8.6 Information Model for Push Management

8.6.1 Overview

The AddressSpace used for PushManagement is shown in Figure 28. Clients interact with the Nodes defined in this model when they update the KeyCredentials used by a Server to access resources such as Brokers or Authorization Servers. The KeyCredentialConfiguration Folder is a well-known Object that appears in the AddressSpace of any Server which supports KeyCredential management.

Figure 28 – The Address Space used for Push KeyCredential Management

8.6.2 KeyCredentialConfigurationFolderType

This ObjectType is the TypeDefinition for an Folder Object that contains the KeyCredentialConfiguration Objects which may be accessed via the Server.

Table 133 – KeyCredentialConfigurationFolderType Definition
Attribute Value
BrowseName0:KeyCredentialConfigurationFolderType
IsAbstractFalse
References NodeClass BrowseName TypeDefinition Modelling Rule
Subtype of the 0:FolderType defined in OPC 10000-5.
0:HasComponentObject0:<ServiceName>0:KeyCredentialConfigurationType

Optional

Placeholder

0:HasComponentMethod0:CreateCredentialDefined in 8.6.3.Optional
Conformance Units
Push Model for KeyCredential Service

8.6.3 CreateCredential

CreateCredential is used to add a new KeyCredentialConfiguration Object.

This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 8.2).

Signature 

CreateCredential (
	[in]  String Name
	[in]  String ResourceUri
	[in]  String ProfileUri
	[in]  String[] EndpointUrls
	[out] NodeId CredentialNodeId
);
Argument Description
NameThis the BrowseName of the new Object.
ResourceUriThe ResourceUri uniquely identifies the resource that accepts the KeyCredentials. A valid URI shall be provided.
ProfileUriThe specified URI assigned in OPC 10000-7 to the protocol used to communicate with the resource identified by the ResourceUri. A valid URI shall be provided.
EndpointUrlsThe specifies URLs used by the Server to communicate with the resource identified by the ResourceUri. Valid URLs shall be provided.
CredentialNodeIdA unique identifier for the new KeyCredentialConfiguration Object Node.

Method Result Codes (defined in Call Service)

Result Code Description
Bad_InvalidArgument The ResourceUri, ProfileUri, or one or more EndpointUrls are not valid.
Bad_UserAccessDeniedThe current user does not have the rights required.
Bad_SecurityModeInsufficientThe SecureChannel is not encrypted.

Table 134 specifies the AddressSpace representation for the CreateCredential Method.

Table 134 – CreateCredential Method AddressSpace Definition
Attribute Value
BrowseName0:CreateCredential
References NodeClass BrowseName DataType TypeDefinition ModellingRule
0:HasPropertyVariable0:InputArgumentsArgument[] 0:PropertyTypeMandatory
0:HasPropertyVariable0:OutputArgumentsArgument[] 0:PropertyTypeMandatory

8.6.4 KeyCredentialConfiguration

This Object is an instance of FolderType. It contains The Objects which may be accessed via the Server. It is the target of an HasComponent reference from the ServerConfiguration Object defined in 7.10.4. It is defined in Table 135.

Table 135 – KeyCredentialConfiguration Object Definition
Attribute Value
BrowseName0:KeyCredentialConfiguration
TypeDefinition0:KeyCredentialConfigurationFolderType defined in 8.6.2.
References NodeClass BrowseName TypeDefinition Modelling Rule
Conformance Units
Push Model for KeyCredential Service

8.6.5 KeyCredentialConfigurationType

This ObjectType is the TypeDefinition for an Object that allows the configuration of KeyCredentials used by the Server. It also includes basic status information which report problems accessing the resource that might be related to bad KeyCredentials. It is defined in Table 136.

