Search

200 result(s) for Session

• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  2.1.41 Session
  Session logical long-running connection between a Client and a Server. Note 1 to entry: A Session maintains state information between Service calls from the Client to the Server
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  4.4.1.2 Discovery and Session establishment
  Discovery and Session establishment Application level security relies on a secure communication channel that is active for the duration of the application Session and ensures the integrity of all Messages ... exchanged. This means users need to be authenticated only once, when the application Session is established. The mechanisms for discovering Server s and establishing secure communication channels and application Sessions
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  4.5 Sessions
  ClientServer interaction requires a stateful model. The state information is maintained inside an application Session . Examples of state-information are Subscriptions , user credentials and continuation points for operations that span ... number of concurrent Sessions based on resource availability, licensing restrictions, or other constraints. Each Session is independent of the underlying communications protocols. Failures of these protocols do not automatically cause
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  6.3 SecureChannel Service Set
  security policy for the channel. A SecureChannel is separate from the UA Application Session ; however, a single UA Application Session may only be accessed via a single SecureChannel . This implies ... used to implement the SecureChannel Service Set . The relationship between the UA Application Session and the SecureChannel is illustrated in Figure 8 . The UA applications use the communication stack
• OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts
  6.4 Session Service Set
  Session Service Set This Service Set defines Services used to establish an application-layer connection in the context of a Session on behalf of a specific user
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.2.2 Message flooding
  with requests. Two cases exist, one in which the Client does not have a Session with the Server and one in which it does. Message flooding can impair the ability ... establish OPC UA Sessions or terminate an existing Session . In the second scenario, an attacker could use a malicious Client that floods an OPC UA Server with malformed Message
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.2.3 Resource Exhaustion
  SecureChannel s, without actually completing the process.The Client might not even open a Session , just open a socket to the Server . Resource exhaustion attacks do not occur in the same ... manner for PubSub communications since no session or resources are allocated. For PubSub communication, the Publisher is not susceptible. In broker-less PubSub communication, the Subscriber can, with
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.6 Message replay
  cause damage or property loss. An attacker could attempt to establish a Session using a recorded Session . Message replay impacts Authorization and during Session / SecureChannel establishment Authentication
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.3.9 Session hijacking
  Session hijacking An attacker could use information (retrieved by sniffing the communication or by guessing) about a running Session established between two applications to inject manipulated Message s (with valid ... session information) that allow him or her to take over the Session from the authorized user. An attacker could gain unauthorized access to data or perform unauthorized operations. Session hijacking
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.5.2.1 Overview
  Overview Client / Server communication can include both Session and session-less communication. Security in part is provided by the application or by the communications layers. It can also utilize transport
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.5.2.2 Session application layer
  Session application layer The routine work of a Client application and a Server application to transmit information, settings, and commands is done in a Session in the Application Layer ... security objectives that are managed by the application layer are addressed by the Session Services that are specified in OPC 10000-4 . A Session in the application layer communicates over
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.5.2.4 Transport layer
  require application Authentication , if this is required it can be included as part of Session establishment
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.7 Security Profiles
  Profile that specifies which of the security setting choices to use in the Session . The security policy does not specify the range of choices that the product offers, they
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.9 User Authentication
  achieved when the Client passes user credentials to the Server as specified via Session Services (described in OPC 10000-4 ). The Server can authenticate the user with these credentials ... owner (user) of a Session can be changed using the ActivateSession Service in order to meet needs of the application. User Authentication is not directly part of the Publish - Subscribe
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.12 Roles
  Roles illustrated in Figure 6 . Clients are then granted Roles based on connection information ( Session creation). Roles could be restricted by User Authentication , Application Authentication , SecurityModes , or Transports . The assignment
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  4.14.1 General
  connection attempts, results of security option negotiations, configuration changes, system changes, user interactions and Session rejections. OPC UA provides support for security audit trails through two mechanisms. First, it provides
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.4 Message spoofing
  well as the correct sequence number. OPC UA when operating as part of a Session , restricts user spoofing in the same manner since the user information is provided as part ... Session establishment. It is important that when a device starts up that the SessionId that is initially assigned to the first Session is a random number or a continuation
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.6 Message replay
  Message without it being detected and rejected. The establishment of a SecureChannel or Session includes the same signature, timestamps and sequence number that are part of all messages and thus ... concern in a CSMS, then these fields need to be enabled. For session-less communication, OPC UA uses Timestamps , sequence numbers and RequestIds for every request and response Message . Message
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.9 Session hijacking
  Session hijacking See 4.3.9 for a description of this threat. OPC UA counters Session hijacking by assigning a security context (i.e. SecureChannel ) with each Session as specified in the CreateSession ... Service in OPC 10000-4 . Hijacking a Session would thus first require compromising the security context
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  5.1.13 Repudiation
  that the message originated from the owner of the private key. During OpenSecureChannel and Session establishment the communicating parties are clearly identified and confirmed. Lastly Auditing as described
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  6.2 Appropriate timeouts:
  service: Denial of service conditions could exist when a Client does not reset a Session , if the timeouts are very large. Resource consumption: When a Client is idle for long
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  6.20 Changing Users in OPC UA
  ActivateSession Service allows a Client to change the user that is involved with the Session . This Service can have security related implications. Developers have to ensure that when a user
• OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  8.2 Rogue GDS
  that the EndpointUrl matches the Hostnames specified in the certificate before it creates a Session with a Server . After it creates a Session, it looks at the EndpointDescriptions returned
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  4.9.1 Overview
  Adding, deleting, and modifying Roles is restricted to callers with appropriate permissions. When a Session is created, or a Session-less Service is called, the Server must determine what Roles ... granted to that Session or Session-less Service invocation. This specification defines standard mapping rules which Servers may support. Servers may also use vendor specific mapping rules in addition
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  4.9.2 Well Known Roles
