SecureChannel Service Set

This topic contains the following sections:

SecureChannel Services
See Also

This Service Set defines Services used to open a communication channel that ensures the confidentiality and integrity of all Messages exchanged with the Server. The base concepts for UA security are defined in section Security Model.

SecureChannel Services

The SecureChannel Services are unlike other Services because they are typically not implemented by the UA application directly. Instead, they are provided by the communication stack that the UA application is built on. For example, a UA Server may be built on a SOAP stack that allows applications to establish a SecureChannel using the WS SecureConversation specification. In these cases, the UA application simply needs to verify that a WS SecureConversation is active whenever it receives a Message. section Mappings describes how the SecureChannel Services are implemented with different types of communication stacks.

A SecureChannel is a long-running logical connection between a single Client and a single Server. This channel maintains a set of keys that are known only to the Client and Server and that are used to authenticate and encrypt Messages sent across the network. The SecureChannel Services allow the Client and Server to securely negotiate the keys to use.

The exact algorithms used to authenticate and encrypt Messages are described in the security policies for a Server. These policies are exposed via the Discovery Service Set. A Client selects the appropriate endpoint that supports the desired security policy by the Server when it creates a SecureChannel.

When a Client and Server are communicating via a SecureChannel they verify that all incoming Messages have been signed and/or encrypted according to the security policy. A UA application is expected to ignore any Message that does not conform to the security policy for the channel.

A SecureChannel is separate from the UA Application Session; however, a single UA Application Session may only be accessed via a single SecureChannel. This implies that the UA application is able to determine what SecureChannel is associated with each Message. A communication stack that provides a SecureChannel mechanism but that does not allow the application to know what SecureChannel was used for a given Message cannot be used to implement the SecureChannel Service Set.

The relationship between the UA Application Session and the SecureChannel is illustrated in Figure 1. The UA applications use the communication stack to exchange Messages. First, the SecureChannel Services are used to establish a SecureChannel between the two communication stacks, allowing them to exchange Messages in a secure way. Second, the UA applications use the Session Service Set to establish a UA application Session.
Figure 1: SecureChannel and Session Services

Other Resources

Discovery Service Set

Session Service Set

NodeManagement Service Set

View Service Set

Query Service Set

Method Service Set

MonitoredItem Service Set

Subscription Service Set