Search

Scope: Core (OPC-10000-*) All specs

82 result(s) for Applications

OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts

3.2 Specification parts

Security Model Part 2 describes the model for securing interactions between OPC UA Applications . Part 3 ( OPC 10000-3 ) - Address Space Model Part 3 describes the contents and structure ... Profiles Part 7 specifies the Profiles that are available for OPC UA Applications. These Profiles provide groupings of functionality that can be used for conformance level certification. OPC UA Applications
OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts

5.7.1 General

decentralized and is mostly concerned with the standardization of the independent interactions between UA Applications (i.e. between Clients and Servers and between Publishers and Subscribers ). However, as the number ... Applications in a given system grows, there are advantages to having some information centralized and interactions that are uniform among all Applications in a system. For example, if a system
OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts

5.7.3 Certificate management

Certificate management OPC UA Applications rely on Digital ( X.509 ) Certificates as the basis for trust. In systems it is highly desirable to assign and manage the Certificates used ... Applications centrally as they all need periodic maintenance (e.g., updates to trust lists and revocation lists, Certificate renewals, etc.). OPC 10000-12 describes the centralize Certificate management services
OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts

5.7.4 KeyCredential management

KeyCredential management Some OPC UA Applications may need to access external entities (e.g. authorization services, Brokers , etc.) that require an identifier and a secret (called a "key credential
OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts

5.7.5 Authorization services

Authorization services The authorization services described in OPC 10000-12 allows OPC UA Applications to delegate the user authentication, user management and the assignment of users to roles
OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts

5.7.6 Device Onboarding

devices to be allowed to communicate on the network so that OPC UA Applications can be installed, updated, and provisioned with Certificates over the network
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model

4.1 OPC UA security environment

composite that shows a combination of such environments. Some OPC UA Applications are on the same host and can be easily protected from external attack. Some OPC UA Applications ... security boundary protections that separate the operations network from external connections. Some OPC UA Applications run in relatively open environments where users and applications could be difficult to control. Other
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model

4.4 OPC UA relationship to site security

specification. OPC UA specifies features that are intended so that conformant OPC UA Applications can meet the security requirements that are expected to be made by sites where they will ... site requirements with OPC UA conformant products. The system owner that installs OPC UA Applications should analyse its security risks and provide appropriate mechanisms to mitigate those risks to achieve
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model

4.7 Security Profiles

supports. These security policies are included in certification testing associated with OPC UA Applications . The certification testing ensures that the standard is followed and that the appropriate security algorithms ... supported. Each security mechanism in OPC UA is provided in OPC UA Applications in accordance with the Profiles with which the OPC UA Application complies. At the site, however
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model

4.11 User Authorization

provides user authorization based on the authenticated user (see 4.9 ). OPC UA Applications can determine in their own way what data is accessible and what operations are authorized or they
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model

5.1.2.4 Application Crashes

Application Crashes OPC UA provides certification of OPC UA Applications . The lab testing and certification includes testing by injecting error and junk commands which could discover common faults. OPC Foundation
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model

5.1.7 Malformed Messages

Malformed Messages See 4.3.7 for a description of this threat. Implementations of OPC UA Applications counter threats of malformed Message s by checking that Message s have the proper form
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model

7.3 Multicast Discovery

from Rogue Servers can be minimized if OPC UA security is enabled and all applications use certificate TrustLists to control access. Also, Clients should cache connection information, minimizing the lookup ... disabled in environments where an attacker can easily access the network. OPC UA Applications (or Discovery Servers ) are built to ensure that they cannot be overloaded or brought down
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model

9.1 Overview

Overview OPC UA Applications typically have ApplicationInstanceCertificates to provide application-level security. They are used for establishing a secure connection using Asymmetric Cryptography. These ApplicationInstanceCertificates are Certificates which are X.509 ... Application will have a list of trusted Public Keys that represent the applications it trusts. The Private Key and the list of trusted Public Keys are stored either
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model

