The use of OPC UA is growing rapidly - and with it the challenge of managing applications efficiently. Manual configurations via web interfaces are no longer a solution for the increasing number of applications. This is where the Global Discovery Server (GDS) comes into play: a central platform that takes administration and security to a new level.
The OPC Foundation has specified the GDS as a central platform for managing certificates and registering applications. As an independent network application with client and server interfaces, the GDS enables secure and efficient management of all OPC UA applications.
OPC UA servers can be quickly registered and found by clients via the Discovery Service. In smaller networks, registration is often performed by the OPC UA server itself; on hosts with several OPC UA applications, this is usually performed by a Local Discovery Server (LDS).
The larger the network, the sooner a GDS becomes necessary. It bundles the information from all LDSs, checks it and creates a central list of available servers. In this way, administrators ensure that only authorized servers communicate with clients.
For clients, the use of the GDS means less effort and more security: they only need the address of the GDS to retrieve the appropriate server addresses. This reduces configuration errors, and changes such as DHCP-related address changes are taken into account automatically. In addition, only servers that are currently online remain registered, as servers that are shut down are automatically deregistered.
The greatest simplification offered by the GDS is the integrated certificate management. This allows all used, trusted and revoked certificates to be centrally managed, updated and automatically distributed to servers and clients.
For this mechanism, it is necessary to set up a certificate chain, which consists of four levels in the following diagram:
In this example, the GDS is used at the production line level and manages all OPC UA applications that are used in the line. With the help of the factory certificate, the GDS signs the certificates of the individual OPC UA applications so that all of them share the same root of trust and therefore the same certificate chain.
This structure means that applications only need to trust the certificates in the chain in order to communicate securely with other applications. Certificates are automatically renewed and distributed, which minimizes the administration effort.
The GDS also manages trust lists (trusted certificates) and certificate revocation lists (CRL, revoked certificates). These lists are regularly updated and distributed to all managed applications so that the current security level is always guaranteed.
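An added example, not code from the article or from any GDS implementation, that makes the chain, trust list and CRL handling above concrete with the Python `cryptography` package: a Factory CA under a Root CA signs application certificates, a CRL is issued for the factory level, and a certificate is checked the way a GDS-managed application should check its peers (issuer in the chain, valid signature, inside the validity window, not revoked, and a CRL honoured only if its issuer signed it). The CA names and application URNs are assumptions, and `verify_chain` generalizes the two-CA case to a chain of any length.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime(2024, 1, 1)  # constructed fixed clock; cryptography reports validity as naive UTC

def issue(cn, signer=None, ca=False):  # signer = (key, cert) of the signing CA; None = self-signed root
    key = ec.generate_private_key(ec.SECP256R1())
    signer_key, signer_cert = signer if signer else (key, None)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(signer_cert.subject if signer_cert else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))
    return key, cert

def make_crl(ca_key, ca_cert, revoked_serial):  # the CRL a GDS would distribute for one CA of the chain
    entry = x509.RevokedCertificateBuilder().serial_number(revoked_serial).revocation_date(NOW).build()
    return (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject).last_update(NOW)
            .next_update(NOW + timedelta(days=7)).add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))

def verify_chain(cert, chain, crls):  # chain = [issuer, ..., trusted root]; crls: issuer RFC 4514 name -> CRL
    for issuer in chain:  # per link: issuer match, signature, validity window, revocation
        if cert.issuer != issuer.subject:
            return False, "issuer not in trusted chain"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, "bad signature"
        if not cert.not_valid_before <= NOW <= cert.not_valid_after:
            return False, "outside validity window"
        crl = crls.get(issuer.subject.rfc4514_string())  # honour only a CRL the issuer itself signed
        if crl is not None and (not crl.is_signature_valid(issuer.public_key())
                                or crl.get_revoked_certificate_by_serial_number(cert.serial_number)):
            return False, "revoked or CRL not signed by issuer"
        cert = issuer  # move one level up the chain
    return True, "ok"

def demo():  # constructed chain Root CA -> Factory CA -> applications; all names are assumptions
    root = issue("Root CA", ca=True)
    factory = issue("Factory CA", root, ca=True)
    certs = {"app": issue("urn:line1:plc-42", factory)[1], "stale": issue("urn:line1:old-hmi", factory)[1],
             "rogue": issue("urn:line1:plc-42", issue("Rogue CA", ca=True))[1]}  # rogue: right name, wrong chain
    crls = {factory[1].subject.rfc4514_string(): make_crl(*factory, certs["stale"].serial_number)}
    return {n: verify_chain(c, [factory[1], root[1]], crls) for n, c in certs.items()}
```

The "rogue" case shows why a matching application name is not enough: only a certificate that chains to the trust list passes.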
To ensure that certificate management works for both OPC UA clients and OPC UA servers, the GDS must provide a push and a pull mechanism for certificate management. With the push mechanism, the GDS acts as a client and writes the certificates, trust lists and CRLs directly to the target systems. With the pull mechanism, the application acts as a client and retrieves the required data from the GDS.
The GDS is configured via a standard OPC UA client connection and the methods provided by the GDS in its information model. The GDS checks access rights based on the supplied credentials; administrators add or remove applications, and the GDS takes over their administration automatically.
The Global Discovery Server is more than just a tool - it is a game changer for the management of OPC UA applications. Less effort, maximum security and full control in complex networks. Anyone who uses OPC UA cannot do without the GDS. Contact us for more information on GDS and its implementation.