2. Features
Overview
The OPC UA Client module of the Edge One™ supports most of the OPC UA version 1.04 Specification. The sections of this guide describe the available features.
- Profiles. Describes the available OPC UA profiles.
- Connection Parameters. Describes the connection parameters supported including Node ID Types, Data Encoding and Data Types.
- Security. Describes the security methods supported including Authentication, Message Security, Security Policies and Session Parameters.
- Subscription Parameters. Describes the subscription parameters supported including Monitored Items and Event Logs.
Supported Features
Profiles
Supported OPC UA Profiles
- AddressSpace_Lookup_Client_Facet: This Facet defines the ability to navigate through the AddressSpace and includes basic AddressSpace concepts, view and browse functionality and simple attribute read functionality.
- Attribute Read Client Facet: This Facet defines the ability to read Attribute values of Nodes.
- Attribute Write Client Facet: This Facet defines the ability to write Attribute values of Nodes.
- Core Client Facet: This Facet defines the core functionality required for any Client. This Facet includes the core functions for Security and Session handling.
- Core 2017 Client Facet: This Facet supersedes the Core Client Facet.
- DataAccess Client Facet: This Facet defines the ability to utilize the DataAccess Information Model, i.e., industrial automation data like analog and discrete data items and their quality of service.
- Discovery Client Facet: This Facet defines the ability to discover Servers and their Endpoints.
- UA-TCP UA-SC UA Binary: This Facet combines the simple TCP based network protocol UA-TCP 1.0 with the binary security protocol UA-SecureConversation 1.0 and the binary message encoding UA-Binary 1.0.
- SecurityPolicy - Basic128Rsa15: This security Facet provides very basic security. It has been deprecated in v1.04 because its hash algorithm, SHA-1, is no longer considered secure.
- SecurityPolicy - Basic256Sha256: This security Facet defines a security policy for configurations with high security needs. It requires a PKI infrastructure, i.e., application certificates that each side trusts.
- SecurityPolicy - Basic256: This security Facet provides very basic security. It has been deprecated in v1.04 because its hash algorithm, SHA-1, is no longer considered secure.
- SecurityPolicy - None: This security Facet defines a security policy used for configurations with the lowest security needs. This security policy can affect the behaviour of the CreateSession and ActivateSession Services. It also results in a SecureChannel which has no channel security, so messages can be read and altered in transit. By default this security policy should be disabled if any other security policies are available.
Profiles to Connect to the OPC UA Server
- Nano Embedded Device Server: This Profile is a FullFeatured Profile intended for chip level devices with limited resources. This Profile is functionally equivalent to the Core Server Facet and defines the OPC UA TCP binary protocol as the required transport profile. The support of Diagnostic Objects and Variables is optional for this Profile despite it being defined as “mandatory” in UA Part 5. Support of Diagnostic Objects and Variables is mandatory in some higher level Profiles.
- Micro Embedded Device Server: This Profile is a FullFeatured Profile intended for small devices with limited resources. This Profile builds upon the Nano Embedded Device Server Profile. The most important additions are: support for subscriptions via the Embedded DataChange Subscription Server Facet and support for at least two sessions. A complete Type System is not required; however, if the Server implements any non-UA types then these types and their super-types must be exposed.
- Micro Embedded Device 2017 Server: This Profile supersedes the “Micro Embedded Device Server Profile”.
- Embedded UA Server: This Profile is a FullFeatured Profile that is intended for devices with more than 50 MB of memory and a more powerful processor. This Profile builds upon the Micro Embedded Device Server Profile. The most important additions are: support for security via the SecurityPolicy - Basic128Rsa15 Facet, and support for the Standard DataChange Subscription Server Facet. This Profile also requires that servers expose all OPC UA types that are used by the Server including their components and their super-types.
- Embedded 2017 UA Server: This Profile supersedes the “Embedded Device Server Profile”.
- Standard UA Server: This Profile is a FullFeatured Profile that defines a minimum set of functionality required for PC based OPC UA servers. Such a server must provide the base AddressSpace structure with type nodes, instance nodes and diagnostic information. The Server must provide connection establishment through the OPC UA TCP binary protocol with security and the creation of at least 50 parallel sessions. It includes view services like browsing and the attribute services for reading and writing of current values. In addition, the monitoring of data changes is included with a minimum of 5 subscriptions for half of the required sessions (total 225) and a minimum of 500 monitored items for half of the subscriptions (total 56250).
Connection Parameters
The following parameters are set per subscription and correspond to the CreateSubscription service parameters of the same name in OPC UA Part 4:
- Lifetime count: the number of publishing intervals that may pass without a Publish request from the Client before the Server deletes the subscription. Part 4 requires this to be at least three times the keep-alive count.
- Keep-alive count: the number of publishing intervals that may pass without any notification before the Server sends an empty keep-alive message, which lets the Client tell a quiet subscription from a dead connection.
- Priority: the relative priority of the subscription; when several subscriptions in a session have notifications ready, the Server serves the one with the highest priority first.
Node ID Types
The Edge One™ OPC UA Client supports all NodeId identifier types and data types defined in the specification. The string form is ns=<namespace index>;<type>=<value>; when the ns= prefix is omitted the namespace index is 0.
- Numeric (i), namespace 1: ns=1;i=25
- String (s), namespace 2: ns=2;s=Channel1.Device1.Tag1
- GUID (g), namespace 3: ns=3;g={A374567B-0CDF-3A8F-230C-123456A7BCDE}
- Opaque (b), namespace 1: ns=1;b=O/MbHCrTUjfOCcNbxy11iBC==
Data Encoding Method
The Edge One™ OPC UA Client supports the following data encoding method:
- Binary format: the OPC UA Binary encoding defined in Part 6, which produces the most compact messages and therefore the most efficient data transfers.
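As an added worked example (not code from the Edge One™ product or from the OPC Foundation), the following Python script parses the NodeId string forms listed under Node ID Types above and produces their OPC UA Binary encoding from Part 6, including the compact TwoByte and FourByte forms a stack uses for small numeric identifiers, with a decoder to round-trip the result. The NodeId class, the function names and the base64 sample identifier used in the comments are this example's own; opaque identifiers are decoded strictly, so unpadded or non-canonical base64 is rejected rather than guessed at.

```python
import base64
import binascii
import struct
import uuid
from dataclasses import dataclass
from typing import Tuple, Union

# Identifier value: UInt32 for 'i', str for 's', uuid.UUID for 'g', bytes for 'b'.
IdValue = Union[int, str, uuid.UUID, bytes]


@dataclass(frozen=True)
class NodeId:
    namespace: int   # NamespaceIndex, a UInt16; 0 is the OPC UA namespace
    id_type: str     # 'i', 's', 'g' or 'b'
    value: IdValue


def parse_nodeid(text: str) -> NodeId:
    """Parse the string form 'ns=<n>;<type>=<value>'; a missing 'ns=' means namespace 0.

    Opaque ('b') values must be canonical, padded base64 (e.g. 'ns=1;b=AQIDBA==').
    Anything malformed raises ValueError rather than producing a guessed NodeId.
    """
    text = text.strip()
    namespace = 0
    if text.startswith("ns="):
        ns_part, sep, text = text.partition(";")
        if not sep or not ns_part[3:].isdigit():
            raise ValueError("namespace prefix must look like 'ns=<digits>;'")
        namespace = int(ns_part[3:])
        if namespace > 0xFFFF:
            raise ValueError("namespace index must fit in a UInt16")
    if len(text) < 2 or text[1] != "=":
        raise ValueError(f"malformed identifier: {text!r}")
    id_type, raw = text[0], text[2:]
    value: IdValue
    if id_type == "i":
        if not raw.isdigit() or int(raw) > 0xFFFFFFFF:
            raise ValueError("numeric identifier must be an unsigned 32-bit integer")
        value = int(raw)
    elif id_type == "s":
        value = raw
    elif id_type == "g":
        value = uuid.UUID(raw.strip("{}"))      # ValueError if not a GUID
    elif id_type == "b":
        try:
            value = base64.b64decode(raw, validate=True)
        except binascii.Error as exc:
            raise ValueError("opaque identifier is not valid base64") from exc
    else:
        raise ValueError(f"unknown identifier type {id_type!r}")
    return NodeId(namespace, id_type, value)


def encode_nodeid(node: NodeId) -> bytes:
    """OPC UA Binary encoding of a NodeId (Part 6): one encoding byte, then the
    namespace and identifier little-endian. Small numeric ids use the TwoByte
    (0x00) and FourByte (0x01) compact forms."""
    ns, v = node.namespace, node.value
    if node.id_type == "i":
        if ns == 0 and v <= 0xFF:
            return struct.pack("<BB", 0x00, v)
        if ns <= 0xFF and v <= 0xFFFF:
            return struct.pack("<BBH", 0x01, ns, v)
        return struct.pack("<BHI", 0x02, ns, v)
    if node.id_type == "s":
        data = v.encode("utf-8")
        return struct.pack("<BHi", 0x03, ns, len(data)) + data   # Int32 length prefix
    if node.id_type == "g":
        return struct.pack("<BH", 0x04, ns) + v.bytes_le            # 16-byte GUID
    return struct.pack("<BHi", 0x05, ns, len(v)) + v               # 'b': ByteString


def decode_nodeid(buf: bytes) -> Tuple[NodeId, int]:
    """Inverse of encode_nodeid; returns the NodeId and the number of bytes consumed."""
    enc = buf[0]
    if enc == 0x00:
        return NodeId(0, "i", buf[1]), 2
    if enc == 0x01:
        ns, v = struct.unpack_from("<BH", buf, 1)
        return NodeId(ns, "i", v), 4
    if enc == 0x02:
        ns, v = struct.unpack_from("<HI", buf, 1)
        return NodeId(ns, "i", v), 7
    ns = struct.unpack_from("<H", buf, 1)[0]
    if enc == 0x04:
        return NodeId(ns, "g", uuid.UUID(bytes_le=bytes(buf[3:19]))), 19
    if enc in (0x03, 0x05):
        length = struct.unpack_from("<i", buf, 3)[0]
        if length < 0:                      # -1 encodes a null String/ByteString
            raise ValueError("null identifier is not a valid NodeId")
        data = bytes(buf[7:7 + length])
        if len(data) != length:
            raise ValueError("truncated identifier")
        if enc == 0x03:
            return NodeId(ns, "s", data.decode("utf-8")), 7 + length
        return NodeId(ns, "b", data), 7 + length
    raise ValueError(f"unsupported NodeId encoding byte 0x{enc:02x}")
```

Worth noting from the encoder: ns=1;i=25 occupies four bytes on the wire while a string identifier costs seven bytes plus its UTF-8 text, which is one reason servers expose numeric identifiers for hot tags.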
Data Types
The Edge One™ OPC UA Client supports all DataTypes in the 1.04 Specification. The major DataType categories are:
- Built-in: A fixed set of DataTypes (see Part 6 for a complete list of Built-in DataTypes). They have no encodings visible in the AddressSpace since the encoding is known to all OPC UA products. Examples of Built-in DataTypes are Int32 and Double.
- Simple: Subtypes of the Built-in DataTypes. They are handled like Built-in DataTypes and cannot have their encodings defined in the AddressSpace. Clients can read the DataType Attribute of a Variable or VariableType to identify the Simple DataType of the Value Attribute. An example of a Simple DataType is Duration. It is handled on the wire as a Double, but the Client can read the DataType Attribute and thus interpret the value as defined by Duration.
- Structured: Structured DataTypes inherit directly or indirectly from the DataType Structure. Structured DataTypes may have several encodings and the encodings are exposed in the AddressSpace. The encoding of the Structured DataType is transmitted with each value, thus Clients are aware of the DataType without reading the DataType Attribute. The encoding has to be transmitted so the Client is able to interpret the data. An example of a Structured DataType is Argument.
- Enumeration: DataTypes that represent discrete sets of named values. Enumerations are always encoded as Int32 on the wire as defined in Part 6. Enumeration DataTypes inherit directly or indirectly from the DataType Enumeration. Enumerations have no encodings exposed in the AddressSpace. To expose the human-readable representation of an enumerated value, the DataType Node may have the EnumStrings Property that contains an array of LocalizedText. The Integer representation of the enumeration value points to a position within that array. The EnumValues Property can be used instead of EnumStrings to support integer representations of enumerations that are not zero-based or have gaps. It contains an array of a Structured DataType holding the integer representation as well as the human-readable representation. An example of an enumeration DataType containing a sparse list of Integers is NodeClass. Enumerations are represented as a list in MQTT.
In addition to the DataTypes described above, abstract DataTypes are also supported. They do not have any encodings and cannot be exchanged on the wire. Variables and VariableTypes use abstract DataTypes to indicate that their Value may be any one of the subtypes of the abstract DataType. An example of an abstract DataType is Integer.
Security
Part 2 of the OPC UA Specification defines a number of objectives to ensure system security. These are:
- Authentication: Entities such as clients, Servers, and users should prove their identities. Authentication can be based on something the entity is, has, or knows.
- Authorization: The access to read, write, or execute resources should be authorized for only those entities that have a need for that access within the requirements of the system. Authorization can be as coarse grained as allowing or disallowing a Client to access a Server, or it could be much finer grained, such as allowing specific actions on specific information items by specific users.
- Confidentiality: Data is protected from passive attacks such as eavesdropping, whether the data is being transmitted, in memory, or being stored. To provide Confidentiality, data encryption algorithms using special secrets for securing data are used along with Authentication and Authorization mechanisms for accessing that secret.
- Integrity: Receivers receive the same information that the original sender sent, without the data being changed during transmission.
- Auditability: Actions taken by a system must be recorded in order to provide evidence to stakeholders:
- that the system works as intended (successful actions are tracked),
- of who initiated particular actions (user activity is tracked),
- that attempts to compromise the system were denied (unsuccessful actions are tracked).
- Availability: Availability is impaired when the execution of software that needs to run is turned off or when the software or communication system is overwhelmed by processing input. Impaired Availability in OPC UA can
Supported Authentication Methods
OPC UA Applications support Authentication of users by providing the necessary Authentication credentials to the other entities. As described for the ActivateSession service in Part 4, the OPC UA Client accepts a UserIdentityToken from the user and passes it to the OPC UA Server, which authenticates the token. Part 4 defines four token types: Anonymous, username/password, an X.509v3 Certificate (see [X509]) and an issued token such as a WS-SecurityToken.
The Edge One™ OPC Client supports the following Authentication Methods:
- Username/Password: Basic authentication method. The password in the token is encrypted with the Server's certificate under the security policy named by the endpoint's user token policy (or, if that is empty, the endpoint's own policy). If that policy is None, the password is sent in clear text, so this method should only be used on a Sign & Encrypt endpoint or with a user token policy that names a real security policy.
- X.509 Certificates: An X.509 Certificate is an electronic ID that can be held by an application. The ID includes information that identifies the holder, the issuer, and a unique key that is used to create and verify Digital Signatures. It conforms to the X.509 public key certificate specification. The Client proves possession of the matching private key by signing the Server's nonce when it activates the session.
- Anonymous: Allows a Client to create an application Session without providing a username and password. Whatever an anonymous session can read or write is decided entirely by the Server's authorization settings, so this should be used only where the Server is meant to be open.
Supported Message Security Modes
OPC UA provides three security modes for the exchange of messages: None, Sign, and Sign and Encrypt. Message signatures provide integrity and authenticity in the communications between the Client and the Server. Encryption is used to scramble the messages to render them unreadable to parties that do not have the key to decrypt the messages.
The Edge One™ OPC UA Module supports all three message security modes.
- Signed: Messages carry a signature that provides authenticity and integrity; their content remains readable on the wire.
- Signed & Encrypted: Messages are signed and encrypted using the algorithms of the selected security policy. The goal is confidentiality in addition to integrity.
- None: Messages are not protected. It is the least safe but fastest mode of sending messages; a Client should only accept it when explicitly configured to, because nothing prevents tampering with or eavesdropping on the session.
Security Policies
OPC UA provides a flexible set of security mechanisms that can be configured to meet a variety of security policies and enforcement regimes. The Edge One™ OPC UA module supports the following security policies.
- None: Messages are neither signed nor encrypted.
- Basic128Rsa15: Algorithm suite that uses AES-128-CBC for message encryption, SHA-1 for signatures and RSA with PKCS #1 v1.5 padding as the key wrap algorithm (the “Rsa15” in the name refers to that padding scheme, not to an exponent length). Deprecated in v1.04.
- Basic256: Algorithm suite that uses AES-256-CBC for message encryption, SHA-1 for signatures and RSA-OAEP for key wrapping. Deprecated in v1.04 because of SHA-1.
- Basic256Sha256: More secure algorithm suite that uses SHA-256 for the signature digest (HMAC-SHA256 on the secure channel, RSA signatures with SHA-256 for the handshake), AES-256-CBC for message encryption and RSA-OAEP for key wrapping, with application certificates of at least 2048-bit RSA keys. This is the policy to prefer among the four.
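As an added example covering both the message security modes and the security policies above (illustrative Python, not the Edge One™ module's own selection logic), the following function picks an endpoint from a GetEndpoints-style list the way a hardened client should: it ranks policies itself rather than trusting the server-reported securityLevel, skips the deprecated SHA-1 policies and SecurityPolicy None unless explicitly allowed, insists on Sign and Encrypt on secured endpoints, and refuses to send a username/password token anywhere the password would not be encrypted. The Endpoint and UserTokenPolicy classes and the sample endpoint list are constructed for the example; the numeric values are the MessageSecurityMode and UserTokenType enumerations from Part 4.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

POLICY = "http://opcfoundation.org/UA/SecurityPolicy#"
NONE = POLICY + "None"
BASIC128RSA15 = POLICY + "Basic128Rsa15"
BASIC256 = POLICY + "Basic256"
BASIC256SHA256 = POLICY + "Basic256Sha256"

# MessageSecurityMode (Part 4): Invalid=0, None=1, Sign=2, SignAndEncrypt=3
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
# UserTokenType (Part 4): Anonymous=0, UserName=1, Certificate=2, IssuedToken=3
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE = 0, 1, 2

# Our own ranking. The two SHA-1 policies are deprecated in 1.04, so they rank
# below Basic256Sha256 no matter what securityLevel the server advertises.
POLICY_RANK = {NONE: 0, BASIC128RSA15: 1, BASIC256: 1, BASIC256SHA256: 3}
DEPRECATED = {BASIC128RSA15, BASIC256}


@dataclass
class UserTokenPolicy:
    policy_id: str
    token_type: int
    security_policy_uri: str = ""   # "" means: same policy as the endpoint


@dataclass
class Endpoint:
    url: str
    security_policy_uri: str
    security_mode: int
    security_level: int             # server-supplied hint; deliberately not used for ranking
    user_token_policies: List[UserTokenPolicy]


def token_is_encrypted(ep: Endpoint, utp: UserTokenPolicy) -> bool:
    """A UserName token's password is encrypted under the token policy's security
    policy, falling back to the endpoint's. Under None it travels in clear text."""
    return (utp.security_policy_uri or ep.security_policy_uri) != NONE


def choose_endpoint(endpoints: List[Endpoint], token_type: int,
                    allow_deprecated: bool = False, allow_none: bool = False
                    ) -> Optional[Tuple[Endpoint, UserTokenPolicy]]:
    """Return the strongest acceptable (endpoint, token policy) pair, or None."""
    best = None
    best_rank = (-1, -1)
    for ep in endpoints:
        if ep.security_policy_uri not in POLICY_RANK:
            continue                                   # unknown policy: do not guess
        if ep.security_policy_uri == NONE and not allow_none:
            continue
        if ep.security_policy_uri in DEPRECATED and not allow_deprecated:
            continue
        if ep.security_policy_uri != NONE and ep.security_mode != MODE_SIGN_AND_ENCRYPT:
            continue                                   # Sign-only still exposes payloads
        for utp in ep.user_token_policies:
            if utp.token_type != token_type:
                continue
            if token_type == TOKEN_USERNAME and not token_is_encrypted(ep, utp):
                continue                               # never ship a clear-text password
            rank = (POLICY_RANK[ep.security_policy_uri], ep.security_mode)
            if rank > best_rank:
                best, best_rank = (ep, utp), rank
            break
    return best


# Constructed GetEndpoints result for illustration (not from a real server).
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc.example:4840", NONE, MODE_NONE, 0,
             [UserTokenPolicy("anon", TOKEN_ANONYMOUS),
              UserTokenPolicy("user-plain", TOKEN_USERNAME)]),
    Endpoint("opc.tcp://plc.example:4840", BASIC128RSA15, MODE_SIGN_AND_ENCRYPT, 9,
             [UserTokenPolicy("user", TOKEN_USERNAME)]),   # inflated securityLevel
    Endpoint("opc.tcp://plc.example:4840", BASIC256SHA256, MODE_SIGN, 5,
             [UserTokenPolicy("user", TOKEN_USERNAME)]),
    Endpoint("opc.tcp://plc.example:4840", BASIC256SHA256, MODE_SIGN_AND_ENCRYPT, 6,
             [UserTokenPolicy("user", TOKEN_USERNAME),
              UserTokenPolicy("cert", TOKEN_CERTIFICATE)]),
]

if __name__ == "__main__":
    ep, utp = choose_endpoint(SAMPLE_ENDPOINTS, TOKEN_USERNAME)
    print(ep.security_policy_uri, ep.security_mode, utp.policy_id)
```

With the sample list the Basic128Rsa15 endpoint advertises the highest securityLevel, yet the chooser lands on the Basic256Sha256 Sign and Encrypt endpoint; given only the None endpoint and a username token, it returns nothing rather than send the password in the clear.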
Session Parameters
The following session-level parameters are configurable:
- Connector timeout
- Idle session timeout
- Channel renewal interval
- Reconnect interval
- Watchdog interval
The channel renewal interval must stay well inside the SecureChannel token lifetime negotiated at OpenSecureChannel; Part 4 recommends renewing after 75% of that lifetime has elapsed, since an expired token closes the channel and forces a full reconnect.
Subscription Parameters
This section describes the features supported when the OPC UA Client creates Subscriptions and MonitoredItems on the Server.
Monitored Items
The MonitoredItem Service Set is used by the Client to create and maintain MonitoredItems. MonitoredItems monitor Variables, Attributes and EventNotifiers. They generate Notifications when they detect certain conditions. They monitor Variables for a change in value or status; Attributes for a change in value; and EventNotifiers for newly generated Alarm and Event reports.
Each MonitoredItem identifies the item to monitor and the Subscription to use to periodically publish Notifications to the Client. Each MonitoredItem also specifies the rate at which the item is to be monitored (sampled) and, for Variables and EventNotifiers, the filter criteria used to determine when a Notification is to be generated.
The Edge One™ OPC UA Client supports the following monitoring modes:
- Subscribe to changes in data values. The Client receives a notification only when the sampled value (or its status) changes.
- Subscribe to all data at a sampling rate. The Client receives the current value at every sampling interval, whether or not it has changed.
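To make the two modes concrete, here is an added Python simulation (example code, not the module's implementation) of a single MonitoredItem on a Variable: a sampler reads the latest source value at each sampling interval and either reports every sample or applies a DataChangeFilter with the trigger and absolute deadband semantics of Part 4, where a change is measured against the last value actually reported. The readings list, the function names and the status strings are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

Reading = Tuple[int, float, str]       # (source timestamp ms, value, status code name)


@dataclass(frozen=True)
class Notification:
    sample_time_ms: int
    value: float
    status: str


def sample_at(readings: List[Reading], t_ms: int) -> Reading:
    """The value the Server sees at time t: the latest reading at or before t."""
    current = readings[0]
    for r in readings:
        if r[0] <= t_ms:
            current = r
    return current


def monitor(readings: List[Reading], sampling_interval_ms: int, horizon_ms: int,
            mode: str = "on_change", trigger: str = "status_value",
            absolute_deadband: float = 0.0) -> List[Notification]:
    """Simulate one MonitoredItem from t=0 to horizon_ms.

    mode="sampled":   every sampling tick yields a notification (second bullet).
    mode="on_change": a DataChangeFilter applies (first bullet). The first sample
                      is always reported; afterwards trigger="status" reports
                      only status changes, trigger="status_value" also reports a
                      value that moved more than absolute_deadband away from the
                      last *reported* value, not the last sampled one.
    """
    out: List[Notification] = []
    last = None
    for t in range(0, horizon_ms + 1, sampling_interval_ms):
        _, value, status = sample_at(readings, t)
        if mode == "sampled" or last is None:
            report = True
        else:
            status_changed = status != last.status
            value_changed = abs(value - last.value) > absolute_deadband
            report = status_changed or (trigger == "status_value" and value_changed)
        if report:
            last = Notification(t, value, status)
            out.append(last)
    return out


# Constructed source readings (not from a real server): one tag over one second.
READINGS: List[Reading] = [
    (0, 10.0, "Good"),
    (150, 10.3, "Good"),    # within a 0.5 deadband of the last reported 10.0
    (400, 12.0, "Good"),
    (650, 12.0, "Bad"),     # status change only
    (900, 12.0, "Good"),
]

if __name__ == "__main__":
    for n in monitor(READINGS, 250, 1000, mode="on_change", absolute_deadband=0.5):
        print(n)
```

With a 250 ms sampling interval the sampled mode delivers five notifications over the second, the change-only mode with a 0.5 deadband delivers four (the 10.3 reading is suppressed), and a status-only trigger delivers three.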
Event Logs
All events generated by the OPC UA stack are sent to the MQTT events queue. Events are published on the topic:
notification/<pid OPC UA>/<group id>
where <pid OPC UA> is the project ID (PID) shown under Project Information and <group id> is the GID shown under the Groups tab of the project configuration.
The event notifications have the following data structure:
{
"pid": 666,
"mod": "opc-ua",
"vals": [
{
"dt": "EventId",
"v": "776589478759098413524080",
"k": "ns=0;i=2253"
},
{
"dt": "EventType",
"v": "ExclusiveLevelAlarmType",
"k": "ns=0;i=2253"
},
{
"dt": "SourceName",
"v": "MyLevel",
"k": "ns=0;i=2253"
},
{
"dt": "SourceNode",
"v": "ns=2;s=MyLevel",
"k": "ns=0;i=2253"
},
{
"dt": "Severity",
"v": "700",
"k": "ns=0;i=2253"
},
{
"dt": "Time",
"v": "131654653650120000",
"k": "ns=0;i=2253"
},
{
"dt": "Message",
"v": "Level exceeded",
"k": "ns=0;i=2253"
}
],
"g": 4,
"ts": 1520991765319
}
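As an added example (not part of the product documentation or its code), the following Python consumer validates a notification of the structure above, derives the topic from pid and g, and converts the Time field. The arithmetic shows that Time is an OPC UA DateTime, i.e., 100 ns ticks since 1601-01-01 UTC: 131654653650120000 converts to 2018-03-14T01:42:45.012Z, 307 ms before the ts value, so the two timestamps are consistent. Two assumptions are made here: that g is the group ID used in the topic, and that k is the NodeId of the event notifier the Client subscribed to (ns=0;i=2253 is the Server object).

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

# OPC UA DateTime (Part 6) counts 100 ns ticks from 1601-01-01T00:00:00Z.
# Offset from that epoch to the Unix epoch, in ticks.
TICKS_1601_TO_1970 = 11_644_473_600 * 10_000_000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Fields a consumer needs; a payload lacking them is rejected, not half-processed.
REQUIRED_FIELDS = ("EventId", "EventType", "SourceNode", "Severity", "Time", "Message")


def opcua_datetime_to_unix_ms(ticks: int) -> int:
    """Integer arithmetic on purpose: a float timestamp would blur the milliseconds."""
    return (ticks - TICKS_1601_TO_1970) // 10_000


def event_topic(pid: int, gid: int) -> str:
    """The topic pattern from the text: notification/<pid>/<group id> (assumes g is the GID)."""
    return f"notification/{pid}/{gid}"


def parse_event(payload: str) -> Dict[str, Any]:
    """Validate one notification and flatten its 'vals' list into named fields.

    Raises ValueError if the envelope or a required event field is missing, or if
    the entries do not all carry the same notifier NodeId in 'k' (assumed meaning).
    """
    msg = json.loads(payload)
    for key in ("pid", "mod", "vals", "g", "ts"):
        if key not in msg:
            raise ValueError(f"missing envelope key {key!r}")
    if msg["mod"] != "opc-ua":
        raise ValueError(f"unexpected module {msg['mod']!r}")
    fields = {item["dt"]: item["v"] for item in msg["vals"]}
    notifiers = {item["k"] for item in msg["vals"]}
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"event lacks fields {missing}")
    if len(notifiers) != 1:
        raise ValueError(f"fields refer to several notifier nodes: {sorted(notifiers)}")
    time_ms = opcua_datetime_to_unix_ms(int(fields["Time"]))
    return {
        "topic": event_topic(msg["pid"], msg["g"]),
        "notifier": notifiers.pop(),
        "event_type": fields["EventType"],
        "source_node": fields["SourceNode"],
        "severity": int(fields["Severity"]),
        "message": fields["Message"],
        "event_time_ms": time_ms,
        "event_time_iso": (UNIX_EPOCH + timedelta(milliseconds=time_ms)).isoformat(timespec="milliseconds"),
        "publish_delay_ms": msg["ts"] - time_ms,   # time from event to MQTT publication
    }


# The notification shown above, rebuilt compactly as the sample input.
SAMPLE_EVENT = json.dumps({
    "pid": 666, "mod": "opc-ua", "g": 4, "ts": 1520991765319,
    "vals": [{"dt": dt, "v": v, "k": "ns=0;i=2253"} for dt, v in [
        ("EventId", "776589478759098413524080"), ("EventType", "ExclusiveLevelAlarmType"),
        ("SourceName", "MyLevel"), ("SourceNode", "ns=2;s=MyLevel"), ("Severity", "700"),
        ("Time", "131654653650120000"), ("Message", "Level exceeded")]],
})

if __name__ == "__main__":
    print(json.dumps(parse_event(SAMPLE_EVENT), indent=2))
```

Severity is carried as a string in the payload, so it is converted before any threshold comparison; a consumer that compares "700" to an integer threshold in a dynamically typed language will silently get the wrong answer.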