Search

200 result(s) for Client

• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.7 Client
  Client software application that sends Messages to OPC UA Servers conforming to the Services specified in this set of specifications
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.14 Discovery
  Discovery process by which Client obtains information about Server s, including endpoint and security information
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.16 EventNotifier
  EventNotifier special Attribute of a Node that signifies that a Client may subscribe to that particular Node to receive Notifications of Event occurrences
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.18 Message
  Message data unit conveyed between Client and Server that represents a specific Service request or response
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.21 MonitoredItem
  MonitoredItem Client -defined entity in the Server used to monitor Attributes or EventNotifiers for new values or Event occurrences and that generates Notifications for them
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.30 OPC UA Application
  Application Client , which calls OPC UA Services , or a Server , which performs those Services , or an OPC UA Publisher or an OPC UA Subscriber
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.32 Program
  started, and then returns intermediate and final results through Subscriptions identified by the Client during invocation
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.37 Secure Channel
  Secure Channel in OPC UA, a communication path established between an OPC UA Client and Server that have authenticated each other using certain OPC UA services and for which security
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.39 Service
  Service Client -callable operation in a Server Note 1 to entry:  Services are defined in OPC 10000-4 . A Service is similar to a method call in a programming language
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.41 Session
  Session logical long-running connection between a Client and a Server. Note 1 to entry: A Session maintains state information between Service calls from the Client to the Server
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.43 Subscription
  Subscription Client -defined endpoint in the Server, used to return Notifications to the Client Note 1 to entry:  Subscription is a generic term that describes a set of Nodes selected ... Client (1) that the Server periodically monitors for the existence of some condition, and (2) for which the Server sends Notifications to the Client when the condition is detected
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.46 View
  View specific subset of the AddressSpace that is of interest to the Client
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  4.4.1.3 Auditing
  Auditing OPC UA includes support for security audit trails with traceability between Client and Server audit logs. If a security-related problem is detected at the Server , the associated Client
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  4.4.2 Integrated AddressSpace model
  defined in OPC 10000-3 . Servers may subset the AddressSpace into Views to simplify Client access. Subclause 5.3.4.3 describes AddressSpace Views in more detail
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  4.5 Sessions
  these protocols do not automatically cause the Session to terminate. Sessions terminate based on Client or Server request, or based on inactivity of the Client . The inactivity time interval
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  5.1 ClientServer overview
  Servers as interacting partners. Each system may contain multiple Clients and Servers . Each Client may interact concurrently with one or more Servers , and each Server may interact concurrently with ... invoke Services , and receive Events from Servers . An application can embody both Server and Client functionalities, allowing it to exchange information with other Servers and Clients as described
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  5.2 OPC UA Clients
  Clients The OPC UA Client architecture models the Client endpoint of ClientServer interactions. Figure 3 illustrates the major elements of a typical Client and how they relate to each other ... Figure 3 - OPC UA Client architecture The Client Application utilizes a Client API to initiate OPC UA Service requests and receive responses from Servers . The Communication Stack handles the conversion
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  5.3.4.3 AddressSpace Views
  used to restrict the Node s that the Server makes visible to the Client , thus restricting the size of the AddressSpace for the Service requests submitted by the Client
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  5.3.5.1 MonitoredItems
  MonitoredItems MonitoredItems are entities in the Server created by the Client that monitor AddressSpace Node s and, indirectly, their real-world counterparts. When they detect a data change ... event/alarm occurrence, they generate a Notification that is transferred to the Client by a Subscription
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  5.3.6.2 Request/response Services
  Request/response Services Request/response Services are Services invoked by the Client through the OPC UA Service Interface to perform a specific task on one or more Node s in the AddressSpace
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  5.3.7 Server to Server interactions
  interactions in the ClientServer model are interactions in which one Server acts as a Client of another Server . Server to Server interactions allow for the development of servers that: exchange
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  5.4 Redundancy
  used for high availability, fault tolerance and load balancing. OPC 10000-4 formally defines Client , Server and Network Redundancy . Whether and what Redundancy is supported by an OPC UA Application ... defined by its Profiles . Profiles are described in OPC 10000-7 . Required Client and Server behaviours are associated with two distinct modes of Server Redundancy , transparent and non-transparent
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  5.6 Synergy of models
  used for efficient, high-speed dissemination of real-time data. For instance, a Client application might use ClientServer to configure a Server and set up PubSub connections. Subsequently, the Server/Publisher ... will be a Server (the owner of information) and a Subscriber is often a Client . Above all, the PubSub Information Model for configuration promotes the configuration of Publishers and Subscribers
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  5.7.2 Discovery Services
  Services enable OPC UA Applications to locate other OPC UA Applications. For example, a Client application can use a Local Discovery Server (LDS) to find Servers on the local network ... Discovery Server (GDS) might be used to discover Servers across different network segments. The Client sends a Discovery request, and the Discovery Server responds with a list of available Servers
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  6.3 SecureChannel Service Set
  communication stacks. A SecureChannel is a long-running logical connection between a single Client and a single Server . This channel maintains a set of keys that are known only ... Client and Server and that are used to authenticate and encrypt Messages sent across the network. The SecureChannel Services allow the Client and Server to securely negotiate the keys
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  6.6 View Service Set
  entire AddressSpace . Future versions of this specification may also define Services to create Client defined Views . The View Service Set allows Clients to discover Node s in a View
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  6.9 MonitoredItem Service Set
  MonitoredItem Service Set The MonitoredItem Service Set is used by the Client to create and maintain MonitoredItems . MonitoredItems monitor Variables , Attributes and EventNotifiers . They generate Notifications when they detect certain ... item to monitor and the Subscription to use to periodically publish Notifications to the Client (see 6.10 ). Each MonitoredItem also specifies the rate at which the item
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  6.10 Subscription Service Set
  Subscription Service Set The Subscription Service Set is used by the Client to create and maintain Subscriptions . Subscriptions are entities that periodically publish NotificationMessages for the MonitoredItem assigned to them ... Attributes , and EventNotifiers ). Once created, the existence of a Subscription is independent of the Client's Session with the Server . This allows one Client to create a Subscription
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  3.1.1 AccessRestriction
  Note 1 to entry: Operations can only be performed on a Node if the Client has the necessary Permissions and has satisfied all of the AccessRestrictions
