BS EN IEC 62541-12:2020
$215.11
OPC unified architecture – Discovery and global services
Published By | Publication Date | Number of Pages |
---|---|---|
BSI | 2020 | 110 |
This part of IEC 62541 specifies how OPC Unified Architecture (OPC UA) Clients and Servers interact with DiscoveryServers when used in different scenarios. It specifies the requirements for the LocalDiscoveryServer, LocalDiscoveryServer-ME and GlobalDiscoveryServer. It also defines information models for Certificate management, KeyCredential management and Authorization Services.
PDF Catalog
PDF Pages | PDF Title |
---|---|
5 | Annex ZA (normative) Normative references to international publications with their corresponding European publications |
7 | English CONTENTS |
13 | FOREWORD |
15 | 1 Scope 2 Normative references |
16 | 3 Terms, definitions, abbreviated terms and conventions 3.1 Terms and definitions |
18 | 3.2 Abbreviated terms and symbols 3.3 Conventions for namespaces |
19 | 4 The discovery process 4.1 Overview Tables Table 1 – GDS NamespaceMetadataType Object definition |
20 | 4.2 Registration and announcement of Applications 4.2.1 Overview 4.2.2 Hosts with a LocalDiscoveryServer |
21 | 4.2.3 Hosts without a LocalDiscoveryServer 4.3 The discovery process for Clients to find Servers 4.3.1 Overview Figures Figure 1 – The Registration process with an LDS |
22 | 4.3.2 Security 4.3.3 Simple Discovery with a DiscoveryUrl 4.3.4 Local Discovery Figure 2 – The simple Discovery process |
23 | 4.3.5 MulticastSubnet Discovery Figure 3 – The Local Discovery process Figure 4 – The MulticastSubnet Discovery process |
24 | 4.3.6 Global Discovery 4.3.7 Combined Discovery Process for Clients Figure 5 – The Global Discovery process |
25 | 5 Local Discovery Server 5.1 Overview Figure 6 – The Discovery Process for Clients |
26 | 5.2 Security considerations for Multicast DNS 6 Global Discovery Server 6.1 Overview Figure 7 – The relationship between GDS and other components |
27 | 6.2 Network architectures 6.2.1 Overview 6.2.2 Single MulticastSubnet Figure 8 – The Single MulticastSubnet architecture |
28 | 6.2.3 Multiple MulticastSubnet 6.2.4 No MulticastSubnet Figure 9 – The Multiple MulticastSubnet architecture |
29 | 6.2.5 Domain Names and MulticastSubnets Figure 10 – The No MulticastSubnet architecture |
30 | 6.3 Information Model 6.3.1 Overview 6.3.2 Directory 6.3.3 DirectoryType Figure 11 – The Address Space for the GDS Table 2 – Directory Object definition |
31 | 6.3.4 FindApplications Table 3 – DirectoryType definition |
32 | 6.3.5 ApplicationRecordDataType Table 4 – FindApplications Method AddressSpace definition |
33 | 6.3.6 RegisterApplication Table 5 – ApplicationRecordDataType definition |
34 | 6.3.7 UpdateApplication Table 6 – RegisterApplication Method AddressSpace definition |
35 | 6.3.8 UnregisterApplication 6.3.9 GetApplication Table 7 – UpdateApplication Method AddressSpace definition Table 8 – UnregisterApplication Method AddressSpace definition |
36 | 6.3.10 QueryApplications Table 9 – GetApplication Method AddressSpace definition |
38 | 6.3.11 QueryServers (deprecated) Table 10 – QueryApplications Method AddressSpace definition |
39 | 6.3.12 ApplicationRegistrationChangedAuditEventType Table 11 – QueryServers Method AddressSpace definition |
40 | 7 Certificate management overview 7.1 Overview Table 12 – ApplicationRegistrationChangedAuditEventType definition |
41 | 7.2 Pull Management 7.3 Push management Figure 12 – The Pull Certificate management model |
42 | 7.4 Provisioning Figure 13 – The Push Certificate management model |
43 | 7.5 Common Information Model 7.5.1 Overview 7.5.2 TrustListType |
44 | 7.5.3 OpenWithMasks Table 13 – TrustListType definition |
45 | 7.5.4 CloseAndUpdate Table 14 – OpenWithMasks Method AddressSpace definition |
46 | 7.5.5 AddCertificate Table 15 – CloseAndUpdate Method AddressSpace definition Table 16 – AddCertificate Method AddressSpace definition |
