Method, computer program product, and system for providing a service
By introducing the Local Discovery Server (LDS) and the Agent Component (UAP), the problem of discovery and integration of OPC UA servers in container virtualization environments is solved, achieving simplified integration and improved network security, avoiding port conflicts, and supporting seamless operation of OPC UA servers from multiple vendors in the same network.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SIEMENS AG
- Filing Date
- 2022-07-07
- Publication Date
- 2026-06-05
Smart Images

Figure CN117716683B_ABST
Abstract
Description
Technical Field
[0001] This invention discloses a method, computer program product, and system for providing services, particularly in industrial automation systems.
[0002] Industrial automation systems typically comprise multiple interconnected automated devices via an industrial communication network, used to control or regulate equipment, machines, or devices within the scope of manufacturing and process automation. Due to the time-critical nature of industrial automation systems, communication between automated devices primarily utilizes real-time communication protocols such as PROFINET, PROFIBUS, Real-time Ethernet, or Time-Sensitive Networking (TSN). This particularly enables the automation of control services or applications and allows for load-based distribution across currently available servers or virtual environments within the industrial automation system.
[0003] The communication connections between computer units or automated devices in an industrial automation system can lead to unwanted or unnecessary duplication of service request transmissions. Furthermore, incomplete or faulty message transmissions can, for example, prevent the industrial automation system from transitioning to or maintaining a safe operating state.
[0004] A potential problem in Ethernet-based communication networks is the competition of network resources for transmitting data streams or frames with real-time requirements and for transmitting data frames with large amounts of data that do not have real-time requirements. This can ultimately lead to the transmission of data streams or frames with implementation requirements that do not meet the required or necessary quality of service.
[0005] By leveraging the industrial edge, users of automation technologies can easily and modularly install, update, and extend the functionality desired for their automation in the form of so-called Apps. On one hand, users benefit from centralized and easily measurable management of multiple industrial edge devices; on the other hand, they benefit from the market of third-party vendors that also offer such applications. Another key point is that automation users want to be able to easily install and run applications from different vendors directly with minimal additional integration costs.
[0006] For semantically high-value and secure data exchange, OPC UA (OPC Unified Architecture, www.opcfoundation.org) is established within automation technologies. Application vendors enhance the attractiveness of their applications by providing computationally processed data from production data analysis, image analysis, and the like, for example, through integrated OPC UA servers with other automation functions. However, compared to the traditional world of equipment, integration into the same (industrial edge) equipment now includes not only traditional equipment OPC servers, but also multiple applications with OPC UA server capabilities from various (third-party) vendors.
[0007] Manual integration into the world of single devices, as has been the case to date, is costly and error-prone, and in part impossible due to the lack of configuration points in OPC UA. However, this integration includes not only applications within the device, but also the interaction between the external parts of the automation application and the device application.
[0008] If the OPC UA server application is implemented in a virtualization solution, such as a (Docker) container, then the application is initially idle in the network resources it occupies, such as, in particular, TCP ports – specifically, port 4840 is pre-defined for a single server in OPC UA.
[0009] This simple plug-and-play integration approach is described in “OPC UA for Plug & Produce: Automatic Device Discovery using LDS-ME”, 2017 22nd IEEE International Conference on Emerging Technologies and Factory Automation (ETFA) XP033292903, Stefan Profanter et al.
[0010] Users of control applications for industrial automation systems, implemented using container virtualization or similar virtualization solutions, expect such applications to integrate into their existing infrastructure with minimal complexity. With network access and application process control environments, OPC UA servers involve configurations that vary significantly between different user sides and must be considered by control application developers when configuring automation for their applications. The limited range of IP addresses and TCP ports available on the user side in network access represents a particular requirement for integrating control applications into existing infrastructure.
[0011] However, OPC UA server applications cannot be implemented externally without additional measures, which requires users to manipulate the server ports between the application layer and the industrial edge device layer. In this process, attention must be paid to port conflicts and possible limitations of the network environment, such as the limited number of ports that can be opened in the firewall and their specific value range or pre-set standard rules, without applying additional (configuration) costs.
