Search
52 result(s) for TrustList
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.48 TrustList: list of Certificates that an OPC UA Application has been configured to trust
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: determines if the Certificate is signed, validated and trustworthy before placing it in a TrustList. A TrustList also stores Certificate Authorities (CA). TrustLists that include CAs also include Certificate Revocation
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 5.2.5 Confidentiality: length of the certificate chain is defined by the site CSMS (only local TrustList with self-signed Certificates or a full CA/CRL infrastructure
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: site requirements. Figure 11 illustrates the work that is required to maintain the TrustList for self-signed Certificates. Figure 11 - Manual Certificate handling. An administrator would be required to copy
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: have the self-signed certificate signed by a CA. The configuration of a TrustList should also be easily accomplished. Typically, TrustLists for Public Keys of ApplicationInstances are kept ... replaced or, in the case of a CA-generated Certificate, it is revoked. TrustList - When security is enabled, OPC UA Applications reject connections from peers whose Certificates
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services: initial Certificate Authority signed Certificate. The CertificateManager interface includes features to get a TrustList and also Certificate updates from a central place. The Global Discovery Server (GDS) and CertificateManager functionality
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 6.1.4 Creating a SecureChannel: with a CA. Any Certificate shall be rejected if it is not in a TrustList provided by the administrator. Both the Client and Server shall have a list of Certificates ... longer be trusted. Administrators can revoke a Certificate by removing it from the TrustList for all applications, or the CA can add the Certificate to the Certificate Revocation List
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services: SecureChannel. OPC UA Applications may do additional verifications between SecurityToken renewals, e.g. if the TrustList is updated from a GDS. If the SecureChannel does not use ApplicationInstanceCertificates
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 7.5.3 Security: valid TLS Certificate that is issued by a CA that is installed in the Trust List for the web browser. To support these Clients, a Server may use a TLS Certificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 3.1.2 CertificateGroup: a context used to manage the TrustList and Certificate(s) associated with Applications or Users
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.1 Overview: features: Onboarding (first-time setup for a device/application); Renewal (renewing expired or compromised certificates); TrustList Update (updating the TrustLists including the Revocation Lists); Revocation (removing a device/application from the system
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Description: CertificateAuthorityAdmin: This Role grants rights to request or revoke any Certificate, update any TrustList or assign CertificateGroups to OPC UA Applications. RegistrationAuthorityAdmin: This Role grants rights to approve Certificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.3 Pull Management: Configuration Database. A similar process is used to renew certificates or to periodically update the TrustList. Security in PullManagement requires an encrypted channel and authorized credentials. These credentials may be user ... CRLs needed to verify a Certificate are added to the CertificateManager's TrustList). Before a Client provides any secrets associated with credentials to a CertificateManager, it needs to know that
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.4 Push Management: diagram starts. A similar process is used to renew certificates or to periodically update the TrustList. In Figure 14 the TrustList update is shown to happen first. This is necessary ... CRLs are provided to the Server before the new Certificate is updated. The TrustList update may be skipped if the current TrustList allows the Server to validate the new Certificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: self-signed Certificate when they first start. They may also have a pre-configured TrustList with Applications that are allowed to set up the Server. For example, a machine vendor ... connection needed for setup using PushManagement. Once the Server has been given its initial TrustList, the Server should then restrict access to those Clients with Certificates in the TrustList
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: CertificateManager. The cycle time is defined by the UpdateFrequency on the related TrustList Object in the CertificateManager. Connect: Create a connection for option (2). For the connection management with ... next cycle. GetTrustList: If all Certificates for a CertificateGroup are up-to-date, the TrustList is checked for updates by calling the Method GetTrustList. The Method returns the NodeId
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: used to authenticate the CertificateManager are: CertificateManager ApplicationInstance Certificate; UserIdentityToken provided in ActivateSession. Update TrustList Workflow: The steps involved in updating the Certificate are described in the Update TrustList workflow ... each CertificateGroup the TrustList is updated first. The updates shall include all issuers and CRLs needed to validate new Certificates assigned to the CertificateGroup. If the CertificateManager needs to connect
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Update TrustList Workflow: The Update TrustList workflow starts if the CertificateManager determines that an update to an existing TrustList is required. This update can be part of another workflow ... Figure 18. The boxes with blue text indicate Method calls. Figure 18 - PushManagement Update TrustList Workflow. The steps of the PushManagement Update TrustList workflow are described in Table 23. Table
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.7.5 Create Endpoint Workflow: will not be enabled. An Endpoint that has a valid Certificate but an empty TrustList will exist, but no connections will be possible. The TOFU mode used during application Setup
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.1 TrustListType: This type defines a FileType that can be used to access a TrustList. The CertificateManager uses this type to implement the Pull Model. Servers use this type when implementing ... This may be a CertificateManager administrative user that can change the contents of a TrustList, or it may be an administrative user that is reading a TrustList to configure applications
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.2 Open: Codes: Result Code / Description: Bad_NotSupported: The mode is not supported. Bad_TransactionPending: The TrustList cannot be opened because it is part of a transaction that is in progress. Bad_SecurityModeInsufficient
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.3 OpenWithMasks: The OpenWithMasks Method allows a Client to read only a portion of the TrustList. This Method can only be used to read the TrustList. After calling this Method ... the Client calls Read one or more times to get the TrustList. If the Server is able to detect out-of-band changes to the TrustList before the Client calls the Close
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.4 Read: Server is able to detect out-of-band changes to the TrustList before the Client calls the Close Method, then this Method returns Bad_InvalidState. Additional Method Result Codes: Result ... Code / Description: Bad_InvalidState: The state of the TrustList has changed
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.5 CloseAndUpdate: The CloseAndUpdate Method closes the TrustList and applies the changes to the TrustList. It can only be called if the TrustList was opened for writing. If the Close Method ... called, any cached data is discarded and the TrustList is not changed. If only part of the TrustList is being updated, the Server creates a new TrustList that includes
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.6 AddCertificate: The AddCertificate Method allows a Client to add a single Certificate to the TrustList. The Purpose of the associated CertificateGroup determines the validation rules for the Certificate. For ApplicationCertificateType ... issued by a CA and the Certificate for the issuer is not in the TrustList. This Method cannot provide CRLs, so issuer Certificates cannot be added with this Method. Instead
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.7 RemoveCertificate: The RemoveCertificate Method allows a Client to remove a single Certificate from the TrustList. It returns Bad_InvalidArgument if the Thumbprint does not match a Certificate in the TrustList ... Certificate is a CA Certificate needed to validate another Certificate in the TrustList. This Method returns Bad_TransactionPending if a transaction is in progress (see 7.10.9). This Method returns
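The AddCertificate (7.8.2.6) and RemoveCertificate (7.8.2.7) rules in the two entries above, as an added Go example. This is illustration code, not the OPC Foundation's or any SDK's; it uses only Go's standard crypto/x509, generates its certificates in-process as constructed test data (no real site CA, and CRLs are left out), and its method signatures and error strings are its own. Bad_InvalidArgument is the code the page names for an unknown thumbprint; the thumbprint itself is the SHA-1 of the DER encoding in hex, which is how OPC UA identifies a Certificate. The issuer lookup is the same chain check a Server applies to a peer Certificate before accepting a SecureChannel (6.1.4 above) and the reason a CA must be in the TrustList before a Certificate it issued can be added.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TrustList holds one CertificateGroup's trusted and issuer certificates keyed by thumbprint (CRLs omitted).
type TrustList map[string]*x509.Certificate

// Thumbprint is the upper-case hex SHA-1 of the DER encoding, the identifier OPC UA uses for a Certificate.
func Thumbprint(der []byte) string { return fmt.Sprintf("%X", sha1.Sum(der)) }

// issuerOf finds a CA in the TrustList whose key signed cert: the same chain check a Server applies to a peer.
func (t TrustList) issuerOf(cert *x509.Certificate) *x509.Certificate {
	for _, ca := range t {
		if ca != cert && ca.IsCA && cert.CheckSignatureFrom(ca) == nil {
			return ca
		}
	}
	return nil
}

// AddCertificate (7.8.2.6): self-signed accepted, CA-issued only if the issuer is present, CA certificates refused.
func (t TrustList) AddCertificate(der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("certificate does not parse: %w", err)
	}
	if cert.IsCA {
		return fmt.Errorf("issuer certificates cannot be added with AddCertificate; use a full TrustList update")
	}
	selfSigned := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	if !selfSigned && t.issuerOf(cert) == nil {
		return fmt.Errorf("issuer of %q is not in the TrustList", cert.Subject.CommonName)
	}
	t[Thumbprint(der)] = cert
	return nil
}

// RemoveCertificate (7.8.2.7): Bad_InvalidArgument for an unknown thumbprint; a CA still validating an entry stays.
func (t TrustList) RemoveCertificate(thumbprint string) error {
	key := strings.ToUpper(thumbprint)
	cert, ok := t[key]
	if !ok {
		return fmt.Errorf("Bad_InvalidArgument: thumbprint %s not in TrustList", key)
	}
	for _, other := range t {
		if cert.IsCA && other != cert && other.CheckSignatureFrom(cert) == nil {
			return fmt.Errorf("CA still needed to validate %q", other.Subject.CommonName)
		}
	}
	delete(t, key)
	return nil
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // fixture helper

// newCert issues a P-256 test certificate (constructed data); a nil parent means self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return der, must(x509.ParseCertificate(der)), key
}

// Scenario runs the rules against a constructed site CA, a CA-issued PLC certificate and a self-signed HMI
// certificate; a nil error means the call was accepted.
func Scenario() map[string]error {
	caDER, ca, caKey := newCert("Example Site CA", true, nil, nil)
	plcDER, _, _ := newCert("urn:example:plc1", false, ca, caKey)
	hmiDER, _, _ := newCert("urn:example:hmi1", false, nil, nil)
	tl, r := TrustList{}, map[string]error{}
	r["plc-before-issuer"] = tl.AddCertificate(plcDER)              // rejected: site CA not in TrustList
	r["ca-via-AddCertificate"] = tl.AddCertificate(caDER)           // rejected: CAs arrive only with a full update
	r["hmi-self-signed"] = tl.AddCertificate(hmiDER)                // accepted
	tl[Thumbprint(caDER)] = ca                                      // a full TrustList write (CloseAndUpdate) adds the CA
	r["plc-after-issuer"] = tl.AddCertificate(plcDER)               // accepted
	r["remove-unknown"] = tl.RemoveCertificate("00")                // Bad_InvalidArgument
	r["remove-ca-in-use"] = tl.RemoveCertificate(Thumbprint(caDER)) // refused: PLC still chains to it
	r["remove-plc"] = tl.RemoveCertificate(Thumbprint(plcDER))      // accepted
	r["remove-ca-unused"] = tl.RemoveCertificate(Thumbprint(caDER)) // accepted now
	return r
}

func main() { fmt.Println(Scenario()) }
```

Scenario runs the calls in the order a Push Management session would make them: the PLC certificate is refused until its issuer has arrived through a full TrustList write, and the CA cannot be removed again while the PLC certificate still chains to it.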
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.8 TrustListDataType: This type defines a DataType which stores the TrustList of a Server. Its values are defined in Table 32. Table 32 - TrustListDataType Structure: Name / Type / Description: TrustListDataType / Structure / Subtype ... Conformance Units: GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
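The TrustListDataType entry above together with the OpenWithMasks, Read and CloseAndUpdate entries, as an added Go example that is not part of the specification or of any OPC UA stack. It encodes and decodes the structure in OPC UA Binary with the field order of Table 32 (SpecifiedLists, then TrustedCertificates, TrustedCrls, IssuerCertificates, IssuerCrls, with TrustListMasks bits 1, 2, 4 and 8), checks every length prefix against the bytes actually present, and applies the partial-update rule of CloseAndUpdate: only the lists named in SpecifiedLists replace the Server's copy, the others are kept. The certificate and CRL bytes are constructed stand-ins, not DER; a Server would additionally compare the encoded size against the MaxTrustListSize of its ServerConfigurationType (default 65 535 bytes, 0 for no limit).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// List indexes in wire order; bit 1<<i of SpecifiedLists (TrustListMasks 1, 2, 4, 8) marks list i present.
const (
	TrustedCertificates = iota
	TrustedCrls
	IssuerCertificates
	IssuerCrls
	MaskAll uint32 = 15
)

// TrustListDataType of OPC 10000-12 Table 32: SpecifiedLists followed by four ByteString arrays.
type TrustListDataType struct {
	SpecifiedLists uint32
	Lists          [4][][]byte // DER certificates or CRLs, indexed by the constants above
}

// Encode writes OPC UA Binary: UInt32 mask, then per list an Int32 count and per element Int32 length + bytes.
func Encode(t TrustListDataType) []byte {
	var w bytes.Buffer
	binary.Write(&w, binary.LittleEndian, t.SpecifiedLists)
	for i, l := range t.Lists {
		if t.SpecifiedLists&(1<<uint(i)) == 0 {
			l = nil // lists outside the mask travel as empty arrays (OpenWithMasks)
		}
		binary.Write(&w, binary.LittleEndian, int32(len(l)))
		for _, b := range l {
			binary.Write(&w, binary.LittleEndian, int32(len(b)))
			w.Write(b)
		}
	}
	return w.Bytes()
}

// readArray decodes one ByteString array, checking each count and length against the bytes left so a
// hostile prefix cannot force a huge allocation or an over-read.
func readArray(r *bytes.Reader) ([][]byte, error) {
	var n int32
	if err := binary.Read(r, binary.LittleEndian, &n); err != nil || n < 0 {
		return nil, err // read error, or -1 meaning a null array
	}
	if int(n)*4 > r.Len() {
		return nil, fmt.Errorf("array count %d exceeds remaining %d bytes", n, r.Len())
	}
	out := make([][]byte, n)
	for i := range out {
		var l int32
		if err := binary.Read(r, binary.LittleEndian, &l); err != nil {
			return nil, err
		} else if l < 0 || int(l) > r.Len() {
			return nil, fmt.Errorf("ByteString length %d exceeds remaining %d bytes", l, r.Len())
		}
		out[i] = make([]byte, l)
		r.Read(out[i]) // cannot come up short: l was checked against r.Len()
	}
	return out, nil
}

// Decode parses the binary form; unknown mask bits are rejected before any list is read.
func Decode(buf []byte) (t TrustListDataType, err error) {
	r := bytes.NewReader(buf)
	if err = binary.Read(r, binary.LittleEndian, &t.SpecifiedLists); err == nil && t.SpecifiedLists&^MaskAll != 0 {
		err = fmt.Errorf("unknown bits in SpecifiedLists: %#x", t.SpecifiedLists)
	}
	for i := 0; err == nil && i < len(t.Lists); i++ {
		t.Lists[i], err = readArray(r)
	}
	return t, err
}

// Merge is the CloseAndUpdate rule for a partial write: lists named in the update's mask replace the
// Server's copy, the others are kept, and the stored result is complete (MaskAll).
func Merge(current, update TrustListDataType) TrustListDataType {
	for i := range current.Lists {
		if update.SpecifiedLists&(1<<uint(i)) != 0 {
			current.Lists[i] = update.Lists[i]
		}
	}
	current.SpecifiedLists = MaskAll
	return current
}

// Example: a Client that opened the TrustList with mask TrustedCertificates only writes a replacement list
// and the Server decodes and merges it. The byte strings are constructed stand-ins for DER data.
func Example() (TrustListDataType, error) {
	current := TrustListDataType{MaskAll, [4][][]byte{
		TrustedCertificates: {[]byte("der:plc1"), []byte("der:hmi1")},
		IssuerCertificates:  {[]byte("der:site-ca")}, IssuerCrls: {[]byte("crl:site-ca")}}}
	partial := TrustListDataType{1 << TrustedCertificates, [4][][]byte{
		TrustedCertificates: {[]byte("der:plc1"), []byte("der:plc2")}}}
	update, err := Decode(Encode(partial))
	if err != nil {
		return current, err
	}
	return Merge(current, update), nil
}

func main() { fmt.Println(Example()) }
```

The same Encode layout is what a Client receives from Read after OpenWithMasks: the masked lists carry data and the other three arrive empty, so a Client must not mistake an empty IssuerCrls array in a masked read for a Server that has no CRLs.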
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.11 TrustListOutOfDateAlarmType: This SystemOffNormalAlarmType is raised by the Server when the UpdateFrequency elapses and the TrustList has not been updated. This alarm automatically returns to normal when the TrustList is updated ... Mandatory. Conformance Units: GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management. The TrustListId Property specifies the NodeId of the out-of-date TrustList Object. The LastUpdateTime Property
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: TrustListUpdateRequestedAuditEventType: This event is raised when a Method that changes the TrustList is called. It is raised when the CloseAndUpdate, AddCertificate or RemoveCertificate Method on a TrustListType Object is called ... Conformance Units: GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management. This EventType inherits all Properties of the AuditUpdateMethodEventType. Their semantics are defined
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.13 TrustListUpdatedAuditEventType: This event is raised when a TrustList is successfully changed. This is the result of a CloseAndUpdate Method on a TrustListType Object or the result of an ApplyChanges Method ... also be raised when the AddCertificate or RemoveCertificate Method causes an update to the TrustList. Its representation in the AddressSpace is formally defined in Table 40. Table 40 - TrustListUpdatedAuditEventType Definition
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.3.1 CertificateGroupType: which represent CertificateGroups in the AddressSpace. A CertificateGroup is a context that contains a TrustList and one or more CertificateTypes that can be assigned to an application. This ObjectType allows ... Rule: Subtype of the BaseObjectType defined in OPC 10000-5. 0:HasComponent Object 0:TrustList 0:TrustListType Mandatory; 0:HasProperty Variable 0:CertificateTypes 0:NodeId[] 0:PropertyType Mandatory; 0:HasProperty
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.3.3 CertificateGroupFolderType: Placeholder. Conformance Units: GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management. The DefaultApplicationGroup Object represents the default CertificateGroup for Applications. It is used to access ... the default application TrustList and to define the CertificateTypes allowed for the Certificates used by the application when communicating with peers: For OPC UA Applications and CertificateManagers, these CertificateTypes specify what
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.7 GetCertificateGroups: CertificateGroupIds: An identifier for the CertificateGroups assigned to the application. A CertificateGroup provides a TrustList and one or more CertificateTypes which may be assigned to an application. This Method shall
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.9 GetTrustList: The GetTrustList Method is used to retrieve the NodeId of a TrustList assigned to an application. Signature: GetTrustList( [in] NodeId ApplicationId [in] NodeId CertificateGroupId [out] NodeId TrustListId ); Argument / Description ... TrustListId for a suitable default group for the application. TrustListId: The NodeId for a TrustList Object that can be used to download the TrustList assigned to the application. Access permissions
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.11 CheckRevocationStatus: issuer Certificate has a crlDistributionPoint extension, an authorityInformationAccess extension (see RFC 6960) or the TrustList is configured to require online Certificate revocation checks (see 7.8.2.1). The CertificateManager will typically
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.3 ServerConfigurationType: Object 0:ConfigurationFile 0:ApplicationConfigurationFileType Optional. Conformance Units: Push Model for Global Certificate and TrustList Management. The ApplicationUri Property specifies the ApplicationUri assigned to the application. The ProductUri Property specifies ... external Clients to update the PrivateKey. The MaxTrustListSize is the maximum size of the TrustList in bytes; 0 means no limit. The default is 65 535 bytes. If MulticastDnsEnabled
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.5 UpdateCertificate: defined in OPC 10000-4 shall be reported. The validation process requires that the TrustList associated with the CertificateGroup already contains the IssuerCertificates. Revocation checks may be done with CRLs ... TrustList or using online CRL checks. For Purposes other than ApplicationCertificateType, the validation rules are not defined by this specification. This Method may be called within the context
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.9 ApplyChanges: The ApplyChanges Method is used to apply pending Certificate and TrustList updates and to complete a transaction as described in 7.10.2. ApplyChanges returns Bad_InvalidState if any TrustList ... writing. No changes are applied, and ApplyChanges can be called again after the TrustList is closed. If a Session is closed or abandoned, then the transaction is closed
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.17 TransactionDiagnosticsType: included in the transaction. It is updated each time a TrustList is added to the transaction. The AffectedCertificateGroups Property specifies the NodeIds of the CertificateGroups that are included
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.19 ApplicationConfigurationDataType: current Session. If no such slot exists, the configuration update is rejected. The TrustList associated with that CertificateGroup shall trust the Client Certificate used for the current Session. Updates
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.25 UserTokenSettingsDataType: configure how to validate UserIdentityTokens. If a CertificateGroup is specified, it refers to the TrustList used to verify credentials, either by verifying that an X509IdentityToken is trusted or by using ... Certificate in the TrustList to verify the Signature on an IssuedIdentityToken. The CertificateGroup is not specified for UserName or Anonymous TokenTypes. The KeyCredentialName is only specified for IssuedIdentityTokens and refers
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: user credentials when the application has to renew its Certificate or update its TrustList
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Clients to connect securely and assign the SecurityAdmin Role to the Anonymous user if the TrustList is empty; Connect to the Server after toggling a physical switch on the device which ... ApplicationUri to the SecurityAdmin Role, remove Anonymous from the SecurityAdmin Role; Provide a new Certificate and TrustList; Set the configuration flag to OFF. Subsequent updates to TrustLists or Certificates can be allowed
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: addition to the Private Key, Applications shall be protected from unauthorized updates to their TrustList. This can also be done by setting operating system permissions on the directory where ... the TrustList is stored that deny write access to anyone who is not using an account authorized to administer the application. Finally, Applications may depend on one or more configuration files
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Certificates are returned when the CertificateManager client reads the TrustList assigned to the application from the CertificateManager. Prior to these operations, the Client should verify that the server is authorized ... HTTPS certificate. Preconfigure the client by adding the CertificateManager Certificate to the client TrustList. Manual approval of the CA Certificate after comparing the certificate with out-of-band information. Manual
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 7.3.2.4.1 General: information on this). That is, the DefaultApplicationGroup Object is used as the Certificate and TrustList for DTLS communication. A separate certificate group may optionally be used for the DTLS transport
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 4.3.3 Application Setup: Application Setup is the process of issuing an Application Instance Certificate and a TrustList to one or more Applications running on a Device that will allow the Applications
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 4.3.5 Operation: deployed to do. In this stage, it is possible to update the TrustList and/or renew the Application Instance Certificate using the CertificateManager PushManagement or PullManagement described
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.2 Pull Management: trust any Registrar it finds, since it does not have a valid TrustList (see 4.2.4). If multiple Registrars are on the network, the DCA shall attempt to connect to each ... that accepts it and allows it to request a DCA Certificate and a TrustList. Once configured, the DCA shall not attempt to connect to Registrars that
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.3 Push Management: will create a new SecureChannel using that EndpointDescription. It provides the DCA Certificate and TrustList to the Device. Once a Device has a DCA TrustList and all software updates have ... shall accept the first one to provide an Application Instance Certificate and a TrustList. Once configured, the DCA shall reject connections from Registrars that are not in the TrustList
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.4.2.1 Overview: Signature and determines if the FDO Device can be trusted by checking a TrustList provided to the FDO Owner. The FDO Owner presents the FDO Ownership Voucher for the FDO Device
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.3.1 Overview: DefaultApplicationGroup Object is a well-known CertificateGroup that stores the Application Instance Certificate and TrustList for the DCA provided by the Registrar. This group is initially empty when the Device