Differences

This shows you the differences between two versions of the page.

--- opcuaconfig [2022/01/02 12:12]
wikiadmin created
+++ opcuaconfig [2025/03/24 20:27] (current)
wikiadmin [Notes]
@@ Line 1: / Line 1: @@
-===TransSECS - Configuration===
-A number of parameters can be controlled by the ErgoTechConfiguration.properties file. A sample, file is installed with the application. it is also used for every TransSECS deployment to be able to tweak runtime behavior.
+====== OPC UA Server Configuration Options ======
-<file>
-# needed if trigger source is reset automatically back to boolean false (PLC)
-transsecs.resetceidtrigger=false
-#message handling threading model, 0=all messages on same thread, 1=Push the processing of each message onto a new thread, one thread will be used for primaries and many for responses.
-transsecs.threadingmodel=1
-# voyeur option
-#transsecs.passthrough=true
-# set debug level higher for more verbose session manager logging
-sessionmanager.debuglevel=0
-# id type defaults to 54 if this options is excluded (options 50, 51, 52, 54, etc.)  This is used by the tool to set all the id types (ceid, vid, dataid, alid, rptid).
-transsecs.idtype=54
-# following four used for GEM host applications (id type options 50, 51, 52, 54, etc.)
-# gemhost in the name of the tool defined in the TransSECS project.
-gemhost.ceidsecsformat=54
-gemhost.vidsecsformat=52
-gemhost.dataidsecsformat=52
-gemhost.alidsecsformat=52
-gemhost.rptidsecsformat=54
-# there can be multiple entries if multiple hosts are deployed in the same application
-anothergemhost.ceidsecsformat=52
-anothergemhost.vidsecsformat=52
-anothergemhost.dataidsecsformat=52
-anothergemhost.alidsecsformat=52
-anothergemhost.rptidsecsformat=52
-######
-# activate simple S7Fx (x=3,5,17,19) file based recipe handling (default is 0, no recipe handling, set to 1 to enable recipe management)
-transsecs.recipemanager=0
-#used only if recipemanager is set to true
-transsecs.recipemanager.basedir=./
-transsecs.recipemanager.extension=rcp
-#######
-# needed for MQTT so that send message trigger tag is reset automatically
-transsecs.resetsendmessagetrigger=false
-</file>
-===Controlling Event Triggering Behavior in TransSECS PLC applications===
+The following system properties configure the ErgoTech OPC UA Server:
-transsecs.ceidedgetrigger=true
+^ Property ^ Description ^ Default Value ^
+| **opcua.serverhosts** | (Optional) Comma-separated list of hostnames to use when creating server endpoints. If not specified, the server will bind to default interfaces. | *none* |
+| **opcua.certs.dir** | (Optional) Root directory for all certificate-related files. | `certificates` (in the application start folder) |
+| **opcua.servername** | (Optional) Name of the OPC UA server. | `MIXOPCServer` |
+| **opcua.tcp.port** | (Optional) TCP port for OPC UA binary (opc.tcp) connections. | `12686` |
+| **opcua.https.port** | (Optional) Port for HTTPS-based OPC UA connections. | `8443` |
+| **opcua.serverpass** | (Required) Password for the server certificate's private key. | *none* |
+| **opcua.trusted.cert.location** | (Optional) Location of the client PKI folder. Must contain subfolders: `trusted/`, `rejected/`, and `issuers/`. | `security/security/pki` |
+| **opcua.bind.address** | (Optional) Additional local network interfaces to bind to. Useful for multi-homed systems. | *none* |
+| **opcua.securitypolicy** | (Optional) Security policy for server endpoints. Supported values: ''None'', ''Basic128Rsa15'', ''Basic256'', ''Basic256Sha256'', ''Aes128_Sha256_RsaOaep'', ''Aes256_Sha256_RsaPss''. If not specified, ''Basic256Sha256'' is used. | `Basic256Sha256` |
+| **allow.anonymous.identities** | (Optional) Allow anonymous identities.  If false a username/password is required to connect | *false* |
+==== Notes ====
-If this parameter is set to true events will be triggered only when the value changes from low to high (eg 0-1).  Changing from high to low is ignored.
+  * The server always exposes an endpoint with a security policy of **''None''**, but it is bound only to the local interface (''localhost''). This allows local applications to easily connect to the server. It does **not** pose a security risk because it is not accessible from external systems.
+  * Security policies ''Basic256'' and ''Basic128Rsa15'' are deprecated and should not be used unless required for legacy interoperability.
+  * Certificates for trusted clients should be placed in the `trusted/` folder within the specified `opcua.trusted.cert.location` directory. Rejected and issuer certificates should go in the `rejected/` and `issuers/` folders respectively.
