26 result(s) for OpenSecureChannel
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
5.1.2.3 Resource exhaustion
attack was carried out by a legitimate Client. Servers are also required to recycle OpenSecureChannel request that have not been completed (specified in OPC 10000-4), this will eliminate attacks
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
5.1.13 Repudiation
channel indicates that the message originated from the owner of the private key. During OpenSecureChannel and Session establishment the communicating parties are clearly identified and confirmed. Lastly Auditing as described
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
entities with which they are communicating. As specified in the GetEndpoints and OpenSecureChannel services in OPC 10000-4, OPC UA Client and Server applications identify and authenticate themselves with X.509
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.5.4.1 Description
Mode Security Policy Supported User Identity Tokens The ApplicationInstanceCertificate is used to secure the OpenSecureChannel request (see 5.6.2). The MessageSecurityMode and the SecurityPolicy tell the Client how to secure messages
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.6.2.1 Description
When Session-less Service invocation is done through a transport mapping that requires the OpenSecureChannel Service, the Server shall maintain a last used time for the SecureChannel to detect ... oldest unused SecureChannel. The OpenSecureChannel request and response Messages shall be signed with the sender's private key. These Messages shall always be encrypted. If the transport layer does
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.6.2.2 Parameters
network depends on the mappings defined in OPC 10000-6. Table 11 - OpenSecureChannel Service Parameters Name Type Description Request requestHeader RequestHeader Common request parameters. The authenticationToken is always null ... RequestHeader is defined in 7.32. clientCertificate ApplicationInstanceCertificate A Certificate that identifies the Client. The OpenSecureChannel request shall be signed with the private key for this Certificate. The ApplicationInstanceCertificate type
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.6.2.3 Service results
results specific to this Service. Common StatusCodes are defined in Table 178. Table 12 - OpenSecureChannel Service Result Codes Symbolic Id Description Bad_SecurityChecksFailed See Table 178 for the description ... below 32 bytes. A check for duplicated nonce can only be done in OpenSecureChannel calls with the request type RENEW
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.7.2.1 Description
Session. Before calling this Service, the Client shall create a SecureChannel with the OpenSecureChannel Service to ensure the Integrity of all Messages exchanged during a Session. This SecureChannel
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
6.1.4 Creating a SecureChannel
change rarely and the Client can cache it locally. If the Server rejects the OpenSecureChannel request the Client should call GetEndpoints and make sure the Server configuration has not changed
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
shall generate audit Events for failed service invocations and for successful invocation of the OpenSecureChannel and CloseSecureChannel Services. The Client generated audit entries should be setup prior to the actual ... call, allowing the correct audit record Id to be provided. The OpenSecureChannel Service shall generate an audit Event of type AuditOpenSecureChannelEventType or a subtype of it for the requestType ISSUE
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
creating a new SecureChannel and activating the Session with the Service ActivateSession. If the OpenSecureChannel fails, the Client should delay the retry for a configurable time. The ActivateSession assigns ... SecureChannel may be rejected, because of a new Server ApplicationInstanceCertificate or other security errors. OpenSecureChannel returns Bad_CertificateInvalid in the case of a new Server ApplicationInstance Certificate. In case
-
OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
6.4.5 AuditChannelEventType
shall be "SecureChannel/" and the Service that generates the Event (e.g. SecureChannel/OpenSecureChannel or SecureChannel/CloseSecureChannel). If the ClientUserId is not available for a CloseSecureChannel call, then this
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
Security Handshake and Security Policies All SecurityProtocols shall implement the OpenSecureChannel and CloseSecureChannel services defined in OPC 10000-4. These Services specify how to establish a SecureChannel
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.2.1 General
Internet based application. The ServerCertificate and ClientCertificate parameters used in the abstract OpenSecureChannel service are typically instances of the ApplicationInstance Certificate DataType. Clause 6.2.2 describes how to create an X.509 ... used as an ApplicationInstance Certificate. Other types of Certificates that may be used in OpenSecureChannel are defined in OPC 10000-21. Certificates are also used as form of UserIdentityToken which
