Table of Contents
OPC UA Server Configuration Options
The following system properties configure the ErgoTech OPC UA Server:
| Property | Description | Default Value |
|---|---|---|
| opcua.serverhosts | (Optional) Comma-separated list of hostnames to use when creating server endpoints. If not specified, the server will bind to default interfaces. | *none* |
| opcua.certs.dir | (Optional) Root directory for all certificate-related files. | `certificates` (in the application start folder) |
| opcua.servername | (Optional) Name of the OPC UA server. | `MIXOPCServer` |
| opcua.tcp.port | (Optional) TCP port for OPC UA binary (opc.tcp) connections. | `12686` |
| opcua.https.port | (Optional) Port for HTTPS-based OPC UA connections. | `8443` |
| opcua.serverpass | (Required) Password for the server certificate's private key. | *none* |
| opcua.trusted.cert.location | (Optional) Location of the client PKI folder. Must contain subfolders: `trusted/`, `rejected/`, and `issuers/`. | `security/security/pki` |
| opcua.bind.address | (Optional) Additional local network interfaces to bind to. Useful for multi-homed systems. | *none* |
| opcua.securitypolicy | (Optional) Security policy for server endpoints. Supported values: None, Basic128Rsa15, Basic256, Basic256Sha256, Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss. If not specified, Basic256Sha256 is used. | `Basic256Sha256` |
| allow.anonymous.identities | (Optional) Allow anonymous identities. If false a username/password is required to connect | *false* |
Notes
- The server always exposes an endpoint with a security policy of
None, but it is bound only to the local interface (localhost). This allows local applications to easily connect to the server. It does not pose a security risk because it is not accessible from external systems. - Security policies
Basic256andBasic128Rsa15are deprecated and should not be used unless required for legacy interoperability. - Certificates for trusted clients should be placed in the `trusted/` folder within the specified `opcua.trusted.cert.location` directory. Rejected and issuer certificates should go in the `rejected/` and `issuers/` folders respectively.
TransSECS OPC-UA Server Setup
With the TransSECS OPCUA server deployment no additional setup is required for the TransSECS SECS/GEM server. The server is deployed in the project's OPCUA folder and can be run directly from there. The parameters above can be configured in the ErgoTechConfiguration.properties file.
MIX OPC-UA Server Setup
To run MIX as an OPC-UA Server you will need to add a library provided by ErgoTech to the MIX installation's lib directory and also add a driver jar to your MIStudio project's Drivers directory before deploying the project to MIX. Both of these libraries are provided by ErgoTech with the OPC-UA MIX package.
Set up MIX
Copy the library “OPCUAServerLauncher.jar” provided by ErgoTech to the MIX installation “lib” directory. Edit the mix.properties file in the MIX directory with a text editor (such as Notepad++) to make these changes:
- change the line that says exported.only=true to exported.only=false
- remove the “#” from (to uncomment) the line that says “#export.servers=OPCUA” so it says “export.servers=OPCUA”
Start MIX so it is ready for an MIStudio deployment.
Set up your MIStudio project
Start MIStudio and load the project you want to use for the OPC-UA Server tags. Right click on the Drivers node of MIStudio and browse for the OPC-UA enabler library “OPCUAServerVIBImpls.jar”. This needs to be part of the deployment to MIX with the built project.
Any server or manipulator you place in the Diagram Window logic will become a tag in the OPC-UA Server if you have set “exported.only=false” in mix.properties. If you do not want all the logic servers and manipulators to be tags in the OPC-UA Server then you can use “exported.only=true” in the mix.properties, and then specifically set the server to be exposed as a tag in the OPC-UA Server by setting its expert property “Export Criteria” from the default “No Export” to “Export Read-Only” or “Export Read/Write”. Only manipulators can be set to Read/Write (servers only provide values so are Read-Only).
After you build the project and deploy to MIX the tags can be accessed with an OPC-UA Client.
Connecting a Client to the OPC-UA Server
The first time you connect a new OPC-UA Client to the Server, you will need to accept the server's certificate in the Client and then move the generated client certificate from untrusted to the trusted cert directory. These certificate directories will be in the MIX installation under security/security/pki. The untrusted certificate needs to be moved (not copied) from untrusted to trusted/cert, then you can connect the Client.
ErgoTech OPC-UA Client - Configuration
Security
When you first try to connect to the secure endpoint on a server, the ErgoTech OPCClient will create a client certificate for you. This is the file “clientCert.der” in the folder security\security\pki\issuers\certs . For example, in the TransSECS editor it will be in the folder shown.
This certificate should be moved to your server configuration. You will need to consult the documentation for your server for instructions to complete this step.
In TransSECS you should also copy this folder to your deployment folder. For example, if you are using the PLCTool sample project you would copy the whole folder to ErgoTech\TransSECSDevicesTrial\Projects\PLCTool\PLCToolDeployment
If you have already run the deployment, that folder will already exist. You can delete it and replace it with the folder from Builder. The important configuration is that the clientCert.der and the clientPrivateKey.pem in the security folder be the same in both the builder and deployment and the clientCert.der must be the file that you installed on your server.