[0012] In addition, users of automation technology must connect other parts of their automation applications to the server via the correct network addressing information. Background Technology
[0013] The OPC Fundamentals describe the functionality of the Local Discovery Server (LDS), which allows OPC UA servers to be discovered within directly accessible network segments after they have been pre-registered on the LDS (through a so-called "registration server" service). The basic functionality of an OPC UA proxy is known. For example, it works similarly to an (ingress) web proxy, forwarding incoming connections on public network ports according to additional standards at the OPC UA application layer level (from the ISO / OSI layer model).
[0014] The Local Discovery Server (LDS) maintains a list of all OPC UA applications.
[0015] The problem in virtualized environments such as (Docker) containers is that OPC UA servers can only register on the Local Discovery Server (LDS) using their “internal” network information (IP address / hostname and port). Here, this internal network information is the network address and port that are visible to the container itself, but in principle, it looks different at the cluster or industrial edge device level.
[0016] The patent application EP 20198692 A1, entitled “Method and System for Providing Time-Critical Services with the Aid of a Process Control Environment,” describes a mechanical mechanism for detecting registration information from an application with an OPC UA server, such as in a cloud system, via a so-called “sidecar” container, and for editing and providing a load balancing / entry unit that operates at the entry point of the cluster according to the desired cluster entry mode.
[0017] The previous patent application EP 20193690.3 disclosed a method for providing time-critical services, each corresponding to at least one server component, which consists of process control components that can be loaded and implemented in a process control environment. Each server component provides functional units for processing a communication protocol stack, which are connected to functional units in the corresponding process control environment for processing the communication protocol stack. These services each include a directory service component for deriving the services provided via the process control environment. The directory service components are connected to each other via separate communication interfaces. Aggregator components, formed by additional sequence control components, are connected to separate communication interfaces, making information about the services provided by the server components available outside the sequence control environment.
[0018] The application cited above does not explain the technical issues involved in establishing a connection at the service layer of OPC UA.
[0019] Existing service identification methods (service / device discovery), particularly for OPC UA, are primarily designed to derive services, which are provided using physical or virtual super-administrator-based machines. In particular, the relatively high operating and maintenance costs of super-administrator-based virtual machines make virtualization schemes with lower resource requirements compared to full system virtualization, such as container virtualization, increasingly attractive. This also applies to industrial automation systems.
[0020] According to the OPC UA specification, a Local Discovery Server (LDS) may even be set up for OPC UA-based services. However, it is possible to identify only hosts within the broadcast domain using appropriate identification methods. Furthermore, multicast communication in systems used for container virtualization is typically closed.
[0021] Document US2017 / 0111476 A1 also proposes a method for integrating new plug-and-play resources into existing networks in each case via a newly generated API. Summary of the Invention
[0022] The object of this invention is to provide a method for providing services that enables reliable user-side deriving of services provided by means of container virtualization or similar virtualization schemes, and to provide suitable means for performing the method.
[0023] According to the present invention, this objective is achieved by a method having the features described herein, a computer program product having the features described herein, and a system having the features described herein.
[0024] Advantageous improvements are further given in the dependent claims.
[0025] A method for providing time-critical services to customers using process control components within a process control environment includes the following steps:
[0026] - Assign services to at least one server component (UAS, 101), each server component consisting of a process control component that can be loaded into and implemented within the process control environment.
[0027] - At least one agent component (UAP, 200) of the sub-network including the process control environment receives service requests.
[0028] - The Central Directory Service (LDS, 201) transmits valid addressing information within the subnet to the agent component.
[0029] - Register the server component (UAS, 101) on the central directory service component (LDS, 201) using the server component's internal connection data (111).
[0030] - Obtain globally valid access information for the valid addressing information within the subnet assigned to the server component (UAS, 101).
[0031] - Modify internal connection data (discovery URI and / or endpoint URI) using external network addressing information (102) derived from the Central Directory Service component (LDS, 201).
[0032] This enables at least one proxy component (UAP, 200) to forward service requests to the server component (UAS, 101) based on the modified addressing information.
[0033] The invention disclosed herein is based on patent application EP20198692 A1 and specifies in more detail the functionality required for a load balancing / ingress unit (“agent”) to operate with an OPC UA, particularly the endpoint determination operations for individual servers, and the so-called OPC UA “secure session” at layer 7 of the ISO / OSI layer model.
[0034] Specifically, the process control component is a software container that runs independently of other software containers or groups of containers within the process control environment on the host operating system of the server device. In principle, micro-virtualization solutions such as Snaps can also be used interchangeably for the process control component.