9.4.2 Certificate management for developers

ApplicationInstanceCertificate which it uses to identify itself when connecting to other OPC UA Applications (the Public Key and Private Key ). Each ApplicationInstance has a globally unique URI which identifies ... Application will communicate using a SecureChannel established using Asymmetric Cryptography with other applications. Administrator - The person or persons that administer the Certificate handling associated with a UA system and manage
OPC-10000-4 – OPC Unified Architecture - Part 4: Services

5.6.1 Overview

example, an OPC UA Server may be built on a stack that allows applications to establish a SecureChannel using HTTPS. In these cases, the OPC UA Application shall verify that ... illustrated in Figure 13 . The Communication Stack is used by the OPC UA Applications to exchange Messages . In the first step, the SecureChannel Services are used to establish a SecureChannel
OPC-10000-4 – OPC Unified Architecture - Part 4: Services

5.10 Query Service Set

version 1.05.06 because the Service Set has not been adopted by OPC UA Applications . See Annex B for an informative description
OPC-10000-4 – OPC Unified Architecture - Part 4: Services

6.1.1 Overview

This clause describes a number of important security-related procedures that OPC UA Applications shall follow
OPC-10000-4 – OPC Unified Architecture - Part 4: Services

6.1.2 Obtaining and installing an ApplicationInstanceCertificate

Obtaining and installing an ApplicationInstanceCertificate All OPC UA Applications require an ApplicationInstanceCertificate which shall contain the following information: The network name or address of the computer where the application runs ... Application . OPC UA defines interfaces and workflows to register OPC UA Applications with a central discovery service and to execute the interaction necessary with a CertificateManager to issue the initial
OPC-10000-4 – OPC Unified Architecture - Part 4: Services

6.1.3 Determining if a Certificate is trusted

Determining if a Certificate is trusted Applications shall never communicate with another application that they do not trust. An Application decides if another application is trusted by checking whether ... application is trusted. A Certificate is only trusted if its chain can be validated. Applications shall rely on lists of Certificates provided by the Administrator to determine trust. There
OPC-10000-4 – OPC Unified Architecture - Part 4: Services

6.1.7 Continuous security checks

shall be executed every time the SecurityToken is renewed for a SecureChannel . OPC UA Applications may do additional verifications between SecurityToken renews e.g. if the TrustList is updated from
OPC-10000-4 – OPC Unified Architecture - Part 4: Services

7.35 SessionAuthenticationToken

secret form of the sessionId for internal use in the Client and Server Applications . The SessionAuthenticationToken is a subtype of NodeId . A Server returns a SessionAuthenticationToken in the CreateSession response ... define additional requirements for a ByteString SessionAuthenticationToken. Client and Server applications should be written to be independent of the SecureChannel implementation. Therefore, they should always treat the SessionAuthenticationToken as secret
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings

F.12 DataTypeDefinition

values. This list does not include fields inherited from a base DataType . When Applications ingest a UANodeSet they follow the HasSubtype References between DataType Nodes to collect
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

3.1.1 CertificateManager

CertificateManager a software application that manages the Certificates used by Applications in an administrative domain
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

3.1.6 DiscoveryServer

DiscoveryServer an application that maintains a list of OPC UA Applications that are available on the network and provides mechanisms for other OPC UA Applications to obtain this list
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

4.2.2 Hosts with a LocalDiscoveryServer

Hosts with a LocalDiscoveryServer Applications register themselves with the LDS on the same host if they wish to be discovered. The registration ensures that the applications are visible for local ... Standard ( OPC 10000-4 ) defines a RegisterServer2 Service which provides additional registration information. All Applications and LocalDiscoveryServer shall support the RegisterServer2 Service and, for backwards compatibility, the older RegisterServer Service
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

5.2 Security Considerations for Multicast DNS

Multicast DNS The Multicast DNS ( mDNS ) specification is used for various commercial and consumer applications. This provides a benefit in that implementations exist; however, system administrators could choose to disable ... Multicast DNS operations. For this reason, Applications shall not rely on Multicast DNS Capabilities. Multicast DNS operations are insecure because of their nature; therefore, they should be disabled in environments
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