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  3.1.12 Authentication
  Authentication process that assures that the identity of an entity such as a Client , Server , Publisher or user can be verified
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  3.1.40 Role
  Role function assumed by a Client when it accesses a Server Note 1 to entry: A Role could refer to a specific job function such as operator or engineer
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  3.1.41 SecureChannel
  communication channel that ensures the confidentiality and/or integrity of all messages exchanged between a Client and a Server Note 1 to entry: If the security policy is None, then confidentiality
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.1 OPC UA security environment
  that could require different levels of security and different security infrastructure. For example, both Client - Server and Publisher - Subscriber communication is shown in Figure 1 . OPC UA also defines global
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.2.1 Overview
  objectives against the OPC UA functions. Clause 6 offers additional best practice guidelines to Client and Server developers or those that deploy OPC UA Application
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.2.3 Authorization
  system. Authorization can be as coarse-grained as allowing or disallowing a Client to access a Server or it could be much finer grained such as allowing specific actions
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.2.2 Message flooding
  Message flooding For Client - Server , an attacker can send a large volume of Message s, or a single Message that contains a large number of requests, with the goal ... layers including OPC UA, HTTP or TCP. Message flooding attacks can also target a Client , although this is less of a risk, since the Client chooses who to connect
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.2.3 Resource Exhaustion
  typically valid, but they each use up a resource resulting in a single Client obtaining all resources blocking valid Clients from accessing the Server . For example, on a Server ... which only 10 Sessions are available a malicious person using a legitimate Client, could obtain all 10 Sessions . Or a malicious Client could try to open 10 SecureChannel s, without
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.2.4 Application Crashes
  known problem in a stack or application. These system bugs can allow a Client to issue a command that would cause the Server to crash, as an alternate it could ... that can respond to a legitimate message with a response that would cause the Client to crash. The attacker could also be a Publisher that issues a Message that would
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.3 Eavesdropping
  record and capture Message s. It could be beyond the capability of a Client or Server to recover from a compromised operating system. Eavesdropping impacts Confidentiality directly and if session
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.4 Message spoofing
  feigning identities (user, application, process etc.). An attacker could forge Message s from a Client or a Server or a Publisher where the messages are forged to attempt to appear ... occur at multiple layers in the protocol stack. By spoofing Message s from a Client, a Server or Publisher , attackers can perform unauthorized operations and avoid detection of their activities
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.5 Message alteration
  application layer Message s could be captured or modified and forwarded to OPC UA Client s, Servers, and Subscribers . Message alteration could allow illegitimate access to a system. Message alteration
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.6 Message replay
  valid application layer Message s could be captured and resent to OPC UA Client s, Servers and Subscribers at a later stage without modification. An attacker could misinform the user
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.7 Malformed Messages
  malformed XML, UA Binary, etc.) or data values, and send them to OPC UA Client s, Servers or Subscribers . The OPC UA Client , Server or Subscriber could incorrectly handle certain
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.8 Server profiling
  tries to deduce the identity, type, software version, or vendor of the Server or Client in order to apply knowledge about specific vulnerabilities of that product to mount a more
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.10 Rogue Server
  simply appear as a new Server in the system. The OPC Client could disclose confidential information. A rogue Server impacts all security objectives except Integrity and Non-Repudiation
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.16 Message suppression
  other manners. Messages could be blocked in either direction i.e. messages originating from a Client or originating from a Server. Message suppression impacts Integrity and Availability
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.17 Downgrade Attack
  Downgrade Attack An attacker could attempt to fool a Client into using a less secure connection or deprecated security policy. This could be attempted by modifying a Discovery response
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.5.1 Overview
  security objectives are addressed at different levels. The OPC UA security architecture, for Client / Server communication is structured in an Application Layer and a Communication Layer atop the Transport Layer ... shown in Figure 2 . Figure 2 - OPC UA security architecture - Client / Server OPC UA also supports a Publish - Subscribe communications architecture ( PubSub ) and the security architecture for that communication
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.5.2.1 Overview
  Overview Client / Server communication can include both Session and session-less communication. Security in part is provided by the application or by the communications layers. It can also utilize transport
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.5.2.2 Session application layer
  Session application layer The routine work of a Client application and a Server application to transmit information, settings, and commands is done in a Session in the Application Layer ... SecureChannel breaks, the Session will remain valid for a period of time allowing the Client to re-establish the connection to the Session via a new SecureChannel. Otherwise, the Session
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.5.2.3 Session communication layer
  establish a SecureChannel (see 4.13 ) that is used to secure the communication between a Client and a Server . The SecureChannel provides encryption to maintain Confidentiality , Message Signature s to maintain
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.5.3.2 Broker-less
  additional details). The SKS makes use of the standard Client / Server security described in 4.5.2 to establish application Authentication as well as user Authentication . This approach allows all applications ( Publishers ... interact with an SKS. The SKS can push keys to a Server and a Client can pull keys from the SKS. See OPC 10000-14 for more details
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.6 SecurityPolicies
  used by the Server to announce which mechanisms it supports and by the Client to select which one to use with the SecureChannel it wishes to open ... mechanisms and policy announcement strategies can be found in OPC 10000-12 . In the Client Server communications pattern, each Client can select a policy independent of the policy selected
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.7 Security Profiles
  Security Profiles OPC UA Client and Server products are certified against Profiles that are described in OPC 10000-7 . Some of the Profiles specify security functions and others specify other
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.9 User Authentication
  User Authentication User Authentication is achieved when the Client passes user credentials to the Server as specified via Session Services (described in OPC 10000-4 ). The Server can authenticate
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.13 OPC UA security related Services
  that are used for applying various security mechanisms to communication between OPC UA Client s and Server s. OPC 10000-4 provides an overview of security in the "Service ... Service Set (specified in OPC 10000-4 ) defines services used by an OPC UA Client to obtain information about the security policies (see 4.6 ) and the Certificate s of specific
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.14.1 General
  General Client s and Servers generate audit records of successful and unsuccessful connection attempts, results of security option negotiations, configuration changes, system changes, user interactions and Session rejections ... support for security audit trails through two mechanisms. First, it provides for traceability between Client and Server audit logs. The Client generates an audit log entry for an operation that
