OPC UA Server as a northbound interface

OPC UA provides reliable open platform communication among industrial devices. The OPC UA Server can be installed on a SINUMERIK Edge device as a northbound interface. The OPC UA Server itself doesn't communicate with the SINUMERIK; instead, it offers an interface for other applications to host their data on the OPC UA Server. These so-called “Provider” applications have their own OPC UA information model in XML format, which can be created, for example, in SiOME. The provider application can then write data to the OPC UA Server, receive data through the Databus, and send events to the server to add and delete nodes and to generate events. The data model is configured in the configuration of the provider application and automatically passed to the server.

Usually, the provider application will connect to the SINUMERIK via the SINUMERIK Adapter and write the data to the OPC UA Server.

A provider application uses the APP SDK functionality for writing/receiving data through the databus and transmitting data through events, so it can be developed in any language supported by the AppSDK.

One OPC UA Server can support multiple Provider applications, each with its own independent data model.

Important: Each Provider application has to implement its own unique namespace(s). It is not possible to load the same namespace multiple times in parallel.

The development of a provider application is described in the Developer Manual.

Installation of OPC UA Server application

After onboarding a new SINUMERIK EDGE, you will need to install the OPC UA Server application.

Select the application "opcuaserver" with the released version related to the firmware version installed on your SINUMERIK EDGE to install it on your connected SINUMERIK EDGE device.

Please refer to the chapter Application Management for detailed information on how to install an application on your SINUMERIK EDGE device.

For a detailed description of how to configure a data provider application, please refer to the Developer Manual.

Configuration of OPC UA Server application

In the "specificConfig" of the opcuaserver application, there is an XML model stored as a string called "serverConfigXml". Here you can find server settings such as the permitted security policies. For complete documentation, visit: https://documentation.unified-automation.com/uasdkcpp/1.5.4/html/L2ServerSdkServerConfig.html#server_config_xml_file. This configuration should not be changed except for setting the IP address in the certificate setting described below.

Important: Be careful when changing settings. The certificate paths, for example, are required to stay the same.

There are two important configurations highlighted in this chapter.

Server Certificate:

The server automatically generates a certificate on first startup, which is used when clients open a secure connection with the server. The information in this certificate can be configured in the ServerConfig.

Because the opcuaserver application is executed inside a container, it doesn't have the IP address of the host system (the edge box). Therefore, before the server generates its certificate, you have to manually set the IP address in the serverConfigXml within the specificConfig in the App Instance Configuration. Change ServerCertificate>CertificateSettings>DNSName to the address of your edge box, e.g. 192.168.10.2.

If you don't do this, the following error will appear when connecting through a signed connection with the opcuaserver:

image

Important: The server certificate is rebuilt every time the serverConfigXml changes. Older server certificates that clients saved as trusted lose their functionality.

Allow all SSL Certificates:

To establish a secure connection, certificates are exchanged. These certificates are independent of the authentication and cannot be managed in any Insights Hub interface. Therefore, it is important to set UaEndpoint>AutomaticallyTrustAllClientCertificates to true (the default when installing opcuaserver). This does not mean that an unauthenticated client can connect to the opcuaserver and receive data; it only means that clients are able to establish a signed connection with the opcuaserver. The authentication still comes after the connection has been opened.

Connecting to the OPC UA Server

The connection with the OPC UA Server can be done with any OPC UA Client through the Web Interface (X1) of the edge box. The OPC UA Server will have the following address: opc.tcp://[Edge_Box_Address]:48010, e.g.: opc.tcp://192.168.10.82:48010. In this chapter, UaExpert is used as an example for a client.

Please note that anonymous logins are not permitted. You need to use either username and password, or a certificate to connect with the OPC UA Server.

User Management of OPC UA Server through ReverseProxy

The OPC UA Server relies on the ReverseProxy application for user management tasks. The ReverseProxy application provides a user interface through which groups, users and password assignment can be managed easily. Please refer to the System Services documentation for how to handle user management in the ReverseProxy application. For instance, we have added a user called "abc" to the user list and assigned it a password. In the UaExpert application, when connecting to the server, the user credentials can be provided as shown below:

image

After that, during the "Connect" operation, you can see the result of the login in the log panel of the UaExpert application as shown below:

image

Otherwise, the authentication will fail, indicated in the log panel as shown below:

image

User Management of OPC UA Server with certificates

In addition to the user management of the ReverseProxy, the OPC UA Server also supports the authentication of clients with the help of provided certificates.

There are two ways to upload a certificate to the OPC UA Server. The first is for an App Owner: the certificate file can be provided inside the meta config of the data provider application. This is explained in detail in the Building Indapp chapter of the developer document.

The second is for an End User: a certificate file can be uploaded to the opcuaserver application through Manage MySINUMERIK Edge /App Management. After installing the opcuaserver application, there will be a Manage OPC UA certificates icon for the opcuaserver application.

When the icon is clicked, a pop-up is opened for OPC UA certificate management. Your current certificate files are shown and you can add and remove certificates in this window. Certificate files can be added by clicking the Add button on the left. You can add multiple certificate files. Additionally, certificate files can be removed by clicking the Remove button.

After adding or removing your certificate files, changes can be saved by clicking the Save button on the right. A window will ask if you want to save the changes; click Confirm.

The status can be observed from the “Jobs” tab and the “Configure” sub tab. The OPC UA Certificates window can be closed by clicking the Cancel button.

The following shows how to connect to the OPC UA Server using the UaExpert tool with certificates. When adding a server, the following dialog will pop up, where you can enter the certificate files.

image

After connecting to the OPC UA Server, the result of the connection attempt is shown in the log panel:

image

Connection Security

Instead of connecting with the Security Policy "None", you should use the Signed and Encrypted mode. By default, Basic256Sha256 Sign and Basic256Sha256 Sign & Encrypt are the security policies configured in the Configuration of the OPC UA Server.
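
The following check is an added example, not part of the original documentation or of the opcuaserver application. It reads the serverConfigXml string out of a specificConfig and reports the three settings discussed in the Configuration and Connection Security sections: the certificate DNSName, AutomaticallyTrustAllClientCertificates, and the offered security policies. Assumptions: the JSON layout of specificConfig, the sample values, and the element names ServerConfig, SecuritySetting, SecurityPolicy and MessageSecurityMode are constructed for this example.

```python
import json
import xml.etree.ElementTree as ET

BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

# Constructed, heavily reduced sample. The JSON layout and every element name
# not mentioned on this page (ServerConfig, SecuritySetting, SecurityPolicy,
# MessageSecurityMode) are assumptions made for this example.
SAMPLE_XML = f"""<ServerConfig>
  <ServerCertificate><CertificateSettings>
    <DNSName>localhost</DNSName>
  </CertificateSettings></ServerCertificate>
  <UaEndpoint>
    <SecuritySetting>
      <SecurityPolicy>{BASIC256SHA256}</SecurityPolicy>
      <MessageSecurityMode>Sign</MessageSecurityMode>
      <MessageSecurityMode>SignAndEncrypt</MessageSecurityMode>
    </SecuritySetting>
    <AutomaticallyTrustAllClientCertificates>true</AutomaticallyTrustAllClientCertificates>
  </UaEndpoint>
</ServerConfig>"""
SAMPLE_SPECIFIC_CONFIG = json.dumps({"serverConfigXml": SAMPLE_XML})


def _named(root, name):
    """All elements with this local name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _texts(elements):
    return [(e.text or "").strip() for e in elements]


def audit_server_config(specific_config_json, edge_box_address):
    """Report the serverConfigXml settings this page discusses."""
    root = ET.fromstring(json.loads(specific_config_json)["serverConfigXml"])
    dns_names = [t for cs in _named(root, "CertificateSettings")
                 for t in _texts(_named(cs, "DNSName"))]
    policies = _texts(_named(root, "SecurityPolicy"))
    trust = _texts(_named(root, "AutomaticallyTrustAllClientCertificates"))
    return {
        # The certificate must name the edge box, not the container.
        "dns_name_ok": edge_box_address in dns_names,
        # Does any endpoint still offer the unprotected policy "None"?
        "none_policy_offered": any(p.endswith("#None") for p in policies),
        # Expected to be true on every endpoint (default after installation).
        "trust_all_clients": bool(trust) and all(t.lower() == "true" for t in trust),
        "policies": sorted({p.rsplit("#", 1)[-1] for p in policies}),
    }
```

Running `audit_server_config(SAMPLE_SPECIFIC_CONFIG, "192.168.10.2")` on the sample reports `dns_name_ok` as false until DNSName is changed to the edge box address.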

Except where otherwise noted, content on this site is licensed under The Siemens Inner Source License - 1.1.