Uwe Steinkrauss - fs-media.nmm.defs-media.nmm.de › ... › automatica_2018_presentation... · OPC LDS UA Server LDS Discovery with LDS:-Network nodes with OPC UA server must be

2018 Automatica Munich

Uwe Steinkrauss

Base Concepts

OPC Unified Architecture

� OPC UA Base Concepts – Information Model, Base Services

� OPC UA Transports – Client/Server, Pub/Sub

� OPC UA Security – Transport & Application Layer

� OPC UA Scalability – Profiles, Conformance Units

� OPC UA Utilities – LDS, LDSme, GDS


� Definition 2003 – 2006� Verification and Implementation 2006 – 2008� Final OPC Foundation Release 2009� IEC 62541 Release 2010 – 2012

� OPC UA = established OPC features+ Platform independence+ Standard internet and IP based protocols+ Built in security features+ Generic object model+ Extensible type system+ Scalability through profiles+ Migration path from Classic OPC

Expose Data

Device

Consume Data

System


Information Model

OPC UA Meta Model

Built-In Information Models

Companion Information Models

Vendor Specific Extensions

OPC UA = Information Centric Layered Architecture

� Basic rules for exposing information with OPC UA

� Generic Object Model, extendabel Type System

� Built-In Models for:◦ Data Access

◦ Alarms Conditions

◦ Historic Data & Events

◦ Programs

◦ Device Description







◦ Programs








◦ Programs








◦ Programs








◦ Programs



� Everything in the UA Address Space is a Node

� UA defines a none extensible list of 8 Node Classes

� Each Node Class has a defined set of Attributes

� Nodes are connected by References


� AnalogMeasurementType is part of Built-In DataAccess Model

Object Type AnalogMeasurement

ObjectType

Object

Variable


Object Instance AnalogMeasurement

Object Type AnalogMeasurement


OPC Foundation collaborates with organizations and domain experts

� OPC UA defines HOW

� Domain experts define WHAT

◦ PLCopen ◦ FDI, FDT ◦ BACnet ◦ MDIS◦ ISA95◦ AutomationML◦ MTConnect◦ IEC 61850/61400 and more coming OPC UA Meta Model





OPC UA Client/Server Communication Model

� Client-friendly API to access information in the server

� 36 Services Request/Response ◦ SecureChannel Service Set

◦ Session Service Set

◦ NodeManagement Service Set

◦ Attribute Service Set (read/write)

◦ Method Service Set (invoke)

◦ MonitoredItem Service Set

◦ Subscription Service Set

Client-Server

OPC UA Meta Model




Services








Service Oriented Architecture – Request-Response� UA TCP (mandatory)◦ Binary Encoding ◦ UA TCP Transport

� Webservice (deprecated)◦ XML Encoding ◦ HTTP/HTTPS Transport

� Hybrid (optional)◦ Binary Encoding◦ TLS Transport OPC UA Meta Model




Client-Server

Services

Protocols


� IANA: 4840

� Firewall-friendly

� UA Binary= mandatory

� Message Security

� Transport Security

[graphic: copyright ascolab GmbH]


� TCP based Request/Response◦ Connection/session context required (peer-

to-peer)

◦ High resource consumption when many connections (>500)

◦ “Private” subscription for each client

◦ Save transport, acknowledgement of every message

◦ Late polling for “DataChange”, keep alive

◦ Use Case: huge amount of flexible data

Server

ClientClient

Client

Server


� UDP based Pub/Sub◦ Connection-less, broadcast-style

communication◦ Low resource consumption many

subscribers (>1000)◦ “Public” subscription, same data for all

clients◦ Fire and forget transportation◦ Cyclic publish of “all” data (deterministic

via TSN)◦ Use Case: small amount of fixed data

Publisher

Subscriber

Broker

Publisher

Subscriber

Additional Use Cases !


Utility Type Specification Parts

Part 13 - Aggregates

Part 12 - Discovery

Part 14 – Pub/Sub

Released February 2018

v1.04


OPC UA Pub/Sub Communication Model (Part 14, v1.04)

� Generic Pub/Sub Information Model

� Pub/Sub Configuration◦ Connections

◦ Meta Data (description)

◦ Data Sets (content)

� Security Configuration◦ Groups

◦ KeysOPC UA Meta Model




Client-Server

Services

Protocols

Pub-Sub

Model

Extension, but no change to existing !


