oSIST prEN IEC 62541-21:2024

SLOVENSKI STANDARD
01-marec-2024
Enotna arhitektura OPC - 21. del: Vključevanje naprav
OPC unified architecture - Part 21: Device onboarding
Ta slovenski standard je istoveten z: prEN IEC 62541-21:2024
ICS:
25.040.40 Merjenje in krmiljenje Industrial process
industrijskih postopkov measurement and control
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

65E/1046/CDV
COMMITTEE DRAFT FOR VOTE (CDV)
PROJECT NUMBER:
IEC 62541-21 ED1
DATE OF CIRCULATION: CLOSING DATE FOR VOTING:
2024-01-26 2024-04-19
SUPERSEDES DOCUMENTS:
65E/956/NP, 65E/1016/RVN
IEC SC 65E : DEVICES AND INTEGRATION IN ENTERPRISE SYSTEMS
SECRETARIAT: SECRETARY:
United States of America Mr Donald (Bob) Lattimer
OF INTEREST TO THE FOLLOWING COMMITTEES: PROPOSED HORIZONTAL STANDARD:

Other TC/SCs are requested to indicate their interest, if any,
in this CDV to the secretary.
FUNCTIONS CONCERNED:
EMC ENVIRONMENT QUALITY ASSURANCE SAFETY
SUBMITTED FOR CENELEC PARALLEL VOTING NOT SUBMITTED FOR CENELEC PARALLEL VOTING
Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of
CENELEC, is drawn to the fact that this Committee Draft for
Vote (CDV) is submitted for parallel voting.
The CENELEC members are invited to vote through the
CENELEC online voting system.
This document is still under study and subject to change. It should not be used for reference purposes.
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which
they are aware and to provide supporting documentation.
Recipients of this document are invited to submit, with their comments, notification of any relevant “In Some Countries”
clauses to be included should this proposal proceed. Recipients are reminded that the CDV stage is the final stage for
submitting ISC clauses. (SEE AC/22/2007 OR NEW GUIDANCE DOC).

TITLE:
OPC Unified Architecture – Part 21: Device Onboarding

PROPOSED STABILITY DATE: 2026
NOTE FROM TC/SC OFFICERS:
electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions.
You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without
permission in writing from IEC.

IEC CDV 62541-21 © IEC 2023
1 CONTENTS
2 Page
3 FIGURES . iii
4 TABLES . iv
5 1 Scope . 1
6 2 Normative references . 1
7 3 Terms, definitions, and conventions . 2
8 3.1 Terms and definitions . 2
9 3.2 Abbreviations and symbols . 4
10 4 Onboarding Model . 5
11 4.1 Device Lifecycle . 5
12 4.2 Concepts . 7
13 4.2.1 Secure Elements . 7
14 4.2.2 Firmware and Applications . 7
15 4.2.3 Transfer of Physical Control . 8
16 4.2.4 Trust on First Use (TOFU) . 8
17 4.2.5 SoftwareUpdateManager . 9
18 4.2.6 Roles and Privileges . 9
19 4.3 Device Workflows . 10
20 4.3.1 Distribution . 10
21 4.3.2 Onboarding . 10
22 4.3.3 Application Setup . 10
23 4.3.4 Configuration . 10
24 4.3.5 Operation . 10
25 4.3.6 Decommissioning . 11
26 5 Identities . 11
27 5.1 Overview . 11
28 5.2 Device Identity . 11
29 5.3 ProductInstanceUri . 12
30 5.4 Composite Identity . 12
31 6 Ticket Semantics . 13
32 6.1 Tickets . 13
33 6.2 Ticket Distribution. 14
34 6.3 Authentication . 14
35 6.4 Acquiring and Validating Tickets . 15
36 7 Device Authentication . 16
37 7.1 Overview . 16
38 7.2 Pull Management . 18
39 7.3 Push Management . 20
40 7.4 Alternate Authentication Models . 21
41 8 Ticket Syntax . 22
42 8.1 Signed Ticket Encoding . 22
43 8.2 Ticket Types . 23
44 8.2.1 EncodedTicket . 23
45 8.2.2 BaseTicketType . 24
46 8.2.3 DeviceIdentityTicketType . 24
47 8.2.4 CompositeIdentityTicketType . 25
48 8.2.5 TicketListType . 25

IEC CDV 62541-21 © IEC 2023 ii

49 8.2.6 CertificateAuthorityType . 26
50 9 Information Model . 26
51 9.1 Overview . 26
52 9.2 Registrar . 26
53 9.2.1 Overview . 26
54 9.2.2 DeviceRegistrarType . 27
55 9.2.3 ProvideIdentities . 28
56 9.2.4 UpdateSoftwareStatus. 29
57 9.2.5 RegisterDeviceEndpoint . 29
58 9.2.6 GetManagers . 30
59 9.2.7 ManagerDescription . 31
60 9.2.8 RegisterManagedApplication . 31
61 9.2.9 DeviceRegistrar . 32
62 9.2.10 DeviceRegistrarAdminType . 32
63 9.2.11 RegisterTickets . 33
64 9.2.12 UnregisterTickets . 33
65 9.2.13 DeviceRegistrationAuditEventType . 34
66 9.2.14 DeviceIdentityAcceptedAuditEventType . 34
67 9.2.15 DeviceSoftwareUpdatedAuditEventType . 35
68 9.3 Device Configuration Application (DCA) . 35
69 9.3.1 Overview . 35
70 9.3.2 ProvisionableDevice . 36
71 9.3.3 ProvisionableDeviceType . 37
72 9.3.4 RequestTickets . 37
73 9.3.5 SetRegistrarEndpoints . 38
74 9.3.6 ApplicationConfigurationType . 38
75 10 Namespaces . 39
76 10.1 Namespace Metadata . 39
77 10.2 Handling of OPC UA Namespaces . 39
78 Annex A (normative) Namespaces and Identifiers . 41
79 A.1 Namespace and Identifiers for the Onboarding Information Model . 41
iii IEC CDV 62541-21 © IEC 2023

82 FIGURES
83 Figure 1 – The Lifecycle of a Device . 5
84 Figure 2 – Device Hardware and Software Layers . 7
85 Figure 3 – Possible Transfers of Physical Control . 8
86 Figure 3 – Relationship between Devices, Actors, Identifiers and Tickets . 11
87 Figure 4 – Device Authentication using Pull Management . 18
88 Figure 5 – Requesting Certificates using Pull Management . 19
89 Figure 6 – Device Authentication using Push Management . 20
90 Figure 7 – Updating Certificates using Push Management . 21
91 Figure 8 – Alternate Authentication Models with Pull Management . 22
92 Figure 9 – Registrar Address Space for Onboarding Workflow . 27
93 Figure 10 – Device Address Space for Onboarding Workflows . 36
IEC CDV 62541-21 © IEC 2023 iv

96 TABLES
97 Table 1 – The Actors in the Device Lifecycle . 5
98 Table 2 – The Stages in the Device Lifecycle . 6
99 Table 3 – Well-known Roles for Onboarding . 9
100 Table 4 – Privileges for Onboarding . 9
101 Table 5 – RFC 7515 Header Fields . 23
102 Table 6 – EncodedTicket Definition . 24
103 Table 7 – BaseTicketType Structure .
...