Configure an OPC UA data source object
- Last UpdatedJan 16, 2025
OI Gateway provides a convenient method for configuring the security certificates on the server and client OPC UA nodes.
To access the OI Gateway
-
From the Start Menu on the run-time node, open the Operations Control Management Console (OCMC) (Start > AVEVA > Operations Control Management Console).
-
In the console tree, navigate to the OI.GATEWAY.3 node under Operations Integration Supervisory Servers.
To add an OPC UA data source object to your Gateway Communication Driver Hierarchy
-
Right-click Configuration in the hierarchy, and select Add OPCUA Connection from the shortcut menu.
A new object is created in the hierarchy tree.
-
The OPCUA Connection object is named "New_OPCUA_000" by default. Rename it, if desired.
Step 1: To Configure the OPCUA Server Details
Use the OPCUA Server Details section of the OPC UA editor to configure the OPC UA Server. Ensure that the configuration on the OPCUA faceplate matches the configuration settings in the OPCUA Server to which you are connecting.
Prerequisites:
Before configuring the OPC UA Server Details, ensure that you have the following details:
-
If the OPC UA server can be directly connected:
-
OPC UA Server Endpoint URL: Required for the OPC UA client to connect to the OPC UA server. Note down the endpoint from your OPC UA server. At a minimum, you need the IP address (or host name) of the OPC UA server.
The Gateway Communication Driver can also connect to an OPC UA server in an IPv6 network by entering the link-local IPv6 address of the machine on which the OPC UA server runs. An IPv6 address must be enclosed in square brackets in the URL (for example opc.tcp://[fe80::1]:4840/<Server Name>) so that its colons are not mistaken for the port separator.
The general syntax of the OPC UA Server Endpoint URL is:
opc.tcp://<IP address or host name of the OPC UA Server>:<Port number>/<Server Name>
-
OPC UA Server Certificate: Required to establish a trust relationship between the OPC UA server and the OPC UA client. You can import the OPC UA server's digital certificate directly, or the Gateway Communication Driver can download the certificate from the OPC UA server. Review the certificate before trusting it: the download itself gives no assurance that the certificate is genuine, so compare its thumbprint with the value obtained from the server administrator through an independent channel.
-
Security Policy: Indicates the encryption policy used for the connection. Note down the security policy used by the OPC UA server.
-
User Authentication: If your OPC UA server is configured with the User name and Password, then you need to enter the same user credentials for the OPC UA connection. Note down the User name and Password that is used in your OPC UA server.
-
-
If the OPC UA server is protected by a firewall and cannot be directly connected, you can use the OPC UA Reverse Connect feature where the OPC UA server can be configured to initiate the connection to the Gateway Communication Driver:
-
Gateway Communication Driver Endpoint URL: Required while using Reverse Connect to allow the OPC UA Server to initiate a connection with the Gateway Communication Driver. Note down the complete endpoint URL as mentioned in the OPC UA server for the reverse connect client URL.
-
To configure the OPC UA Server details

-
In the Server Node field, browse the Server Node using the browse button (...), or enter the server node name or the IP address.
-
OPC UA Server Endpoint URL field: If you know the endpoint exposed by the OPC UA server, you can enter it manually. If the OPC UA server supports local discovery through the OPC UA defined port 4840, you can leave this field blank. When you select the ellipsis (...) button, the Endpoint Selection dialog is displayed so that you can choose among the endpoints supported by the OPC UA server. Be sure to select the View Certificate button in the Endpoint Selection dialog to confirm that the digital certificate belongs to the OPC UA server you are connecting to. Select an endpoint by selecting an entry in the list and then OK, or by double-clicking the entry.

-
In the OPC UA Server Certificate field, select the Import button to add the OPC UA server certificate, or enter the details manually. Select the certificate that you have downloaded from your OPC UA server and select OK. In the Certificate Import window that appears, select View Certificate to verify if you have selected the correct certificate, and then select Accept to trust the certificate. You can also select View if you wish to see the certificate details after trusting the certificate.
Important: Importing a certificate from an untrusted source may incur a security risk. Review the certificate before accepting it. If it is issued by a certificate authority, confirm that the authority is one you trust; for a self-signed server certificate, which is common in OPC UA, check its thumbprint against the value obtained from the server administrator through an independent channel.
-
If the OPC UA Server is protected by a network firewall and also supports OPC UA Reverse Connect, select the Use Reverse Connect (OPC UA Server will initiate connection to OI Gateway) checkbox. The OPC UA Reverse Connect feature enables the OPC UA server to initiate a connection with the Gateway Communication Driver. In a secure environment, inbound connections to the OPC UA server are restricted because the server operates behind a firewall. With Reverse Connect, the connection is made outbound from the OPC UA server to the client, so no inbound rule is needed on the server side. This field is optional. If you do not select this option, you can skip to step 6.
-
If you select the Use Reverse Connect (OPC UA Server will initiate connection to OI Gateway) checkbox in the above step, the OI Gateway Endpoint URL field is enabled. This is the endpoint on which the Gateway Communication Driver listens for the incoming connection from the OPC UA server. Make sure the port specified in this URL is not blocked by the local firewall of the Gateway Communication Driver computer. An inbound rule may need to be created in the firewall settings to open the specific local port for TCP connections; scope that rule to the address of the OPC UA server rather than to all remote hosts, so that the listener is reachable only from the server that is meant to use it. The URL must have the same value as the endpoint URL configured in the OPC UA server for Reverse Connect.
The general convention for the URL is: opc.tcp://<hostname>:<port>/<reference>
where,
<hostname>: machine host name
<port>: tcp port number that is available and opened at the firewall
<reference>: a unique string that identifies this connection. Ensure that this string is unique across reverse connection strings in any instances and hierarchies of Gateway Communication Driver on the same machine.
-
Select Test Connection to establish the connection between the OPC UA Server and Gateway Communication Driver. When Reverse Connect is used to listen to any connection from the OPC UA server, a progress dialog will be displayed. The OPC UA server will need to connect to OI Gateway within 120 seconds to avoid any connection time-out in the progress dialog.
Once the connection is established, the Advanced Configuration section is minimized and the updated OPC UA Namespace section is displayed.
Note: When using Reverse Connect, the Gateway Communication Driver has an internal time-out of 120 seconds while awaiting the connection initiated from the OPC UA server. You can cancel the test at any time by selecting Cancel.
-
Select the Allow Optional Data Type Suffix in Item Name check-box to add data type as a suffix to an item name. This parameter is hot configurable. For more information about OPC UA data item names, access the OPC UA Tag Browser or see OPC UA Item Names and Syntax.
For errors while connecting to the OPC UA Server, see Connectivity with the OPC UA Server in the Troubleshooting chapter.
Step 2A: Advanced Configuration (If using secured OPC UA connection)
Use the Advanced Configuration section of the OPC UA editor to set the OPC UA connection security parameters: Security Policy, Security Message Mode, and User Credentials. Select the arrow next to Advanced Configuration to expand or collapse the section.

To configure the OPCUA Security
Before configuring the OPC UA security parameters, check the security configuration of the OPC UA server so that the settings on both sides match.
-
Item Validation Retries
Item Validation Retries lets you configure how item validation is retried.
-
Retry Attempts: Indicates the number of Retry attempts for the validation. The valid range is between -1 to 10000000. The default value is -1.
-
Retry Period: Indicates the retry period (in minutes) for each retry of the item validation. The valid range is 1 to 10000000. The default value is 1 minute.
-
-
Security Policy
The Security Policy indicates the encryption policy used for the connection.
-
None: No encryption is applied.
-
Basic256Sha256: Indicates that Basic256Sha256 security is applied.
-
Aes128_Sha256_RsaOaep: Indicates that Aes128_Sha256_RsaOaep is applied.
-
Aes256_Sha256_RsaPss: Indicates that Aes256_Sha256_RsaPss is applied.
-
Basic128Rsa15 (deprecated): Indicates that Basic128Rsa15 security is applied.
-
Basic256 (deprecated): Indicates that Basic256 security is applied.
Note: It is strongly recommended to use one of the security policies Basic256Sha256, Aes128_Sha256_RsaOaep or Aes256_Sha256_RsaPss to encrypt communication with the server. Encryption is critically important when passing a user name and password to an OPC UA server. The legacy policies Basic128Rsa15 and Basic256 are no longer considered secure and are classified as deprecated. While those deprecated policies may be preferable to no encryption at all, use a more secure policy whenever the target OPC UA server supports it.
-
-
Security Message Mode
The Security Message Mode indicates the message mode of the connection. If the Security Policy is set to None, the Security Message Mode is Not Applicable. If the Security Policy is set to any option other than None (Basic256Sha256, Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss, or the deprecated Basic128Rsa15 and Basic256), the Security Message Mode options Sign and Sign and Encrypt become available for selection.
-
Sign: All messages are signed but not encrypted.
-
Sign and Encrypt: All messages are signed and encrypted. This is the most secure option and is the recommended setting; Sign alone protects integrity but leaves message contents readable on the wire.
-
-
User Credentials
This section allows you to configure the user credentials for the OPC UA connection. Select the Anonymous User checkbox to allow the OPC UA client to connect to the OPC UA server without credentials. If your OPC UA client wants to connect to an OPC UA server that does not support anonymous connections, the OPC UA client must provide a valid user name and password. Clear the checkbox to provide a user name and password in their respective fields.
Note: If a user name and password are configured for the connection with the OPC UA Server, it is recommended to configure an appropriate security policy (Basic256Sha256, Aes128_Sha256_RsaOaep or Aes256_Sha256_RsaPss) to ensure that the user name and password values are fully encrypted.
-
Once you configure all the fields, select the Save icon to save your configuration.
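As an added example (not code from OI Gateway or AVEVA), the following Python applies the rules from Step 1 and Step 2A to a GetEndpoints-style endpoint list: it parses the opc.tcp endpoint URL syntax including the bracketed IPv6 form, discards endpoints whose policy is deprecated or whose policy and message mode are inconsistent, prefers Sign and Encrypt over Sign, and refuses to hand over a user name and password unless the chosen channel is Sign and Encrypt. The endpoint list, host names, the 4840 default port and the relative ranking of the three modern policies are assumptions made for the example; the policy URIs and the numeric message security modes are those defined by the OPC UA specification.

```python
"""Choose the strongest usable OPC UA endpoint and gate username/password use on it.

Added example for this page, not OI Gateway or AVEVA code. The endpoint
list is constructed to resemble a GetEndpoints response; policy URIs and
the numeric MessageSecurityMode values (None=1, Sign=2, SignAndEncrypt=3)
are those of the OPC UA specification. The ranking of the three modern
policies against each other is this example's own choice (assumption).
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"

# Higher rank is stronger. Deprecated policies sit below the modern ones,
# None at the bottom.
POLICY_RANK = {
    "Aes256_Sha256_RsaPss": 5,
    "Basic256Sha256": 4,
    "Aes128_Sha256_RsaOaep": 3,
    "Basic256": 2,        # deprecated
    "Basic128Rsa15": 1,   # deprecated
    "None": 0,
}
DEPRECATED = {"Basic256", "Basic128Rsa15"}

MODE_NONE, MODE_SIGN, MODE_SIGN_ENCRYPT = 1, 2, 3


@dataclass(frozen=True)
class Endpoint:
    url: str
    policy_uri: str
    mode: int

    @property
    def policy(self) -> str:
        """Short policy name, e.g. 'Basic256Sha256', taken from the policy URI."""
        return self.policy_uri.rsplit("#", 1)[-1]


def parse_endpoint_url(url: str) -> tuple[str, int, str]:
    """Split an opc.tcp URL into (host, port, path).

    IPv6 literals must be written in square brackets ([fe80::1]) in the URL;
    urlsplit() returns the address without the brackets. A missing port is
    taken as 4840 (assumption: the IANA-registered OPC UA port).
    """
    parts = urlsplit(url)
    if parts.scheme != "opc.tcp":
        raise ValueError(f"unsupported scheme in {url!r}")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    port = 4840 if parts.port is None else parts.port  # .port raises ValueError on a bad port
    return parts.hostname, port, parts.path


def is_usable(ep: Endpoint, allow_deprecated: bool = False) -> bool:
    """Reject unknown policies, deprecated ones (unless allowed) and
    policy/mode pairs that make no sense."""
    pol = ep.policy
    if pol not in POLICY_RANK:
        return False                       # unknown policy: do not guess
    if pol == "None":
        return ep.mode == MODE_NONE        # policy None only pairs with mode None
    if pol in DEPRECATED and not allow_deprecated:
        return False
    return ep.mode in (MODE_SIGN, MODE_SIGN_ENCRYPT)


def choose_endpoint(endpoints: list[Endpoint], allow_deprecated: bool = False) -> Endpoint | None:
    """Prefer Sign and Encrypt over Sign, then the stronger policy. A
    SignAndEncrypt channel on a weaker modern policy beats a Sign-only
    channel on a stronger one, because Sign alone leaves payloads readable."""
    usable = [e for e in endpoints if is_usable(e, allow_deprecated)]
    if not usable:
        return None
    return max(usable, key=lambda e: (e.mode == MODE_SIGN_ENCRYPT, POLICY_RANK[e.policy], e.mode))


def credentials_allowed(ep: Endpoint) -> bool:
    """Only hand a user name and password to a Sign and Encrypt channel,
    which is the rule the page recommends for user credentials."""
    return ep.policy != "None" and ep.mode == MODE_SIGN_ENCRYPT


# Constructed sample, not captured from a real server (assumed host names).
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc01.example.local:4840/UA/Server", POLICY_BASE + "None", MODE_NONE),
    Endpoint("opc.tcp://plc01.example.local:4840/UA/Server", POLICY_BASE + "Basic128Rsa15", MODE_SIGN_ENCRYPT),
    Endpoint("opc.tcp://plc01.example.local:4840/UA/Server", POLICY_BASE + "Basic256Sha256", MODE_SIGN),
    Endpoint("opc.tcp://plc01.example.local:4840/UA/Server", POLICY_BASE + "Basic256Sha256", MODE_SIGN_ENCRYPT),
    Endpoint("opc.tcp://[fe80::1]:4840/UA/Server", POLICY_BASE + "Aes256_Sha256_RsaPss", MODE_SIGN),
]

if __name__ == "__main__":
    best = choose_endpoint(SAMPLE_ENDPOINTS)
    print("selected:", best.policy, "mode", best.mode, parse_endpoint_url(best.url))
    print("credentials allowed:", credentials_allowed(best))
    for ep in SAMPLE_ENDPOINTS:
        print(f"{ep.policy:24} mode={ep.mode} usable={is_usable(ep)} creds_ok={credentials_allowed(ep)}")
```

Note that with allow_deprecated=True the deprecated Basic128Rsa15 Sign and Encrypt endpoint would outrank a modern Sign-only endpoint, which is exactly the trade-off the page describes: an old policy with encryption is better than none, but a modern policy with Sign and Encrypt should be chosen whenever the server offers it.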
Step 2B: Trusting the gateway communication driver OPC UA certificates with the OPC UA server
When using a secured connection to the OPC UA Server, the Gateway Communication Driver node must be trusted by the OPC UA Server. In addition to the procedure in Step 1: To Configure the OPCUA Server Details for trusting the OPC UA server, you can also trust the certificate manually.
Follow the steps below to trust the Gateway Communication Driver node.
-
Open the OPC UA configuration.
-
To check that the configuration on the OPC UA faceplate matches the configuration settings in the OPC UA Server to which you are trying to connect, select Test Connection.
A new Gateway Communication Driver OPC UA certificate is automatically copied to the OPC UA Server.
-
Follow the OPC UA Server workflow to trust the new certificate that was published to it.
-
Return to the OPC UA Configuration screen and select Test Connection to ensure that the connection now succeeds.
Note: If you are upgrading from a version older than 5.2, you must trust the certificate again as explained above. It is recommended to download the OPC UA Server Certificate directly, and import it while configuring the OPC UA Server details. This ensures that the certificate is genuine.
Step 2C (Optional): Specify your own certificate for the Gateway Communication Driver
If you want to use your own certificates (self-signed or CA-signed), as a certificate for the Gateway Communication Driver, follow the steps below:
-
Gateway Communication Driver uses a digital certificate named "OIGateway OPCUA". To use your own certificate, replace the existing Gateway Communication Driver certificate files with your own, keeping the existing "OIGateway OPCUA" file name.
-
You must replace the public certificate and the private key in the respective folders:
-
Public certificate (.der file): C:\ProgramData\Wonderware\OI-Server\$Operations Integration Supervisory Servers$\OI.GATEWAY\CertificateStores\certs\OIGateway OPCUA.der
-
Private key (.pem file): C:\ProgramData\Wonderware\OI-Server\$Operations Integration Supervisory Servers$\OI.GATEWAY\CertificateStores\private\OIGateway OPCUA.pem
The self-signed certificate has a validity of ten years from the date it is generated and carries the machine name, as the OPC UA specification requires for application instance certificates. A replacement certificate must meet the same requirements (the host name and the application URI in the Subject Alternative Name, with the URI matching the application URI the client presents to the server), or the OPC UA server will reject it. Restrict file-system permissions on the private key file so that only the account running the Gateway Communication Driver can read it; anyone who can read that file can impersonate the Gateway to the OPC UA server.
-
-
Follow the steps in section 2B.
OPC UA Namespace
The OPC UA Namespace section of the OPC UA editor displays the Namespace alias table for the Namespace URIs present in the OPC UA Server to which the OPC UA Client is connected. The OPC UA Namespace is defined and exposed by the OPC UA server. Each namespace is identified by an index ID. You can define an alias name for a namespace according to the following rules:
-
The alias name must be defined for a namespace URI exposed by the OPC UA server.
-
The alias name must be in string format.
-
There can be no more than one alias per namespace.
-
The same alias cannot be given to two OPC UA namespaces.
-
The alias must not conflict with any other namespace display name.

The Namespace grid displays the following information:
| Column name | Description |
| --- | --- |
| Index | Displays the Namespace index for the Namespace URI present in the OPC UA Server. The default Namespace is marked with * after the Index. Items in the default Namespace can be referenced in the item syntax without the alias or the Namespace name. |
| Alias | Displays the alias name for the Namespace URI available in the OPC UA Server. You can change this name during configuration. The Alias box cannot be blank. You can use the "_" and "#" special characters in the alias name. You cannot create duplicate alias names. |
| Namespace URI | Displays the Namespace URI imported from the OPC UA Server. This information cannot be edited. |
| Tag Prefix | Here you can add a common prefix for an item reference. To add a prefix, double-click anywhere in the cell under the Tag Prefix column and enter the desired prefix. A maximum of 250 characters is allowed. |
To edit the OPC UA namespace
-
Right-click the Namespace URI you want to set as the default, and then select Set as Default Namespace. The Index will then be appended with an asterisk (*) to indicate the default Namespace URI.
-
In the Alias text box of the selected Namespace, type an alias name for the Namespace URI.
-
Save the OPC UA configuration.