4 OPC UA security architecture ToC Previous Next

4.5 OPC UA security architecture ToC Previous Next

4.5.2 Client / Server ToC Previous Next

Client / Server communication can include both Session and session-less communication.

The routine work of a Client application and a Server application to transmit information, settings, and commands is done in a Session in the Application Layer. The Application Layer also manages the security objectives user Authentication and user Authorization. The security objectives that are managed by the Application Layer are addressed by the Session Services that are specified in OPC 10000-4. A Session in the Application Layer communicates over a Secure Channel that is created in the Communication Layer and relies upon it for secure communication. All of the Session data is passed to the Communication Layer for further processing.

Although a Session communicates over a Secure Channel and has to be activated before it can be used, the binding of users, Sessions, and Secure Channels is flexible.

Impersonation allows a user to take ownership of an existing Session.

If a Secure Channel breaks, the Session will remain valid for a period of time allowing the Client to re-establish the connection to the Session via a new Secure Channel. Otherwise, the Session closes after its lifetime expires.

The Communication Layer provides security mechanisms to meet Confidentiality, Integrity and application Authentication as security objectives. One essential mechanism to meet these security objectives is to establish a Secure Channel (see 4.13) that is used to secure the communication between a Client and a Server. The Secure Channel provides encryption to maintain Confidentiality, Message Signatures to maintain Integrity and Certificates to provide application Authentication. The data that comes from the Application Layer is secured and passes the “secured” data to the Transport Layer. The security mechanisms that are managed by the Communication Layer are provided by the Secure Channel Services that are specified in OPC 10000-4.

The security mechanisms provided by the Secure Channel services are implemented by a protocol stack that is chosen for the implementation. Mappings of the services to some of the protocol stack options are specified in OPC 10000-6 which define how functions in the protocol stack are used to meet the OPC UA security objectives.

The Communication Layer can represent an OPC UA connection protocol stack. OPC UA specifies alternative stack mappings that can be used as the Communication Layer. These mappings are described in OPC 10000-6.

If the OPC UA Connection Protocol (UACP) is used, then functionality for Confidentiality, Integrity, application Authentication, and the Secure Channel are similar to the SSL/TLS specifications, as described in OPC 10000-6.

The Transport Layer handles the transmission, reception, and the transport of data that is provided by the Communication Layer.

To survive the loss of the Transport Layer connections (e.g. TCP connections) and resume with a new connection, the Communication Layer is responsible for re-establishing the Transport Layer connection without interrupting the logical Secure Channel.

The transport layer can also be used to implement Confidentiality and Integrity by using HTTPS as described in OPC 10000-6. It is important to note that HTTPS certificates can be (and often are) shared by multiple applications on a platform and that they can be compromised outside of the OPC UA usage of them. All applications on the platform that use the same shared certificate have the same settings, such as disabling of SSLv2.

OPC UA provides a session-less Service invocation (see OPC 10000-4 overview and see OPC 10000-6 for details). The session-less communication provides User Authentication. The communication channel provides Confidentiality and Integrity. The communication channel might be an OPC UA Secure channel (without a session). It might be a communication channel, such as HTTPS, which relies on transport protocols to provide security. In addition, User Authentication and/or Application Authentication can also be established by the use of an Access Token which is obtained from an AuthorizationService (see OPC 10000-6 for details).

Additional communication mappings are described in OPC 10000-6. These mappings may rely on transport protocols to provide Confidentiality and Integrity. One example is Websockets, which utilizes HTTPS transport layer security to provide Confidentiality and Integrity.

Previous Next