Overview

One of the reasons for the success of OPC UA as a communication technology is its integrated security mechanisms. Data communication based on OPC UA can be secured on two layers: the transport layer and the application layer. When connecting to a server, the client first selects an endpoint, which specifies the security functions to be used.

Endpoints

A server offers the client a list of different endpoints to which the client can connect. An endpoint describes, among other things, which security functions (e.g. Message Security Mode, Security Policy and the available Identity Tokens) a communication connection via this endpoint must fulfil. For example, an endpoint may require signing and encryption of data packets (transport layer) as well as additional authentication of the client by user name/password (application layer).

Transport layer

A communication connection based on OPC UA can be secured at the transport layer. This is done through the use of client and server certificates and a mutual trust relationship between the client and server applications: the client must trust the server certificate, and the server must trust the client certificate, before a communication connection can be established. This requires a mutual certificate exchange.

Application layer

In addition to the transport layer, a communication connection can also be secured at the application layer. For this purpose, the server endpoint offers various authentication mechanisms (identity tokens) from which the client selects one when it creates the session.
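To make the three pieces above concrete, here is an added Python model (not code from this page or from any OPC UA stack) of what a client and server check before a session exists: the client filters the server's endpoint list by Message Security Mode, Security Policy and the identity token it intends to present; the transport layer is opened only if each side's trust list contains the other's certificate; the application layer then validates the user name/password token. The enumeration values and policy URIs are the ones OPC UA defines; the trust-list representation (a set of certificate fingerprints), the user store, and all sample certificates and credentials are constructed for the example.

```python
"""Toy model of OPC UA endpoint selection and its two security layers.
Added example: field names follow the OPC UA EndpointDescription structure
(SecurityMode, SecurityPolicyUri, UserIdentityTokens); trust lists, user
store and all sample values are constructed and are not from a real stack."""
import hashlib
import hmac
from dataclasses import dataclass

# MessageSecurityMode enumeration values defined by OPC UA.
MODE_NONE, MODE_SIGN, MODE_SIGN_ENCRYPT = 1, 2, 3
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
# Security policies deprecated by the OPC Foundation (SHA-1 based).
DEPRECATED_POLICIES = {POLICY_PREFIX + "Basic128Rsa15", POLICY_PREFIX + "Basic256"}
# UserTokenType enumeration values defined by OPC UA.
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE = 0, 1, 2


@dataclass(frozen=True)
class Endpoint:
    url: str
    security_mode: int
    security_policy_uri: str
    user_token_types: frozenset
    server_certificate: bytes  # DER in a real stack; opaque bytes here


def fingerprint(cert_der: bytes) -> str:
    """Constructed stand-in for a certificate thumbprint, used as the trust-list key."""
    return hashlib.sha256(cert_der).hexdigest()


def choose_endpoint(endpoints, min_mode=MODE_SIGN_ENCRYPT, token_type=TOKEN_USERNAME):
    """Return the strongest acceptable endpoint, or None if the server offers none.
    Rejects modes below min_mode, the None policy, deprecated policies, and
    endpoints that do not accept the identity token the client will present."""
    acceptable = [
        ep for ep in endpoints
        if ep.security_mode >= min_mode
        and ep.security_policy_uri != POLICY_PREFIX + "None"
        and ep.security_policy_uri not in DEPRECATED_POLICIES
        and token_type in ep.user_token_types
    ]
    if not acceptable:
        return None
    # Prefer the higher SecurityMode; break ties deterministically on the policy URI.
    return max(acceptable, key=lambda ep: (ep.security_mode, ep.security_policy_uri))


def trusts(trust_list: set, cert_der: bytes) -> bool:
    return fingerprint(cert_der) in trust_list


def mutual_trust(client_cert, client_trust, server_cert, server_trust):
    """Transport layer: the secure channel opens only if each side trusts the other."""
    if not trusts(client_trust, server_cert):
        return False, "client does not trust server certificate"
    if not trusts(server_trust, client_cert):
        return False, "server does not trust client certificate"
    return True, "mutual trust established"


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: name -> (salt, PBKDF2 hash); no plaintext passwords.
_SALT = b"constructed-salt"
USER_STORE = {"operator": (_SALT, _hash_pw("s3cret", _SALT))}


def authenticate(endpoint, token_type, username=None, password=None):
    """Application layer: validate the presented identity token against the endpoint."""
    if token_type not in endpoint.user_token_types:
        return False, "token type not offered by endpoint"
    if token_type == TOKEN_ANONYMOUS:
        return True, "anonymous session"
    if token_type == TOKEN_USERNAME:
        entry = USER_STORE.get(username)
        if entry is None:
            return False, "unknown user"
        salt, stored = entry
        if not hmac.compare_digest(_hash_pw(password or "", salt), stored):
            return False, "bad password"
        return True, f"user {username} authenticated"
    return False, "token type not handled by this model"


def open_session(endpoints, client_cert, client_trust, server_trust, username, password):
    """Full sequence: endpoint choice, transport-layer trust, then user authentication."""
    ep = choose_endpoint(endpoints)
    if ep is None:
        return False, "no acceptable endpoint"
    ok, why = mutual_trust(client_cert, client_trust, ep.server_certificate, server_trust)
    if not ok:
        return False, why
    return authenticate(ep, TOKEN_USERNAME, username, password)


# Constructed sample data: three endpoints on one URL, as a server typically lists them.
SERVER_CERT = b"constructed-server-cert"
CLIENT_CERT = b"constructed-client-cert"
ENDPOINTS = [
    Endpoint("opc.tcp://plc.example:4840", MODE_NONE, POLICY_PREFIX + "None",
             frozenset({TOKEN_ANONYMOUS, TOKEN_USERNAME}), SERVER_CERT),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN_ENCRYPT, POLICY_PREFIX + "Basic128Rsa15",
             frozenset({TOKEN_USERNAME}), SERVER_CERT),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN_ENCRYPT, POLICY_PREFIX + "Basic256Sha256",
             frozenset({TOKEN_USERNAME, TOKEN_CERTIFICATE}), SERVER_CERT),
]
```

Calling `open_session(ENDPOINTS, CLIENT_CERT, {fingerprint(SERVER_CERT)}, {fingerprint(CLIENT_CERT)}, "operator", "s3cret")` walks the whole sequence: the None and deprecated endpoints are skipped, the Basic256Sha256 endpoint is chosen, both trust checks pass, and the user token is validated. Emptying either trust list makes the session fail at the transport layer before any credential is ever examined, which is the ordering the text describes.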