Table 136 – KeyCredentialConfigurationType Definition
Attribute Value
BrowseName0:KeyCredentialConfigurationType
IsAbstractFalse
References NodeClass BrowseName DataType TypeDefinition Modelling Rule
Subtype of the BaseObjectType defined in OPC 10000-5.
0:HasPropertyVariable0:ResourceUri0:String0:PropertyTypeMandatory
0:HasPropertyVariable0:ProfileUri0:String0:PropertyTypeMandatory
0:HasPropertyVariable0:EndpointUrls0:String[]0:PropertyTypeOptional
0:HasPropertyVariable0:CredentialId0:String0:PropertyTypeOptional
0:HasPropertyVariable0:ServiceStatus0:StatusCode0:PropertyTypeOptional
0:HasComponentMethod0:GetEncryptingKeyDefined in 8.6.6.Optional
0:HasComponentMethod0:UpdateCredentialDefined in 8.6.7.Optional
0:HasComponentMethod0:DeleteCredentialDefined in 8.6.8.Optional
Conformance Units
Push Model for KeyCredential Service

The ResourceUri Property uniquely identifies the resource that accepts the KeyCredentials.

The ProfileUri Property specifies on of the URIs assigned in OPC 10000-7 to the authentication mechanism used to communicate with the resource that accepts KeyCredentials provided by the Object. Examples of ProfileUris are:

http://opcfoundation.org/UA-Profile/Authentication/mqtt-username;

http://opcfoundation.org/UA-Profile/Security/UserToken/Server/UserNamePassword;

http://opcfoundation.org/UA-Profile/Authentication/amqp-sasl-plain.

The EndpointUrls Property specifies the URLs that the Server uses to access the resource.

The CredentialId Property is the identifier, such as a user name, which often needs to be presented when using the CredentialSecret.

The ServiceStatus Property indicates the result of the last attempt to communicate with the resource. The following common error values are defined:

ServiceStatus Description
Bad_OutOfServiceCommunication was not attempted by the Server because Enabled is FALSE.
Bad_IdentityTokenRejectedCommunication failed because the KeyCredentials are not valid.
Bad_NoCommunication

Communication failed because the endpoint is not reachable.

Where possible a more specific error code should be used.

See OPC 10000-4 for a complete list of standard StatusCodes.

The GetEncryptingKey Method is used request a Public Key that can be used to encrypt the KeyCredentials.

The UpdateKeyCredential Method is used to change the KeyCredentials used by the Server.

The DeleteKeyCredential Method is used to delete the KeyCredentials stored by the Server.

8.6.6 GetEncryptingKey

The GetEncryptingKey Method is used to request a key that can be used to encrypt a KeyCredential.

This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 8.2).

Signature 

GetEncryptingKey(
	[in]  String CredentialId
	[in]  String RequestedSecurityPolicyUri
	[out] ByteString PublicKey
	[out] String RevisedSecurityPolicyUri
);
Argument Description
CredentialIdThe unique identifier associated with the KeyCredential.
RequestedSecurityPolicyUri

The SecurityPolicy used to encrypt the secret.

If not specified the Server chooses a suitable default.

PublicKey

The Public Key used to encrypt the secret.

The format depends on the SecurityPolicyUri.

RevisedSecurityPolicyUri

The SecurityPolicy used to encrypt the secret.

It also specifies the contents of the PublicKey.

This may be different from the RequestedSecurityPolicyUri.

Method Result Codes (defined in Call Service)

Result Code Description
Bad_InvalidArgumentThe CredentialId is not valid.
Bad_UserAccessDeniedThe current user does not have the rights required.
Bad_SecurityModeInsufficientThe SecureChannel is not encrypted.

Table 137 specifies the AddressSpace representation for the GetEncryptingKey Method.

Table 137 – GetEncryptingKey Method AddressSpace Definition
Attribute Value
BrowseName0:GetEncryptingKey
References NodeClass BrowseName DataType TypeDefinition ModellingRule
0:HasPropertyVariable0:InputArguments0:Argument[] 0:PropertyTypeMandatory
0:HasPropertyVariable0:OutputArguments0:Argument[] 0:PropertyTypeMandatory

8.6.7 UpdateCredential

The UpdateCredential Method is used to update a KeyCredential used by a Server.