  browse, read live data, read historical data/events or subscribe to data/events. In addition, the Session is allowed to write some live data and call some Methods . Engineer The Role
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  4.9.3 Evaluating Permissions with Roles
  access a Node, the Server goes through the list of Roles granted to the Session and logically ORs the Permissions for the Role on the Node. If there ... illustrate how the standard mapping rules can be used to determine which Roles a Session has access to and, consequently, the Permissions that are granted to the Session . Table
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  5.2.9 RolePermissions
  Server publishes information about the Roles for a Namespace assigned to the current Session, it shall add the DefaultUserRolePermissions Property to the NamespaceMetadata Object for that Namespace. The value ... shall be a readonly list of Permissions for each Role assigned to the current Session . If a particular Node in the Namespace overrides the default RolePermissions the Server shall also
• OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
  5.2.10 UserRolePermissions
  specifies the Permissions that apply to a Node for all Roles granted to current Session . The value of the Attribute is an array of RolePermissionType Structures (see Table 8 ). Clients ... then the Server does not publish any information about Roles mapped to the current Session
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  3.1.3 DiscoveryEndpoint
  security Note 1 to entry: A DiscoveryEndpoint allows access to Discovery Services without a Session and without message security
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  4.1 Service Set model
  Integrity of Messages exchanged with the Server . Figure 2 - SecureChannel Service Set The Session Service Set , illustrated in Figure 3 , defines Services that allow the Client to authenticate the user ... whose behalf it is acting and to manage Sessions . Figure 3 - Session Service Set The NodeManagement Service Set , illustrated in Figure 4 , defines Services that allow the Client
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.3 Service results
  band mechanism that the application or user credentials used to create a Session or SecureChannel have been compromised, then the Server should immediately terminate all sessions and channels that
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.5.1 Overview
  Servers. Every Server shall have a DiscoveryEndpoint that Clients can access without establishing a Session . This Endpoint may or may not be the same Session Endpoint that Clients
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.6.1 Overview
  requirements that depend on the technology used. The correlation between the OPC UA Application Session and the SecureChannel is illustrated in Figure 13 . The Communication Stack is used ... secure exchange of Messages . In the second step, the OPC UA Applications use the Session Service Set to establish an OPC UA Application Session . Figure 13 - SecureChannel and Session Services
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.6.2.1 Description
  that can be used to ensure Confidentiality and Integrity for Message exchange during a Session . This Service requires the Communication Stack to apply the various security algorithms to the Messages ... service attacks, the Server shall close the oldest unused SecureChannel that has no Session assigned before reaching the maximum number of supported SecureChannels . When Session -less Service invocation is done
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.1 Overview
  defines Services for an application layer connection establishment in the context of a Session
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.2.1 Description
  Description This Service is used by an OPC UA Client to create a Session and the Server returns two values which uniquely identify the Session . The first value ... sessionId which is used to identify the Session in the audit logs and in the Server's AddressSpace . The second is the authenticationToken which is used to associate an incoming
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.2.2 Parameters
  value provided. endpointUrl String The network address that the Client used to access the Session Endpoint . The Server uses this information for diagnostics and to determine what URLs to return ... recognize the HostName in the URL sessionName String Human readable string that identifies the Session . The Server makes this name and the sessionId visible in its AddressSpace for diagnostic purposes
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.3.1 Description
  used by the Client to specify the identity of the user associated with the Session . This Service request shall be issued by the Client before it issues any Service request ... CloseSession after CreateSession . Failure to do so shall cause the Server to close the Session . Whenever the Client calls this Service the Client shall prove that it is the same
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.3.2 Parameters
  needs to be specified during the first call to ActivateSession during a single application Session . If it is null or empty the Server shall keep using the current localeIds ... Session . userIdentityToken Extensible Parameter UserIdentityToken The credentials of the user associated with the Client application. The Server uses these credentials to determine whether the Client should be allowed to activate
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.3.3 Service results
  IdentityChangeNotSupported The Server does not support changing the user identity assigned to the session. Bad_SecurityPolicyRejected See Table 178 for the description of this result code. Good_PasswordChangeRequired ... user succeeded but the user is required to change the password. The activated Session has limited rights and is mainly available to change the password. The detailed definitions for UserManagement
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.7.4.1 Description
  Description This Service is used to terminate a Session . The Server takes the following actions when it receives a CloseSession request: It stops accepting requests for the Session . All subsequent ... requests received for the Session are discarded. It returns negative responses with the StatusCode Bad_SessionClosed to all requests that are currently outstanding to provide for the timely return
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.3.1 Description
  Client in the original Browse request. The BrowseNext shall be submitted on the same Session that was used to submit the Browse or BrowseNext that is being continued
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.9.5.1 Description
  Value Attribute . Registered NodeIds are only guaranteed to be valid within the current Session . Clients shall unregister unneeded Ids immediately to free up resources. RegisterNodes does not validate the NodeIds
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.11.3.2 Parameters
  value is null or empty. Servers shall support at least one continuation point per Session . Servers specify a max history continuation points per Session in the Server capabilities Object defined ... shall remain active until the Client passes the continuation point to HistoryRead or the Session is closed. If the max continuation points have been reached the oldest continuation point shall
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.12.2.1 Description
  Properties of the Method . If the Method is invoked in the context of a Session and the Session is terminated, the results of the Method's execution cannot be returned
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.13.2.1 Description
  Client reuses a Subscription after a short network interruption by activating the existing Session on a new SecureChannel as described in 6.7 . If a Client called CreateMonitoredItems during the network ... Server shall verify that the Method is called within the Session context of the Session that owns the Subscription
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.13.2.2 Parameters
  unique within the Subscription , but might not be unique within the Server or Session . This parameter is present only if the statusCode indicates that the MonitoredItem was successfully created. revisedSampling
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.1.1 Description
  Client in response to Publish requests. Publish requests are normally queued to the Session as they are received, and one is de-queued and processed by a Subscription related ... this Session for each publishing cycle, if there are Notifications to report. When there are not, the Publish request is not de-queued from the Session , and the Server waits
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.1.3 State variables and parameters
  TRUE only when the Subscription related Service is called with the Session the Subscription is assigned to. A Subscription is assigned to the Session that created it. That assignment
