
OmniServer UA Interface Tutorial

A Guide to Configuring the OmniServer OPC UA Server Settings


Table of Contents

INTRODUCTION

  Introduction to OPC UA

  Introduction to OmniServer

  Intended Audience

  Pre-requisites

CONFIGURING THE OMNISERVER UA SERVER SETTINGS

  Defining Endpoints

  Managing Instance Certificates

  Enabling Security

  Creating User Authentication Profiles

CONFIGURING THE UNIFIED AUTOMATION TEST CLIENT


Introduction

Introduction to OPC UA

The OPC Unified Architecture, also known as OPC-UA, is the latest open-standard architecture developed by the OPC Foundation to improve and expand interoperability standards in the Industrial Automation Industry.

Why do we need a new architecture to begin with? OPC-UA was the result of several advancements and changes in the way data was commonly being accessed and exchanged. Some changes that led to the need for a new architecture include:

• Microsoft’s COM and DCOM (the basis for previous standards) were deprecated and are now considered legacy technologies

• Web services gained importance in data exchange between machines and for communications to factory floor devices

• Earlier specifications were decoupled and did not integrate well, e.g. items in a Data Access server could not communicate directly with items in an Alarms and Events server.

OPC-UA is designed for exchanging information in an object-oriented manner, rather than as isolated data points. This increases the accessibility of your plant floor data by letting you re-use information stored in a common object. OPC-UA also incorporates a service-oriented model, which increases interoperability with other platforms and improves security.

OPC-UA is not a replacement for existing OPC-DA standards. Because of the layered design of this architecture it includes all the functionality of existing OPC-DA servers, but expands upon their functionality with a common interoperability layer. This interoperability layer unifies information exchange and provides a common interface for controlling processes.

What are the benefits of the new architecture? OPC-UA provides a way to connect clients and servers in a secure manner, without relying on Microsoft DCOM. This is a big advantage: because DCOM plays no role in data transport, you are no longer saddled with the headaches associated with having to configure DCOM. OPC-UA can also allow users to make secure connections through firewalls and over VPN connections. In addition, it expands the ability to provide factory floor information to other business systems, as a result of the object-oriented model described above.

Introduction to OmniServer

The OmniServer is a user configurable server designed to handle communications with devices that use non-standard communications protocols. OmniServer is a fully configurable I/O server which interprets the data coming in from a device and delivers the data to any client program that supports the major information exchanges.

OmniServer takes care of all the polling and data parsing for you, and does this without the use of a programming language. All you need to know is how you want to present the data to the outside world.

Intended Audience

This paper is intended for general audiences, including process control engineers and system integrators, who are interested in learning more about utilizing the OPC-UA capabilities of the OmniServer. This tutorial will show you how to configure the OmniServer OPC UA interface to allow OPC UA clients to connect and access data coming from your non-standard devices.

Pre-requisites

You will be required to have both the OmniServer 2.7 and the Unified Automation UaExpert Test Client downloaded and installed on your machine. In order to test your client connection to the OmniServer, you will also be required to have a valid OmniServer configuration. You can learn more about configuring the OmniServer in our Introduction to OmniServer guide.

You can download the latest version of the Unified Automation UaExpert test client from here. The instructions and screenshots in this paper were created with version 1.1.0.117 of the UaExpert client.


Configuring the OmniServer UA Server Settings

This section will provide a step-by-step guide for configuring the OmniServer UA interface to allow a UA client to connect.

1. Open the Clients section in the configuration window.

2. Double click on the OPC UA wedge. You can also right click and choose Properties. This will open the OPC UA Configuration window.

Defining Endpoints

With the OPC-DA Specification, servers were identified by their ProgID. In OPC-UA, this is done through what is called an endpoint, which more closely resembles a URL than the OPC-DA ProgIDs. This endpoint uses a machine name and a port number to identify the server. Different authentication and security settings can also be configured on the endpoint. Any one particular server can have multiple server endpoint definitions. You may want to define multiple endpoints if you want certain clients to connect on certain ports, or if you want some clients to only be able to connect locally, and some to be able to connect remotely.

1. To add a new endpoint definition, click on the Add button. This will open the Endpoint Properties page.

2. Under the General tab, select the Hostname from the drop-down list. The Default option will use the computer name in the endpoint definition and will make the server accessible from a remote client. The Local Only option will create an endpoint that can only be accessed by a UA client on the local machine. For this example, we will make a local only endpoint.

3. Specify the Port number that you want the UA client to connect over. The port number for our example is 27730.

4. You will see the full endpoint definition underneath the port, as shown in Figure 1 below. You will need to know this endpoint definition in order to connect with the client.


Figure 1: Endpoint Definition

Managing Instance Certificates

All endpoints within a particular server will share the same instance certificate. An instance certificate is a security certificate that grants permissions to clients to be able to connect to the server. This means that user validation is done on a per server instance basis, not per endpoint. Therefore, a client that has the server’s instance certificate will be able to connect to any endpoint configured in the server, provided that the client supports the type of encryption that the endpoint employs.

Each application that wants to establish a trust with the OPC UA server or client must have the appropriate public and private keys. The private key is protected, while the public key is placed into a certificate of distribution, called the Instance Certificate. Establishing a secure connection requires the client to have the server’s certificate, and the server to have the client’s certificate. This exchange is only required once for the duration of the certificate’s lifetime.

OmniServer provides two options for the storage location for Instance Certificates, referred to as the Certificate Store, as seen in Figure 1.

• The Open SSL Store is the default option and uses the Open SSL Certificate Authority system to manage and store Instance Certificates for OmniServer. Open SSL managed certificates are located at:

C:\Documents and Settings\All Users\Application Data\Software Toolbox\OmniServer\PKI\CA

• The Windows Certificate Store is the location where all Windows-managed certificates are stored. If you prefer that your OPC UA Instance Certificates for OmniServer be stored in the Windows Certificate Store, select this option.

Once you have selected the desired Certificate Store (we will use the default for this example), you can manage the Instance Certificate for OmniServer using the following steps.

1. Click on the Certificate tab in the Endpoint Properties window. You can create a new certificate by clicking on the Create New button.

2. In the Filename field give your certificate a name. We will use the name “MyTestCert”.

3. Fill in the appropriate information in the Organization, Location, Unit, State, and Country fields to identify your organization. You are not required to fill in any of these fields. Click OK to create the new certificate.

Figure 2: New Server Instance Certificate

Note: You can view all of the instance certificates (server and client) in the Client Certificates tab of the Endpoint Properties window.


Enabling Security

The settings on this tab designate what security policies the OmniServer will support for clients attempting to connect. For instance, by default any OPC UA client that uses Basic 128 Rsa 15 and Basic 256 security will be able to connect. If you select only the None option, any UA client application will be able to connect.

1. Click on the Security tab in the Endpoint Properties window.

2. Select the encryption methods you want to use for the client connection to the OmniServer. The UA client must support the encryption methods you select for it to be able to connect. In this example, we will only allow a client using Basic 256 encryption to connect. Uncheck None and Basic 128 Rsa 15 and leave Basic 256 checked.

Figure 3: Enable Security

3. When you are finished configuring your Endpoint, click OK to exit the Endpoint Properties window. You will see your new endpoint added to the Endpoints tab in the OPC UA Configuration window.


Figure 4: New Server Endpoint

Creating User Authentication Profiles

You can further restrict access to your server by enabling authentication profiles in the OPC UA configuration. Authentication is applied on the server level, meaning that the same authentication will be applied to all configured Endpoints.

1. In the OPC UA Configuration window, click on the Authentication tab.

2. Enable the Require User Authentication checkbox.

3. Click the Add button.

4. Enter a User Name and Password and confirm the password. We will use the User Name “Test”, and the password “Test”.


Figure 5: New User Name and Password

5. Click OK. You will see the Username “Test” appear in the box.

Figure 6: New User Authentication Profile

6. Click OK to complete the configuration of the OmniServer UA Client wedge.
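
The endpoint, security and authentication choices made in the sections above can be reviewed together before the server is put into service. The following Python sketch is an added example, not part of the original tutorial or of OmniServer: the `Endpoint` record, the `audit` function and the `PLANT-PC01` endpoint are hypothetical, and the settings are typed in by hand because the tutorial does not describe a configuration file format.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Endpoint:
    """Hypothetical record of one Endpoint Properties page (not an OmniServer file format)."""
    url: str              # full endpoint definition shown under the port
    policies: frozenset   # boxes checked on the Security tab

def is_local_only(url):
    """True if the endpoint host is loopback, as with the Local Only hostname option."""
    parts = urlsplit(url)
    if parts.scheme != "opc.tcp" or not parts.hostname or parts.port is None:
        raise ValueError(f"not an opc.tcp endpoint URL: {url!r}")
    if parts.hostname == "localhost":
        return True
    try:
        return ip_address(parts.hostname).is_loopback
    except ValueError:    # a machine name (Default option): reachable from remote clients
        return False

def audit(endpoints, require_user_auth, users):
    """Return (where, finding) pairs for settings that deserve a second look."""
    findings = []
    for ep in endpoints:
        scope = "local" if is_local_only(ep.url) else "remote"
        if not ep.policies:
            findings.append((ep.url, "no security policy selected"))
        elif ep.policies == {"None"}:
            findings.append((ep.url, f"only None selected: any {scope} UA client can connect"))
        elif "None" in ep.policies:
            findings.append((ep.url, f"None still checked: {scope} clients may skip signing and encryption"))
    # Authentication is applied at server level, so it covers every endpoint.
    if not require_user_auth:
        findings.append(("server", "Require User Authentication is disabled"))
    for name, password in users.items():
        if password.lower() == name.lower():
            findings.append(("server", f"user {name!r}: password equals the user name"))
    return findings

# Constructed sample data: the tutorial's endpoint plus an invented remote one.
TUTORIAL = Endpoint("opc.tcp://127.0.0.1:27730", frozenset({"Basic 256"}))
REMOTE = Endpoint("opc.tcp://PLANT-PC01:27731", frozenset({"None", "Basic 256"}))

if __name__ == "__main__":
    for where, finding in audit([TUTORIAL, REMOTE], True, {"Test": "Test"}):
        print(f"{where}: {finding}")
```

Run against the tutorial's own settings, the only finding is the “Test”/“Test” profile, which is suitable for a walkthrough but should be replaced before the endpoint is exposed beyond the local machine.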


Configuring the Unified Automation Test Client

This section will provide steps for configuring the Unified Automation UaExpert test client.

Note: Configuration steps for other UA client applications may vary.

1. Open the Unified Automation UaExpert Test Client.

2. Click on the Add Server button to open the Add Server window. You can also open this window from the menu by going to Server | Add.

3. Enter a Configuration Name. We will call ours “UA Test”.

4. If you have a Discovery Service, you can browse for servers on your network. If you do not have a Discovery Service, proceed to step 5.

5. Click on the Advanced tab in the Add Server window. Enter the Endpoint URL that we configured in the Configuring the OmniServer UA Client Wedge section above. Our endpoint is opc.tcp://127.0.0.1:27730.

6. In the Security Settings section, select the appropriate Security Policy from the drop-down. We are using Basic 256, as configured in the previous section.

7. Select the appropriate Message Security Mode from the drop-down. The OmniServer supports both Sign, and Sign & Encrypt modes. For our example, we will select Sign & Encrypt.

8. In the Authentication Settings section, select the Username and Password radio button. Click the Store checkbox to enable the password field. Enter the username “Test” and password “Test” that we configured in the OmniServer.

9. Check the Connect Automatically button to attempt to connect to the server once we exit the configuration. Click OK to create your server connection. You can also manually connect by right clicking on the server connection under Servers in the treeview and selecting Connect.


Figure 7: UA Server Connection Configuration


10. If this is the first time you have made a connection to the OmniServer, you will receive a pop-up that will prompt you to accept the server certificate. You can view the OmniServer certificate by clicking on View Certificate. Accept the certificate by clicking the Accept the certificate permanently radio button and then click OK. For more information on the client certificate, view the discussion above on Managing Instance Certificates.

Figure 8: Accept Server Instance Certificate

Note: If you are unable to connect to the OmniServer, check the Client Certificates tab in the Endpoint Properties and make sure the UaExpert Client Certificate is not showing in the Rejected list. (This only applies if your OPC UA Client is using Secure Encryption for connecting to OmniServer.)

If the OPC UA Client certificate is listed as “Rejected”, click on the button to move it to the trusted list.

Figure 9: Rejected Client Certificate

11. Once you have created the connection to the server, you can browse the OmniServer’s address space in the bottom left hand pane of the UA Client. You can monitor a particular tag by dragging and dropping it into the Default DA View window. You can also see detailed properties for the selected tag in the Attribute Window.