The KeyCredential secret may be encrypted using the key returned by GetEncryptingKey. The SecurityPolicyUri species the algorithm used for encryption. The format of the encrypted data is described in 8.5.6.

This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 8.2).

Signature 

UpdateCredential(
	[in] String 	CredentialId
	[in] ByteString CredentialSecret
	[in] String 	CertificateThumbprint
	[in] String 	SecurityPolicyUri
);
Argument Description
CredentialIdThe CredentialId is the identifier, such as a user name, which often needs to be presented when using the CredentialSecret.
CredentialSecretThe secret associated with the KeyCredential.
CertificateThumbprint

The SHA1 hash of the Certificate used to encrypt the secret.

For RSA SecurityPolicies this shall be one of the ApplicationInstance Certificates assigned to the Server. For ECC or RSA-DH SecurityPolicies this field is not specified. Not specified if the secret is not encrypted.

SecurityPolicyUri

The SecurityPolicy used to encrypt the secret.

If not specified the secret is not encrypted.

Method Result Codes (defined in Call Service)

Result Code Description
Bad_InvalidArgumentThe CredentialId or CredentialSecret is not valid.
Bad_CertificateInvalidThe Certificate is invalid or it is not one of the Server’s Certificates.
Bad_SecurityPolicyRejectedThe SecurityPolicy is unrecognized or not allowed.
Bad_UserAccessDeniedThe current user does not have the rights required.
Bad_SecurityModeInsufficientThe SecureChannel is not encrypted.

Table 139 specifies the AddressSpace representation for the UpdateKeyCredential Method.

Table 138 – UpdateCredential Method AddressSpace Definition
Attribute Value
BrowseName0:UpdateCredential
References NodeClass BrowseName DataType TypeDefinition ModellingRule
0:HasPropertyVariable0:InputArguments0:Argument[] 0:PropertyTypeMandatory

8.6.8 DeleteCredential

The DeleteCredential Method is used to delete a KeyCredential used by a Server.

This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 8.2).

Signature 

DeleteCredential();

Method Result Codes (defined in Call Service)

Result Code Description
Bad_UserAccessDeniedThe current user does not have the rights required.
Bad_SecurityModeInsufficientThe SecureChannel is not encrypted.

Table 138 specifies the AddressSpace representation for the DeleteKeyCredential Method.

Table 139 – DeleteCredential Method AddressSpace Definition
Attribute Value
BrowseName0:DeleteCredential
References NodeClass BrowseName DataType TypeDefinition ModellingRule

8.6.9 KeyCredentialUpdatedAuditEventType

This event is raised when a KeyCredential is updated.

This Event and its subtypes report sensitive security related information. Servers shall only report these Events to Clients which are authorized to view such information.

This is the result of a UpdateCredential Method completing.

Its representation in the AddressSpace is formally defined in Table 140.

Table 140 – KeyCredentialUpdatedAuditEventType Definition
Attribute Value
BrowseName0:KeyCredentialUpdatedAuditEventType
IsAbstractFalse
References NodeClass BrowseName DataType TypeDefinition Modelling Rule
Subtype of the 0:KeyCredentialAuditEventType defined in 8.5.8.
Conformance Units
Push Model for KeyCredential Service

This EventType inherits all Properties of the KeyCredentialAuditEventType.

8.6.10 KeyCredentialDeletedAuditEventType

This event is raised when a KeyCredential is updated.

This is the result of a DeleteCredential Method completing.

Its representation in the AddressSpace is formally defined in Table 141.

Table 141 – KeyCredentialDeletedAuditEventType Definition
Attribute Value
BrowseName0:KeyCredentialDeletedAuditEventType
IsAbstractFalse
References NodeClass BrowseName DataType TypeDefinition Modelling Rule
Subtype of the 0:KeyCredentialAuditEventType defined in 8.5.8.
Conformance Units
Push Model for KeyCredential Service

This EventType inherits all Properties of the KeyCredentialAuditEventType.