The Cyberlogic OPC UA Server is a free software add-on to all Cyberlogic OPC Server Suite products. It gives OPC Unified Architecture (OPC UA) client applications access to Cyberlogic OPC Server data. Prior to installation, make sure that at least one of the Cyberlogic OPC Server Suite products is installed and that the Cyberlogic OPC Server is configured.
In order to achieve the best interoperability and performance, the Cyberlogic OPC UA Server supports the binary protocol (opc.tcp).
OPC UA was designed with security as one of the main pillars of its architecture. OPC UA security consists of authentication, authorization, encryption, and data integrity via digital signatures. For authentication, encryption and signatures, X.509 v3 certificates are used on both the server and the OPC UA client side. A username and password can also be used for authentication, and access to the server can be restricted to authorized users only.
A security policy specifies which security mechanisms are to be used. The OPC UA Server announces which mechanisms it supports, and the UA Client selects one to use with the secure channel it wishes to open or for the session-less connection it wishes to make. A security policy determines the algorithms for signing, encryption, and key derivation.
The choice of allowed security policies is normally made by the administrator during or right after the OPC UA applications are installed. Here are the security policies supported by the Cyberlogic OPC UA Server:
Authentication policies define the ways users are authenticated when UA clients connect to the server. Users can be authenticated by a username and password, or by a digital certificate. Authentication can also be disabled by selecting Anonymous. When a certificate is used for authentication, that certificate must also be trusted and placed on the Client Certificates list.
OPC UA provides user authorization based on the authenticated users. The Authorized Users list defines the users that have access to the server when username and password authentication is used.
OPC UA uses application authentication to let applications that intend to communicate identify each other. Each OPC UA application instance (client or server) is assigned a certificate (the Application Instance Certificate) that is exchanged during secure channel establishment. The receiver of the certificate checks whether it trusts the certificate and, based on this check, accepts or rejects the request or response message from the sender.
The OPC UA server has a single Application Instance Certificate, which it uses to identify itself to client applications. It is also used for signing and/or encrypting messages. To simplify discovery of the server by UA Clients, this certificate is typically registered with the Local Discovery Server (LDS).
Each OPC UA server keeps a list of Application Instance Certificates, one for each trusted client. These certificates are used when a security policy requires signed and/or encrypted messages. The Cyberlogic OPC UA Server also uses the same list to hold the certificates used for authenticating users.
The Client Certificates list is typically created by a system administrator. An administrator determines if the certificate is signed, validated and trustworthy before placing it in this list.
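As an added example (not Cyberlogic code), the following Go sketch models the receiver-side check described above: the server identifies a presented Application Instance Certificate by its SHA-1 thumbprint, the identifier OPC UA trust lists use, and accepts it only if that thumbprint is on the Client Certificates list and the certificate is inside its validity period. The certificate builder, its subject name and the trust-list map are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint is the hex SHA-1 of the DER certificate, as OPC UA trust lists identify certificates.
func Thumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

// CheckClient is the server's decision on a certificate received during secure channel
// establishment. trusted models the Client Certificates list keyed by thumbprint; the
// request is rejected unless the certificate parses, is on the list and is in date.
func CheckClient(trusted map[string]bool, der []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("malformed certificate: %w", err)
	}
	tp := Thumbprint(der)
	if !trusted[tp] {
		return fmt.Errorf("certificate %s is not on the Client Certificates list", tp)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate %s is outside its validity period", tp)
	}
	return nil
}

// NewAppInstanceCert builds a constructed self-signed certificate standing in for
// a client's Application Instance Certificate (test data, not a real client).
func NewAppInstanceCert(notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ConstructedUaClient"},
		NotBefore:    notAfter.Add(-48 * time.Hour),
		NotAfter:     notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // test data, error ignored
	return der
}
```

A certificate whose thumbprint the administrator never placed on the list is rejected even if it is otherwise well-formed and in date, which is the behaviour the Client Certificates list is meant to enforce.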