OPCDA.NET-UA
UA Security

The UA security concept is explained in the document "The OPC UA Security Model for Administrators v1.00.pdf". This document is included in the OPCDA.NET-UA distribution.

UA security is based on X.509 certificates.
Each UA server and client application requires a certificate that carries the ApplicationUri of the application. Some UA servers can be configured to disable certificate validation. In that mode any valid certificate is accepted; it does not have to match the application.

OPCDA.NET-UA has properties, methods and handlers that control the certificate handling. See UA Server Access for details.


Self-signed certificates can be created with the uaPLUS UaClientConfigHelper utility.
OPCDA.NET-UA maintains certificates in the Windows certificate store.
By default the certificates are in the stores LocalMachine\UA Applications and LocalMachine\Trusted UA Applications.
The stores are defined in the application's UA configuration and can be changed if necessary.

The UaClientConfigHelper utility creates certificates and imports them into the stores defined in the configuration.
With the server and client on the same machine, the certificates are in the right place when they are created or imported with the Advosol UaServerConfigHelper and UaClientConfigHelper utilities.

With server and client on different machines the following steps are required:

  1. On the UA client machine, create a certificate for the client application with the UaClientConfigHelper utility. It automatically exports the created certificate into a .DER (or .CER) file in the directory of the utility executable.
  2. Copy the client certificate .DER file to the server machine and import it according to the UA server documentation (for Advosol UA servers, with the UaServerConfigHelper utility).
  3. Copy the UA server .DER certificate file to the client machine and import it with the UaClientConfigHelper utility.


OPCDA.NET-UA stores untrusted certificates it receives from the server in the store defined in the UA configuration settings for rejected certificates (default: LocalMachine\Rejected UA Certificates). Instead of importing the server certificate before the server is connected, the rejected certificate can be copied into the trusted store after a failed connect. The UaClientConfigHelper utility has an option (button) to copy the certificate.
Note: The certificates must be configured for the Windows store type.
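The rejected store collects whatever certificate the last connect attempt presented, so before copying one into the trusted store it is worth checking that it really is the expected server's certificate. The following PowerShell script is an added example, not part of the OPCDA.NET-UA documentation or of Advosol's utilities; it assumes the default store names above and uses placeholder values for the expected thumbprint and ApplicationUri, which you take from the server's own configuration.

```powershell
# Added example, not from the OPCDA.NET-UA documentation or Advosol's utilities.
# Assumes the default store names from the client's UA configuration; run elevated.
$RejectedStore = 'Rejected UA Certificates'
$TrustedStore  = 'Trusted UA Applications'
# Constructed placeholders: take the real values from the server's configuration.
$ExpectedThumbprint     = 'REPLACE_WITH_SERVER_CERTIFICATE_THUMBPRINT'
$ExpectedApplicationUri = 'urn:REPLACE:WITH:SERVER:APPLICATIONURI'

function Get-UaApplicationUri {
    # The ApplicationUri is carried as a URI entry in the Subject Alternative Name
    # extension (OID 2.5.29.17); Windows renders such entries as "URL=...".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*URL=(.+)$') { return $Matches[1].Trim() }
    }
    return $null
}

# 1. List what the last failed connect left in the rejected store.
$rejected = @(Get-ChildItem -Path "Cert:\LocalMachine\$RejectedStore")
foreach ($cert in $rejected) {
    $uri = Get-UaApplicationUri $cert
    '{0}  {1}  expires {2:u}  ApplicationUri={3}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $uri
}

# 2. Trust only the certificate whose thumbprint and ApplicationUri match the server.
$match = $rejected | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint } | Select-Object -First 1
if (-not $match) { throw "No rejected certificate with thumbprint $ExpectedThumbprint" }
if ((Get-UaApplicationUri $match) -ne $ExpectedApplicationUri) {
    throw "ApplicationUri in the certificate does not match the expected server"
}
if ($match.NotAfter -lt (Get-Date)) { throw "Server certificate has expired" }

# 3. Copy it into the trusted store (what the UaClientConfigHelper copy option does).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($TrustedStore, 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($match)
$store.Close()
"Trusted $($match.Subject) ($($match.Thumbprint))"
```

Writing to a LocalMachine store requires an elevated session; the listing step alone works without one.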



The Windows certificate manager can be used to check and maintain the certificates beyond the capabilities of the UaServerConfigHelper utility.

Copyright © 2020 Advosol Inc. All Rights Reserved.