Message Oriented - Publish/Subscribe pattern

� Different Use Cases: one-to-many, Cloud, determinism

� Different Protocols◦ UADP over UDP (mandatory)

◦ AMQP, MQTT (optional)

◦ UADP over TSN (optional)

pre-configured data content formsmessage for certain use cases

OPC UA Meta Model




Client-Server

Services

Protocols

Pub-Sub

Model

Pro

toc

ols


� OPC UA specific selection of events or life data to be included in messages

Network Message

Writer

OPC UA Server’s

Information Space

Filtered List of Values

DataSetCollector

Different Encoding Options

UADP

AMQP

MQTT

JSON

UA BinaryDataSetWriter

f

Values

Events

DataSetMetaData ----

--------

Network Message

� Messaging protocol specific encoding and transport

� Different protocols can be supported e.g. AMQP, MQTT


deterministic

Information Model

configuration Client/Server

Pu

bli

sh

/Su

bs

cri

be

Device / Data

acyclic

controller-controllerOPC UA

Device

on demand

read/write/browse/invoke/notify

UA Client Cloud

Broker

cyclic

controller-controllermeta data

security

redundancy

file transfer

events

historical

TSN


Pub-Sub = optimized Subscription

� Best effort high speeddata streaming (UDP)

� Real-time with TSN

� Cloud connectivity withAMQP and MQTT

� Offloading of messagedistribution to broker

Constraints

� Only preconfigured dataand event streaming

� Configuration requiresClient-Server

Client/Server vs. Publish/Subscribe








� Client/Server Security (layered architecture)

◦ PKI and asymmetric algorithms to exchange session keys

◦ Session keys are used for communication with symmetric algorithms

◦ Session keys are frequently rotated

◦ Authentication of Applications

◦ Authentication of Users

◦ User/Role based Authorization

◦ Auditing relevant operations

◦ Availability

Security for both Communications

[gra

ph

ic: co

pyr

igh

t a

sco

lab G

mbH

]


� Pub/Sub Security (end-to-end)

◦ Session keys must be shared between Publishers and Subscribers

◦ Keys are managed for a security group

◦ Messages are sent in the context of a security group

◦ Key distribution is done with OPC UA Client-Server security

◦ Authentication and Authorization during access to security groupat key server

MessageOriented

Midleware

DirectoryQuery

Publisher SubscriberSubscriberSubscriberKey

Server

KeyServer

Register

GetKeyGetKey








Profile

� Conformance Unit◦ Represents specific feature

◦ Defines a list of test cases for the feature

� Profile◦ Named grouping of features

◦ Full FeaturedCombination of Profiles and Conformance Units that can be used stand alone

◦ Facet Profile that can be used only in combination with other Profiles

� Certification Test◦ Vendor defines list of supported Profiles

◦ Certification Test executes test cases

◦ End users can rely on tested Profiles

Conformance Unit

Conformance Unit

TestCases

TestCases

Certification Test


Standard UA Server

Address Space Data Access

Security Binary Protocol

Event SubscriptionServer Facet

Method Server Facet

Alarms & Conditions

His

tori

ca

l Acce

ss

Co

mp

lex

Da

ta

Re

du

nd

an

cy

De

vic

e In

teg

ratio

n

PL

Co

pe

n

Full Featured Profile

Facets building on top of Full Featured Profile

Pu

b/S

ub

Pro

file

s

un

de

r c

on

str

uc

tio

n


http://www.opcfoundation.org/profilereporting








PLC PC

OPC UA Client

OPC UA Client

OPC UA Client

OPC UA Server

OPC UA Server

LDSOPC UA Server

LDS

Discovery with LDS:-Network nodes with OPC UA server must be known-Servers register with local LDS or have LDS included-LDS is running on defined port (4840)-LDS provides Server and Endpoint Discovery for local network node-Manual security configuration

Register


PLC PC

OPC UA Client

OPC UA Client

OPC UA Client

OPC UA Server

OPC UA Server

LDS-MEOPC UA Server

Features provided:- Host name resolution without

central DNS server- Find network nodes with OPC

UA in local network

Advantage:- No central infrastructure required

Limitation:- Works only in local subnet

ZeroconfmDNS

LDS-MELDS-MELDS-ME


PLC PC

OPC UA Client

OPC UA Client

OPC UA Client

OPC UA Server

OPC UA Server

LDSOPC UA Server

LDS

Central ServerGDS (Port:4840)

Pull / PushCertificates

CertificateAuthority (CA)

List of registered UA Servers

GDS Features:- Certificate creation / management- Certificate Authority (CA)- Management of Certificate

Revocation Lists (CRL)- Push / Pull of Certificates / CRL- Network wide server registry - Security Config

- Register Server

- Security Config- Find Servers

- Certificate Rollout- Plant wide central security management


OPC UA – communication platform for information models (HOW)

Domain experts define information models (WHAT)

Protocol Agnostic – Transport depends on Use Case

Security built into Architecture (managed by GDS)

Scales for all Application Scenarios in IoT and i4.0

Client-Server extended with Publish-Subscribe


Uwe SteinkraussUnified Automation GmbH

< [email protected] >

Documents

Uwe Steinkrauss - fs-media.nmm.defs-media.nmm.de › ... › automatica_2018_presentation... · OPC LDS UA Server LDS Discovery with LDS:-Network nodes with OPC UA server must be