The standard definitions of the WoT Thing Description specification can be used to implicitly specify the endpoint security settings supported by the OPC UA server. Alternatively, an OPC UA specific scheme can be used to exchange explicit security knowledge.

The NoSecurityScheme can be used when the OPC UA server only supports one endpoint that is set up without security options (securityMode=None, securityPolicy=None). Typical use cases include demo setups of an OPC UA server or an OPC UA server that provides public and read-only UA attributes, e.g., for monitoring purposes on a dashboard.

In that case the WoT Thing Description should specify the NoSecurityScheme by the vocabulary term nosec (i.e., "scheme": "nosec").

The AutoSecurityScheme is recommended for showing implicit knowledge that an OPC UA server supports multiple endpoints with different configurations for the security mode (e.g., None, Sign, or SignAndEncrypt), the security policy (e.g., Basic256Sha256, Aes256_Sha256_RsaPss), and the supported user identity tokens (e.g., Anonymous, UserName, Certificate).

This reflects the default use case of an OPC UA Client-Server interaction during the OPC UA Session Establishment phase. The client must execute the OPC UA GetEndpoints service in order to select the desired (secured) endpoint to open the session with the OPC UA server. To indicate this, in the WoT Thing Description, the AutoSecurityScheme should be used with the term auto (i.e., "scheme": "auto").

Please note that login credentials such as passwords or certificates are not shared in WoT Thing Descriptions and must be provided separately, e.g., through a separate credential store or by an explicit prompt to the client to enter the credentials for the session.

The OPCUASecurityScheme is recommended for showing explicit knowledge in the WoT Thing Description that an OPC UA server supports one or multiple endpoints with different security configuration settings.

This reflects the use case where an OPC UA server specifies which security option(s) should be used by specific client(s) via the WoT Thing Description.

To indicate this in the WoT Thing Description, the OPCUASecurityChannelScheme should be used via the term uav:channelsec (i.e., "scheme": "uav:channelsec") and the OPCUASecurityAuthenticationScheme via the term uav:authentication (i.e., "scheme": "uav:authentication"). The ComboSecurityScheme from the WoT Thing Description 1.1 specification should be used to combine the schemes with allOf.

OPCUASecurityChannelScheme vocabulary terms (each entry gives the vocabulary term with its assignment and type, followed by its description):

uav:securityMode (required, string)
  Provides information about which modes are available from the supported endpoints of the OPC UA server:
  • None
  • Sign
  • SignAndEncrypt

uav:securityPolicy (required, string)
  Provides information about which policy options are available from the supported endpoints of the OPC UA server:
  • None
  • Basic256Sha256
  • Aes128_Sha256_RsaOaep
  • Aes256_Sha256_RsaPss
  Outdated (not recommended) policies:
  • Basic256
  • Basic128Rsa15

OPCUASecurityAuthenticationScheme vocabulary terms (each entry gives the vocabulary term with its assignment and type, followed by its description):

uav:userIdentityToken (required, string)
  Provides information about which user identity token types are available from the supported endpoints of the OPC UA server:
  • Anonymous
  • UserName
  • Certificate
  • IssuedToken

  As for the AutoSecurityScheme, login credentials such as user names and passwords or certificates are not shared in WoT Thing Descriptions and must be provided separately, e.g., through a separate credential store or by an explicit prompt to the client to enter the credentials for the session.

  In the case of IssuedToken there may be additional security schemes defined in the WoT Thing Description to describe an external authorization service such as OAuth2 (OAuth2SecurityScheme). To declare the combination of such a specific scheme with the OPCUASecurityScheme, the ComboSecurityScheme can be used with the term allOf (see the WoT Thing Description 1.1 specification for more details).

uav:issueToken (optional, string)
  Expresses a reference to a security scheme definition within the WoT Thing Description that should be applied for the issued token (e.g., OAuth2).

Examples:

[Figure image014.png: example Thing Description using the OPCUASecurityScheme; image not reproduced]

Example usage of OPCUASecurityScheme in combination with an external OAuth2 authorization service:

[Figure image015.png: example Thing Description combining the OPCUASecurityScheme with an OAuth2SecurityScheme; image not reproduced]

Note that the terms of the OAuth2 and combo schemes are defined in the W3C WoT Thing Description 1.1 specifications.
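As an added example that is not part of this binding document, the Python helper below shows how a WoT consumer could turn the explicit security knowledge of the schemes above, including the combo/allOf case, into an endpoint choice over a GetEndpoints result, refusing TDs that ask for an outdated policy and never downgrading to a weaker endpoint than the TD declares. The "uav" prefix, the TD fragment and the endpoint list are constructed assumptions for illustration.

```python
OUTDATED_POLICIES = {"Basic256", "Basic128Rsa15"}  # listed above as not recommended

# Constructed TD fragment using this section's vocabulary terms ("uav" prefix assumed).
TD = {
    "securityDefinitions": {
        "channel": {"scheme": "uav:channelsec", "uav:securityMode": "SignAndEncrypt", "uav:securityPolicy": "Basic256Sha256"},
        "auth": {"scheme": "uav:authentication", "uav:userIdentityToken": "UserName"},
        "both": {"scheme": "combo", "allOf": ["channel", "auth"]},
    },
    "security": "both",
}

P = "http://opcfoundation.org/UA/SecurityPolicy#"  # constructed GetEndpoints-style response follows
ENDPOINTS = [
    {"securityMode": "None", "securityPolicyUri": P + "None", "userIdentityTokens": ["Anonymous"]},
    {"securityMode": "SignAndEncrypt", "securityPolicyUri": P + "Basic256", "userIdentityTokens": ["UserName"]},
    {"securityMode": "SignAndEncrypt", "securityPolicyUri": P + "Basic256Sha256", "userIdentityTokens": ["UserName", "Certificate"]},
]

def resolve_schemes(td):
    """Flatten the TD's active security definition(s), expanding combo/allOf (oneOf not handled)."""
    defs, sec = td["securityDefinitions"], td["security"]
    pending, flat = (list(sec) if isinstance(sec, list) else [sec]), []
    while pending:
        d = defs[pending.pop(0)]
        if d["scheme"] == "combo":
            pending = list(d.get("allOf", [])) + pending
        else:
            flat.append(d)
    return flat

def select_endpoint(td, endpoints):
    """Return the first endpoint meeting every TD requirement, or None; never picks a weaker one."""
    need = {}
    for s in resolve_schemes(td):
        if s["scheme"] == "nosec":
            need.update(mode="None", policy="None")
        elif s["scheme"] == "uav:channelsec":
            need.update(mode=s["uav:securityMode"], policy=s["uav:securityPolicy"])
        elif s["scheme"] == "uav:authentication":
            need["token"] = s["uav:userIdentityToken"]
        else:  # e.g. "auto": the client must run GetEndpoints and choose for itself
            raise ValueError(f"scheme {s['scheme']!r} is not resolved by this helper")
    if need.get("policy") in OUTDATED_POLICIES:
        raise ValueError(f"TD requests outdated policy {need['policy']}")
    for ep in endpoints:
        policy = ep["securityPolicyUri"].rsplit("#", 1)[-1]  # URI fragment is the policy name
        mode_ok = "mode" not in need or (ep["securityMode"], policy) == (need["mode"], need["policy"])
        if mode_ok and ("token" not in need or need["token"] in ep["userIdentityTokens"]):
            return ep
    return None
```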