4 OPC UA security architecture ToC Previous Next

4.10 Application Authentication ToC Previous Next

OPC UA uses a concept conveying Application Authentication to allow applications that intend to communicate to identify each other. Each OPC UA Application Instance has a Certificate (Application Instance Certificate) assigned that is exchanged during Secure Channel establishment. The receiver of the Certificate checks whether it trusts the Certificate and based on this check it accepts or rejects the request or response Message from the sender. This trust check is accomplished using the concept of TrustLists. TrustLists are implemented as a CertificateStore designated by an administrator. An administrator determines if the Certificate is signed, validated and trustworthy before placing it in a TrustList. A TrustList also stores Certificate Authorities (CA). TrustLists that include CAs, also include Certificate Revocation Lists (CRLs). OPC UA makes use of these industry standard concepts as defined by other organizations.

In OPC UA, HTTPS can be used to create Secure Channels, however, these channels do not provide Application Authentication. If Authentication is required, it is based on user credentials (User Authentication see 4.9). More details on Application Authentication can be found in OPC 10000-4.

Previous Next