This Global Discovery Server and Client implement the Global Discovery and Certificate Management Server
profile as specified in the OPC Unified Architecture Specification Part 12: Discovery Release 1.03.
The Solution is split into these projects:
- GlobalDiscoveryServer: Global Discovery Server for .Net 4.6 with SQL server as registration and certificate database.
- GlobalDiscoveryServerLibrary: Common Global Discovery Server classes for .Net 4.6 and .Net Standard.
- NetCoreGlobalDiscoveryServer: Global Discovery Server for .Net Standard with Json database implementation to demonstrate the abstracted database registration and certificate authority interface. (The gdsdb.json is not a secure database and should only be used for testing).
- GlobalDiscoveryClient: Global Discovery Client for .Net 4.6. with Windows forms user interface.
- GlobalDiscoveryClientControls: Global Discovery Client reusable controls for .Net 4.6.
- GlobalDiscoveryClientLibrary: Common Global Discovery Client classes for .Net 4.6 and .Net Standard.
- GlobalDiscoveryClientTest: Unit tests for .Net Standard Global Discovery client and server libraries.
- Open the solution UA Global Discovery Server.sln with VisualStudio.
- Choose the project
GlobalDiscoveryServer
in the Solution Explorer and set it with a right click asStartup Project
. - The server has a dependency on the Entity Framework and SQL server. By default the server connects to the data source
Data Source=(localdb)\MSSQLLocalDB
which is the SQL server installed with Visual Studio. The default location for the database files is the user home directory. To change the data source modify the connection string in theapp.config
file. - Hit
Ctrl-F5
to build and execute the sample. - The server loads and initializes all Certificates.
- If the SQL database is opened for the first time, the server initializes it according to the script in
\DB\Tables.sql
. - The server is now running and waiting for the connection of a GDS client.
This section describes how to run the NetCoreGlobalDiscoveryServer.
Please follow instructions in this article to setup the dotnet command line environment for your platform.
- Open a command prompt.
- Now navigate to the folder SampleApplications/Samples/GDS/NetCoreGlobalDiscoveryServer.
- Execute
dotnet restore
. This command calls into NuGet to restore the tree of dependencies. In latest .Net versions this command is optional. - To run the server type
dotnet run
. - The server loads and initializes all Certificates.
- The server is now running and waiting for the connection of a GDS client.
The sample GDS servers only implement the username/password authentication. The following combinations can be used to connect to the servers:
- GDS Administrator:
- Username: appadmin, PW: demo
- This user has the ability to register and unregister applications and to issue new certificates. It should be used by the GDS Client application to connect.
- GDS User:
- Username: appuser, PW: demo
- This user has only a limited ability to search for applications.
- System Administrator:
- Username: sysadmin, PW: demo
- This user is defined for server push management and has the ability to access the server configuration nodes of the GDS server to update the server certificate and the trust lists. Server push configuration management is not a requirement for a GDS server and only supported here to demonstrate the functionality.
The global discovery server creates the CA certificates for all configured certificate groups on the first start.
By default, a global discovery server accepts any incoming secure connection with an authenticated user (GDS Users).
The console server certificates are stored in %LocalApplicationData%/OPC Foundation/GDS/PKI while the Windows .Net 4.6 server stores the certificates in %CommonApplicationData%\OPC Foundation\GDS\PKI. %CommonApplicationData% maps to the path set by the environment variable ProgramData on Windows.
On Linux and macOS %LocalApplicationData% maps to ~/root/.local/share.
On Windows %LocalApplicationData% maps to %USERPROFILE%\AppData\Local.
Under PKI, the following stores contain certificates under certs, CRLs under crl or private keys under private.
- own contains the GDS public certificate and private key.
- rejected contains the rejected client certificates. To trust a client certificate, copy the rejected certificate to the trusted/certs folder.
- trusted contains trusted client and CAs certificates and CRLs.
- issuers contains CAs certificates and CRLs needed for validation of certificate chains.
Under PKI, the following stores contain certificates under certs, CRLs under crl or private keys under private.
- authorities contains the public certificates, CRLs and private keys of the CA authorities.
- applications contains the public certificates of all applications registered with the GDS.
- PKI/CA contains folders for all supported certificate groups. At this point only the
DefaultApplicationGroup
default is supported.- PKI/CA/default contains the issuer and trusted list for the default application group. Each store contains the CA certificates and CRLs.
To customize the CA certificate search for <SubjectName>CN=IOP-2017 CA, O=OPC Foundation</SubjectName>
and enter your new subject. Then search the code and the configuration files for SomeCompany
and enter your company name as appropriate.
- Open the solution UA Global Discovery Server.sln with VisualStudio.