-transsecs.resetceidtrigger=true
-If this is true, after the event is triggered, the value in the PLC (or other device) will be reset to zero.
+===TransSECS OPC-UA Server Setup===
-===Advanced Parameters===
+With the TransSECS OPCUA server deployment no additional setup is required for the TransSECS SECS/GEM server.  The server is deployed in the project's OPCUA folder and can be run directly from there.  The parameters above can be configured in the ErgoTechConfiguration.properties file.
-In general these parameters should not be set unless suggested by ErgoTech tech support.
+===MIX OPC-UA Server Setup===
-secs.maxmessagelength
+To run MIX as an OPC-UA Server you will need to add a library provided by ErgoTech to the MIX installation's lib directory and also add a driver jar to your MIStudio project's Drivers directory before deploying the project to MIX. Both of these libraries are provided by ErgoTech with the OPC-UA MIX package.
-This limits the maximum size of a SECS message.  Certain SECS/GEM implementations send valid, but inaccurate length bytes in HSMS messages.   This avoids "OutOfMemory" errors if the size provided is extremely large.
+===Set up MIX===
-The value is provided in kb.  Messages are normally small, a few kb.  Setting this value to 100 should avoid any issues with normal, or abnormal operation.  For example, adding the line:
+Copy the library "OPCUAServerLauncher.jar" provided by ErgoTech to the MIX installation "lib" directory. Edit the mix.properties file in the MIX directory with a text editor (such as Notepad++) to make these changes:
-secs.maxmessagelength=100
+  * change the line that says exported.only=true to exported.only=false
+  * remove the "#" from (to uncomment) the line that says "#export.servers=OPCUA" so it says "export.servers=OPCUA"
-to the configuration file, or adding:
+<note tip>Note that changing the property "exported.only" in mix.properties from true to false will cause all servers in the logic (Diagram Window) of your MIStudio project to be published in the OPC-UA Sever. If you want more control over what is published, leave this as "exported.only=true", and set each logic bean's expert property "Export Criteria" from "No Export" to the export criteria of your choice (usually Read-Only, but could be Read/Write depending on the server). </note>
--Dsecs.maxmessagelength=100
+Start MIX so it is ready for an MIStudio deployment.
-to the startup script will enable this option.
+===Set up your MIStudio project===
+Start MIStudio and load the project you want to use for the OPC-UA Server tags. Right click on the Drivers node of MIStudio and browse for the OPC-UA enabler library "OPCUAServerVIBImpls.jar". This needs to be part of the deployment to MIX with the built project.
+Any server or manipulator you place in the Diagram Window logic will become a tag in the OPC-UA Server if you have set "exported.only=false" in mix.properties. If you do not want all the logic servers and manipulators to be tags in the OPC-UA Server then you can use "exported.only=true" in the mix.properties, and then specifically set the server to be exposed as a tag in the OPC-UA Server by setting its expert property "Export Criteria" from the default "No Export" to "Export Read-Only" or "Export Read/Write". Only manipulators can be set to Read/Write (servers only provide values so are Read-Only).
+After you build the project and deploy to MIX the tags can be accessed with an OPC-UA Client.
+===Connecting a Client to the OPC-UA Server===
+The first time you connect a new OPC-UA Client to the Server, you will need to accept the server's certificate in the Client and then move the generated client certificate from untrusted to the trusted cert directory. These certificate directories will be in the MIX installation under security/security/pki. The untrusted certificate needs to be moved (not copied) from untrusted to trusted/cert, then you can connect the Client.
+===ErgoTech OPC-UA Client - Configuration===
+===Security===
+When you first try to connect to the secure endpoint on a server, the ErgoTech OPCClient will create a client certificate for you.  This is the file "clientCert.der" in the folder security\security\pki\issuers\certs .  For example, in the TransSECS editor it will be in the folder shown.
+{{:pasted:20240406-112708.png}}
+This certificate should be moved to your server configuration.  You will need to consult the documentation for your server for instructions to complete this step.
+In TransSECS you should also copy this folder to your deployment folder.  For example, if you are using the PLCTool sample project you would copy the whole folder to ErgoTech\TransSECSDevicesTrial\Projects\PLCTool\PLCToolDeployment
+{{:pasted:20240406-113241.png}}
+If you have already run the deployment, that folder will already exist.  You can delete it and replace it with the folder from Builder.  The important configuration is that the clientCert.der and the clientPrivateKey.pem in the security folder be the same in both the builder and deployment and the clientCert.der must be the file that you installed on your server.  <note tip>Never move the clientPrivateKey.pem file to the server.  That's a file that validates the client and should be maintained only with the client.</note>
+{{:pasted:20240406-113543.png}}