6.5.3 DirectoryType

information that can be accessed into subfolders It also provides methods that allow applications to register or find applications. It is defined in Table 5 . Table 5 - DirectoryType Definition Attribute ... Subtype of the 0: FolderType defined in OPC 10000-5 . 0:HasComponent Object 2:Applications - 0:FolderType Mandatory 0:HasComponent Method 2:FindApplications Defined in 6.5.4 . Mandatory 0:HasComponent Method
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

6.5.4 FindApplications

find the ApplicationId for an approved OPC UA Application (see 6.5.6 ). The returned applications array shall be of size 1 or 0. If the returned array is null or zero ... have an entry for the ApplicationUri . Signature FindApplications( [in] String ApplicationUri [out] ApplicationRecordDataType[] Applications ); Argument Description ApplicationUri The ApplicationUri that identifies the application of interest. Applications A list of application
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

6.5.10 QueryApplications

results returned may be restricted based on the Client's user credentials. The applications returned shall pass all of the filters provided (i.e. the filters are combined ... String ProductUri [in] String[] Capabilities [out] UtcTime LastCounterResetTime [out] UInt32 NextRecordId [out] ApplicationDescription[] Applications ); Argument Description INPUTS StartingRecordId Only records with an identifier greater than this number will be returned
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

6.5.11 QueryServers (deprecated)

QueryServers (deprecated) QueryServers is used to find Server applications that meet the specified filters. Any Client is able to call this Method , however, the set of results returned ... restricted based on the Client's user credentials. The applications returned shall pass all of the filters provided (i.e. the filters are combined in an AND operation). The ServerCapabilities parameter
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.5 Application Setup

Client into a system in which a GDS is available and managing Certificates . Applications using a Client interface can be setup using the PullManagement . Applications using a Server interface ... Certificate when they first start. They may also have a pre-configured TrustList with Applications that are allowed to setup the Server . For example, a machine vendor
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.6 Pull Management Workflow

establish the connection. Application authentication is used by the CertificateManager to allow OPC UA Applications to access the necessary resources to update themselves using the ApplicationSelfAdmin Privilege . Required information ... CertificateManager . Each Method call requires its own CSR. As alternative for OPC UA Applications who do not have access to a cryptographically sufficient entropy source, the Method StartNewKeyPairRequest
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.3.1 CertificateGroupType

AddressSpace . A CertificateManager can have many CertificateGroups which manage CertificateTypes and TrustLists for the applications in the system. A Server has one or more C ertificateGroups which specify the CertificateTypes ... CertificateTypes Property specifies the NodeIds of the CertificateTypes which may be assigned to applications which belong to the CertificateGroup . For example, a CertificateGroup with the NodeId of RsaMinApplicationCertificateType
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.3.3 CertificateGroupFolderType

Global Certificate and TrustList Management The DefaultApplicationGroup Object represents the default CertificateGroup for Applications . It is used to access the default application TrustList and to define the CertificateTypes allowed ... Certificates used by the application when communicating with peers: For OPC UA Applications and CertificateManagers these CertificateTypes specify what is allowed for ApplicationInstance Certificates . They shall specify one or more
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.4.8 RsaMinApplicationCertificateType

ApplicationInstanceCertificate . They shall have an RSA key size of 1024 or 2048 bits. All Applications which support the Basic128Rsa15 and Basic256 profiles (see OPC 10000-7 ) shall have a Certificate
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.4.9 RsaSha256ApplicationCertificateType

They shall have an RSA key size of 2048, 3072 or 4096 bits. All Applications which support the Basic256Sha256 profile (see OPC 10000-7 ) shall have a Certificate of this
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.4.10 EccApplicationCertificateType