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.7.2.1 Overview
appended after the encrypted data. Figure 12 - MessageChunk for Authenticated Encryption Algorithms The OpenSecureChannel negotiations use asymmetric algorithms. The MessageChunk structure is shown in Figure 13. When using
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.7.2.3 Security Header
asymmetric algorithms is defined in Table 58. Asymmetric algorithms are used to secure the OpenSecureChannel Messages. PKCS #1 defines a set of asymmetric algorithms that may be used by UASC ... used to secure the Message. This identifier is returned by the Server in an OpenSecureChannel response Message. If a Server receives a TokenId which it does not recognize it shall
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.7.2.4 Sequence Header
around shall be 0. Some applications will find it takes time to validate the OpenSecureChannel Requests and Responses used to renew a TokenId. In these situations, the receiver may assume ... which allows it to process subsequent messages secured with the existing TokenId before the OpenSecureChannel Message is validated. When processing of the OpenSecureChannel Message completes, the receiver checks the SequenceNumber
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
Messages require a SecureChannel to be established. A Client does this by sending an OpenSecureChannel request to the Server. The Server shall validate the Message and the ClientCertificate and return ... OpenSecureChannel response. Some of the parameters defined for the OpenSecureChannel service are specified in the security header (see 6.7.2) instead of the body of the Message. Table 64 lists
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.7.5 ChannelThumbprint
ChannelThumbprint When using SecurityPolicies with SecureChannelEnhancements = TRUE, the Signature on the OpenSecureChannel Response is calculated by appending the bytes of the Signature from the first OpenSecureChannel Request to the bytes ... first OpenSecureChannel Response. The ChannelThumbprint is the Signature on the OpenSecureChannel Response. This additional Signature calculation is not done when renewing a SecureChannel since the key derivation method described
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.7.6 Deriving keys
Messages are signed and encrypted with keys derived from the Nonces exchanged in the OpenSecureChannel call. These keys are derived by passing the Nonces to a pseudo-random function ... secret and a seed. These values are derived from the Nonces exchanged in the OpenSecureChannel request and response. Table 65 specifies how to derive the secrets and seeds when using
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
attempt to re-open the channel and request a new SecurityToken by sending an OpenSecureChannel request. The mechanism for sending transport errors to the Client depends on the communication channel ... first check the SecureChannelId. This value may be 0 if the Message is an OpenSecureChannel request. For other Messages, it shall report a Bad_SecureChannelUnknown error if the SecureChannelId
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.8.1 Secure Channel Handshake
SecurityPolicy in OPC 10000-7. Clause 6.7.4 specifies the contents of the OpenSecureChannel request and response messages. When using an ECC SecurityPolicy the ClientNonce is the Public ... UTF8 encoding of the string literal 'label'; ServerNonce is the Server EphemeralKey from the OpenSecureChannel response; ClientNonce is the Client EphemeralKey from the OpenSecureChannel request; | concatenates sequences of bytes; Salt
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
have a default value which does not exceed two minutes. The Client sends the OpenSecureChannel request once it receives the Acknowledge back from the Server. If the Server accepts ... response to the Client. The Client does the same when it receives the OpenSecureChannel response. The Server application does not do any processing while the SecureChannel is negotiated; however
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
generic GDS configuration tool. Connect For the connection management with the GDS the services OpenSecureChannel, CreateSession and ActivateSession are used to create a connection with MessageSecurityMode SignAndEncrypt and a user
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
connection for option (2). For the connection management with the CertificateManager the Services OpenSecureChannel, CreateSession and ActivateSession are used to create a connection with MessageSecurityMode SignAndEncrypt and an Anonymous user
-
OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model
13.2.1 Locating Server
located following the standard procedure as defined in OPC 10000-12, i.e., FindServers, GetEndpoints, OpenSecureChannel, CreateSession and ActivateSession on the Server Address with the specified SecurityMode