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.14.2 Single Client and Server
  Single Client and Server Figure 7 illustrates the simple case of a Client communicating with a Server . Figure 7 - Simple Servers In this case, OPC Client "A" executes ... contains its own Auditing information. It also includes the name of the Client that issued the service request and the Client audit entry id received in the request. Using this
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.14.3 Aggregating Server
  Aggregating Server Figure 8 illustrates the case of a Client accessing services from an aggregating Server . An aggregating Server is a Server that provides its services by accessing services ... contains its own Auditing information. It also includes the name of the Client that issued the service request and the Client audit entry id received in the request. The Server
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.14.4 Aggregation through a non-auditing Server
  Aggregation through a non-auditing Server Figure 9 illustrates the case of a Client accessing services from an aggregating Server that does not support Auditing . Figure 9 - Aggregation with ... this case, Server "B" passes the audit id it receives from its Client "A" to the next Server . This creates the required audit chain. Server
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.14.5 Aggregating Server with service distribution
  Aggregating Server with service distribution Figure 10 illustrates the case of a Client that submits a service request to an aggregating Server , and the aggregating service supports that service ... would be able to provide all of the Audit Events to Client "A", including the event generated by Server "C" and Server
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.2.2 Message flooding
  only services that the Server handles before the Client is authenticated. The response to GetEndpoints is only a set of static information so the Server does not need ... their product documentation as specified in OPC 10000-7 . OPC UA user and Client Authentication reduce the risk of a legitimate Client being used to mount a flooding attack
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.2.3 Resource exhaustion
  Resource exhaustion OPC UA user and Client Authentication reduce the risk of a legitimate Client being used to mount a resource exhaustion attack. Additionally, Server Auditing allows the detection ... Client if a resource exhaustion attack was carried out by a legitimate Client . Servers are also required to recycle OpenSecureChannel request that have not been completed (specified
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.10 Rogue Server or Publisher
  Publisher See 4.3.10 and 4.3.11 for a description of this threat. OPC UA Client applications counter the use of rogue Servers by validating Server ApplicationInstanceCertificates . There would still ... Server would never be able to read and misuse secured data sent by a Client . Also, without the Private Key the Server would never be able to sign a response
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.11 Rogue Local Discover Server
  Rogue Local Discover Server See 4.3.12 for a description of this threat. OPC UA Client can counter a rogue Discovery Server , by only connecting to Servers that are trusted. This ... protects the Client against malicious Server. The use of a GDS can also mitigate the effect of a compromised Local Discovery Server . A GDS, that aggregates information from Local Discovery
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.13 Repudiation
  Repudiation See 4.3.15 for a description of this threat. OPC UA Client and Server applications counter Repudiation by the signing of Message s that are specified
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.14 Message Suppression
  Message Suppression See 4.3.16 for a description of this threat. A Client and Server can counter message suppression by using checking the SequenceNumber in the sequence header. A SecureChannel ... closed if a SequenceNumber is missed. This allows both a Server and a Client to detect if a message is supressed. Both the Server and Client are required to report
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.15 Downgrade Attack
  Downgrade Attack See 4.3.17 for a description of this threat. A Client can counter a downgrade attack, by verifying the available communication options once a secure connection is established ... connection provided in activate Session is different from the list provided in discovery, the Client disconnects and reports an error (see OPC 10000-4 ). Downgrade attacks can also be countered
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.2.2 Application Authentication
  specified in the GetEndpoints and OpenSecureChannel services in OPC 10000-4 , OPC UA Client and Server applications identify and authenticate themselves with X.509 v3 Certificate s and associated private keys ... represent the machine or user instead of the application. For publish subscribe communications Client Server communications is required to obtain the shared keys from a SecurityKeyService (SKS). Although the application
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.2.3 User Authentication
  entities. As described in the ActivateSession service in OPC 10000-4 , the OPC UA Client accepts a UserIdentityToken from the user and passes it to the OPC UA Server ... provides a Nonce and signing algorithm as the challenge in its CreateSession response. The Client responds to the challenge by signing the Server 's Nonce and providing
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.2.4 Authorization
  that product. Identification and Authentication of users is specified in OPC UA so that Client and Server applications can recognize the user in order to determine the Authorization level
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.2.7 Auditability
  Audit logging by providing traceability of activities through the log entries of the multiple Client s and Servers that initiate, forward, and handle the activity. OPC UA depends upon
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  6.2 Appropriate timeouts:
  Potential consequences include Denial of service: Denial of service conditions could exist when a Client does not reset a Session , if the timeouts are very large. Resource consumption: When ... Client is idle for long periods of time, the Server keeps the Client 's buffered Message or information for that period, leading to resource exhaustion. The implementer should use reasonable
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  6.9 Alarm related guidance
  that could cause safety concerns. Dialog Events could also be used to overload a Client . It would be a best practice for Servers that support dialogs to restrict the number ... some timeout period to ensure that they are not used to create a DOS. Client implementers should also ensure that any dialog processing cannot be used to overwhelm an operator
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  6.14 Reverse Connect
  Reverse Connect Reverse connect allows a Server to initiate the connection to a Client (open the socket sending a HEL message). This results in an additional security concern ... Client , in that the Client needs to validate that the connection is from an appropriate Server and not a denial of service attack. The Client follows the process described
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  6.17 Least privilege principle
  Least privilege principle When a Client connects to a Server , the Client should be granted the minimum privileges that it requires to function. In OPC UA a Client can request
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  6.18 Zero trust environments
  data access policies. The support for a GDS in all Servers and Client allows an Enterprise PKI system to be deployed. The GDS can be linked to identity management systems
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  6.19 Diagnostic related issues
  Diagnostic related issues Diagnostics are an important tool in troubleshooting problems in a Server , Client or system, but it is important that security sensitive information not be provided as part
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  6.20 Changing Users in OPC UA
  Changing Users in OPC UA OPC UA via the ActivateSession Service allows a Client to change the user that is involved with the Session . This Service can have security related
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  8.2 Rogue GDS
  best security possible and that the Server's Certificate matches the one that the Client used to connect. The EndpointDescription provided by the Server includes a relative SecurityLevel that
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  9.2 Self signed certificate management