Certificates intended for use as an ApplicationInstanceCertificate . They shall have an ECC Public Key . Applications which support the ECC profiles (see OPC 10000-7 ) shall have a Certificate of this
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.4.11 EccNistP256ApplicationCertificateType

intended for use as an ApplicationInstanceCertificate . They shall have an ECC nistP256 Public Key . Applications which support the ECC NIST P256 curve profiles (see OPC 10000-7 ) shall have
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.4.12 EccNistP384ApplicationCertificateType

intended for use as an ApplicationInstanceCertificate . They shall have an ECC nistP384 Public Key . Applications which support the ECC NIST P384 curve profiles (see OPC 10000-7 ) shall have
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.4.13 EccBrainpoolP256r1ApplicationCertificateType

intended for use as an ApplicationInstanceCertificate . They shall have an ECC brainpoolP256r1 Public Key . Applications which support the ECC brainpoolP256r1 curve profiles (see OPC 10000-7 ) shall have a Certificate
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.4.14 EccBrainpoolP384r1ApplicationCertificateType

intended for use as an ApplicationInstanceCertificate . They shall have an ECC brainpoolP384r1 Public Key . Applications which support the ECC brainpoolP384r1 curve profiles (see OPC 10000-7 ) shall have a Certificate
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.4.15 EccCurve25519ApplicationCertificateType

intended for use as an ApplicationInstanceCertificate . They shall have an ECC curve25519 Public Key . Applications which support the ECC curve25519 curve profiles (see OPC 10000-7 ) shall have a Certificate
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

7.8.4.16 EccCurve448ApplicationCertificateType

intended for use as an ApplicationInstanceCertificate . They shall have an ECC curve448 Public Key . Applications which support the ECC curve448 curve profiles (see OPC 10000-7 ) shall have a Certificate
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

Annex D Server Capability Identifiers (Normative)

trigger an update to this document. Application developers shall always use the linked CSV. Applications that support the PUB capability can send PubSub Messages but may not support the PubSub ... information model. Client applications that support the RCP capability allow Servers to connect, however, they do not support GetEndpoints Service
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

F.1 Certificate Store Directory Layout

Certificate Store Directory Layout A recommended directory layout for Applications that store their Certificates on a file system is shown in Table . The Local Discovery Server shall use this structure ... OpenSSL PEM format is not formally defined and should only be used by applications which use the OpenSSL libraries to implement security. Other private key formats may exist. The base
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

G.1 Application Setup with PullManagement

Application Setup with PullManagement Applications that use PullManagement (see 7.3 ) to setup their configuration shall know the location of the CertificateManager which they can use to request Certificates and download ... connect even if it has not been pre-configured to trust the CertificateManager, however, Applications should not provide any secret information to a CertificateManager that is not trusted. After establishing
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services

G.3 Setting Permissions

that use hardware to protect the Private Key . In addition to the Private Key , Applications shall be protected from unauthorized updates to their TrustList . This can also be done ... anyone who is not using an account authorized to administer the application. Finally, Applications may depend on one or more configuration files and/or databases which tell them where their TrustList
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

1 Scope

messages and transport protocols, and a PubSub configuration model. Not all OPC UA Applications will need to implement all defined message and transport protocol mappings. OPC 10000-7 defines
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

4.1 Fields of application

Fields of application In PubSub the participating OPC UA Applications with their roles as Publishers and Subscribers are decoupled. The number of Subscribers receiving data from a Publisher does ... influence the Publisher . This makes PubSub suitable for applications where location independence and/or scalability are required. The following are some example uses for PubSub : Configurable peer-to-peer communication between
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

4.3 Decoupling by use of middleware

Decoupling by use of middleware In PubSub the participating OPC UA Applications can assume the roles Publisher and Subscriber . Publishers are the sources of data, while Subscribers consume that data
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

5.4.6.2.2 Broker-less model with OPC UA UDP

Broker-less model with OPC UA UDP Figure 15 depicts the applications, entities and messages involved in peer-to-peer communication using UDP as a protocol that does not require ... DataSetMessages are sent in a NetworkMessage to the IP multicast address. OPC UA Applications like HMI applications would use the values of the DataSetMessage that they are interested
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

5.4.6.4 QoS configuration

configuration OPC UA Applications may demand Quality of Service (QoS) for the transport of NetworkMessages . These QoS requirements have to be fulfilled by the broker-less Message Oriented Middleware ... Figure 18 - Message Oriented Middleware providing QoS QoS requirements of an OPC UA Applications shall be configurable with OPC UA means and without dependencies to the underlying network technology. Hiding
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