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.1.4 Functions
  same user and supports the same Profiles as the Client of the previous Session . CreateNotificationMsg() Increment the SeqNum and create a NotificationMessage from the MonitoredItems assigned to the Subscription . Save ... lifetime expires and Good_SubscriptionTransferred is used if the Subscriptions was transferred to another Session. ResetKeepAliveCounter() Reset the keep-alive counter to the maximum keep-alive count of the Subscription
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.2.2 Parameters
  definition). This identifier shall be unique for the entire Server , not just for the Session , in order to allow the Subscription to be transferred to another Session using the TransferSubscriptions
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.7.1 Description
  Description This Service is used to transfer a Subscription and its MonitoredItems from one Session to another. For example, a Client may need to reopen a Session and then transfer ... Subscriptions to that Session . It may also be used by one Client to take over a Subscription from another Client by transferring the Subscription to its Session . The authenticationToken contained
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.7.3 Service results
  description of this result code. Bad_InsufficientClientProfile The Client of the current Session does not support one or more Profiles that are necessary for the Subscription
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.7.4 StatusCodes
  Table 178 for the description of this result code. The Client of the current Session is not operating on behalf of the same user as the Session that owns ... Subscription . Bad_TooManySubscriptions The Server has reached its maximum number of Subscriptions for the Session . Bad_NothingToDo See Table 178 for the description of this result code. This result code
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  5.14.8.1 Description
  invoked to delete one or more Subscriptions that belong to the Client's Session . Successful completion of this Service causes all MonitoredItems that use the Subscription to be deleted ... this is the last Subscription for the Session , then all Publish requests still queued for that Session are de-queued and shall be returned with Bad_NoSubscription. Subscriptions that were
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.4 Creating a SecureChannel
  Creating a SecureChannel All OPC UA Applications shall establish a SecureChannel before creating a Session . This SecureChannel requires that both applications have access to Certificates that can be used ... this reason, OPC UA Applications will need to exchange their ApplicationInstanceCertificates when creating a Session
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.5 Creating a Session
  Creating a Session Once an OPC UA Client has established a SecureChannel with a Server it can create an OPC UA Session . The steps involved in establishing a Session ... shown in Figure 22 . Figure 22 - Establishing a Session Figure 22 illustrates the interactions between a Client , a Server , a Certificate Authority (CA) and an identity provider
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.6 Impersonating a User
  Impersonating a User Once an OPC UA Client has established a Session with a Server it can change the user identity associated with the Session by calling the ActivateSession service
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.1.7 Continuous security checks
  does not use ApplicationInstanceCertificates , the OPC UA Application should execute ApplicationInstanceCertificate checks for the Session at a rate used for SecureChannel renewals. The recovery mechanisms for ApplicationInstanceCertificate replacement scenarios
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.3.1 Description
  Description The Session -less Service invocation is introduced for Services, such as Read , Write or Call , that do not require any caller specific state information. It is accessible through ... SessionlessInvoke Service which provides the context information required to call Services without a Session . Session -less invocation is limited to Services of the View Service Set (with exception of RegisterNodes
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.5.6 Auditing for Session Service Set
  Auditing for Session Service Set All Services in this Service Set for Servers that support auditing may generate audit entries and shall generate audit Events for both successful and failed ... generate AuditSessionEventType events or subtypes of it. It shall always be generated if a Session is terminated like Session timeout expiration or Server shutdown. The SourceName for Events of this
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.3.1 Client behaviour
  ServiceLevel of each Server, and which Server is currently responsible for the Client Session . This information is specified in TransparentRedundancyType ObjectType defined in OPC 10000-5 . Since the ServerUri
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.2.3.2 Server requirements
  Server requirements All OPC UA interactions within a given Session shall be supported by one Server and the Client is able to identify which Server that is, allowing a complete ... that information is synchronized between the Servers . A functional Server will take over the Session and Subscriptions from the Failed Server . Failover may require a reconnection of the Client
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.6.3 Client Redundancy
  information in the Server diagnostic information. Since Subscription lifetime is not tied to the Session in which it was created, backup Clients may use standard diagnostic information available to monitor ... active Client's Session with the Server . Upon detection of an active Client failure, a backup Client would then instruct the Server to transfer the Subscriptions to its own session
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.7 Re-establishing connections
  Client shall re-establish the connection by creating a new SecureChannel and activating the Session with the Service ActivateSession . If the OpenSecureChannel fails, the Client should delay the retry ... configurable time. The ActivateSession assigns the new SecureChannel to the existing Session and allows the Client to reuse the Session and Subscriptions in the Server . To re-establish the SecureChannel
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  6.8 Durable Subscriptions
  durable Subscription . The Server shall verify that the Method is called within the Session context of the Session that owns the Subscription . A value of 0 for the parameter lifetimeInHours ... communication interruptions Use the Service TransferSubscriptions to assign the durable Subscription to a new Session for data transfer Store SubscriptionId , MonitoredItem client and server handles and the last confirmed sequence
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  7.9 ContinuationPoint
  there are more results to return. Servers shall support at least one ContinuationPoint per Session . Servers specify a maximum number of ContinuationPoints per Session in the ServerCapabilities Object defined ... until the Client retrieves the remaining results, the Client releases the ContinuationPoint or the Session is closed. A Server shall automatically free ContinuationPoints from prior requests from a Session
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  7.22.3 EventFilter
  UserAccessDenied if the value is not accessible to the user associated with the Session . If a Value Attribute has an uncertain or bad StatusCode associated with it then the Server
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  7.32 RequestHeader
  RequestHeader Name Type Description RequestHeader structure Common parameters for all requests submitted on a Session . authenticationToken Session AuthenticationToken The secret Session identifier used to verify that the request is associated ... with the Session. The SessionAuthenticationToken type is defined in 7.35 . timestamp UtcTime The time the Client sent the request. The parameter is only used for diagnostic and logging purposes
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  7.35 SessionAuthenticationToken
  opaque identifier that is used to identify requests associated with a particular Session . This identifier is used in conjunction with the SecureChannelId or Client Certificate to authenticate incoming messages
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  7.38.2 Common StatusCodes
  CompletesAsynchronously The processing will complete asynchronously. Good_SubscriptionTransferred The Subscription was transferred to another session. Bad_CertificateHostNameInvalid The HostName used to connect to a Server does not match a HostName ... valid. Bad_ServiceUnsupported The Server does not support the requested service. Bad_SessionIdInvalid The Session id is not valid. Bad_SessionClosed The Session was closed by the Client . Bad_SessionNotActivated
