OPC UA Authentication and Message Encryption
The OPC UA standard provides a multi-layered security model for confidentiality, integrity, and authenticity of communications between clients and servers. The security model is based on three main mechanisms: encryption, authentication, and authorization.
Message Security Modes
Messages exchanged between an OPC UA client and server use one of these security modes, listed in descending order of protection, with SignAndEncrypt having the highest security level:

SignAndEncrypt: Messages are signed by the sender, so the receiver can verify their origin and detect tampering, and the message body is encrypted, so its contents stay confidential in transit.
Sign: Messages are signed by the sender, so origin and integrity can be verified, but they are not encrypted. Anyone who can observe the network can read the data being exchanged.
None: Messages are neither signed nor encrypted. They are sent in clear text, and the receiver cannot tell whether they were altered or who sent them. Use this mode only on a network you fully trust.
Channel Security Policies
Encryption and signing of messages use industry-standard cryptographic schemes. A Channel Security Policy names the specific set of algorithms: an asymmetric (RSA) scheme that protects the exchange used to open the secure channel, and the symmetric cipher and hash (AES and SHA-256) whose keys are derived from that exchange and then used to encrypt and sign every message that follows. The policy name encodes these choices; for example, Aes256_Sha256_RsaPss uses AES-256 for message encryption, SHA-256 for message signatures, and RSA-PSS for the asymmetric signatures. The Channel Security Policies currently supported in Industrial Communication Toolbox™ are listed here in descending order, with Aes256_Sha256_RsaPss having the highest security level:

"Aes256_Sha256_RsaPss"
"Basic256Sha256"
"Aes128_Sha256_RsaOaep"
"None"

The "None" policy specifies no algorithms at all. It can be combined only with the None Message Security Mode and provides no protection.
When setting up a connection between the OPC UA client and OPC UA server, the two parties exchange Application Instance Certificates. Each side uses the other's certificate to verify who it is talking to and to protect the opening of the secure channel from which the message signing and encryption keys are derived. These certificates are checked against a certificate trust list, which is maintained either by system administrators or by an organization. Each application uses its list to verify that connections are made to the correct server from the correct client, so the server must trust the client's certificate just as the client must trust the server's. Industrial Communication Toolbox accepts a connection to a server only if the server's certificate is included in the OPC UA client's trusted certificate store when the connection is established. For more information, see OPC UA Certificate Management.
User Authentication
A server can use user authentication to restrict access to server features for specific users. Industrial Communication Toolbox supports the following user authentication options:

Anonymous: No username is required. Some servers do not allow anonymous user authentication.
Username: A username and password combination authenticates the user making the connection.
Certificate: A User Certificate (in the X.509 standard) authenticates the user. Before connecting, share the certificate (which carries the public key) with the server. To establish the connection, provide the certificate, the private key, and the password protecting the private key. Clear (passwordless) private keys are not supported by the toolbox.
Servers normally support more than one security model for clients to use. The security models a server supports are described through the endpoints it exposes. Each endpoint defines one Channel Security Policy, the allowable Message Security Modes, and the supported User Authentication types. To use a specific endpoint, the client connects to the endpoint URL provided in the endpoints list and specifies the Message Security Mode to use. Choose the most secure endpoint the server offers rather than the first one listed: a server that exposes a None/None endpoint alongside secured ones lets a carelessly configured client connect with no protection at all.
You query the available endpoints of a server using opcuaserverinfo, or by constructing an OPC UA client with opcua. You can set the security model while constructing the client using the name-value arguments MessageSecurityMode and ChannelSecurityPolicy, or configure the security model for that connection using setSecurityModel. You pass the user credentials when you connect to the server using the connect function.
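The following is an added example, not code from the toolbox or from this page, showing the endpoint choice a cautious client should make from a server's endpoint list: rank endpoints by the Channel Security Policy and Message Security Mode orderings given above, require the user authentication type you intend to use, and refuse any endpoint whose server certificate is not on the client's trust list. The endpoint records, certificate bytes and trust list are constructed inline so it runs offline; the security policy URIs are the OPC Foundation's, while the rank values, the `Endpoint` class and the SHA-1 thumbprint comparison are this example's own choices.

```python
"""Pick the most secure acceptable OPC UA endpoint from a server's endpoint list.
All endpoint records and certificate bytes below are constructed sample data."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Security policy URIs as defined by the OPC Foundation, ranked in the order the
# toolbox documentation gives (strongest first). Unknown URIs are never accepted.
PFX = "http://opcfoundation.org/UA/SecurityPolicy#"
POLICY_RANK = {
    PFX + "Aes256_Sha256_RsaPss": 3,
    PFX + "Basic256Sha256": 2,
    PFX + "Aes128_Sha256_RsaOaep": 1,
    PFX + "None": 0,
}
MODE_RANK = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}


@dataclass(frozen=True)
class Endpoint:
    url: str
    policy_uri: str
    mode: str
    user_tokens: tuple          # user authentication types the endpoint accepts
    server_cert_der: bytes      # the server's Application Instance Certificate (DER)


def thumbprint(cert_der: bytes) -> str:
    """SHA-1 thumbprint of a DER certificate; OPC UA trust lists identify
    certificates by this value."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def is_trusted(cert_der: bytes, trusted: Iterable[str]) -> bool:
    """True if the certificate's thumbprint is in the client's trust list."""
    tp = thumbprint(cert_der)
    # constant-time comparison so a near-miss thumbprint does not leak timing
    return any(hmac.compare_digest(tp, t) for t in trusted)


def select_endpoint(endpoints, trusted, wanted_token="UserName",
                    min_mode="SignAndEncrypt") -> Optional[Endpoint]:
    """Return the strongest endpoint that meets every requirement, else None."""
    usable = []
    for ep in endpoints:
        if ep.policy_uri not in POLICY_RANK or ep.mode not in MODE_RANK:
            continue                        # unknown policy or mode: do not guess
        if POLICY_RANK[ep.policy_uri] == 0 and ep.mode != "None":
            continue                        # policy None cannot sign or encrypt
        if MODE_RANK[ep.mode] < MODE_RANK[min_mode]:
            continue                        # weaker than the caller will accept
        if wanted_token not in ep.user_tokens:
            continue                        # cannot authenticate the way we need
        if not is_trusted(ep.server_cert_der, trusted):
            continue                        # server certificate not in trust list
        usable.append(ep)
    if not usable:
        return None
    # strongest policy first, then strongest mode
    return max(usable, key=lambda e: (POLICY_RANK[e.policy_uri], MODE_RANK[e.mode]))


# Constructed sample data: these bytes stand in for real DER certificates.
GOOD_CERT = b"constructed DER bytes: server operated by us"
ROGUE_CERT = b"constructed DER bytes: server nobody vetted"
TRUST_LIST = {thumbprint(GOOD_CERT)}
URL = "opc.tcp://plc.example:4840"
SAMPLE_ENDPOINTS = [
    Endpoint(URL, PFX + "None", "None", ("Anonymous", "UserName"), GOOD_CERT),
    Endpoint(URL, PFX + "Basic256Sha256", "Sign", ("UserName",), GOOD_CERT),
    Endpoint(URL, PFX + "Aes128_Sha256_RsaOaep", "SignAndEncrypt",
             ("UserName", "Certificate"), GOOD_CERT),
    Endpoint(URL, PFX + "Basic256Sha256", "SignAndEncrypt", ("UserName",), GOOD_CERT),
    # strongest policy, but the certificate is not trusted
    Endpoint(URL, PFX + "Aes256_Sha256_RsaPss", "SignAndEncrypt", ("UserName",), ROGUE_CERT),
]


def demo() -> Optional[Endpoint]:
    """With the defaults, the Basic256Sha256/SignAndEncrypt endpoint is chosen."""
    return select_endpoint(SAMPLE_ENDPOINTS, TRUST_LIST)


if __name__ == "__main__":
    ep = demo()
    print("selected:", ep.policy_uri.rsplit("#", 1)[1], ep.mode, "at", ep.url)
```

Note that the untrusted Aes256_Sha256_RsaPss endpoint loses to a weaker policy with a trusted certificate: a strong cipher suite says nothing about who is on the other end of the channel. Lowering `min_mode` to "None" is the only way to reach the anonymous None/None endpoint, which keeps that decision explicit in the calling code.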