OPC Unified Architecture Specification - Part 12: Discovery (IEC 62541-12:2020)

This part of IEC 62541 specifies how OPC Unified Architecture (OPC UA) Clients and Servers
interact with DiscoveryServers when used in different scenarios. It specifies the requirements
for the LocalDiscoveryServer, LocalDiscoveryServer-ME and GlobalDiscoveryServer. It also
defines information models for Certificate management, KeyCredential management and
Authorization Services.

OPC Unified Architecture - Teil 12: Erkundung und globale Dienste (IEC 62541-12:2020)

Architecture unifiée OPC - Partie 12: Services globaux et de découverte (IEC 62541-12:2020)

IEC 62541-12:2020 specifies how Clients and Servers of the OPC Unified Architecture (OPC UA) interact with DiscoveryServers when used in different scenarios. It defines the requirements for the LocalDiscoveryServer, the LocalDiscoveryServer-ME and the GlobalDiscoveryServer. It also defines the information models for Certificate management, KeyCredential management and Authorization Services.

Enotna arhitektura OPC - 12. del: Razkritje in globalne storitve (IEC 62541-12:2020)

General Information

Status: Published
Public Enquiry End Date: 08-Nov-2018
Publication Date: 05-Nov-2020
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 24-Aug-2020
Due Date: 29-Oct-2020
Completion Date: 06-Nov-2020

Buy Standard

Standard
EN IEC 62541-12:2020
English language
107 pages
Draft
prEN IEC 62541-12:2018
English language
95 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST EN IEC 62541-12:2020
01-December-2020
Enotna arhitektura OPC - 12. del: Razkritje in globalne storitve (IEC 62541-12:2020)
OPC Unified Architecture Specification - Part 12: Discovery (IEC 62541-12:2020)
OPC Unified Architecture - Teil 12: Erkundung und globale Dienste (IEC 62541-12:2020)
Architecture unifiée OPC - Partie 12: Services globaux et de découverte (IEC 62541-12:2020)
This Slovenian standard is identical to: EN IEC 62541-12:2020
ICS:
25.040.40 Industrial process measurement and control
35.240.50 IT applications in industry
SIST EN IEC 62541-12:2020 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.



EUROPEAN STANDARD EN IEC 62541-12

NORME EUROPÉENNE

EUROPÄISCHE NORM
August 2020
ICS 25.040.40

English Version
OPC unified architecture - Part 12: Discovery and global services (IEC 62541-12:2020)
Architecture unifiée OPC - Partie 12: Services globaux et de découverte (IEC 62541-12:2020)
OPC Unified Architecture - Teil 12: Erkundung und globale Dienste (IEC 62541-12:2020)
This European Standard was approved by CENELEC on 2020-07-21. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.


European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2020 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
 Ref. No. EN IEC 62541-12:2020 E

EN IEC 62541-12:2020 (E)
European foreword
The text of document 65E/711/FDIS, future edition 1 of IEC 62541-12, prepared by SC 65E "Devices
and integration in enterprise systems" of IEC/TC 65 "Industrial-process measurement, control and
automation" was submitted to the IEC-CENELEC parallel vote and approved by CENELEC as
EN IEC 62541-12:2020.
The following dates are fixed:
• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2021-04-21
• latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2023-07-21

Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

Endorsement notice
The text of the International Standard IEC 62541-12:2020 was approved by CENELEC as a European
Standard without any modification.


Annex ZA
(normative)

Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
| Publication | Year | Title | EN/HD | Year |
|---|---|---|---|---|
| IEC/TR 62541-1 | - | OPC unified architecture - Part 1: Overview and concepts | CLC/TR 62541-1 | - |
| IEC/TR 62541-2 | - | OPC unified architecture - Part 2: Security model | CLC/TR 62541-2 | - |
| IEC 62541-3 | - | OPC Unified Architecture - Part 3: Address Space Model | - | - |
| IEC 62541-4 | - | OPC Unified Architecture - Part 4: Services | - | - |
| IEC 62541-5 | - | OPC Unified Architecture - Part 5: Information Model | - | - |
| IEC 62541-6 | - | OPC Unified Architecture - Part 6: Mappings | - | - |
| IEC 62541-7 | - | OPC unified architecture - Part 7: Profiles | - | - |
| IEC 62541-9 | - | OPC Unified Architecture - Part 9: Alarms and Conditions | - | - |
| IEC 62541-14 | - | OPC Unified Architecture - Part 14: PubSub | - | - |
| X.500: ISO/IEC 9594-1 | 2017 | Information technology - Open Systems Interconnection - The Directory - Part 1: Overview of concepts, models and services | | |
| IETF RFC 1035 | - | Domain Names - Implementation and Specification | - | - |
| IETF RFC 2986 | - | PKCS #10: Certification Request Syntax Specification Version 1.7 | - | - |
| IETF RFC 3927 | - | Dynamic Configuration of IPv4 Link-Local Addresses | - | - |
| IETF RFC 5958 | - | Asymmetric Key Packages | - | - |
| IETF RFC 6762 | - | mDNS: Multicast DNS | - | - |
| IETF RFC 6763 | - | DNS-SD: DNS Based Service Discovery | - | - |
| IETF RFC 7030 | - | Enrollment over Secure Transport | - | - |
| PKCS #12 | - | Personal Information Exchange Syntax | - | - |
| DI | - | OPC Unified Architecture for Devices (DI) | - | - |
| ADI | - | OPC Unified Architecture for Analyzer Devices (ADI) | - | - |
| PLCopen | - | OPC Unified Architecture / PLCopen Information Model | - | - |
| FDI | - | OPC Unified Architecture for FDI | - | - |
| ISA-95 | - | ISA-95 Common Object Model | - | - |



IEC 62541-12
Edition 1.0 2020-06

INTERNATIONAL STANDARD
NORME INTERNATIONALE

OPC unified architecture – Part 12: Discovery and global services
Architecture unifiée OPC – Partie 12: Services globaux et de découverte

INTERNATIONAL ELECTROTECHNICAL COMMISSION
COMMISSION ELECTROTECHNIQUE INTERNATIONALE

ICS 25.040.40
ISBN 978-2-8322-8455-1

Warning! Make sure that you obtained this publication from an authorized distributor.