  handling An administrator would be required to copy the Public Key associated with all Client applications to all Server applications that they desire communication with. In addition, the administrator would ... required to copy the Public Key associated with all Server applications to all Client applications that communicate with them. As the number of Servers and Clients grows, the administration effort
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  4.9.1 Overview
  Overview A Role is a function assumed by a Client when it accesses a Server . Roles are used to separate authentication (determining who a Client is) from authorization (determining what ... Client is allowed to do). By separating these tasks Servers can allow centralized services to manage user identities and credentials while the Server only manages the Permissions on its Nodes
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  4.9.3 Evaluating Permissions with Roles
  Evaluating Permissions with Roles When a Client attempts to access a Node, the Server goes through the list of Roles granted to the Session and logically ORs the Permissions ... access to the Role with a application rule that restricts access to a single Client application. Operator2 Identities = Users with name 'Joe' or 'Ann' Applications = urn:OperatorStation2 Endpoints = An identity
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  5.2.2 NodeId
  change the namespaceIndex NodeId element of a Node with future Sessions and therefore a Client shall not assume the namespaceIndex will not change. The structure of the NodeId is defined
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  5.2.8 UserWriteMask
  UserWriteMask The optional UserWriteMask Attribute exposes the possibilities of a client to write the Attributes of the Node taking user access rights into account. It uses the AttributeWriteMask DataType which ... which was not reflected in the state of this Attribute at the time the Client accessed
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  5.2.9 RolePermissions
  Server allows writes to the RolePermissions it shall preserve all bits written by the Client even if they are not valid for the Node . When a Client reads the RolePermissions
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  5.2.10 UserRolePermissions
  standard Role model defined in 4.9 . This Attribute shall not be writeable. When a Client reads the UserRolePermissions it shall ignore bits that are not valid for the Node
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  5.6.2 Variable NodeClass
  which was not reflected in the state of this Attribute at the time the Client accessed the Variable . The MinimumSamplingInterval Attribute specifies how fast the Server can reasonably sample
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  5.7.1 Method NodeClass
  InputArguments Property is used to specify the arguments that shall be used by a client when calling the Method. OutputArguments O Argument[] The OutputArguments Property specifies the result returned from ... which was not reflected in the state of this Attribute at the time the Client accessed it. Properties may be defined for Methods using HasProperty References . The Properties InputArguments
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  5.8.5.2 DataTypeRefinement Objects
  name of the field. The Namespace of the BrowseName shall be ignored by a Client when performing an equality check with a field name. A DataTypeRefinement Object shall not reference
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  6.4.2 Creating an Instance
  allow Servers to indicate that some Nodes are always present; however, the Client shall be prepared for the case where the Node exists in a different Server . A Client
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  7.9 HasOrderedComponent ReferenceType
  well-defined order. The order is Server -specific, but the Client can assume that the Server always returns them in the same order. There are no additional constraints defined
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  7.22.2 Differences between HasStructuredComponent and ExposesItsArray
  subvariable with the highest index is removed. When subscribing to a subvariable, the Client always get the value assigned to the place in the array. The same behaviour ... order of the array is not considered. Even if the order is changing, the Client subscribing to the subvariable will observe the original subscribed content. In Figure 42 , an example
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  8.3 QualifiedName
  index is the index of that namespace in the local Server 's NamespaceArray . The Client may read the NamespaceArray Variable to access the string value of the namespace. Name String
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  8.4 LocaleId
  allows the use of other <country/region> codes as deemed necessary by the Client or the Server . This specification also allows
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  8.40 OptionSet
  receives a different array size. When the Server returns the value to the Client , the validBits provides information of which bits in the bit mask have a meaning ... should be ignored as it has no meaning. When the Client passes the OptionSet value to the Server , it sets the bits of validBits to 1 for each
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  8.55 PermissionType
  defined in Table 38 . Table 38 - PermissionType Definition Name Bit Description Browse 0 The Client is allowed to see the references to and from the Node . This implies that ... Client is able to Read to Attributes other than the Value or the RolePermissions Attribute . This Permission is valid for all NodeClasses . ReadRolePermissions 1 The Client is allowed to read
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  8.56 AccessRestrictionType
  defined in Table 39 . Table 39 - AccessRestrictionType Definition Name Bit Description SigningRequired 0 The Client can only access the Node when using a SecureChannel which digitally signs all messages. This ... apply to the Browse permission if the ApplyRestrictionsToBrowse is not set. EncryptionRequired 1 The Client can only access the Node when using a SecureChannel which encrypts all messages. This does
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  9.5 AuditEventType
  generated as a result of an action taken on the Server by a Client of the Server or as a result of some vendor specific action. For example, in response ... Client issuing a write to a Variable , the Server would generate an AuditEvent describing the Variable as the source and the user and Client session as the initiators
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  9.31 SystemStatusChangeEventType
  example, if the status indicates an underlying system is not running, then a Client cannot expect any Events from the underlying system. A Server can identify its own status changes
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  9.32.3 Views
  AddressSpace , it would generate only a ModelChangeEvent for View "A". If a Client does not want to receive duplicates of changes then it shall use the filter mechanisms
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  9.32.5 BaseModelChangeEventType
  contain information about the changes but only indicates that changes occurred. Therefore the Client shall assume that any or all of the Nodes may have changed
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  9.32.7 Guidelines for ModelChangeEvents
  updates. It should not issue multiple types of ModelChangeEvent for the same update. Any Client that responds to ModelChangeEvents should respond to any Event of the BaseModelChangeEventType including its subtypes ... like the GeneralModelChangeEventType. If a Client is not capable of interpreting additional information of the subtypes of the BaseModelChangeEventType , it should treat Events of these types the same
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  A.3 ObjectTypes
  several values) and whether that object should be exposed as an object in the Client 's GUI or just as a value. Whenever a modeller is in doubt
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  A.4.2 Properties or DataVariables
  refined (subtyping). If the type definition should be made available so the Client can use the AddNodes Service defined in OPC 10000-4 to create new instances of the type
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  A.4.3 Many Variables and / or Structured DataTypes
  Structured DataTypes When structured data structures should be made available to the Client there are basically three different approaches: Create several simple Variables using simple DataTypes always reflecting parts ... that the complex structure of the data is visible in the AddressSpace . A generic Client can easily access the data without knowledge of user-defined DataTypes and the Client
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  A.5 Views
  Clients , etc. The View only provides the information needed for the purpose of the Client and hides unnecessary information
