OPC UA Connector

Connector overview

The OpcExt implements connector support for the OPC UA protocol.

How to use OPC UA

To configure the OPC UA connector, follow the steps below.

  • Enable the OPC UA extension.

Endpoint Connectivity

Username/password authentication mode is supported only starting with https://finproducts.atlassian.net/wiki/spaces/FINFramework/pages/33648738306

All OPC UA connections require a suitable server endpoint to connect to. The OPC foundation defines the following information for each endpoint:

  • Endpoint URL: The URI for the endpoint.

  • Security Policy: A security policy is made up of a set of signing and encryption algorithms and parameters.

  • Security Mode: Either None, Sign or SignAndEncrypt to define how secure messages are passed back and forth.

  • Server Urn: A unique name for a server instance that identifies it on the remote host.

  • Authentication Mode: Currently, only Anonymous and UserName are supported.

This connector requires the following tags:

  • uri: The endpoint URL for the intended endpoint. This includes the scheme, which defines the method the connection will attempt to use. Only opc.tcp:// is currently supported.

  • opcUserAuthMode: The authentication mode to use. If not specified, defaults to Anonymous.

    • Anonymous: connect using the client certificate only. The OPC-UA server must approve the client certificate before a connection can be authenticated.

    • UserName: Authenticate using a username and password. The username and password tags must be specified for this mode.

  • opcSecurity: Composed of a security policy and security mode pair.

    See Security Policy for details.

  • opcCertAlias: The alias in the key store of the client certificate to use for cryptographic functions. This is required if the security mode is not None. See Certificates for more details.

On connecting, the connector will attempt to find an endpoint on the remote host that matches these tags.

Note, this method of connection is subject to change.

Security Policy

The following values are supported for the opcSecurity tag. The easiest way to configure this tag value is to edit the connector record within the Connector App.

  • None

  • Basic128Rsa15 Sign

  • Basic128Rsa15 SignAndEncrypt

  • Basic256 Sign

  • Basic256 SignAndEncrypt

  • Basic256Sha256 Sign

  • Basic256Sha256 SignAndEncrypt
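The tag rules and security values above can be checked before a connector record is deployed. The following is an added example, not FIN Framework code: it treats a connector record as a Python dict of tags, the host and alias names are constructed, and the deprecation of Basic128Rsa15 and Basic256 comes from the OPC UA specification rather than from this page.

```python
# Values this page lists for the opcSecurity tag.
POLICIES = ("Basic128Rsa15", "Basic256", "Basic256Sha256")
SUPPORTED_SECURITY = {"None"} | {
    f"{p} {m}" for p in POLICIES for m in ("Sign", "SignAndEncrypt")}
# Deprecated by the OPC Foundation because they depend on SHA-1.
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}

def lint_connector(rec):
    """Return (errors, warnings) for a connector record given as a dict of tags."""
    errors, warnings = [], []
    if not str(rec.get("uri", "")).startswith("opc.tcp://"):
        errors.append("uri must use the opc.tcp:// scheme")
    auth = rec.get("opcUserAuthMode", "Anonymous")  # page: defaults to Anonymous
    if auth not in ("Anonymous", "UserName"):
        errors.append(f"unsupported opcUserAuthMode: {auth!r}")
    if auth == "UserName" and not (rec.get("username") and rec.get("password")):
        errors.append("UserName mode requires the username and password tags")
    sec = rec.get("opcSecurity")
    if sec not in SUPPORTED_SECURITY:
        errors.append(f"unsupported opcSecurity: {sec!r}")
        return errors, warnings
    policy, _, mode = sec.partition(" ")
    if sec == "None":
        warnings.append("security None: messages are neither signed nor encrypted")
        if auth == "UserName":
            warnings.append("UserName authentication over an unsecured channel")
        return errors, warnings
    if not rec.get("opcCertAlias"):
        errors.append("opcCertAlias is required when the security mode is not None")
    if policy in DEPRECATED_POLICIES:
        warnings.append(f"{policy} is deprecated; prefer Basic256Sha256")
    if mode == "Sign":
        warnings.append("Sign protects integrity only; payloads are not encrypted")
    return errors, warnings

# Constructed sample records (hypothetical host and alias names).
SAMPLES = {
    "weak": {"uri": "opc.tcp://plc.example:4840", "opcSecurity": "None",
             "opcUserAuthMode": "UserName", "username": "op", "password": "x"},
    "legacy": {"uri": "opc.tcp://plc.example:4840", "opcCertAlias": "opc.default",
               "opcSecurity": "Basic128Rsa15 Sign"},
    "strong": {"uri": "opc.tcp://plc.example:4840", "opcCertAlias": "site.client",
               "opcSecurity": "Basic256Sha256 SignAndEncrypt"},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, lint_connector(rec))
```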

Certificates

A client certificate is required when using any security mode besides None. When the extension is first enabled, a default, self-signed certificate will be added to the crypto store. It will have alias opc.default. This is the value that should be configured for the opcCertAlias tag on the connector.

You can add your certificates to the crypto store using the crypto tool. You would then configure the opcCertAlias tag to whatever alias you used when adding your certificate.

The default certificate's subject DN is auto-generated and includes the hostname of the device running FIN Framework in an effort to make it unique. If you need to generate your client certificate, use the opcGenCert() function.

NodeIds

NodeIds (for referencing nodes on a server) are composed of a namespace (a 16-bit integer) and a value. The value may be an integer, a string, a uuid or a bytestring.

All references to nodes on an OPC UA server must use the encoded form of that NodeId. Bytestrings must be encoded in base64. A namespace of 0 may be omitted.

The following are examples of how each encoding might look:

    n=3;s=Test.Point                          => String "Test.Point" in the 3 namespace
    n=15;i=2459                               => Integer 2459 in the 15 namespace
    i=348                                     => Integer 348 in the 0 namespace
    n=1;b=YmxvYg==                            => A bytestring in the 1 namespace
    n=7;g=03f0e2bb-8f1a-c800-e1f8-00623f7473c4 => A Uuid in the 7 namespace
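A strict parser for the encoded form described above, useful for validating opcCur, opcHis and opcWrite values before they reach the server. This is an added example, not the connector's own parser: it accepts both the n= prefix used in the encodings above and the ns= prefix used in this page's writable-point example (which forms the connector itself accepts is an assumption), and it bounds integer identifiers to 32 bits as the OPC UA specification does.

```python
import base64
import re
import uuid

# Optional namespace prefix ("n=" or "ns="), a type letter, then the identifier.
_NODE_ID = re.compile(r"(?:ns?=([0-9]+);)?([isgb])=(.+)", re.S)

def parse_node_id(text):
    """Return (namespace, kind, value) for an encoded NodeId, or raise ValueError."""
    m = _NODE_ID.fullmatch(text)
    if not m:
        raise ValueError(f"not an encoded NodeId: {text!r}")
    ns = int(m.group(1) or 0)              # a namespace of 0 may be omitted
    if ns > 0xFFFF:                        # the namespace is a 16-bit integer
        raise ValueError(f"namespace {ns} does not fit in 16 bits")
    kind, raw = m.group(2), m.group(3)
    if kind == "i":
        # OPC UA numeric identifiers are unsigned 32-bit values.
        if not re.fullmatch(r"[0-9]+", raw) or int(raw) > 0xFFFFFFFF:
            raise ValueError(f"bad integer identifier: {raw!r}")
        return ns, kind, int(raw)
    if kind == "g":
        value = uuid.UUID(raw)             # raises ValueError on malformed input
        if str(value) != raw.lower():      # reject braces, urn: prefix, missing hyphens
            raise ValueError(f"uuid not in canonical form: {raw!r}")
        return ns, kind, value
    if kind == "b":
        # validate=True rejects characters outside the base64 alphabet.
        return ns, kind, base64.b64decode(raw, validate=True)
    return ns, kind, raw                   # kind == "s": string identifier

# The encodings shown on this page, used as sample input.
EXAMPLES = [
    "n=3;s=Test.Point",
    "n=15;i=2459",
    "i=348",
    "n=1;b=YmxvYg==",
    "n=7;g=03f0e2bb-8f1a-c800-e1f8-00623f7473c4",
    "ns=2;s=Modbus Channel.ModbusSim.ModKepReg1",
]

if __name__ == "__main__":
    for encoded in EXAMPLES:
        print(encoded, "->", parse_node_id(encoded))
```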

Most built-in nodes are predefined NodeIds. It is recommended to use connector learn to add and bind points.

This table specifies the built-in OPC datatypes that are supported:

    DataType       NodeId  Haystack
    --------       ------  --------
    Boolean        i=1     Bool
    SByte          i=2     Number
    Byte           i=3     Number
    Int16          i=4     Number
    UInt16         i=5     Number
    Int32          i=6     Number
    UInt32         i=7     Number
    Int64          i=8     Number
    UInt64         i=9     <NOT SUPPORTED>
    Float          i=10    Number
    Double         i=11    Number
    String         i=12    Str
    LocalizedText  i=21    Str

Current Points

OPC UA proxy points are configured with the opcCur tag, which maps to the NodeId for the node on the server. For example, this point maps the current time on the server:

    point
    opcConnRef: @myOpcConn
    opcCur: "i=2258"
    kind: "DateTime"

Historical Points

OPC UA proxy points may be used to collect stored history from the remote server. The format is similar to current points. For example, this point will collect history on the running state of the server:

    point
    opcConnRef: @myOpcConn
    opcHis: "i=2259"
    opcType: "i=12"
    kind: "Str"
    enum: "Running,Failed,NoConfiguration,Suspended,Shutdown,Test,CommunicationFault,Unknown"

Writable Points

OPC UA proxy points are configured to write remote points via the opcWrite tag. Only OPC UA points that have a Value attribute can be written. For example, this point will write an Int16 OPC point type:

    point
    opcConnRef: @myOpcConn
    opcWrite: "ns=2;s=Modbus Channel.ModbusSim.ModKepReg1"
    opcType: "i=4"
    kind: "Number"

Known bugs in 5.2.0

  • When a new connector is added, the uri tag is created as string type; when a value is added and the connector is pinged, an error is returned.
    The workaround is to delete the tag and recreate it as uri type.

  • While password should only be required if opcUserAuthMode is set to UserName, pinging the connector with a blank password will return an error.
    The workaround is to add any value to the password tag even if using an anonymous connection.

  • While opcCertAlias should only be required if opcSecurity is not set to None, pinging the connector with a blank opcCertAlias will return an error.
    The workaround is to either delete the opcCertAlias tag, or to add the “opc.default” value to it.