® Registered trademark of the International Electrotechnical Commission

CONTENTS
FOREWORD
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms and conventions
3.1 Terms and definitions
3.2 Abbreviated terms and symbols
3.3 Conventions for namespaces
4 The discovery process
4.1 Overview
4.2 Registration and announcement of Applications
4.2.1 Overview
4.2.2 Hosts with a LocalDiscoveryServer
4.2.3 Hosts without a LocalDiscoveryServer
4.3 The discovery process for Clients to find Servers
4.3.1 Overview
4.3.2 Security
4.3.3 Simple Discovery with a DiscoveryUrl
4.3.4 Local Discovery
4.3.5 MulticastSubnet Discovery
4.3.6 Global Discovery
4.3.7 Combined Discovery Process for Clients
5 Local Discovery Server
5.1 Overview
5.2 Security considerations for Multicast DNS
6 Global Discovery Server
6.1 Overview
6.2 Network architectures
6.2.1 Overview
6.2.2 Single MulticastSubnet
6.2.3 Multiple MulticastSubnet
6.2.4 No MulticastSubnet
6.2.5 Domain Names and MulticastSubnets
6.3 Information Model
6.3.1 Overview
6.3.2 Directory
6.3.3 DirectoryType
6.3.4 FindApplications
6.3.5 ApplicationRecordDataType
6.3.6 RegisterApplication
6.3.7 UpdateApplication
6.3.8 UnregisterApplication
6.3.9 GetApplication
6.3.10 QueryApplications
6.3.11 QueryServers (deprecated)
6.3.12 ApplicationRegistrationChangedAuditEventType
7 Certificate management overview
7.1 Overview
7.2 Pull Management
7.3 Push management
7.4 Provisioning
7.5 Common Information Model
7.5.1 Overview
7.5.2 TrustListType
7.5.3 OpenWithMasks
7.5.4 CloseAndUpdate
7.5.5 AddCertificate
7.5.6 RemoveCertificate
7.5.7 TrustListDataType
7.5.8 TrustListMasks
7.5.9 TrustListOutOfDateAlarmType
7.5.10 CertificateGroupType
7.5.11 CertificateType
7.5.12 ApplicationCertificateType
7.5.13 HttpsCertificateType
7.5.14 UserCredentialCertificateType
7.5.15 RsaMinApplicationCertificateType
7.5.16 RsaSha256ApplicationCertificateType
7.5.17 CertificateGroupFolderType
7.5.18 TrustListUpdatedAuditEventType
7.6 Information Model for Pull Certificate Management
7.6.1 Overview
7.6.2 CertificateDirectoryType
7.6.3 StartSigningRequest
7.6.4 StartNewKeyPairRequest
7.6.5 FinishRequest
7.6.6 GetCertificateGroups
7.6.7 GetTrustList
7.6.8 GetCertificateStatus
7.6.9 CertificateRequestedAuditEventType
7.6.10 CertificateDeliveredAuditEventType
7.7 Information Model for Push Certificate Management
7.7.1 Overview
7.7.2 ServerConfiguration
7.7.3 ServerConfigurationType
7.7.4 UpdateCertificate
7.7.5 ApplyChanges
7.7.6 CreateSigningRequest
7.7.7 GetRejectedList
7.7.8 CertificateUpdatedAuditEventType
8 KeyCredential management
8.1 Overview
8.2 Pull management
8.3 Push management
8.4 Information Model for pull management
8.4.1 Overview
8.4.2 KeyCredentialManagement
8.4.3 KeyCredentialServiceType
8.4.4 StartRequest
8.4.5 FinishRequest
8.4.6 Revoke
8.4.7 KeyCredentialAuditEventType
8.4.8 KeyCredentialRequestedAuditEventType
8.4.9 KeyCredentialDeliveredAuditEventType
8.4.10 KeyCredentialRevokedAuditEventType
8.5 Information Model for push management
8.5.1 General
8.5.2 KeyCredentialConfiguration
8.5.3 KeyCredentialConfigurationType
8.5.4 UpdateCredential
8.5.5 DeleteCredential
8.5.6 KeyCredentialUpdatedAuditEventType
8.5.7 KeyCredentialDeletedAuditEventType
9 Authorization Services
9.1 Overview
9.2 Implicit
9.3 Explicit
9.4 Chained
9.5 Information Model for Requesting Access Tokens
9.5.1 Overview
9.5.2 AuthorizationServices
9.5.3 AuthorizationServiceType
9.5.4 RequestAccessToken
9.5.5 GetServiceDescription
9.5.6 AccessTokenIssuedAuditEventType
9.6 Information Model for configuring Servers
9.6.1 Overview
9.6.2 AuthorizationServices
9.6.3 AuthorizationServiceConfigurationType
Annex A (informative) Deployment and configuration
A.1 Firewalls and discovery
A.2 Resolving references to remote Servers
Annex B (normative) Constants
Annex C (normative) OPC UA Mapping to mDNS
C.1 DNS Server (SRV) record syntax
C.2 DNS Text (TXT) record syntax
C.3 DiscoveryUrl mapping
Annex D (normative) Server Capability Identifiers
Annex E (normative) DirectoryServices
E.1 Global Discovery via other directory services
E.2 UDDI
E.3 LDAP
Annex F (normative) Local Discovery Server
F.1 Certificate store directory layout
F.2 Installation directories on Windows
Annex G (normative) Application installation process
G.1 Provisioning with Pull Management
G.2 Provisioning with Push Management
G.3 Setting permissions
Annex H (informative) Comparison with RFC 7030
H.1 Overview
H.2 Obtaining CA Certificates
H.3 Initial enrolment
H.4 Client Certificate reissuance
H.5 Server key generation
H.6 Certificate Signing Request (CSR) attributes request

Figure 1 – The Registration process with an LDS
Figure 2 – The simple Discovery process
Figure 3 – The Local Discovery process
Figure 4 – The MulticastSubnet Discovery process
Figure 5 – The Global Discovery process
Figure 6 – The Discovery Process for Clients
Figure 7 – The relationship between GDS and other components
Figure 8 – The Single MulticastSubnet architecture
Figure 9 – The Multiple MulticastSubnet architecture
Figure 10 – The No MulticastSubnet architecture
Figure 11 – The Address Space for the GDS
Figure 12 – The Pull Certificate management model
Figure 13 – The Push Certificate management model
Figure 14 – The Certificate Management AddressSpace for the GlobalDiscoveryServer
Figure 15 – The AddressSpace for the Server that supports Push Management
Figure 16 – The Pull Model for KeyCredential management
Figure 17 – The Push Model for KeyCredential management
Figure 18 – The Address Space used for Pull KeyCredential management
Figure 19 – The AddressSpace used for Push KeyCredential management
Figure 20 – Roles and Authorization Services
Figure 21 – Implicit authorization
Figure 22 – Explicit authorization
Figure 23 – Chained authorization
Figure 24 – The Model for Requesting Access Tokens from Authorization Services
Figure 25 – The Model for configuring Servers to use Authorization Services
Figure A.1 – Discovering Servers outside a firewall
Figure A.2 – Discovering Servers behind a firewall
Figure A.3 – Using a Discovery Server with a firewall
Figure A.4 – Following References to Remote Servers
Figure E.1 – The UDDI or LDAP Discovery process
Figure E.2 – UDDI registry structure
Figure E.3 – Sample LDAP hierarchy
...

