How to publish or subscribe to secure OPC UA PubSub messages

From OPC Labs Knowledge Base
Jump to navigation Jump to search

Publish secure messages in UADemoPublisher

Enter the following command at the UADemoPublisher> prompt:

publish --EnabledConnection DynamicLayoutConnection --EnabledDataSetWriter SimpleWriter --SecurityMode SignAndEncrypt --SecurityKeyServiceUri opc.tcp://localhost:48010 --SecurityKeyServiceMessageSecurity SignAndEncrypt --SecurityKeyServiceUserInfo root:secret --SecurityGroupId TestGroup --SaveConfiguration

Explanation of the command line arguments and options used:

--EnabledConnection DynamicLayoutConnection 
Normally, messages are published on multiple connections. For easier troubleshooting, this option selects just one of them.
--EnabledDataSetWriter SimpleWriter 
Normally, multiple dataset writers contribute to a network message. For easier troubleshooting, this option selects just one of them.
--SecurityMode SignAndEncrypt 
Specifies the security mode for the PubSub network messages produced.
--SecurityKeyServiceUri opc.tcp://localhost:48010 
Specifies the URL of the SKS (Security Key Service) endpoint.
--SecurityKeyServiceMessageSecurity SignAndEncrypt 
Specifies the security mode that will be used to connect to the SKS.
--SecurityKeyServiceUserInfo root:secret 
Specifies the user name and password used for "logging in" to the SKS.
--SecurityGroupId TestGroup 
Specifies the Id of the security group in the SKS that will be used (the security group in the SKS is configured to use certain security policy, and has other parameters detailing how the security keys are generated).
--SaveConfiguration 
Tells the application to create a file named UADemoPublisher.uabinary with the configuration the publisher is using (influenced by all the other options provided). The configuration file also contains metadata for the published datasets, and might be used by subscribers in consuming the published messages.

This command publishes message with dynamic layout that are (to certain extent) self-describing, and data can be extracted from them by subscribers without the necessity to have the associated metadata available too.

Publish (secure) messages with fixed layout

In order to publish (secure) messages with fixed layout, replace --EnabledConnection DynamicLayoutConnection in the above command by --EnabledConnection FixedLayoutConnection. In this case, subscribers will need the associated metadata in order to fully parse the published messages. The metadata is contained in the UADemoPublisher.uabinary file generated by the command.

Subscribe to secure messages in OpcCmd utility

Enter the following command at the OpcCmd> prompt:

uaSubscriber subscribeDataSet opc.udp://239.0.0.1:4840 --SecurityKeyServiceUri opc.tcp://localhost:48010 --SksTemplateMessageSecurity SecuritySignAndEncrypt --SksTemplateUser root:secret --SecurityGroupId TestGroup --SecurityMode SecuritySignAndEncrypt 

Explanation of the command line arguments and options used:

opc.udp://239.0.0.1:4840 
The URL of the UDP multicast group on which the subscriber will be listening for PubSub network messages.
--SecurityMode SecuritySignAndEncrypt 
Specifies the security mode for the PubSub network messages received.
--SecurityKeyServiceUri opc.tcp://localhost:48010 
Specifies the URL of the SKS (Security Key Service) endpoint.
--SksTemplateMessageSecurity SecuritySignAndEncrypt 
Specifies the security mode that will be used to connect to the SKS.
--SksTemplateUser root:secret 
Specifies the user name and password used for "logging in" to the SKS.
--SecurityGroupId TestGroup 
Specifies the Id of the security group in the SKS that will be used (the security group in the SKS is configured to use certain security policy, and has other parameters detailing how the security keys are generated).

Use publisher configuration, and subscribe to fixed layout messages

uaSubscriber subscribeDataSet --ResolverPublisherFileResourceUri UADemoPublisher.uabinary --PublishedDataSetName Simple

Enable security event tracing in command-line tools

Use the following command in the OpcCmd utility or in UADemoPublisher (at the beginning of the program session) to enable tracing of security-related events:

!diagnostics switches setValue 1 --multiple --contains Security --typeName BooleanSwitch

Use the following command to show the trace entries after a command has been run:

traceEntries?

Related reading