6.2.3.1 Overview

published events for acyclic DataSets as defined in 6.2.3.8 . OPC UA Applications can provide PublishedDataSets where the information source is application specific. The custom PublishedDataSet source DataType defined
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

6.2.3.9.2 PublishedDataSetCustomSourceDataType

used directly if no further information is exposed for the source. OPC UA Applications shall use DataTypes derived from PublishedDataSetSourceDataType if they want to provide custom information about the source
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

7.3.2.2 UDP multicast and broadcast

essential in order to create well-functioning OPC UA Application networks. OPC UA Applications shall issue an IGMP membership report message (V1, V2 or V3 as appropriate) for IPv4
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

8.8 Security Key Service Roles

different SecurityGroups . SecurityKeyServerPush This Role allows an SKS to push security keys to PubSub Applications . This includes executing methods related to PubSub security
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

C.1 Overview

Overview OPC UA Applications represent software or devices that provide information to other OPC UA Applications or consume information from other OPC UA Applications . Annex C contrasts the Subscription functionality
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub

C.3 Publish-Subscribe

Publish-Subscribe With PubSub , OPC UA Applications do not directly exchange requests and responses. Instead, Publishers send messages to a Message Oriented Middleware , without knowledge of what, if any, Subscribers
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security

4.4.1 RoleType definition

Variable Identities IdentityMapping RuleType [] PropertyType Mandatory HasProperty Variable ApplicationsExclude Boolean PropertyType Optional HasProperty Variable Applications String [] PropertyType Optional HasProperty Variable EndpointsExclude Boolean PropertyType Optional HasProperty Variable Endpoints EndpointType [] PropertyType Optional ... corresponding Method calls. The CurrentWrite bit of the AccessLevel Attribute for the Properties Identities , Applications and Endpoints shall be FALSE. If the configuration of a Role is changed, the Role
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

3.1.1 Application

Application a program that runs on a Device and communicates with other Applications on the network. Note 1 to entry: Each Application has an identifier that is unique within
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

4.1 Device Lifecycle

network. A Device has a unique identifier and may have one or more Applications (see 3.1.4 ). Composite A collection of Devices or Composites assembled into a single unit. Each Composite ... runs on a Device . Each Application has a unique identifier and communicates with other Applications on the network (see 3.1.1 ). OwnerOperator An organization deploying and operating a system that comprises
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

4.2.2 Firmware and Applications

Firmware and Applications Every Device has multiple layers of hardware and software that are installed and managed at different stages in the lifecycle by different actors. The layers are shown ... Device Configuration Application (DCA) which is used for Device authentication and setup of other Applications on the Device . A Device may have storage used for Applications and their configuration
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

4.2.4 Trust on First Use (TOFU)

Once the onboarding process completes the DCA is supplied with credentials that authorize Applications that are allowed to make changes to its security configuration. Devices should have a mechanism ... network. OwnerOperators should also have network services designed to detect and eliminate malicious applications that attempt to interfere with the onboarding process. Devices may have other ways to assign
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

4.2.6 Roles and Privileges

Client is a DCA that has rights to request Certificates and TrustLists for Applications that it has been granted rights to. For a detailed description of Roles
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

4.3.2 Onboarding

issued a Certificate by the Registrar that allows the DCA to configure other Applications running on the Device . The Registrar is responsible for determining if a DCA is authorized ... behalf a specific Application . For example, the DCA rights may be limited to Applications with the same hostname as the DCA. During Onboarding , the Device may need to have software
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

4.3.3 Application Setup

process of issuing an Application Instance Certificate and a TrustList to one or more Applications running on a Device that will allow the Applications to communicate with other ... Applications running on the network. These mechanisms are provided by the CertificateManager Information Model and are described in OPC 10000-12 . During the Onboarding step, the DCA is issued
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

4.3.4 Configuration

Configuration Configuration occurs when the Applications running on the Device are installed, modified, backed up or restored. Configuration is also the mode that allows a new Device to be dropped ... existing Device that is no longer functioning. Some Devices may allow individual Applications to be configured while other Applications continue in Operation state described
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

