OPC Unified Architecture

The OPC Unified Architecture (UA), released in 2008, is a platform-independent, service-oriented architecture that integrates all the functionality of the individual OPC Classic specifications into one extensible framework.

The most significant difference between classic OPC and OPC UA is that UA does not rely on Microsoft's OLE or DCOM technology, which makes it possible to implement it on any platform, whether Apple, Linux (Java) or Windows. The other very important part of UA is the possibility to use structures or models. This means that data tags or points can be grouped and given context, which makes governance and maintenance much easier. These models can be identified at runtime, which makes it possible for a client to discover what the server offers simply by asking (browsing) the server.

OPC UA is, as said before, built to be platform independent, and its communication is built in layers on top of the standard TCP/IP stack. Above the standard transport layers there are two layers: one that handles the session and one that establishes a secure channel between client and server. The transport layer is made up of TCP/IP and, on top of that, SSL, HTTP or HTTPS. The communication layer secures the channel: it protects not only against corruption of the data but also authenticates the endpoints, so that they cannot be infiltrated or changed. This is based on X.509 certificates (which have three parts); the first peer-to-peer trust must be established manually, but after that the rest is taken care of securely.

Protocols

Transport => TCP/IP, HTTPS, HTTP

Messaging => UA TCP (optimized binary protocol), HTTPS (binary/XML encapsulated in standard HTTP), SOAP (generic messaging)

Message Security => UA Security (UA TCP), TLS Security (HTTPS), Web Service (WS) Security

Message encoding => UA Binary, UA XML

OPC UA is an application layer protocol that can be built on an existing layer 5, 6 or 7 protocol such as TCP/IP, TLS or HTTP. The OPC UA application layer consists of four sublayers: UA Application, Serialization Layer, Secure Channel Layer and Transport Layer (see Figure 1).

OPC UA supports two protocols. This is visible to application programmers only through the URL: the binary protocol uses opc.tcp://Server and the Web Service protocol uses http://Server. Otherwise OPC UA works completely transparently with respect to the API.

The binary protocol offers the best performance and least overhead, needs minimal resources (no XML parser, SOAP or HTTP required, which matters for embedded devices), offers the best interoperability (the binary format is explicitly specified and allows fewer degrees of freedom during implementation), and uses a single, freely chosen TCP port for communication, which eases tunneling or opening it through a firewall.

The Web Service (SOAP) protocol is best supported from available tools, e.g., from Java or .NET environments, and is firewall-friendly, using standard HTTP(S) ports.

Binary is supported by all implementations, while only the .NET implementation supports SOAP.

The Serialization Layer offers two data encodings: UA Binary and UA XML. UA XML, carried over SOAP/HTTP or SOAP/HTTPS, is firewall friendly. UA Binary, on the other hand, has the least overhead and resource cost and therefore offers the best speed and throughput.

The security layer varies with the selected encoding. In the HTTPS-based case, security is provided by TLS, but a Secure Channel must still be present, even if it is empty. It is worth noting that communication based on SOAP/HTTP has been deprecated since 2015 because WS-SecureConversation never found industrial acceptance.

For the transport layer (not the layer of the OSI 7-layer model), the options are UA TCP, HTTPS, SOAP/HTTPS and SOAP/HTTP. OPC UA defines its own UA TCP protocol, which differs from HTTP in two main features: responses may be returned in any order, and they may be returned on a different TCP transport endpoint. In addition, UA TCP defines the interaction with the secure channel above it.

Request/Response Model

The message exchange in UA binary mode is illustrated in Figure 2. After opening the socket, the client starts the connection with the server using the "hello" (HEL) and "acknowledge" (ACK) messages. Afterwards, a pair of messages is needed to open the secure channel and define the encryption properties. Then another two pairs of messages are exchanged to create and activate, respectively, a session between client and server. After these steps the connection is established and the client can send request messages for services. When the request/response exchange is finished, the reverse sequence is required to disconnect.
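The HEL/ACK handshake that opens the UA TCP connection, together with the UA Binary encoding of the fields it carries, as an added example that is not code from the original page or from any OPC UA stack. It builds a Hello on the client side and answers it on the server side with an Acknowledge or an Error; the message layouts follow OPC UA Part 6, while MAX_MESSAGE, SERVER_LIMITS and the sample endpoint URL are assumptions made here. The server-side parser checks every length field before using it, which is the part of the handshake a defender cares about: a malformed or oversized Hello is answered with an ERR rather than processed.

```python
"""OPC UA TCP connection setup (HEL -> ACK or ERR) in UA Binary encoding.

Added example, not code from the original page or from any OPC UA stack.
Message layouts follow OPC UA Part 6 (UA TCP message header, Hello,
Acknowledge and Error messages, UA Binary String encoding). MAX_MESSAGE and
SERVER_LIMITS are this example's own assumptions for a server-side check.
"""
import struct

PROTOCOL_VERSION = 0
MAX_ENDPOINT_URL = 4096                # Part 6: encoded Hello EndpointUrl < 4096 bytes
MAX_MESSAGE = 8192                     # assumption: setup messages are small; reject anything larger
SERVER_LIMITS = dict(recv=65536, send=65536, max_msg=1 << 24, max_chunks=0)  # assumed server config

HEADER = struct.Struct("<3scI")        # MessageType (3 ASCII bytes), Reserved ('F' = final), MessageSize
HELLO_FIXED = struct.Struct("<IIIII")  # ProtocolVersion, ReceiveBufferSize, SendBufferSize,
                                       # MaxMessageSize, MaxChunkCount (all UInt32, little-endian)
HELLO_FIELDS = ("version", "recv", "send", "max_msg", "max_chunks")

# TCP-level StatusCodes defined in OPC UA Part 6.
BAD_TCP_MESSAGE_TYPE_INVALID = 0x807E0000
BAD_TCP_MESSAGE_TOO_LARGE = 0x80800000
BAD_TCP_ENDPOINT_URL_INVALID = 0x80830000


class ProtocolError(Exception):
    """A rejected message, carrying the StatusCode to report in the ERR reply."""
    def __init__(self, code, reason):
        super().__init__(reason)
        self.code = code


def encode_string(value):
    """UA String: Int32 byte length followed by UTF-8 bytes; -1 encodes null."""
    if value is None:
        return struct.pack("<i", -1)
    data = value.encode("utf-8")
    return struct.pack("<i", len(data)) + data


def _frame(mtype, body):
    """Prepend the 8-byte UA TCP header; MessageSize counts the header itself."""
    return HEADER.pack(mtype, b"F", HEADER.size + len(body)) + body


def encode_hello(endpoint_url, recv=65536, send=65536, max_msg=1 << 20, max_chunks=0):
    body = HELLO_FIXED.pack(PROTOCOL_VERSION, recv, send, max_msg, max_chunks)
    return _frame(b"HEL", body + encode_string(endpoint_url))


def encode_ack(recv, send, max_msg, max_chunks):
    return _frame(b"ACK", HELLO_FIXED.pack(PROTOCOL_VERSION, recv, send, max_msg, max_chunks))


def encode_error(code, reason):
    return _frame(b"ERR", struct.pack("<I", code) + encode_string(reason))


def decode_hello(raw):
    """Parse a HEL message, validating every length before any byte is trusted."""
    if len(raw) < HEADER.size:
        raise ProtocolError(BAD_TCP_MESSAGE_TYPE_INVALID, "short header")
    mtype, reserved, size = HEADER.unpack_from(raw)
    if size > MAX_MESSAGE:
        raise ProtocolError(BAD_TCP_MESSAGE_TOO_LARGE, "MessageSize %d exceeds limit" % size)
    if mtype != b"HEL" or reserved != b"F" or size != len(raw):
        raise ProtocolError(BAD_TCP_MESSAGE_TYPE_INVALID, "expected a single final HEL chunk")
    body = raw[HEADER.size:]
    if len(body) < HELLO_FIXED.size + 4:
        raise ProtocolError(BAD_TCP_MESSAGE_TYPE_INVALID, "truncated Hello body")
    hello = dict(zip(HELLO_FIELDS, HELLO_FIXED.unpack_from(body)))
    (slen,) = struct.unpack_from("<i", body, HELLO_FIXED.size)
    start = HELLO_FIXED.size + 4
    # Null (-1), negative, oversized or mismatched lengths are all rejected before slicing.
    if slen < 0 or slen > MAX_ENDPOINT_URL or start + slen != len(body):
        raise ProtocolError(BAD_TCP_ENDPOINT_URL_INVALID, "EndpointUrl length %d invalid" % slen)
    hello["url"] = body[start:start + slen].decode("utf-8")
    if not hello["url"].startswith("opc.tcp://"):
        raise ProtocolError(BAD_TCP_ENDPOINT_URL_INVALID, "unsupported scheme in EndpointUrl")
    return hello


def handle_hello(raw):
    """Server side: answer a HEL with an ACK carrying negotiated limits, or an ERR."""
    try:
        hello = decode_hello(raw)
    except ProtocolError as e:
        return encode_error(e.code, str(e))
    # Part 6: the server must not send chunks larger than the client receives,
    # nor accept chunks larger than the client sends, so take the minimum of both sides.
    recv = min(SERVER_LIMITS["recv"], hello["send"])
    send = min(SERVER_LIMITS["send"], hello["recv"])
    return encode_ack(recv, send, SERVER_LIMITS["max_msg"], SERVER_LIMITS["max_chunks"])


def decode_reply(raw):
    """Client side: return ('ACK', fields) or ('ERR', {'code', 'reason'})."""
    mtype, _reserved, _size = HEADER.unpack_from(raw)
    body = raw[HEADER.size:]
    if mtype == b"ACK":
        return "ACK", dict(zip(HELLO_FIELDS, HELLO_FIXED.unpack_from(body)))
    if mtype == b"ERR":
        code, slen = struct.unpack_from("<Ii", body)
        reason = body[8:8 + slen].decode("utf-8") if slen > 0 else ""
        return "ERR", dict(code=code, reason=reason)
    raise ValueError("unexpected message type %r" % mtype)


if __name__ == "__main__":
    hel = encode_hello("opc.tcp://plc.example:4840/UA", recv=32768, send=16384)  # constructed
    print(decode_reply(handle_hello(hel)))
    print(decode_reply(handle_hello(encode_hello("http://plc.example/UA"))))
```

Running the block prints the negotiated ACK for a well-formed Hello and the ERR returned for a Hello that names an http:// endpoint. The same length-before-slice discipline applies to every UA Binary String and ByteString that follows later in the stream, including the certificates and nonces carried in the OpenSecureChannel exchange.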

OPC UA security model

The OPC UA security model includes three layers: application layer, communication layer and transport layer, as shown in Figure 3. These security layers cover the essential data security objectives: integrity, confidentiality, availability, authorization and authentication. OPC UA is an application layer protocol in terms of the OSI model, but the security layers mentioned here are distinct from the OSI layers.

In Figure 3, in the application layer, the session provides user authentication and authorization over a logical connection between OPC UA server and OPC UA client. User authentication can be achieved by username/password, digital certificates or a WS-Security token. Authorization of the authenticated user depends on the implementation of the OPC UA server by each manufacturer.

The communication layer provides confidentiality, integrity and application authentication. The secure channel ensures that real-time data is exchanged securely between OPC UA client and OPC UA server within a session. To obtain application authentication, the communication layer can use encryption, digital signatures and digital certificates.

The transport layer uses a socket connection; here, error-recovery techniques are used to maintain the availability of services at the transport layer, which improves system accessibility.
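The three security layers described above translate into concrete choices a client makes when it selects an endpoint: the secure channel's MessageSecurityMode and SecurityPolicy (communication layer) and the user identity tokens the session will accept (application layer). The following added example, not code from the original page or from any OPC UA stack, audits a GetEndpoints-style list and picks the strongest usable endpoint; the policy URIs and enumeration values are those of the OPC UA specification, while the simplified dict layout, the preference order in POLICY_RANK and SAMPLE_ENDPOINTS are constructed for this example.

```python
"""Selecting and auditing OPC UA endpoints by their communication- and
application-layer security settings.

Added example, not code from the original page or from any OPC UA stack. The
SecurityPolicy URIs, MessageSecurityMode and UserTokenType values are those
defined by the OPC UA specification; the dict layout of an endpoint, the
ranking order and SAMPLE_ENDPOINTS are this example's own constructions.
"""
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# MessageSecurityMode and UserTokenType enumeration values (OPC UA Part 4).
MODE_INVALID, MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 0, 1, 2, 3
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE, TOKEN_ISSUED = 0, 1, 2, 3

# Higher rank = preferred. The order is this example's preference; unknown policies are refused.
POLICY_RANK = {
    "None": 0,
    "Basic128Rsa15": 1,        # SHA-1 and RSA PKCS#1 v1.5: deprecated in OPC UA 1.04
    "Basic256": 2,             # SHA-1: deprecated in OPC UA 1.04
    "Basic256Sha256": 3,
    "Aes128_Sha256_RsaOaep": 4,
    "Aes256_Sha256_RsaPss": 5,
}
DEPRECATED = {"Basic128Rsa15", "Basic256"}


def assess_endpoint(ep, allow_deprecated=False):
    """Return (accepted, reason, rank) for one endpoint description."""
    uri = ep.get("securityPolicyUri", "")
    policy = uri[len(POLICY_PREFIX):] if uri.startswith(POLICY_PREFIX) else None
    if policy not in POLICY_RANK:
        return False, "unknown security policy %r" % uri, -1
    rank = POLICY_RANK[policy]
    mode = ep.get("securityMode", MODE_INVALID)
    # Communication layer: the secure channel must both sign and encrypt.
    if mode == MODE_NONE or policy == "None":
        return False, "no message security: plaintext, server application not authenticated", rank
    if mode == MODE_SIGN:
        return False, "Sign only: integrity without confidentiality", rank
    if mode != MODE_SIGN_AND_ENCRYPT:
        return False, "invalid MessageSecurityMode %r" % mode, rank
    if policy in DEPRECATED and not allow_deprecated:
        return False, "deprecated SHA-1 based policy %s" % policy, rank
    # Application layer: the session must be able to authenticate a user.
    tokens = {t.get("tokenType") for t in ep.get("userIdentityTokens", [])}
    if not tokens - {TOKEN_ANONYMOUS}:
        return False, "no non-anonymous user token: session cannot authenticate the user", rank
    return True, "SignAndEncrypt with %s" % policy, rank


def select_endpoint(endpoints, allow_deprecated=False):
    """Return the accepted endpoint with the strongest policy, or None."""
    best = None
    for ep in endpoints:
        ok, _reason, rank = assess_endpoint(ep, allow_deprecated)
        if ok and (best is None or rank > best[0]):
            best = (rank, ep)
    return best[1] if best else None


def audit(endpoints):
    """List (url, policy name, accepted, reason) for every endpoint, for a report."""
    rows = []
    for ep in endpoints:
        ok, reason, _rank = assess_endpoint(ep)
        policy_name = ep.get("securityPolicyUri", "").rsplit("#", 1)[-1]
        rows.append((ep.get("endpointUrl"), policy_name, ok, reason))
    return rows


def _ep(mode, policy, *token_types):
    """Build one constructed sample endpoint in this example's simplified layout."""
    return {"endpointUrl": "opc.tcp://plc.example:4840/UA", "securityMode": mode,
            "securityPolicyUri": POLICY_PREFIX + policy,
            "userIdentityTokens": [{"tokenType": t} for t in token_types]}


SAMPLE_ENDPOINTS = [  # constructed for this example: a typical mixed server offering
    _ep(MODE_NONE, "None", TOKEN_ANONYMOUS),
    _ep(MODE_SIGN, "Basic256Sha256", TOKEN_USERNAME),
    _ep(MODE_SIGN_AND_ENCRYPT, "Basic256", TOKEN_USERNAME),
    _ep(MODE_SIGN_AND_ENCRYPT, "Basic256Sha256", TOKEN_ANONYMOUS, TOKEN_CERTIFICATE),
    _ep(MODE_SIGN_AND_ENCRYPT, "Aes256_Sha256_RsaPss", TOKEN_ANONYMOUS),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ENDPOINTS):
        print(row)
    print("selected:", select_endpoint(SAMPLE_ENDPOINTS))
```

On the constructed list the strongest cipher suite loses to a weaker one because it is offered only with anonymous sessions: channel security alone does not satisfy the application-layer authentication the page describes. The same audit, run against a server's real GetEndpoints answer, is a quick way to spot endpoints with SecurityMode None that should be disabled.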
