Please ensure Javascript is enabled for purposes of website accessibility
Powered by Zoomin Software. For more details please contactZoomin

PI OPC UA Server

TABLE OF CONTENTS

PI OPC UA Server Quick Start

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
  • Last UpdatedApr 15, 2026
  • 2 minute read

The following is a concise overview to install and configure the PI OPC UA Server.

  1. Install the AVEVA PI OPC UA Server product following the Install AVEVA PI OPC UA Server guide for details.

  2. Using the Configurator, configure the available PI Systems to the PI OPC UA Server.

    1. If needed, use the PI System Explorer to modify servers listed in the Known Servers Table (KST).

  3. (Optional) Configure a firewall rule on the server to allow the OPC UA port to access TCP traffic.

  4. Authentication configuration:

    1. Generate a self-signed authentication certificate and associated private key used for authentication between the PI OPC UA server and OPC UA client. See Authentication for details.

      1. Copy the generated certificate (.der) and private key (.pem) to the client machine.

      2. Copy the same certificate (.der), but not private key, to the server machine.

      1. Configure the client certificate and private key at the OPC UA client. Remember to enable the authentication to use X.509 Certificates and reference both the certificate and private key.

      2. Using the Configurator (or during the installation process), import the client authentication certificate into trusted client certificates for the server. See AVEVA PI OPC UA Server configuration for details.

    2. SSL/Encryption configuration:

      1. (Optional) Customize the server’s SSL certificate as referenced in Communication. If not customized, the server will use the default self-signed certificate generated during the installation.

      2. Client configuration requires both establishing the mutual trust relationship between client and server but also trusting the application-level client's certificate itself.

        1. Configure the server’s OPC UA endpoint at the OPC UA client by setting the Security Policy to Basic256Sha256 and the Message Security Mode to Sign & Encrypt. Refer to your client's documentation for details.

        2. Attempt to connect the OPC UA Client to the PI OPC UA Server. The connection will likely fail because the secure channel has not yet been established between the client application and the server.

        3. Trust the server’s SSL certificate on the client machine. In many cases your client application will prompt to trust the server certificate on first connection; otherwise consult the client documentation for how to achieve this.

        1. Server configuration:

          1. Trust the client’s SSL certificate as explained in Trust a client certificate by importing it into the Local Machine\Trusted People certificate store of the server machine as referenced in Communication.

        2. Attempt to connect again which should succeed. Verify that the ability to browse a PI System(s) hierarchy and read current data.

        TitleResults for “How to create a CRG?”Also Available in