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  7.40.5 X509IdentityTokens
  X509IdentityTokens have an validity period and a Server shall invalidate the credentials of the Session within a configurable time after the token expires. The Session shall stay valid with ... Anonymous Role . If the Server does not allow anonymous users, it should close the Session . Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption
• OPC-10000-4 – OPC Unified Architecture - Part 4: Services
  7.40.6 IssuedIdentityToken
  IssuedIdentityTokens have an expiration time, and a Server shall invalidate the credentials of the Session within a configurable time after the token expires. The Session shall stay valid with ... Anonymous Role . If the Server does not allow anonymous users, it should close the Session . Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  5.1 General
  specific role permissions can be provided. UserRolePermissions Optionally the role permissions of the current Session can be provided. The value is server-specific and depends on the RolePermissions Attribute ... provided) and the current Session . AccessRestrictions Optionally server-specific access restrictions can be provided
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  6.3.2 ServerCapabilitiesType
  parallel continuation points of the Browse Service that the Server can support per session. The value specifies the maximum the Server can support under normal circumstances, so there ... parallel continuation points of the QueryFirst Services that the Server can support per session. The value specifies the maximum the Server can support under normal circumstances, so there
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  6.3.3 ServerDiagnosticsType
  also used as Variables referenced by other Variables . SessionsDiagnosticsSummary contains diagnostic information per session, as defined in 6.3.4 . EnabledFlag identifies whether or not diagnostic information is collected by the Server ... static diagnostic Nodes except the EnabledFlag Property . Dynamic diagnostic Nodes (such as the Session Nodes ) will not appear in the AddressSpace . If the collection of diagnostic information is not supported
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  6.3.5 SessionDiagnosticsObjectType
  SessionDiagnosticsObjectType This ObjectType defines diagnostic information about a session of the OPC UA Server . This ObjectType is formally defined in Table 13 . Table 13 - SessionDiagnosticsObjectType definition Attribute Value BrowseName SessionDiagnosticsObjectType ... PropertyType Optional Conformance Units Base Info ServerType SessionDiagnostics contains general diagnostic information about the session; the SessionSecurityDiagnostics Variable contains security-related diagnostic information. Because the information of the second Variable
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  6.3.7 ServerRedundancyType
  Redundant Set ; including their service levels (see 12.7 ). This array may change during a Session ; the order of the array elements shall always be the same order as the array
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  6.3.8 TransparentRedundancyType
  currently-used Server in the Redundant Set . This Server is valid only inside a Session ; if a Client opens several Sessions , different Servers of the redundant set of Servers ... Redundant Set ; including their service levels (see 12.7 ). This array may change during a Session
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  6.4.10 AuditActivateSessionEventType
  SecureChannel. The application shall use the same identifier in all AuditEvents related to the Session Service Set (AuditCreateSessionEventType, AuditActivateSessionEventType and their subtypes) and the SecureChannel Service Set (AuditChannelEventType ... array providing the NodeId of each Role the Server has granted to the activated Session . The additional definition for the conformance units of AuditActivateSessionEventType are defined in Table 35 . Table
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  6.4.35 ProgressEventType
  Property for Events of this type shall be assigned to the NodeId of the Session Object where the operation was initiated. The SourceName for Events of this type shall ... finished. It is recommended that Servers only expose ProgressEvents for Service calls to the Session that invoked the Service
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  9.1 GetMonitoredItems
  Method was not called in the context of the Session that owns the Subscription . Table 118 specifies the AddressSpace representation for the GetMonitoredItems Method . Table 118 - GetMonitoredItems Method AddressSpace definition
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  9.2 ResendData
  Method was not called in the context of the Session that owns the Subscription . Table 119 specifies the AddressSpace representation for the ResendData Method . Table 119 - ResendData Method AddressSpace definition
• OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  9.3 SetSubscriptionDurable
  Method was not called in the context of the Session that owns the Subscription . Table 120 specifies the AddressSpace representation for the SetSubscriptionDurable Method . Table 120 - SetSubscriptionDurable Method AddressSpace definition
• OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
  5.1.12 QualifiedName, NodeId and ExpandedNodeId String Encoding
  known from the context. For example, when a Client establishes a Session with a Server , the Server supplies the NamespaceTable that is used for all exchanges within that Session . Another
• OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
  6.2.1 General
  also used as form of UserIdentityToken which identifies a user associated with a Session . Clause 6.2.3 describes Certificates used as UserIdentityTokens
• OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
  6.5.2.3 Access Tokens
  issuer. Access Tokens expire and all Servers should revoke any privileges granted to the Session when the Access Token expires. If the Server allows for anonymous users, the Server could ... allow the Session to stay open but treat it as an anonymous user. If the Server does not allow anonymous users, it should close the Session immediately. Clients know when
• OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
  6.8.3 ECC and RSA-DH Encrypted Secret
  mechanism that allows the sender to acquire the receiver EphemeralKey when using a Session . Using the EccEncryptedSecret in other contexts requires a different mechanism. Once the sender has the receiver
• OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
  7.1.3 Establishing a connection
  Servers shall maintain at least one open socket without an active Session with each Client it is configured to connect to. Servers may delay re-connecting if the Client reports ... future (the sequence may pause here). Client may use SecureChannel for Discovery or Session-less Service invocations. Once a SecureChannel is established, the Server shall create a new socket
• OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
  7.4.2 Session-less Services
  Session-less Services Session - less Services (see OPC 10000-4 ) may be invoked via HTTPS POST. The HTTP Authorization header is used to specify the UserIdentity used to determine what
• OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
  7.5.1 Overview
  SecureChannel negotiation when using opcua+json sub-protocol. The default UserIdentity for any Session-less Service calls made over the WebSocket is specified by the opcua+token sub-protocol ... also be used to determine if the Client is allowed to create a Session
• OPC-10000-8 – OPC Unified Architecture - Part 8: Data Access
  5.6.4.4 Mapping of UN/CEFACT to EUInformation
  each displayName . However, if none of the LocaleIds specified by the Client for the Session matches these additional locales, the Server shall return the invariant locale. The Name field shall ... each description . However, if none of the LocaleIds specified by the Client for the Session matches these additional locales, the Server shall return the invariant locale
• OPC-10000-8 – OPC Unified Architecture - Part 8: Data Access
  5.6.4.5 Mapping of IEC 62720 to EUInformation
  each displayName . However, if none of the LocaleIds specified by the Client for the Session matches these additional locales, the Server shall return the invariant locale. The Preferred Name field ... each description . However, if none of the LocaleIds specified by the Client for the Session matches these additional locales, the Server shall return the invariant locale
• OPC-10000-9 – OPC Unified Architecture - Part 9: Alarms & Conditions
  5.5.7 ConditionRefresh Method
