OPC UA provides options to take care of security aspects while exchanging data. The security level is specified via so-called security policies. The following options exist as security policy:
- None: no security measures taken
This is already implemented in the OPC UA adapter by choosing unauthenticated under access mode.
- Sign (username & password): integrity and authenticity are ensured via user authentication and authorization.
This is already implemented in the OPC UA adapter by choosing Username/Password under access mode.
- SignAndEncrypt: Additionally, confidentiality is ensured. Identification of the user is done via an X.509 certificate.
This is not yet implemented.
There are three different options for handling certificate management on the OPC UA server:
- Self-signed certificates and trust-list mechanism
  - Easy and flexible
  - Each certificate has to be registered at each server and added to its trust list to allow a connection
  - Only recommended for smaller OPC UA setups
- Public key infrastructure (PKI) and trust-list mechanism
  - The trust list contains only root certificates
  - New servers or clients get a certificate from the PKI that can be validated via the root certificate
- Certificate Manager (OPC UA component)
  - Enables not only provisioning of certificates but also renewal and revocation of certificates
  - Not specified in the OPC UA standard -> product specific
To establish an encrypted connection to the OPC UA server, the following preconditions have to be met:
- The client certificate is included in the server's trust list
- The certificate and its private key are available to establish the connection
Possibilities to test:
- Eclipse Milo supports encrypted communication via self-signed certificates and the trust-list mechanism. The demo server allows certificates to be added to the trust list via upload (http://milo.digitalpetri.com/)
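As an added illustration (not code from this page, StreamPipes or the Eclipse Milo project), the two preconditions above expressed as a Milo client that connects with SignAndEncrypt and identifies the user with the same X.509 certificate. It assumes the Milo 0.6.x client SDK and a PKCS#12 keystore holding the client certificate and private key; the endpoint URL, keystore path, password, alias and application URI are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.eclipse.milo.opcua.sdk.client.OpcUaClient;
import org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfig;
import org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider;
import org.eclipse.milo.opcua.stack.client.DiscoveryClient;
import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
import org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode;
import org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription;
public class SignAndEncryptClient {
    // Placeholder values (assumptions, not from the page): adjust to your setup.
    static final String ENDPOINT_URL = "opc.tcp://localhost:12686/milo";
    static final String KEYSTORE_PATH = "client.p12";
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    static final String KEY_ALIAS = "client";
    public static void main(String[] args) throws Exception {
        // Precondition 2: client certificate and private key are present locally (PKCS#12 keystore).
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(KEYSTORE_PATH))) {
            ks.load(in, KEYSTORE_PASSWORD);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(KEY_ALIAS);
        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, KEYSTORE_PASSWORD);
        // Discover the server's endpoints and accept only SignAndEncrypt; never fall back to None.
        EndpointDescription secure = DiscoveryClient.getEndpoints(ENDPOINT_URL).get().stream()
            .filter(e -> e.getSecurityMode() == MessageSecurityMode.SignAndEncrypt)
            .filter(e -> SecurityPolicy.Basic256Sha256.getUri().equals(e.getSecurityPolicyUri()))
            .findFirst()
            .orElseThrow(() -> new IllegalStateException("server offers no SignAndEncrypt endpoint"));
        OpcUaClientConfig config = OpcUaClientConfig.builder()
            .setApplicationName(LocalizedText.english("StreamPipes OPC UA adapter (example)"))
            .setApplicationUri("urn:example:streampipes:opcua-client") // must match the cert's URI SAN
            .setEndpoint(secure)
            .setCertificate(cert)                               // application instance cert: secure channel
            .setKeyPair(new KeyPair(cert.getPublicKey(), key))
            .setIdentityProvider(new X509IdentityProvider(cert, key)) // user identity via X.509
            .build();
        // Precondition 1: the server completes the handshake only if this certificate is in its trust list.
        OpcUaClient client = OpcUaClient.create(config);
        client.connect().get();
        client.disconnect().get();
    }
}
```

If the certificate has not been uploaded to the server's trust list, the secure channel is rejected before any session is created, which is the expected failure mode to test against the demo server.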
Next steps:
- Establish an encrypted connection via UA Expert with the Milo demo server
- Implement the functionality with Eclipse Milo in StreamPipes
References:
- https://github.com/digitalpetri/opc-ua-demo-server
- https://github.com/apache/plc4x/tree/develop/plc4j/integrations/opcua-server/src/main/java/org/apache/plc4x/java/opcuaserver
- Schleipen, Miriam (2020): Praxishandbuch OPC UA. Grundlagen-Implementierung-Nachrüstung-Praxisbeispiele