Annex E (normative) Security settings management

E.1 Overview

All OPC UA applications shall support security; however, this requirement means that Administrators need to configure the security settings for the OPC UA application. This appendix describes an XML Schema which can be used to read and update the security settings for an OPC UA application. All OPC UA applications may support configuration by importing/exporting documents that conform to the schema (called the SecuredApplication schema) defined in this Annex.

The XML Schema released with this version of the standards can be found here:

http://www.opcfoundation.org/UA/schemas/1.04/SecuredApplication.xsd

NOTE The latest file that is compatible with this version of this specification can be found here:

http://opcfoundation.org/UA/2011/03/SecuredApplication.xsd

The SecuredApplication schema can be supported in two ways:

  1. Providing an XML configuration file that can be edited directly;
  2. Providing an import/export utility that can be run as required.

If the application supports direct editing of an XML configuration file, then that file shall have exactly one element with the local name ‘SecuredApplication’ and URI equal to the SecuredApplication schema URI. A third party configuration utility shall be able to parse the XML file, read and update the ‘SecuredApplication’ element. The administrator shall ensure that only authorized administrators can update this file. The following is an example of a configuration that can be directly edited:

<s1:SampleConfiguration xmlns:s1="http://acme.com/UA/Sample/Configuration.xsd">
  <ApplicationName>ACME UA Server</ApplicationName>
  <ApplicationUri>urn:myfactory.com:Machine54:ACME UA Server</ApplicationUri>

  <!-- any number of application specific elements -->

  <SecuredApplication xmlns="http://opcfoundation.org/UA/2011/03/SecuredApplication.xsd">
    <ApplicationName>ACME UA Server</ApplicationName>
    <ApplicationUri>urn:myfactory.com:Machine54:ACME UA Server</ApplicationUri>
    <ApplicationType>Server_0</ApplicationType>
    <ApplicationCertificate>
      <StoreType>Windows</StoreType>
      <StorePath>LocalMachine\My</StorePath>
      <SubjectName>ACME UA Server</SubjectName>
    </ApplicationCertificate>
  </SecuredApplication>

  <!-- any number of application specific elements -->

  <DisableHiResClock>true</DisableHiResClock>
</s1:SampleConfiguration>

If an application provides an import/export utility, then the import/export file shall be a document that conforms to the SecuredApplication schema. The administrator shall ensure that only authorized administrators can run the utility. The following is an example of a file used by an import/export utility:

<?xml version="1.0" encoding="utf-8" ?>
<SecuredApplication xmlns="http://opcfoundation.org/UA/2011/03/SecuredApplication.xsd">
  <ApplicationName>ACME UA Server</ApplicationName>
  <ApplicationUri>urn:myfactory.com:Machine54:ACME UA Server</ApplicationUri>
  <ApplicationType>Server_0</ApplicationType>
  <ConfigurationMode>urn:acme.com:ACME Configuration Tool</ConfigurationMode>
  <LastExportTime>2011-03-04T13:34:12Z</LastExportTime>
  <ExecutableFile>%ProgramFiles%\ACME\Bin\ACME UA Server.exe</ExecutableFile>
  <ApplicationCertificate>
    <StoreType>Windows</StoreType>
    <StorePath>LocalMachine\My</StorePath>
    <SubjectName>ACME UA Server</SubjectName>
  </ApplicationCertificate>
  <TrustedCertificateStore>
    <StoreType>Windows</StoreType>
    <StorePath>LocalMachine\UA applications</StorePath>
    <!-- Offline CRL Checks by Default -->
    <ValidationOptions>16</ValidationOptions>
  </TrustedCertificateStore>
  <TrustedCertificates>
    <Certificates>
      <CertificateIdentifier>
        <SubjectName>CN=MyFactory CA</SubjectName>
        <!-- Online CRL Check for this CA -->
        <ValidationOptions>32</ValidationOptions>
      </CertificateIdentifier>
    </Certificates>
  </TrustedCertificates>
  <RejectedCertificatesStore>
    <StoreType>Directory</StoreType>
    <StorePath>%CommonApplicationData%\OPC Foundation\RejectedCertificates</StorePath>
  </RejectedCertificatesStore>
</SecuredApplication>
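
The "exactly one element" rule and the two file layouts shown above can be checked by a third-party reader as follows. This is an added Python example, not part of the specification: it locates the SecuredApplication element by namespace URI and local name, rejects files with zero or several such elements, and lists the certificate-store settings for review. The function names, the returned dictionary layout and the refusal of any DOCTYPE are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Namespace URI as it appears in the examples on this page.
SA_NS = "http://opcfoundation.org/UA/2011/03/SecuredApplication.xsd"
STORES = ("ApplicationCertificate", "TrustedCertificateStore", "RejectedCertificatesStore")
FIELDS = ("StoreType", "StorePath", "SubjectName", "ValidationOptions")

def q(name):
    return "{%s}%s" % (SA_NS, name)

def text(parent, name):
    node = parent.find(q(name))
    return node.text.strip() if node is not None and node.text else None

def find_secured_application(xml_text):
    """Return the single SecuredApplication element or raise ValueError."""
    # Policy chosen for this example: a settings file needs no DTD, so refuse any DOCTYPE.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not accepted in a configuration file")
    root = ET.fromstring(xml_text)
    # iter() also yields the root, so the import/export layout (element is the
    # document root) and the direct-edit layout (element is nested) both match.
    found = list(root.iter(q("SecuredApplication")))
    if len(found) != 1:
        raise ValueError("expected exactly one SecuredApplication, found %d" % len(found))
    return found[0]

def read_security_settings(xml_text):
    """Collect the certificate-store settings of the element for review."""
    app = find_secured_application(xml_text)
    out = {"ApplicationUri": text(app, "ApplicationUri"), "stores": {}, "per_certificate": {}}
    for store in STORES:
        node = app.find(q(store))
        if node is not None:
            out["stores"][store] = {f: text(node, f) for f in FIELDS if text(node, f)}
    # ValidationOptions set on individual trusted certificates (None when absent).
    for cert in app.iter(q("CertificateIdentifier")):
        out["per_certificate"][text(cert, "SubjectName")] = text(cert, "ValidationOptions")
    return out

# Constructed sample: a trimmed copy of the direct-edit file shown on this page.
SAMPLE = r"""<s1:SampleConfiguration xmlns:s1="http://acme.com/UA/Sample/Configuration.xsd">
<SecuredApplication xmlns="http://opcfoundation.org/UA/2011/03/SecuredApplication.xsd">
<ApplicationUri>urn:myfactory.com:Machine54:ACME UA Server</ApplicationUri>
<ApplicationCertificate><StoreType>Windows</StoreType><StorePath>LocalMachine\My</StorePath></ApplicationCertificate>
</SecuredApplication></s1:SampleConfiguration>"""

if __name__ == "__main__":
    print(read_security_settings(SAMPLE))
```

Matching on the namespace-qualified name means a vendor element that merely shares the local name is not mistaken for the security settings.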