SLOVENIAN STANDARD
oSIST prEN IEC 62541-12:2018
01-November-2018
Enotna arhitektura OPC - 12. del: Odkritje
OPC Unified Architecture Specification - Part 12: Discovery
This Slovenian standard is identical to: prEN IEC 62541-12:2018
ICS:
25.040.40 Industrial process measurement and control
35.240.50 IT applications in industry
oSIST prEN IEC 62541-12:2018 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

65E/615/CDV

COMMITTEE DRAFT FOR VOTE (CDV)
PROJECT NUMBER: IEC 62541-12 ED1
DATE OF CIRCULATION: 2018-08-24
CLOSING DATE FOR VOTING: 2018-11-16
SUPERSEDES DOCUMENTS: 65E/562/CD, 65E/604/CC

IEC SC 65E: DEVICES AND INTEGRATION IN ENTERPRISE SYSTEMS
SECRETARIAT: United States of America
SECRETARY: Mr Donald (Bob) Lattimer
OF INTEREST TO THE FOLLOWING COMMITTEES:
PROPOSED HORIZONTAL STANDARD:


Other TC/SCs are requested to indicate their interest, if
any, in this CDV to the secretary.
FUNCTIONS CONCERNED:
EMC ENVIRONMENT QUALITY ASSURANCE SAFETY

SUBMITTED FOR CENELEC PARALLEL VOTING NOT SUBMITTED FOR CENELEC PARALLEL VOTING
Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of
CENELEC, is drawn to the fact that this Committee Draft
for Vote (CDV) is submitted for parallel voting.
The CENELEC members are invited to vote through the
CENELEC online voting system.

This document is still under study and subject to change. It should not be used for reference purposes.
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which
they are aware and to provide supporting documentation.

TITLE:
OPC Unified Architecture Specification: Part 12 - Discovery

PROPOSED STABILITY DATE: 2021

NOTE FROM TC/SC OFFICERS:


Copyright © 2018 International Electrotechnical Commission, IEC. All rights reserved. It is permitted to download this
electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions.
You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without
permission in writing from IEC.

