The UaGDS® is a OPC UA Global Discovery Server that provides Security Management and Central Network Services.

The UaGDS from Unified Automation manages the security aspects of OPC UA applications in a network. The centralized approach simplifies the security configuration and administration. It enables the use of OPC UA security and application discovery in larger OPC UA deployments.

As a Global Discovery Server the UaGDS allows for registering OPC UA capable devices and applications for central discovery services. You easily configure, manage and roll out the application certificates and trust relation among your OPC UA applications. Being a Certificate Authority (CA) in itself, the UaGDS will sign the identities and automatically roll out certificate, trust list and revocation list for every managed application. The fully automated interaction with OPC UA applications is done via standardized OPC UA APIs supporting “Pull” for updating clients and “Push” for updating servers including automated renewal of certificates before expiry. The UaGDS ties together applications in so called security groups and takes care on roll out and update of the security relations of the managed applications in that group.

You can install and run a UaGDS in your machine, in your production cell or in your production line depending on the trust relation of the involved OPC UA applications. You could also run UaGDS in the production hall or the complete facility.

Software Architecture

UaGDS Functionality

The UaGDS consists of a configuration tool and a central network service. The network service is an OPC UA Server that implements the OPC UA Global Discovery Server and the central OPC UA Certificate Management. The certificate management includes a built-in Certificate Authority (CA) for certificate signing and the Pull and Push management for certificate and trust list updates.

Any OPC UA application either Client or Server can register at the UaGDS and, after being approved, create signing request with the UaGDS’s built-in CA. All UA applications that belong to the same security group thereafter only need to trust the CA in order to trust all UA applications that have been signed by this CA. After the initial onboarding with the UaGDS the UA application is automatically managed via the UaGDS, hence there is no further manual interaction required. The UA applications will automatically be updated with security certificates, trust lists and revocations.

UaGDS ConfigurationTool provides a monitoring view for a quick status overview, a configuration view for application management and provides administration functionality for the general UaGDS and CA configuration. It uses a secured, roll-based authenticated UA connection to configure just one or all UaGDS in your installation. After initial registration at UaGDS, your UA applications wait for adminstrative approval (pending registration). Thereafter the first signing requests is created and waiting for acceptance (pending sigining requests). After final acceptance the onboarding of the UA application is completed. UaGDS now knows the application and downloads (Push/Pull) the signed certificate plus the revocation list. UaGDS manages, updates and renews the trust and revocation as given in configured interval.

OPC UA Discovery and Global Network Services

  • OPC UA DirectoryType for registration and discovery
  • OPC UA CertificateDirectoryType for certificate and trust list management (Pull)
  • Update of OPC UA servers via ServerConfigurationType (Push)
  • Provides Certificate Authority (CA) for certificate signing
  • Automated renewal of signed certificates and revocation lists

Application management

  • Single registration (Push configuration) via Server Discovery
  • Mass registration (Push configuration) via file import (CSV file)
  • Registration of clients (Pull configuration)
  • Provisioning mode for anonymous registration
  • Administrative confirmation and removal of applications
  • Global trust list per certificate group and per application for application specific trust
  • Overview certificate and trust list status, last seen and last action result

Administration options for UaGds

  • Expiry period and renewal settings for CA certificate and revocation list
  • Expiry period and renewal settings for signed application certificates
  • Manual start of CA certificate renew or application certificate renew

Benefits & Features

You increase the security measures in your system and minimize the risk for attacks by only allowing authorized applications to access your sensitive data. The centralized approach simplifies the security configuration and administration. It ties up the security management into one authority. You minimize potential downtimes caused by manually miss-configured security policies and the distributed use of self-signed certificates only. Especially in larger OPC UA deployments, the decentralized manual distribution of self-signed certificates becomes an administrative nightmare. The UaGDS allows you to reveal the full power of Public Key Infrastructure (PKI) in your OPC UA based equipment.

Using UaGDS you will:

  • Enable use of OPC UA security in OPC UA deployments
  • Add and remove OPC UA applications in one central place
  • Automated deployment of certificate and trust list updates and modifications
  • Increased security using CA-signed certificates instead of self-issued and self-signed
  • Reduced risk for downtimes caused by expired certificates