[0035] The process control environment can include, for example, Docker power or Snap kernels, which run on a server device. Advantageously, the software containers share the host operating system kernel of the server device with other software containers running on their respective server devices. The storage mapper used for the software containers can be invoked, for example, from memory and a provisioning system that allows multiple users to read or write access.
[0036] Each server component corresponds to a directory service component, which enables local discovery services (directory service component 201). This approach is described in detail in the old European patent application EP 20193690.3, which is cited here. In this case, the directory service component transmits valid addressing information within the subnet or a locally valid URL to the configuration unit and aggregator component 104 via the comparison unit. Attached Figure Description
[0037] The solution proposed here is also Figure 1 The implementation is based on an instance of an industrial edge with OPC UA communication. Detailed Implementation
[0038] This describes a smart agent for the OPC UA server in a virtual machine or Docker environment (such as the industrial edge) that intervenes in initially insecure service communications to ensure that OPC UA clients can successfully connect to the OPC UA server in the container host / industrial edge.
[0039] The proposed agent component UAP,200 with local discovery server functionality (LDS,201) can solve multiple problems simultaneously.
[0040] On the one hand, the OPC UA client UAC,100 can discover multiple OPC UA servers UAS,101 installed on a single network device (e.g., industrial edge / container host) with the help of the local discovery server LDS,201.
[0041] The OPC UA server UAS,101 can be addressed via the proxy component UAP,200 and preferably via only one port (such as the known port 4840), which improves the security aspects of the network topology from the administrator's perspective.
[0042] Another advantage is that the administrator's view of network resources is decoupled from the internal server or container view via the proxy component (200).
[0043] It is not important for the solution according to the invention whether the agent component UAP, 200 and the directory service component, local discovery server LDS, 201 are designed as a single unit or separate units (processes, procedures, etc.). However, it is important to compare the information (111) between the directory service component, the local discovery server LDS, 201, and the agent component UAP, 200. The information 111 provided by LDS enables the agent component UAP, 200 to correctly forward connection requests from the OPC UA client UAC, 100, and to independently respond to specific, still unencrypted portions of the communication related to the service request (typically in the initial phase) based on the provided information 111, or alternatively, to correctly rewrite the associated service response (ACK).
[0044] In an advantageous design, each service in its container is able to include a separate directory service component (LDS) and the registration of the server component (UAS, 101) is performed on the directory service component (LDS) assigned to the service having its internal connection data (111).
[0045] The desired functionality is achieved through the following steps:
[0046] 1. Registration:
[0047] When a server registers itself on the local discovery server LDS, 201 with its internal connection data 110 (internal host addressing information), its discovery URI is replaced or updated via the (external) network addressing information 102 of the (OPC UA) proxy component UAP, 200.
[0048] For example, a URI that uniquely identifies a single server entity (101) can be added by a separate URI attribute.
[0049] For example:
[0050] <internal connection data> :port / path
[0051] <fqdn host-ip>:4840 / robot,
[0052] <fqdn host-ip>:4840 / camera
[0053] When a connection is established from the UA client UAC, 100 to one of the (external) network addressing information entries (endpoint URIs) 102, for example, via the HEL(LO) message specified in the OPC UA standard, the (OPC UA) agent component UAP, 200 checks:
[0054] If the server endpoint URI specified in the connection request "HEL(LO)" addresses the Local Discovery Server (LDS), 201, then the connection is forwarded to the latter, so that the Local Discovery Server (LDS) can respond to subsequent service requests and responses.
[0055] Here, the aforementioned OPC UA instance is typically an OPC UA service.
[0056] "FindServers" or
[0057] "FindServersOnNetwork".
[0058] In the following text, a service request refers to the entire communication (e.g., a TCP / IP connection), and not just a single OPC UA service request.
[0059] If the server endpoint URI specified in the connection request "HEL(LO)" addresses server UAS, 101, then the corresponding internal server endpoint URI is identified and the connection to the internal server endpoint URI is established.
