Introduction
The BMENUA0100 module embedded OPC UA server stack supports both discovery and security services.
To connect to the OPC UA server in the BMENUA0100 module, an OPC UA client requires information describing the server, including its network address, protocol, and security settings. OPC UA defines a set of discovery features a client can use to obtain this information.
The information needed to establish a connection between an OPC UA client and an OPC UA server is stored in an endpoint. An OPC UA server can possess several endpoints, each containing:
- Endpoint URL (network address and protocol), for example:
  - For IPv4: opc.tcp://172.21.2.30:4840, where:
    - opc.tcp = protocol
    - 172.21.2.30 = IPv4 address
    - 4840 = opcua-tcp port number configured in Control Expert
  - For IPv6: opc.tcp://[2a01:cb05:431:f00:200:aff:fe02:a0a]:50000, where:
    - opc.tcp = protocol
    - [2a01:cb05:431:f00:200:aff:fe02:a0a] = IPv6 address
    - 50000 = opcua-tcp port number configured in Control Expert
- Security Policy (including a set of security algorithms and key length)
- Message Security Mode (security level for exchanged messages)
- User Token Type (server-supported types of user authentication)
One or more OPC UA servers can exist. In the case of multiple servers, a discovery server can be used to provide information regarding each server. Individual servers can register with the discovery server. Clients can request a list of some or all of the available servers from the discovery server and use the GetEndpoints service to acquire connection information from an individual server.
The BMENUA0100 module supports several discovery and security services, including:
- Discovery Service Set
- SecureChannel Service Set
- Session Service Set
The decision to enable or disable services depends on the cybersecurity policy you decide to implement for the server.
Discovery Service Set
The BMENUA0100 OPC UA server stack supports the Discovery Service Set, which is incorporated in the Core 2017 Server Facet. As implemented in the BMENUA0100 module, the supported services include:
- FindServers: As implemented in the BMENUA0100 module OPC UA server stack, this service finds only the servers on the local OPC UA server.
- GetEndpoints: Returns the Endpoints supported by a server and all of the configuration information required to establish a SecureChannel and a Session. It can return a filtered list of Endpoints, based on profiles.
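The following added example (not Schneider Electric code) shows how a defender could review the endpoint descriptions a GetEndpoints call returns: it parses each endpoint URL, including the bracketed IPv6 form, and flags endpoints whose Security Policy, Message Security Mode or User Token Type is weak. The dictionary layout, the function names and the sample endpoints are assumptions constructed for illustration; the policy URIs, security modes and token type names are the standard OPC UA ones.

```python
from urllib.parse import urlsplit

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
# Policy URIs the OPC Foundation has deprecated.
DEPRECATED = {POLICY_BASE + "Basic128Rsa15", POLICY_BASE + "Basic256"}

def parse_endpoint_url(url):
    """Return (protocol, host, port); urlsplit strips the IPv6 brackets."""
    parts = urlsplit(url)
    if parts.scheme != "opc.tcp" or not parts.hostname or parts.port is None:
        raise ValueError(f"not a complete opc.tcp endpoint URL: {url!r}")
    return parts.scheme, parts.hostname, parts.port

def audit_endpoint(ep):
    """Return the findings for one endpoint description (hypothetical dict layout)."""
    parse_endpoint_url(ep["url"])  # reject malformed URLs early
    findings = []
    if ep["mode"] == "None" or ep["policy"] == POLICY_BASE + "None":
        findings.append("messages are neither signed nor encrypted")
    elif ep["mode"] == "Sign":
        findings.append("messages are signed but not encrypted")
    if ep["policy"] in DEPRECATED:
        findings.append("deprecated security policy")
    if "Anonymous" in ep["tokens"]:
        findings.append("anonymous sessions accepted")
    return findings

def audit(endpoints):
    """Map endpoint index -> findings, omitting endpoints with none."""
    report = {}
    for index, ep in enumerate(endpoints):
        findings = audit_endpoint(ep)
        if findings:
            report[index] = findings
    return report

# Constructed sample, not output captured from a BMENUA0100 module.
SAMPLE_ENDPOINTS = [
    {"url": "opc.tcp://172.21.2.30:4840", "policy": POLICY_BASE + "None",
     "mode": "None", "tokens": ["Anonymous"]},
    {"url": "opc.tcp://172.21.2.30:4840", "policy": POLICY_BASE + "Basic256Sha256",
     "mode": "SignAndEncrypt", "tokens": ["UserName"]},
    {"url": "opc.tcp://[2a01:cb05:431:f00:200:aff:fe02:a0a]:50000",
     "policy": POLICY_BASE + "Basic128Rsa15", "mode": "Sign", "tokens": ["UserName"]},
]

if __name__ == "__main__":
    for index, findings in audit(SAMPLE_ENDPOINTS).items():
        print(SAMPLE_ENDPOINTS[index]["url"], "->", "; ".join(findings))
```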
SecureChannel Service Set
The BMENUA0100 OPC UA server stack supports the SecureChannel Service Set, which includes the following services:
- OpenSecureChannel: Opens or renews a SecureChannel that provides confidentiality and integrity for the exchange of messages during a session. This Service requires the OPC UA server stack to apply the various security algorithms to the messages as they are sent and received.
- CloseSecureChannel: Terminates a SecureChannel.
Session Service Set
The BMENUA0100 OPC UA server stack supports the Session Service Set, which is incorporated in the Core 2017 Server Facet. As implemented in the BMENUA0100 module, the supported services include:
- CreateSession: After creating a SecureChannel with the OpenSecureChannel service, a client uses this service to create a session. The server returns two values which uniquely identify the session:
  - A sessionId, which is used to identify the session in the audit logs and in the server's AddressSpace.
  - An authenticationToken, which is used to associate an incoming request with a session.
- ActivateSession: Used by the client to specify the identity of the user associated with the session. It cannot be used to change the session user.
- CloseSession: Terminates a session.
The Application Certificate and Nonce are optional.
The signatures are null/empty.