application authentication
  • Security Policy: Basic256
  • Message Security Mode: sign

NOTE: It is not fixed by this specification if the certificate includes a fixed IP address and/or the host name. However, if the certificate includes a host name, a DNS server is expected to resolve the host name. An OPC UA GDS (Global Discovery Server) can be used to manage the connections and certificates.

On the haul-off, authentication via user name and password is commonly used.

For the users and roles of the connection the following applies:

  • User names can be manufacturer dependent.
  • Standard roles are:
      ◦ “OPC40084”: read and write access for selected parameters
      ◦ “OPC40084_read_only”: no writing permissions
  • Manufacturers can add additional roles. These roles may not start with “OPC40084”. For these roles, more parameters can be writeable than for the OPC40084 role.
  • The standard user “OPC40084” has the role “OPC40084” (and no other additional role); the standard user “OPC40084_read_only” has the role “OPC40084_read_only” (and no other additional role). The passwords for the standard users are defined by the manufacturers (they may be empty).
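The following is an added example, not part of OPC 40084-4 or of any vendor's implementation. It shows how an MES-side client could apply the two sets of rules above before opening a session: first it filters the endpoints a haul-off advertises down to those that meet the minimum of Security Policy Basic256 with Message Security Mode Sign (the strength ranking of the policies and the preference for the strongest qualifying endpoint are assumptions, since the specification only states a minimum), then it models the standard users and roles, including the rule that manufacturer-defined roles must not start with “OPC40084”. The security policy URIs and the MessageSecurityMode enumeration values are those of OPC UA; the endpoint URLs, the parameter names and the function names (`Endpoint`, `meets_minimum`, `select_endpoint`, `validate_role_name`, `can_write`) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# OPC UA security policy URIs share this prefix (OPC UA Part 7).
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
# Assumed strength ranking, weakest first. Anything ranked at or above
# the minimum policy qualifies; unknown policies are rejected.
POLICY_RANK = ["None", "Basic128Rsa15", "Basic256", "Basic256Sha256",
               "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"]
# OPC UA MessageSecurityMode enumeration values.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3

# Minimum required by OPC 40084-4: Basic256 with mode Sign.
MIN_POLICY, MIN_MODE = "Basic256", MODE_SIGN


@dataclass(frozen=True)
class Endpoint:
    """One endpoint description as returned by the server's GetEndpoints."""
    url: str
    policy_uri: str
    mode: int


def policy_name(policy_uri: str) -> str:
    """Strip the common prefix, e.g. '...#Basic256' -> 'Basic256'."""
    if not policy_uri.startswith(POLICY_PREFIX):
        raise ValueError(f"not an OPC UA security policy URI: {policy_uri}")
    return policy_uri[len(POLICY_PREFIX):]


def meets_minimum(ep: Endpoint) -> bool:
    """True if the endpoint is at least Basic256 and at least Sign."""
    name = policy_name(ep.policy_uri)
    if name not in POLICY_RANK:
        return False  # unknown policy: do not assume it is strong enough
    strong_enough = POLICY_RANK.index(name) >= POLICY_RANK.index(MIN_POLICY)
    return strong_enough and ep.mode >= MIN_MODE


def select_endpoint(endpoints: Iterable[Endpoint]) -> Optional[Endpoint]:
    """Pick the strongest qualifying endpoint (assumed preference), or None."""
    ok = [ep for ep in endpoints if meets_minimum(ep)]
    if not ok:
        return None
    return max(ok, key=lambda ep: (POLICY_RANK.index(policy_name(ep.policy_uri)),
                                   ep.mode))


# Constructed sample of what a haul-off might advertise (not a real device).
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://hauloff.example:4840", POLICY_PREFIX + "None", MODE_NONE),
    Endpoint("opc.tcp://hauloff.example:4840", POLICY_PREFIX + "Basic128Rsa15",
             MODE_SIGN_AND_ENCRYPT),
    Endpoint("opc.tcp://hauloff.example:4840", POLICY_PREFIX + "Basic256", MODE_SIGN),
    Endpoint("opc.tcp://hauloff.example:4840", POLICY_PREFIX + "Basic256Sha256",
             MODE_SIGN_AND_ENCRYPT),
]

# --- Users and roles -------------------------------------------------------

STANDARD_ROLES = ("OPC40084", "OPC40084_read_only")
# Parameter names below are constructed; the specification defines the real set.
WRITABLE_BY_ROLE: Dict[str, Set[str]] = {
    "OPC40084": {"HaulOffSpeedSetpoint", "LineSpeedSetpoint"},
    "OPC40084_read_only": set(),
}
# Each standard user carries exactly its standard role and no other.
STANDARD_USERS: Dict[str, str] = {
    "OPC40084": "OPC40084",
    "OPC40084_read_only": "OPC40084_read_only",
}


def validate_role_name(role: str) -> bool:
    """Standard roles are allowed; a manufacturer role must not start with 'OPC40084'."""
    if role in STANDARD_ROLES:
        return True
    return not role.startswith("OPC40084")


def can_write(user: str, parameter: str,
              users: Dict[str, str] = STANDARD_USERS,
              table: Dict[str, Set[str]] = WRITABLE_BY_ROLE) -> bool:
    """Write is allowed only if the user's role lists the parameter as writeable."""
    role = users.get(user)
    if role is None:
        return False
    return parameter in table.get(role, set())


if __name__ == "__main__":
    chosen = select_endpoint(SAMPLE_ENDPOINTS)
    print("selected endpoint:", chosen)
    for user in STANDARD_USERS:
        print(user, "may write HaulOffSpeedSetpoint:",
              can_write(user, "HaulOffSpeedSetpoint"))
```

The ranking list is deliberately conservative: an endpoint whose policy URI is not in the list is rejected rather than accepted, so a misspelled or vendor-specific URI never silently passes the minimum check.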

NOTE: OPC UA also allows an anonymous token (e.g. for testing).