Configure and deploy the OPC UA service

The AVEVA OPC UA Service provides access from an OPC UA client to Application Server data, without the need for the Galaxy Browser, a gateway, or other protocol translation mechanism.

To configure and deploy the OPC UA Server Service

1. On the IDE ribbon, select Galaxy then select Configure

2. Select System, then select Services.

3. The Configure Services utility opens.

   

4. Expand the items in the left-hand pane as needed. Right-click the OPC UA service name and select Check-out from the context menu.

5. Edit the port number for the OPC UA instance if necessary. The default port is 48031.

6. Security configuration

   • Require encrypted communication: It is strongly recommended that you enable this option, as this will encrypt the payloads across the connection. Note that the client must match this configuration.

     Important! An OPC UA connection cannot be established if you do not enable this option while OS security is enabled, even if the option "Allow authenticated Galaxy Users to write attributes" (under Step 7) is enabled.

7. Client access rules

   • Anonymous client connection: Allowing anonymous client connections is recommended ONLY for initial setup configurations and testing. Anonymous client connections should be disabled for production environments. Refer to Client access rules and galaxy security to see the effect that this option has on data access.

   • Allow authenticated Galaxy Users to write attributes: Enabling this setting will only take effect when encrypted communication is also enabled (see Step 6, above). The OPC UA client must match this configuration.

8. The Assignments section (below the right pane) shows both the local node and deployed remote runtime nodes to which the OPC UA service can be assigned. Select the checkmark next to the runtime node where you want to deploy the OPC Server service, and then select Update.

9. In the left pane, right-click the OPC UA service instance name and select Check-in from the context menu.

   

10. Right-click the instance again to open the context menu and select Deploy, or press CTRL+D. A message appears indicating whether the service has been successfully deployed to the OPC UA client node. If deployment is successful, the icon next to the instance name changes to indicate that the instance has deployed.

11. If you have deployed the service to a remote node, you can verify functionality through the Operations Control Management Console.

    1. Under Operations Integration Server Manager, select the remote node name.

    2. Expand Operations Integration Supervisory Servers and select the OPCUA Client (under OI.GATEWAY.3). Check the following settings:

       • Server Node: localhost

       • OPCUA Server: opc.tcp://localhost:48031

To add additional OPC UA services

Each OPC UA service is dedicated to a single OPC UA client node. To add additional OPC UA services:

12. Right-click AVEVA.OPCService, and then select Create from the context menu, or press CTRL+N. The new instance appears in the tree structure.

    Note: Each instance must have a unique port number. Enter the port number in the Base Address field. The default port number is 48031. See Configuring ArchestrA Service TCP Ports for a list of port numbers used by ASB services.

13. Rename the OPC UA service as needed. Right-click on the service name and select Rename from the context menu, or press F2. Then, enter the new name.

14. Repeat the steps above for configuring and deploying each additional OPC UA service.

To change a deployed OPC UA service

15. Check out the service instance.

16. Make any needed changes.

    • Port Number: If you are creating multiple services, each service instance should have a unique port number. If more than one service has the same port number, an error is generated in the logger. Multiple instances of the service can be deployed, as long as each service has a unique port number. A new URI (uniform resource identifier) is automatically generated when a port number is changed.

      Note: You may need to open the inbound port in the firewall to allow communication with the remote node.

    • Security Configuration: When enabled (default), communication between OPC UA clients and the OPC UA server is encrypted. This is the recommended setting. If this setting is unchecked (disabled), communication is not encrypted.

    • Client access rules

      Allow anonymous client connection (enabled): When enabled (default), an anonymous OPC UA client is allowed to connect to the OPC UA server. This is recommended only for testing and initial set up configurations. Once you have completed configuration and/or testing, be sure to disable this setting to provide protection against possible unwanted intrusions and to ensure that only authenticated users have access. Anonymous client connection should not be enabled in a production environment.
      
      Galaxy Security settings do not have any affect on these behaviors. See Configure security for more information.

      Allow authenticated Galaxy user to write to attributes (enabled): When enabled (default), an authenticated Galaxy user can change attribute values in runtime, if their security role allows them to do so. See About roles for more information.
      
      Allow authenticated Galaxy user to write to attributes (disabled): When disabled (unchecked), an authenticated Galaxy user is not permitted to change attribute values in runtime, even if their security role allows them to do so.

      See Client access rules and galaxy security for more information about user permissions for each setting combination.

17. Check in the service or services.

18. Undeploy and then redeploy the service or services.