  being refreshed. The Server shall verify that the SubscriptionId provided is part of the Session that is invoking the Method . Method result codes in Table 19 (defined in Call ... result code Bad_UserAccessDenied The Method was not called in the context of the Session that owns the Subscription See 10000-4 for the general description of this result code
• OPC-10000-9 – OPC Unified Architecture - Part 9: Alarms & Conditions
  5.5.8 ConditionRefresh2 Method
  being refreshed. The Server shall verify that the SubscriptionId provided is part of the Session that is invoking the Method . MonitoredItemId The identifier of the MonitoredItem being refreshed. The MonitoredItemId ... result code Bad_UserAccessDenied The Method was not called in the context of the Session that owns the Subscription See 10000-4 for the general description of this result code
• OPC-10000-10 – OPC Unified Architecture - Part 10: Programs
  5.2.8 ProgramDiagnostic2 DataType
  Name Type Description ProgramDiagnostic2DataType structure createSessionId NodeId The CreateSessionId contains the SessionId of the Session on which the call to the Create Method was issued to create the Program Invocation ... createClientName String The CreateClientName is the name of the Client of the Session that created the Program Invocation . invocationCreationTime UtcTime The InvocationCreationTime identifies the time the Program Invocation was created
• OPC-10000-11 – OPC Unified Architecture - Part 11: Historical Access
  5.8.1 General
  generate an AuditEvent describing the Variable as the source and the user and Client Session as the initiators of the Event . Not all Servers support auditing, but if a Server
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  6.2 Roles and Privileges
  provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to Privileges which are assigned to Sessions using
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  6.3 Client connections to global services
  should first close Sessions without GDS management Privileges . Otherwise, it may close the Session that was inactive for the longest time. It is also recommended to use a short maximum ... session timeout on the GDS. Actions performed cyclically by applications during PullManagement shall start the second cycle with a random delay that is between one and at least ten percent
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  6.5.10 QueryApplications
  ApplicationType ApplicationType ApplicationNames ApplicationName The name that best matches the preferredLocales for the current Session is returned. If there is no Session the first element is returned. ProductUri ProductUri discoveryUrls
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  6.5.11 QueryServers (deprecated)
  ApplicationType -- Ignored ApplicationNames serverName The name that best matches the preferredLocales for the current Session is returned. If there is no Session the first element is returned. ProductUri -- Ignored discoveryUrls
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.2 Roles and Privileges
  provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to Privileges which are assigned to Sessions using
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.6 Pull Management Workflow
  following options are possible to start the PullManagement . Continue application setup using the Session available from the application registration workflow described in 6.4 . Cyclic check of the application status using
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.7.2 Update Certificates Workflow
  Server . Connect The CertificateManager creates a secure connection using encryption and a Session with the Server . The Session requires access to the SecurityAdmin Role or equivalent. Possible credentials used ... happens the CertificateManager may need to use the new Certificate to re-establish a Session with the Server . Disconnect Disconnect from Server
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.7.6 Update Configuration Workflow
  when a CertificateManager has completed updates to a local copy of the ApplicationConfiguration . A Session with SecurityAdmin access rights exists. The ConfigurationFile Object belongs to the ApplicationConfiguration being updated
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.8.2.2 Open
  code is Bad_NotSupported . If a transaction is in progress (see 7.10.9 ) on another Session then the Server shall return Bad_TransactionPending if Open is called with the Write Mode
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.8.2.5 CloseAndUpdate
  existing transaction and sets ApplyChangesRequired to TRUE. If a transaction exists on the current Session , the Server does not update the TrustList until ApplyChanges (see 7.10.9 ) is called. Any Clients ... that exceeds the MaxTrustListSize for the Server . Bad_TransactionPending Changes are queued on another Session (see 7.10.9 ). Table 29 specifies the AddressSpace representation for the CloseAndUpdate Method . Table 29 - CloseAndUpdate
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.8.2.7 RemoveCertificate
  PullManagement , this Method shall be called from an authenticated SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role (see 7.2 ). For PushManagement , this Method shall be called ... from an authenticated SecureChannel and from a Session that has access to the SecurityAdmin Role (see 7.2 ). Signature RemoveCertificate( [in] String Thumbprint [in] Boolean IsTrustedCertificate ); Argument Description Thumbprint The SHA1
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.8.5.2 CloseAndUpdate
  VersionToUpdate does not match the CurrentVersion . Bad_ChangesPending Changes are queued on another Session (see 7.10.9 ) Bad_SecurityModeInsufficient The SecureChannel is not authenticated. Operation Result Codes (Returned in UpdateResults) Result
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.9.3 StartSigningRequest
  CertificateManager . This Method shall be called from an encrypted SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege , or the ApplicationSelfAdmin Privilege
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.9.4 StartNewKeyPairRequest
  generated. This Method shall be called from an encrypted SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege , or the ApplicationSelfAdmin Privilege
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.9.5 FinishRequest
  StartNewKeyPairRequest again. This Method shall be called from an encrypted SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege , or the ApplicationSelfAdmin Privilege
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.10.2 Transaction Lifecycle
  shall queue the changes in the order that they were requested within the current Session . When ApplyChanges is called the Server verifies that all the changes are consistent ... expected to support exactly one active transaction. Once a transaction has started in Session all other Sessions will not be able to modify TrustLists or Certificates . Transactions are automatically cancelled
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.10.5 UpdateCertificate
  PrivateKey was not provided. If a transaction is in progress (see 7.10.9 ) on another Session then the Server shall return Bad_TransactionPending . If the SecureChannel is not authenticated the Server ... integrity of the Certificate . Bad_TransactionPending There is already a transaction active for another session. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 89 specifies the AddressSpace representation
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.10.6 CreateSelfSignedCertificate
  InvalidState error is returned. If a transaction is in progress (see 7.10.9 ) on another Session then the Server shall return Bad_TransactionPending . If the SecureChannel is not authenticated the Server ... SecureChannel is not authenticated. Bad_TransactionPending There is already a transaction active for another session. Bad_InvalidState There is already a Certificate assigned to the CertificateType slot. Bad_NotSupported
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.10.7 DeleteCertificate
  InvalidState error is returned. If a transaction is in progress (see 7.10.9 ) on another Session then the Server shall return Bad_TransactionPending . If the SecureChannel is not authenticated the Server ... SecureChannel is not authenticated. Bad_TransactionPending There is already a transaction active for another session. Bad_InvalidState There is no Certificate assigned to the CertificateType slot. Table 42 specifies
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.10.9 ApplyChanges
  applied and ApplyChanges can be called again after the TrustList is closed. If a Session is closed or abandoned then the transaction is closed and all pending changes are discarded ... Client reconnect logic (see OPC 10000-4 ) allows them to recover their Session and Subscriptions . Note that some Clients may not be able to reconnect because they are no longer
