Information Revolution 2014: Matthias Damm

The document discusses OPC UA discovery and security configuration. It describes how OPC UA servers initially configure endpoints and register with a local discovery server. It also describes how OPC UA clients can find servers, get endpoint configurations, and securely connect to servers.

Information Revolution 2014

OPC UA Discovery

Matthias Damm
Executive Director ascolab GmbH
Consultant Unified Automation GmbH
matthias.damm@ascolab.com
www.unifiedautomation.com
2 | OPC UA Discovery

Agenda

> OPC UA Discovery and Security Configuration

> Network Wide Discovery

> Centralized Security Configuration

© Unified Automation GmbH – All rights reserved.


3 | OPC UA Discovery

OPC UA Server Initial Configuration

Diagram: PC 1: MyServer, running an OPC UA Server whose configuration is done by the administrator.

Endpoints (each defined by Endpoint URL, Security Policy, Message Security Mode and User Token Type):
 opc.tcp://MyServer:48001
  • Basic256
  • SignAndEncrypt
  • Username/Certificate
 opc.tcp://MyServer:48001
  • Basic128Rsa15
  • SignAndEncrypt
  • Username

Trust List: list of trusted application instance certificates
Rejected List: list of rejected application instance certificates

Application Instance Certificate: public and private key, generated by server or provided by admin
4 | OPC UA Discovery

Local Discovery Server (LDS) – Registration

Diagram: one PC hosting the LDS and several OPC UA Servers.

 OPC UA Servers register with LDS
 Registration requires security


5 | OPC UA Discovery

OPC UA Client Configuration

Diagram: PC 2: MyClient, running an OPC UA Client.

Server Connection List: list of selected server endpoint(s)
Trust List: list of trusted application instance certificates
Application Instance Certificate: public and private key, generated by client or provided by admin


6 | OPC UA Discovery

Local Discovery Server (LDS) – Discovery

Diagram: the OPC UA Client on one PC calls FindServers on the LDS of the server PC and then GetEndpoints on one of the OPC UA Servers there.

Client needs to know the server host

FindServers
 Called on known LDS port 4840
 Returns a list of servers

GetEndpoints
 Called on server
 Returns server security configuration


7 | OPC UA Discovery

Connection Configuration

Diagram: PC 2: MyClient (OPC UA Client) calls GetEndpoints on PC 1: MyServer (OPC UA Server).

UA call to get endpoints; the server returns:
 opc.tcp://MyServer:48001
  • Basic256
  • SignAndEncrypt
  • Username/Certificate
 opc.tcp://MyServer:48001
  • Basic128Rsa15
  • SignAndEncrypt
  • Username


8 | OPC UA Discovery

Connection Configuration

Diagram: PC 2: MyClient (OPC UA Client) and PC 1: MyServer (OPC UA Server) with the endpoints returned above.

Manual accept on client


9 | OPC UA Discovery

Connection Configuration

Diagram: the selected endpoint is now stored in the client's Server Connection List:
 opc.tcp://MyServer:48001
  • Basic256
  • SignAndEncrypt
  • Username

Client configured


10 | OPC UA Discovery

Connection Configuration

Diagram: the OPC UA Client calls CreateSecureChannel on the OPC UA Server using the configured endpoint.

Client connect rejected


11 | OPC UA Discovery

Connection Configuration

Diagram: PC 2: MyClient and PC 1: MyServer; the administrator accepts the client's application instance certificate on the server.

Manual accept on Server


12 | OPC UA Discovery

Connection Configuration

Diagram: the OPC UA Client calls CreateSecureChannel, then CreateSession, then ActivateSession (with User/PW) on the OPC UA Server.

Secure Connection
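The connection configuration sequence of slides 7 to 12, modelled in Python as an added example (not code from the presentation or from Unified Automation): endpoint selection by security policy and user token type, the trust list and rejected list on each side, and the two manual accepts. The certificate strings, the policy ranking and the Endpoint/Application classes are assumptions standing in for real SDK types.

```python
from dataclasses import dataclass, field
POLICY_RANK = {"None": 0, "Basic128Rsa15": 1, "Basic256": 2}   # stronger policy ranks higher
MODE_RANK = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}

@dataclass(frozen=True)
class Endpoint:              # one endpoint as returned by GetEndpoints (constructed, not SDK types)
    url: str
    security_policy: str     # "Basic256" or "Basic128Rsa15" on the slides
    security_mode: str       # "SignAndEncrypt" on the slides
    user_token_types: tuple  # ("Username", "Certificate")

@dataclass
class Application:           # client or server with its certificate, trust list and rejected list
    name: str
    cert: str                # placeholder string standing in for the application instance certificate
    trust_list: set = field(default_factory=set)
    rejected_list: set = field(default_factory=set)

    def check_peer(self, peer_cert):
        """Accept only trusted certificates; anything else lands in the rejected list."""
        if peer_cert not in self.trust_list:
            self.rejected_list.add(peer_cert)
        return peer_cert in self.trust_list

    def admin_accept(self, peer_cert):
        """Manual accept: the administrator moves a rejected certificate into the trust list."""
        self.rejected_list.discard(peer_cert)
        self.trust_list.add(peer_cert)

def select_endpoint(endpoints, token_type):
    """Pick the strongest policy and mode among endpoints offering the wanted user token type."""
    usable = [e for e in endpoints if token_type in e.user_token_types]
    return max(usable, key=lambda e: (POLICY_RANK[e.security_policy], MODE_RANK[e.security_mode]), default=None)

def create_secure_channel(client, server):
    """CreateSecureChannel succeeds only if each side trusts the other; '&' runs both checks."""
    return client.check_peer(server.cert) & server.check_peer(client.cert)

SERVER_ENDPOINTS = (  # the two endpoints of MyServer from slide 3
    Endpoint("opc.tcp://MyServer:48001", "Basic256", "SignAndEncrypt", ("Username", "Certificate")),
    Endpoint("opc.tcp://MyServer:48001", "Basic128Rsa15", "SignAndEncrypt", ("Username",)),
)

def walk_through():  # replays slides 7 to 12; returns (endpoint, first connect rejected?, second ok?, server)
    client, server = Application("MyClient", "cert:MyClient"), Application("MyServer", "cert:MyServer")
    endpoint = select_endpoint(SERVER_ENDPOINTS, "Username")
    client.admin_accept(server.cert)                       # manual accept on client (slide 8)
    rejected = not create_secure_channel(client, server)   # client connect rejected (slide 10)
    server.admin_accept(client.cert)                       # manual accept on server (slide 11)
    return endpoint, rejected, create_secure_channel(client, server), server   # secure connection (slide 12)
```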


13 | OPC UA Discovery

Agenda

> OPC UA Discovery and Security Configuration

> Network Wide Discovery

> Centralized Security Configuration



14 | OPC UA Discovery

Ad-Hoc Discovery/Multicast DNS (mDNS)

Diagram: OPC UA Clients, each with a local LDS-ME, a PLC with an embedded OPC UA Server, and a PC with LDS-ME and OPC UA Servers, all on one local network.

Features provided:
 - Host name resolution without central DNS server
 - Find OPC UA servers with feature list in local network

Advantage: No central infrastructure required

Limitation: Works only in local subnet


15 | OPC UA Discovery

LDS-ME – Announcing Servers

Diagram: PC with LDS-ME and OPC UA Servers; PLC with embedded OPC UA Server.

LDS-ME on Server
 Servers are registered with local LDS
 LDS with Multicast Extension (LDS-ME) announces servers

Embedded Server
 Announces itself in the network


16 | OPC UA Discovery

LDS-ME – Provide Server List to Client

Diagram: OPC UA Clients, each with a local LDS-ME; PLC with embedded OPC UA Server; PC with LDS-ME and OPC UA Servers.

LDS-ME on Client
 LDS-ME provides cache of servers announced in the network
 Client can access list through OPC UA Service from LDS


17 | OPC UA Discovery

LDS-ME – Discovery

Diagram: client PC and server PC each run an LDS-ME; the server registers with its LDS-ME, the LDS-MEs find each other via mDNS; the OPC UA Client calls FindServersOnNetwork on its local LDS-ME and GetEndpoints on the OPC UA Server.

FindServersOnNetwork
 Called on local LDS
 Returns a list of servers in the network

GetEndpoints
 Still called on server – returns server security configuration


18 | OPC UA Discovery

Global Directory Service (GDS)

Diagram: Central Server hosting the GDS with its DirectoryType object and the list of registered UA Servers.

GDS
 Central discovery server
 Full OPC UA Server
 DirectoryType is discovery interface with UA Methods

DirectoryType
 RegisterApplication
 UpdateApplication
 UnregisterApplication
 QueryServers


19 | OPC UA Discovery

GDS – Server Registration

Diagram: the Server Admin calls RegisterApplication on the GDS (Central Server) for the OPC UA Server; the GDS keeps the list of registered UA Servers.

Server Setup
 Server registration with GDS during setup
 Registration requires security


20 | OPC UA Discovery

GDS – Client Discovery

Diagram: the OPC UA Client calls QueryServers on the GDS (Central Server), which answers from its list of registered UA Servers.

Client Discovery
 QueryServers used to find servers
 Filter (LIKE string filter) for
  ◦ ApplicationName/ApplicationURI
  ◦ ProductURI
  ◦ Server Capabilities
21 | OPC UA Discovery

GDS – How to Find GDS

Diagram: the OPC UA Client asks its local LDS-ME (via mDNS) to find the GDS, then calls QueryServers on the GDS (Central Server).

Client Discovery
 Local LDS-ME delivers GDS location (capability filter)
 QueryServers used to find servers


22 | OPC UA Discovery

Server Discovery URL for GetEndpoints

Diagram: the OPC UA Client obtains the server DiscoveryURL from the GDS, the LDS or the LDS-ME and then calls GetEndpoints on the OPC UA Server.

GetEndpoints
 Server DiscoveryURL from
  ◦ GDS QueryServers
  ◦ LDS FindServers
  ◦ LDS-ME FindServersOnNetwork
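The QueryServers filtering of slides 20 to 22, as an added Python example that is not part of the presentation: a matcher for the % and _ wildcards of the LIKE filter, a registry filter on ApplicationName, ApplicationURI, ProductURI and server capabilities (the capability filter is also how slide 21 locates the GDS), and the step that turns the result into DiscoveryURLs for GetEndpoints. The registry entries, names and URIs are constructed, and the bracket-range syntax of the LIKE operator is left out.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class RegisteredApp:             # one entry of the GDS list of registered UA servers (constructed)
    application_name: str
    application_uri: str
    product_uri: str
    discovery_urls: tuple
    server_capabilities: tuple   # e.g. ("DA",); "GDS" marks the directory service itself

def like_to_regex(pattern):
    """LIKE operator subset: '%' matches any string, '_' one character, '\\' escapes the next char."""
    out, i = "", 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out, i = out + re.escape(pattern[i + 1]), i + 2
        else:
            out, i = out + {"%": ".*", "_": "."}.get(pattern[i], re.escape(pattern[i])), i + 1
    return re.compile("^" + out + "$", re.DOTALL)

def query_servers(registry, application_name="%", application_uri="%", product_uri="%", capabilities=()):
    """Mimics QueryServers: LIKE filters on name and URIs plus required server capabilities."""
    name_re, uri_re, product_re = map(like_to_regex, (application_name, application_uri, product_uri))
    return [app for app in registry
            if name_re.match(app.application_name) and uri_re.match(app.application_uri)
            and product_re.match(app.product_uri)
            and all(cap in app.server_capabilities for cap in capabilities)]

def discovery_urls(registry, **filters):
    """The DiscoveryURLs a client takes from the query result and then uses for GetEndpoints."""
    return [url for app in query_servers(registry, **filters) for url in app.discovery_urls]

# Constructed registry; names, URIs and capability strings are invented for this example.
REGISTRY = (
    RegisteredApp("MyServer", "urn:PC1:MyServer", "urn:example:ua-server", ("opc.tcp://MyServer:48001",), ("DA",)),
    RegisteredApp("PLC Server", "urn:plc7:server", "urn:example:plc-ua", ("opc.tcp://plc7:4840",), ("DA", "HD")),
    RegisteredApp("Global Directory", "urn:central:gds", "urn:example:gds", ("opc.tcp://central:4840",), ("GDS",)),
)
```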


23 | OPC UA Discovery

Discovery – Big Picture

Diagram: local subnets in which OPC UA Clients and OPC UA Servers find each other via mDNS, and a GDS used by clients and servers across the whole network.

LDS-ME – mDNS
 Ad-Hoc discovery
 Local Subnet

GDS
 Network wide discovery
 Security can be applied


24 | OPC UA Discovery

Agenda

> OPC UA Discovery and Security Configuration

> Network Wide Discovery

> Centralized Security Configuration



25 | OPC UA Discovery

Global Directory Service (GDS)

Diagram: Central Server hosting the GDS with its DirectoryType, a CA and a CertificateDirectoryType object; applications pull or push certificates.

GDS as Certificate Authority
 Central CA
 Full OPC UA Server
 CertificateDirectoryType is interface with UA Methods

CertificateDirectoryType
 RequestCertificate
 SignCertificate
 RenewCertificate
 CheckRequestStatus
 GetTrustList


26 | OPC UA Discovery

GDS – Application Setup

Diagram: the Admin calls RegisterApplication and SignCertificate on the GDS (Central Server with DirectoryType, CA and CertificateDirectoryType) on behalf of an OPC UA Client or OPC UA Server.

Application Setup
 Application registration with GDS during setup
 Signing of application certificate
 Setup requires security


27 | OPC UA Discovery

GDS – Application Security Update – Pull

Diagram: OPC UA Client and OPC UA Server each call GetTrustList on the GDS (Central Server with DirectoryType, CA and CertificateDirectoryType).

Pull
 Applications are clients for GDS

Application Security Update
 Frequent update of trust list and CA revocation list
 Update requires security


28 | OPC UA Discovery

GDS – Application Security Update – Push

Diagram: a GDS Client calls GetTrustList on the GDS (Central Server) and then updates the OPC UA Server through its TrustListType object.

Push
 Client gets trust list from GDS
 Server implements TrustListType
 Client updates server trust list with latest setting from GDS
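The pull and push update paths of slides 27 and 28 as an added Python example (not the presentation's or Unified Automation's code): a simplified model of the server's TrustListType object, in which a pushed list only takes effect on close_and_update, and the check that a peer certificate is both in the trust list and absent from the CA revocation list. Certificate strings and the TrustList/Application/Server classes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TrustList:      # what GetTrustList delivers: trusted certificates and the CA revocation list
    trusted: frozenset
    revoked: frozenset

@dataclass
class Application:
    name: str
    trust_list: TrustList

    def accepts(self, peer_cert):
        """A peer certificate must be in the trust list and must not be on the revocation list."""
        return peer_cert in self.trust_list.trusted and peer_cert not in self.trust_list.revoked

    def pull(self, gds_list):
        """Pull: the application is itself a GDS client and fetches the list with GetTrustList."""
        self.trust_list = gds_list

@dataclass
class Server(Application):
    """Server with a TrustListType object: a written list only takes effect on close_and_update."""
    staged: Optional[TrustList] = None

    def write(self, trust_list):
        self.staged = trust_list

    def close_and_update(self):
        if self.staged is None:
            return False
        self.trust_list, self.staged = self.staged, None
        return True

def push(server, gds_list):
    """Push: a GDS client fetched the list and writes it into the server's TrustListType object."""
    server.write(gds_list)
    return server.close_and_update()

def revocation_walkthrough():
    """Constructed scenario: a certificate is revoked at the GDS; only the updated server rejects it."""
    certs = frozenset({"cert:MyClient", "cert:OtherClient"})
    old_list = TrustList(certs, frozenset())
    new_list = TrustList(certs, frozenset({"cert:OtherClient"}))   # OtherClient now on the CRL
    stale, updated = Server("StaleServer", old_list), Server("MyServer", old_list)
    push(updated, new_list)
    return stale.accepts("cert:OtherClient"), updated.accepts("cert:OtherClient")
```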


29 | OPC UA Discovery

Global Directory Service (GDS)

Diagram: Central Administration with the GDS (pull/push of certificates, CA, list of registered UA Servers); OPC UA Clients use Pull, OPC UA Servers use Pull or Push.

 Find Servers
 Application Registration
 Initial Configuration/Certificate Generation
 Update Trust List/Revocation Lists


30 | OPC UA Discovery

Global Directory Service (GDS)

Diagram: Central Administration; the GDS sits between the OPC UA Clients and OPC UA Servers on one side and any directory and any CA on the other.

GDS is OPC UA wrapper around any directory or CA


31 | OPC UA Discovery

Summary

> Discovery used to
 > Find servers
 > Get security configuration
> Discovery options
 > Discover on known port 4840 of a network node
 > Use mDNS for ad-hoc discovery in local network
 > Use GDS as central discovery server
> GDS for central certificate management
