Configuring and Deploying the OPC UA Service
- Last Updated: Jun 28, 2022
The AVEVA OPC UA Service provides access from an OPC UA client to Application Server data, without the need for the Galaxy Browser, a gateway, or other protocol translation mechanism.
To configure and deploy the OPC UA Server Service
1. On the ribbon, select Galaxy, then select Configure.
2. Select System, then select Services.
   The Configure Services utility opens.
3. Expand the tree in the left-hand pane as needed. Right-click the instance name and select Check-out from the context menu.
4. Edit the port number for the OPC UA server instance. The default port is 48031.
5. Security Configuration (require encrypted communication): It is strongly recommended that you enable this option, as this will encrypt the payloads across the connection. Note that the client must match this configuration.
   Important! An OPC UA connection cannot be established if you do not enable this option while OS security is enabled, even if the option "Allow authenticated Galaxy Users to write attributes" (Step 7) is enabled.
6. Allow anonymous client connection: Allowing anonymous client connections is recommended ONLY for initial setup configurations and testing. Anonymous client connections should be disabled for production environments.
   If anonymous client connections are allowed and OS security is enabled for the Galaxy, anonymous client connections will be READ-ONLY.
   Refer to Client access rules and galaxy security to see the effect that this option has on data access in different scenarios.
7. Allow authenticated Galaxy Users to write attributes: Enabling this setting will only take effect when encrypted communication is also enabled (see Step 5, above). The OPC UA client must match this configuration.
8. The Assignments section (below the right pane) represents the platform nodes where the service configuration can be deployed. Select one or more runtime nodes where you want to deploy the OPC Server service, and then click Update.
9. Right-click the OPC UA Server service instance name and select Check-in from the context menu.
10. In the left pane, right-click the instance, and then select Deploy from the context menu, or press CTRL+D. A message appears indicating whether the service has been successfully deployed to the OPC UA server node. If deployment is successful, the icon next to the instance name changes to indicate that the instance has deployed.
To add additional OPC UA services
Each OPC UA service is dedicated to a single OPC UA server node. To add additional OPC UA services:
1. Right-click AVEVA.OPCUAService, and then select Create from the context menu, or press CTRL+N. The new instance appears in the tree structure.
   Note: Each instance must have a unique port number. Enter the port number in the Base Address field. The default port number is 48031. See Configuring Service TCP Ports for a list of port numbers used by ASB services.
2. Rename the OPC UA service as needed. Right-click on the service name and select Rename from the context menu, or press F2. Then, enter the new name.
3. Repeat the steps above for configuring and deploying each additional OPC UA service.
To change a deployed OPC UA service
1. Check out the service instance.
2. Make any needed changes.
   - Port Number: If you are creating multiple services, each service instance should have a unique port number. If more than one service has the same port number, an error is generated in the logger. Multiple instances of the service can be deployed, as long as each service has a unique port number. A new URI (uniform resource identifier) is automatically generated when a port number is changed.
     Note: You may need to open the inbound port in the firewall to allow communication with the remote node.
   - Security Configuration: When enabled (default), communication between OPC UA clients and the OPC UA server is encrypted. This is the recommended setting. If this setting is unchecked (disabled), communication is not encrypted.
   - Client Access Rules:
     - When Allow anonymous client connection is enabled (default), an anonymous OPC UA client is allowed to connect to the OPC UA server. This is recommended only for testing and initial setup configurations. Once you have completed configuration and/or testing, be sure to disable this setting to provide protection against possible unwanted intrusions and to ensure that only authenticated users have access. Anonymous client connection should not be enabled in a production environment.
       Galaxy Security settings do not have any effect on these behaviors. See Configuring Security for more information.
     - When Allow authenticated Galaxy user to write to attributes is enabled (default), an authenticated Galaxy user can change attribute values in run time, if their security role allows them to do so. See About Roles for more information.
       When Allow authenticated Galaxy user to write to attributes is unchecked (disabled), an authenticated Galaxy user is not permitted to change attribute values in run time, even if their security role allows them to do so.
     - See Client access rules and galaxy security for more information about user permissions for each setting combination.
3. Check in the service or services.
4. Undeploy and then redeploy the service or services.
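
The setting interactions from the configuration steps and the unique-port rule from the change procedure, written as a pre-deployment review over a planned set of service instances. This is an added example, not AVEVA code or an AVEVA export format: the `audit_services` function, the dictionary keys and the instance names are hypothetical, and the sample data is constructed.

```python
from collections import Counter

def audit_services(services, os_security_enabled, production=True):
    """Return (instance name, finding) pairs for planned OPC UA service instances.

    `services` is a list of dicts with hypothetical keys: name, port,
    require_encryption, allow_anonymous, allow_authenticated_write.
    Only rules stated on this page are checked.
    """
    findings = []
    port_counts = Counter(s["port"] for s in services)
    for s in services:
        name = s["name"]
        # Each instance needs its own port; duplicates produce a logger error.
        if port_counts[s["port"]] > 1:
            findings.append((name, f"port {s['port']} is shared with another instance"))
        if not s["require_encryption"]:
            findings.append((name, "payloads are not encrypted"))
            # With OS security on, an unencrypted configuration cannot connect at all.
            if os_security_enabled:
                findings.append((name, "no OPC UA connection can be established: "
                                       "OS security is on but encryption is off"))
            # The write setting only takes effect together with encryption.
            if s["allow_authenticated_write"]:
                findings.append((name, "authenticated write has no effect without encryption"))
        if s["allow_anonymous"]:
            if production:
                findings.append((name, "anonymous connections should be disabled in production"))
            if os_security_enabled:
                findings.append((name, "anonymous clients will be read-only"))
    return findings

# Constructed sample: three planned instances, not taken from a real Galaxy.
SAMPLE = [
    {"name": "OPCUA_Line1", "port": 48031, "require_encryption": True,
     "allow_anonymous": False, "allow_authenticated_write": True},
    {"name": "OPCUA_Line2", "port": 48031, "require_encryption": False,
     "allow_anonymous": True, "allow_authenticated_write": True},
    {"name": "OPCUA_Test", "port": 48032, "require_encryption": True,
     "allow_anonymous": True, "allow_authenticated_write": False},
]

if __name__ == "__main__":
    for name, finding in audit_services(SAMPLE, os_security_enabled=True):
        print(f"{name}: {finding}")
```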