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.10.10 CreateSigningRequest
  shall be available for UpdateCertificate even if it is called from a different Session . This Method shall be called from an encrypted SecureChannel and from a Client that has access ... have the rights required. Bad_TransactionPending There is already a transaction active for another session. Bad_SecurityModeInsufficient The SecureChannel is not encrypted. Table 94 specifies the AddressSpace representation
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.10.11 CancelChanges
  ApplyChanges . This Method shall be called from an authenticated SecureChannel and from the Session that created the transaction and has access to the SecurityAdmin Role (see 7.2 ). Signature CancelChanges(); Method ... SecureChannel is not authenticated. Bad_NothingToDo There is no active transaction. Bad_BadSessionIdInvalid The session is not valid for the active transaction. Table 93 specifies the AddressSpace representation
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.10.19 ApplicationConfigurationDataType
  shall have a CertificateType slot compatible with the Server Certificate used for the current Session . If no such slot exists the configuration update is rejected. The TrustList associated with that ... CertificateGroup shall trust the Client Certificate used for the current Session. Updates to the configuration are applied in the following order: ApplicationIdentity CertificateGroups UserTokenSettings SecuritySettings ServerEndpoints ClientEndpoints AuthorizationServices While processing
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  7.10.20 ApplicationConfigurationFileType
  ApplicationConfiguration defined in 7.10.19 . If a transaction is in progress (see 7.10.9 ) on another Session then the Server shall return Bad_TransactionPending if Open is called with Write Mode
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  8.2 Roles and Privileges
  provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to Privileges which are assigned to Sessions using
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  9.2 Roles and Privileges
  provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to Privileges which are assigned to Sessions using
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  9.3 Implicit
  case describes how the Client's ApplicationInstance Certificate and any UserIdentityToken associated with the Session is used to determine whether an AccessToken is permitted and what claims are available. This ... credentials used can be any type of user credential including X.509 and JWT. The Session with the "Authorization Server" may be created explicitly with a call to CreateSession
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  9.4 Explicit
  authenticates itself with a UserIdentityToken provided in the FinishRequestToken Method call. User credentials for Session with the Authorization Server are not required. This use case is illustrated in Figure ... claims granted to the Client . The StartRequestToken and FinishRequestToken Methods can be invoked via Session -less Method calls
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  9.6.5 RequestAccessToken (Deprecated)
  provided the Server should use the ApplicationInstanceCertificate and/or the UserIdentityToken provided for the Session (or the request if using a Session -less Method Call ) to determine privileges. If the associated
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  9.6.6 StartRequestToken
  FinishRequestToken immediately after this Method returns. The RequestId is only accessible via the current Session and resources are freed when the Session is closed. This Method shall be called from
• OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  G.2 Application setup with the PushManagement
  good practice for a Client to always check the ServerState after creating a Session . If the ServerState is NoConfiguration then the Client should check the InApplicationSetup Property on the ServerConfiguration
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.4.2 InvalidateKeys Method
  Method on the Server . Signature InvalidateKeys (); Method Result Codes ResultCode Description Bad_UserAccessDenied The Session user is not allowed invalidate the keys on this SecurityGroup . Bad_SecurityModeInsufficient The communication channel
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.4.3 ForceKeyRotation Method
  Method on the Server . Signature ForceKeyRotation (); Method Result Codes ResultCode Description Bad_UserAccessDenied The Session user is not allowed force key rotation on this SecurityGroup . Bad_SecurityModeInsufficient The communication channel
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.5.2 AddSecurityGroup Method
  Object . Bad_InvalidArgument The SecurityPolicyUri is not supported by the SKS. Bad_UserAccessDenied The Session user is not allowed to configure the object. Bad_SecurityModeInsufficient The communication channel
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.5.3 RemoveSecurityGroup Method
  NodeIdInvalid The SecurityGroupNodeId is not a NodeId of a SecurityGroupType Object . Bad_UserAccessDenied The Session user is not allowed to delete the SecurityGroupType Object . Bad_SecurityModeInsufficient The communication channel
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.5.4 AddSecurityGroupFolder Method
  Name may be too long or may contain invalid characters. Bad_UserAccessDenied The Session user is not allowed to add a folder. Table 219 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.5.5 RemoveSecurityGroupFolder Method
  Method Result Codes ResultCode Description Bad_NodeIdUnknown The SecurityGroupFolderNodeId is unknown. Bad_UserAccessDenied The Session user is not allowed to delete the folder. Table 220 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.6.3 ConnectSecurityGroups
  codes for the SecurityGroups to connect. Method Result Codes ResultCode Description Bad_UserAccessDenied The Session user is not allowed to connect SecurityGroups to the push target. Bad_SecurityModeInsufficient The communication
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.6.4 DisconnectSecurityGroups Method
  codes for the SecurityGroups to disconnect. Method Result Codes ResultCode Description Bad_UserAccessDenied The Session user is not allowed to disconnect SecurityGroups from the push target. Bad_SecurityModeInsufficient The communication
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.6.5 TriggerKeyUpdate Method
  Method on the Server . Signature TriggerKeyUpdate (); Method Result Codes ResultCode Description Bad_UserAccessDenied The Session user is not allowed to trigger a key update on this push target. Bad_SecurityModeInsufficient
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.7.2 AddPushTarget Method
  input arguments is invalid. The InputArgumentResult provides further details. Bad_UserAccessDenied The Session user is not allowed to configure the object. Bad_SecurityModeInsufficient The communication channel is not using signing
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.7.3 RemovePushTarget Method
  NodeIdInvalid The PushTargetId is not a NodeId of a PubSubKeyPushTarget Object . Bad_UserAccessDenied The Session user is not allowed to delete the PushTargetType Object . Bad_SecurityModeInsufficient The communication channel
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.7.4 AddPushTargetFolder Method
  Name may be too long or may contain invalid characters. Bad_UserAccessDenied The Session user is not allowed to add a folder. Table 229 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  8.7.5 RemovePushTargetFolder Method
  Method Result Codes ResultCode Description Bad_NodeIdUnknown The PushTargetFolderNodeId is unknown. Bad_UserAccessDenied The Session user is not allowed to delete the folder. Table 230 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.3.4 AddConnection Method (Deprecated)
  Server has not enough resources to add the PubSubConnection Object . Bad_UserAccessDenied The Session user is not allowed to create a PubSubConnection Object . Table 235 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.3.5 RemoveConnection Method (Deprecated)
  Method Result Codes ResultCode Description Bad_NodeIdUnknown The ConnectionId is unknown. Bad_UserAccessDenied The Session user is not allowed to delete the PubSubConnection Object . Table 236 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.3.7.1 PubSubConfigurationType
  UABinaryFileDataType shall match the NamespaceArray in the OPC UA Server for a Session with the Server . The FileType functionality is used instead of passing the PubSubConfiguration2DataType to read and write
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.3.7.5 ReserveIds Method
