05/30/2017
OPC UA has “application authentication” and “user authentication”.
“application authentication” means a client cannot create a session unless the server has been configured to trust the client, which is identified by its application instance certificate.
“user authentication” identifies the user that is using an application. In some cases, valid user credentials can be rejected because they are not valid for the client application.
So there is no security issue with anonymous access if application authentication is enabled.
If application authentication is disabled then anonymous credentials represent a security risk.
11/15/2019
Thank you Randy for quick reply.
There are many ways to connect an OPC client with an OPC server, e.g., using the HTTPS & opc.tcp protocols. When we use HTTPS, I understand what application authentication means. It is like integrating OAuth2 into a client application accessible in a browser for application authentication & using a username/password combination for user authentication.
When we use the opc.tcp protocol, we use either anonymous, username/password or client-server certificates for user authentication. But I didn’t understand how we can authenticate an application running over the opc.tcp protocol using an application instance certificate.
Of course, when we try to create a connection between OPC client & server using certificates for the very first time, the client has to trust the server’s certificate & vice versa. Only then is a secured session or connection established between them.
Could you please elaborate a bit more on the application instance certificate? Is my understanding of application & user authentication correct, or have I misunderstood something?
Thank you
05/30/2017
There is generally no application authentication with HTTPS because HTTPS clients do not usually have certificates.
With opc.tcp, it is automatic. You can’t connect securely without doing it because opc.tcp clients are required to have certificates.
Every application has a certificate issued to it that identifies the application. This is called the application instance certificate.
I recommend you read the specification for more information:
https://reference.opcfoundatio…..rt4/5.5.1/
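As an added illustration of the two layers Randy describes (it is not code from this thread, from the OPC Foundation, or from any OPC UA stack), the Python model below separates application authentication (the server only creates a session for a client whose application instance certificate is in its trust list, keyed by SHA-1 thumbprint as OPC UA trust lists are) from user authentication (the identity token presented when the session is activated). The certificates, users and trust lists are constructed stand-ins: nothing is parsed or signed, and the status strings are merely named after OPC UA status codes. The point it shows is the one made earlier in the thread: with application authentication on, an unknown client never gets a session, so allowing anonymous users is harmless; with it off, an unknown client plus anonymous access walks straight in.

```python
"""Model of OPC UA application vs. user authentication (added example, constructed data)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AppInstanceCert:
    """Stand-in for an application instance certificate (constructed, not real X.509)."""
    application_uri: str
    der: bytes  # in a real stack this is the DER-encoded X.509 certificate

    @property
    def thumbprint(self) -> str:
        # OPC UA trust lists identify certificates by the SHA-1 thumbprint of the DER bytes
        return hashlib.sha1(self.der).hexdigest()


@dataclass(frozen=True)
class AnonymousToken:
    pass


@dataclass(frozen=True)
class UserNameToken:
    user_name: str
    password: str


@dataclass(frozen=True)
class X509Token:
    thumbprint: str  # thumbprint of the *user's* certificate, not the application's


@dataclass
class ServerConfig:
    application_authentication: bool = True  # False: any client application may open a session
    trusted_app_thumbprints: set = field(default_factory=set)
    allow_anonymous: bool = False
    users: dict = field(default_factory=dict)  # user_name -> password (constructed)
    trusted_user_thumbprints: set = field(default_factory=set)


class Server:
    def __init__(self, cfg: ServerConfig) -> None:
        self.cfg = cfg
        self._sessions: dict = {}  # session id -> client application URI
        self._next_id = 1

    def create_session(self, client_cert: AppInstanceCert) -> tuple[str, Optional[int]]:
        """Application authentication. With opc.tcp the client certificate travels in
        OpenSecureChannel and CreateSession; the server checks it against its trust list."""
        if (self.cfg.application_authentication
                and client_cert.thumbprint not in self.cfg.trusted_app_thumbprints):
            return "Bad_CertificateUntrusted", None
        sid = self._next_id
        self._next_id += 1
        self._sessions[sid] = client_cert.application_uri
        return "Good", sid

    def activate_session(self, session_id: int, token) -> str:
        """User authentication: the identity token supplied in ActivateSession."""
        if session_id not in self._sessions:
            return "Bad_SessionIdInvalid"
        if isinstance(token, AnonymousToken):
            return "Good" if self.cfg.allow_anonymous else "Bad_IdentityTokenRejected"
        if isinstance(token, UserNameToken):
            expected = self.cfg.users.get(token.user_name)
            if expected is not None and hmac.compare_digest(expected.encode(), token.password.encode()):
                return "Good"
            return "Bad_UserAccessDenied"
        if isinstance(token, X509Token):
            return "Good" if token.thumbprint in self.cfg.trusted_user_thumbprints else "Bad_IdentityTokenRejected"
        return "Bad_IdentityTokenInvalid"


def connect(cfg: ServerConfig, client_cert: AppInstanceCert, token) -> str:
    """Run both layers in order; return the first failing status or "Good"."""
    server = Server(cfg)
    status, sid = server.create_session(client_cert)
    if status != "Good":
        return status
    return server.activate_session(sid, token)


# Constructed clients: one the operator has trusted, one nobody has seen before.
TRUSTED_CLIENT = AppInstanceCert("urn:example:hmi", b"constructed-der-hmi")
UNKNOWN_CLIENT = AppInstanceCert("urn:example:rogue", b"constructed-der-rogue")


def secure_server_config() -> ServerConfig:
    """Application authentication on, anonymous users allowed (safe: only trusted apps get in)."""
    return ServerConfig(trusted_app_thumbprints={TRUSTED_CLIENT.thumbprint},
                        allow_anonymous=True, users={"operator": "s3cret"})


def open_server_config() -> ServerConfig:
    """Application authentication off plus anonymous users: the risky combination."""
    return ServerConfig(application_authentication=False,
                        allow_anonymous=True, users={"operator": "s3cret"})


if __name__ == "__main__":
    for label, cfg, cert, tok in [
        ("secure, unknown app, anonymous", secure_server_config(), UNKNOWN_CLIENT, AnonymousToken()),
        ("secure, trusted app, anonymous", secure_server_config(), TRUSTED_CLIENT, AnonymousToken()),
        ("open, unknown app, anonymous", open_server_config(), UNKNOWN_CLIENT, AnonymousToken()),
        ("open, unknown app, bad password", open_server_config(), UNKNOWN_CLIENT, UserNameToken("operator", "wrong")),
    ]:
        print(f"{label}: {connect(cfg, cert, tok)}")
```

Running the block prints the four cases: the unknown client is refused at session creation on the secure configuration, is accepted anonymously on the open one, and on the open configuration only the user-layer check (here a wrong password) stands between it and the server.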