8.4 SecurityGroupType

8.4.1 SecurityGroupType definition

The SecurityGroupType is formally defined in Table 213.

The configuration parameter RolePermissions contained in the SecurityGroupDataType controls access to the security keys for the SecurityGroup through the Method GetSecurityKeys. The GetSecurityKeys Method is defined in 8.3.2. The Permission to access the keys is different from the Permission necessary to modify the configuration of SecurityGroups.

Table 213 – SecurityGroupType definition
Attribute    Value
BrowseName   SecurityGroupType
IsAbstract   False

References    NodeClass  BrowseName         DataType  TypeDefinition  ModellingRule
Subtype of BaseObjectType defined in OPC 10000-5.
HasProperty   Variable   SecurityGroupId    String    PropertyType    Mandatory
HasProperty   Variable   KeyLifetime        Duration  PropertyType    Mandatory
HasProperty   Variable   SecurityPolicyUri  String    PropertyType    Mandatory
HasProperty   Variable   MaxFutureKeyCount  UInt32    PropertyType    Mandatory
HasProperty   Variable   MaxPastKeyCount    UInt32    PropertyType    Mandatory
HasComponent  Method     InvalidateKeys     Defined in 8.4.2.         Optional
HasComponent  Method     ForceKeyRotation   Defined in 8.4.3.         Optional

Conformance Units
PubSub Model SKS

The Property SecurityGroupId contains the identifier for the SecurityGroup used in the key exchange Methods GetSecurityKeys and SetSecurityKeys in the PubSubGroupType.

The Property KeyLifetime defines the lifetime of a key in milliseconds.

The Property SecurityPolicyUri is the identifier for a SecurityPolicy. SecurityPolicies define the set of algorithms and key lengths used to secure the messages exchanged in the context of the SecurityGroup. The SecurityPolicies are defined in OPC 10000-7.

The Property MaxFutureKeyCount defines the maximum number of future keys returned by the Method GetSecurityKeys.

The Property MaxPastKeyCount defines the maximum number of historical keys stored by the SKS. The historical keys are necessary to allow Subscribers to request keys for older NetworkMessages.

8.4.2 InvalidateKeys Method

This Method invalidates the current and all future keys of this SecurityGroup. The keys will be replaced by new keys, indicated by a new current SecurityTokenId. The new current SecurityTokenId shall be incremented beyond the SecurityTokenId of the last invalidated future key.

If the SecurityGroup is related to one or more PubSubKeyPushTargets, the SKS shall push the new set of keys to all related PubSubKeyPushTargets.

The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.

Signature

	InvalidateKeys ();
	

Method Result Codes

ResultCode                    Description
Bad_UserAccessDenied          The Session user is not allowed to invalidate the keys on this SecurityGroup.
Bad_SecurityModeInsufficient  The communication channel is not using signing.

Table 214 specifies the AddressSpace representation for the InvalidateKeys Method.

Table 214 – InvalidateKeys Method AddressSpace definition
Attribute   Value
BrowseName  InvalidateKeys

ConformanceUnits
PubSub Model SKS

8.4.3 ForceKeyRotation Method

This Method forces a key update prior to expiration of KeyLifetime, i.e. it initiates an unplanned key rotation. The future keys of this SecurityGroup remain valid.

InvalidateKeys makes all keys invalid immediately, which most likely causes communication interruptions. The ForceKeyRotation Method allows faster rotation of keys without breaking communication, e.g. for removing applications from a UDP multicast group.

If the SecurityGroup is related to one or more PushTargets, the SKS shall push an updated set of keys to all PushTargets.

The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.

Signature

	ForceKeyRotation ();
	

Method Result Codes

ResultCode                    Description
Bad_UserAccessDenied          The Session user is not allowed to force key rotation on this SecurityGroup.
Bad_SecurityModeInsufficient  The communication channel is not using signing.

Table 215 specifies the AddressSpace representation for the ForceKeyRotation Method.

Table 215 – ForceKeyRotation Method AddressSpace definition
Attribute   Value
BrowseName  ForceKeyRotation

ConformanceUnits
PubSub Model SKS
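
Added example, not part of the specification and not the API of any OPC UA stack: a Python model of one SecurityGroup's key ring that contrasts ForceKeyRotation (8.4.3) with InvalidateKeys (8.4.2) and returns the Method Result Codes listed above. The class name, the check order, the starting SecurityTokenId, the 32-byte random keys and the refill of future keys after a rotation are assumptions made for illustration.

```python
import secrets
from collections import deque

class SecurityGroupModel:
    """Illustrative key ring for one SecurityGroup (hypothetical, not an OPC UA SDK)."""
    def __init__(self, max_future_key_count, max_past_key_count):
        self.max_future = max_future_key_count
        # MaxPastKeyCount bounds the history; the oldest key is dropped first.
        self.past = deque(maxlen=max_past_key_count)
        self.next_id = 1  # constructed starting SecurityTokenId
        self.current = self._new_key()
        self.future = [self._new_key() for _ in range(self.max_future)]

    def _new_key(self):
        # Constructed key material; real lengths come from the SecurityPolicy.
        key = (self.next_id, secrets.token_bytes(32))
        self.next_id += 1
        return key

    @staticmethod
    def _check(authorized, security_mode):
        # Assumed order: the Result Code tables do not say which check runs first.
        if security_mode not in ("Sign", "SignAndEncrypt"):
            return "Bad_SecurityModeInsufficient"
        if not authorized:
            return "Bad_UserAccessDenied"
        return "Good"

    def force_key_rotation(self, authorized, security_mode):
        status = self._check(authorized, security_mode)
        if status == "Good":
            # Existing future keys stay valid: the first one becomes current.
            # Assumption: the SKS refills the list up to MaxFutureKeyCount.
            self.future.append(self._new_key())
            self.past.append(self.current)
            self.current = self.future.pop(0)
        return status

    def invalidate_keys(self, authorized, security_mode):
        status = self._check(authorized, security_mode)
        if status == "Good":
            # Current and all future keys are discarded. next_id already lies
            # beyond the last future key, so the new current id does as well.
            self.current = self._new_key()
            self.future = [self._new_key() for _ in range(self.max_future)]
        return status

    def token_ids(self):
        return ([k[0] for k in self.past], self.current[0], [k[0] for k in self.future])
```

After a rotation, a receiver that already holds the future keys finds the new current key among them; after InvalidateKeys no previously distributed current or future key matches, which is the communication interruption described in 8.4.3.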