Technology, September 21, 2023

Easier identification, management and security for OPC UA devices

OPC UA graphic (Image source: Funtap@shutterstock.com)

Dynamic certificate management with the OPC UA GDS can be developed using the Device and Update Management system. The OPC UA information model enables new processes to be set up efficiently between a controller and any higher-level, business-oriented software layer.

Often, OPC UA is only associated with a machine-to-machine communication protocol for industrial automation. However, the standard is also a good solution for connecting machine networks and company networks. This is because OPC UA not only transmits machine information – for example, target values, measured values, and process parameters – but also defines and describes the data.

The OPC UA information model enables new processes to be set up efficiently between a controller and any higher-level, business-oriented software layer. In addition, the software update model specified in the OPC UA specification 10000-100 can be used to realize a software management system for an asset. This system includes, for example, installing new software, updating existing software, updating firmware, and performing a limited backup and recovery of parameters and firmware whenever this is necessary for the update process. To exchange data with an asset securely and with a high level of trust, OPC UA offers certificate-based communication. This is where the OPC UA Global Discovery Server (GDS) comes into play.

The Global Discovery Server in collaboration with the OPC UA server and client.

Access point to the central certificate management

First, the GDS concept of OPC UA allows the configuration of cross-subnet Discovery Services. Second, it provides interfaces for a central certificate management system. A Global Discovery Server includes mechanisms for the central management of CA-signed (certificate authority) and self-signed certificates, as well as for the management of trust lists and certificate revocation lists (CRLs). This means that the GDS is an access point to the central certificate management system and therefore takes on the role of a security server within an OPC UA network.

The main application of the Global Discovery Server is the administration of CA-signed certificates with the associated CRLs. For this purpose, the GDS can generate initial OPC UA application certificates, regularly update the associated CRLs and trust lists, and renew the OPC UA application certificate. All in all, the OPC UA Global Discovery Server plays a critical role in ensuring the hardened and efficient operation of OPC UA systems by providing key identification, management, and security capabilities.
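As an added illustration of the trust-list and CRL handling described above (this is not code from the article or from Phoenix Contact), the following Go program builds a constructed company CA, issues an application certificate, and runs the acceptance check a peer holding the GDS-distributed trust list and CRL would perform, once before and once after the CA publishes a CRL that revokes the certificate. The CA name, serial numbers and validity periods are assumptions; the X.509 work is done by Go's standard library (Go 1.19 or later).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckOPCUACert is the acceptance check a peer runs with a GDS-distributed trust list and CRL.
func CheckOPCUACert(cert *x509.Certificate, trust *x509.CertPool, crl *x509.RevocationList) error {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: trust}) // must chain to a CA on the trust list
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // only a CRL signed by that issuing CA counts
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// IssueAndRevoke: a constructed company CA issues an application certificate, then revokes it by CRL.
func IssueAndRevoke() (before, after error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // RSA 2048, as the common Basic256Sha256 policy expects
	appKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now().Add(-time.Minute)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Plant CA"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(der) // parse back so the struct carries the signed DER and raw names
	app := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "plc-01"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	der, _ = x509.CreateCertificate(rand.Reader, app, ca, &appKey.PublicKey, caKey)
	app, _ = x509.ParseCertificate(der)
	trust := x509.NewCertPool() // the trust list a GDS would distribute to every peer
	trust.AddCert(ca)
	publish := func(n int64, revoked ...pkix.RevokedCertificate) *x509.RevocationList { // the CA signs CRL number n
		der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(n), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: revoked}, ca, caKey)
		crl, _ := x509.ParseRevocationList(der)
		return crl
	}
	revoked := pkix.RevokedCertificate{SerialNumber: app.SerialNumber, RevocationTime: now}
	return CheckOPCUACert(app, trust, publish(1)), CheckOPCUACert(app, trust, publish(2, revoked))
}
```

The check deliberately takes the issuing CA from the verified chain rather than from the caller, so a CRL signed by any other key on the trust list is rejected.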

Real-time client notification

Certificate management with the Global Discovery Server.

The GDS Push Service is a function of the OPC UA Global Discovery Server that notifies clients in real time when new endpoints or applications are added to the GDS or when existing endpoints and applications are changed or deleted. With the GDS Push Service, clients can subscribe to notifications regarding specific events or changes, such as when a new OPC UA server is added to the network or the endpoint URL of an existing server changes. This means that the clients are always up to date on changes in the OPC UA network and can automatically adjust their configurations when necessary.

The GDS Push Service can also work alongside the OPC UA Pub/Sub protocol, which enables the efficient and scalable communication of event notifications. Clients can subscribe to specific topics or events that are of interest to them. The GDS then automatically sends messages if these events occur. Overall, the GDS Push Service is a powerful feature of the OPC UA Global Discovery Server. This is because the service allows the real-time identification and management of OPC UA applications and endpoints, which is a huge boost to efficient and secure data transmission in industrial and IoT systems.

Identification of devices in a network

Implementing the OPC UA Global Discovery Server is a great benefit to a device management tool, such as the Device and Update Management system from Phoenix Contact. First of all, the GDS supports the user in identifying and managing OPC UA-enabled devices and applications more easily. The Global Discovery Server provides a central location for the identification and administration of OPC UA endpoints and applications, meaning that the device management tool can identify the devices in the network more easily and connect with them.

In cooperation with a device management tool, the GDS can also be used to manage the security of OPC UA-enabled devices and applications. The Global Discovery Server includes functions for the management of certificates and security policies, thus ensuring that communication between the devices is secure and trustworthy. Last but not least, the GDS Push Service can deliver real-time notifications regarding changes in the network, meaning that the device management tool is always up to date in terms of changes to OPC UA-capable devices and applications. This enables the device management tool to automatically adjust its configuration when necessary.

Manufacturer-independent and industrial networking and security with OPC UA.

Remote configuration

There are a large number of applications that will require automated commissioning of new or replacement devices in the future – in particular as we move toward a networked world in the All Electric Society. The buzz phrase zero-touch or one-touch provisioning is often used here. Within a company network, intelligent end devices (edge devices) can be configured remotely – without human intervention on site. This saves time and money.

In combination with an OPC UA Global Discovery Server, an intelligent device management tool enables a decisive step to be made here. This is because identifying new devices via the GDS, trusting them, or issuing them with a trustworthy identity, and then installing a previously defined global configuration on the devices are essential functions for automated commissioning. Using the OPC UA standard is a key advantage here. This is the only way that corresponding scenarios can be implemented regardless of the device manufacturer.

Even if a device management tool does not necessarily need an OPC UA Global Discovery Server, it can still benefit from its functions and the ability to identify, manage, and secure OPC UA-enabled devices and applications, as well as provide real-time notifications of changes in the network.

OPC UA server certificates in PLCnext controllers

The embedded OPC UA server built into the PLCnext controllers from Phoenix Contact requires X.509 certificates to ensure trustworthy communication with OPC UA clients. There are four main types of certificates that can be used:

Automatically generated self-signed certificates
The necessary certificates are generated automatically by the controller. This function is easy to set up and is particularly useful for tests and permanent use in secure LANs.

Manually generated self-signed certificates
These have no additional security advantages over automatically generated self-signed certificates. However, the manager has greater control over certificate management.

Certificates signed by the company’s own certification authority (CA)
Compared with automatically and manually generated self-signed certificates, these have no security advantages. However, a structured certification management system can be set up.

Certificates issued by a trusted certification authority
These certificates must be purchased from a trusted certification authority, such as GeoTrust or Symantec. This option is recommended for public or unsecured networks, because all clients should accept a certificate signed by a trusted certification authority.

Arno Martin Fast, B. Eng., Senior Specialist Digital Services in the Business Unit Automation Systems, Phoenix Contact Electronics GmbH