A number of parameters can be controlled by the ErgoTechConfiguration.properties (TransSECS) or the mix.properties(MIX) file. A sample, file is installed with the application. If these parameters are not present in the file, the defaults will be used.
opcua.serverhosts If present the hostnames provided will be used to create endpoints for the server opcua.certs.dir The root folder for all certificates. This defaults to "security" in the folder in which the application is started opcua.servername The name of the server. This defaults to MIXOPCServer opcua.tcp.port The port for opc tcp connections opcua.https.port The port for https connections opcua.certificates.dir The folder that contains the server certificate opcua.serverpass The password of the server certificate opcua.trusted.cert.location The location of client certificates. This defaults to security/security/pki. Three folders, //issuers//, //rejected//, and //trusted// folders contain the certificates. Trusted client certificates should be placed in the //trusted// folder opcua.bind.address Additional, local, interfaces to which to bind. opcua.securitypolicy The OPC security policy to use. Options are: //None, Basic128Rsa15, Basic256, Basic256Sha256, Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss// . These options are described [[https://profiles.opcfoundation.org/profilefolder/474|in the OPC Foundation Documentation]] . If not specified, Basic256Sha256 will be used. Note that //None// is insecure. The ErgoTech OPC Server will, by default, present this on the local interface (accessible only by applications running on the same host). //Basic256//, and //Basic128Rsa15// are deprecated and not recommended for security reasons.
With the TransSECS OPCUA server deployment no additional setup is required for the TransSECS SECS/GEM server. The server is deployed in the project's OPCUA folder and can be run directly from there. The parameters above can be configured in the ErgoTechConfiguration.properties file.
To run MIX as an OPC-UA Server you will need to add a library provided by ErgoTech to the MIX installation's lib directory and also add a driver jar to your MIStudio project's Drivers directory before deploying the project to MIX. Both of these libraries are provided by ErgoTech with the OPC-UA MIX package.
Copy the library “OPCUAServerLauncher.jar” provided by ErgoTech to the MIX installation “lib” directory. Edit the mix.properties file in the MIX directory with a text editor (such as Notepad++) to make these changes:
Start MIX so it is ready for an MIStudio deployment.
Start MIStudio and load the project you want to use for the OPC-UA Server tags. Right click on the Drivers node of MIStudio and browse for the OPC-UA enabler library “OPCUAServerVIBImpls.jar”. This needs to be part of the deployment to MIX with the built project.
Any server or manipulator you place in the Diagram Window logic will become a tag in the OPC-UA Server if you have set “exported.only=false” in mix.properties. If you do not want all the logic servers and manipulators to be tags in the OPC-UA Server then you can use “exported.only=true” in the mix.properties, and then specifically set the server to be exposed as a tag in the OPC-UA Server by setting its expert property “Export Criteria” from the default “No Export” to “Export Read-Only” or “Export Read/Write”. Only manipulators can be set to Read/Write (servers only provide values so are Read-Only).
After you build the project and deploy to MIX the tags can be accessed with an OPC-UA Client.
The first time you connect a new OPC-UA Client to the Server, you will need to accept the server's certificate in the Client and then move the generated client certificate from untrusted to the trusted cert directory. These certificate directories will be in the MIX installation under security/security/pki. The untrusted certificate needs to be moved (not copied) from untrusted to trusted/cert, then you can connect the Client.
When you first try to connect to the secure endpoint on a server, the ErgoTech OPCClient will create a client certificate for you. This is the file “clientCert.der” in the folder security\security\pki\issuers\certs . For example, in the TransSECS editor it will be in the folder shown.
This certificate should be moved to your server configuration. You will need to consult the documentation for your server for instructions to complete this step.
In TransSECS you should also copy this folder to your deployment folder. For example, if you are using the PLCTool sample project you would copy the whole folder to ErgoTech\TransSECSDevicesTrial\Projects\PLCTool\PLCToolDeployment
If you have already run the deployment, that folder will already exist. You can delete it and replace it with the folder from Builder. The important configuration is that the clientCert.der and the clientPrivateKey.pem in the security folder be the same in both the builder and deployment and the clientCert.der must be the file that you installed on your server.