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  3.1.1 Active Server
  entry: In OPC UA redundant systems, an Active Server is the Server that a Client is using as the source of data
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  3.1.2 Deadband
  when subscribing to Variables and is used to keep noisy signals from updating the Client unnecessarily. This document defines AbsoluteDeadband as a common filter. OPC 10000-8 defines an additional
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  3.1.7 Failover
  entry: In OPC UA redundant systems, a Failover is the act of a Client switching away from a failed or degraded Server to another Server in the redundant set ( Server ... failover). In some cases a Client may have no knowledge of a Failover action occurring (transparent redundancy). A Client failover is the act of an alternate Client replacing an existing
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  3.3 Conventions for Service definitions
  Conventions for Service definitions OPC UA Services contain parameters that are conveyed between the Client and the Server . The OPC UA Service specifications use tables to describe Service parameters
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  4.1 Service Set model
  implementation. The Discovery Service Set , illustrated in Figure 1 , defines Services that allow a Client to discover the Endpoints implemented by a Server and to read the security configuration ... SecureChannel Service Set , illustrated in Figure 2 , defines Services that allow a Client to establish a communication channel to ensure the Confidentiality and Integrity of Messages exchanged with the Server
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  4.2 Request/response Service procedures
  Server , and the subsequent return of responses. The procedures begin with the requesting Client submitting a Service request Message to the Server . Upon receipt of the request, the Server processes ... with any data that is to be returned. To perform these operations, both the Client and the Server may make use of the API of a Communication Stack to construct
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.3 Service results
  Service fully or partially succeeded. In this case, other response parameters are returned. The Client shall always check the response parameters, especially all StatusCodes associated with each operation. These StatusCodes ... Server shall use these specific StatusCodes as described in the Service . A Client should be able to handle these Service specific StatusCodes . In addition, a Client shall expect other common
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.4 Locale Negotiation
  LocalizedText should be returned. The array of LocaleIds is in the preferred order the Client would like the Server to use when selecting the locale of the LocalizedText ... list is the most preferred. If the Server returns a LocalizedText to the Client , the Server shall return the translation which is the most preferred that
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.5.1 Overview
  process The URL for a DiscoveryEndpoint shall provide all of the information that the Client needs to connect to the DiscoveryEndpoint . Once a Client retrieves the Endpoints , the C lient ... connect directly to the Server again without going through the discovery process. If the Client finds that it cannot connect then the Server configuration may have changed and the Client
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.5.2.1 Description
  behaviour of Discovery Servers is described in detail in OPC 10000-12 . The Client may reduce the number of results returned by specifying filter criteria. A Discovery Server returns ... empty list if no Servers match the criteria specified by the Client . The filter criteria supported by this Service are described in 5.5.2.2 . Every Server shall provide a DiscoveryEndpoint that
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.5.2.2 Parameters
  type RequestHeader is defined in 7.32 . endpointUrl String The network address that the Client used to access the DiscoveryEndpoint . The Server uses this information for diagnostics and to determine what
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.5.3.1 Description
  Discovery Server . Unlike FindServers , this Service is only implemented by Discovery Servers . The Client may reduce the number of results returned by specifying filter criteria. An empty list is returned ... Server matches the criteria specified by the Client . This Service shall not require message security but it may require transport layer security. Each time the Discovery Server creates or updates
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.5.4.1 Description
  Service shall not require message security but it may require transport layer security. A Client may reduce the number of results returned by specifying filter criteria based on LocaleIds ... Server returns an empty list if no Endpoints match the criteria specified by the Client . The filter criteria supported by this Service are described in 5.5.4.2 . A Server may support
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.5.4.2 Parameters
  type RequestHeader is defined in 7.32 . endpointUrl String The network address that the Client used to access the DiscoveryEndpoint . The Server uses this information for diagnostics and to determine what
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.5.5.1 Description
  create the SecureChannel . This Service can only be invoked via SecureChannels that support Client authentication (i.e. HTTPS cannot be used to call this Service ). A Server only provides its serverUri ... operating system at boot and those that are automatically launched when a Client attempts to connect. The registration process that a Server shall use depends on which category it falls
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.5.6.1 Description
  more details. This Service can only be invoked via SecureChannels that support Client authentication (i.e. HTTPS cannot be used to call this Service
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.6.1 Overview
  Services are implemented. A SecureChannel is a long-running logical connection between a single Client and a single Server . This channel maintains a set of keys known only ... Client and Server , which are used to sign and encrypt Messages sent across the network to ensure Confidentiality and Integrity . The SecureChannel Services allow the Client and Server to securely
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.6.2.1 Description
  SecureChannel has a globally-unique identifier and is valid for a specific combination of Client and Server application instances. Each channel contains one or more SecurityTokens that identify ... Clients do not reject Messages secured with the new SecurityToken that arrive before the Client receives the new SecurityToken . Clients should accept Messages secured by an expired SecurityToken
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.6.2.2 Parameters
  type RequestHeader is defined in 7.32 . clientCertificate ApplicationInstance‌Certificate A Certificate that identifies the Client . The OpenSecureChannel request shall be signed with the private key for this Certificate . The ApplicationInstanceCertificate type ... Duration The requested lifetime, in milliseconds, for the new SecurityToken . It specifies when the Client expects to renew the SecureChannel by calling the OpenSecureChannel Service again. If a SecureChannel
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.6.2.3 Service results
  description of this result code. A Server shall check the minimum length of the Client nonce and return this status if the length is below 32 bytes. A check
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.2.1 Description
  Description This Service is used by an OPC UA Client to create a Session and the Server returns two values which uniquely identify the Session . The first value ... used to associate an incoming request with a Session . Before calling this Service , the Client shall create a SecureChannel with the OpenSecureChannel Service to ensure the Integrity of all Messages
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.2.2 Parameters
  type RequestHeader is defined in 7.32 . clientDescription Application Description Information that describes the Client application. The type ApplicationDescription is defined in 7.2 . serverUri String This parameter is no longer used ... Client shall set this value to null or empty and the Server shall ignore any value provided. endpointUrl String The network address that the Client used to access the Session
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.2.3 Service results
  description of this result code. A Server shall check the length of the Client nonce and return this status if the length is less than 32 bytes or greater than
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.3.1 Description