[0060] If insecure service requests and responses are subsequently transmitted over this connection, the proxy component may interfere with these services according to the following rules:
[0061] If the connection forwarded by the proxy component UAP,200 to the business server UAS,101 initially remains in a normal, insecure mode (i.e., no "secure session," unencrypted), the proxy component monitors the connection used to transmit the "Get Endpoint" service request. The UA client UAC,100 typically applies the "Get Endpoint" service request to select among multiple endpoints simultaneously offered by the server. However, because the UA server UAS,101 only recognizes its internal endpoints and not the external perspective of the proxy component UAP,200, the proxy component must intervene in this service; essentially, several theoretically equivalent design variations exist:
[0062] The proxy component forwards the "Get Endpoint" service request to the relevant UA server (UAS), but overwrites (modifies) its service response:
[0063] Here, the internal server recorded by the UA server UAS is replaced by the associated external "endpoint URI" based on endpoint information 111.
[0064] If a "Get Endpoint" request from a directory service component, local discovery server (LDS), or proxy component (UAP), is executed on the server, then its "endpoint URI" can be pre-tuned, stored, or cached.
[0065] Continuing with the example above:
[0066] <external connection data> :port / path
[0067] <fqdn host-ip>:4840 / <internal connection data‘> / Robo t,
[0068] <fqdn host-ip>:4840 / <internal connection data‘> / Came ra
[0069] Therefore, the following additional versions are possible:
[0070] The proxy component UAP, 200, responds to the "Get Endpoint" service request itself without forwarding it to the UA server UAS, 101; here, the established connection to the UA server UAS is no longer used. The proxy component UAP responds based on the endpoint information 111 transmitted to it using the external "endpoint URI" belonging to the addressing service server UAS that made the request.
[0071] Alternatively, the proxy component UAP, 200 forwards the "Get Endpoint" service request to the directory service component, Local Discovery Server (LDS), 201, which, acting as a representative of the UA server (UAS), replies to it with the correct external "Endpoint URI".
[0072] The proxy component UAP, 200 does not interfere with the OPC UA client UAC, 100 and the OPC UA server UAS, 101 in any additional and subsequent potentially secure communication within the scope of "secure sessions".
[0073] Various players in the industrial edge ecosystem want to automatically integrate OPC UA server applications, regardless of the provider. This also necessitates support for current OPC UA security mechanisms, particularly so-called "secure sessions." For example, to keep "external" integration in automated applications as simple as possible, even considering subsequent changes, externally defined network addressing information should be kept to a minimum to avoid addressing conflicts with other applications.
[0074] This leads to another advantageous effect. The proposed method and system will improve and / or simplify the commissioning and security of devices with multiple OPCUA servers, for example, by using only a single TCP port and simplifying the security measures required in the customer's infrastructure.
[0075] Server configuration decouples the dependency of OPC UA applications / containers from the network connectivity of the device to the server application.
[0076] This enables OPC UA clients not only to correctly discover OPC UA server applications installed at the industrial edge via the OPC UA service, but also to successfully establish connections with them.
[0077] It can avoid TCP port conflicts on the device, such as when an OPC UA server application competes for the predefined port 4840.
[0078] Where possible, partner with various OPC UA server application vendors to avoid users having to manage TCP ports (including security measures) in a way that is prone to errors.< / fqdn> < / fqdn> < / fqdn> < / fqdn>
Claims
1. A method for providing services to a service customer (UAC, 100) using a process control component in a process control environment, wherein, - At least one server component (UAS, 101) is assigned to the service, and the server component is formed by a process control component that can be loaded into and implemented in the process control environment. - At least one agent component (UAP, 200) of the sub-network of the process control environment receives inquiries from service customers (UAC, 100). The Central Directory Service (LDS) component transmits valid addressing information within the sub-network to the agent component (UAP, 200). - Register the server component (UAS, 101) on the central directory service component (LDS) with the server component's internal connection data (111), the internal connection data including the network address and the port visible to the server component itself. - Obtain globally valid access information for the valid external network addressing information within the sub-network assigned to the server component (UAS, 101), and - The internal connection data is modified in the Central Directory Service (LDS) component using the derived external network addressing information (102). This enables at least one of the proxy components (UAP, 200) to forward service requests to the server component (UAS, 101) based on the modified addressing information.
2. The method according to claim 1, wherein the method is used to provide services via a process control environment, characterized in that, The proxy component (200) receives a service request and examines the initially unencrypted portion of the service request to determine whether the recipient addressed in the service request is the Central Directory Service Component (LDS, 201). The service request is then forwarded to the recipient, so that the central directory service component (LDS, 201) can respond to subsequent service requests.
