8.6 PubSubKeyPushTargetType

8.6.1 PubSubKeyPushTargetType definition

The PubSubKeyPushTargetType is formally defined in Table 221.

An instance of this ObjectType includes all information required to establish a secure connection to the Server that is the target of a push operation as described in 5.4.5.3. If any of the connection information changes, the PubSubKeyPushTarget must be removed and a new PubSubKeyPushTarget with updated connection information must be added.

Table 221 – PubSubKeyPushTargetType definition

| Attribute | Value |
| --- | --- |
| BrowseName | PubSubKeyPushTargetType |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
| --- | --- | --- | --- | --- | --- |
| Subtype of BaseObjectType defined in OPC 10000-5. | | | | | |
| HasPushedSecurityGroup | Object | <SecurityGroupName> | | SecurityGroupType | OptionalPlaceholder |
| HasProperty | Variable | ApplicationUri | String | PropertyType | Mandatory |
| HasProperty | Variable | EndpointUrl | String | PropertyType | Mandatory |
| HasProperty | Variable | SecurityPolicyUri | String | PropertyType | Mandatory |
| HasProperty | Variable | UserTokenType | UserTokenPolicy | PropertyType | Mandatory |
| HasProperty | Variable | RequestedKeyCount | UInt16 | PropertyType | Mandatory |
| HasProperty | Variable | RetryInterval | Duration | PropertyType | Mandatory |
| HasProperty | Variable | LastPushExecutionTime | DateTime | PropertyType | Mandatory |
| HasProperty | Variable | LastPushErrorTime | DateTime | PropertyType | Mandatory |
| HasComponent | Method | ConnectSecurityGroups | Defined in 8.6.3 | | Mandatory |
| HasComponent | Method | DisconnectSecurityGroups | Defined in 8.6.4 | | Mandatory |
| HasComponent | Method | TriggerKeyUpdate | Defined in 8.6.5 | | Mandatory |

Conformance Units: PubSub Model SKS Push

The Property ApplicationUri is the ApplicationUri of the Server that is the target of a push. The push operation shall fail if the ApplicationUri of the connected target Server does not match this parameter.

The Property EndpointUrl is the URL of the Endpoint of the Server that is the target of a push.

The Property SecurityPolicyUri is a String that contains the security policy the SKS shall use to establish a SecureChannel to the PubSubKeyPushTarget. The MessageSecurityMode shall always be SignAndEncrypt.

The Property UserTokenType contains the type of user token to be used for the connection to the PubSubKeyPushTarget. The default is Anonymous and authorization is accomplished in this case with the application identity of the SKS.

The Property RequestedKeyCount is the number of keys that are to be pushed on each update. The minimum setting for this is three.

The Property RetryInterval defines the interval the SKS shall use to retry pushing keys after an error has occurred.

The Property LastPushExecutionTime indicates the time the last push operation was executed successfully on the PubSubKeyPushTarget. A null DateTime value indicates that no successful push was executed.

The Property LastPushErrorTime indicates the last time a push operation failed on the PubSubKeyPushTarget. A null DateTime value indicates that no error has occurred.

8.6.2 Behaviour

The first push is started at the time a SecurityGroup is assigned to the PubSubKeyPushTarget. The assignment is done with the Method ConnectSecurityGroups or with a successful update of the PubSubKeyPushTargets with PubSubConfigurationType CloseAndUpdate. The sequence for push is described in 5.4.5.3.

In a period of half the KeyLifetime of a SecurityGroup, the SKS shall open a secure communication to each related PubSubKeyPushTarget and shall call SetSecurityKeys to push the security keys for a SecurityGroup into a Publisher or Subscriber. The SKS shall push the previous security key, the current key, and at least one future key to bridge longer unavailability time of the SKS. If it is not possible to push security keys to a PubSubKeyPushTarget due to errors in establishing the communication or due to errors returned from the SetSecurityKeys Method call, the SKS shall retry pushing the security keys in a period of RetryInterval. If multiple future security keys are pushed, it is up to the SKS to define when security keys are pushed, but at a minimum it shall be at the half KeyLifetime of the current key when only one future key is remaining.
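The timing rules above can be checked with a small model. This is an added example, not part of the specification: the function names and sample values are assumptions, and the deadline formula is one reading of "half KeyLifetime of the current key when only one future key is remaining".

```python
from datetime import datetime, timedelta, timezone


def latest_push_deadline(current_key_start, key_lifetime, future_keys_held):
    """Latest time the SKS may leave the next scheduled push.

    future_keys_held: future keys delivered by the last successful push.
    The target is down to one future key after (future_keys_held - 1)
    rotations; the push is due half a KeyLifetime into that key.
    """
    if future_keys_held < 1:
        raise ValueError("a push carries at least one future key")
    rotations = future_keys_held - 1
    return current_key_start + rotations * key_lifetime + key_lifetime / 2


def key_coverage_end(current_key_start, key_lifetime, future_keys_held):
    """Time the target's last future key expires if no further push arrives."""
    return current_key_start + (1 + future_keys_held) * key_lifetime


def next_push_attempt(now, last_push_failed, deadline, retry_interval):
    """Next SetSecurityKeys attempt for one PubSubKeyPushTarget."""
    if last_push_failed:
        return now + retry_interval  # retry in a period of RetryInterval
    return max(now, deadline)


def retries_before_keys_run_out(first_failure, coverage_end, retry_interval):
    """Retries spaced by RetryInterval that fall no later than coverage_end."""
    if coverage_end <= first_failure:
        return 0
    return (coverage_end - first_failure) // retry_interval


# Constructed sample values, not taken from the specification.
KEY_START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
KEY_LIFETIME = timedelta(hours=1)
RETRY_INTERVAL = timedelta(minutes=5)

if __name__ == "__main__":
    for held in (1, 3):
        due = latest_push_deadline(KEY_START, KEY_LIFETIME, held)
        end = key_coverage_end(KEY_START, KEY_LIFETIME, held)
        print(held, due, end, retries_before_keys_run_out(due, end, RETRY_INTERVAL))
```

Comparing the retry count against expected target downtime shows whether a configured RetryInterval leaves enough attempts before the target's keys run out.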

Since the SKS is unaware of the state of a PubSubKeyPushTarget, it is recommended for a PubSubKeyPushTarget to persist security keys. This allows the PubSubKeyPushTarget to continue secured PubSub communication after a power cycle, as long as the outage time is smaller than the time covered with currentKey and FutureKeys. If keys are not persisted, it may take up to half the KeyLifetime to get the first set of security keys. The PubSubKeyPushTargets persisting security keys shall have an understanding of time (either synchronized or battery backup) allowing them to determine whether the current key is still valid to use, or whether to use a future key following a power interruption.
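A sketch of the key selection a PubSubKeyPushTarget with persisted keys performs after a power cycle. This is an added example, not part of the specification: the persisted layout (an absolute start time for the current key plus an ordered key list) and all names are assumptions.

```python
from datetime import datetime, timedelta, timezone


def select_key_after_restart(now, current_key_start, key_lifetime, keys):
    """Choose the persisted key that is valid at `now`.

    keys is [current, future1, future2, ...] as stored after the last push
    (hypothetical persisted layout); current_key_start is the absolute UTC
    time at which keys[0] became the current key.
    Returns None when no persisted key may be used.
    """
    if now < current_key_start:
        # Local clock is behind the persisted state, so it cannot be used
        # to decide key validity.
        return None
    slot = (now - current_key_start) // key_lifetime  # whole lifetimes elapsed
    if slot >= len(keys):
        # Outage outlasted the current key and all future keys; secured
        # PubSub has to wait for the next push from the SKS.
        return None
    next_rotation = current_key_start + (slot + 1) * key_lifetime
    return {
        "index": slot,
        "key": keys[slot],
        "future_keys_left": len(keys) - 1 - slot,
        "time_to_next_key": next_rotation - now,
    }


# Constructed sample: one-hour KeyLifetime, current key plus two future keys.
# The byte strings are placeholders, not real key material.
PUSHED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LIFETIME = timedelta(hours=1)
KEYS = [b"current", b"future-1", b"future-2"]

if __name__ == "__main__":
    for outage in (timedelta(minutes=10), timedelta(minutes=130), timedelta(hours=4)):
        restart = PUSHED_AT + outage
        print(outage, select_key_after_restart(restart, PUSHED_AT, LIFETIME, KEYS))
```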

8.6.3 ConnectSecurityGroups

This Method connects instances of SecurityGroupType to this PubSubKeyPushTarget. This indicates that the SKS shall use the push model to distribute the keys of the SecurityGroup to the PubSubKeyPushTarget.

The SKS shall push keys following this assignment. If an assignment does already exist, the entry is ignored.

If the assignment for a SecurityGroup already exists, a Good_EntryReplaced should be returned for that SecurityGroup and a new push of the existing keys shall be triggered to the push target.

The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.

Signature

	ConnectSecurityGroups (
		[in]	NodeId[]		SecurityGroupIds,
		[out]	StatusCode[]	ConnectResults
	);
	
| Argument | Description |
| --- | --- |
| SecurityGroupIds | The NodeIds of the SecurityGroups to connect to the PushTarget. |
| ConnectResults | The result codes for the SecurityGroups to connect. |

Method Result Codes

| ResultCode | Description |
| --- | --- |
| Bad_UserAccessDenied | The Session user is not allowed to connect SecurityGroups to the push target. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

Operation Result Codes

| ResultCode | Description |
| --- | --- |
| Good_EntryReplaced | The PushTarget was already assigned to the SecurityGroup, a new push was triggered. |
| Bad_NodeIdUnknown | A SecurityGroupNodeId is unknown. |
| Bad_NodeIdInvalid | A SecurityGroupNodeId is not a NodeId of a SecurityGroupType Object. |

Table 222 specifies the AddressSpace representation for the ConnectSecurityGroups Method.

Table 222 – ConnectSecurityGroups Method AddressSpace definition

| Attribute | Value |
| --- | --- |
| BrowseName | ConnectSecurityGroups |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
| --- | --- | --- | --- | --- | --- |
| HasProperty | Variable | InputArguments | Argument[] | PropertyType | Mandatory |
| HasProperty | Variable | OutputArguments | Argument[] | PropertyType | Mandatory |

Conformance Units: PubSub Model SKS Push
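The split between Method Result Codes (the whole call is rejected) and Operation Result Codes (one entry per SecurityGroupId) can be modelled as follows. This is an added example, not part of the specification: the session, target and address-space dictionaries, the NodeId strings and the order of the two method-level checks are assumptions, and an existing assignment is handled as in the Good_EntryReplaced description.

```python
SIGNED_MODES = {"Sign", "SignAndEncrypt"}


def connect_security_groups(session, target, address_space, security_group_ids):
    """Model of the checks in 8.6.3; returns (method_result, ConnectResults)."""
    # Method-level failures: the call is rejected before any per-id work.
    if session["security_mode"] not in SIGNED_MODES:
        return "Bad_SecurityModeInsufficient", []
    if not session["may_configure_sks"]:
        return "Bad_UserAccessDenied", []

    results = []
    for node_id in security_group_ids:
        node_type = address_space.get(node_id)
        if node_type is None:
            results.append("Bad_NodeIdUnknown")
        elif node_type != "SecurityGroupType":
            results.append("Bad_NodeIdInvalid")
        else:
            already_assigned = node_id in target["groups"]
            target["groups"].add(node_id)
            # A push follows both a new and a repeated assignment.
            target["pending_push"].append(node_id)
            results.append("Good_EntryReplaced" if already_assigned else "Good")
    return "Good", results


# Constructed address space: NodeId string -> ObjectType name (hypothetical).
ADDRESS_SPACE = {
    "ns=2;s=SG1": "SecurityGroupType",
    "ns=2;s=SG2": "SecurityGroupType",
    "ns=2;s=Pump": "BaseObjectType",
}

if __name__ == "__main__":
    session = {"security_mode": "SignAndEncrypt", "may_configure_sks": True}
    target = {"groups": {"ns=2;s=SG1"}, "pending_push": []}
    ids = ["ns=2;s=SG1", "ns=2;s=SG2", "ns=2;s=Pump", "ns=2;s=Missing"]
    print(connect_security_groups(session, target, ADDRESS_SPACE, ids))
    print(target["pending_push"])
```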

8.6.4 DisconnectSecurityGroups Method

This Method disconnects instances of SecurityGroupType from this PubSubKeyPushTarget. This indicates that the SKS shall stop using the push model to distribute the keys of those SecurityGroups to the PubSubKeyPushTarget.

The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.

Signature

	DisconnectSecurityGroups (
		[in]	NodeId[]		SecurityGroupIds,
		[out]	StatusCode[]	DisconnectResults
	);
	
| Argument | Description |
| --- | --- |
| SecurityGroupIds | The NodeIds of the SecurityGroups to disconnect. |
| DisconnectResults | The result codes for the SecurityGroups to disconnect. |

Method Result Codes

| ResultCode | Description |
| --- | --- |
| Bad_UserAccessDenied | The Session user is not allowed to disconnect SecurityGroups from the push target. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

Operation Result Codes

| ResultCode | Description |
| --- | --- |
| Bad_NodeIdUnknown | A SecurityGroupNodeId is unknown. |
| Bad_NodeIdInvalid | A SecurityGroupNodeId is not a NodeId of a SecurityGroupType Object. |

Table 223 specifies the AddressSpace representation for the DisconnectSecurityGroups Method.

Table 223 – DisconnectSecurityGroups Method AddressSpace definition

| Attribute | Value |
| --- | --- |
| BrowseName | DisconnectSecurityGroups |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
| --- | --- | --- | --- | --- | --- |
| HasProperty | Variable | InputArguments | Argument[] | PropertyType | Mandatory |
| HasProperty | Variable | OutputArguments | Argument[] | PropertyType | Mandatory |

Conformance Units: PubSub Model SKS Push

8.6.5 TriggerKeyUpdate Method

This Method triggers a key update of all SecurityGroups related to the PubSubKeyPushTarget. The SKS shall push the new set of keys for all related SecurityGroups, even if not currently scheduled.

The Client shall be authorized to modify the configuration for the SKS functionality and shall use at least a signed communication channel when invoking this Method on the Server.

Signature

	TriggerKeyUpdate ();
	

Method Result Codes

| ResultCode | Description |
| --- | --- |
| Bad_UserAccessDenied | The Session user is not allowed to trigger a key update on this push target. |
| Bad_SecurityModeInsufficient | The communication channel is not using signing. |

8.6.6 HasPushedSecurityGroup

The HasPushedSecurityGroup ReferenceType is a concrete ReferenceType that can be used directly. It is a subtype of the HierarchicalReferences ReferenceType.

The SourceNode of References of this type shall be an Object of ObjectType PubSubKeyPushTargetType or an ObjectType that is a subtype of PubSubKeyPushTargetType defined in 8.6.1.

The TargetNode of this ReferenceType shall be an Object of the ObjectType SecurityGroupType defined in 8.4.1.

Servers shall provide the inverse Reference that relates a SecurityGroup Object back to a PubSubKeyPushTargetType Object.

The representation of the HasPushedSecurityGroup ReferenceType in the AddressSpace is specified in Table 224.

Table 224 – HasPushedSecurityGroup ReferenceType

| Attributes | Value |
| --- | --- |
| BrowseName | HasPushedSecurityGroup |
| InverseName | HasPushTarget |
| Symmetric | False |
| IsAbstract | False |

| References | NodeClass | BrowseName | Comment |
| --- | --- | --- | --- |
| Subtype of HierarchicalReferences defined in OPC 10000-5. | | | |

Conformance Units: PubSub Model SKS Push

Table 225 specifies the AddressSpace representation for the TriggerKeyUpdate Method.

Table 225 – TriggerKeyUpdate Method AddressSpace definition

| Attribute | Value |
| --- | --- |
| BrowseName | TriggerKeyUpdate |

Conformance Units: PubSub Model SKS Push