High Performance OPC UA Server SDK  1.7.1.383
GDS

The HPSDK server supports the PUSH model for GDS.

The PUSH model is described in Part 12 chapter 7.3 Push Management of the OPC UA specification.

The procedure is used to provide the HPSDK server with a certificate signed by the CA of the UaGDS client. In addition the UaGDS client provides the HPSDK server with a trustlist which contains the certificate chain.

The UaGDS client requests an encoded signing request from the HPSDK server. The method CreateSigningRequest is used for that purpose. The certificate which is created based on that signing request is then forwarded to the HPSDK server. The HPSDK server verifies the certificate and stores it until it is activated. The activation of the certificate is triggered by the UaGDS using the ApplyChanges method. The HPSDK server then replaces the previously used certificate with the new one.

The UaGDS has to make sure to update the trust list of the HPSDK server correctly so that the HPSDK server can verify its own certificate and the certificates of clients which connect using the UaGDS.

All GDS related methods require SecurityAdmin privileges to be called. The same privileges are required to access the certificate groups in the server configuration.

[Figure: GDS Push Management]

This chapter describes the steps to connect the HPSDK server to Unified Automation's UaGDS client.

Please see the following chapters to get more details about the configuration. Migration guide: Migration from 1.5.x to 1.6.0. Configuration: CAGroup Section, Endpoint Section (server only) and GDS Section (server only).

Start of the HPSDK server in provisioning mode.

The provisioning mode is described here: Provisioning Mode.

The server is set into provisioning mode using the "-g" argument. With provisioning mode activated, the server accepts all incoming certificates. This avoids having to manually trust the certificate of the UaGDS client. Starting the HPSDK server in normal mode is possible, too, but the certificate of the UaGDS client needs to be trusted manually in this case.

The provisioning mode is only possible if the trust list of the HPSDK server is empty.

Registration of the HPSDK server to the UaGDS client.

To connect the HPSDK server with the UaGDS client, the UaGDS Config Tool is used. Please see the documentation of the tool for more details.

Please follow the setup wizard to set the password for the root user and setup the certificate data. After finishing the wizard the following dialogue is displayed.

[Figure: Add Server using PUSH]

Within the dialogue please double click <Add Server with PUSH Model>. This opens a new wizard which guides you through the process to add the HPSDK server.

In step 2 of the wizard you need to provide credentials for user authentication. The provided user must be part of the SecurityAdmin role.

The UaGDS client will now provide the trust list as well as the new certificate to the HPSDK server.

After the procedure is finished the HPSDK server is added to the registered applications. The "Application Configuration" tab should look like the following example.

[Figure: Success]

Setup the UaExpert to use the UaGDS to connect to the HPSDK server

To use the UaGDS you need to register the UaExpert to the UaGDS. This is done using the "Settings" menu followed by "Manage Certificates". The following dialogue will pop up. Please choose the tab "GDS Server 1".

[Figure: Register at GDS]

Now choose the "GDS Configuration" tab to register to the UaGDS. On the tab, hit the "Register at GDS" button. This will open a dialogue which allows you to choose the UaGDS server you want to connect to.

The UaExpert is now connected to the UaGDS server. The details of the UaGDS server are now displayed.

[Figure: GDS server information]

The UaGDS Configuration tool now shows both the UaExpert and the HPSDK server as registered applications.

[Figure: GDS server information]

Connect the UaExpert to the HPSDK Demo Server using UaGDS

To connect to the server, the "Add Server" dialogue is used in the usual way. The important point is to choose the UaGDS Server as PKI Store.

[Figure: Connect using the GDS server]

Now hit the connect button and the UaExpert is connected to the HPSDK Server using the UaGDS server.

For more details please see the documentation of the UaExpert. https://documentation.unified-automation.com/uaexpert/1.6.2/html/index.html

The UaGDS documentation will follow in the future.

Notes for GDS used with static namespace 0

The GDS works with a static address space, too. An important difference is that the permissions and access rights cannot be set during the initialization procedure of the GDS for nodes belonging to namespace 0. The permissions must already be set correctly in the XML-file. The SDK prints a warning if the rights are not set as expected. This will not stop the SDK from starting. In the current version of the XML-file the permissions are not set. Because of this, the trustlist and certificate group objects are accessible not only to the SecurityAdmin. Therefore it is very important to set the permissions in the XML-file correctly.
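The following check is an added example, not part of the SDK or its documentation: it scans an XML file for GDS objects whose RolePermissions are missing or include roles other than SecurityAdmin. It assumes the XML-file uses the OPC UA UANodeSet schema and that the GDS objects carry the BrowseNames listed in `GDS_BROWSE_NAMES`; the sample input and its NodeIds are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"ua": "http://opcfoundation.org/UA/2011/03/UANodeSet.xsd"}
SECURITY_ADMIN = "i=15704"  # well-known SecurityAdmin role NodeId (namespace 0)
# Assumption: the GDS objects are identified by these BrowseNames.
GDS_BROWSE_NAMES = {"CertificateGroups", "DefaultApplicationGroup", "TrustList"}

# Constructed sample; NodeIds i=9000x are placeholders, not the SDK's XML file.
SAMPLE = """<UANodeSet xmlns="http://opcfoundation.org/UA/2011/03/UANodeSet.xsd">
  <UAObject NodeId="i=90001" BrowseName="CertificateGroups">
    <RolePermissions>
      <RolePermission Permissions="1">i=15704</RolePermission>
    </RolePermissions>
  </UAObject>
  <UAObject NodeId="i=90002" BrowseName="DefaultApplicationGroup"/>
  <UAObject NodeId="i=90003" BrowseName="TrustList">
    <RolePermissions>
      <RolePermission Permissions="1">i=15704</RolePermission>
      <RolePermission Permissions="1">i=15668</RolePermission>
    </RolePermissions>
  </UAObject>
  <UAObject NodeId="i=90004" BrowseName="Unrelated"/>
</UANodeSet>"""


def audit_gds_permissions(xml_text):
    """Return {NodeId: finding} for GDS objects not limited to SecurityAdmin."""
    findings = {}
    for node in ET.fromstring(xml_text).findall("ua:UAObject", NS):
        # BrowseName may carry a namespace prefix such as "0:TrustList".
        name = node.get("BrowseName", "").split(":")[-1]
        if name not in GDS_BROWSE_NAMES:
            continue
        roles = {rp.text.strip()
                 for rp in node.findall("ua:RolePermissions/ua:RolePermission", NS)
                 if rp.text}
        extra = sorted(roles - {SECURITY_ADMIN})
        if not roles:
            findings[node.get("NodeId")] = "no RolePermissions set"
        elif extra:
            findings[node.get("NodeId")] = "also granted to " + ", ".join(extra)
    return findings


if __name__ == "__main__":
    for node_id, finding in audit_gds_permissions(SAMPLE).items():
        print(node_id, finding)
```

The check only looks at which roles are listed, not at the permission bit mask granted to each role.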