9.1.3.3 SetSecurityKeys

This Method is used to push the security keys for a SecurityGroup into a Publisher or Subscriber. It is used when the Publisher or Subscriber has no OPC UA Client functionality and therefore cannot fetch the keys from the SKS itself.

Encryption is required for this Method. The Method shall return Bad_SecurityModeInsufficient if the communication is not encrypted.

The OPC UA Client calling this Method shall be the SKS application whose ApplicationUri matches the ApplicationUri in the SecurityKeyServices parameter of the WriterGroup, ReaderGroup or DataSetReader Objects that use the SecurityGroupId. Since the Method carries no caller identity in its arguments, this check is made against the ApplicationUri of the authenticated Client session.

Signature

    SetSecurityKeys (
        [in]  String        SecurityGroupId,
        [in]  String        SecurityPolicyUri,
        [in]  IntegerId     CurrentTokenId,
        [in]  ByteString    CurrentKey,
        [in]  ByteString[]  FutureKeys,
        [in]  Duration      TimeToNextKey,
        [in]  Duration      KeyLifetime
    );

Argument Description

SecurityGroupId
    The identifier for the SecurityGroup.

SecurityPolicyUri
    The URI for the set of algorithms and key lengths used to secure the messages. The SecurityPolicies are defined in OPC 10000-7.

CurrentTokenId
    The SecurityTokenId that appears in the header of messages secured with the CurrentKey. It starts at 1 and is incremented by 1 each time the KeyLifetime elapses, even if no keys are requested. If the CurrentTokenId increments past the maximum value of UInt32, it restarts at 1.

    If the PubSub Object already holds key material from previous SetSecurityKeys Method calls, the CurrentTokenId is used to align the existing list with the delivered list and to eliminate duplicates.

    If the CurrentTokenId is unknown, the existing list shall be discarded and replaced.

CurrentKey
    The current key used to secure the messages. This key is not used directly: the protocol associated with the PubSubGroup(s) specifies an algorithm that derives distinct keys for the different cryptographic operations from it.

FutureKeys
    An ordered list of future keys that are used as each KeyLifetime elapses. The SecurityTokenId associated with the first key in the list is the CurrentTokenId plus 1; each following key has a SecurityTokenId 1 greater than its predecessor.

TimeToNextKey
    The time, in milliseconds, before the CurrentKey is expected to expire.

    If a Publisher receives the keys from an SKS through this Method, TimeToNextKey and KeyLifetime are used to calculate when the Publisher shall switch to the next key: TimeToNextKey defines when to switch from the CurrentKey to the first of the FutureKeys, and KeyLifetime defines when to switch from one future key to the next.

    For a Subscriber, TimeToNextKey and KeyLifetime are used to calculate when the Subscriber expects the Publishers to switch to the next key. Because of network latency, out-of-order delivery and the use of the same keys by several Publishers, a Subscriber needs to allow an overlap period during which NetworkMessages secured with the previous or the next key are still received.

KeyLifetime
    The lifetime of a key in milliseconds.

Method Result Codes

ResultCode                    Description
Bad_NotFound                  The SecurityGroupId is unknown.
Bad_UserAccessDenied          The caller is not allowed to set the keys for the SecurityGroup.
Bad_SecurityModeInsufficient  The communication channel is not using encryption.
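The following is an added worked example, not code from OPC 10000-14 or from any OPC UA stack. It models, on the Publisher/Subscriber side, the three checks that produce the result codes above (encryption first, then SecurityGroupId lookup, then the SKS ApplicationUri match), the SecurityTokenId arithmetic including the wrap from the UInt32 maximum back to 1, the merge of a delivered key list with an existing one keyed on CurrentTokenId, and the switch times a Publisher and a Subscriber derive from TimeToNextKey and KeyLifetime. The class names, the session dictionary, the string form of the status codes, and the sample SecurityPolicyUri, ApplicationUri and key bytes are constructed assumptions for the illustration; a real stack would take the ApplicationUri from the authenticated session and derive per-operation keys from CurrentKey as the SecurityPolicy prescribes.

```python
UINT32_MAX = 0xFFFFFFFF

# Result codes named after the spec's symbolic names (the string form is an assumption).
GOOD = "Good"
BAD_NOT_FOUND = "Bad_NotFound"
BAD_USER_ACCESS_DENIED = "Bad_UserAccessDenied"
BAD_SECURITY_MODE_INSUFFICIENT = "Bad_SecurityModeInsufficient"


def next_token_id(token_id):
    """SecurityTokenId is incremented by 1 and restarts at 1 past the UInt32 maximum."""
    return 1 if token_id == UINT32_MAX else token_id + 1


def prev_token_id(token_id):
    """Inverse of next_token_id: 1 wraps back to the UInt32 maximum."""
    return UINT32_MAX if token_id == 1 else token_id - 1


class SecurityGroupKeys:
    """Key material of one SecurityGroup as held by a Publisher or Subscriber."""

    def __init__(self, expected_sks_uri):
        self.expected_sks_uri = expected_sks_uri  # ApplicationUri from SecurityKeyServices
        self.policy_uri = None
        self.keys = {}                  # SecurityTokenId -> key bytes
        self.current_token_id = None
        self.current_expires_ms = None  # now + TimeToNextKey at the time of the push
        self.key_lifetime_ms = None

    def apply(self, policy_uri, current_token_id, current_key, future_keys,
              time_to_next_key_ms, key_lifetime_ms, now_ms):
        """Merge a delivered key list with the one already held."""
        # Unknown CurrentTokenId: the existing list is discarded and replaced.
        if current_token_id not in self.keys:
            self.keys.clear()
        # Known ids are overwritten in place, which is how duplicates collapse.
        token_ids = [current_token_id]
        self.keys[current_token_id] = current_key
        tid = current_token_id
        for key in future_keys:  # first FutureKey is CurrentTokenId + 1, and so on
            tid = next_token_id(tid)
            self.keys[tid] = key
            token_ids.append(tid)
        # Keep the key just before CurrentKey for late NetworkMessages; drop older ones.
        keep = set(token_ids) | {prev_token_id(current_token_id)}
        self.keys = {k: v for k, v in self.keys.items() if k in keep}
        self.policy_uri = policy_uri
        self.current_token_id = current_token_id
        self.current_expires_ms = now_ms + time_to_next_key_ms
        self.key_lifetime_ms = key_lifetime_ms

    def publisher_token_id(self, t_ms):
        """Token a Publisher uses at time t_ms: CurrentKey until TimeToNextKey has
        elapsed, then one step per KeyLifetime through the FutureKeys."""
        tid, expires = self.current_token_id, self.current_expires_ms
        while t_ms >= expires:
            tid = next_token_id(tid)
            expires += self.key_lifetime_ms
        return tid

    def subscriber_accepts(self, t_ms, token_id):
        """A Subscriber expects the Publisher's token but tolerates the previous and
        next one (latency, reordering, several Publishers) as long as it holds the key."""
        expected = self.publisher_token_id(t_ms)
        window = {prev_token_id(expected), expected, next_token_id(expected)}
        return token_id in window and token_id in self.keys


class PubSubKeyReceiver:
    """Handler for the SetSecurityKeys Method on a Publisher or Subscriber."""

    def __init__(self, groups):
        self.groups = groups  # SecurityGroupId -> SecurityGroupKeys

    def set_security_keys(self, session, args, now_ms):
        # session describes the calling OPC UA Client (dict layout is an assumption);
        # application_uri is the one verified when the session was established.
        if not session.get("encrypted"):
            return BAD_SECURITY_MODE_INSUFFICIENT
        group = self.groups.get(args["SecurityGroupId"])
        if group is None:
            return BAD_NOT_FOUND
        if session.get("application_uri") != group.expected_sks_uri:
            return BAD_USER_ACCESS_DENIED
        group.apply(args["SecurityPolicyUri"], args["CurrentTokenId"], args["CurrentKey"],
                    args["FutureKeys"], args["TimeToNextKey"], args["KeyLifetime"], now_ms)
        return GOOD


def build_example():
    """Constructed sample: one SecurityGroup, one authorised SKS, one key push
    whose CurrentTokenId sits at the UInt32 maximum so the wrap to 1 is exercised."""
    receiver = PubSubKeyReceiver({"SG1": SecurityGroupKeys("urn:example:sks")})
    sks_session = {"encrypted": True, "application_uri": "urn:example:sks"}
    args = {"SecurityGroupId": "SG1", "SecurityPolicyUri": "urn:example:policy",
            "CurrentTokenId": UINT32_MAX, "CurrentKey": b"key-max",
            "FutureKeys": [b"key-1", b"key-2"], "TimeToNextKey": 2000, "KeyLifetime": 5000}
    return receiver, sks_session, args
```

With the constructed push from build_example applied at time 0, the Publisher uses the token at the UInt32 maximum until 2000 ms, token 1 from 2000 ms, and token 2 from 7000 ms; a second push at 2000 ms that names token 1 as CurrentTokenId is merged rather than replacing the list, while a push naming a token the receiver has never seen discards everything held so far.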

Table 234 specifies the AddressSpace representation for the SetSecurityKeys Method.

Table 234 – SetSecurityKeys Method AddressSpace definition
Attribute      Value
BrowseName     SetSecurityKeys

References     NodeClass   BrowseName      DataType    TypeDefinition   ModellingRule
HasProperty    Variable    InputArguments  Argument[]  PropertyType     Mandatory

ConformanceUnits
PubSub Model Base