  reserved yet. When a Client reserves IDs, these reservations are valid while the Session is open. The reserved IDs can only be used for configuration modifications through the same Session ... only valid until the ID is used in the configuration or until the Session is closed. The IDs can be re-used if a PubSub component that uses
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.3.7.6 CloseAndUpdate Method
  valid. Bad_InvalidState The file was not opened for writer access. Bad_UserAccessDenied The Session user is not allowed to modify the PubSub configuration. Bad_NothingToDo The ConfigurationReferences array
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.2.3 AddExtensionField Method
  Name may be too long or may contain invalid characters. Bad_UserAccessDenied The Session user is not allowed to configure the Object . Table 250 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.2.4 RemoveExtensionField Method
  NodeId of a Property of the ExtensionFieldsType Object . Bad_UserAccessDenied The Session user is not allowed to configure the Object . Table 251 specifies the AddressSpace representation for the RemoveExtensionField Method
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.3.2 AddVariables Method
  DataSetClass and the size of the PublishedData array cannot be changed. Bad_UserAccessDenied The Session user is not allowed to configure the object. Operation Result Codes ResultCode Description Bad_NodeIdInvalid
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.3.3 RemoveVariables Method
  configuration version did not match the current state of the Object . Bad_UserAccessDenied The Session user is not allowed to configure the Object . Operation Result Codes ResultCode Description Bad_InvalidArgument
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.4.2 ModifyFieldSelection Method
  Object . Bad_EventFilterInvalid The event filter is not valid. Bad_UserAccessDenied The Session user is not allowed to configure the Object . Table 257 specifies the AddressSpace representation for the ModifyFieldSelection
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.5.2 AddPublishedDataItems Method
  BrowseNameDuplicated A data set Object with the name already exists. Bad_UserAccessDenied The Session user is not allowed to configure the Object . Bad_InvalidArgument The Server is not able
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.5.3 AddPublishedEvents Method
  Server . Bad_EventFilterInvalid The Event filter is not valid. Bad_UserAccessDenied The Session user is not allowed to configure the Object . Bad_InvalidArgument The Server is not able to apply
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.5.4 AddPublishedDataItemsTemplate Method
  BrowseNameDuplicated A data set Object with the name already exists. Bad_UserAccessDenied The Session user is not allowed to configure the Object . Bad_InvalidArgument The VariablesToAdd parameter does not match
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.5.5 AddPublishedEventsTemplate Method
  Server . Bad_EventFilterInvalid The Event filter is not valid. Bad_UserAccessDenied The Session user is not allowed to configure the Object . Bad_InvalidArgument The Server is not able to apply
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.5.6 RemovePublishedDataSet Method
  NodeIdInvalid The DataSetNodeId is not a NodeId of a published DataSet . Bad_UserAccessDenied The Session user is not allowed to delete a PublishedDataSetType . Table 263 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.5.7 AddDataSetFolder Method
  Name may be too long or may contain invalid characters. Bad_UserAccessDenied The Session user is not allowed to add a folder. Table 264 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.4.5.8 RemoveDataSetFolder Method
  Method Result Codes ResultCode Description Bad_NodeIdUnknown The DataSetFolderNodeId is unknown. Bad_UserAccessDenied The Session user is not allowed to delete a data set. Table 265 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.5.3 AddWriterGroup Method (Deprecated)
  Server does not have enough resources to add the group. Bad_UserAccessDenied The Session user does not have rights to create the group. Table 267 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.5.4 AddReaderGroup Method (Deprecated)
  Server does not have enough resources to add the group. Bad_UserAccessDenied The Session user does not have rights to create the group. Table 268 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.5.5 RemoveGroup Method (Deprecated)
  Method Result Codes ResultCode Description Bad_NodeIdUnknown The GroupId is unknown. Bad_UserAccessDenied The Session user does not have rights to delete the group. Table 269 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.6.4 AddDataSetWriter Method (Deprecated)
  ResourceUnavailable The Server has not enough resources to add the DataSetWriter . Bad_UserAccessDenied The Session user does not have rights to create the DataSetWriter . Table 277 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.6.5 RemoveDataSetWriter Method (Deprecated)
  NodeIdInvalid The DataSetWriterNodeId is not a NodeId of a DataSetWriter . Bad_UserAccessDenied The Session user is not allowed to delete a DataSetWriter . Table 278 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.6.10 AddDataSetReader Method (Deprecated)
  Server does not have enough resources to add the DataSetReader . Bad_UserAccessDenied The Session user does not have rights to create the DataSetReader . Table 283 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.6.11 RemoveDataSetReader Method (Deprecated)
  NodeIdInvalid The DataSetReaderNodeId is not a NodeId of a DataSetReader . Bad_UserAccessDenied The Session user does not have rights to delete the DataSetReader . Table 284 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.8.5 CreateTargetVariables Method
  ConfigurationVersion does not match the version in the Publisher . Bad_UserAccessDenied The Session user is not allowed to configure the Object . Operation Result Codes ResultCode Description Bad_NodeIdInvalid
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.8.6 CreateDataSetMirror Method
  ConfigurationVersion does not match the version in the Publisher . Bad_UserAccessDenied The Session user is not allowed to configure the Object . Table 295 specifies the AddressSpace representation for the CreateDataSetMirror
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.9.2.2 AddTargetVariables Method
  ConfigurationVersion does not match the version in the Publisher . Bad_UserAccessDenied The Session user is not allowed to configure the Object . Operation Result Codes ResultCode Description Bad_NodeIdInvalid
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.9.2.3 RemoveTargetVariables Method
  ConfigurationVersion does not match the version in the DataSetMetaData . Bad_UserAccessDenied The Session user is not allowed to configure the Object . Operation Result Codes ResultCode Description Bad_InvalidArgument The provided
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.9.4.2 AddSubscribedDataSet Method
  Server does not have enough resources to add the subscribed DataSet . Bad_UserAccessDenied The Session user does not have rights to create the subscribed DataSet . Table 302 specifies the AddressSpace
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.9.4.3 RemoveSubscribedDataSet Method
  SubscribedDataSetNodeId is not a NodeId of a standalone subscribed DataSet . Bad_UserAccessDenied The Session user does not have rights to delete the Object . Table 303 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.9.4.4 AddDataSetFolder Method
  Name may be too long or may contain invalid characters. Bad_UserAccessDenied The Session user is not allowed to add a folder. Table 304 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.9.4.5 RemoveDataSetFolder Method
  Method Result Codes ResultCode Description Bad_NodeIdUnknown The DataSetFolderNodeId is unknown. Bad_UserAccessDenied The Session user is not allowed to delete the folder. Table 305 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.10.2 Enable Method
  Description Bad_InvalidState The state of the Object is not disabled. Bad_UserAccessDenied The Session user is not allowed to configure the Object . Table 308 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.10.3 Disable Method
  Description Bad_InvalidState The state of the Object is not operational. Bad_UserAccessDenied The Session user is not allowed to configure the Object . Table 309 specifies the AddressSpace representation
• OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
  9.1.11.3 Reset Method
  Method on the Server . Signature Reset (); Method Result Codes ResultCode Description Bad_UserAccessDenied The Session user is not allowed to configure the Object . Table 312 specifies the AddressSpace representation
• OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
  4.1 General
  each Node in the AddressSpace . Clients are then granted Roles when they create a Session based on the information provided by the Client . Roles are used to separate authentication (determining
• OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
  4.4.1 RoleType definition
  FALSE. If the configuration of a Role is changed, the Role assignment to active Session shall be re-evaluated and applied. The Identities Property specifies the currently configured rules ... array and CustomConfiguration is not TRUE , then the Role cannot be granted to any Session . The Role shall only be granted to the Session if all of the following conditions
• OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
  4.4.3 IdentityMappingRuleType
  defined in 4.4.4 . criteria String The criteria which the UserIdentityToken must meet for a Session to be mapped to the Role . The meaning of the criteria depends on the criteriaType ... trusted ApplicationInstance Certificate . The Client Certificate shall be trusted by the Server and the Session shall use at least a signed communication channel. If the criteriaType is Application , the criteria
• OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
  5.2.1 UserManagementType definition
  ChangePassword Method requires an encrypted channel and can be called by the Session user if the user token type for the Session is USERNAME. The Users Property specifies the currently
• OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
  5.2.6 ModifyUser Method
  disabled user shall be closed by the Server. If the user of the Session used to call the Method is to be disabled, the Method shall fail with Bad_InvalidSelfReference ... using encryption. Bad_InvalidSelfReference The user to be disabled is the user of the Session calling the Method . The ModifyUser Method representation in the AddressSpace is formally defined in Table
• OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
  5.2.7 RemoveUser Method
  SecurityAdmin Role when invoking this Method on the Server . If the user of the Session used to call the Method is to be removed, the Method shall fail with ... using encryption. Bad_InvalidSelfReference The user to remove is the user of the Session calling the Method . The RemoveUser Method representation in the AddressSpace is formally defined in Table
• OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
  5.2.8 ChangePassword Method
  Method This Method is used to change the password of the user for the Session used to call the Method . The Method shall fail with Bad_InvalidState if the user ... token type for the Session is not USERNAME. The bit MustChangePassword in the UserConfigurationMask defined in 5.2.3 indicates if the Server requires that the user changes the password
• OPC-10000-20 – OPC Unified Architecture - Part 20: File Transfer
  4.4.1 TemporaryFileTransferType
  accessed with the NodeId and FileHandle returned by the Methods in the same Session . This Object is used to transfer the temporary file between OPC UA Client and Server ... corresponding transfer transaction. Any open temporary transfer file shall be deleted if the Session used to create the file is no longer valid. The TransferState Objects are used to expose
• OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
  4.2.6 Roles and Privileges
  provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to named Privileges which are assigned to Sessions
• OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
  9.2.4 UpdateSoftwareStatus
  manual process. This Method shall be called from an authenticated SecureChannel and from a Session that has access to the SoftwareUpdateAdmin Role (see 4.2.6 ). Signature UpdateSoftwareStatus( [in] 0:String productInstanceUri ... FALSE). Method Result Codes (defined in Call Service) Result Code Description Bad_UserAccessDenied The Session does not have the permissions needed to call the Method . Bad_NotFound The productInstanceUri does
• OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
  9.2.5 RegisterDeviceEndpoint
  onboarding process. This Method shall be called from an authenticated SecureChannel and from a Session that has access to the RegistrarAdmin Role (see 4.2.6 ). Signature RegisterDeviceEndpoint ( [in] 0:ApplicationDescription application ... Model. Method Result Codes (defined in Call Service) Result Code Description Bad_UserAccessDenied The Session does not have the permissions needed to call the Method . Table 20 specifies the AddressSpace
• OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
  9.2.6 GetManagers
  This Method shall be called from an authenticated SecureChannel and from a Session that has access to the DCA Privilege (see 4.2.6 ). Signature GetManagers ( [out] 2:ManagerDescription [] managers ); Argument Description ... Method Result Codes (defined in Call Service) Result Code Description Bad_UserAccessDenied The Session does not have the permissions needed to call the Method . Table 21 specifies the AddressSpace representation
• OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
  9.2.8 RegisterManagedApplication
  RequestNotAllowed . This Method shall be called from an authenticated SecureChannel and from a Session that has access to the DCA Privilege (see 4.2.6 ). Signature RegisterManagedApplication ( [in] 3:ApplicationRecordDataType application
• OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
  9.2.11 RegisterTickets
  returned in the results output argument. This Method shall be called from a Session that has access to the RegistrarAdmin Role (see 4.2.6 ). Signature RegisterTickets ( [in] 0:EncodedTicket [] tickets
• OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
  9.2.12 UnregisterTickets
  exist the error is Bad_NotFound . This Method shall be called from a Session that has access to the RegistrarAdmin Role (see 4.2.6 ). Signature UnregisterTickets ( [in] 0:EncodedTicket [] tickets
• OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
  9.3.5 SetRegistrarEndpoints
  provide information that cannot be discovered automatically. This Method shall be called from a Session that has access to the SecurityAdmin Role (see 4.2.6 ). Signature SetRegistrarEndpoints ( [in] 0:ApplicationDescription [] registrars ... PullManagement . Method Result Codes (defined in Call Service) Result Code Description Bad_UserAccessDenied The Session does not have rights to call the Method . Table 35 specifies the AddressSpace representation
• OPC-10000-25 – OPC Unified Architecture - Part 25: Object Serialization
  6.3.2 SerializedData Variable
  SerializationValue is typically read-only. If the Server supports write access, the Client's Session shall be able to successfully write all original Variables in the SerializationScope . If the write
• OPC-10000-25 – OPC Unified Architecture - Part 25: Object Serialization
  6.3.3 ConfigureSerialization Method
  array is empty. Bad_Locked The SerializationEntity is locked by a different Client's Session . Bad_RequiresLock The SerializationEntity is not locked. Clients must lock the SerializationEntity before invoking
• OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model
  6.2.4.3.6 Command EstablishControlCmd
  null or empty (see 10.15 ). This command shall pass the ApplicationUri of the Session associated with the EstablishConnections Method Call as LockContext Argument to EstablishControl (see 6.5.3 ). The EstablishConnections implementation
• OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model
  6.7.4 EditConnectionConfigurationSets method
  ConnectionConfigurationSets that allow editing, the Method shall also set the Lock to the Client Session associated with this Method Call . The Lock shall behave as described ... renew the Lock and to remove the Lock in the case of the Client Session exiting. If the Lock exits for any reason, the internal action on the ConnectionConfigurationSets shall
• OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model
  13.1 Overview
  ConnectionManager shall behave as a standard Client , including the ability to recover an interrupted Session if a Session is being used. A ConnectionManager may also use Session- less Service invocations
• OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model
  13.2.1 Locating Server
  vendor-specific means, and all portable node identifiers can be resolved locally. The Session established by the ConnectionManager shall support the use of authentication and/or encryption. This includes: Application Authentication
• OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model
  13.2.2 Session-less Client connection
  Session-less Client connection The Server can also be accessed via a Session- less Service invocation (illustrated in Figure 66 ). Session- less Service invocations still access the Server with security ... cannot be used for a ReserveCommunicationIdsCmd since the communication IDs are released when the Session ends. Figure 66 - Session-less Service invocation
• OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model
  E.1.2 Single logical connection
  containing the configuration required for the ConnectionManager to be able to establish a secure Session to ServerA and ServerB