UaGDS

The UaGDS® is an OPC UA Global Discovery Server that provides Security Management and Central Network Services.

The UaGDS from Unified Automation manages the security aspects of OPC UA applications in a network. The centralized approach simplifies the security configuration and administration. It enables the use of OPC UA security and application discovery in larger OPC UA deployments.

As a Global Discovery Server, the UaGDS allows OPC UA capable devices and applications to register for central discovery services. You easily configure, manage and roll out the application certificates and trust relations among your OPC UA applications. Being a Certificate Authority (CA) in itself, the UaGDS signs the identities and automatically rolls out certificate, trust list and revocation list for every managed application. The fully automated interaction with OPC UA applications is done via standardized OPC UA APIs, supporting “Pull” for updating clients and “Push” for updating servers, including automated renewal of certificates before expiry. The UaGDS ties applications together in so-called security groups and takes care of rolling out and updating the security relations of the managed applications in that group.

You can install and run a UaGDS on your machine, in your production cell or in your production line, depending on the trust relations of the involved OPC UA applications. You could also run a UaGDS for the production hall or the complete facility.

Software Architecture

UaGDS Functionality

The UaGDS consists of a configuration tool and a central network service. The network service is an OPC UA Server that implements the OPC UA Global Discovery Server and the central OPC UA Certificate Management. The certificate management includes a built-in Certificate Authority (CA) for certificate signing and the Pull and Push management for certificate and trust list updates.

Any OPC UA application, either Client or Server, can register at the UaGDS and, after being approved, create a signing request with the UaGDS’s built-in CA. All UA applications that belong to the same security group thereafter only need to trust the CA in order to trust all UA applications that have been signed by this CA. After the initial onboarding with the UaGDS, the UA application is automatically managed via the UaGDS, so no further manual interaction is required. The UA applications are automatically updated with security certificates, trust lists and revocation lists.

The UaGDS Configuration Tool provides a monitoring view for a quick status overview, a configuration view for application management, and administration functionality for the general UaGDS and CA configuration. It uses a secured, role-based authenticated UA connection to configure just one or all UaGDS instances in your installation. After initial registration at the UaGDS, your UA applications wait for administrative approval (pending registration). Thereafter the first signing request is created and waits for acceptance (pending signing requests). After final acceptance, the onboarding of the UA application is completed: UaGDS now knows the application and rolls out (Push/Pull) the signed certificate plus the revocation list. UaGDS manages, updates and renews the trust and revocation lists at the configured interval.
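The onboarding flow described above (signing request, CA signature, roll-out of trust list and revocation list, renewal inside the configured window) can be reproduced end to end with nothing but the OpenSSL command-line tool. The script below is an added example, not UaGDS code and not code from Unified Automation: it stands in for the built-in CA with a local OpenSSL CA, stands in for the group's trust list with the CA certificate file, and leaves the Pull/Push transport out, stopping at the files a managed application would receive. The CA name, the application names, the `urn:example:uagds-demo:` ApplicationUri prefix and the 365/30-day lifetimes are constructed for the demo; it needs a current `openssl` binary on the path.

```shell
# Added example, not UaGDS code: the GDS certificate lifecycle from this page,
# modelled with the OpenSSL CLI in a scratch directory. The CA name, the
# application names, the ApplicationUri prefix and the lifetimes are made up.
set -eu

# Scratch directory plus a minimal OpenSSL config for the stand-in CA.
setup_workdir() {
  cd "$(mktemp -d)"
  mkdir -p newcerts
  : > index.txt                  # certificate database used by 'openssl ca'
  echo 01 > serial
  echo 01 > crlnumber
  cat > gds.cnf <<'EOF'
[ ca ]
default_ca = gds_ca
[ gds_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Built-in CA: one self-signed root. Trusting it is enough to trust every
# application the GDS has signed, so the group's trust list is just ca.pem.
create_ca() {
  openssl req -config gds.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=UaGDS demo CA" -extensions v3_ca -keyout ca.key -out ca.pem 2>/dev/null
}
# Onboarding step 1: the application keeps its key and hands the GDS a CSR.
make_csr() {   # $1 = application name
  openssl req -config gds.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# Onboarding step 2, and every later renewal: after approval the CA signs the
# CSR. OPC UA application certificates carry the ApplicationUri as a URI SAN.
sign_csr() {   # $1 = application name
  printf '%s\n' "basicConstraints = critical, CA:FALSE" \
    "keyUsage = critical, digitalSignature, keyEncipherment" \
    "subjectAltName = URI:urn:example:uagds-demo:$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# An unmanaged application with a self-signed certificate, for contrast.
make_self_signed() {   # $1 = application name
  openssl req -config gds.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# The trust decision a managed application makes after a Pull/Push update: the
# peer must chain to the CA in the trust list and not be on the CRL. 0 = trusted.
is_trusted() {   # $1 = certificate file
  if [ -f crl.pem ]; then
    openssl verify -CAfile ca.pem -crl_check -CRLfile crl.pem "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
  fi
}
# Renewal window: exit 0 when the certificate expires within $2 days (renew now).
needs_renewal() {   # $1 = certificate file, $2 = window in days
  ! openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1
}
# Revocation: mark the certificate revoked and issue a fresh CRL for the group.
revoke_cert() {   # $1 = application name
  openssl ca -config gds.cnf -revoke "$1.pem" >/dev/null 2>&1
  openssl ca -config gds.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# Whole lifecycle: onboard app1, reject a stranger, renew app1, revoke app1.
run_demo() {
  setup_workdir
  create_ca
  make_csr app1 && sign_csr app1
  make_self_signed stranger
  is_trusted app1.pem     && echo "app1 (CA-signed): trusted"
  is_trusted stranger.pem || echo "stranger (self-signed): not trusted"
  if needs_renewal app1.pem 45; then sign_csr app1 && echo "app1: renewed"; fi
  revoke_cert app1
  is_trusted app1.pem     || echo "app1 (revoked): not trusted"
}
run_demo
```

Run as a whole, the script prints one line per lifecycle step. The two functions worth studying are `is_trusted`, which is exactly the check a managed application performs with the trust list and CRL it received, and `needs_renewal`, which is the test that the renewal settings on the administration side drive: a 30-day certificate is flagged with a 45-day window and left alone with a 7-day window.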

OPC UA Discovery and Global Network Services

  • OPC UA DirectoryType for registration and discovery
  • OPC UA CertificateDirectoryType for certificate and trust list management (Pull)
  • Update of OPC UA servers via ServerConfigurationType (Push)
  • Provides Certificate Authority (CA) for certificate signing
  • Automated renewal of signed certificates and revocation lists

Application management

  • Single registration (Push configuration) via Server Discovery
  • Mass registration (Push configuration) via file import (CSV file)
  • Registration of clients (Pull configuration)
  • Provisioning mode for anonymous registration
  • Administrative confirmation and removal of applications
  • Global trust list per certificate group and per application for application specific trust
  • Overview of certificate and trust list status, last seen and last action result

Administration options for UaGDS

  • Expiry period and renewal settings for CA certificate and revocation list
  • Expiry period and renewal settings for signed application certificates
  • Manual start of CA certificate or application certificate renewal

Benefits & Features

You increase the security measures in your system and minimize the risk of attacks by only allowing authorized applications to access your sensitive data. The centralized approach simplifies the security configuration and administration and consolidates security management in one authority. You minimize potential downtime caused by manually misconfigured security policies and by relying solely on hand-distributed self-signed certificates. Especially in larger OPC UA deployments, the decentralized manual distribution of self-signed certificates becomes an administrative nightmare. The UaGDS allows you to unlock the full power of Public Key Infrastructure (PKI) in your OPC UA based equipment.

Using UaGDS you will:

  • Enable the use of OPC UA security in OPC UA deployments
  • Add and remove OPC UA applications in one central place
  • Automate the deployment of certificate and trust list updates and modifications
  • Increase security by using CA-signed certificates instead of self-issued, self-signed ones
  • Reduce the risk of downtime caused by expired certificates