3. The method according to any one of the preceding claims, wherein the method is used to provide services via a process control environment, characterized in that, The proxy component (UAP, 200) receives the service request having an initially unencrypted portion included in the service request and checks whether the recipient addressed in the service request is the business server (UAS, 101). And obtain the address information of the corresponding internal business server (UAS, 101), and Continue to establish a connection with the address information derived from the internal server component (UAS, 101).
4. The method according to any one of claims 2 or 3, wherein the method is used to provide services via a process control environment, wherein, The proxy component (UAP, 200) monitors connections used for the transmission of other insecure service requests.
5. The method according to claim 4, wherein the method is used to provide services via a process control environment, wherein, The proxy component responds to the service request itself instead of forwarding the service request to the business server.
6. The method of claim 4, wherein the method is used to provide services via a process control environment, wherein, The proxy component forwards the service request to the directory service component (LDS, 201), which responds to the service request on behalf of the addressed business server with the correct address information.
7. The method according to any one of the preceding claims, wherein the method is used to provide services via a process control environment, wherein, The business server (UAS, 101) can be accessed via the proxy component (UAP, 200) preferably via only a predetermined port.
8. The method according to any one of the preceding claims, wherein the method is used to provide services via a process control environment, wherein, Each service includes its own directory service component and registers the server component (UAS, 101) on the directory service component (LDS) assigned to the service with the internal connection data (111) of the server component, the internal connection data including the network address and the port visible to the server component itself.
9. A computer program product for providing services using a flow control environment for the steps of the method according to any one of the preceding claims.
10. A system for providing services using process control components within a process control environment, comprising: - At least one server component (UAS, 101) is assigned to the service, and the server component is formed by the process control component that can be loaded into and implemented in the process control environment. - Including at least one agent component (UAP, 200) of the sub-network of the process control environment, said agent component being configured and adapted to accept requests from service customers (UAC, 100) inquiry, - A central directory service component (LDS, 201), configured and adapted to transmit valid external network addressing information within the subnet to the proxy component (UAP, 200), and to accept registration from the server (UAS, 101) using the server's internal connection data (111), the internal connection data including the network address and a port visible to the server component itself, and to replace the internal connection data (discovery URI) with derived external network addressing information (102). -in, At least one of the proxy components (UAP, 200) forwards the service access query to the server component based on the modified addressing information.
11. The system of claim 10, wherein the system is used to provide services by means of a process control component in a process control environment, characterized in that, The agent component (UAP, 200) is designed as an OPC UA agent with local discovery server functionality (LDS, 201).
12. The system according to claim 10 or 11, wherein the system is used to provide services by means of process control components in a process control environment, characterized in that, The proxy component (200) is configured and adapted to receive service requests and examine the initially unencrypted portion contained in the service request to determine whether the recipient addressed in the service request is the Central Directory Service Component (LDS, 201). The service request is then forwarded to the recipient, so that the central directory service component (LDS, 201) can respond to subsequent service requests.
13. The system according to any one of claims 10 to 12, wherein the system is used to provide services by means of a process control component in a process control environment, characterized in that, The proxy component (UAP, 200) is configured and adapted to receive the initially unencrypted portion of the service request and to check whether the recipient addressed in the service request is the business server (UAS, 101). And obtain the address information of the corresponding internal server component (UAS, 101), and Continue to establish a connection with the address information derived from the internal server component (UAS, 101).
14. The system according to any one of claims 10 to 13, wherein the system is used to provide services by means of a process control component in a process control environment, characterized in that, The proxy component (UAP, 200) is configured and adapted to monitor connections used for transmitting other unencrypted portions of the service request.
15. The system of claim 14, wherein the system is used to provide services by means of process control components in a process control environment, characterized in that, The proxy component (UAP, 200) is configured and adapted to respond to the service request itself without forwarding the service request to the business server.
16. The system of claim 14, wherein the system is configured to provide services using process control components within a process control environment, characterized in that, The proxy component (UAP, 200) is configured and adapted to forward the service request to the directory service component (LDS, 201), which responds to the service request with the correct address information on behalf of the addressed business server.
17. The system according to any one of claims 10 to 16, wherein the system is used to provide services by means of a process control component in a process control environment, characterized in that, The business server (UAS, 101) can be accessed via the proxy component (UAP, 200) preferably via only a predetermined port.