CONTENTS
FIGURES
TABLES
FOREWORD
1 Scope
2 Normative references
3 Terms, definitions, and conventions
3.1 Terms and definitions
3.2 Abbreviations and symbols
3.3 Conventions for Namespaces
4 The Discovery Process
4.1 Overview
4.2 Registration and announcement of Applications
4.2.1 Overview
4.2.2 Hosts with a LocalDiscoveryServer
4.2.3 Hosts without a LocalDiscoveryServer
4.3 The Discovery Process for Clients to find Servers
4.3.1 Overview
4.3.2 Security
4.3.3 Simple Discovery with a DiscoveryUrl
4.3.4 Local Discovery
4.3.5 MulticastSubnet Discovery
4.3.6 Global Discovery
4.3.7 Combined Discovery Process for Clients
5 Local Discovery Server
5.1 Overview
5.2 Security considerations for Multicast DNS
6 Global Discovery Server
6.1 Overview
6.2 Network Architectures
6.2.1 Overview
6.2.2 Single MulticastSubnet
6.2.3 Multiple MulticastSubnet
6.2.4 No MulticastSubnet
6.2.5 Domain Names and MulticastSubnets
6.3 Information Model
6.3.1 Overview
6.3.2 Directory
6.3.3 DirectoryType
6.3.4 FindApplications
6.3.5 ApplicationRecordDataType
6.3.6 RegisterApplication
6.3.7 UpdateApplication
6.3.8 UnregisterApplication
6.3.9 GetApplication
6.3.10 QueryApplications
6.3.11 QueryServers (deprecated)
6.3.12 ApplicationRegistrationChangedAuditEventType
7 Certificate Management Overview
7.1 Overview
7.2 Pull Management
7.3 Push Management
7.4 Provisioning
7.5 Common Information Model
7.5.1 Overview
7.5.2 TrustListType
7.5.3 OpenWithMasks
7.5.4 CloseAndUpdate
7.5.5 AddCertificate
7.5.6 RemoveCertificate
7.5.7 TrustListDataType
7.5.8 TrustListMasks
7.5.9 TrustListOutOfDateAlarmType
7.5.10 CertificateGroupType
7.5.11 CertificateType
7.5.12 ApplicationCertificateType
7.5.13 HttpsCertificateType
7.5.14 UserCredentialCertificateType
7.5.15 RsaMinApplicationCertificateType
7.5.16 RsaSha256ApplicationCertificateType
7.5.17 CertificateGroupFolderType
7.5.18 TrustListUpdatedAuditEventType
7.6 Information Model for Pull Certificate Management
7.6.1 Overview
7.6.2 CertificateDirectoryType
7.6.3 StartSigningRequest
7.6.4 StartNewKeyPairRequest
7.6.5 FinishRequest
7.6.6 GetCertificateGroups
7.6.7 GetTrustList
7.6.8 GetCertificateStatus
7.6.9 CertificateRequestedAuditEventType
7.6.10 CertificateDeliveredAuditEventType
7.7 Information Model for Push Certificate Management
7.7.1 Overview
7.7.2 ServerConfiguration
7.7.3 ServerConfigurationType
7.7.4 UpdateCertificate
7.7.5 ApplyChanges
7.7.6 CreateSigningRequest
7.7.7 GetRejectedList
7.7.8 CertificateUpdatedAuditEventType
8 KeyCredential Management
8.1 Overview
8.2 Pull Management
8.3 Push Management
8.4 Information Model for Pull Management
8.4.1 Overview
8.4.2 KeyCredentialManagement
8.4.3 KeyCredentialServiceType
8.4.4 StartRequest
8.4.5 FinishRequest
8.4.6 Revoke
8.4.7 KeyCredentialAuditEventType
8.4.8 KeyCredentialRequestedAuditEventType
8.4.9 KeyCredentialDeliveredAuditEventType
8.4.10 KeyCredentialRevokedAuditEventType
8.5 Information Model for Push Management
8.5.1 KeyCredentialConfiguration
8.5.2 KeyCredentialConfigurationType
8.5.3 UpdateCredential
8.5.4 DeleteCredential
8.5.5 KeyCredentialUpdatedAuditEventType
8.5.6 KeyCredentialDeletedAuditEventType
9 Authorization Services
9.1 Overview
9.2 Implicit
9.3 Explicit
9.4 Chained
9.5 Information Model for Requesting Access Tokens
9.5.1 Overview
9.5.2 AuthorizationServices
9.5.3 AuthorizationServiceType
9.5.4 RequestAccessToken
9.5.5 GetServiceDescription
9.5.6 AccessTokenIssuedAuditEventType
9.6 Information Model for Configuring Servers
9.6.1 Overview
9.6.2 AuthorizationServices
9.6.3 AuthorizationServiceConfigurationType
Annex A (informative) Deployment and Configuration
A.1 Firewalls and Discovery
A.2 Resolving references to remote Servers
Annex B (normative) Constants
B.1 Numeric Node Ids
Annex C (normative) OPC UA Mapping to mDNS
C.1 DNS Server (SRV) Record syntax
C.2 DNS Text (TXT) Record syntax
C.3 DiscoveryUrl mapping
Annex D (normative) Server Capability Identifiers
Annex E (normative) DirectoryServices
E.1 Global Discovery via other directory services
E.2 UDDI
E.3 LDAP
Annex F (normative) Local Discovery Server
F.1 Certificate store directory layout
F.2 Installation directories on Windows
Annex G (normative) Application installation process
G.1 Provisioning with Pull Management
G.2 Provisioning with the Push Management
G.3 Setting permissions
Annex H (informative) Comparison with RFC 7030
H.1 Overview
H.2 Obtaining CA Certificates
H.3 Initial enrolment
H.4 Client Certificate reissuance
H.5 Server key generation
H.6 Certificate Signing Request (CSR) attributes request


