C++ Based OPC UA Client/Server/PubSub SDK  1.7.4.520
Security

Application Authentication

OPC UA requires mutual authentication of the Client and Server applications with X.509 application instance certificates whenever a secure communication connection is established with a SecurityPolicy other than None (with SecurityPolicy None no certificates are exchanged and no application authentication takes place). An application instance certificate uniquely identifies one installation or instance of an application. The Server application makes its application instance certificate available through the Discovery Service Set, as part of each EndpointDescription returned by GetEndpoints. The Client provides its application instance certificate in the OpenSecureChannel Service request. Each side validates the certificate it received against its own trust list before the SecureChannel is accepted.

The Server application instance certificate can be created as a self-signed certificate during the installation or start of the OPC UA Server. The PKI library provides the functionality to create and manage certificates.

As a second option, the Server application instance certificate can be provided by the administrator of the OPC UA Server. For this option the configuration tool of the Server needs to provide a way to replace the generated certificate or to change the name of the certificate that is used.

See Certificates, Certificate Store and Trust List in the general OPC UA introduction for background information regarding certificate management.

The ServerConfig interface is used to pass the certificate, the private key and the Endpoint Security Settings from the product-specific implementation to the Server SDK.

For user level authentication see User Authentication and Authorization.

Endpoint Security Settings

There are different security settings possible for an Endpoint. The first setting is the SecurityPolicy. The SecurityPolicy describes the set of algorithms and key lengths used to secure the SecureChannel between the client and server application; it is identified by a standardized URI such as http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256. See Security Policy in the OPC UA Introduction for more details on the available Security Policies.

The second setting is the Message Security Mode. It defines whether the messages exchanged between client and server are only signed (Sign) or signed and encrypted (SignAndEncrypt). There is also a mode without signing or encrypting (None), which provides neither integrity nor confidentiality; SecurityPolicy None can only be combined with Message Security Mode None, and any other SecurityPolicy requires Sign or SignAndEncrypt.

The settings of the Endpoint define which security options can be used by the client. A client that requests a combination of SecurityPolicy and Message Security Mode that the Endpoint does not offer is rejected when it tries to open the SecureChannel.
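The following is an added illustration of the two endpoint settings described above, written for this page and not taken from the SDK: it models an Endpoint as a list of SecurityPolicy/Message Security Mode entries, checks the spec rule that policy None pairs only with mode None, answers the server-side question "is this requested combination offered by the Endpoint?", and shows how a hardened client would pick the strongest offering. The SecurityPolicy URIs and the MessageSecurityMode values are the ones defined by the OPC UA specification; the struct names, the strength ranking and the sample endpoint are assumptions made here and are not the SDK's UaEndpoint API.

```cpp
// Added example for this page; not SDK code. Models OPC UA endpoint security settings
// and the checks a server and a client apply to them.
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// MessageSecurityMode values as defined by OPC UA Part 4.
enum class MessageSecurityMode : std::uint32_t {
    Invalid = 0,
    None = 1,
    Sign = 2,
    SignAndEncrypt = 3
};

// Standard SecurityPolicy URIs (OPC UA Part 7).
const std::string kPolicyNone = "http://opcfoundation.org/UA/SecurityPolicy#None";
const std::string kPolicyBasic128Rsa15 = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15";
const std::string kPolicyBasic256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256";
const std::string kPolicyBasic256Sha256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256";
const std::string kPolicyAes128Sha256RsaOaep = "http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep";
const std::string kPolicyAes256Sha256RsaPss = "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss";

// One (policy, allowed modes) entry of an endpoint. Hypothetical struct, not UaEndpointSecuritySetting.
struct SecuritySetting {
    std::string policyUri;
    std::vector<MessageSecurityMode> modes;
};

// Hypothetical endpoint model, not the SDK's UaEndpoint.
struct Endpoint {
    std::string url;
    std::vector<SecuritySetting> settings;
};

// Spec rule: policy None pairs only with mode None; any other policy needs Sign or SignAndEncrypt.
bool isConsistent(const SecuritySetting& s) {
    const bool policyNone = (s.policyUri == kPolicyNone);
    for (MessageSecurityMode m : s.modes) {
        if (m == MessageSecurityMode::Invalid) return false;
        const bool modeNone = (m == MessageSecurityMode::None);
        if (policyNone != modeNone) return false;
    }
    return !s.modes.empty();
}

// Server-side check on OpenSecureChannel: is the requested combination offered by this endpoint?
bool isAllowed(const Endpoint& ep, const std::string& policyUri, MessageSecurityMode mode) {
    for (const SecuritySetting& s : ep.settings) {
        if (s.policyUri != policyUri) continue;
        for (MessageSecurityMode m : s.modes) {
            if (m == mode) return true;
        }
    }
    return false;
}

// Basic128Rsa15 and Basic256 are deprecated by the specification (SHA-1 based).
bool isDeprecated(const std::string& policyUri) {
    return policyUri == kPolicyBasic128Rsa15 || policyUri == kPolicyBasic256;
}

// Illustrative strength ranking constructed for this example; the specification leaves the
// SecurityLevel of an endpoint to the server. 0 means None or an unknown policy.
int policyRank(const std::string& policyUri) {
    if (policyUri == kPolicyAes256Sha256RsaPss) return 5;
    if (policyUri == kPolicyAes128Sha256RsaOaep) return 4;
    if (policyUri == kPolicyBasic256Sha256) return 3;
    if (policyUri == kPolicyBasic256) return 2;
    if (policyUri == kPolicyBasic128Rsa15) return 1;
    return 0;
}

// Client-side selection: strongest non-deprecated policy, SignAndEncrypt preferred over Sign,
// never None. Returns {"", Invalid} if the endpoint offers nothing acceptable.
std::pair<std::string, MessageSecurityMode> selectMostSecure(const Endpoint& ep) {
    std::pair<std::string, MessageSecurityMode> best{"", MessageSecurityMode::Invalid};
    int bestScore = 0;
    for (const SecuritySetting& s : ep.settings) {
        if (!isConsistent(s) || isDeprecated(s.policyUri) || policyRank(s.policyUri) == 0) continue;
        for (MessageSecurityMode m : s.modes) {
            if (m == MessageSecurityMode::None) continue;
            const int score = policyRank(s.policyUri) * 10 + static_cast<int>(m);
            if (score > bestScore) {
                bestScore = score;
                best = std::make_pair(s.policyUri, m);
            }
        }
    }
    return best;
}

// Constructed sample endpoint: a typical mix of an open entry for discovery, a deprecated
// policy kept for legacy clients, and two current policies.
Endpoint sampleEndpoint() {
    return Endpoint{"opc.tcp://localhost:48010", {
        {kPolicyNone, {MessageSecurityMode::None}},
        {kPolicyBasic128Rsa15, {MessageSecurityMode::Sign, MessageSecurityMode::SignAndEncrypt}},
        {kPolicyBasic256Sha256, {MessageSecurityMode::Sign, MessageSecurityMode::SignAndEncrypt}},
        {kPolicyAes256Sha256RsaPss, {MessageSecurityMode::SignAndEncrypt}}
    }};
}
```

On the sample endpoint, selectMostSecure() returns Aes256_Sha256_RsaPss with SignAndEncrypt, isAllowed() confirms Basic256Sha256/Sign is offered but Aes256_Sha256_RsaPss/Sign is not, and isConsistent() rejects an entry that pairs None with Sign or a real policy with None. The deprecated entries are skipped on the client side even though the server still offers them, which is the usual way to keep a server reachable for old clients while new clients never negotiate down.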

See Security and Discovery in the general OPC UA introduction for background information for the Endpoint settings and security configuration.

The details of the possible settings in the SDK are described in the class UaEndpoint.

Continue with User Authentication and Authorization.