Abstract

The growing need for end-to-end security in distributed communication for industrial automation, as emphasized in Industrie 4.0, requires an investigation of the security features of the relevant protocols. One of the security requirements is authentication and authorization of users within and across organizational boundaries. OPC UA (Open Platform Communication Unified Architecture) is a service-oriented architecture for platform-independent communication in the automation industry. This research work examines OPC UA to understand how its security architecture supports end-to-end communication, and implements a demo PKI (Public Key Infrastructure) to illustrate this. The design and implementation of such a PKI facilitates both offline and online validation services. This work emphasizes the different PKI concepts used to enable security in applications based on the OPC UA standards. The information modelling provided by OPC UA has options to enable user access rights, and the applicability of access level attributes in differentiating access rights between different users is demonstrated. The results of this work illustrate a single-level hierarchical trust model for end-to-end communication using X509IdentityToken authentication for a user to access services provided by an OPC UA server. Online validation of X.509 certificates using OCSP (Online Certificate Status Protocol) is demonstrated, and offline validation using a CRL (Certificate Revocation List) is also illustrated. The X.509 certificates required for OPC UA based applications can be generated using a tool called keytool; an open source project based on keytool is used to create the OPC UA specific extensions for the certificates. The several challenges in implementing such an infrastructure for distributed systems are described, and the scope for further research is discussed briefly.
