
OmniServer UA Interface Tutorial. A Guide to Configuring the OmniServer OPC UA Server Settings


Academic year: 2021


OmniServer UA Interface Tutorial


Table of Contents

INTRODUCTION

• Introduction to OPC UA

• Introduction to OmniServer

• Intended Audience

• Pre-requisites

CONFIGURING THE OMNISERVER UA SERVER SETTINGS

• Defining Endpoints

• Managing Instance Certificates

• Enabling Security

• Creating User Authentication Profiles


Introduction

Introduction to OPC UA

The OPC Unified Architecture, also known as OPC-UA, is the latest open-standard architecture developed by the OPC Foundation to improve and expand interoperability standards in the Industrial Automation Industry.

Why do we need a new architecture to begin with? OPC-UA was the result of several advancements and changes in the way data was commonly being accessed and exchanged. Some changes that led to the need for a new architecture include:

• Microsoft’s COM and DCOM (the basis for previous standards) were deprecated and are now considered legacy technologies

• Web services gained importance in data exchange between machines and for communications to factory floor devices

• Earlier specifications were decoupled and did not integrate well, e.g. items in a Data Access server could not communicate directly with items in an Alarms and Events server.

OPC-UA is designed for exchanging information in an object-oriented manner, rather than as isolated data points. This increases the accessibility of your plant floor data by letting you re-use information stored in a common object. OPC-UA also incorporates a service-oriented model, which increases interoperability with other platforms and improves security.

OPC-UA is not a replacement for existing OPC-DA standards. Because of the layered design of this architecture it includes all the functionality of existing OPC-DA servers, but expands upon their functionality with a common interoperability layer. This interoperability layer unifies information exchange and provides a common interface for controlling processes.

What are the benefits of the new architecture? OPC-UA provides a way to connect clients and servers in a secure manner, without relying on Microsoft DCOM. This is a big advantage because DCOM plays no role in data transport, so you are no longer saddled with the headaches of configuring it. OPC-UA can also allow users to make secure connections through firewalls and over VPN connections. In addition, it expands the ability to provide factory floor information to other business systems, as a result of the object-oriented model described above.

Introduction to OmniServer

The OmniServer is a user configurable server designed to handle communications with devices that use non-standard communications protocols. OmniServer is a fully configurable I/O server which interprets the data coming in from a device and delivers the data to any client program that supports the major information exchanges.

OmniServer takes care of all the polling and data parsing for you, and does this without the use of a programming language. All you need to know is how you want to present the data to the outside world.

Intended Audience

This paper is intended for general audiences, including process control engineers and system integrators, who are interested in learning more about utilizing the OPC-UA capabilities of the OmniServer. This tutorial will show you how to configure the OmniServer OPC UA interface to allow OPC UA clients to connect to access data coming from your non-standard devices.

Pre-requisites

You will be required to have both the OmniServer 2.7 and the Unified Automation UaExpert Test Client downloaded and installed on your machine. In order to test your client connection to the OmniServer, you will also be required to have a valid OmniServer configuration. You can learn more about configuring the OmniServer in our Introduction to OmniServer guide.

You can download the latest version of the Unified Automation UaExpert test client from here. The instructions and screenshots in this paper were created with version 1.1.0.117 of the UaExpert client.


Configuring the OmniServer UA Server Settings

This section will provide a step-by-step guide for configuring the OmniServer UA interface to allow a UA client to connect.

1. Open the Clients section in the configuration Window.

2. Double-click on the OPC UA wedge. You can also right-click and choose Properties. This will open the OPC UA Configuration window.

Defining Endpoints

With the OPC-DA Specification, servers were identified by their ProgID. In OPC-UA, this is done through what is called an endpoint, which more closely resembles a URL than the OPC-DA ProgIDs. This endpoint uses a machine name and a port number to identify the server. Different authentication and security settings can also be configured on the endpoint. Any one particular server can have multiple server endpoint definitions. You may want to define multiple endpoints if you want certain clients to connect on certain ports, or if you want some clients to only be able to connect locally, and some to be able to connect remotely.

1. To add a new endpoint definition, click on the Add button. This will open the Endpoint Properties page.

2. Under the General tab, select the Hostname from the drop-down list. The Default option will use the computer name in the endpoint definition and will make the server accessible from a remote client. The Local Only option will create an endpoint that can only be accessed by a UA client on the local machine. For this example, we will make a local only endpoint.

3. Specify the Port number that you want the UA client to connect over. The port number for our example is 27730.

4. You will see the full endpoint definition underneath the port, as shown in Figure 1 below. You will need to know this endpoint definition in order to connect with the client.


Figure 1: Endpoint Definition

Managing Instance Certificates

All endpoints within a particular server will share the same instance certificate. An instance certificate is a security certificate that grants permissions to clients to be able to connect to the server. This means that user validation is done on a per server instance basis, not per endpoint. Therefore, a client that has the server’s instance certificate will be able to connect to any endpoint configured in the server, provided that the client supports the type of encryption that the endpoint employs.

Each application that wants to establish a trust with the OPC UA server or client must have the appropriate public and private keys. The private key is protected, while the public key is placed into a certificate of distribution, called the Instance Certificate. Establishing a secure connection requires the client to have the server’s certificate, and the server to have the client’s certificate. This exchange is only required once for the duration of the certificate’s lifetime.

OmniServer provides two options for the storage location for Instance Certificates, referred to as the Certificate Store, as seen in Figure 1.

• The Open SSL Store is the default option and uses the Open SSL Certificate Authority system to manage and store Instance Certificates for OmniServer. Open SSL managed certificates are located at:


C:\Documents and Settings\All Users\Application Data\Software Toolbox\OmniServer\PKI\CA

• The Windows Certificate Store is the location where all Windows-managed certificates are stored. If you prefer that your OPC UA Instance Certificates for OmniServer be stored in the Windows Certificate Store, select this option.

Once you have selected the desired Certificate Store (we will use the default for this example), you can manage the Instance Certificate for OmniServer using the following steps.

1. Click on the Certificate tab in the Endpoint Properties window. You can create a new certificate by clicking on the Create New button.

2. In the Filename field give your certificate a name. We will use the name “MyTestCert”.

3. Fill in the appropriate information in the Organization, Location, Unit, State, and Country fields to identify your organization. You are not required to fill in any of these fields. Click OK to create the new certificate.

Figure 2: New Server Instance Certificate

Note: You can view all of the instance certificates (server and client) in the Client Certificates tab of the


Enabling Security

The settings on this tab designate what security policies the OmniServer will support for clients attempting to connect. For instance, by default any OPC UA client that uses Basic 128 Rsa 15 and Basic 256 security will be able to connect. If you select only the None option, any UA client application will be able to connect.

1. Click on the Security tab in the Endpoint Properties window.

2. Select the encryption methods you want to use for the client connection to the OmniServer. The UA client must support the encryption methods you select for it to be able to connect. In this example, we will only allow a client using Basic 256 encryption to connect. Uncheck None and Basic 128 Rsa 15 and leave Basic 256 checked.

Figure 3: Enable Security

3. When you are finished configuring your Endpoint, click OK to exit the Endpoint Properties window. You will see your new endpoint added to the Endpoints tab in the OPC UA Configuration window.


Figure 4: New Server Endpoint

Creating User Authentication Profiles

You can further restrict access to your server by enabling authentication profiles in the OPC UA configuration. Authentication is applied on the server level, meaning that the same authentication will be applied to all configured Endpoints.

1. In the OPC UA Configuration window, click on the Authentication tab.

2. Enable the Require User Authentication checkbox.

3. Click the Add button.

4. Enter a User Name and Password and confirm the password. We will use the User Name “Test”,


Figure 5: New User Name and Password

5. Click OK. You will see the Username “Test” appear in the box.

Figure 6: New User Authentication Profile
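
The three server-side settings configured above (endpoint host and port, the policies checked on the Security tab, and Require User Authentication) can be reviewed together. The Python below is an added example, not part of the original tutorial or of OmniServer: the `Endpoint` record, the finding codes and severities, the host name `PLANT-PC01`, and treating loopback addresses as the Local Only case are assumptions made for illustration. The deprecation of Basic128Rsa15 and Basic256 reflects later OPC Foundation guidance rather than anything stated in this tutorial.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Policy names as on the Security tab, plus the newer Basic256Sha256.
# Basic128Rsa15 and Basic256 depend on SHA-1 and were later deprecated
# by the OPC Foundation.
KNOWN = {"None", "Basic128Rsa15", "Basic256", "Basic256Sha256"}
DEPRECATED = {"Basic128Rsa15", "Basic256"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}  # assumed to mean "Local Only"


@dataclass(frozen=True)
class Endpoint:            # hypothetical record, filled in by hand from the GUI
    url: str               # endpoint definition shown under the Port field
    policies: frozenset    # boxes checked on the Security tab
    user_auth: bool        # Require User Authentication (server-wide)


def audit(ep):
    """Return a sorted list of (severity, code) findings for one endpoint."""
    try:
        parts = urlsplit(ep.url)
        host, port = parts.hostname, parts.port   # .port raises on a bad port
    except ValueError:
        return [("high", "bad-url")]
    if parts.scheme != "opc.tcp" or not host or port is None:
        return [("high", "bad-url")]
    remote = host not in LOOPBACK
    found = set()
    if not ep.policies:
        found.add(("high", "no-policy-selected"))
    for name in ep.policies - KNOWN:
        found.add(("medium", f"unknown-policy:{name}"))
    if "None" in ep.policies:
        # With None checked, a client may choose an unsigned, unencrypted channel.
        found.add(("high" if remote else "medium", "policy-none-enabled"))
    if ep.policies & DEPRECATED:
        found.add(("low", "sha1-era-policy"))
    if not ep.user_auth:
        found.add(("high" if remote else "low", "anonymous-access"))
    return sorted(found)


# Constructed samples: the tutorial's endpoint, and a remote one left wide open.
TUTORIAL = Endpoint("opc.tcp://127.0.0.1:27730", frozenset({"Basic256"}), True)
EXPOSED = Endpoint("opc.tcp://PLANT-PC01:27730",
                   frozenset({"None", "Basic128Rsa15", "Basic256"}), False)
```

Calling `audit(TUTORIAL)` reports only the low-severity deprecated-policy finding, while `audit(EXPOSED)` reports the None policy and anonymous access at high severity because the endpoint is reachable remotely.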


Configuring the Unified Automation Test Client

This section will provide steps for configuring the Unified Automation UaExpert test client.

Note: Configuration steps for other UA client applications may vary.

1. Open the Unified Automation UaExpert Test Client.

2. Click on the Add Server button to open the Add Server window. You can also open this window from the menu by going to Server | Add.

3. Enter a Configuration Name. We will call ours “UA Test”.

4. If you have a Discovery Service, you can browse for servers on your network. If you do not have a Discovery Service, proceed to step 5.

5. Click on the Advanced tab in the Add Server window. Enter the Endpoint URL that we configured in the Configuring the OmniServer UA Client Wedge section above. Our endpoint is opc.tcp://127.0.0.1:27730.

6. In the Security Settings section, select the appropriate Security Policy from the drop down. We are using Basic 256, as configured in the previous section.

7. Select the appropriate Message Security Mode from the dropdown. The OmniServer supports both Sign, and Sign & Encrypt modes. For our example, we will select Sign & Encrypt.

8. In the Authentication Settings section, select the Username and Password radio button. Click the Store checkbox to enable the password field. Enter the username “Test” and password “Test” that we configured in the OmniServer.

9. Check the Connect Automatically button to attempt to connect to the server once we exit the configuration. Click OK to create your server connection. You can also manually connect by right clicking on the server connection under Servers in the treeview and selecting Connect.


10. If this is the first time you have made a connection to the OmniServer, you will receive a pop-up that will prompt you to accept the server certificate. You can view the OmniServer certificate by clicking on View Certificate. Accept the certificate by clicking the Accept the certificate permanently radio button and then click OK. For more information on the client certificate, view the discussion above on Managing Instance Certificates.

Figure 8: Accept Server Instance Certificate

Note: If you are unable to connect to the OmniServer, check the Client Certificates tab in the Endpoint Properties and make sure the UaExpert Client Certificate is not showing in the Rejected list. (This only applies if your OPC UA Client is using Secure Encryption for


If the OPC UA Client certificate is listed as “Rejected”, click on the button to move it to the trusted list.

Figure 9: Rejected Client Certificate

11. Once you have created the connection to the server, you can browse the OmniServer’s address space in the bottom left hand pane of the UA Client. You can monitor a particular tag by dragging and dropping it into the Default DA View window. You can also see detailed properties for the selected tag in the Attribute Window.
