Search
153 result(s) for SecureChannel
-
OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts2.1.37 Secure ChannelSecure Channel in OPC UA, a communication path established between an OPC UA Client and Server that have authenticated each other using certain OPC UA services and for which security
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model3.1.41 SecureChannelSecureChannel communication channel that ensures the confidentiality and/or integrity of all messages exchanged between a Client and a Server Note 1 to entry: If the security policy is None, then
-
OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and ConceptsSecureChannel Service Set This Service Set defines Services used to open a communication channel that ensures the confidentiality and integrity of all Messages exchanged with the Server . The base concepts ... security are defined in OPC 10000-2 . The SecureChannel Services are unlike other Services because they are typically not implemented by the OPC UA Application directly. Instead, they are provided
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model4.3.2.3 Resource Exhaustioncould obtain all 10 Sessions . Or a malicious Client could try to open 10 SecureChannel s, without actually completing the process.The Client might not even open a Session , just open
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model4.3.4 Message spoofingavoid detection of their activities. Message spoofing impacts Integrity , Authorization and during session / SecureChannel establishment Authentication . See 5.1.4 for the reconciliation of this threat
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model4.3.5 Message alterationsystem. Message alteration impacts Integrity, Authorization, Auditability, Non-Repudiation and during session / SecureChannel establishment Authentication . See 5.1.5 for the reconciliation of this threat
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model4.3.6 Message replayestablish a Session using a recorded Session . Message replay impacts Authorization and during Session / SecureChannel establishment Authentication. See 5.1.6 for the reconciliation of this threat
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model4.5.2.2 Session application layerspecified in OPC 10000-4 . A Session in the application layer communicates over a SecureChannel that is created in the communication layer and relies upon it for secure communication ... passed to the communication layer for further processing. Although a Session communicates over a SecureChannel and has to be activated before it can be used, the binding of users, Sessions
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model4.5.2.3 Session communication layersecurity objective. One essential mechanism to meet these security objectives is to establish a SecureChannel (see 4.13 ) that is used to secure the communication between a Client and a Server ... SecureChannel provides encryption to maintain Confidentiality , Message Signature s to maintain Integrity and Certificates to provide application Authentication. In addition, the SecureChannel provides Perfect Forward Secrecy when the SecureChannel
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model4.5.2.5 Session-less Service invocationcommunication channel provides Confidentiality and Integrity. The communication channel could be an OPC UA SecureChannel (without a session). It could be a communication channel, such as HTTPS , which relies
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model4.6 SecurityPoliciessupports and by the Client to select which one to use with the SecureChannel it wishes to open or for the session-less connection it wishes to make. SecurityPolicies
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Modelother. Each OPC UA ApplicationInstance has a Certificate ( ApplicationInstanceCertificate ) assigned that is exchanged during SecureChannel establishment. The receiver of the Certificate checks whether it trusts the Certificate and based
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security ModelCertificate s of specific OPC UA Server s. The services of the SecureChannel Service Set (specified in OPC 10000-4 ) are used to establish a SecureChannel which is responsible ... securing Message s sent between a Client and a Server . The challenge of the SecureChannel establishment is that it requires the Client and the Server to securely exchange cryptographic keys
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model5.1.4 Message spoofingcounter message spoofing Clients and Server should restrict session-less communication to be over SecureChannel s. See 4.5.2.5 and for additional session-less security related information
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model5.1.6 Message replayreplay a Message without it being detected and rejected. The establishment of a SecureChannel or Session includes the same signature, timestamps and sequence number that are part of all messages
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model5.1.9 Session hijackingthis threat. OPC UA counters Session hijacking by assigning a security context (i.e. SecureChannel ) with each Session as specified in the CreateSession Service in OPC 10000-4 . Hijacking a Session
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model5.1.10 Rogue Server or Publishercommunication is secured using ECC, then the Client would refuse to establish a SecureChannel with the rogue Server . If a rogue server attempted to hijack a running connection, it would
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model5.1.14 Message Suppressioncounter message suppression by using checking the SequenceNumber in the sequence header. A SecureChannel is required to be closed if a SequenceNumber is missed. This allows both a Server
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model5.2.6 Integritysecurity objective. The Asymmetric Signatures are used in the key agreement phase during the SecureChannel establishment. The Symmetric Signatures are applied to all other Message s including PubSub messages
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Modeluses shall be limited as described in Part 4 Service Behaviours clause. Once the SecureChannel has been established then appropriate specific error codes are returned. Another attack vector that ... that requires the closing of the socket for any errors when establishing a SecureChannel . Vendors should be careful in their implementation to ensure that all paths that result
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Modelwith once they are received, the Subscription for Audit Events should be via a SecureChannel to ensure they are not tampered with while in transition, for Clients that log audit
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Modelsecure connection. For the push model of certificate management, the GDS establishes a SecureChannel using the highest security level available in the target Server . It does not provide updated CRLs
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Modeldetermine if access should be granted. The OPC UA Application will communicate using a SecureChannel established using Asymmetric Cryptography with other applications. Administrator - The person or persons that administer ... passed to a Server after the ApplicationInstanceCertificate is used to create a SecureChannel . It can be used to determine access rights and to track activities (auditing). Certificate Authority
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Modellock out for repeated user access failure, but an AuthenticationService could. OPC does monitor SecureChannel connection and could block secure channel connection for repeated user login failure. CR 1.12: System ... alteration, Server Profiling, System Hijacking, Repudiation, Audit Event Management OPC 10000-4 Signing, GetEndpoints, SecureChannel, Auditing, Proof of Possession, OPC 10000-7 -ConformanceUnits OPC 10000-7 - Profiles User Token
-
OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model4.9.1 Overviewtrusted ApplicationInstance Certificate (see OPC 10000-4 ) and uses at least a signed communication channel. The standard mapping rules allow Roles to be granted based on: User identity; Application identity ... Client proves possession of a trusted Certificate by using it to create a Secure Channel or by providing a signature in ActivateSession (see OPC 10000-4 ). Endpoint identity mappings
-
OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space ModelDescription SigningRequired 0 The Client can only access the Node when using a SecureChannel which digitally signs all messages. This does not apply to the Browse permission if the ApplyRestrictionsToBrowse ... EncryptionRequired 1 The Client can only access the Node when using a SecureChannel which encrypts all messages. This does not apply to the Browse permission if the ApplyRestrictionsToBrowse
-
OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Modelsubtype of AuditSecurityEventType and is used for categorization of security-related Events from the SecureChannel Service Set defined
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services3.1.12 SecurityTokenSecurityTokens belong to a security context. For OPC UA the security context is the SecureChannel
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Servicessecurity configuration for each of those Endpoints . Figure 1 - Discovery Service Set The SecureChannel Service Set , illustrated in Figure 2 , defines Services that allow a Client to establish a communication ... ensure the Confidentiality and Integrity of Messages exchanged with the Server . Figure 2 - SecureChannel Service Set The Session Service Set , illustrated in Figure 3 , defines Services that allow the Client
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.3 Service resultsband mechanism that the application or user credentials used to create a Session or SecureChannel have been compromised, then the Server should immediately terminate all sessions and channels that ... these cases, these errors may be treated as a communication fault which requires the SecureChannel to be re-established (see 5.6 ). The Client and Server reduce the chances
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.5.1 Overviewsame Session Endpoint that Clients use to establish a SecureChannel . Clients read the security information necessary to establish a SecureChannel by calling the GetEndpoints Service on the DiscoveryEndpoint . In addition ... discovery process using FindServers is illustrated in Figure 9 . The establishment of a SecureChannel (with MessageSecurityMode NONE ) for FindServers and GetEndpoints is omitted from the figure for clarity. Figure
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.5.4.1 Descriptionsupported by a Server and all of the configuration information required to establish a SecureChannel and a Session . This Service shall not require message security but it may require transport ... MessageSecurityMode and the SecurityPolicy tell the Client how to secure messages sent via the SecureChannel . The UserIdentityTokens tell the Client which type of user credentials shall be passed
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.5.5.1 Descriptionseparate configuration utility. Clients will not use this Service . A Server shall establish a SecureChannel with the Discovery Server before calling this Service . The SecureChannel is described ... serverUri provided does not match the applicationUri in Server Certificate used to create the SecureChannel . This Service can only be invoked via SecureChannels that support Client authentication (i.e. HTTPS cannot
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.6.1 Overviewbase concepts for OPC UA security are defined in OPC 10000-2 . The SecureChannel Services are unlike other Services because they are not implemented directly by the OPC UA Application ... Server may be built on a stack that allows applications to establish a SecureChannel using HTTPS. In these cases, the OPC UA Application shall verify that the Message it received
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.6.2.1 DescriptionDescription This Service is used to open or renew a SecureChannel that can be used to ensure Confidentiality and Integrity for Message exchange during a Session . This Service requires ... this Service for different Communication Stacks are described in OPC 10000-6 . Each SecureChannel has a globally-unique identifier and is valid for a specific combination of Client and Server
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.6.2.2 Parametersshall be one of the following: ISSUE creates a new SecurityToken for a new SecureChannel . RENEW creates a new SecurityToken for an existing SecureChannel . secureChannelId BaseDataType The identifier ... SecureChannel that the new token should belong to. This parameter shall be null when creating a new SecureChannel . The concrete security protocol definition in OPC 10000-6 chooses the concrete
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.6.3.1 DescriptionDescription This Service is used to terminate a SecureChannel . The request Messages shall be signed with the appropriate key associated with the current token for the SecureChannel
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.6.3.2 Parametersnull. The type RequestHeader is defined in 7.32 . secureChannelId BaseDataType The identifier for the SecureChannel to close. The concrete security protocol definition in OPC 10000-6 chooses the concrete DataType
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.7.2.1 Descriptionincoming request with a Session . Before calling this Service , the Client shall create a SecureChannel with the OpenSecureChannel Service to ensure the Integrity of all Messages exchanged during a Session ... This SecureChannel has a unique identifier which the Server shall associate with the a uthenticationToken . The Server may accept requests with the a uthenticationToken only if they are associated with
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.7.2.2 Parametersthat this ApplicationInstanceCertificate is the same as the one it used to create the SecureChannel . Requested SessionTimeout Duration Requested maximum number of milliseconds that a Session should remain open without ... that this Certificate is the same as the one it used to create the SecureChannel . The ApplicationInstanceCertificate type is defined in 7.3 . If the securityPolicyUri is None and none
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.7.3.1 Descriptioncalled for the first time then the Server shall reject the request if the SecureChannel is not same as the one associated with the CreateSession request. Subsequent calls to ActivateSession ... Server shall verify that the Certificate the Client used to create the new SecureChannel is the same as the Certificate used to create the original SecureChannel . In addition, the Server
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.7.4.1 Descriptionbefore the Session is successfully activated, the Server shall reject the request if the SecureChannel is not the same as the one associated with the CreateSession request
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.13.2.1 DescriptionSubscription after a short network interruption by activating the existing Session on a new SecureChannel as described in 6.7 . If a Client called CreateMonitoredItems during the network interruption
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services5.14.5.1 DescriptionServer to process. In this situation, the Client will find that either the SecureChannel goes into a fault state and needs to be re-established or the Publish response returns
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services6.1.4 Creating a SecureChannelCreating a SecureChannel All OPC UA Applications shall establish a SecureChannel before creating a Session . This SecureChannel requires that both applications have access to Certificates that can be used ... used for this purpose. The steps involved in establishing a SecureChannel are shown in Figure 21 . Figure 21 - Establishing a SecureChannel Figure 21 assumes Client and Server have online access
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services6.1.5 Creating a SessionCreating a Session Once an OPC UA Client has established a SecureChannel with a Server it can create an OPC UA Session . The steps involved in establishing a Session
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Servicesside. ApplicationInstanceCertificates verification shall be executed every time the SecurityToken is renewed for a SecureChannel . OPC UA Applications may do additional verifications between SecurityToken renews e.g. if the TrustList ... updated from a GDS. If the SecureChannel does not use ApplicationInstanceCertificates , the OPC UA Application should execute ApplicationInstanceCertificate checks for the Session at a rate used for SecureChannel renewals
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Servicescalculation algorithm, called channel bound Signatures , requires that the Certificates used to establish the SecureChannel be used in the calculation. Certificates that are passed as parameters in CreateSession are used ... indicate that they are only accepted as correct when they are exchanged over a SecureChannel using the Certificates used to create it. The calculation method uses the following values
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services6.3.1 Descriptionalso be supported via the SessionlessInvoke Service . Session -less Services are invoked via a SecureChannel using the Access Token returned from the Authorization Service as the authenticationToken in the requestHeader ... SecureChannel shall have encryption enabled to prevent eavesdroppers from seeing the Access Token . The Access Token provides the user authentication. If application authentication through the SecureChannel is sufficient, Servers
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services6.6.2.3.2 Server requirementsSubscriptions from the Failed Server . Failover may require a reconnection of the Client's SecureChannel but the EndpointUrl of the Server and the ServerUri shall not change. The Client shall
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services6.6.2.4.5.5 HotAndMirroredcontext for communication. On a Failover the Client will simply create a new SecureChannel on an alternate Server and then call ActivateSession ; all Client activities (browsing, subscriptions, history reads
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services6.6.4.3 Non-TransparentFailover the normal reconnect scenario described in 6.7 can be used. Only the SecureChannel is created with another Endpoint . Sessions and Subscriptions can be reused. Non-transparent network Redundancy
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Servicesthis the Client shall re-establish the connection by creating a new SecureChannel and activating the Session with the Service ActivateSession . If the OpenSecureChannel fails, the Client should delay ... retry for a configurable time. The ActivateSession assigns the new SecureChannel to the existing Session and allows the Client to reuse the Session and Subscriptions in the Server
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services7.14 EndpointDescriptionapply to the messages. The type MessageSecurityMode type is defined in 7.20 . A SecureChannel may need to be created even if the securityMode is NONE. The exact behaviour depends
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services7.15 EphemeralKeyTypecurrent SecurityPolicyUri . signature ByteString The Signature calculated using the ApplicationInstanceCertificate used with the current SecureChannel .. The value of the Public Key field is the data used to calculate the Signature
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Serviceswill not have access to the SecureChannelId or the Certificate used to create the SecureChannel. In these cases the application shall create a random ByteString value that is at least ... long. This value shall be kept secret and shall always be exchanged over a SecureChannel with encryption enabled. The Administrator is responsible for ensuring that encryption is enabled. In this
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services7.40.2.1 OverviewEncryptedSecret format shall be used or the clear text password is sent over a SecureChannel that is encrypted. The EncryptedSecret format defined in 7.40.2.3 provides an extensible secret format together
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services7.40.2.5 EccEncryptedSecret DataTypestructure is used to provide a UserIdentityToken to a Server over a SecureChannel and the SigningCertificate is the Client ApplicationInstance Certificate . SigningTime DateTime See Table 183 KeyDataLength UInt16 The length
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services7.40.4 UserNameIdentityTokenUserTokenPolicy . The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None and no transport layer encryption is available. If None is specified ... then the password only contains the UTF-8 encoded password. The SecurityPolicy of the SecureChannel is used if no SecurityPolicy is specified in the UserTokenPolic y. The Server shall specify
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services7.40.5 X509IdentityTokensSecurityPolicy . The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None. The Server shall specify a SecurityPolicy for any UserTokenPolicy if the Server
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services7.40.6 IssuedIdentityTokenUserTokenPolicy . The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None and no transport layer encryption is available. The SecurityPolicy of the SecureChannel
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services7.41 UserTokenPolicyrequest. Clause 7.40 describes how this parameter is used. The security policy for the SecureChannel is used if this value is null or empty. When a UserTokenPolicy is returned ... SecurityPolicy is specified, it shall use the same PublicKey algorithm as the SecureChannel . An EndpointDescription shall have no more than one USERNAME UserTokenPolicy and no more than one ISSUEDTOKEN UserTokenPolicy
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings4 Overviewexisting Layer 5, 6 or 7 protocol such as TCP/IP, TLS or HTTP . The SecureChannel layer is always present even if the SecurityMode is None . In this situation, no security ... channel with a unique identifier. Users and administrators are expected to understand that a SecureChannel with SecurityMode set to None cannot be trusted unless the application is operating
-
OPC-10000-6 – OPC Unified Architecture - Part 6: MappingsCloseSecureChannel services defined in OPC 10000-4 . These Services specify how to establish a SecureChannel and how to apply security to Messages exchanged over that SecureChannel . The Messages exchanged ... implementation shall still maintain a logical channel and provide a unique identifier for the SecureChannel . The handshake shown also applies when using Session-less Service invocations, however the CreateSession steps
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings6.2.6 Certificate Chainsincluding a partial or complete chain whenever they pass a Certificate. This includes GetEndpoints , SecureChannel negotiation and during the CreateSession / ActivateSession handshake. All OPC UA applications shall accept partial
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings6.5.2.3 Access Tokenswith the token. If present, the Server shall not accept a token unless the SecureChannel has been created with the Certificate identified by this field. The field is a JSON
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings6.7.2.1 OverviewOverview The structure of the MessageChunk s exchanged after a SecureChannel is negotiated depends on whether the SecurityPolicy requires a symmetric encryption algorithm that combines encryption and authentication (e.g. AuthenticatedEncryption
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings6.7.2.2 Message Headerfrom the beginning of the MessageType field. SecureChannelId UInt32 A unique identifier for the SecureChannel assigned by the Server . If a Server receives a SecureChannelId which it does not recognize
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings6.7.2.3 Security HeaderCertificate identified does not match the Certificate it is using for the SecureChannel . The receiver shall close the communication channel if any of the fields in the security header have ... always 4 bytes. Name Data Type Description TokenId UInt32 A unique identifier for the SecureChannel SecurityToken used to secure the Message . This identifier is returned by the Server
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings6.7.2.4 Sequence Headermonotonically increasing sequence number assigned by the sender to each MessageChunk sent over the SecureChannel . RequestId UInt32 An identifier assigned by the Client to OPC UA request Message . All MessageChunks ... processing of the OpenSecureChannel Message completes, the receiver checks the SequenceNumber and closes the SecureChannel if it is incorrect. The sequence header is followed by the Message body which
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappingsthen the receiver shall ignore the Message but shall not close the SecureChannel . The Client shall report the error back to the application as StatusCode for the request
-
OPC-10000-6 – OPC Unified Architecture - Part 6: MappingsEstablishing a SecureChannel Most Messages require a SecureChannel to be established. A Client does this by sending an OpenSecureChannel request to the Server . The Server shall validate the Message ... soon as it finishes processing the OpenSecureChannel response. The Client shall close the SecureChannel if the Certificate used to sign the response is not the same as the Certificate used
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings6.7.5 ChannelThumbprintOpenSecureChannel Response . This additional Signature calculation is not done when renewing a SecureChannel since the key derivation method described in 6.8.1 always includes key data from the first OpenSecureChannel exchange ... ChannelThumbprint comes from the first OpenSecureChannel exchange. It is a unique identifier for the SecureChannel and is used in the calculation of Channel Bound Signatures
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings6.7.6 Deriving keysDeriving keys Once the SecureChannel is established the Messages are signed and encrypted with keys derived from the Nonces exchanged in the OpenSecureChannel call. These keys are derived by passing
-
OPC-10000-6 – OPC Unified Architecture - Part 6: MappingsSecurityPolicy shall be the same as the one used to originally create the SecureChannel . The receiver shall verify the ReceiverCertificateThumbprint and report a Bad_CertificateInvalid error if it does ... Certificate validation fails. If the Message is secured with symmetric algorithms, then a Bad_SecureChannel TokenUnknown e rror shall be reported if the TokenId refers to a SecurityToken that
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings6.8.1 Secure Channel Handshakecreate and verify a digital signature. To negotiate the keys used for the SecureChannel the Client generates a new key pair (J C , K C ) and passes the Public ... response. The new key pairs are used each time a SecureChannel is negotiated and they are called EphemeralKeys . ECC public-private key pairs are always based on a specific elliptic
-
OPC-10000-6 – OPC Unified Architecture - Part 6: MappingsGetEndpoints response. A UserTokenPolicy may specify a SecurityPolicyUri that is different than the SecureChannel (see OPC 10000-4 ). For example, an EndpointDescription providing an ECC SecurityPolicyUri does not specify ... SecurityPolicyUris in the UserTokenPolicies . When a Client calls CreateSession via a SecureChannel based on an ECC or RSA_DH SecurityPolicy the Client specifies the ECDHPolicyUri it plans
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappingsoriginal RSA based profiles used AsymmetricEncryption to negotiate the symmetric keys used for the SecureChannel . Diffie-Hellman Key Agreement (RSA-DH) allows for key negotiation using the same pattern ... Figure 17 - RSA-DH Key Negotiation To negotiate the keys used for the SecureChannel a finite field group is determined by the PublicKey lengths allowed by the SecurityPolicy . The finite
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings7.1.1 OverviewTransportConnections allow responses to be returned in any order. If the TransportConnection breaks the SecureChannel is interrupted and a new SecureChannel needs to be created. The OPC UA Connection Protocol ... designed to work with the SecureChannel implemented by a layer higher in the stack. For this reason, the OPC UA Connection Protocol defines its interactions with the SecureChannel in addition
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings7.1.2.2 Message HeaderMessage . ACK an Acknowledge Message . ERR an Error Message . RHE a ReverseHello Message . The SecureChannel layer defines additional values which the OPC UA Connection Protocol layer shall accept. Reserved Byte ... Table 57 . This allows the OPC UA Connection Protocol layer to extract the SecureChannel Messages from the incoming stream even if it does not understand their contents
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings7.1.2.3 Hello MessageServer does not have sufficient resources to allow the establishment of a new SecureChannel it shall immediately return a Bad_TcpNotEnoughResources Error Message and gracefully close the socket. Client should ... overload Servers that return this error by immediately trying to create a new SecureChannel
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings7.1.2.6 ReverseHello MessageEndpointUrl String The URL of the Endpoint which the Client uses when establishing the SecureChannel . This value shall be passed back to the Server in the Hello Message . The encoded ... open ports to connect to a Client and request that the Client establish a SecureChannel using the socket created by the Server . For message-based protocols the ReverseHello Message allows
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappingswhich completes the buffer negotiation. The negotiated buffer size shall be reported to the SecureChannel layer. The negotiated SendBufferSize specifies the size of the MessageChunks to use for Messages sent ... receives the OpenSecureChannel response. The Server application does not do any processing while the SecureChannel is negotiated; however, the Server application shall provide the Stack with the list of trusted
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings7.1.4 Closing a connectionConnection Protocol connection The Server application does not do any processing when the SecureChannel is closed; however, the Stack shall provide notifications to the Server application whenever a CloseSecureChannel request ... received or when the Stack cleans up an abandoned SecureChannel
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings7.1.5 Error handlingMessage type is not accepted. Some of the Message types are defined by the SecureChannel layer. Bad_TcpSecureChannelUnknown The SecureChannelId and/or TokenId are not currently in use. This error ... reported by the SecureChannel layer. Bad_TcpMessageTooLarge The size of the MessageChunk specified in the header is too large. The Server returns this error if the MessageChunk size exceeds
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings7.4.1 OverviewNone . All HTTPS communications via a URL shall be treated as a single SecureChannel that is shared by multiple Clients . Stacks shall provide a unique identifier for the SecureChannel which ... allows applications to correlate a request with a SecureChannel. This means that Sessions can only be considered secure if the AuthenticationToken (see OPC 10000-4 ) is long (>20 bytes
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings7.5.1 OverviewWebSocket Figure 23 assumes the opcua+uacp sub-protocol (see 7.5.2 ). There is no SecureChannel negotiation when using opcua+json sub-protocol. The default UserIdentity for any Session-less Service
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesApplication the right to update its own registration. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application. ApplicationAdmin This Privilege grants ... rights to update one or more registrations. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application and what
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services6.5.6 RegisterApplicationregister a new application with a GlobalDiscoveryServer . This Method shall be called from an authenticated SecureChannel and from a Client that has access to the DiscoveryAdmin Role or the ApplicationAdmin Privilege ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 9 specifies the AddressSpace representation for the RegisterApplication Method . Table 9 - RegisterApplication
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services6.5.7 UpdateApplicationexisting application in a GlobalDiscoveryServer . This Method shall be called from an authenticated SecureChannel and from a Client that has access to the DiscoveryAdmin Role, the ApplicationSelfAdmin Privilege ... UserAccessDenied The current user does not have the required rights. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 10 specifies the AddressSpace representation for the UpdateApplication Method . Table 10 - UpdateApplication
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services6.5.8 UnregisterApplicationremove an application from a GlobalDiscoveryServer . This Method shall be called from an authenticated SecureChannel and from a Client that has access to the DiscoveryAdmin Role, the ApplicationSelfAdmin Privilege ... user does not have the rights required to unregister the application. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 11 specifies the AddressSpace representation for the UnregisterApplication Method . Table
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesCertificate or read its own CertificateGroups and TrustLists . The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application. ApplicationAdmin This Privilege grants ... CertificateGroups for one or more OPC UA Applications. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.2 Openexisting transaction if Open is called with the Write Mode bit set. If the SecureChannel is not authenticated the Server shall return Bad_SecurityModeInsufficient . Method Result Codes Result Code Description ... opened because it is part of a transaction is in progress. Bad_SecurityModeInsufficient The SecureChannel is not authenticated
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.3 OpenWithMasksreceives a consistent snapshot. For PullManagement , this Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role, the ApplicationSelfAdmin Privilege ... ApplicationAdmin Privilege (see 7.2 ). For PushManagement , this Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature OpenWithMasks
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.5 CloseAndUpdatefield is not changed. For PullManagement , this Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role, the ApplicationSelfAdmin Privilege ... ApplicationAdmin Privilege (see 7.2 ). For PushManagement , this Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature CloseAndUpdate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.6 AddCertificateObject is read only. For PullManagement , this Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role (see 7.2 ). For PushManagement ... this Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature AddCertificate( [in] ByteString Certificate [in] Boolean IsTrustedCertificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.7 RemoveCertificateObject is read only. For PullManagement , this Method shall be called from an authenticated SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role (see 7.2 ). For PushManagement ... this Method shall be called from an authenticated SecureChannel and from a Session that has access to the SecurityAdmin Role (see 7.2 ). Signature RemoveCertificate( [in] String Thumbprint [in] Boolean IsTrustedCertificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.3.2 GetRejectedListpresent on the CertificateGroup . For PushManagement , this Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature GetRejectedList ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 42 specifies the AddressSpace representation for the GetRejectedList Method . Table 42 - GetRejectedList
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.3 StartSigningRequestDiscoveryUrls known to the CertificateManager . This Method shall be called from an encrypted SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege ... text associated with the error shall indicate the exact problem. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 75 specifies the AddressSpace representation for the StartSigningRequest Method . Table 75 - StartSigningRequest
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.4 StartNewKeyPairRequestprivate key is generated. This Method shall be called from an encrypted SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege , or the ApplicationSelfAdmin ... text associated with the error should indicate the exact reason. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 76 specifies the AddressSpace representation for the StartNewKeyPairRequest Method . Table 76 - StartNewKeyPairRequest
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.5 FinishRequestprocess by calling StartNewKeyPairRequest again. This Method shall be called from an encrypted SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege ... text associated with the error should indicate the exact reason. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 77 specifies the AddressSpace representation for the FinishRequest Method . Table 77 - FinishRequest
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.6 RevokeCertificateUnregisterApplication Method is called (see 6.5.8 ). This Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role (see 7.2 ). If auditing ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 78 specifies the AddressSpace representation for the RevokeCertificate Method . Table 78 - RevokeCertificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.7 GetCertificateGroupsassigned to an application. This Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege , or the ApplicationSelfAdmin ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 79 specifies the AddressSpace representation for the GetCertificateGroups Method . Table 79 - GetCertificateGroups
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.8 GetCertificatesapplication and associated with the CertificateGroup . This Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 80 specifies the AddressSpace representation for the GetCertificates Method . Table 80 - GetCertificates
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.9 GetTrustListwith issuer Certificates in the TrustList . This Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 81 specifies the AddressSpace representation for the GetTrustList Method . Table 81 - GetTrustList
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.10 GetCertificateStatusMethod shall return UpdateRequired =TRUE. This Method shall be called from an authenticated SecureChannel and from a Client that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 82 specifies the AddressSpace representation for the GetCertificateStatus Method . Table 82 - GetCertificateStatus
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.11 CheckRevocationStatusCertificate and may do additional validation. This Method shall be called from an authenticated SecureChannel . Signature CheckRevocationStatus ( [in] ByteString certificate [out] StatusCode CertificateStatus [out] UtcTime ValidityTime ); Argument Description INPUTS certificate ... unknown. Method Result Codes (defined in Call Service) Result Code Description Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 83 specifies the AddressSpace representation for the CheckRevocationStatus Method . Table
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.5 UpdateCertificateanother Session then the Server shall return Bad_TransactionPending . If the SecureChannel is not authenticated the Server shall return Bad_SecurityModeInsufficient. If the Server returns ApplyChangesRequired =FALSE then ... requirements specified for the ApplyChanges Method . This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature UpdateCertificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.6 CreateSelfSignedCertificateanother Session then the Server shall return Bad_TransactionPending . If the SecureChannel is not authenticated the Server shall return Bad_SecurityModeInsufficient . The Server shall continue an existing transaction or create ... Server shall return Bad_NotSupported . This Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature CreateSelfSignedCertificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.7 DeleteCertificateanother Session then the Server shall return Bad_TransactionPending . If the SecureChannel is not authenticated the Server shall return Bad_SecurityModeInsufficient . The Server shall continue an existing transaction or create ... associated PrivateKey if no longer needed. This Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature DeleteCertificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.8 GetCertificatesCertificateTypes associated with a CertificateGroup . This Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature GetCertificates ... have the rights required. Bad_InvalidArgument The CertificateGroupId is not valid. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 92 specifies the AddressSpace representation for the GetCertificates Method . Table
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.9 ApplyChangesSession and associated Subscriptions are closed. This Method shall be called from an authenticated SecureChannel and from the Session that created the transaction and has access to the SecurityAdmin Role ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Bad_NothingToDo There is no active transaction. Bad_SessionIdInvalid The session
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.10 CreateSigningRequestcalled from a different Session . This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature CreateSigningRequest ... TransactionPending There is already a transaction active for another session. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 94 specifies the AddressSpace representation for the CreateSigningRequest Method . Table 94 - CreateSigningRequest
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.11 CancelChangeswaiting for the Client to ApplyChanges . This Method shall be called from an authenticated SecureChannel and from the Session that created the transaction and has access to the SecurityAdmin Role ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Bad_NothingToDo There is no active transaction. Bad_SessionIdInvalid The session
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.12 GetRejectedListentire list to be returned. This Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature GetRejectedList ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 96 specifies the AddressSpace representation for the GetRejectedList Method . Table 96 - GetRejectedList
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.13 ResetToServerDefaultsdefault configuration are vendor specific. This Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Signature ResetToServerDefaults (); Method ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Table 97 specifies the AddressSpace representation for the ResetToServerDefaults Method . Table 97 - ResetToServerDefaults
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.20 ApplicationConfigurationFileTypeConfirmUpdate is called. Methods that update the configuration shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2 ). Table
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.25 UserTokenSettingsDataTypeaccept. For other UserIdentityTokens this value shall specify the SecurityPolicy to use when the SecureChannel uses SecurityPolicy = None. CertificateGroupName 0:String The name of the corresponding entry in the CertificateGroups
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesApplication the right to request its own KeyCredentials . The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application. ApplicationAdmin This Privilege grants ... KeyCredentials for one or more OPC UA Applications. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.5.5 StartRequestrequestor is not the same as the application used to create the Secure Channel then a Certificate should be provided. PublicKey A Public Key used to encrypt the returned KeyCredential
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.5.6 FinishRequestKeyCredentialService has completed the request. This Method shall be called from an encrypted SecureChannel and from a Client that has access to the KeyCredentialAdmin Role, the ApplicationAdmin Privilege ... ApplicationSelfAdmin Privilege (see 8.2 ) . In addition, this Method shall only be called from a SecureChannel created with the same Certificate that the Client used to call StartRequest . Signature FinishRequest ( [in] NodeId RequestId [in] Boolean
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.5.7 RevokeKeyCredentials shall be deleted when revoked. This Method shall be called from an encrypted SecureChannel and from a Client that has access to the KeyCredentialAdmin Role, the ApplicationAdmin Privilege ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 128 specifies the AddressSpace representation for the RevokeCredential Method . Table 128 - Revoke
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.6.3 CreateCredentialKeyCredentialConfiguration Object . This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 8.2 ) . Signature CreateCredential ( [in] String Name ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 134 specifies the AddressSpace representation for the CreateCredential Method . Table 134 - CreateCredential
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.6.6 GetEncryptingKeyused to encrypt a KeyCredential . This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 8.2 ) . Signature GetEncryptingKey ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 137 specifies the AddressSpace representation for the GetEncryptingKey Method . Table 137 - GetEncryptingKey
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.6.7 UpdateCredentialencrypted data is described in 8.5.6 . This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 8.2 ) . Signature UpdateCredential ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 138 specifies the AddressSpace representation for the UpdateCredential Method . Table 138 - UpdateCredential
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.6.8 DeleteCredentialKeyCredential used by a Server . This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 8.2 ) . Signature DeleteCredential(); Method ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 139 specifies the AddressSpace representation for the DeleteCredential Method . Table 139 - DeleteCredential
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesApplication the right to request AccessTokens . The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application. A KeyCredential (see 8 ) provided
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesUserIdentityToken secrets in OPC 10000-4 . This Method shall be called from an encrypted SecureChannel and from a Client that has access to the AccessTokenRequestor Privilege (see 9.2 ) . Signature RequestAccessToken ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 148 specifies the AddressSpace representation for the RequestAccessToken Method . Table 148 - RequestAccessToken
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services9.6.6 StartRequestTokenfreed when the Session is closed. This Method shall be called from an encrypted SecureChannel and from a Client that has access to the AccessTokenRequestor Privilege (see 9.2 ) . Signature StartRequestToken ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 150 specifies the AddressSpace representation for the StartRequestToken Method . Table 150 - StartRequestToken
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services9.6.7 FinishRequestTokenRequestorData replaces the ClientNonce . This Method shall be called from an encrypted SecureChannel and from a Client that has access to the AccessTokenRequestor Privilege (see 9.2 ) . Signature FinishRequestToken ( [in] Guid ... UserAccessDenied The current user does not have the rights required. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 151 specifies the AddressSpace representation for the FinishRequestToken Method . Table 151 - FinishRequestToken
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services9.6.8 RefreshTokenRefreshToken. The CurrentRefreshToken shall only be accepted if the ClientCertificate used to create the SecureChannel is the same as the ClientCertificate used when the FinishRequestToken Method returned the original RefreshToken ... This Method shall be called from an encrypted SecureChannel and from a Client that has access to the AccessTokenRequestor Privilege (see 9.2 ) . Signature RefreshToken ( [in] String ResourceId [in] String CurrentRefreshToken
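The Part 12 method descriptions from 6.5.6 RegisterApplication through 9.6.8 RefreshToken above repeat one access-control pattern: the Call is refused with Bad_SecurityModeInsufficient unless the SecureChannel is "authenticated" or "encrypted" as the Method demands, refused with Bad_UserAccessDenied unless the Session user holds one of the listed Roles or Privileges, and, for FinishRequest (8.5.6) and RefreshToken (9.6.8), refused unless the channel was created with the same ClientCertificate as the earlier StartRequest or FinishRequestToken call. The following is an added example of a server-side gate implementing that pattern; it is not OPC Foundation code nor any stack's. It assumes "authenticated" means MessageSecurityMode Sign or SignAndEncrypt and "encrypted" means SignAndEncrypt; the requirement table is transcribed from the sections above (only Methods whose text is visible there); the result code for a certificate mismatch is not named on this page, so the example uses Bad_UserAccessDenied; thumbprints, request ids and Session contents are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

# Standard OPC UA StatusCode values.
GOOD = 0x00000000
BAD_USER_ACCESS_DENIED = 0x801F0000
BAD_SECURITY_MODE_INSUFFICIENT = 0x80E60000


class SecurityMode(IntEnum):
    """MessageSecurityMode of the SecureChannel (OPC 10000-4 enumeration values)."""
    NONE = 1
    SIGN = 2
    SIGN_AND_ENCRYPT = 3


@dataclass(frozen=True)
class SecureChannel:
    mode: SecurityMode
    # Thumbprint of the ClientCertificate that opened the channel (constructed values in tests).
    client_cert_thumbprint: str


@dataclass(frozen=True)
class Session:
    channel: SecureChannel
    roles: frozenset        # e.g. {"SecurityAdmin"}
    privileges: frozenset   # e.g. {"ApplicationSelfAdmin"}; in Part 12 derived from the channel's Certificate


# (channel requirement, Roles that suffice, Privileges that suffice), transcribed from Part 12.
# Assumption for this example: "authenticated" = Sign or SignAndEncrypt, "encrypted" = SignAndEncrypt.
METHOD_REQUIREMENTS = {
    "RegisterApplication":         ("authenticated", {"DiscoveryAdmin"}, {"ApplicationAdmin"}),
    "StartNewKeyPairRequest":      ("encrypted", {"CertificateAuthorityAdmin"},
                                    {"ApplicationAdmin", "ApplicationSelfAdmin"}),
    "RevokeCertificate":           ("authenticated", {"CertificateAuthorityAdmin"}, set()),
    "CheckRevocationStatus":       ("authenticated", set(), set()),   # channel check only
    "UpdateCertificate":           ("encrypted", {"SecurityAdmin"}, set()),
    "CreateSelfSignedCertificate": ("authenticated", {"SecurityAdmin"}, set()),
    "RequestAccessToken":          ("encrypted", set(), {"AccessTokenRequestor"}),
    "RefreshToken":                ("encrypted", set(), {"AccessTokenRequestor"}),
}


def channel_satisfies(channel, requirement):
    if requirement == "encrypted":
        return channel.mode == SecurityMode.SIGN_AND_ENCRYPT
    if requirement == "authenticated":
        return channel.mode in (SecurityMode.SIGN, SecurityMode.SIGN_AND_ENCRYPT)
    raise ValueError("unknown requirement: %r" % requirement)


def authorize_call(method, session):
    """StatusCode the Server answers a Call with, decided before the Method body runs."""
    requirement, roles, privileges = METHOD_REQUIREMENTS[method]
    if not channel_satisfies(session.channel, requirement):
        return BAD_SECURITY_MODE_INSUFFICIENT
    needs_user_check = bool(roles or privileges)
    if needs_user_check and not (session.roles & roles or session.privileges & privileges):
        return BAD_USER_ACCESS_DENIED
    return GOOD


class RequestTracker:
    """Binds a two-step request to the ClientCertificate of the SecureChannel it started on.

    FinishRequest (8.5.6) and RefreshToken (9.6.8) must arrive over a SecureChannel created
    with the same Certificate as the StartRequest / FinishRequestToken call. The page does not
    name the result code for a mismatch; this example returns Bad_UserAccessDenied.
    """

    def __init__(self):
        self._bound = {}   # request id -> client certificate thumbprint

    def start(self, request_id, session):
        self._bound[request_id] = session.channel.client_cert_thumbprint

    def finish(self, method, request_id, session):
        status = authorize_call(method, session)
        if status != GOOD:
            return status
        if self._bound.get(request_id) != session.channel.client_cert_thumbprint:
            return BAD_USER_ACCESS_DENIED
        del self._bound[request_id]   # one-shot: a replayed finish is refused
        return GOOD


if __name__ == "__main__":
    enc = SecureChannel(SecurityMode.SIGN_AND_ENCRYPT, "aa11")   # constructed thumbprint
    ca = Session(enc, frozenset({"CertificateAuthorityAdmin"}), frozenset())
    print("StartNewKeyPairRequest over SignAndEncrypt as CA admin: 0x%08X"
          % authorize_call("StartNewKeyPairRequest", ca))
    print("StartNewKeyPairRequest over Sign only: 0x%08X"
          % authorize_call("StartNewKeyPairRequest",
                           Session(SecureChannel(SecurityMode.SIGN, "aa11"), ca.roles, ca.privileges)))
```

The channel check is evaluated first so that a caller on a SecurityPolicy None channel is turned away before any Role lookup happens; the certificate binding in RequestTracker is what stops a token or credential issued to one application from being collected or refreshed by another application that merely holds the same user credentials.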
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Serviceslocation is known the application can connect to the CertificateManager and establish a SecureChannel . The application may choose to connect even if it has not been pre-configured to trust ... provide any secret information to a CertificateManager that is not trusted. After establishing a SecureChannel with the CertificateManager , the application needs to demonstrate that it has permission to request Certificates
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub6.2.12.3 PubSubKeyPushTargetDataTypepush. SecurityPolicyUri String The security policy the SKS shall use to establish a SecureChannel to the push target. UserTokenType UserTokenPolicy The type of user token to be used
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSubString that contains the security policy the SKS shall use to establish a SecureChannel to the PubSubKeyPushTarget . The MessageSecurityMode shall always be SignAndEncrypt . The Property UserTokenType contains the type
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security4.2.2 AddRole Methodadded. Bad_UserAccessDenied The caller does not have the necessary Permissions . Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Bad_AlreadyExists The Role already exists in the Server . Bad_ResourceUnavailable
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security4.2.3 RemoveRole Methodremoved. Bad_UserAccessDenied The caller does not have the necessary Permissions . Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Bad_RequestNotAllowed The specified Role Object cannot be removed. The RemoveRole Method
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security4.4.1 RoleType definitionother Endpoint settings are compared with the configured Endpoint that is used by the SecureChannel for the Session . The EndpointType DataType is defined in 4.4.2 . Fields that have default values
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security4.4.5 AddIdentity MethodUserAccessDenied The session user is not allowed to configure the object. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. The AddIdentity Method representation in the AddressSpace is formally defined in Table
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security4.4.6 RemoveIdentity MethodUserAccessDenied The session user is not allowed to configure the object. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. The RemoveIdentity Method representation in the AddressSpace is formally defined in Table
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security4.4.7 AddApplication MethodUserAccessDenied The session user is not allowed to configure the object. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Bad_ResourceUnavailable The Server does not have enough resources
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security4.4.8 RemoveApplication MethodUserAccessDenied The session user is not allowed to configure the object. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. The RemoveApplication Method representation in the AddressSpace is formally defined in Table
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security4.4.10 RemoveEndpoint MethodUserAccessDenied The session user is not allowed to configure the object. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. The RemoveEndpoint Method representation in the AddressSpace is formally defined in Table
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding3.1.10 DeviceIdentity CertificateProductInstanceUri is the ApplicationUri when the DeviceIdentity Certificate is used to create a SecureChannel
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding7.1 Overviewthat the Device possesses the PrivateKey associated with the Certificate . The Registrar uses the SecureChannel to provide an Application Instance Certificate to the DCA which will allow ... ApplicationId which is used to request new Certificates . The DCA reconnects using a new SecureChannel with the selected Certificate which provides proof that the Device possesses the PrivateKey associated with
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding7.3 Push ManagementEndpoints . If none found it chooses any one and establishes a SecureChannel and calls RequestTickets . The Registrar needs to validate the Tickets returned by the Device which requires access ... Registrar finds an EndpointDescription that matches a valid Ticket it will create a new SecureChannel using that EndpointDescription . It provides the DCA Certificate and TrustList to the Device . Once
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding7.4.2.2 Integration with the Registrarsupplies the FDO device with a Certificate that can be used to create a SecureChannel with the Registrar . The Registrar is preconfigured with the CA Certificate used
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding9.2.3 ProvideIdentitiesvalidate one of the Certificates . This Method shall be called from an authenticated SecureChannel . Signature ProvideIdentities ( [in] 0:ByteString [] identities, [in] 0:ByteString [] issuers, [in] 0:EncodedTicket [] tickets
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding9.2.4 UpdateSoftwareStatusprovide information about a manual process. This Method shall be called from an authenticated SecureChannel and from a Session that has access to the SoftwareUpdateAdmin Role (see 4.2.6 ). Signature UpdateSoftwareStatus
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding9.2.5 RegisterDeviceEndpointPushManagement to complete the onboarding process. This Method shall be called from an authenticated SecureChannel and from a Session that has access to the RegistrarAdmin Role (see 4.2.6 ). Signature RegisterDeviceEndpoint
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding9.2.6 GetManagersnetwork Endpoints accessible to the DCA. This Method shall be called from an authenticated SecureChannel and from a Session that has access to the DCA Privilege (see 4.2.6 ). Signature GetManagers
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboardingauthorized the Registrar returns Bad_RequestNotAllowed . This Method shall be called from an authenticated SecureChannel and from a Session that has access to the DCA Privilege (see 4.2.6 ). Signature RegisterManagedApplication
-
OPC-30010 – OPC UA for AutoId Devices - AutoID: OPC UA for AutoId Devices6.5.3.6 Method SetTagPasswordpassword for a specific transponder. The Method should only be called via a SecureChannel with encryption enabled. See Annex B for technology specific mappings. Signature SetTagPassword ( [in] ScanData Identifier
-
OPC-30300 – Using Generic Trust Anchor (GTA) API with OPC UA - Part 1: Generic Trust Anchor (GTA) API Profile for OPC UA5.2.3.2 Push Managementreturned to the Registrar . The Registrar selects one DeviceIdentity and starts a create SecureChannel Request . Details for establishing a SecureChannel are explained in 5.5 . The DeviceIdentity selected by the Registrar