
OPC UA under control: Smart management with GDS

OPC UA is booming – and with it, the demand for efficient management. The Global Discovery Server brings order to the network: central registration, automatic certificates, secure communication. Simple, smart, secure.

The spread of OPC UA is growing rapidly – and with it the challenge of managing applications efficiently. Manual configurations via web interfaces are no longer a solution given the increasing number of applications. This is where the Global Discovery Server (GDS) comes into play: a central platform that takes management and security to a new level.

The OPC Foundation has specified the GDS as the central platform for managing certificates and registering applications. As a standalone network application with client and server interfaces, the GDS enables secure and efficient management of all OPC UA applications.

Efficient OPC UA registration

OPC UA servers can be quickly registered via the Discovery Service and found by clients. In smaller networks, registration is often handled by the OPC UA server itself, while on hosts with multiple OPC UA applications, this is usually handled by a Local Discovery Server (LDS).

The larger the network, the sooner the GDS comes into play. It bundles the information from all LDSs, checks it and creates a central list of available servers. This ensures that only authorised servers communicate with clients.

For clients, using the GDS means less effort and more security: they only need the address of the GDS to retrieve the appropriate server addresses. This reduces configuration errors and automatically takes into account changes such as DHCP-related address changes. In addition, only servers that are currently online remain registered, because servers that shut down automatically deregister.

Central certificate management

The GDS offers the greatest relief through its integrated certificate management. This allows all used, trusted and blocked certificates to be centrally managed, updated and automatically distributed to servers and clients.

This mechanism requires a certificate chain, which in the following image consists of four levels:

  1. Root certificate – created at company level and recognised throughout the network.
  2. Factory certificate – signed by the root certificate and used for the factory level.
  3. Production line certificate – signed by the factory certificate and valid for a production line.
  4. Application certificates – signed by the production line certificate.

In this example, the GDS is used at the production line level and manages all OPC UA applications used in the line. With the help of the factory certificate, the GDS signs the certificates of the individual OPC UA applications so that their certificates are all based on the same foundation and thus on the same certificate chain.

Thanks to this structure, applications only need to trust the certificates in the chain in order to communicate securely with other applications. Certificates are automatically renewed and distributed, minimising administrative effort.

In addition, the GDS manages trust lists (trusted certificates) and certificate revocation lists (CRL, revoked certificates). These lists are regularly updated and distributed to all managed applications, ensuring that the current security level is always maintained.
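The four-level chain and the CRL distribution described above, as an added Go example that is not code from the original post or from any GDS product: it builds constructed root, factory, production line and application certificates with the standard library, lets the line CA revoke one application certificate, and shows the check a managed application applies to a peer certificate. All names and key material are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // root, factory and line levels sign certs and CRLs

// issue creates a certificate for cn signed by parent (self-signed when parent is nil); all keys are constructed here.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, ku x509.KeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random 64-bit serial number
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil { // the root certificate signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// revoke issues a CRL, signed by the production line CA, that lists one application certificate.
func revoke(line *x509.Certificate, lineKey *ecdsa.PrivateKey, app *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: app.SerialNumber, RevocationTime: time.Now()}}}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, line, lineKey)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}
// accept mimics a managed application: trust only the root, chain through the distributed intermediates, honour the CRL.
func accept(peer, root, factory, line *x509.Certificate, crl *x509.RevocationList) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(factory)
	inters.AddCert(line)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := peer.Verify(opts)
	revoked := crl.CheckSignatureFrom(line) != nil // a CRL not signed by our line CA is not trusted: fail closed
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(peer.SerialNumber) == 0
	}
	return err == nil && !revoked
}
```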

Flexible and future-proof

In order for certificate management to work for both OPC UA clients and OPC UA servers, the GDS server must provide a push and pull mechanism for certificate management. With the push mechanism, the GDS acts as a client and writes the certificates, trust lists and CRLs directly to the target systems. With the pull mechanism, the client retrieves the required data from the GDS.

The GDS is configured via a standard OPC UA client connection and the methods provided by the GDS in the information model. The GDS checks access rights on the basis of the supplied credentials; administrators can add new applications or remove existing ones, and the GDS automatically takes care of the rest of the management.

Conclusion

The Global Discovery Server is more than just a tool – it is a game changer for the management of OPC UA applications. Less effort, maximum security and full control in complex networks. Anyone who uses OPC UA will not be able to do without the GDS in the long term. We support you with the implementation.

About the author


Fabian Rosenfelder is a passionate computer scientist. As a senior developer, he focuses on software development related to Embedded Linux, OPC UA and C++. He currently supports our customers in the development of OPC UA servers, for example for high-performance real-time control systems.
