The OPC Foundation has recently released the version 1.02 of the specification and the stack components along with some sample applications and a new version of the Local Discovery Server (LDS).
Following this release we also announced the public availability of the Java SDK 2.0 Beta, which is based on the new stack.
Highlights
The highlights of the new specification are:
- Support for HTTPS protocol
- Basic256Sha256 Security Policy
- Big certificates (>2048 bits)
- Final release of the Historical Access and Aggregates parts
- FileTransfer through FileType objects
- Standard XML schema for Information Models (http://opcfoundation.org/UA/2011/03/UANodeSet.xsd)
- Global Discovery Service
- Enhanced redundancy mode and network redundancy
HTTPS
Support for the HTTPS protocol is added to all the stacks. These have now been prepared in a project coordinated by the Software Management Group of OPC Foundation, which decides on the direction of the software components provided by the OPC Foundation.
In practice, HTTPS becomes another alternative for the UA Binary and SOAP protocols that have been defined in earlier specifications. The UA Binary will stay as the primary protocol available in all stacks. It incorporates the UA security. SOAP remains implemented in the .NET stack only, incorporating WS-Security (which makes it challenging for the other stacks). HTTPS will be used without UA security; but the same level of security is applied by the standard SSL/TLS layer that is used in the transport level (HTTP with SSL is HTTPS).
In practice, the difference between UA binary and HTTPS is that since the security is applied on different levels, also different certificates are used. UA security is based on Application Instance certificates, whereas HTTPS uses a bit different certificates. They are both similar X.509 certificates, but have minor differences in the field values, so your application will need both, if it supports both protocols.
Support for HTTPS is included in the Java SDK 2.0: you can “just use it” 🙂 Read more, for example from the Migration Guide.
Basic256Sha256
This is a new security policy, which enhances the former Basic256 policy.
The policy defines that AES-256 is used for symmetric encryption as before with Basic256, but the message digest algorithm is updated from SHA-1 to SHA-256, which provides additional confidentiality.
Support for this new policy is not implemented yet in all stacks, so you should not be worried about this yet.
The Java SDK 2.0 allows usage of the new policy, but it’s still not enabled by default in the servers.
Big certificates
The former specification had a minor flaw, which prevented the usage of application instance certificates with more than 2048 bits. Version 1.02 fixes this flaw, but due to backward compatibility, it does not come without some complications. The stacks will use a bit different message structure depending on the size of the certificate. For this reason, big certificates are only allowed along with the new Basic256Sha256 policy – which on the hand is defined not to be available with 1024 bit certificates.
In practice, if you wish to support all policies (Basic128Rsa15, Basic256, Basic256) you must use a certificate of 2048 bits, or two separate application instance certificates.
The Java SDK 2.0 sample applications demonstrate how to enable usage of several certificates (see the application source codes).
FileType
The FileType object will enable transfer of files through OPC UA. The object type contains the properties:
- Size
- Writable
- UserWritable
- OpenCount
and methods
- Open
- Close
- Read
- Write
- GetPosition
- SetPosition
So the idea is that it can be used to provide access to the file system in the UA Server Address Space and the files can be transferred using the methods. This enables unlimited file sizes as well: GetPosition and SetPosition enable moving the position in an underlying file stream; Read and Write will transfer a specified amount of bytes from or to the stream.
Information Model schemas
The new Information Model schemas will enable transfer of information models and also other address space information between modeling applications, but also between server and client applications.
The stacks do not contain support for the information models, but the Java SDK enables loading of the models from XML to the server address space. We are also working on improved support for creating instances out of the UA types and generating Java classes that implement the UA instance structures. This will open up exiting new possibilities in future.
Global Discovery Service
The Global Discovery Service (GDS) is a specification of an application that can provide the discovery service on network level. So far we only have had the Local Discovery Server (LDS) components that can provide information of server applications installed in the local computer. The idea behind the GDS is to provide the same information on network level, so that it would be easier to locate all the servers installed in a complete site.
Another feature of the GDS is to serve as a centralized Certificate Authority, which can sign application certificates for all UA applications. This will make it easier to establish a secure UA network as each application will not use a self-signed certificate that must be accepted separately by each other application.
The OPC Foundation will provide a sample implementation of the GDS.
The new specification also defines ways for ad-hoc discovery of applications in a network.
The Part 12. which defines the new discovery features is not yet released, though, so details of these options are still subject to change a bit.