OPC UA GDS Pull

OPC UA GDS Pull enables centralized discovery and certificate management for OPC UA applications by leveraging a Global Discovery Server (GDS). The GDS automates certificate deployment, trust relationships, and security updates, streamlining configuration and ongoing management for both clients and servers. Integration requires initial certificate setup and acceptance in the GDS, after which applications are managed automatically.

Any OPC UA application, either client or server, can register with the GDS and, once approved, submit a certificate signing request to the GDS, which acts as a Certificate Authority (CA). All UA applications belonging to the same security group then only need to trust the CA in order to trust every UA application whose certificate was signed by that CA.

After the initial on-boarding with the GDS, the UA application is automatically managed by the GDS and no further manual interaction is required. UA applications are updated automatically with security certificates, trust lists, and revocations.

Configuration

A WinCC OA OPC UA Client must be running in the project. Afterwards, the configuration can be done in the System Management under Driver OPC > UA GDS Pull.

Figure 1. System Management OPC

To use the GDS, a certificate must be created for the driver. It is used for the initial communication with the GDS and provides the identity information for all Certificate Sign Requests sent to the GDS.

Warning:
If the certificate is not found, a warning is shown:
Figure 2. No certificate found warning

The certificate creation panel is already filled with the default Name, Application URI, and DNS Name used by the driver when communicating with the GDS. All other fields must be filled manually.
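The CSR-based trust model described above and the identity fields the certificate panel pre-fills (Name, Application URI, DNS Name) can be reproduced with openssl. The following is an added example, not WinCC OA or GDS code: it plays the GDS as the CA, issues a certificate for a constructed driver identity, and shows that a peer trusting only the CA accepts the GDS-signed certificate while rejecting a self-signed one. All names, URIs and host names are placeholders, and the real GDS performs the signing over OPC UA services rather than with openssl files.

```shell
#!/bin/sh
# Added example, not part of the WinCC OA documentation: models the GDS trust
# chain with openssl. Every name, URI and host below is a constructed placeholder.
set -eu

WORK="${GDS_DEMO_DIR:-$(mktemp -d)}"

# The GDS acts as the Certificate Authority of the security group: a
# self-signed CA certificate that every application puts in its trust list.
make_gds_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Example GDS CA
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/ca.cnf" \
    -keyout "$WORK/gds-ca.key" -out "$WORK/gds-ca.crt" 2>/dev/null
}

# The driver's Certificate Sign Request carries the same identity fields the
# certificate panel pre-fills: Name (CN), Application URI (URI SAN), DNS Name.
make_app_csr() {          # $1 = name, $2 = application URI, $3 = DNS name
  cat > "$WORK/app.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = app_ext
prompt             = no
[dn]
CN = $1
[app_ext]
subjectAltName   = URI:$2, DNS:$3
keyUsage         = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/app.cnf" \
    -keyout "$WORK/app.key" -out "$WORK/app.csr" 2>/dev/null
}

# GDS side: sign the CSR with the CA key, applying the SAN/keyUsage extensions
# from the same config section so the issued cert keeps the OPC UA identity.
sign_app_csr() {
  openssl x509 -req -in "$WORK/app.csr" -days 365 \
    -CA "$WORK/gds-ca.crt" -CAkey "$WORK/gds-ca.key" -CAcreateserial \
    -extfile "$WORK/app.cnf" -extensions app_ext \
    -out "$WORK/app.crt" 2>/dev/null
}

# Peer side: a certificate is trusted only if it chains to the GDS CA in the
# trust list. Prints "trusted" or "untrusted".
verify_app_cert() {       # $1 = certificate to check
  if openssl verify -CAfile "$WORK/gds-ca.crt" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Returns 0 when the issued certificate carries the expected Application URI.
cert_has_app_uri() {      # $1 = certificate, $2 = expected URI
  openssl x509 -in "$1" -noout -text | grep -q "URI:$2"
}

run_demo() {
  make_gds_ca
  make_app_csr "WinCC OA OPC UA Client" \
    "urn:scada-host.example:winccoa:opcua-client" "scada-host.example"
  sign_app_csr
  # A self-signed certificate from outside the security group: no extensions
  # section is applied, and it does not chain to the GDS CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/app.cnf" -subj "/CN=Unknown App" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
  echo "GDS-signed:  $(verify_app_cert "$WORK/app.crt")"
  echo "self-signed: $(verify_app_cert "$WORK/rogue.crt")"
}

run_demo
```

The point to take from the run is that the peer never needs the driver's certificate in advance: placing only the GDS CA certificate in its trust list is enough to accept every certificate the GDS issues, which is exactly what lets the GDS manage a whole security group after on-boarding.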

Figure 3. Create GDS certificate

Enter the GDS URL and the update interval in minutes. The certificate of the GDS must be trusted:

Figure 4. Untrusted GDS certificate
Figure 5. Trusted GDS certificate

The Trigger Update button starts the interaction with the GDS. The WinCC OA OPC UA Client then has to be accepted in the GDS by selecting the client application and pressing the green OK symbol.

Figure 6. Accept application

After acceptance, the client receives its certificate from the GDS and is configured.

Figure 7. Configuration done

When using Discovery for a connection configured for a GDS-connected driver, all servers known to the GDS can be discovered using the Discover GDS button.

Figure 8. Discover GDS

Tip:
If a driver is configured using GDS, the default certificate for connections will be the one signed by the GDS.

Important:
When using a redundant or remote WinCC OA project, the configuration must be done on all hosts where a WinCC OA OPC UA Client is running.

Diagnostic

Using the debug flag -dbg GDS for the WinCC OA OPC UA Client, a detailed log concerning the interaction with the GDS is written.