Connecting to the inmation OPC UA Server
This example will show you how to establish a connection to the inmation OPC UA server using an OPC UA client. The first steps involve setting up an instance of the inmation OPC UA Server and creating an endpoint, after that we use the freely available Unified Automation UaExpert client to connect to the server. For more information on the inmation OPC UA Server, please visit the Server Service - UA Server page.
The first step is to enable the Server object. Select the Server object in the Server Model (it has the same name as your host machine and should be disabled). Right-click and select or use the shortcut (
Right-click the Server object again and select to open the Create Object Wizard.
Enter a name for the OPC UA Server and click Next.
Figure 1. Create OPC UA TCP Server Wizard
On the Communication page of the wizard, enter a Listener Port that is not being used by another application or service (default is 4840).
Figure 2. Create OPC UA TCP Server Wizard - Communication Options
The Bind to Address and Discovery Path properties are left empty here but can be configured for your particular UA client or system.
Click Create to create the OPC UA TCP Server object in the Server Model.
Figure 3. Server Model - OPC UA TCP Server Object
The OPC UA TCP Server is now created; however, an endpoint is still needed before an external OPC UA client can establish a session. The endpoint specifies the security policy, the message security mode and the supported user token policies. For this example, we use the simplest case: no security mode and the Anonymous User Token policy.
Select the OPC UA TCP Server object in the Server Model. Right-click and select to open the Create Object wizard.
Enter a name for the Endpoint object, then click Next.
Figure 4. Create Endpoint Wizard - Common
On the Communication page of the Create Endpoint wizard, you can enter an Endpoint Path (see the note below for details). To keep this example simple, we leave the field blank. Click Next to go to the User Token Policies page of the wizard.
Figure 5. Create Endpoint Wizard - Communication
If an Endpoint Path is entered, it is appended to the endpoint URL that you use to connect with a UA client. For example, if "myendpoint" is added as the Endpoint Path property, then the endpoint URL used by the client will be
On the User Token Policies page, expand the "Anonymous Policy" option and select the "Enable" checkbox. Also fill out the Profile and Password fields. This maps onto an existing Profile object, so enter the credentials of a Profile that is allowed access to the system. We leave the Security Policy as null for the moment.
Figure 6. Create Endpoint Wizard - User Token Policies
As mentioned above, the Anonymous Policy can be mapped to any existing Profile in the Access Model (see the Access Model Hands On section for more information on creating profiles and users). When Object Level Security is set, the UA Server grants a profile exactly the permissions defined for it in the Access Model. In this way the Anonymous User Token Policy can be used to restrict which parts of the namespace a UA client can reach.
Click Create to create the Endpoint object in the Server Model tree. The Server Model should look like the example below:
Figure 7. Server Model Tree - OPC UA Server and Endpoint
Using the configuration set up above, we can connect to the inmation OPC UA server with an external UA client using the anonymous user token policy and no security policy. You can check the connection with any UA client of your choice; here the connection is demonstrated with the Unified Automation UaExpert client.
Open UaExpert and select Servers in the Project window. Right-click and select Add from the context menu to open the Add Server dialog.
Figure 8. UaExpert - Adding a Server
In the Add Server dialog, find the Custom Discovery section. Double-click where indicated to enter the Discovery URL.
Figure 9. UaExpert - Add Server Dialog
In the Discovery URL dialog, enter the name of the machine hosting the server. For this example we can just enter "localhost". Click OK to return to the Add Server dialog.
Figure 10. UaExpert - Discovery URL
Back in the Add Server dialog, make sure that the "Anonymous" Authentication Settings are selected and click OK to return to the main window.
The communication Port should be entered automatically; if it is not, return to the Add Server dialog and enter the full endpoint URL, including the Port, in the Advanced tab. For example:
The system UA server should now be visible under Servers in the Project panel of the main UaExpert window. Select it, then right-click and select Connect from the context menu.
Figure 11. UaExpert - Connect to Server
The Certificate Validation window will open, allowing you to add the system UA Server certificate to the client's trusted list. Click "Trust Server Certificate" to do this.
Figure 12. UaExpert - UA Server Certificate Validation
Click Continue to return to the main window. In the Address Space panel, expand the Root node to browse the namespace.
Drag some I/O items to the Data Access panel to see the values updating.
Figure 13. UaExpert - Connected UA Server with Updating Values
How much of the namespace can be browsed depends on the Profile used when setting up the Anonymous User Token policy of the endpoint. Using the system owner "so" profile we can see the entire namespace in all model panels. Change the profile and password in the Anonymous User Token policy section of the UA Server endpoint to use the Guest Users profile that was created in the Access Model Hands On section.
Click Apply to confirm the changes, then return to the UaExpert client. Disconnect from the server and reconnect, this time using the Guest Users profile. Browsing the I/O model now only allows access to the part of the namespace that Object Level Security permits for the Guest Users profile in the Access Model panel.
To use Profiles directly as authentication in the UA client you must first enable the User Name Token Policy in the UA Server Endpoint. To do this, check the box in the Object Properties panel of the endpoint.
Click Apply to confirm the changes, then switch to the UaExpert client, open the properties for the server and change the Authentication Settings to Username and Password. Click OK to confirm the changes.
Now, when you connect to the Server, the User Credentials dialog will appear. Enter a Profile as Username and the correct password to connect.
Once connection is achieved, the sections of the namespace that are permitted for that profile can be browsed successfully.
Different security policies and security modes can be applied to connections to the system UA Server. If the server connection is configured with a security policy, then the UA client connecting to it must present a certificate, and that certificate must be trusted by the system UA server before the connection can succeed. The security policy is configured on the Endpoint object in the Object Properties panel of DataStudio. All security policies (except "None") require a client certificate in addition to the server certificate used for the connection above. To change the security policy configuration of your endpoint, select it in the Server Model and open the Communication menu in the Object Properties panel. Select a Security Policy (other than "None") from the drop-down menu and change the security mode to Sign and Encrypt.
|If you are already connected to the server with a client, any change in the security policy on the server side will disconnect the client. Security settings have to be configured on the client side to reestablish connection to the server.|
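The endpoint settings discussed above (security policy, message security mode and user token policies, including the anonymous policy described in the endpoint section) are worth auditing before clients are allowed in. The following is an added example, not code from the inmation documentation or product: a small Python checker that flags weak combinations over constructed GetEndpoints-style records. The endpoint_url helper and the Endpoint record are assumptions made for illustration; only the policy URIs are real OPC UA values.

```python
# Added example (not from the inmation documentation). The records below are
# constructed to mirror the fields a client sees in a GetEndpoints response;
# the Endpoint class and endpoint_url helper are hypothetical.
from dataclasses import dataclass, field

POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_B256S = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"


def endpoint_url(host, port=4840, path=""):
    """Build the opc.tcp URL from host, Listener Port and optional Endpoint Path."""
    path = path.strip("/")
    return f"opc.tcp://{host}:{port}" + (f"/{path}" if path else "")


@dataclass
class Endpoint:
    url: str
    security_policy: str                 # secure-channel security policy URI
    security_mode: str                   # "None", "Sign" or "SignAndEncrypt"
    token_types: list = field(default_factory=list)   # "Anonymous", "UserName", ...
    token_policy: str = POLICY_NONE      # effective policy protecting the user token


def audit_endpoint(ep):
    """Return a list of findings for one endpoint; an empty list means acceptable."""
    findings = []
    if ep.security_policy == POLICY_NONE or ep.security_mode == "None":
        findings.append("no transport security: messages are neither signed nor encrypted")
    elif ep.security_mode == "Sign":
        findings.append("messages are signed but not encrypted")
    if "Anonymous" in ep.token_types:
        findings.append("anonymous logon allowed: access is bounded only by the mapped profile")
    if ("UserName" in ep.token_types and ep.security_mode == "None"
            and ep.token_policy == POLICY_NONE):
        findings.append("username/password would travel in cleartext")
    return findings


def audit(endpoints):
    """Audit every endpoint; returns (url, mode, findings) tuples for reporting."""
    return [(ep.url, ep.security_mode, audit_endpoint(ep)) for ep in endpoints]


# Constructed sample: the initial endpoint from this page, then a hardened one.
URL = endpoint_url("localhost", 4840, "myendpoint")
SAMPLE = [
    Endpoint(URL, POLICY_NONE, "None", ["Anonymous"]),
    Endpoint(URL, POLICY_B256S, "SignAndEncrypt", ["UserName"], POLICY_B256S),
]

if __name__ == "__main__":
    for url, mode, findings in audit(SAMPLE):
        print(url, mode, findings or ["ok"])
```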
In the UaExpert client, open the server's connection properties and change the Security Policy and Message Security Mode fields to match those configured for the Endpoint in the previous step (you can use the Anonymous or User Name policy). Click OK to close the dialog.
Try to connect to the server in UaExpert. You will receive the error "Connecting failed with error 'BadSecurityChecksFailed'". The connection fails because the UaExpert client's self-signed certificate is rejected by the system UA server, which is configured to reject all client certificates. To change this configuration, select the UA Server object in the Server Model of DataStudio and open the Certificate Management menu.
Certificate Management syncs with the certificate store (found in the inmation.root > certificates directory) and displays the trusted and rejected certificates from the store. The certificate rejected during the failed UaExpert connection is displayed and can be found in the inmation.root > certificates > rejected directory.
|A record of the rejected certificate is also entered into the system log. Open a log display (right click on the UA server object and select Admin > Open Log > last 30 mins) and double click on the information entry to view details of the rejected certificate. All rejected certificates can be evaluated before allowing connection.|
To trust the UaExpert Client certificate, select Trust from the Trust Mode drop-down menu in the Certificate Management settings and click Apply.
Now try to connect to the system server in the UaExpert client. The first connection attempt will fail, but the UaExpert client certificate will be moved to the trusted certificates directory of the local certificate store (inmation.root > certificates > certs).
Try again to connect to the server with UaExpert. This time the connection will succeed and you can browse the server namespace using UaExpert. The Trust Mode of the system UA server can then be returned to Reject to prevent any other client certificates from being accepted.
|Rejected certificates can also be moved manually from the "rejected" folder to the "certs" folder in the certificate store. When the client reconnects, the connection will succeed.|