SecurePubSubABB-logo

 

 

The SecurePubSub Project

The SecurePubSub Project is about extending an existing implementation of the OPC UA standard, called open62541. OPC UA is a popular specification in the field of industrial automation, as it serves the purpose to support the integration and correct communication between inudstrial components of different types. The interaction between these elements might become very cumbersome, especially in contexts like large companies where hundreds or thousands of devices have to constantly exchange data. OPC UA is used to achieve a common abstraction in data representation that all inudstrial components can use to understand each other and correctly interpret the data being transmitted.
More specifically, this project is concerned with the publish-subscribe model of communication between devices, therefore OPC UA instances will take the role of Publishers or Subscribers.

 

The goals for this project

Turning a standard device into an OPC UA node is not a straightforward task. All OPC UA implementations (open62541 included) require a complex setup of the nodes in order to have all the necessary information to make the nodes interact with other OPC UA instances. As an example, a simple sensor measuring the light intensity in a room needs to wrap the measurement into complex and abstract structures within the OPC UA framework before exchanging this data with other OPC UA instance. It also needs to establish network connections that require their own setup. The open62541 implementation of the OPC UA standard mandates all developers to provide these configurations in a programmatic way. The light sensor would need custom code dedicated to turn that specific sensor into a functioning OPC UA node. But this is not really a scalable and modular approach because all devices require their precise configurations and therefore would need dedicated code to work. One of the main goals of this project is that of providing to developers of the open62541 stack an alternative solution, in which configurations are extracted from the codebase and placed into a text-based file, written in XML. 

Moreover, security related features are also addressed in this project. The current implementation of the open62541 stack does not really provide a strong framework to support encryption when the OPC UA instances are exchanging data in a publish-subscribe model. Due to the implicit nature of the communication in publish-subscribe architecture, it is necessary to delegate the task of distributing cryptographic symmetric keys to an external entity, which is called SKS (Secure Key Server) in this case. This server knows the entire set of running nodes in the system and can be configured itself to dispatch the same cryptographic keys to all the nodes belonging to the same security group. Multiple security groups might be present, in which case the SKS will distribute different sets of keys. This project enhances the capabilities of the SKS implementation by providing:

  1. Full configuration of the node via text-based files
  2. Recovery mechanism integrated to make the system survive a brief crash of the SKS node

Finally, the client requested a measuring tool to deploy a simple OPC UA architecture, with a pair of nodes communicating, that is able to measure the RTT (Round Trip Time) of the messages exchanged between the OPC UA instances.

 

Project Features

The main features that have been integrated with the existing open62541 stack by this project are:

  • External XML configuration supported for all OPC UA nodes
  • Recovery mechanism for the SKS node to make the system able to continue the communication even if the SKS is briefly unavailable
  • RTT tool, which is a measuring tool for performance, able to deploy a simple OPC UA pair of nodes exchanging data and keep track of the Round Trip Time elapsed between the communications.

 

Architecture Overview

The project wraps around a series of components that interact to provide the above specifed features. 

  1. The parser: a custom parser for this project has been designed with the support of PugiXML library. The parser has been tailored to be able to extract XML configurations that are suitable for OPC UA nodes. The parser acts as the entry point of the program as it takes the XML configuration file as input and builds the OPC UA node accordingly.
  2. The SKS recovery mechanism: this is a submodule of this project that extended the SKS implementation by integrating a DB storage, leveraging Sqlite technology, and making the SKS able to recover from a system crash without interrupting the ongoing communications between Publishers and Subscribers.
  3. The RTT tool: this is another submodule of the architecture that uses the other modules to deploy a simple cluster of OPC UA nodes and makes them exchange simple toy data. It measures the RTT elapsed between data transmissions multiple times and logs the results into a file for further analysis.

 

Demonstration of the product

The following video shows some examples of how the new features are integrated in the previous implementation of the open62541 stack. In particular, the demo aims to illustrate how this solution provides flexibility to the previous implmentation, allowing developers to quickly reuse configuration files to setup different OPC UA architectures without modifying a single line of code. 

The demo is divided in three parts:

1. Simple deployment

 

 The first deployment consists in a simple pair of OPC UA nodes, a Publisher and a Subscriber, communicating over the network with the support of the SKS distributing cryptographic keys.

 

2. Concurrent Publishers

 

In the second deployment, two Publisher are instantiated, both publishing data towards the same Subscriber. One of the two publishers transmits a very high integer value, that is decrementing, while the second one transmits a very little counter incrementing from 0.

 

3. Complex deployment with multiple security groups

 

 The third case is more complex because the SKS has to manage separate security groups. The two publishers at the bottom of the picture belong to the same security group and they still publish against the same subscriber. A new publisher and a new subscriber are added to the scene on top. They are completely isolated from the rest of the communication as the SKS will distribute different sets of cryptographic keys to the two groups.

In the tutorial, the internal state of all these OPC UA nodes is going to be inspected through an external tool called UAExpert, which offers a user-friendly graphical interface to see what is happening inside all these Publisher and Subscriber instances. The goal of this tutorial is to show how it is possible for a developer using this solution to employ the same exact code to instantiate all the publishers and subscribers of these clusters. The only thing that changes and that determines the internal behaviour of these nodes is the external XML configuration file.