  Description This Service is used by the Client to specify the identity of the user associated with the Session . This Service request shall be issued by the Client before ... Failure to do so shall cause the Server to close the Session . Whenever the Client calls this Service the Client shall prove that it is the same application that called
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.3.2 Parameters
  Session . userIdentityToken Extensible Parameter UserIdentityToken The credentials of the user associated with the Client application. The Server uses these credentials to determine whether the Client should be allowed to activate ... Session and what resources the Client has access to during this Session . The UserIdentityToken is an extensible parameter type defined in 7.40 . The EndpointDescription specifies what UserIdentityTokens the Server shall
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.3.3 Service results
  description of this result code. Bad_ApplicationSignatureInvalid The signature provided by the Client application is missing or invalid. Bad_UserSignatureInvalid The user token signature is missing or invalid. Bad_NoValidCertificates ... Client did not provide at least one Software Certificate that is valid and meets the profile requirements for the Server . Bad_IdentityChangeNotSupported The Server does not support changing the user
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.4.1 Description
  requests to complete before submitting the CloseSession request. It removes the entry for the Client in its SessionDiagnosticsArray Variable . When the CloseSession Service is called before the Session is successfully
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.8.1 Overview
  between them. All added Nodes continue to exist in the AddressSpace even if the Client that created them disconnects from the Server . Calls to NodeManagement Services may result in changes
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.8.2.2 Parameters
  Reference from the parent Node to the new Node . requestedNewNodeId Expanded NodeId Client requested expanded NodeId of the Node to add. The serverIndex in the expanded NodeId shall ... this NodeId , it rejects this Node and returns the appropriate error code. If the Client does not want to request a NodeId , then it sets the value of this parameter
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.8.2.4 StatusCodes
  because the Server does not allow node ids to be specified by the Client . Bad_NodeIdExists The requested node id is already used by another node. Bad_NodeClassInvalid See Table
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.8.3.2 Parameters
  nodeId shall contain the namespace index. targetNodeClass NodeClass NodeClass of the TargetNode . The Client shall specify this since the TargetNode might not be accessible directly by the Server . Response responseHeader
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.8.4.1 Description
  then a Notification containing the status code Bad_NodeIdUnknown is sent to the monitoring Client indicating that the Node has been deleted
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.1 Overview
  Server . Future versions of this document may also define services to create Client -defined Views . See OPC 10000-5 for a description of the organization of views in the AddressSpace
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.2.1 Description
  supports a primitive filtering capability. In some cases it may take longer than the Client timeout hint to process all nodes to browse. In this case the Server may return
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.2.2 Parameters
  each starting Node specified in the request. The value 0 indicates that the Client is imposing no limitation (see 7.8 for Counter definition). nodesToBrowse [] BrowseDescription A list of nodes
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.3.1 Description
  return exceeds the maximum number of results to return that was specified by the Client in the original Browse request. The BrowseNext shall be submitted on the same Session that
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.3.2 Parameters
  passed continuationPoints shall be used to get the next set of browse information. A Client shall always use the continuation point returned by a Browse or BrowseNext response to free ... resources for the continuation point in the Server . If the Client does not want to get the next set of browse information, BrowseNext shall be called with this parameter
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.4.1 Description
  type definitions. Since BrowseNames shall be unique in the context of type definitions, a Client may create a browse path that is valid for a type definition and use this
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.4.2 Parameters
  indicate which RelativePath elements still need to be processed. To complete the operation the Client shall connect to the other Server and call this service again using the target
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.5.2 Parameters
  RequestHeader definition). nodesToRegister [] NodeId List of NodeIds to register that the Client has retrieved through browsing, querying or in some other manner. Response responseHeader Response Header Common response parameters ... ResponseHeader definition). registeredNodeIds [] NodeId A list of NodeIds which the Client shall use for subsequent access operations. The size and order of this list matches the size and order
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.11.2.2 Parameters
  time when the Server starts processing the request. For example if the Client specifies a maxAge of 500 milliseconds and it takes 100 milliseconds until the Server starts processing ... number of MonitoredItems that are defined for the Attribute . In any case, the Client can make no assumption about which copy of the data will be returned. If the Server
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.11.3.1 Description
  values could be returned in one response. The value is opaque for the Client and is only used to maintain the state information for the Server to continue from ... information for the continuation point. In some cases it may take longer than the Client timeout hint to read the data for all nodes to read. Then the Server
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.11.3.2 Parameters
  passed continuationPoints shall be used to get the next set of historical information. A Client shall always use the continuation point returned by a HistoryRead response to free the resources ... continuation point in the Server . If the Client does not want to get the next set of historical information, HistoryRead shall be called with this parameter set to TRUE. nodesToRead
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.11.4.1 Description
  more than one operation, the order of the processing is undefined. If a Client requires sequential processing the Client needs separate Service calls. It is possible that the Server ... successfully write some Attributes , but not others. Rollback is the responsibility of the Client . If a Server allows writing of Attributes with the DataType LocalizedText , the Client
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.11.4.4 StatusCodes
  match the IndexRange . Bad_WriteNotSupported The requested write operation is not supported. If a Client attempts to write any value, status code, timestamp combination and the Server does not support ... OutOfRange See Table 179 for the description of this result code. If a Client attempts to write a value outside the valid range like a value not contained
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.12.2.1 Description
  terminated, the results of the Method's execution cannot be returned to the Client and are discarded. This is independent of the task actually performed at the Server . The order ... more than one operation, the order of the processing is undefined. If a Client requires sequential processing the Client needs separate Service calls
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.12.2.2 Parameters
  arguments than the total number of input arguments defined may be passed by the Client when optional input arguments are defined. A Method may define input arguments as optional
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.12.2.4 StatusCodes
  executable Attribute does not allow the execution of the Method . Bad_ArgumentsMissing The Client did not specify all of the non-optional input arguments for the Method . Bad_TooManyArguments ... Client specified more input arguments than defined for the Method . Bad_InvalidArgument See Table 178 for the description of this result code. Used to indicate in the operation level results
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.13.1.1 Overview
  data changes and Events . They are packaged into NotificationMessages for transfer to the Client . The Subscription periodically sends NotificationMessages at a user-specified publishing interval, and the cycle during which ... used to determine if an Event received from the Node is sent to the Client . The filter also allows selecting fields of the EventType that will be contained