FIGURES
Figure 1 – The Registration process with an LDS
Figure 2 – The simple Discovery process
Figure 3 – The Local Discovery process
Figure 4 – The MulticastSubnet Discovery process
Figure 5 – The Global Discovery process
Figure 6 – The Discovery Process for Clients
Figure 7 – The relationship between GDS and other components
Figure 8 – The Single MulticastSubnet architecture
Figure 9 – The Multiple MulticastSubnet architecture
Figure 10 – The No MulticastSubnet architecture
Figure 11 – The Address Space for the GDS
Figure 12 – The Pull Certificate management model
Figure 13 – The Push Certificate management model
Figure 14 – The Certificate Management AddressSpace for the GlobalDiscoveryServer
Figure 15 – The AddressSpace for the Server that supports Push Management
Figure 16 – The Pull Model for KeyCredential management
Figure 17 – The Push Model for KeyCredential management
Figure 18 – The Address Space used for Pull KeyCredential management
Figure 19 – The Address Space used for Push KeyCredential management
Figure 20 – Roles and Authorization Services
Figure 21 – Implicit authorization
Figure 22 – Explicit authorization
Figure 23 – Chained authorization
Figure 24 – The Model for Requesting Access Tokens from Authorization Services
Figure 25 – The Model for Configuring Servers to use Authorization Services
Figure 26 – Discovering Servers outside a firewall
Figure 27 – Discovering Servers behind a firewall
Figure 28 – Using a Discovery Server with a firewall
Figure 29 – Following References to Remote Servers
Figure 30 – The UDDI or LDAP Discovery process
Figure 31 – UDDI registry structure
Figure 32 – Sample LDAP hierarchy

TABLES
Table 1 – GDS NamespaceMetadataType Object definition
Table 2 – Directory Object definition
Table 3 – DirectoryType definition
Table 4 – FindApplications Method AddressSpace definition
Table 5 – ApplicationRecordDataType definition
Table 6 – RegisterApplication Method AddressSpace definition
Table 7 – UpdateApplication Method AddressSpace definition
Table 8 – UnregisterApplication Method AddressSpace definition
Table 9 – GetApplication Method AddressSpace definition
Table 10 – QueryApplications Method AddressSpace definition
Table 11 – QueryServers Method AddressSpace definition
Table 12 – ApplicationRegistrationChangedAuditEventType definition
Table 13 – TrustListType definition
Table 14 – OpenWithMasks Method AddressSpace definition
Table 15 – CloseAndUpdate Method AddressSpace definition
Table 16 – AddCertificate Method AddressSpace definition
Table 17 – RemoveCertificate Method AddressSpace definition
Table 18 – TrustListDataType definition
Table 19 – TrustListMasks values
Table 20 – TrustListOutOfDateAlarmType definition
Table 21 – CertificateGroupType definition
Table 22 – CertificateType definition
Table 23 – ApplicationCertificateType definition
Table 24 – HttpsCertificateType definition
Table 25 – UserCredentialCertificateType definition
Table 26 – RsaMinApplicationCertificateType definition
Table 27 – RsaSha256ApplicationCertificateType definition
Table 28 – CertificateGroupFolderType definition
Table 29 – TrustListUpdatedAuditEventType definition
Table 30 – CertificateDirectoryType ObjectType definition
Table 31 – StartSigningRequest Method AddressSpace definition
Table 32 – StartNewKeyPairRequest Method AddressSpace definition
Table 33 – FinishRequest Method AddressSpace definition
Table 34 – GetCertificateGroups Method AddressSpace definition
Table 35 – GetTrustList Method AddressSpace definition
Table 36 – GetCertificateStatus Method AddressSpace definition
Table 37 – CertificateRequestedAuditEventType definition
Table 38 – CertificateDeliveredAuditEventType definition
Table 39 – ServerConfiguration Object definition
Table 40 – ServerConfigurationType definition
Table 41 – UpdateCertificate Method AddressSpace Definition
Table 42 – ApplyChanges Method AddressSpace Definition
Table 43 – CreateSigningRequest Method AddressSpace definition
Table 44 – GetRejectedList Method AddressSpace definition
Table 45 – CertificateUpdatedAuditEventType definition
Table 46 – KeyCredentialManagement Object definition
Table 47 – KeyCredentialServiceType definition
Table 48 – StartRequest Method AddressSpace definition
Table 49 – FinishRequest Method AddressSpace definition
Table 50 – Revoke Method AddressSpace definition
Table 51 – KeyCredentialAuditEventType definition
...
