Main Content

OPC UA Security

OPC Unified Architecture has been designed to support secure, authenticated connections between OPC UA servers and clients. Nonproprietary, industry standard protocols are used to achieve security in OPC UA communication. Security in OPC UA is provided using three mechanisms:

  • Messages passed between an OPC UA client and server can be sent in one of three Message Security Modes:

    • None: No security. Messages are sent in clear text.

    • Sign: Messages are signed by the sender, to authenticate the origin of the message. However, messages are not encrypted.

    • SignAndEncrypt: Messages are signed by the sender, to authenticate the origin of the message, and encrypted to ensure privacy.

  • Encryption and signing of the messages is performed using industry standard Asymmetric Cryptography schemes. A Channel Security Policy defines the specific scheme to use for encryption and signing. For a list of currently supported Channel Security Policies in Industrial Communication Toolbox™, type the following command in MATLAB®:


    When setting up a secure connection between the OPC UA Client and OPC UA Server, each of the parties exchange Application Instance Certificates that are used to encrypt and sign messages sent between the parties. These certificates can optionally be checked against a certificate trust list maintained by system administrators for each application to ensure that connections are made to the correct server, from the correct client. Industrial Communication Toolbox currently accepts server certificates automatically when the connection is established. For more information, see OPC UA Certificate Management.

  • User Authentication may be used by the server to restrict access to features of the server based on the specific user making the connection. Industrial Communication Toolbox supports the following user authentication options:

    • Anonymous: A user name is not provided. Some servers might not allow for anonymous user authentication.

    • Username: A user name and password combination authenticates the specific user making the connection.

    • Certificate: A User Certificate (in X509 standard) is used to authenticate the user. The public key of the certificate must be pre-shared with the server, and when establishing the connection the user must provide the public key, private key, and a password used to protect the private key. Clear (passwordless) private keys are not supported by the toolbox.

Servers normally support more than one security model for clients to use when connecting to the server. The supported security models that a server supports are described through endpoints available from the server. Each endpoint defines one Channel Security Policy, the allowable Message Security Modes, and supported User Authentication types. To use that specific endpoint, the client makes a connection to the endpoint URL provided in the endpoints list and defines the Message Security Mode to use.

You query the available endpoints of a server using opcuaserverinfo, or by constructing an OPC UA client with opcua. Once you construct an OPC UA client, you can set the security model to use for that connection using setSecurityModel. You pass the user credentials when you connect to the server using the connect function.

Related Topics