Connecting to an OPC UA server

The next step is to connect to the OPC UA server and add an OpcUaDevice to the network. Before you begin, confirm the following prerequisites:

  • You are working in Workbench running on a PC or laptop computer.

  • Your OPC UA device is on the network and ready to connect.

  • Prosys OPC UA Simulation Server is installed on the PC.

  • Client Security Certificate (signed or self-signed) is generated or imported into the client station’s CertManagerService. (For more details refer to the topics “Generating an OPC UA Client Certificate” and “Generating an OPC UA Client Certificate for Third-Party Server”).

  • Client User Identity Certificate (signed or self-signed) is generated or imported into the client station’s CertManagerService. (For more details refer to the topics “Generating an OPC UA Client Certificate” and “Generating an OPC UA Client Certificate for Third-Party Server”).

  1. Open the OPC UA server software and navigate to the Status tab.
    The software opens.

    The example server software above is the Prosys Simulation Server. However, it is more likely that you will open a connection to your own OPC UA server, using software known to you that serves up actual historical and live data.

  2. Locate the Connection Address and copy it along with the required security mode and user authentication method.
    In the example above, this address is: opc.tcp://IE67DTDVYXXC2.global.ds.honeywell.com:53530/OPCUA/SimulationServer

    Within Niagara the default configuration for the OPC UA server and client connections is security mode Sign and SignEncrypt and security policy Basic256SHA256. These are the recommended settings for high security. A warning accompanies the other security policies and modes that the driver supports. You or an administrator must acknowledge this alert to proceed. The driver logs the acknowledgment in the system for audit purposes.

    Note: If the device fails to find the server at the requested address, it may be because the client does not recognize the hostname. Consider adding the hostname (with its IP address) to the hosts file. You may also use the IP address instead of the hostname in the connection address, for example: opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer.
  3. In the Workbench Nav tree, expand Config > Drivers and double-click OpcUaNetwork.
    The Opc Ua Client Device Manager opens.
  4. To add a new device, click New.
    The New window opens.

  5. Select OpcUaDevice from the drop-down list and click OK.
    A second New window opens.

  6. Configure the following required properties and click OK.
    • Server Endpoint Url is the Connection Address you copied earlier.

    • Security Mode, by default, is set to Sign Encrypt Basic256 Sha256. This value must match the server’s Security Mode configuration. The default Security Mode for both OPC UA server and device is Sign Encrypt Basic256 Sha256, which enables signing and encryption with security policy EncryptBasic256SHA256.

    • Security Certificate Alias defaults to the self-signed tridium certificate. For higher security, use a signed client certificate that matches the root CA certificate in the station’s Trust Store.

      • If a Security Mode other than None is selected, then security certificates must be selected from the station’s Key Store using the Security Certificate Alias drop-down list. You must enter the private key password for the selected certificate in the Security Certificate Password field.

      • If the Security Mode is None, the Security Certificate credentials remain the same and cannot be modified.

    • By default the User Authentication Mode is set to Username and Password. This value must match the server’s supported authentication modes.

      • If Username and Password is selected, enter the username in the User Authentication Certificate Alias field and the password in the User Authentication Certificate Password field. The credentials remain the same.

      • If Certificate is selected, click the User Authentication Certificate Alias drop-down to select the certificate and enter the private key password in the User Authentication Certificate Password field.

  7. Expand Config > Services > PlatformServices and double-click CertManagerService.
    The Certificate Management view opens.

  8. To approve the Security Certificate sent by the server as an exemption, click the Allowed Hosts tab, right-click the host and click Approve.
    The Approve Exemption(s) window opens.

    You do not need to approve the exemption if the Server’s Security Certificate or the Signing Certificate has been imported into the User Trust Store.

    1. Select Yes to continue.
  9. To ping the server, right-click the OpcUaDevice and click Actions > Ping.

    Note: If the OpcUaDevice is still unable to create a secure channel to the server, the server might be rejecting the client’s certificate. You may need to approve or trust the client certificate in the server’s certificate store. Once you select the certificate, ping the server again.
  10. Go to the Property Sheet view of the OpcUaDevice, and check the status of the following properties.

    The system should have populated these properties with current values.
    • Server State shows Running.

    • Server Current Time shows the current timestamp. For example, 12-Jan-2024 12:04 PM IST.

    • Server Start Time shows the server start time. For example, 12-Jan-2024 11:44 AM IST.

    • Server Info shows complete information of the server.

      1. Product Name

      2. Product Uri

      3. Manufacturer

      4. Software Version

      5. Build Number

      6. Build Date
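
The Note in step 2 and the ping in step 9 both depend on the client reaching the server's connection address. The following pre-flight check is an added example (not part of the Niagara driver or of the original page) that separates a hostname-resolution failure from a TCP failure and from a missing OPC UA TCP Hello/Acknowledge reply, before any secure channel or certificate exchange takes place. The function names, the buffer sizes and the fallback to port 4840 are assumptions of this example.

```python
import socket
import struct
from urllib.parse import urlsplit

def parse_endpoint(url):
    """Split an opc.tcp:// connection address into (host, port)."""
    parts = urlsplit(url)
    if parts.scheme != "opc.tcp" or not parts.hostname:
        raise ValueError("not an opc.tcp endpoint URL: %r" % url)
    return parts.hostname, parts.port or 4840  # assumption: fall back to the registered OPC UA port

def build_hello(url):
    """Encode an OPC UA TCP Hello message for the given endpoint URL."""
    raw = url.encode("utf-8")
    # ProtocolVersion, ReceiveBufferSize, SendBufferSize, MaxMessageSize, MaxChunkCount
    body = struct.pack("<5I", 0, 65536, 65536, 0, 0) + struct.pack("<i", len(raw)) + raw
    return b"HELF" + struct.pack("<I", 8 + len(body)) + body

def parse_reply(data):
    """Decode the server's Acknowledge (ACK) or Error (ERR) message."""
    if len(data) < 8:
        return {"type": "short"}
    kind = data[:3].decode("ascii", "replace")
    if kind == "ACK" and len(data) >= 28:
        names = ("protocol_version", "receive_buffer", "send_buffer", "max_message", "max_chunks")
        return dict(zip(names, struct.unpack_from("<5I", data, 8)), type="ACK")
    if kind == "ERR" and len(data) >= 12:
        return {"type": "ERR", "status": "0x%08X" % struct.unpack_from("<I", data, 8)[0]}
    return {"type": "unknown"}

def preflight(url, timeout=3.0):
    """Report which stage fails: name resolution, TCP connect, or the UA handshake."""
    host, port = parse_endpoint(url)
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "hostname not resolved: add it to the hosts file or use the IP address"
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(build_hello(url))
            reply = parse_reply(conn.recv(4096))
    except OSError as exc:
        return "TCP connect or read failed: %s" % exc
    return "server answered with %s" % reply["type"]

if __name__ == "__main__":
    # Address taken from the Note in step 2; requires the simulation server to be running.
    print(preflight("opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer"))
```

An ACK reply only shows that the address reaches an OPC UA TCP listener; the security mode, certificate trust and user authentication from steps 6 to 9 are still checked by the driver when the OpcUaDevice connects.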