Overview

This example shows how to register the server application at a Global Discovery Server (GDS) and receive and use a signed certificate and a trust list managed by the GDS.

When implementing the Push Management, the GDS will be responsible for updating the server certificate and trust list. When implementing the Pull Management, the server itself is responsible for getting the certificate and the trust list from the GDS.

Attention: The application instance certificate of the GDS must get accepted by the server application.

Note: A running Global Discovery Server must be available. This tutorial shows the usage of UaGDS (https://www.unified-automation.com/products/ua-runtime-software/uagds.html).

Push Management

Configure SecurityAdmin

The GDS application must be elevated as SecurityAdmin to be able to push a certificate or a trust list to the server. The Role assignment to a specific user or the GDS application shall be configured in the RoleConfiguration file.

When specifying a user, the user credentials must be known by the GDS. The credentials can be set in the GDS Configuration Tool. Alternatively the Role SecurityAdmin can be assigned to GDS application. In this case the server ApplicationUri of the GDS must be known on server side.

<Role Name="SecurityAdmin" NodeId="i=15704">
  <Identities>
    <Identity CriteriaType="UserName">joe</Identity>
    <Identity CriteriaType="Application">APPLICATIONURI_OF_GDS</Identity>
  </Identities>
</Role>

Register Server with GDS Configuration Tool

The Push Configuring the servers is described in the documentation of the GDS.

The data entered in "Step 3: Configure Push" is dependent on the role configuration. If the GDS application gets the SecurityAdmin Role by its ApplicationUri, the Authentication Settings can be set to Anonymous.

Self Registration

The server application can register itself at the GDS using the class GdsRegisterManagement. An instance of this class shall be set at ApplicationInstanceBase.GdsHandler before the application has been started. Additionally the EndpointUrl of the GDS has to be set in the application settings of the server application.

The class GdsRegisterManagement has several EventHandlers that can be implemented by the application.

                var gdsHandler = new UnifiedAutomation.UaClient.GdsRegisterManagement(application);
                gdsHandler.ApplicationRegistered += (s, e) =>
                {
                    Console.WriteLine($"Application registered at GDS. ApplicationId {e.ApplicationId}, Mode {e.RegisteredApplicationMode}.");
                    Console.WriteLine("Check if registration must be accepted in GDS Configuration Tool and GDS Model shall be changed to \"Push Model\".");
                };
                application.GdsHandler = gdsHandler;

<Extension>
  <GdsSettings xmlns="http://unifiedautomation.com/schemas/2011/12/Application.xsd">
    <GdsDiscoveryUrl>opc.tcp://localhost:48060</GdsDiscoveryUrl>
  </GdsSettings>
</Extension>

After the server has been started for the first time, the server application will be visible in the Pending List in the GDS Configuration Tool. After accepting the registration the GDS Model can be changed to "Push Model".

Accept application in pending list for application registration

Change Gds Model to Push Model

Note: The class GdsRegisterManagement is implemented in UnifiedAutomation.UaClient. So you need to add this NuGet package to your VS project.

Pull Management

The server application can register itself at the GDS and do the complete GDS handling itself using the class GdsPullManagement. An instance of this class shall be set at ApplicationInstanceBase.GdsHandler before the application has been started. Additionally the EndpointUrl of the GDS has to be set in the application settings of the server application.

The class GdsPullManagement has several EventHandlers that can be implemented by the application.

                var gdsHandler = new UnifiedAutomation.UaClient.GdsPullManagement(application);
                gdsHandler.NewCertificate += (s, e) =>
                {
                    // The new certificate will be used by the server after the transport listeners have been re-initialized.
                    server.RestartTransportListeners();
                    Console.WriteLine("Certificate signed by GDS assigned. Restarting server.");
                };
                gdsHandler.ApplicationRegistered += (s, e) =>
                {
                    Console.WriteLine($"Application registered at GDS. ApplicationId {e.ApplicationId}, Mode {e.RegisteredApplicationMode}");
                    Console.WriteLine("Check if registration must be accepted in GDS Configuration Tool.");
                };
                gdsHandler.SignCertificateFailed += (s, e) => { Console.WriteLine($"Sign certificate failed with message {e.Exception}."); };
                gdsHandler.TrustListUpdated += (s, e) => { Console.WriteLine("TrustList updated"); };
                application.GdsHandler = gdsHandler;

<Extension>
  <GdsSettings xmlns="http://unifiedautomation.com/schemas/2011/12/Application.xsd">
    <GdsDiscoveryUrl>opc.tcp://localhost:48060</GdsDiscoveryUrl>
  </GdsSettings>
</Extension>

After the server has been started for the first time, the server application will be visible in the Pending Lists for applications to register and certificate signing requests in the GDS Configuration Tool. After accepting both, the server will receive a new certificate and trust list.

Note: If the server gets a new certificate from the GDS its endpoints have to re-initialized. This can be implemented with the NewCertificate EventHandler.