protocol.rst 7.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
  1. .. _protocol:
  2. Protocol
  3. ========
  4. In this section, we give an overview on the OPC UA binary protocol. We focus on
  5. binary since that is what has been implemented in open62541. The TCP-based
  6. binary protocol is by far the most common transport layer for OPC UA. The
  7. general concepts also translate to HTTP and SOAP-based communication defined in
  8. the standard. Communication in OPC UA is best understood by starting with the
  9. following key principles:
  10. Request / Response
  11. All communication is based on the Request/Response pattern. Only clients can
  12. send a request to a server. And servers can only send responses to a request.
  13. Usually, the server is hosted on the (physical) device, such as a sensor or a
  14. machine tool.
  15. Asynchronous Responses
  16. A server does not have to immediately respond to requests and responses may be
  17. sent in a different order. This keeps the server responsive when it takes time
  18. until a specific request has been processed (e.g. a method call or when
  19. reading from a sensor with delay). Furthermore, Subscriptions (aka
  20. push-notifications) are implemented via special requests where the response is
  21. delayed until a notification is generated.
  22. Establishing a Connection
  23. -------------------------
  24. A client-server connection in OPC UA consists of three nested levels: The raw
  25. connection, a SecureChannel and the Session. For full details, see Part 6 of the
  26. OPC UA standard.
  27. Raw Connection
  28. The raw connection is created by opening a TCP connection to the corresponding
  29. hostname and port and an initial HEL/ACK handshake. The handshake establishes
  30. the basic settings of the connection, such as the maximum message length.
  31. SecureChannel
  32. SecureChannels are created on top of the raw TCP connection. A SecureChannel
  33. is established with an *OpenSecureChannel* request and response message pair.
  34. **Attention!** Even though a SecureChannel is mandatory, encryption might
  35. still be disabled. The *SecurityMode* of a SecureChannel can be either
  36. ``None``, ``Sign``, or ``SignAndEncrypt``. As of version 0.2 of open62541,
  37. message signing and encryption is still under ongoing development.
  38. With message signing or encryption enabled, the *OpenSecureChannel* messages
  39. are encrypted using an asymmetric encryption algorithm (public-key
  40. cryptography) [#key-mgmnt]_. As part of the *OpenSecureChannel* messages,
  41. client and server establish a common secret over an initially unsecure
  42. channel. For subsequent messages, the common secret is used for symmetric
  43. encryption, which has the advantage of being much faster.
  44. Different *SecurityPolicies* -- defined in part 7 of the OPC UA standard --
  45. specify the algorithms for asymmetric and symmetric encryption, encryption key
  46. lengths, hash functions for message signing, and so on. Example
  47. SecurityPolicies are ``None`` for transmission of cleartext and
  48. ``Basic256Sha256`` which mandates a variant of RSA with SHA256 certificate
  49. hashing for asymmetric encryption and AES256 for symmetric encryption.
  50. The possible SecurityPolicies of a server are described with a list of
  51. *Endpoints*. An endpoint jointly defines the SecurityMode, SecurityPolicy and
  52. means for authenticating a session (discussed in the next section) in order to
  53. connect to a certain server. The *GetEndpoints* service returns a list of
  54. available endpoints. This service can usually be invoked without a session and
  55. from an unencrypted SecureChannel. This allows clients to first discover
  56. available endpoints and then use an appropriate SecurityPolicy that might be
  57. required to open a session.
  58. Session
  59. Sessions are created on top of a SecureChannel. This ensures that users may
  60. authenticate without sending their credentials, such as username and password,
  61. in cleartext. Currently defined authentication mechanisms are anonymous login,
  62. username/password, Kerberos and x509 certificates. The latter requires that
  63. the request message is accompanied by a signature to prove that the sender is
  64. in possession of the private key with which the certificate was created.
  65. There are two message exchanges required to establish a session:
  66. *CreateSession* and *ActicateSession*. The ActivateSession service can be used
  67. to switch an existing session to a different SecureChannel. This is important,
  68. for example when the connection broke down and the existing session is
  69. reused with a new SecureChannel.
  70. .. [#key-mgmnt] This entails that the client and server exchange so-called
  71. public keys. The public keys might come with a certificate from a key-signing
  72. authority or be verified against an external key repository. But we will not
  73. discuss certificate management in detail in this section.
  74. Structure of a protocol message
  75. -------------------------------
  76. For the following introduction to the structure of OPC UA protocol messages,
  77. consider the example OPC UA binary conversation, recorded and displayed with the
  78. `Wireshark <https://www.wireshark.org/>`_ tool, shown in :numref:`ua-wireshark`.
  79. .. _ua-wireshark:
  80. .. figure:: ua-wireshark.png
  81. :figwidth: 100 %
  82. :alt: OPC UA conversation in Wireshark
  83. OPC UA conversation displayed in Wireshark
  84. The top part of the Wireshark window shows the messages from the conversation in
  85. order. The green line contains the applied filter. Here, we want to see the OPC
  86. UA protocol messages only. The first messages (from TCP packets 49 to 56) show
  87. the client opening an unencrypted SecureChannel and retrieving the server's
  88. endpoints. Then, starting with packet 63, a new connection and SecureChannel are
  89. created in conformance with one of the endpoints. On top of this SecureChannel,
  90. the client can then create and activate a session. The following *ReadRequest*
  91. message is selected and covered in more detail in the bottom windows.
  92. The bottom left window shows the structure of the selected *ReadRequest*
  93. message. The purpose of the message is invoking the *Read* :ref:`service
  94. <services>`. The message is structured into a header and a message body. Note
  95. that we do not consider encryption or signing of messages here.
  96. Message Header
  97. As stated before, OPC UA defines an asynchronous protocol. So responses may be
  98. out of order. The message header contains some basic information, such as the
  99. length of the message, as well as necessary information to relate messages to
  100. a SecureChannel and each request to the corresponding response. "Chunking"
  101. refers to the splitting and reassembling of messages that are longer than the
  102. maximum network packet size.
  103. Message Body
  104. Every OPC UA :ref:`service <services>` has a signature in the form of a
  105. request and response data structure. These are defined according to the OPC UA
  106. protocol :ref:`type system <types>`. See especially the :ref:`auto-generated
  107. type definitions<generated-types>` for the data types corresponding to service
  108. requests and responses. The message body begins with the identifier of the
  109. following data type. Then, the main payload of the message follows.
  110. The bottom right window shows the binary payload of the selected *ReadRequest*
  111. message. The message header is highlighted in light-grey. The message body in
  112. blue highlighting shows the encoded *ReadRequest* data structure.