C++ Based OPC UA Client/Server SDK 1.5.3.346
Security

Application Authentication

OPC UA requires a bidirectional authentication of the Client and Server applications with X.509 application instance certificates during the establishment of a secure communication connection. Application instance certificates are required to uniquely identify each installation or instance of an application. The Server application provides its application instance certificate via the Discovery Service Set. The Client provides its application instance certificate in the OpenSecureChannel Service.

The Server application instance certificate can be created as a self-signed certificate during the installation or start of the OPC Server. The PKI library provides functionality to create and manage certificates.

As a second option, the Server application instance certificate can be provided by the administrator of the OPC Server. For this option the configuration tool of the Server needs to provide a way to replace the generated certificate or to change the name of the certificate in use.

The interface method ServerConfig::getEndpointConfiguration is used to provide the certificate, the private key and the Endpoint Security Settings from the product specific implementation to the Server SDK.

Endpoint Security Settings

There are different security settings possible for an Endpoint. The first setting is the SecurityPolicy. The SecurityPolicy describes the set of algorithms and key lengths used for the SecureChannel between the client and server application. The second setting is the Message Security Mode. It defines whether the messages exchanged between the client and server are secured by signing the message or by signing and encrypting the message. There is also a mode without signing and encrypting. The settings of the Endpoint define which security options can be used by the client. The details of the possible settings are described in the class UaEndpoint.
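As an added illustration (not the SDK's own code; the UaEndpoint API is not reproduced here), the following stand-alone C++ models the two Endpoint settings and the server's check at OpenSecureChannel that a client's requested policy/mode pair is one the Endpoint offers. The SecurityPolicy URIs are those defined by the OPC UA specification; the type and function names are constructed for this example.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Endpoint security settings as described above: SecurityPolicy (by URI)
// plus MessageSecurityMode. Names are constructed for this example.
enum class MessageSecurityMode { None, Sign, SignAndEncrypt };

struct SecuritySetting {
    std::string policyUri;
    MessageSecurityMode mode;
};

// SecurityPolicy URIs defined by the OPC UA specification (Part 7).
const std::string kPolicyNone = "http://opcfoundation.org/UA/SecurityPolicy#None";
const std::string kPolicyBasic256Sha256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256";

// OPC UA pairs MessageSecurityMode None only with SecurityPolicy None; any
// other policy must at least sign the messages.
bool isConsistent(const SecuritySetting& s) {
    return (s.policyUri == kPolicyNone) == (s.mode == MessageSecurityMode::None);
}

// The server-side decision at OpenSecureChannel: does the client's requested
// (policy, mode) pair match a consistent setting the Endpoint offers?
bool endpointAccepts(const std::vector<SecuritySetting>& endpoint,
                     const std::string& policyUri, MessageSecurityMode mode) {
    for (const SecuritySetting& s : endpoint)
        if (isConsistent(s) && s.policyUri == policyUri && s.mode == mode)
            return true;
    return false;
}

// Hardening check: a setting with mode None lets clients talk without
// signing or encryption, so a configuration review should flag it.
bool offersUnsecuredMode(const std::vector<SecuritySetting>& endpoint) {
    for (const SecuritySetting& s : endpoint)
        if (s.mode == MessageSecurityMode::None) return true;
    return false;
}

int main() {
    std::vector<SecuritySetting> endpoint = {
        {kPolicyBasic256Sha256, MessageSecurityMode::SignAndEncrypt},
        {kPolicyBasic256Sha256, MessageSecurityMode::Sign}};
    std::cout << "accepts Basic256Sha256/SignAndEncrypt: "
              << endpointAccepts(endpoint, kPolicyBasic256Sha256, MessageSecurityMode::SignAndEncrypt)
              << "\noffers unsecured mode: " << offersUnsecuredMode(endpoint) << '\n';
    return 0;
}
```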