47 | 7.5.6 RemoveCertificate 7.5.7 TrustListDataType Table 17 – RemoveCertificate Method AddressSpace definition Table 18 – TrustListDataType definition |
48 | 7.5.8 TrustListMasks 7.5.9 TrustListOutOfDateAlarmType 7.5.10 CertificateGroupType Table 19 – TrustListMasks values Table 20 – TrustListOutOfDateAlarmType definition |
49 | 7.5.11 CertificateType Table 21 – CertificateGroupType definition |
50 | 7.5.12 ApplicationCertificateType 7.5.13 HttpsCertificateType 7.5.14 UserCredentialCertificateType Table 22 – CertificateType definition Table 23 – ApplicationCertificateType definition Table 24 – HttpsCertificateType definition |
51 | 7.5.15 RsaMinApplicationCertificateType 7.5.16 RsaSha256ApplicationCertificateType 7.5.17 CertificateGroupFolderType Table 25 – UserCredentialCertificateType definition Table 26 – RsaMinApplicationCertificateType definition Table 27 – RsaSha256ApplicationCertificateType definition |
52 | 7.5.18 TrustListUpdatedAuditEventType Table 28 – CertificateGroupFolderType definition Table 29 – TrustListUpdatedAuditEventType definition |
53 | 7.6 Information Model for Pull Certificate Management 7.6.1 Overview 7.6.2 CertificateDirectoryType Figure 14 – The Certificate Management AddressSpace for the GlobalDiscoveryServer |
54 | 7.6.3 StartSigningRequest Table 30 – CertificateDirectoryType ObjectType definition |
56 | 7.6.4 StartNewKeyPairRequest Table 31 – StartSigningRequest Method AddressSpace definition |
58 | 7.6.5 FinishRequest Table 32 – StartNewKeyPairRequest Method AddressSpace definition |
59 | 7.6.6 GetCertificateGroups Table 33 – FinishRequest Method AddressSpace definition |
60 | 7.6.7 GetTrustList Table 34 – GetCertificateGroups Method AddressSpace definition |
61 | 7.6.8 GetCertificateStatus Table 35 – GetTrustList Method AddressSpace definition |
62 | 7.6.9 CertificateRequestedAuditEventType Table 36 – GetCertificateStatus Method AddressSpace definition |
63 | 7.6.10 CertificateDeliveredAuditEventType 7.7 Information Model for Push Certificate Management 7.7.1 Overview Table 37 – CertificateRequestedAuditEventType definition Table 38 – CertificateDeliveredAuditEventType definition |
64 | 7.7.2 ServerConfiguration 7.7.3 ServerConfigurationType Figure 15 – The AddressSpace for the Server that supports Push Management Table 39 – ServerConfiguration Object definition |
65 | Table 40 – ServerConfigurationType definition |
66 | 7.7.4 UpdateCertificate |
67 | 7.7.5 ApplyChanges Table 41 – UpdateCertificate Method AddressSpace Definition |
68 | 7.7.6 CreateSigningRequest Table 42 – ApplyChanges Method AddressSpace Definition |
69 | 7.7.7 GetRejectedList 7.7.8 CertificateUpdatedAuditEventType Table 43 – CreateSigningRequest Method AddressSpace definition Table 44 – GetRejectedList Method AddressSpace definition |
70 | 8 KeyCredential management 8.1 Overview Table 45 – CertificateUpdatedAuditEventType definition |
71 | 8.2 Pull management 8.3 Push management Figure 16 – The Pull Model for KeyCredential management |
72 | 8.4 Information Model for pull management 8.4.1 Overview Figure 17 – The Push Model for KeyCredential management |
73 | 8.4.2 KeyCredentialManagement 8.4.3 KeyCredentialServiceType Figure 18 – The Address Space used for Pull KeyCredential management Table 46 – KeyCredentialManagement Object definition |
74 | 8.4.4 StartRequest Table 47 – KeyCredentialServiceType definition |
75 | 8.4.5 FinishRequest Table 48 – StartRequest Method AddressSpace definition |
76 | 8.4.6 Revoke Table 49 – FinishRequest Method AddressSpace definition |
77 | 8.4.7 KeyCredentialAuditEventType Table 50 – Revoke Method AddressSpace definition Table 51 – KeyCredentialAuditEventType definition |
78 | 8.4.8 KeyCredentialRequestedAuditEventType 8.4.9 KeyCredentialDeliveredAuditEventType 8.4.10 KeyCredentialRevokedAuditEventType Table 52 – KeyCredentialRequestedAuditEventType definition Table 53 – KeyCredentialDeliveredAuditEventType definition |