- Choose the project
GlobalDiscoveryClient
in the Solution Explorer and set it with a right click asStartup Project
. - Hit
Ctrl-F5
to build and execute the sample. - Press the
Registration
button to connect to a running GDS. Use theGDS Administrator
credentials in GDS Users to connect and to be able to register applications and to issue certificates. - Select the appropriate
Registration Type
: Client or Server Pull Management or Server Push Management and proceed with the registration.
- Always
Clear
registration form to start a new or to update an existing registration. - Register the application in one of the described ways under Pull Registration.
- Press the
Certificate
button. Inspect an existing certificate in the form. To issue a CA signed certificate pressRequest New
certificate which triggers either a certificate signing request or a new keypair request, whichever is more appropriate. After a short while the new CA signed certificates are issued and the GDS client may ask to override existing certificates. - Press the
Trust List
button. Inspect the existing trusted and issuer list of the application. To add the CA certificate and the CRL to the trusted list press theMerge with GDS
button.
- In this case the entries in the
Client -
orServer - Pull management
form must be filled in. Some fields are ignored if the application type is Client, some fields are optional.
- Application ID: The unique identifier assigned by the GDS to the application.
- Application Name: The default name of the Application.
- Application URI: The URI for the Application. This URI is also stored in the application certificate extensions.
- Product URI: A globally unique URI for the product associated with the Application. This URI is assigned by the vendor of the Application.
- Discovery URLs: The list of discovery URLs for a Server Application.
- Server Capabilities: The list of Server capability identifiers for the Application.
- To use an existing store with or without existing public/private key:
- Certificate Store Path: local X509 store (CurrentUser\UA_MachineDefault) or directory store.
- Certificate Subject Name: The certificate distinguished name.
- or the path to new or existing public/private key pair:
- Certificate Public Key Path: A DER encoded certificate with a public key.
- Certificate Private Key Path: A PFX or PEM encoded private key.
- Trust List Store Path: optional to copy the GDS CA public certificate to the trusted store.
- Issuer List Store Path: optional to copy the GDS CA public certificate to the issuer store.
- Domains: Enter the domain names to be added to the certificate extension as hostnames or IP addresses.
Register
the application orApply Changes
.- The
Application ID
should display a proper NodeId after registration. Save
the configuration for future use.- Continue with
Certificate
andTrust List
management.
The manual registration is simplified if there is already an existing certificate available, with or without private key.
- Select
Client
orServer - Pull Management
. - Load existing certificate in the
Certificate Public Key Path
field. - Fill in remaining fields.
- Continue with step 2 in the previous section.
The GDS client can fill in the full information from a UA .Net Standard application configuration. However, for legacy .Net applications Windows certificate stores are not permitted.
Load
configuration, for example chose UA-.NETStandard\SampleApplications\Samples\Client.Net4\Opc.Ua.SampleClient.Config.xml- The registration type is
Server - Pull management
, because the UA Sample Client is also a server. Register
the UA Sample Client. TheApplication ID
should now contain a valid NodeId.- Press the
Certificate
button andRequest New
certificate. After a short while the UA Sample Server/Client certificate is updated with a CA signed application certificate. - Press the
Trust List
button to add the CA certificate and CRL withMerge with GDS
to the application trusted store. - UA Sample Client is now ready to use and trust the GDS issued and CA signed certificates.
Push configuration requires server configuration node support and a session with the managed server.
- Select
Server - Push Management
- Press
Pick Server
to connect to the managed server. Special system administrator credentials might be necessary to access the server configuration nodes - see GDS Users. - Fill the remaining registration fields which can not be extracted from the server endpoint information.
Register
the application orApply Changes
.- The
Application ID
should display a proper NodeId after registration. - Press the
Server Status
and then thegreen arrow
connect button to inspect the status. Being connected is mandatory to remote manage the server in the next steps. - Press the
Certificate
button. Inspect an existing certificate in the form. To issue a CA signed certificate pressRequest New
certificate, which triggers a certificate signing request. After a short while the new CA signed certificates is updated on the server directly. After the update, the GDS client user might be asked toApply Changes
in theServer Status
form. - Press the
Trust List
button.Reload
the trust list from the managed server. Manage the certificates andMerge with GDS
to add the GDS CA certificate to the trust list.Push To Server
to save the updated trust list on the server. - Press the
Server Status
button and then pressApply Changes
to update the security settings on the server. After a regular certificate update the managed server may require a reboot or at least closes all sessions and requires a reconnect. Press thegreen arrow
connect button to reconnect to the server using the new certificate. - Press the
Certificate
button and inspect the new CA signed certificate to verify the new certificate is being used for the new session.