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.13.1.2 Sampling interval
  Sampling interval Each MonitoredItem created by the Client is assigned a sampling interval that is either inherited from the publishing interval of the Subscription or that is defined specifically ... rate at which the Server should sample its underlying source for data changes. A Client shall define a sampling interval of 0 if it subscribes for Events . The assigned sampling
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.13.1.5 Queue parameters
  publishing interval of the Subscription , the MonitoredItem will be over sampling and the Client will always receive the most up-to-date value. The discard policy is ignored ... queue size is one. On the other hand, the Client may want to subscribe to a continuous stream of Notifications without any gaps, but does not want them reported
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.13.2.1 Description
  corresponding revised parameter. It is strongly recommended by OPC UA that a Client reuses a Subscription after a short network interruption by activating the existing Session on a new SecureChannel ... described in 6.7 . If a Client called CreateMonitoredItems during the network interruption and the call succeeded in the Server but did not return to the Client , then the Client does
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.1.1 Description
  Description Subscriptions are used to report Notifications to the Client . Their general behaviour is summarized below. Their precise behaviour is described in 5.14.1.2 . Subscriptions have a set of MonitoredItems assigned ... them by the Client . MonitoredItems generate Notifications that are to be reported to the Client by the Subscription (see 5.13.1 for a description of MonitoredItems ). Subscriptions have a publishing interval
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.1.2 State table
  defined for the Subscription lifetime without having received a Subscription Service request from the Client , the Subscription assumes that the Client is no longer present, and terminates. Clients send Publish
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.1.3 State variables and parameters
  queued. LifetimeCounter A value that contains the number of consecutive publishing timer expirations without Client activity before the Subscription is terminated. MessageSent A boolean value that is set to TRUE
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.1.4 Functions
  Functions Function Description ClientValidated() A boolean function that returns TRUE only when the Client that is submitting a TransferSubscriptions request is operating on behalf of the same user and supports ... same Profiles as the Client of the previous Session . CreateNotificationMsg() Increment the SeqNum and create a NotificationMessage from the MonitoredItems assigned to the Subscription . Save the newly-created NotificationMessage
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.2.1 Description
  Subscription . Subscriptions monitor a set of MonitoredItems for Notifications and return them to the Client in response to Publish requests. Illegal request values for parameters that can be revised
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.2.2 Parameters
  cyclic rate that the Subscription is being requested to return Notifications to the Client . This interval is expressed in milliseconds. This interval is represented by the publishing timer ... NotificationMessage to be sent, the Subscription sends a keep-alive Message to the Client . The negotiated value for this parameter is returned in the response. If the requested value
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.3.2 Parameters
  cyclic rate at which the Subscription is being requested to return Notifications to the Client . This interval is expressed in milliseconds. This interval is represented by the publishing timer ... NotificationMessage to be sent, the Subscription sends a keep-alive Message to the Client . The negotiated value for this parameter is returned in the response. If the requested value
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.5.1 Description
  used by any Subscription . 5.14.1.2 describes the use of the Publish Service . Client strategies for issuing Publish requests may vary depending on the networking delays between the Client ... Server . In many cases, the Client may wish to issue a Publish request immediately after creating a Subscription , and thereafter, immediately after receiving a Publish response. In other cases, especially
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.5.2 Parameters
  Server does not support the retransmission queue. If the list is empty, the Client should not acknowledge sequence numbers. This information is for diagnostic purpose and Clients should log differences
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.7.1 Description
  transfer a Subscription and its MonitoredItems from one Session to another. For example, a Client may need to reopen a Session and then transfer its Subscriptions to that Session ... also be used by one Client to take over a Subscription from another Client by transferring the Subscription to its Session . The authenticationToken contained in the request header identifies
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.7.2 Parameters
  subscriptionIds [] IntegerId List of identifiers for the Subscriptions to be transferred to the new Client (see 7.19 for IntegerId definition). These identifiers are transferred from the primary Client ... backup Client via external mechanisms. sendInitialValues Boolean A Boolean parameter with the following values: TRUE the first Publish response(s) after the TransferSubscriptions call shall contain the current value
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.7.3 Service results
  TooManyOperations See Table 178 for the description of this result code. Bad_InsufficientClientProfile The Client of the current Session does not support one or more Profiles that are necessary
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.7.4 StatusCodes
  code. Bad_UserAccessDenied See Table 178 for the description of this result code. The Client of the current Session is not operating on behalf of the same user
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.8.1 Description
  This Service is invoked to delete one or more Subscriptions that belong to the Client's Session . Successful completion of this Service causes all MonitoredItems that use the Subscription ... NoSubscription. Subscriptions that were transferred to another Session shall be deleted by the Client that owns the Session
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.3 Determining if a Certificate is trusted
  Certificate is not an ApplicationInstanceCertificate. ApplicationInstanceCertificates shall not be used in a Client or Server until they have been evaluated and marked as trusted. This can happen automatically ... Server side, the error Bad_SecurityChecksFailed shall be reported back to the Client . Build Certificate Chain Bad_CertificateChainIncomplete Bad_SecurityChecksFailed AuditCertificateInvalidEventType The trust chain for the Certificate is created
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.4 Creating a SecureChannel
  SecureChannel are shown in Figure 21 . Figure 21 - Establishing a SecureChannel Figure 21 assumes Client and Server have online access to a CertificateA uthority (CA). If online access ... administrator has installed the CA public key on the local machine, then the Client and Server shall still validate the application Certificates using that key. The figure shows only
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.5 Creating a Session
  Creating a Session Once an OPC UA Client has established a SecureChannel with a Server it can create an OPC UA Session . The steps involved in establishing a Session ... Figure 22 . Figure 22 - Establishing a Session Figure 22 illustrates the interactions between a Client , a Server , a Certificate Authority (CA) and an identity provider. The CA is responsible
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.6 Impersonating a User
  Impersonating a User Once an OPC UA Client has established a Session with a Server it can change the user identity associated with the Session by calling the ActivateSession service
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.7 Continuous security checks
  security checks ApplicationInstanceCertificates or UserIdentityTokens may expire, get invalid or may be rejected on Client or Server side. ApplicationInstanceCertificates verification shall be executed every time the SecurityToken is renewed
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.8 Calculating Signatures used in CreateSession and ActivateSession
