Address Space per Endpoint

marc.fuerst
Jr. Member
Posts: 4
Joined: 18 Jan 2017, 11:22

Address Space per Endpoint

Post by marc.fuerst »

Hello everyone.
I'm new to this forum and hoping to find some help here.

I'm trying to separate functionality in my OPC UA interface in a way that only certificate-authenticated clients can connect to one endpoint and all other clients can connect to another endpoint.
The idea behind that is that a user who logs in from a certified client can perform actions and access data that a user who connects to the endpoint via an unauthenticated client cannot access.
So far, I figured out how I can create different endpoints, one with a check for client certificates and one without.
What I want to do now is attach different NodeManagers to those endpoints, so that I can have different address spaces for them.
Is this the correct way, or is it possible to attach two different address spaces with one node manager to two different endpoints?

I'm using the C++ SDK.
An example would be great.

Thank you, in advance.

Support Team
Hero Member
Posts: 3068
Joined: 18 Mar 2011, 15:09

Re: Address Space per Endpoint

Post by Support Team »

Hello,

the OPC UA security concept distinguishes between "Application Authentication" and "User Authentication" plus "User Authorisation".

In our C++ SDK you can configure different Endpoints, and each of them can have its own CertificateStore (and its own TrustList). In the default configuration, as shipped with the SDK, we use one single Store for all endpoints, but this can be changed in the configuration. This is used for "Application Authentication". A Server could have 2 Endpoints in different networks (e.g. internal and external) and for each you could run a different security policy, plus you can allow different Client Applications by having separate TrustLists. E.g. you could allow applications from the internal network, but deny them if they connect from outside.

For the "User Authentication" OPC UA has a different mechanism. You can use User/PWD or User-Certificate or other Tokens to identify the person sitting in front of the application. Each endpoint can allow one or more Token types for user identification.

The "User Authorisation" is the mechanism that has an impact on the NodeManager. Here you would define which node can be accessed (viewed) by whom. Special folders or nodes may be visible to certain groups, or be read-only for certain users.

However, using different NodeManagers and different Namespaces to implement access rights for different users/groups might not be a good idea, as you need to duplicate shared nodes that are accessible by more people. Namespaces typically represent a certain type of data source or an information model, but are typically not used for grouping access rights.
Best regards
Unified Automation Support Team

marc.fuerst
Jr. Member
Posts: 4
Joined: 18 Jan 2017, 11:22

Re: Address Space per Endpoint

Post by marc.fuerst »

Hello,

thank you for your explanation. I have those facts in mind.
What I want to achieve is that if a user "A" connects with his/her credentials via OPC UA, I want to present him/her information and features.
If the same user "A" connects through my custom client software with his/her credentials, I want to present him/her more information and features than via the "un-certified" OPC UA connection.
But the credentials the user is using are the same for both ways. I want to make the authorization decision based on the client certificate. Is this possible in any way?

Best regards.

Support Team
Hero Member
Posts: 3068
Joined: 18 Mar 2011, 15:09

Re: Address Space per Endpoint

Post by Support Team »

Hi,

in the Server SDKs the Session object gives you the user information but also information about the client application.
Best regards
Unified Automation Support Team
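The pattern the Support Team describes, one address space whose per-node rights are decided from both the user token and the client application identity the Session carries, as an added illustration in C++ that is not the Unified Automation SDK's own API: `SessionInfo`, `AccessPolicy`, the node ids and the application URIs are constructed stand-ins for what the SDK's Session object and NodeManager provide.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>

// Constructed model (not the SDK's Session class): the two identities a server
// session carries, which the answer above says are both available to the server.
struct SessionInfo {
    std::string userName;             // from the user identity token (User Authentication)
    std::string clientApplicationUri; // from the client's application certificate
    bool clientCertTrusted;           // certificate was found in the endpoint's TrustList
};

enum class Access { None, Read, ReadWrite };

// One address space, one NodeManager: rights are decided per node from the
// combination of user and client application instead of duplicating nodes.
class AccessPolicy {
public:
    // Rights a user gets regardless of which client application they use.
    void grantUser(const std::string& user, const std::string& node, Access a) {
        userRights_[{user, node}] = a;
    }
    // Nodes that are only exposed when the session comes from this trusted application.
    void restrictToApp(const std::string& node, const std::string& appUri) {
        appOnly_[node].insert(appUri);
    }
    Access decide(const SessionInfo& s, const std::string& node) const {
        auto it = userRights_.find({s.userName, node});
        if (it == userRights_.end()) return Access::None;   // user has no right at all
        auto r = appOnly_.find(node);
        if (r == appOnly_.end()) return it->second;         // shared node: user right applies
        // Restricted node: the certificate must be trusted AND belong to an allowed application.
        if (s.clientCertTrusted && r->second.count(s.clientApplicationUri))
            return it->second;
        return Access::None;                                // hidden from generic clients
    }
private:
    std::map<std::pair<std::string, std::string>, Access> userRights_;
    std::map<std::string, std::set<std::string>> appOnly_;
};

// Policy for the situation in the thread: user "A" sees the shared data from any
// client, but the extended features only via the custom, certificate-trusted client.
inline AccessPolicy examplePolicy() {
    AccessPolicy p;
    p.grantUser("A", "ns=2;s=Shared.Temperature", Access::Read);          // constructed node id
    p.grantUser("A", "ns=2;s=Extended.Setpoint", Access::ReadWrite);      // constructed node id
    p.restrictToApp("ns=2;s=Extended.Setpoint", "urn:example:CustomClient"); // constructed URI
    return p;
}
```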
