- OPC UA Local Discovery is a service provided by the OPC Foundation which lists all the OPC UA servers on a machine. It listens on port 4840
- OPC UA Security has several message security modes:
- 1: No security. The messages are neither signed nor encrypted
- 2: With security. The messages are signed but not encrypted
- 3: With security. The messages are signed and encrypted
So what does this mean?
- The OPC UA specification allows all of these types of communication. Yes, including 'no security'!
- However, an OPC UA server determines which ones are allowed.
- When a client connects to an OPC UA server, it has the option to request what level of security it wants to connect with.
- If 'No security' is used, this means:
- There is no encryption
- NO SSL CERTIFICATE IS NEEDED. The client does not need to present a cert
- The server will accept all clients (it will not verify the SSL cert)
- When an SSL cert is required, OPC UA requires that such a cert is validated.
- A thumbprint is a unique ID calculated by hashing the contents of the cert with SHA-1. It has 40 (hexadecimal) characters
- Validation is based on the Subject Name, which should be in the form 'DC=ComputerName,CN=ProgramName'. DC is distinguished name, CN is Common Name
- A client will need to scan the OPC UA server and determine which security policy it implements. OPC UA security policies:
http://opcfoundation.org/UA/SecurityPolicy#None
http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15 (Obsolete)
http://opcfoundation.org/UA/SecurityPolicy#Basic256 (Obsolete)
http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 [B]
http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep [A]
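As an added example (not part of these notes), the script below classifies the endpoints a server advertises by the security mode and policy listed above, and picks the one a client should request; the endpoint records are constructed to mimic the SecurityMode/SecurityPolicyUri fields of a GetEndpoints response, so it runs offline.

```python
"""Rank the endpoints an OPC UA server advertises by the security they offer.
Added example (not from the original notes): the endpoint records below are
constructed to mimic what a GetEndpoints response carries (MessageSecurityMode
1/2/3 and the SecurityPolicyUri). No network access is needed."""

MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
MODE_NAMES = {MODE_NONE: "None", MODE_SIGN: "Sign", MODE_SIGN_AND_ENCRYPT: "SignAndEncrypt"}

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
OBSOLETE_POLICIES = {"Basic128Rsa15", "Basic256"}                 # marked obsolete above
ACCEPTED_POLICIES = ["Aes128_Sha256_RsaOaep", "Basic256Sha256"]   # strongest first

def policy_name(uri):
    """Strip the common prefix: '...#Basic256Sha256' -> 'Basic256Sha256'."""
    return uri[len(POLICY_PREFIX):] if uri.startswith(POLICY_PREFIX) else uri

def classify(endpoint):
    """Return 'insecure', 'obsolete', 'ok' or 'unknown' for one endpoint."""
    name = policy_name(endpoint["policy"])
    if endpoint["mode"] == MODE_NONE or name == "None":
        return "insecure"      # plaintext transport, no client certificate checked
    if name in OBSOLETE_POLICIES:
        return "obsolete"
    if name in ACCEPTED_POLICIES:
        return "ok"
    return "unknown"           # a policy these notes do not cover

def pick_strongest(endpoints):
    """Endpoint a client should request: SignAndEncrypt over Sign, then the
    stronger policy. Returns None if only insecure/obsolete endpoints exist."""
    usable = [e for e in endpoints if classify(e) == "ok"]
    if not usable:
        return None
    return max(usable, key=lambda e: (e["mode"], -ACCEPTED_POLICIES.index(policy_name(e["policy"]))))

# Constructed sample of what one server might advertise.
SAMPLE_ENDPOINTS = [
    {"mode": MODE_NONE, "policy": POLICY_PREFIX + "None"},
    {"mode": MODE_SIGN, "policy": POLICY_PREFIX + "Basic256"},
    {"mode": MODE_SIGN, "policy": POLICY_PREFIX + "Basic256Sha256"},
    {"mode": MODE_SIGN_AND_ENCRYPT, "policy": POLICY_PREFIX + "Basic256Sha256"},
    {"mode": MODE_SIGN_AND_ENCRYPT, "policy": POLICY_PREFIX + "Aes128_Sha256_RsaOaep"},
]

if __name__ == "__main__":
    for e in SAMPLE_ENDPOINTS:
        print(MODE_NAMES[e["mode"]], policy_name(e["policy"]), classify(e))
    print("request:", pick_strongest(SAMPLE_ENDPOINTS))
```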
- OPC UA also allows authentication, typically authenticated against a Windows username and password.
- In the OPC UA tree, each item is called a NODE. A node can be of the following types; these are NODE TYPES (sometimes referred to as Node CLASS)
- Object = 1,
- AN OBJECT IS A BRANCH (YOU CANNOT SUBSCRIBE TO IT)
- Variable = 2,
- A VARIABLE CAN BE SUBSCRIBED TO. IT CAN ALSO BE A BRANCH
- Method = 4,
- A METHOD CAN BE CALLED
- ObjectType = 8,
- VariableType = 16,
- ReferenceType = 32,
- DataType = 64,
- View = 128,
- Each node, regardless of its type, will have attributes. The following attributes must exist in all node types:
- NodeId - Uniquely identifies a node in an OPC UA server and is used to address the node in the OPC UA services
- In OPC UA the NodeId is rather confusing. As in OPC Classic, the NodeId is a string; however, in OPC UA it is composed as follows:
- It first starts with a Namespace Index
- A value between 0-65535 (UShort)
- Normally the namespace is zero (meaning no namespace)
- Then the actual ID, which can be of 4 types:
- Numeric = 0 (unsigned integer UINT, ranging from 0 to 4 billion)
- String = 1
- Guid = 2 (a specific GUID)
- Opaque = 3 (an array of bytes)
- Fully Qualified Name
- Since this naming can be complicated, it is common to use a combined name which will look like the following:
- ns=<namespaceIndex>;<identifiertype>=<identifier>
- Identifier type can be:
- i NUMERIC (UInteger)
- s STRING (String)
- g GUID (Guid)
- b OPAQUE (ByteString)
- Specifying the Fully Qualified Name seems to be the common practice for OPC UA connectivity
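The following parser and formatter for the ns=<namespaceIndex>;<identifiertype>=<identifier> form is an added example, not code from these notes; it covers the four prefixes listed above (i, s, g, b), treats a missing ns= part as namespace 0, and assumes the OPC UA string convention that opaque (b=) identifiers are written in base64.

```python
"""Parse and build OPC UA NodeId strings: ns=<namespaceIndex>;<type>=<identifier>.
Added example, not from the original notes. Handles the four identifier prefixes
listed above (i, s, g, b); a missing ns= part means namespace 0. Opaque (b=)
identifiers are carried as base64 text, as in the OPC UA string form."""
import base64
import uuid
from dataclasses import dataclass

IDTYPE_NUMERIC, IDTYPE_STRING, IDTYPE_GUID, IDTYPE_OPAQUE = 0, 1, 2, 3
PREFIX_TO_TYPE = {"i": IDTYPE_NUMERIC, "s": IDTYPE_STRING, "g": IDTYPE_GUID, "b": IDTYPE_OPAQUE}
TYPE_TO_PREFIX = {v: k for k, v in PREFIX_TO_TYPE.items()}

@dataclass(frozen=True)
class NodeId:
    namespace: int        # UInt16 namespace index
    idtype: int           # one of the IDTYPE_* values
    identifier: object    # int, str, uuid.UUID or bytes depending on idtype

    def __str__(self):
        """Render the fully qualified name, e.g. 'ns=2;s=Temperature'."""
        ident = self.identifier
        if self.idtype == IDTYPE_OPAQUE:
            ident = base64.b64encode(ident).decode("ascii")
        return f"ns={self.namespace};{TYPE_TO_PREFIX[self.idtype]}={ident}"

def parse_nodeid(text):
    """Parse a NodeId string; raise ValueError on anything malformed."""
    namespace, body = 0, text.strip()
    if body.startswith("ns="):
        ns_part, sep, body = body.partition(";")
        if not sep:
            raise ValueError(f"missing identifier part in {text!r}")
        namespace = int(ns_part[3:])
        if not 0 <= namespace <= 65535:
            raise ValueError(f"namespace index outside UInt16 range: {namespace}")
    prefix, sep, ident = body.partition("=")
    if not sep or prefix not in PREFIX_TO_TYPE:
        raise ValueError(f"unknown identifier type in {text!r}")
    idtype = PREFIX_TO_TYPE[prefix]
    if idtype == IDTYPE_NUMERIC:
        value = int(ident)
        if not 0 <= value <= 0xFFFFFFFF:   # numeric ids are UInt32
            raise ValueError(f"numeric identifier outside UInt32 range: {value}")
    elif idtype == IDTYPE_GUID:
        value = uuid.UUID(ident)
    elif idtype == IDTYPE_OPAQUE:
        value = base64.b64decode(ident, validate=True)
    else:
        value = ident
    return NodeId(namespace, idtype, value)
```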
- NodeClass - An enumeration identifying the NodeClass of a Node such as Object, Variable or Method
- BrowseName - Identifies the Node when browsing the OPC UA server. It is not localized
- DisplayName - Contains the name of the node that should be used to display the name in a user interface.
- Nodes may have some additional attributes
- The Variable node type must have, in addition, the following values:
- Value - The actual value of the Variable. The data type of the value is specified by the DataType, ValueRank, and ArrayDimensions Attributes
- DataType - DataTypes are represented as Nodes in the Address Space. This Attribute contains a NodeId of such a Node and thus defines the DataType of the Value Attribute
- ValueRank - Identifies if the value is an array and when it is an array it allows specifying the dimensions of the array
- AccessLevel
- A bit mask indicating whether the current value of the Value Attribute is readable and writable as well as whether the history of the value is readable and changeable
- Readable = 1,
- Readable | Writable = 3
- UserAccessLevel - Contains the same information as the AccessLevel but takes user access rights into account
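As an added example (not from these notes), the script below decodes the AccessLevel bit mask and applies UserAccessLevel to it to list which Variable nodes the current user can actually write; it assumes the OPC UA AccessLevel bit values (CurrentRead=1, CurrentWrite=2, HistoryRead=4, HistoryWrite=8) and uses constructed sample nodes.

```python
"""Decode AccessLevel / UserAccessLevel bit masks and list the Variable nodes
the current user can actually write. Added example, not from the original
notes; the bit values are the OPC UA AccessLevel bits (CurrentRead=1,
CurrentWrite=2, HistoryRead=4, HistoryWrite=8) and the sample nodes are
constructed."""
CURRENT_READ, CURRENT_WRITE, HISTORY_READ, HISTORY_WRITE = 0x01, 0x02, 0x04, 0x08
FLAG_NAMES = [(CURRENT_READ, "CurrentRead"), (CURRENT_WRITE, "CurrentWrite"),
              (HISTORY_READ, "HistoryRead"), (HISTORY_WRITE, "HistoryWrite")]
NODECLASS_OBJECT, NODECLASS_VARIABLE, NODECLASS_METHOD = 1, 2, 4

def decode_access_level(mask):
    """Names of the bits set in an AccessLevel byte, e.g. 3 -> ['CurrentRead', 'CurrentWrite']."""
    return [name for bit, name in FLAG_NAMES if mask & bit]

def effective_access(access_level, user_access_level):
    """UserAccessLevel can only narrow AccessLevel: a bit counts if both grant it."""
    return access_level & user_access_level

def writable_variables(nodes):
    """NodeIds of Variable nodes whose effective access allows a current or
    history write. Objects and Methods have no Value attribute and are skipped."""
    found = []
    for node in nodes:
        if node["nodeclass"] != NODECLASS_VARIABLE:
            continue
        eff = effective_access(node["access"], node["user_access"])
        if eff & (CURRENT_WRITE | HISTORY_WRITE):
            found.append(node["nodeid"])
    return found

# Constructed sample: what reading attributes 2 (NodeClass), 17 and 18 might return.
SAMPLE_NODES = [
    {"nodeid": "ns=2;s=Line1", "nodeclass": NODECLASS_OBJECT, "access": 0, "user_access": 0},
    {"nodeid": "ns=2;s=Line1.Temperature", "nodeclass": NODECLASS_VARIABLE, "access": 1, "user_access": 1},
    {"nodeid": "ns=2;s=Line1.Setpoint", "nodeclass": NODECLASS_VARIABLE, "access": 3, "user_access": 3},
    {"nodeid": "ns=2;s=Line1.Limit", "nodeclass": NODECLASS_VARIABLE, "access": 3, "user_access": 1},
    {"nodeid": "ns=2;s=Line1.Start", "nodeclass": NODECLASS_METHOD, "access": 0, "user_access": 0},
]

if __name__ == "__main__":
    for node in SAMPLE_NODES:
        print(node["nodeid"], decode_access_level(effective_access(node["access"], node["user_access"])))
    print("writable:", writable_variables(SAMPLE_NODES))
```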
- The Attributes have attribute IDs
- 1 = NodeId
- 2 = NodeClass
- 3 = BrowseName (A non-localized, human readable name for the node)
- 4 = DisplayName (A localized, human readable name for the node)
- 5 = Description (A localized description for the node)
- 6 = WriteMask (Indicates which attributes are writeable)
- 7 = UserWriteMask (Indicates which attributes are writeable by the current user)
- 8 = IsAbstract (Indicates that a type node may not be instantiated)
- 9 = Symmetric (Indicates that forward and inverse references have the same meaning)
- 10= InverseName (The browse name for an inverse reference)
- 11= ContainsNoLoops (Indicates that following forward references within a view will not cause a loop)
- 12= EventNotifier (Indicates that the node can be used to subscribe to events)
- 13= Value (The value of a variable) MOST IMPORTANT!!!!!!
- 14= DataType (The node id of the data type for the variable value)
- 15= ValueRank (The number of dimensions in the value)
- 16= ArrayDimensions (The length for each dimension of an array value)
- 17= AccessLevel (How a variable may be accessed)
- 18= UserAccessLevel (How a variable may be accessed after taking the user's access rights into account)
- 19= MinimumSamplingInterval (Specifies (in milliseconds) how fast the server can reasonably sample the value for changes)
- 20= Historizing (Specifies whether the server is actively collecting historical data for the variable)
- 21= Executable (Whether the method can be called)
- 22= UserExecutable
- 23= DataTypeDefinition (Provides the metadata and encoding information for custom DataTypes)
- 24= Permissions (The permissions available for the node)
- 25= UserPermissions (The subset of permissions available for the current user)
- 26= RolePermissions (The permissions granted to roles)