Skip to main content
Version: v2

OPCUA

OPCUA technology is a protocol for accessing data in read or write mode. The data are organized in a tree-like address space and are referenced with a unique address each (called node ID). OPCUA is a modern standard based on TPC, replacing OPC HDA/DA (see OPCHDA connector) technologies, and is often embedded natively in industrial controllers.

OPCUA embeds two variants of the protocol: HA (Historical Access) and DA (Data Access). The first mode allows access to a history of values over a time interval for the requested points (data), while the second mode accesses the values at each request.

OIBus integrates the two OPCUA modes (HA and DA) in read-only mode. Each mode has its own connector. The node-opcua library is used.

Connection settings

To connect to a OPCUA server, OIBus needs an URL which is composed of several part:

  • The protocol: opc.tcp:// (for now, only this one is supported)
  • The host or IP address
  • The port number
  • The endpoint (or server name)

All together, these elements form a URL. Here is an example: opc.tcp://localhost:53530/OPCUA/MyServer

Network

Several options are available to better manage network failure or inactivity:

  • Retry interval: in case of connection failure, time to wait before reconnecting (in ms)
  • Read timeout (HA only): time to wait before aborting a read request (in ms). It may happen if the read request retrieves too many values at once or if the network has a problem.
  • Max read interval (HA only): split the request interval into smaller chunks (in s)
  • Read interval delay (HA only): time to wait (in ms) between two sub-interval in case a split occurs (ignored otherwise)
  • Max return values (HA only): max number of values to retrieve per node. If 100 nodes are requested, this value is multiplied by 100 to have the total number of values retrieved.

Security settings

Communication

The communications can be secured thanks to the security mode and security policy fields. Available modes are:

  • None
  • Sign
  • SignAndEncrypt

OIBus supports the following policies:

  • None
  • Basic128
  • Basic192
  • Basic256
  • Basic128Rsa15
  • Basic192Rsa15
  • Basic256Rsa15
  • Basic256Sha256
  • Aes128_Sha256_RsaOaep
  • PubSub_Aes128_CTR
  • PubSub_Aes256_CTR
Compatibility with the OPCUA server

Be careful to select a security mode and a security policy supported by the OPCUA server!

If a security mode other than None is used, a certificate will be needed to sign and possible encrypt the communications. A self-signed certificate called OIBus (generated by OIBus at startup) is used to secure the communication with the OPCUA server. It must be trusted by the OPCUA server to allow communication.

Example on Prosys OPCUA Simulation Server

Prosys OPCUA Simulation Server Certificates

If the certificate is not trusted, an error will occur: Error: The connection may have been rejected by server

Authentication

If the certificate and key paths are empty, OIBus will try to use a user authentication with username and password. The username and password must exist on the OPCUA server.

If the username and password are empty, an anonymous authentication will be used. In this case, Anonymous authentication must be accepted by the OPCUA server.

The certificate, used to authenticate the client, must be added in the trusted user certificates of the OPCUA server. It is managed differently than the OIBus certificate mentioned before, used for secure communication.

Example on Prosys OPCUA Simulation Server

For Prosys, the certificate used to authenticate OIBus must be placed in the .prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA\certs folder. Otherwise, an error will occur: Error: serviceResult = BadIdentityTokenRejected (0x80210000).

If a connection has already been tried and rejected, the certificate must be removed from the rejected certificates' folder .prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA\rejected and be placed in the trusted folder (.prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA\certs).

Use the same certificate for user authentication and secure communications

The same certificate can be used. To do that, the cert.pem and privateKey.pem file paths must be specified. They are located in the cache/certs folder of OIBus.

On the OPCUA server side, the OIBus certificate (cert.pem) must be copied in the user certificates' folder.

For example, with Prosys OPCUA Simulation Server: .prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA\certs.

Accessing data

Scan groups (HA only)

With HA mode, data are retrieved by intervals. It is then possible to aggregate these values or to resample them. To do so, a scan mode must be selected (to create additional scan modes, see Engine settings), with its associated aggregate and resampling options.

Creating scan groups

Creating scan groups is mandatory to choose them in the Points section when adding new points to request.

Compatibility with the OPCUA server

Not every aggregate and resampling are supported by OPCUA server. Raw aggregate and None resampling are preferred to avoid compatibility issues.

Points and nodes

The OPCUA connector retrieves values from specific addresses. Addresses (called node ID, or just node) are organized in namespaces, in a tree-like structure. These can be added in the Points section (in the upper right corner).

To request a data, specify the following fields:

  • Point ID
  • Node ID
  • Scan Mode (DA only)
  • Scan Group (HA only)

The Node ID matches the path of the data in the appropriate namespace in the OPCUA server. The point ID will be used when sent to North connectors. It can be the same as the Node ID, but it allows friendlier names to manage.