OPC UA communications security

Introduction

To establish communication between a client and a server, the client must know certain information about the server's configuration. This information, listed below, is set on the server in an endpoint:

  • Endpoint URL

  • Security policy requested by the server (algorithms)

  • Security level of messages requested by the server (signature and encryption)

In UNIQO, this information is defined in the respective properties of the Server OPC UA object.

Endpoint URL

The URL of an endpoint is always composed of the following elements, in the order described.

  • Communications protocol: opc.tcp

  • Network address, expressed in one of the following modes:

    • keyword localhost: any local address

    • hostname: name of the network device on which the server is hosted

    • IP address: IP address of the network device on which the server is hosted

      Note

      unless there are specific requirements, use the keyword localhost.

  • Port

In UNIQO, in the OPC UA Server object, the predefined URL is opc.tcp://localhost:59100.
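As an added example (not UNIQO or Q Studio code), the following parser applies the composition rules listed above to an endpoint URL: the protocol must be opc.tcp, the network address must be the keyword localhost, a hostname or an IP address, and a port must be present. The hostname check (RFC 1123 labels) and the optional trailing path are assumptions of this example, since the text does not define them.

```python
"""Parse and validate an OPC UA endpoint URL of the form opc.tcp://<address>:<port>.

Added example, not UNIQO code. It reports which of the three address modes
(localhost, hostname, IP address) the URL uses and rejects anything that does
not follow the element order described above.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# One RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing hyphen.
_HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class Endpoint:
    address: str
    address_mode: str  # "localhost", "ip" or "hostname"
    port: int
    path: str = ""     # optional, e.g. "/UA/Server"; the predefined UNIQO URL has none (assumption)

    @property
    def url(self) -> str:
        # IPv6 literals go back into brackets, which urlsplit strips.
        host = f"[{self.address}]" if ":" in self.address else self.address
        return f"opc.tcp://{host}:{self.port}{self.path}"


def classify_address(address: str) -> str:
    """Return the network address mode from the list above, or raise ValueError."""
    if address.lower() == "localhost":
        return "localhost"
    try:
        ipaddress.ip_address(address)
        return "ip"
    except ValueError:
        pass  # not an IP literal; try it as a hostname
    labels = address.rstrip(".").split(".")
    if len(address) <= 253 and all(_HOSTNAME_LABEL.match(label) for label in labels):
        return "hostname"
    raise ValueError(f"not a valid network address: {address!r}")


def parse_endpoint_url(url: str) -> Endpoint:
    """Split an endpoint URL into protocol, address and port, validating each element."""
    parts = urlsplit(url)
    if parts.scheme != "opc.tcp":
        raise ValueError(f"unsupported protocol {parts.scheme!r}; expected opc.tcp")
    if parts.username is not None or parts.password is not None:
        raise ValueError("an endpoint URL carries no credentials; user identity is sent separately")
    if not parts.hostname:
        raise ValueError("endpoint URL has no network address")
    port = parts.port  # urlsplit already rejects ports outside 0..65535 and non-numeric ports
    if port is None:
        raise ValueError("endpoint URL has no port")
    return Endpoint(parts.hostname, classify_address(parts.hostname), port, parts.path)


def is_valid_endpoint_url(url: str) -> bool:
    """True when the URL is composed exactly as described above."""
    try:
        parse_endpoint_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The predefined UNIQO server URL, plus constructed variants for the other address modes.
    for sample in ("opc.tcp://localhost:59100", "opc.tcp://192.168.10.5:4840",
                   "opc.tcp://plc-line1.plant.local:4840", "http://localhost:59100"):
        try:
            ep = parse_endpoint_url(sample)
            print(f"{sample}: address mode {ep.address_mode}, port {ep.port}")
        except ValueError as err:
            print(f"{sample}: rejected ({err})")
```

Rejecting credentials embedded in the URL is a deliberate choice of this example: the user identity is carried by the identity token described later on this page, never by the endpoint address.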

Security policy

OPC UA defines the following security policies, all supported by UNIQO. Each policy defines the set of algorithms and the key lengths used to secure the client-server message exchange:

  • Aes256_Sha256_RsaPss

  • Aes128_Sha256_RsaOaep

  • Basic256Sha256

  • None (valid only when no message signature or encryption is performed - see Message security)

For details on the policy, please refer to the OPC UA specifications.

Note

the policies supported by the standard are updated regularly. Some deprecated policies, for example Basic128Rsa15 and Basic256, are supported only for backward compatibility.

In UNIQO, the minimum security policy required by the server for the client is set in the OPC UA Server object.

Message security

OPC UA defines the following security levels, supported by UNIQO, for the messages exchanged between server and client:

  • No signature/encryption

  • Signature of all messages

  • Signature and encryption of all messages

In UNIQO, the minimum security level required by the server for the client is set in the OPC UA Server object.

Client: types of user authentication

When a client connects to a server, it also transmits information that identifies the user. OPC UA defines the following types of user authentication, all supported by UNIQO:

  • Anonymous Identity Token: no information available on the user.

  • Username Identity Token: user identified by username and password. The client sends the user's password to the server to prove the user's identity.

  • X.509 Identity Token: user identified by an X.509v3 certificate. The client sends the server a signature created with the private key associated with the certificate, proving that it holds that key and therefore the user's identity. In this case the certificate must be installed on the server.

To protect the credentials sent to the server, they must be encrypted with the server's public key, even when messages are neither signed nor encrypted.

In UNIQO, the type of authentication is set in the OPC UA Client object.

Certificates and keys in OPC UA

To identify the participants in a communication and to guarantee the authenticity and confidentiality of the exchanged messages, every OPC UA application must have a public certificate (the Application Instance Certificate) and a public/private key pair.

The public key is distributed with the certificate, whereas the private key remains secret. The keys are used as follows:

  • The private key is used to sign messages to send and to decrypt the messages received.

  • The public key of the partner is used to verify the signature of the messages received and to encrypt the messages to send.

The certificates are kept in a “Certificate Store”, subdivided into the following locations:

  • Own: contains the application certificate

  • Trusted: contains the certificates of trusted remote applications

  • Rejected: contains the certificates of remote applications that are connected but not yet considered trusted

  • Certificate Revocation List (CRL): certificates revoked by a Certification Authority (CA) before their expiration.

Certificates that an application issues for itself are said to be self-signed; they must be installed among the trusted certificates on both the server and the client to allow communication. Once a certificate is removed from the trusted list, communication is no longer possible.

Certificates issued by a CA do not need to be installed among the trusted ones: it is sufficient to install the CA certificate. To exclude a certificate issued by a CA, it must be included in the CA's CRL.

Note

each CA certificate must include the corresponding CRL, necessary to verify the certificate of an application.

Certificates and CRLs must comply with the X.509v3 standard in DER binary encoding and are usually contained in files with the .der extension. Each certificate has a corresponding private key in Base64 ASCII encoding, usually contained in a file with the .pem extension.

All of the valid security policies require certificates signed with the SHA-256 algorithm and RSA keys of 2048, 3072, or 4096 bits. The two deprecated policies (Basic128Rsa15 and Basic256) require certificates signed with the SHA-1 algorithm and RSA keys of 1024 or 2048 bits.
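The rules from the Security policy and Message security sections and from the paragraph above can be combined into one admission check: does a client's proposed policy and message security level meet the server's minimums, is policy None used only without signing or encryption, and does the client's application certificate satisfy the signature and key-length requirement of the policy in use. The following is an added example, not UNIQO or OPC UA stack code; the weakest-to-strongest ordering of the policies is an assumption of this example (a real server expresses its preference through the SecurityLevel of each endpoint), and the rule that no certificate check applies under policy None is also assumed.

```python
"""Admission check for a proposed OPC UA secure channel.

Added example, not UNIQO code. Encodes: the server's policy and message
security level are minimums; policy None is valid only without signature or
encryption; current policies need SHA-256 certificate signatures with RSA
2048/3072/4096 keys; the deprecated Basic128Rsa15 and Basic256 need SHA-1 with
RSA 1024/2048 keys.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed ordering, weakest to strongest (not defined by the text).
POLICY_RANK = {
    "None": 0,
    "Basic128Rsa15": 1,          # deprecated, backward compatibility only
    "Basic256": 2,               # deprecated, backward compatibility only
    "Basic256Sha256": 3,
    "Aes128_Sha256_RsaOaep": 4,
    "Aes256_Sha256_RsaPss": 5,
}
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}

# The three message security levels, ordered so the server's setting is a minimum.
MODE_RANK = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}

# Certificate signature requirements: (hash algorithm, allowed RSA key sizes in bits).
CERT_RULES = {
    "current": ("sha256", {2048, 3072, 4096}),
    "deprecated": ("sha1", {1024, 2048}),
}


@dataclass(frozen=True)
class AppCertificate:
    signature_hash: str   # hash used in the certificate signature: "sha256" or "sha1"
    rsa_bits: int         # RSA modulus length in bits


def certificate_problems(cert: AppCertificate, policy: str) -> list[str]:
    """Reasons `cert` cannot be used under `policy`; empty when it satisfies the policy."""
    if policy == "None":
        return []  # assumption: no certificate rule applies when the policy is None
    kind = "deprecated" if policy in DEPRECATED_POLICIES else "current"
    want_hash, want_bits = CERT_RULES[kind]
    problems = []
    if cert.signature_hash.lower() != want_hash:
        problems.append(f"{policy} requires a {want_hash.upper()} certificate signature, "
                        f"got {cert.signature_hash}")
    if cert.rsa_bits not in want_bits:
        problems.append(f"{policy} requires an RSA key of {sorted(want_bits)} bits, got {cert.rsa_bits}")
    return problems


def evaluate_proposal(server_min_policy: str, server_min_mode: str,
                      client_policy: str, client_mode: str,
                      client_cert: AppCertificate) -> list[str]:
    """Reasons the server should refuse the client's proposal; empty means accepted."""
    problems = []
    for name, table in ((server_min_policy, POLICY_RANK), (client_policy, POLICY_RANK),
                        (server_min_mode, MODE_RANK), (client_mode, MODE_RANK)):
        if name not in table:
            problems.append(f"unknown setting {name!r}")
    if problems:
        return problems
    if POLICY_RANK[client_policy] < POLICY_RANK[server_min_policy]:
        problems.append(f"policy {client_policy} is below the server minimum {server_min_policy}")
    if MODE_RANK[client_mode] < MODE_RANK[server_min_mode]:
        problems.append(f"message security {client_mode} is below the server minimum {server_min_mode}")
    if client_policy == "None" and client_mode != "None":
        problems.append("policy None is valid only when messages are neither signed nor encrypted")
    problems.extend(certificate_problems(client_cert, client_policy))
    return problems


if __name__ == "__main__":
    # Constructed scenario: server requires at least Basic256Sha256 with signed messages.
    cert = AppCertificate("sha256", 2048)
    for policy, mode in (("Aes256_Sha256_RsaPss", "SignAndEncrypt"), ("Basic256", "Sign"),
                         ("None", "None")):
        verdict = evaluate_proposal("Basic256Sha256", "Sign", policy, mode, cert)
        print(f"{policy}/{mode}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The check returns every failing rule rather than the first one, which is what an operator wants when diagnosing why a Q Application refuses a client: a single connection attempt can fail both the policy minimum and the certificate requirement.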

Certificates and keys in UNIQO

In Q Studio, the public certificate and the private key of the server/client can be set in the OPC UA Server and OPC UA Client objects. If these elements are absent, typically when testing a project, Q Studio generates a public certificate and the corresponding private key for the server when it generates the Q Application server.

Important

to communicate securely, the client and server public certificates must be considered trusted by both parties. A Q Application only considers trusted the certificates in its ProjectFiles/PKI/Trusted/ folder.

At design time, if you have your own certificates or those of other clients/servers in the field, they can be imported into Q Studio to consider them trusted (see Set up the trusted certificates at design time).

Note

if you do not have a certificate for your own application, one can be generated in Q Studio (see Generate OPC UA certificates in Q Studio).

If the certificates of other clients/servers in the field are not available at design time, they can be imported into the project and considered trusted at runtime, once the parties have connected (see Set the trusted certificates at runtime). In fact, when a client connects to a server at runtime and the respective certificates are not considered trusted, the client certificate is copied to the QApplication/ApplicationFiles/PKI/Rejected/Client folder of the server application and the server certificate is copied to the QApplication/ApplicationFiles/PKI/Rejected/Server folder of the client application.

Note

the name of the copied certificate is a string composed of its Common Name (CN) and its thumbprint (signature).

Lastly, at design time, if nodes are imported from an OPC UA server using an OPC UA Client object and the project does not have the server's public certificate, Q Studio displays an error message reporting that the server certificate was rejected and copied to the ApplicationFiles/PKI/Rejected/Server project folder. In this case too, the certificate can be imported into the project to consider it trusted (see Set up the trusted certificates at design time).

Location of certificates and keys in UNIQO projects and Q Applications

In UNIQO, the certificates and keys are organized in the following folder structure:

QApplication/ProjectFiles/PKI/

  • Own/

    • Client/: client certificates and private keys

    • Server/: server certificates and private keys

    • User/: user certificates and private keys

  • Revoked/

    • Client/: CRL of revoked client certificates. It is used by the OPC UA Server object.

    • Issuer/: CRL of revoked CA certificates. It is used by both OPC UA Server objects and OPC UA Client objects.

    • Server/: CRL of revoked server certificates. It is used by the OPC UA Client object.

    • User/: CRL of revoked user certificates. It is used by the OPC UA Server object.

  • Trusted/

    • Client/: trusted client certificates. It is used by the OPC UA Server object.

    • Issuer/: trusted CA certificates. It is used by both OPC UA Server objects and by OPC UA Client objects.

    • Server/: trusted server certificates. It is used by the OPC UA Client object.

    • User/: trusted user certificates. It is used by the OPC UA Server object.

QApplication/ApplicationFiles/PKI/

  • Own/

    • Server/: certificate and private key generated automatically by the OPC UA Server object

  • Rejected/

    • Client/: certificates of clients that have connected to the server and that are not yet considered trusted

    • Server/: certificates of servers to which OPC UA clients have connected and that are not yet considered trusted

    • User/: certificates of users that have connected to the server and that are not yet considered trusted
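The decision a server makes for a connecting client, as described in Certificates and keys in OPC UA (self-signed certificates must be in Trusted, CA-issued ones need the CA in Trusted/Issuer with its CRL present and the certificate absent from that CRL) and in Certificates and keys in UNIQO (an untrusted certificate is copied to Rejected/Client under a name built from its CN and thumbprint), can be modelled against the folder layout above. The following is an added example and not UNIQO or OPC UA stack code: certificates are constructed Python objects rather than real X.509 DER, trust in a CA is modelled by matching the issuer name where a real stack verifies the issuer's signature over the certificate, CRLs are modelled as sets of serial numbers per issuer, and the exact Rejected file name format is an assumption.

```python
"""Model of a Q Application server's certificate-store decision for a client.

Added example, not UNIQO code. The ServerPki fields mirror the folders a server
consults: ProjectFiles/PKI/Trusted/{Client,Issuer}, ProjectFiles/PKI/Revoked/
{Client,Issuer} and ApplicationFiles/PKI/Rejected/Client.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    cn: str            # subject Common Name
    issuer_cn: str     # issuer Common Name; equals cn for a self-signed certificate
    serial: int        # serial number, the value a CRL lists
    der: bytes         # constructed stand-in for the DER encoding

    @property
    def self_signed(self) -> bool:
        return self.cn == self.issuer_cn

    @property
    def thumbprint(self) -> str:
        # An OPC UA certificate thumbprint is the SHA-1 hash of the DER-encoded certificate.
        return hashlib.sha1(self.der).hexdigest().upper()


def rejected_name(cert: Cert) -> str:
    """Assumed file name format: Common Name followed by the thumbprint."""
    return f"{cert.cn} [{cert.thumbprint}].der"


@dataclass
class ServerPki:
    trusted_client: dict[str, Cert] = field(default_factory=dict)      # Trusted/Client, keyed by thumbprint
    trusted_issuer: dict[str, Cert] = field(default_factory=dict)      # Trusted/Issuer, keyed by CA CN
    revoked_client: dict[str, set[int]] = field(default_factory=dict)  # Revoked/Client: issuer CN -> serials
    revoked_issuer: dict[str, set[int]] = field(default_factory=dict)  # Revoked/Issuer: CA CN -> serials
    rejected_client: dict[str, Cert] = field(default_factory=dict)     # Rejected/Client, keyed by file name

    def trust(self, cert: Cert) -> None:
        """Import a certificate into Trusted/Client, removing it from Rejected/Client."""
        self.trusted_client[cert.thumbprint] = cert
        self.rejected_client.pop(rejected_name(cert), None)


def evaluate_client(pki: ServerPki, cert: Cert) -> tuple[bool, str]:
    """Return (trusted, reason). A certificate that is not trusted is copied to Rejected/Client."""
    if cert.self_signed:
        if cert.serial in pki.revoked_client.get(cert.cn, set()):
            verdict = (False, "self-signed certificate is listed in Revoked/Client")
        elif cert.thumbprint in pki.trusted_client:
            verdict = (True, "self-signed certificate present in Trusted/Client")
        else:
            verdict = (False, "self-signed certificate not in Trusted/Client")
    else:
        if cert.issuer_cn not in pki.trusted_issuer:
            verdict = (False, f"issuer {cert.issuer_cn!r} not in Trusted/Issuer")
        elif cert.issuer_cn not in pki.revoked_issuer:
            # The Note above: a CA certificate must come with its CRL, or verification fails.
            verdict = (False, f"no CRL present for issuer {cert.issuer_cn!r}")
        elif cert.serial in pki.revoked_issuer[cert.issuer_cn]:
            verdict = (False, f"certificate serial {cert.serial} is in the CRL of {cert.issuer_cn!r}")
        else:
            verdict = (True, f"issued by trusted CA {cert.issuer_cn!r}")
    if not verdict[0]:
        pki.rejected_client[rejected_name(cert)] = cert
    return verdict


if __name__ == "__main__":
    # Constructed scenario: one trusted plant CA with an (empty) CRL, one self-signed HMI.
    pki = ServerPki()
    ca = Cert("Plant CA", "Plant CA", 1, b"constructed plant ca")
    pki.trusted_issuer[ca.cn] = ca
    pki.revoked_issuer[ca.cn] = set()
    for client in (Cert("hmi-01", "Plant CA", 5, b"constructed hmi-01"),
                   Cert("scada", "scada", 1, b"constructed scada")):
        trusted, reason = evaluate_client(pki, client)
        print(f"{client.cn}: {'trusted' if trusted else 'rejected'} ({reason})")
    print("Rejected/Client now holds:", list(pki.rejected_client))
```

Running it shows the runtime behaviour the text describes: the CA-issued certificate is accepted without ever appearing in Trusted/Client, while the self-signed one lands in Rejected/Client until an operator imports it with `trust()`.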