  Calculating Signatures used in CreateSession and ActivateSession There are a number of Signatures which Client and Server applications may need to calculate when calling CreateSession and ActivateSession . The new Signature ... method uses the following values: The ChannelThumbprint ; The Server SecureChannel Certificate ( Server ChannelCertificate ); The Client SecureChannel Certificate ( Client ChannelCertificate ); The Server Application Certificate ( ServerCertificate ); The Client Application Certificate ( ClientCertificate
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.2.1 Overview
  Token that tells the Server what the user is a allowed to do. The Client interactions with these services may be indirect as shown in 6.2.2 or direct as shown ... Even when the Server requires the Client to use an external Authorization Service the Server is still responsible for managing and enforcing the Permissions assigned to Nodes in its Address
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.2.2 Indirect handshake with an Identity Provider
  communicate with the AS. The IssuerEndpointUrl field contains the information needed by the Client to connect to the AS using the protocol required by the AS. The basic handshake
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.2.3 Direct handshake with an Identity Provider
  managing users known to the system. It validates the credentials provided by the Client and returns an Identity Access Token which identifies the user. The Identity Access Token is passed ... Application Authorization Service which validates the Client and Server applications and creates a new Access Token that can be used to access the Server
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.3.1 Description
  second option is to provide the UrisVersion to ensure consistency of namespace arrays between Client and Server . The UrisVersion is first read from the Server together with the NamespaceArray
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.3.2 Parameters
  Server's UrisVersion Property , the Server shall return Bad_VersionTimeInvalid. In this case the Client shall read the UrisVersion , NamespaceArray and the ServerArray from the Server Object to repeat
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.5.1 Overview
  Subclause 6.5 describes what is expected of an OPC UA Server and Client with respect to auditing and it details the audit requirements for each service set. Auditing ... audit event using the OPC UA event mechanism. This allows an external OPC UA Client to subscribe to and log the audit entries to a log file or other storage
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.5.2 General audit logs
  contains a string parameter that is used to carry an audit record id. A Client or any Server operating as a Client , such as an aggregating Server , can create ... local audit log entry for a request that it submits. This parameter allows this Client to pass the identifier for this entry with the request. If this Server also maintains
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.5.5 Auditing for SecureChannel Service Set
  failed service invocations and for successful invocation of the OpenSecureChannel and CloseSecureChannel Services. The Client generated audit entries should be setup prior to the actual call, allowing the correct audit ... service failed. This description should be more detailed than what was returned to the Client . From a security point of view a Client only needs to know that it failed
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.5.10 Auditing for View, Query, MonitoredItem and Subscription Service Set
  Service Set All of the Services in these four Service Sets only provide the Client with information, with the exception of the TransferSubscriptions Service in the Subscription Service
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.1 Redundancy overview
  same data. Server Redundancy can be achieved in multiple manners, some of which require Client interaction, others that require no interaction from a Client . Redundant Servers could exist in systems ... redundant networks or Clients . Redundant Servers could also coexist in systems with network and Client Redundancy . Server Redundancy is formally defined in 6.6.2 . Client Redundancy allows identically configured Clients
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.1 General
  Failover of Server responsibilities from one Server to another is transparent to the Client . The Client is unaware that a Failover has occurred and the Client has no control over ... Failover behaviour. Furthermore, the Client does not need to perform any actions to continue to send or receive data. In non-transparent Redundancy the Failover from one Server to another
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.2 RedundantServerSet Requirements
  that are part of a RedundantServerSet have certain AddressSpace requirements. These requirements allow a Client to consistently access information from Servers in a RedundantServerSet and to make intelligent choices related ... Nodes that are in the local Server namespace like the Server diagnostic Nodes . A Client that fails over shall not be required to translate browse paths or otherwise resolve NodeIds
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.3.1 Client behaviour
  Client behaviour To a Client the transparent RedundantServerSet appears as if it is just a single Server and the Client has no Failover actions to perform. All Servers ... RedundantServerSet , the ServiceLevel of each Server, and which Server is currently responsible for the Client Session . This information is specified in TransparentRedundancyType ObjectType defined in OPC 10000-5 . Since
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.3.2 Server requirements
  interactions within a given Session shall be supported by one Server and the Client is able to identify which Server that is, allowing a complete audit trail for the data ... Session and Subscriptions from the Failed Server . Failover may require a reconnection of the Client's SecureChannel but the EndpointUrl of the Server and the ServerUri shall not change
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.4.1 Overview
  Overview For non-transparent Redundancy , OPC UA provides the data structures to allow the Client to identify what Servers are available in the RedundantServerSet and also Server information which tells ... Client what modes of Failover the Server supports. This information allows the Client to determine what actions it may need to take in order to accomplish Failover . This information
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.4.2 ServiceLevel
  ServiceLevel The ServiceLevel provides information to a Client regarding the health of a Server and its ability to provide data. See OPC 10000-5 for a formal definition for ServiceLevel ... even simple connections attempts or monitoring of the ServiceLevel . The EstimatedReturnTime indicates when the Client should check to see if the Server is available. If updates or patches are taking
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.4.3 Load balancing
  system with 3 Servers , all Servers are initially at ServiceLevel 255, but when a Client connects, the Server with the Client connection sets its level to 254. The next Client
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.4.4 Server Failover modes
  Table 105 indicates the ability of the Server to provide its data to the Client . The ServiceLevel of the primary Server will be in the Healthy ServiceLevel sub-range ... Notifications . The ServiceLevel Variable defined in OPC 10000-5 should be used by the Client to find the Servers with the highest ServiceLevel to achieve load balancing
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.4.5.1 General
  Servers in the RedundantServerSet through the FindServers Service . This information is needed by the Client to translate the ServerUri into information needed to connect to the other Servers ... RedundantServerSet . Therefore a Client needs to connect to only one of the redundant Servers to find the other Servers based on the provided information. A Client should persist information about
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.4.5.2 Cold
  Cold A Cold Failover mode is where the Client can only connect to one Server at a time. When the Client loses connectivity with the Active Server it will attempt ... redundant Server (s) which may or may not be available. In this situation the Client may need to wait for the redundant Server to become available and then create Subscriptions
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.4.5.3 Warm
  Warm A Warm Failover mode is where the Client should connect to one or more Servers in the RedundantServerSet primarily to monitor the ServiceLevel . A Client can connect and create ... Servers . The Server with the highest ServiceLevel is the Active Server . For Failover the Client activates sampling and publishing on the Server with the highest ServiceLevel . Figure 30 illustrates