Clarification on OpenSecureChannel messages and X509IdentityToken specifications
October 9, 2017
13:56, EET

Dear Team,

Kindly clarify on the following queries about the OPC UA specification Part 4 Services,

1. From my understanding, after the GetEndpoints Service messages the client sends an OpenSecureChannel request to the server, which means the request is signed or signed & encrypted according to the security policy in the desired endpoint. I saw the following lines in the specification Part 4 Services, p. 33:

‘The OpenSecureChannel request and response Messages shall be signed with the sender’s Certificate. These Messages shall always be encrypted. If the transport layer does not provide encryption, then these Messages shall be encrypted with the receiver’s Certificate.’ In this it is mentioned that the messages ‘shall’ always be encrypted. How does it rely on the transport layer?

I also see another description in the OPC Unified Architecture book by Wolfgang Mahnke, Stefan-Helmut Leitner and Matthias Damm, as follows:

‘If the certificate is considered as trustworthy, then as the second step an OpenSecureChannel request secured in accordance to the Security Policy and the Security Mode is sent to the selected Session Endpoint of the server.’ Here, it highlights that the message is secured in accordance to the Security Policy and Security Mode, so I request a clarification on the scenario where the security mode is Sign. Will the message be encrypted also?

2. When the Message Security Mode is None, must the Security Policy be None?

3. X509IdentityToken specification, Part 4 Services, section 7.35.4:

‘This token shall always be accompanied by a signature in the userTokenSignature parameter of ActivateSession if required by the SecurityPolicy. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None.’ In the first line it is mentioned ‘if required by the SecurityPolicy’; what is the context of ‘if required’ when the userTokenSignature is a required field for X509IdentityToken? In the second line it is mentioned that an explicit Security Policy is required if the SecureChannel has a SecurityPolicy of None, where ‘None’ means no certificates are exchanged and so X509IdentityToken cannot be used, referring to the following lines in the same specification (Section 5.6.3 ActivateSession, p. 40)?
‘If the token is an X509IdentityToken then the proof is a signature generated with private key associated with the Certificate. The data to sign is created by appending the last serverNonce to the serverCertificate specified in the CreateSession response.’

For your kind information, I use the specification released in November 2015 for study. Please clarify.


October 10, 2017
18:50, EET
Jouni Aro

Yes, it seems like there is a bit of unclarity.

OPC UA defines three alternative MessageSecurityModes:

None, in which case no security measures are applied and the Application Instance Certificates are not used, in general
Sign, in which case the messages are only signed
Sign&Encrypt, in which case the messages are signed and fully encrypted

SecurityPolicy defines a set of cipher algorithms to use for signing and encryption, when these are applied.

The alternative User Authentication Modes can be applied independently of the Message Security Mode. The alternatives are:

None = Anonymous access
Username&Password identification
User Certificates (X.509)
External Tokens

If passwords are sent, they will be encrypted as defined by the UserTokenPolicy (which is separate from SecurityPolicy, but similar). The Application Instance Certificates will be used for the encryption in this case – and therefore they are required to be exchanged even when MessageSecurityMode=None.

User Certificates are separate from the Application Instance Certificates.

The server application always defines which modes are available (via the Endpoints). The client application always decides which modes it will use for the connection (SecureChannel) and for the session.
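The endpoint rules summarised in the reply above (Mode None goes with Policy None; a UserName or X.509 UserTokenPolicy on a Policy-None channel needs its own SecurityPolicy, otherwise the password travels in the clear or the X.509 proof-of-possession signature is not required; the client picks among what the server offers) can be modelled as a small client-side consistency check. The following Python is an added example written for this page; it is not code from the thread, from the OPC UA specification or from any OPC UA stack. The enumeration values and SecurityPolicy URIs are the ones defined in OPC UA Part 4 and Part 7; the endpoint list at the bottom is constructed test data, and the hostname is a placeholder.

```python
"""Model of the OPC UA MessageSecurityMode / SecurityPolicy / UserTokenPolicy
consistency rules discussed in the thread. Added example, not OPC UA stack code."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional

# SecurityPolicy URIs as defined in OPC UA Part 7.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"


class MessageSecurityMode(IntEnum):          # Part 4, MessageSecurityMode enumeration
    INVALID = 0
    NONE = 1
    SIGN = 2
    SIGN_AND_ENCRYPT = 3


class UserTokenType(IntEnum):                # Part 4, UserTokenType enumeration
    ANONYMOUS = 0
    USERNAME = 1
    CERTIFICATE = 2
    ISSUED_TOKEN = 3


@dataclass
class UserTokenPolicy:
    policy_id: str
    token_type: UserTokenType
    # None/empty means "inherit the SecureChannel's SecurityPolicy" (Part 4, UserTokenPolicy).
    security_policy_uri: Optional[str] = None


@dataclass
class EndpointDescription:
    url: str
    security_mode: MessageSecurityMode
    security_policy_uri: str
    user_token_policies: List[UserTokenPolicy] = field(default_factory=list)
    security_level: int = 0                  # server's relative ranking of the endpoint


def endpoint_issues(ep: EndpointDescription) -> List[str]:
    """Return the security inconsistencies of one endpoint (empty list means consistent)."""
    issues = []
    # Question 2 of the thread: Mode None and Policy None always go together.
    if (ep.security_mode == MessageSecurityMode.NONE) != (ep.security_policy_uri == POLICY_NONE):
        issues.append("MessageSecurityMode None must be paired with SecurityPolicy None and vice versa")
    for utp in ep.user_token_policies:
        if utp.token_type == UserTokenType.ANONYMOUS:
            continue                         # nothing secret or provable is sent
        effective = utp.security_policy_uri or ep.security_policy_uri
        if effective == POLICY_NONE:
            # Question 3: without a policy the password is unencrypted and an X.509 token
            # carries no required userTokenSignature, so possession of the key is never proven.
            issues.append(f"UserTokenPolicy '{utp.policy_id}' ({utp.token_type.name}) has an "
                          f"effective SecurityPolicy of None; set one on the UserTokenPolicy")
    return issues


def choose_endpoint(endpoints: List[EndpointDescription],
                    minimum_mode: MessageSecurityMode = MessageSecurityMode.SIGN_AND_ENCRYPT
                    ) -> Optional[EndpointDescription]:
    """Client side: the server offers, the client chooses. Pick the highest-ranked
    consistent endpoint whose mode is at least `minimum_mode`, or None if there is none."""
    candidates = [ep for ep in endpoints
                  if ep.security_mode >= minimum_mode and not endpoint_issues(ep)]
    if not candidates:
        return None
    return max(candidates, key=lambda ep: (ep.security_level, ep.security_mode))


MIN_NONCE_LEN = 32  # Part 4 CreateSession: serverNonce shall be at least 32 bytes


def x509_token_data_to_sign(server_certificate: bytes, server_nonce: bytes) -> bytes:
    """Bytes the client signs with the user certificate's private key for the
    userTokenSignature of an X509IdentityToken: serverCertificate || last serverNonce.
    A short nonce makes the proof replayable, so refuse to sign over one."""
    if len(server_nonce) < MIN_NONCE_LEN:
        raise ValueError("serverNonce shorter than 32 bytes; refusing to sign")
    return server_certificate + server_nonce


# Constructed sample endpoints (not from any real server); host is a placeholder.
_URL = "opc.tcp://example.invalid:4840"
SAMPLE_ENDPOINTS = [
    # weak: password token inherits Policy None, so the password is sent in the clear
    EndpointDescription(_URL, MessageSecurityMode.NONE, POLICY_NONE,
                        [UserTokenPolicy("anon", UserTokenType.ANONYMOUS),
                         UserTokenPolicy("user_pw", UserTokenType.USERNAME)], 0),
    # corrected: same channel, but the token policy names its own SecurityPolicy
    EndpointDescription(_URL, MessageSecurityMode.NONE, POLICY_NONE,
                        [UserTokenPolicy("user_pw_enc", UserTokenType.USERNAME,
                                         POLICY_BASIC256SHA256)], 0),
    EndpointDescription(_URL, MessageSecurityMode.SIGN, POLICY_BASIC256SHA256,
                        [UserTokenPolicy("x509", UserTokenType.CERTIFICATE)], 2),
    EndpointDescription(_URL, MessageSecurityMode.SIGN_AND_ENCRYPT, POLICY_BASIC256SHA256,
                        [UserTokenPolicy("x509", UserTokenType.CERTIFICATE)], 3),
    # inconsistent: Sign with Policy None cannot be applied
    EndpointDescription(_URL, MessageSecurityMode.SIGN, POLICY_NONE, [], 1),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep.security_mode.name, ep.security_policy_uri.rsplit("#")[-1], endpoint_issues(ep))
    print("chosen:", choose_endpoint(SAMPLE_ENDPOINTS).security_mode.name)
```

The model covers only the endpoint and user-token rules from the reply; the actual signing of `x509_token_data_to_sign(...)` with the user's private key, and the asymmetric protection of the OpenSecureChannel messages themselves, are left to the OPC UA stack in use.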