4.3.5 Operation

Operation Operation occurs when one or more Applications on a Device are running normally performing whatever task it was deployed to do. In this stage it is possible to update
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

5.3 Composite Identity

these Devices are also visible on an external network and have one or more Applications that need to be provisioned. Composites are an abstraction on a network and can only ... external network it may be necessary to install and re-provision some of the Applications on each externally visible Device . This requires that additional Trust Lists be provided
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

6.3 Authentication

lifespan and a CA which is managed by the OwnerOperator . This Certificate allows all Applications running on the Device to automatically be onboarded and configured without human intervention. When ... configuration application that acts on behalf of those agents. The CertificateManager shall restrict the Applications that a DCA is permitted to manage. A simple restriction would limit Certificate Requests
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

7.1 Overview

which will allow the DCA to be used to provision the other Applications running on the Device. This Certificate is called the DCA Certificate . When using PullManagement ... Application Instance Certificate which will allow the DCA to provision the other Applications running on the Device. The DCA Application Instance Certificate cannot be used for any action other than
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

7.2 Pull Management

expectation is the Registrar and the CertificateManager share a common backend so Certificates and Applications created via the Registrar will be known to the CertificateManager . In some cases, the Registrar ... Figure 5 . Figure 5 - Requesting Certificates using Pull Management The DCA registers all Applications it intends to manage with the Registrar which verifies that the DCA is authorized to manage
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

7.3 Push Management

CertificateManager will be able to push Application Instance Certificates and TrustLists for all Applications exposed via an ApplicationConfiguration Object (see Figure 7 ) in the DCA AddressSpace . This process is shown ... normal Application Instance Certificate to the DCA that cannot be used to configure other Applications
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

7.4.1 Overview

responsibility of the alternate mechanism to issue and renew Application Instance Certificates to all Applications running on the Device and to maintain their Trust Lists . In other cases, the alternate ... Registrar to get permission to request Certificates and TrustLists on behalf of those Applications . The location of the CertificateManager is returned by the GetManagers Method
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

9.2.2 DeviceRegistrarType

complete the onboarding process. The RegisterManagedApplication Method allows the DCA to register Applications that it needs to manage with the Registrar . The Administration Object allows an administration Client to manage
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

9.3.1 Overview

network. It is updated by the Registrar when the Device Authentication process completes. The Applications that may be configured via the Server are components of the ProvisionableDevice Object . They ... configured via the ServerConfiguration Object. Some DCAs may choose to have CertificateGroups for individual Applications organized by the CertificateGroups Folder in the ServerConfiguration Object. In these cases, DCAs shall
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding

9.3.3 ProvisionableDeviceType

Instance Certificate (i.e., it cannot be used to access the security configuration for different Applications ). A ProvisionableDevice shall not have any ApplicationConfiguration components if IsSingleton is TRUE. The RequestTickets Method
OPC-10000-26 – Part 26: LogObject - Part 26: LogObject Model

5.9 Relationships between LogRecords - A LogRecord Hierarchy

provides an illustration of the LogRecords that could result from calls between two Applications that include TraceContext information. The first line is each table is a list of the fields
OPC-10000-100 – OPC Unified Architecture - Part 100: Devices

7.1 Overview

TopologyElement (clause 4.3 ) and the Network (clause 5.3 ). By default, a lock allows other Applications to view (navigate/read) the locked element. However, Servers can choose to implement an exclusive locking ... where other Applications have no access at all (e.g. in cases where even read operations require certain settings to Variables
OPC-10000-100 – OPC Unified Architecture - Part 100: Devices

7.2 LockingServices Type

some Application and that no or just limited access is available for other Applications . When the lock is initiated by a Client, LockingClient contains the ApplicationUri of the Client
OPC-10000-100 – OPC Unified Architecture - Part 100: Devices

7.5 InitLock Method

InitLock Method InitLock restricts access for other UA Applications . A call of this Method for an element that is already locked will be rejected. While locked, requests from other Applications ... navigate will typically work. Servers can choose to implement an exclusive locking where other Applications have no access at all. The lock is removed when ExitLock is called