All OPC UA applications support security; and this means that Administrators need to configure the security settings for the OPC UA application. Clause E.1 describes an XML Schema which can be used to read and update the security settings for an OPC UA application. This schema provides a reference for application developers adding support for security configuration to their applications.
The XML Schema released with this version of the standards can be found here:
http://www.opcfoundation.org/UA/schemas/1.05/SecuredApplication.xsd
NOTE The latest file that is compatible with this version of this specification can be found here:
http://opcfoundation.org/UA/2011/03/SecuredApplication.xsd
The SecuredApplication schema can be supported in two ways:
- Providing an XML configuration file that can be edited directly;
- Providing an import/export utility that can be run as required;
If the application supports direct editing of an XML configuration file, then that file has exactly one element with the local name ‘SecuredApplication’ and URI equal to the SecuredApplication schema URI. A third-party configuration utility is able to parse the XML file, read and update the ‘SecuredApplication’ element. The administrator ensures that only authorized administrators can update this file. The following is an example of a configuration that can be directly edited:
<s1:SampleConfiguration xmlns:s1="http://acme.com/UA/Sample/Configuration.xsd">
<ApplicationName>ACME UA Server</ApplicationName>
<ApplicationUri>urn:myfactory.com:Machine54:ACME UA Server</ApplicationUri>
<!-- any number of application specific elements -->
<SecuredApplication xmlns="http://opcfoundation.org/UA/2011/03/SecuredApplication.xsd">
<ApplicationName>ACME UA Server</ApplicationName>
<ApplicationUri>urn:myfactory.com:Machine54:ACME UA Server</ApplicationUri>
<ApplicationType>Server_0</ApplicationType>
<ApplicationCertificate>
<StoreType>Windows</StoreType>
<StorePath>LocalMachine\My</StorePath>
<SubjectName>ACME UA Server</SubjectName>
</ApplicationCertificate>
</SecuredApplication>
<!-- any number of application specific elements -->
<DisableHiResClock>true</DisableHiResClock>
</s1:SampleConfiguration>
If an application provides an import/export utility, then the import/export file is a document that conforms to the SecuredApplication schema. The administrator ensures that only authorized administrators can run the utility. The following is an example of a file used by an import/export utility:
<?xml version="1.0" encoding="utf-8" ?>
<SecuredApplication xmlns="http://opcfoundation.org/UA/2011/03/SecuredApplication.xsd">
<ApplicationName>ACME UA Server</ApplicationName>
<ApplicationUri>urn:myfactory.com:Machine54:ACME UA Server</ApplicationUri>
<ApplicationType>Server_0</ApplicationType>
<ConfigurationMode>urn:acme.com:ACME Configuration Tool</ConfigurationMode>
<LastExportTime>2011-03-04T13:34:12Z</LastExportTime>
<ExecutableFile>%ProgramFiles%\ACME\Bin\ACME UA Server.exe</ExecutableFile>
<ApplicationCertificate>
<StoreType>Windows</StoreType>
<StorePath>LocalMachine\My</StorePath>
<SubjectName>ACME UA Server</SubjectName>
</ApplicationCertificate>
<TrustedCertificateStore>
<StoreType>Windows</StoreType>
<StorePath>LocalMachine\UA applications</StorePath>
<!-- Offline CRL Checks by Default -->
<ValidationOptions>16</ValidationOptions>
</TrustedCertificateStore>
<TrustedCertificates>
<Certificates>
<CertificateIdentifier>
<SubjectName>CN=MyFactory CA</SubjectName>
<!-- Online CRL Check for this CA -->
<ValidationOptions>32</ValidationOptions>
</CertificateIdentifier>
</Certificates>
</TrustedCertificates>
<RejectedCertificatesStore>
<StoreType>Directory</StoreType>
<StorePath>%CommonApplicationData%\OPC Foundation\RejectedCertificates</StorePath>
</RejectedCertificatesStore>
</SecuredApplication>