79 | 8.5 Information Model for push management 8.5.1 General 8.5.2 KeyCredentialConfiguration Figure 19 – The AddressSpace used for Push KeyCredential management Table 54 – KeyCredentialRevokedAuditEventType definition Table 55 – KeyCredentialConfiguration Object definition |
80 | 8.5.3 KeyCredentialConfigurationType 8.5.4 UpdateCredential Table 56 – KeyCredentialConfigurationType definition |
81 | 8.5.5 DeleteCredential Table 57 – UpdateCredential Method AddressSpace definition |
82 | 8.5.6 KeyCredentialUpdatedAuditEventType 8.5.7 KeyCredentialDeletedAuditEventType Table 58 – DeleteCredential Method AddressSpace definition Table 59 – KeyCredentialUpdatedAuditEventType definition Table 60 – KeyCredentialUpdatedAuditEventType definition |
83 | 9 Authorization Services 9.1 Overview 9.2 Implicit Figure 20 – Roles and Authorization Services |
84 | 9.3 Explicit Figure 21 – Implicit authorization |
85 | 9.4 Chained Figure 22 – Explicit authorization |
86 | 9.5 Information Model for Requesting Access Tokens 9.5.1 Overview Figure 23 – Chained authorization |
87 | 9.5.2 AuthorizationServices 9.5.3 AuthorizationServiceType Figure 24 – The Model for Requesting Access Tokens from Authorization Services Table 61 – AuthorizationServices Object definition Table 62 – AuthorizationServiceType definition |
88 | 9.5.4 RequestAccessToken |
89 | 9.5.5 GetServiceDescription Table 63 – RequestAccessToken Method AddressSpace definition |
90 | 9.5.6 AccessTokenIssuedAuditEventType 9.6 Information Model for configuring Servers 9.6.1 Overview Figure 25 – The Model for configuring Servers to use Authorization Services Table 64 – GetServiceDescription Method AddressSpace definition Table 65 – AccessTokenIssuedAuditEventType definition |
91 | 9.6.2 AuthorizationServices 9.6.3 AuthorizationServiceConfigurationType Table 66 – AuthorizationServices Object definition Table 67 – AuthorizationServiceConfigurationType definition |
92 | Annex A (informative) Deployment and configuration A.1 Firewalls and discovery Figure A.1 – Discovering Servers outside a firewall |
93 | Figure A.2 – Discovering Servers behind a firewall |
94 | A.2 Resolving references to remote Servers Figure A.3 – Using a Discovery Server with a firewall |
95 | Figure A.4 – Following References to Remote Servers |
96 | Annex B (normative) Constants |
97 | Annex C (normative) OPC UA Mapping to mDNS C.1 DNS Server (SRV) record syntax C.2 DNS Text (TXT) record syntax Table C.1 – Allowed mDNS service names |
98 | C.3 DiscoveryUrl mapping Table C.2 – DNS TXT record string format Table C.3 – DiscoveryUrl to DNS SRV and TXT Record Mapping |
99 | Annex D (normative) Server Capability Identifiers Table D.1 – Examples of ServerCapabilityIdentifiers |
100 | Annex E (normative) DirectoryServices E.1 Global Discovery via other directory services E.2 UDDI Figure E.1 – The UDDI or LDAP Discovery process |
101 | E.3 LDAP Figure E.2 – UDDI registry structure Table E.1 – UDDI tModels |
102 | Figure E.3 – Sample LDAP hierarchy Table E.2 – LDAP object class schema |
103 | Annex F (normative) Local Discovery Server F.1 Certificate store directory layout Table F.1 – Application Certificate store directory layout |
104 | F.2 Installation directories on Windows |
105 | Annex G (normative) Application installation process G.1 Provisioning with Pull Management G.2 Provisioning with Push Management |
106 | G.3 Setting permissions |
107 | Annex H (informative) Comparison with RFC 7030 H.1 Overview H.2 Obtaining CA Certificates H.3 Initial enrolment Table H.1 – Verifying that a Server is allowed to provide Certificates Table H.2 – Verifying that a Client is allowed to request Certificates |
108 | H.4 Client Certificate reissuance H.5 Server key generation H.6 Certificate Signing Request (CSR) attributes request |