Authentication

From PI System to AVEVA PI OPC UA Server

Authentication between the server and the PI System data source can be configured for either:

• Windows Integrated Security

• OpenID Connect (OIDC)

  • For PI Systems that use OIDC (PI System 2023 and greater), configure it here PI System configuration.

    Note: If using OIDC every PI System must use the same client ID and secret.

From AVEVA PI OPC UA Server to OPC UA client

By default the only method of authenticating to an OPC UA client from the PI OPC UA Server uses certificate authentication. Each OPC UA client should employ its own certificate and associated private key to connect to the PI OPC UA Server. The certificate may be signed by a certificate authority or self-signed.

Example Certificate and Private Key generation

There are multiple methods to generate a self-signed certificate. For example, use OpenSSL to generate an authentication certificate along with its associated private key (two separate files). Use the following command:

openssl req -x509 -newkey rsa:2048 `

-keyout private_key.pem `

-out cert.der `

-outform DER `

-days <days-to-expiration> `

-nodes `

-subj "/CN=SelfSignedCert"

Once generated, import the certificate (cert.der in the example above) into the PI OPC UA Server using the Configurator (see AVEVA PI OPC UA Server configuration). Both the private key (private_key.pem in the example above) and the certificate are required by the OPC UA client to authenticate with the server.