Connecting to the inmation OPC UA Server

This example shows how to establish a connection to the inmation OPC UA server using an OPC UA client. The first steps set up an instance of the inmation OPC UA Server and create an endpoint; after that, the freely available Unified Automation UaExpert client is used to connect to the server. For more information on the inmation OPC UA Server, please visit the Server Service - UA Server page.

Creating the OPC UA TCP Server

  1. The first step is to enable the Server object. Select the Server object in the Server Model (it will have the same name as your host machine and should be disabled). Right-click and select Admin > Enable > Object or use the shortcut (F9).

  2. Right-click the Server object again and select Admin > New > OPC UA TCP Server to open the Create Object Wizard.

  3. Enter a name for the OPC UA Server and click Next.

    Create OPC UA TCP Server Wizard
    Figure 1. Create OPC UA TCP Server Wizard
  4. On the Communication page of the wizard, enter a Listener Port that is not being used by another application or service (default is 4840).

    Create OPC UA TCP Server Wizard - Communication Options
    Figure 2. Create OPC UA TCP Server Wizard - Communication Options
    The Bind to Address and Discovery Path properties are left empty here but can be configured for your particular UA client or system.
  5. Click Create to create the OPC UA TCP Server object in the Server Model.

    Server Model - OPC UA TCP Server Object
    Figure 3. Server Model - OPC UA TCP Server Object

Creating an Endpoint

The OPC UA TCP Server object now exists, but an endpoint is needed before an external OPC UA client can establish a session. The endpoint specifies the security policy, the message security mode and the supported user token policies. For this example we use the simplest case: security policy None (no signing or encryption) together with the Anonymous user token policy. That configuration is suitable for a lab walkthrough only: anyone who can reach the listener port receives the permissions of the profile mapped to the Anonymous policy, over an unencrypted channel.

  1. Select the OPC UA TCP Server object in the Server Model. Right-click and select Admin > New > OPC UA TCP Server Endpoint to open the Create Object wizard.

  2. Enter a name for the Endpoint object, then click Next.

    Create Endpoint Wizard - Common
    Figure 4. Create Endpoint Wizard - Common
  3. On the Communication page of the Create Endpoint wizard, you can enter an Endpoint Path (see the note below for details). To keep this example simple we leave the field blank. Click Next to go to the User Token Policies page of the wizard.

    Create Endpoint Wizard - Communication
    Figure 5. Create Endpoint Wizard - Communication
    If the Endpoint Path is entered then this will be appended to the endpoint URL that you use to connect with a UA client. For example, if myendpoint is added as the Endpoint Path property, then the endpoint URL used by the client will be opc.tcp://hostmachine:4840/myendpoint.
  4. On the User Token Policies page, expand the “Anonymous Policy” option and select the “Enable” checkbox. Then fill in the Profile and Password fields: the Anonymous policy maps onto an existing Profile object in the Access Model, so enter the credentials of the profile whose permissions anonymous clients should receive. We will leave the Security Policy as null for the moment.

    Create Endpoint Wizard - User Token Policies
    Figure 6. Create Endpoint Wizard - User Token Policies
    As mentioned above, the Anonymous Policy can be mapped to any existing Profile in the Access Model (see the Access Model Hands On section for more information on creating profiles and users). When Object Level Security is configured, the UA server grants a connecting client exactly the permissions defined for that profile in the Access Model. In this way the Anonymous User Token Policy can be used to restrict the part of the namespace that is reachable when connecting with a UA client. Every anonymous client is treated as that one profile, so choose the least privileged profile that serves the purpose.
  5. Click Create to create the Endpoint object in the Server Model tree. The Server Model should look like the example below:

    Server Model Tree - OPC UA Server and Endpoint
    Figure 7. Server Model Tree - OPC UA Server and Endpoint

Connecting to the system OPC UA Server with a UA Client

Using the configuration set up in the examples above, we can connect to the inmation OPC UA server with an external UA client using the Anonymous user token policy and security policy None. You can check the connection with your own choice of UA client; here a connection is demonstrated using the Unified Automation UaExpert client.

  1. Open UaExpert and select Servers in the Project window. Right-click and select Add from the Context Menu to open the Add Server dialog.

    UaExpert - Adding a Server
    Figure 8. UaExpert - Adding a Server
  2. In the Add Server dialog find the Custom Discovery section. Double click where indicated to enter the Discovery URL.

    UaExpert - Add Server Dialog
    Figure 9. UaExpert - Add Server Dialog
  3. In the Discovery URL dialog, enter the name of the machine hosting the server. For this example we can just enter "localhost". Click OK to return to the Add Server dialog.

    UaExpert - Discovery URL
    Figure 10. UaExpert - Discovery URL
  4. Back in the Add Server dialog, make sure that the "Anonymous" Authentication Settings are selected and click OK to return to the main window.

    The communication Port should automatically be entered but if not, return to the Add Server dialog and add the full endpoint URL, including Port, in the Advanced tab. For example: opc.tcp://localhost:4840
  5. The system UA server should now be visible under Servers in the Project panel of the main UaExpert window. Select it, then right-click and select Connect from the context menu.

    UaExpert - Connect to Server
    Figure 11. UaExpert - Connect to Server
  6. The Certificate Validation window opens, allowing you to add the system UA Server certificate to the client's trusted list. Before accepting it, inspect the certificate and compare its thumbprint with the server's own certificate obtained out of band (for example by reading the certificate file on the server host); trusting whatever answers on the port without checking is what lets an impostor endpoint pass as the real server once a security policy is in use. Click “Trust Server Certificate” to add it.

    UaExpert - UA Server Certificate Validation
    Figure 12. UaExpert - UA Server Certificate Validation
  7. Click Continue to return to the main window. In the Address Space panel, expand the Root node to browse the namespace.

  8. Drag some I/O items to the Data Access panel to see the values updating.

    UaExpert - Connected UA Server with Updating Values
    Figure 13. UaExpert - Connected UA Server with Updating Values
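What UaExpert does under the covers when it first contacts the endpoint is a plain OPC UA TCP Hello/Acknowledge exchange, before any secure channel, certificate or session comes into play. The following added example (not code from inmation or Unified Automation) builds that Hello message for the endpoint URL used above, decodes the server's Acknowledge or Error reply, and can probe a live server on opc.tcp://localhost:4840 from the command line. The message layouts are those of the OPC UA binary transport (Part 6); the two reply messages embedded at the bottom are constructed rather than captured from a real server, so the decoder can be exercised offline, and the error reason text in them is made up.

```python
"""Minimal OPC UA TCP (UACP) Hello/Acknowledge probe, standard library only.

Added example: this is not inmation or Unified Automation code. The message
layouts follow OPC UA Part 6 (binary transport); host, port and endpoint URL
are the ones used in this walkthrough.
"""
import socket
import struct

# Every UACP message starts with a 3-byte type, a 1-byte chunk flag ('F' for a
# final, unchunked message) and the total message size as a little-endian uint32.
HEADER = struct.Struct("<3scI")
# Hello and Acknowledge bodies: ProtocolVersion, ReceiveBufferSize,
# SendBufferSize, MaxMessageSize, MaxChunkCount (Hello adds the EndpointUrl string).
HELLO_BODY = struct.Struct("<IIIII")
ACK_BODY = struct.Struct("<IIIII")

# Transport-level status codes a Hello can provoke (OPC UA status code table).
ERROR_NAMES = {
    0x80830000: "BadTcpEndpointUrlInvalid",
    0x80800000: "BadTcpMessageTooLarge",
    0x807D0000: "BadTcpServerTooBusy",
}


def encode_string(text):
    """OPC UA String: int32 byte length followed by UTF-8 bytes (-1 means null)."""
    if text is None:
        return struct.pack("<i", -1)
    raw = text.encode("utf-8")
    return struct.pack("<i", len(raw)) + raw


def decode_string(buf, offset):
    """Inverse of encode_string; returns (text_or_None, new_offset)."""
    (length,) = struct.unpack_from("<i", buf, offset)
    offset += 4
    if length < 0:
        return None, offset
    return buf[offset:offset + length].decode("utf-8"), offset + length


def build_hello(endpoint_url, receive_buffer=65536, send_buffer=65536):
    """Build the client's Hello message for the given endpoint URL."""
    body = HELLO_BODY.pack(0, receive_buffer, send_buffer, 0, 0) + encode_string(endpoint_url)
    return HEADER.pack(b"HEL", b"F", HEADER.size + len(body)) + body


def parse_response(data):
    """Decode the server's reply to a Hello into a dict (ACK or ERR)."""
    msg_type, _chunk, size = HEADER.unpack_from(data, 0)
    if size != len(data):
        raise ValueError("size field %d does not match %d received bytes" % (size, len(data)))
    if msg_type == b"ACK":
        fields = ACK_BODY.unpack_from(data, HEADER.size)
        names = ("protocol_version", "receive_buffer", "send_buffer", "max_message_size", "max_chunk_count")
        return {"type": "ACK", **dict(zip(names, fields))}
    if msg_type == b"ERR":
        (code,) = struct.unpack_from("<I", data, HEADER.size)
        reason, _ = decode_string(data, HEADER.size + 4)
        return {"type": "ERR", "code": code, "name": ERROR_NAMES.get(code, "0x%08X" % code), "reason": reason}
    raise ValueError("unexpected message type %r" % msg_type)


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += part
    return buf


def probe(host, port, endpoint_url, timeout=5.0):
    """Open a TCP connection, send Hello and return the parsed ACK/ERR. Needs a live server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_hello(endpoint_url))
        header = _recv_exact(sock, HEADER.size)
        _, _, size = HEADER.unpack(header)
        return parse_response(header + _recv_exact(sock, size - HEADER.size))


# Constructed replies (not captured from a real server) so the decoder runs offline.
CONSTRUCTED_ACK = HEADER.pack(b"ACK", b"F", HEADER.size + ACK_BODY.size) + ACK_BODY.pack(0, 65536, 65536, 0, 0)
_err_body = struct.pack("<I", 0x80830000) + encode_string("EndpointUrl not served")
CONSTRUCTED_ERR = HEADER.pack(b"ERR", b"F", HEADER.size + len(_err_body)) + _err_body

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "opc.tcp://localhost:4840"
    host_port = url.split("//", 1)[1].split("/", 1)[0]
    host, _, port = host_port.partition(":")
    print(probe(host, int(port or 4840), url))
```

Run it with the endpoint URL as the only argument (for example opc.tcp://localhost:4840/myendpoint) to check that the listener answers before involving UaExpert. An ERR reply names the transport-level reason, while a refused TCP connection points at the Listener Port or a firewall; certificates and user tokens do not come into play at this stage, so this separates network problems from the security configuration covered later.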

The amount of the namespace that can be browsed depends on the Profile used when setting up the Anonymous User Token policy of the endpoint. Using the system owner "so" profile we can see the entire namespace in all model panels; note that this hands system owner rights to anyone who can reach the port, over an unencrypted channel, which is acceptable only in an isolated lab. Change the profile and password in the Anonymous User Token policy section of the UA Server endpoint to use the Guest Users profile that was created in the Access Model Hands On section.

Change Anonymous User Token Policy
Figure 14. Change Anonymous User Token Policy

Click Apply to confirm the changes, then return to the UaExpert client. Disconnect from the server, then reconnect, this time using the Guest Users profile. Browsing the I/O Model now only allows access to the section of the namespace that is permitted by the Object Level Security for the Guest Users profile in the Access Model panel.

Browsing the Namespace using Guest Users Profile Configured as Anonymous User Token Policy
Figure 15. Browsing the Namespace using Guest Users Profile Configured as Anonymous User Token Policy

To use Profiles directly as authentication in the UA client you must first enable the User Name Token Policy in the UA Server Endpoint. To do this, check the box in the Object Properties panel of the endpoint.

Enable User Name Policy in Endpoint
Figure 16. Enable User Name Policy in Endpoint

Click Apply to confirm the changes. Then, in the UaExpert client, open the properties for the server and change the Authentication Settings to Username and Password. Click OK to confirm the changes.

UA Expert Authentication Settings
Figure 17. UA Expert Authentication Settings

Now, when you connect to the server, the User Credentials dialog appears. Enter a Profile name as Username and the correct password to connect. Note that while the endpoint's security policy is None and the user token policy's Security Policy is left at null, the password travels in clear text: the OPC UA specification falls back to the secure channel's policy for a null user token policy, and None provides no encryption. Enable a security policy (next section) before using real profile credentials across a network.

User Credentials Dialog
Figure 18. User Credentials Dialog

Once connection is achieved, the sections of the namespace that are permitted for that profile can be browsed successfully.

Security Policies and Modes, and Certificate Management

Different security policies (the algorithm suites used to sign and encrypt the secure channel) and message security modes can be applied to the system UA server connections. If an endpoint is configured with a security policy other than None, the connecting UA client must present an application instance certificate, and that certificate must be trusted by the system UA server for the connection to succeed. The security policy is configured on the Endpoint object in the Object Properties panel of DataStudio. All security policies except None require a client certificate in addition to the server certificate that was trusted in the UaExpert steps above. To change the security policy of your endpoint, select it in the Server Model and open the Communication menu in the Object Properties panel. Select a Security Policy other than None from the drop-down menu and change the Message Security Mode to Sign & Encrypt. Prefer Basic256Sha256 or a newer policy where the server offers it: Basic128Rsa15 and Basic256 are deprecated by the OPC Foundation because they rely on SHA-1, and the Sign mode on its own leaves the traffic readable on the wire.

Security Policy and Mode Settings in the Endpoint Object
Figure 19. Security Policy and Mode Settings in the Endpoint Object
If you are already connected to the server with a client, any change in the security policy on the server side will disconnect the client. Security settings have to be configured on the client side to reestablish connection to the server.

In the UaExpert client, open the server's connection properties and change the Security Policy and Message Security Mode fields to match those configured for the Endpoint in the previous step (the Anonymous or Username authentication setting can be kept). Click OK to close the dialog.

UaExpert - Server Settings
Figure 20. UaExpert - Server Settings

Try to connect to the server in UaExpert. The connection fails with the error "Connecting failed with error 'BadSecurityChecksFailed'" because the system UA server rejects the UaExpert client's self-signed certificate: the server's Trust Mode is set to Reject, so any client certificate that is not already in its trusted store is refused. To change this configuration, select the UA Server object in the Server Model of DataStudio and open the Certificate Management menu.

Certificate Management Options
Figure 21. Certificate Management Options

The certificate management syncs with the certificates store (found in the inmation.root > certificates directory) and displays the trusted and rejected certificates from the store. The rejected certificate from the failed UaExpert connection is displayed and can be found in the inmation.root > certificates > rejected directory.

A record of the rejected certificate is also entered into the system log. Open a log display (right click on the UA server object and select Admin > Open Log > last 30 mins) and double click on the information entry to view details of the rejected certificate. All rejected certificates can be evaluated before allowing connection.

To trust the UaExpert client certificate, select Trust from the Trust Mode drop-down menu in the Certificate Management settings and click Apply. While Trust mode is active the server accepts any client certificate presented to it, so keep this window as short as possible.

Certificate Management - Trust Mode
Figure 22. Certificate Management - Trust Mode

Now, try to connect to the system server in the UaExpert client. The first connection attempt will fail but the UaExpert client certificate will be moved to the trusted certificates directory of the local certificate store (inmation.root > certificates > certs).

UaExpert certificate moved to "trusted"
Figure 23. UaExpert certificate moved to "trusted"

Try again to connect to the server with UaExpert. This time the connection succeeds and you can browse the server namespace using UaExpert. Return the Trust Mode of the system UA server to Reject immediately so that no other client certificates are accepted, and check that only the expected certificate was added to the trusted directory.

Rejected certificates can also be moved manually from the "rejected" folder to the "certs" folder in the certificate store; on the next connection attempt the client is accepted. Verify the certificate's thumbprint against the value reported by the client's operator before moving it: a file in the rejected folder only proves that someone presented that certificate to the server.
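The manual move is the safer path when it is combined with a thumbprint check. The following added example (not inmation code) lists the files in the rejected directory with their thumbprints and moves a certificate into the trusted directory only when its SHA-1 thumbprint, the identifier OPC UA uses for certificates, matches a value obtained from the client's operator out of band. Assumptions: the store layout is the one described on this page (a certificates directory under inmation.root with rejected and certs subdirectories), each certificate is stored as a single DER file, and the server re-reads the store on the next connection attempt as the page states; the file names are illustrative and the certificate bytes used for the offline check are constructed, not a real certificate.

```python
"""Promote a rejected OPC UA client certificate to the trusted store only when
its thumbprint matches a value obtained out of band.

Added example, not part of the inmation product. Assumes the store layout this
page describes (<inmation.root>/certificates with "rejected" and "certs"
subdirectories) and one DER file per certificate; file names are illustrative.
"""
import hashlib
import os
import shutil


def thumbprints(der_bytes):
    """Return (sha1, sha256) upper-case hex thumbprints of a DER certificate.

    OPC UA identifies a certificate by the SHA-1 hash of its DER encoding;
    SHA-256 is computed alongside for tools that display the stronger hash.
    """
    return (hashlib.sha1(der_bytes).hexdigest().upper(),
            hashlib.sha256(der_bytes).hexdigest().upper())


def _normalise(thumbprint):
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; compare on bare upper-case hex."""
    return "".join(ch for ch in thumbprint.upper() if ch in "0123456789ABCDEF")


def list_rejected(store_root):
    """List every file in the rejected directory with its thumbprints for review."""
    rejected_dir = os.path.join(store_root, "rejected")
    entries = []
    for name in sorted(os.listdir(rejected_dir)):
        path = os.path.join(rejected_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            der = fh.read()
        sha1, sha256 = thumbprints(der)
        entries.append({
            "file": name,
            "sha1": sha1,
            "sha256": sha256,
            # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30); this only
            # flags files that cannot be certificates, it does not validate them.
            "looks_like_der": der[:1] == b"\x30",
        })
    return entries


def promote_if_pinned(store_root, file_name, expected_sha1):
    """Move rejected/<file_name> to certs/ only if its SHA-1 thumbprint matches.

    Returns True when the certificate was moved, False when it was left where it is.
    """
    src = os.path.join(store_root, "rejected", file_name)
    dst_dir = os.path.join(store_root, "certs")
    with open(src, "rb") as fh:
        der = fh.read()
    actual_sha1, _ = thumbprints(der)
    if actual_sha1 != _normalise(expected_sha1):
        return False  # not the certificate we were told to expect: leave it rejected
    os.makedirs(dst_dir, exist_ok=True)
    shutil.move(src, os.path.join(dst_dir, file_name))
    return True


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.join("inmation.root", "certificates")
    for entry in list_rejected(root):
        print(entry)
```

Run it with the path of the certificate store as the only argument to see what is waiting in the rejected folder, then call promote_if_pinned with the thumbprint the client's operator gave you. The comparison tolerates the colon- or space-separated form most certificate viewers display, and a mismatch leaves the file in the rejected folder so that the server keeps refusing that client.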