Errata exists for this version of the document.

The UserNameIdentityToken is used to pass simple username/password credentials to the Server.

This token shall be encrypted by the Client if required by the SecurityPolicy of the UserTokenPolicy. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None and no transport layer encryption is available. If None is specified for the UserTokenPolicy and SecurityPolicy is None then the password only contains the UTF-8 encoded password. The SecurityPolicy of the SecureChannel is used if no SecurityPolicy is specified in the UserTokenPolic y.

If the token is to be encrypted the password shall be converted to a UTF-8 ByteString, encrypted and then serialized as shown in Table 181.

The Server shall decrypt the password and verify the ServerNonce.

If the SecurityPolicy is None then the password only contains the UTF-8 encoded password. This configuration should not be used unless the network is encrypted in some other manner such as a VPN. The use of this configuration without network encryption would result in a serious security fault, in that it would cause the appearance of a secure user access, but it would make the password visible in clear text.

Table 186 defines the UserNameIdentityToken parameter.

Table 186 – UserNameIdentityToken

Name

Type

Description

UserNameIdentityToken

Structure

UserName value.

policyId

String

An identifier for the UserTokenPolicy that the token conforms to.

The UserTokenPolicy structure is defined in 7.37.

userName

String

A string that identifies the user.

password

ByteString

The password for the user. The password can be an empty string.

This parameter shall be encrypted with the Server’s public key using the algorithm specified by the SecurityPolicy. The format used for the encrypted data is described in 7.36.2.2.

encryptionAlgorithm

String

A string containing the URI of the AsymmetricEncryptionAlgorithm.

The URI string values are defined names that may be used as part of the security profiles specified in OPC 10000-7.

This parameter is null if the password is not encrypted.

Table 187 describes the dependencies for selecting the AsymmetricEncryptionAlgorithm for the UserNameIdentityToken. The SecureChannel SecurityPolicy URI is specified in the EndpointDescription and used in subsequent OpenSecureChannel requests. The UserTokenPolicy SecurityPolicy URI is specified in the EndpointDescription. The encryptionAlgorithm is specified in the UserNameIdentityToken or IssuedIdentityToken provided by the Client in the ActivateSession call. The SecurityPolicy Other in the table refers to any SecurityPolicy other than None. The selection of the EncryptionAlgorithm is based on the UserTokenPolicy. The SecureChannel SecurityPolicy is used if the UserTokenPolicy is null or empty.

Table 187 – EncryptionAlgorithm selection

SecureChannel SecurityPolicy

UserTokenPolicy SecurityPolicy

UserIdentityToken EncryptionAlgorithm

Security Policy - None

Null or empty

No encryption

Security Policy - None

Security Policy - None

No encryption

Security Policy - None

Security Policy - Other

Asymmetric algorithm for "Other"

Security Policy - Other

Null or empty

Asymmetric algorithm for "Other"

Security Policy - Other

Security Policy - Yet another

Asymmetric algorithm for "Yet another"

Security Policy - Other

Security Policy - Other

Asymmetric algorithm for "Other"

Security Policy - Other

Security Policy - None

No encryption