opcuaconfig [2024/04/06 11:37] wikiadmin (previous revision)

===ErgoTech OPC-UA Server - Configuration===

A number of parameters can be controlled by the ErgoTechConfiguration.properties (TransSECS) or the mix.properties (MIX) file. A sample file is installed with the application. If a parameter is not present in the file, its default is used.
<file>
opcua.serverhosts            If present, the hostnames provided will be used to create endpoints for the server
opcua.certs.dir              The root folder for all certificates. This defaults to "security" in the folder in which the application is started
opcua.servername             The name of the server. This defaults to MIXOPCServer
opcua.tcp.port               The port for opc.tcp connections
opcua.https.port             The port for https connections
opcua.certificates.dir       The folder that contains the server certificate
opcua.serverpass             The password of the server certificate
opcua.trusted.cert.location  The location of client certificates. This defaults to security/security/pki. Three folders, //issuers//, //rejected//, and //trusted//, contain the certificates. Trusted client certificates should be placed in the //trusted// folder

opcua.bind.address           Additional, local, interfaces to which to bind.
opcua.securitypolicy         The OPC security policy to use. Options are: //None, Basic128Rsa15, Basic256, Basic256Sha256, Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss//. These options are described [[https://profiles.opcfoundation.org/profilefolder/474|in the OPC Foundation Documentation]]. If not specified, Basic256Sha256 will be used. Note that //None// is insecure. The ErgoTech OPC Server will, by default, present this on the local interface (accessible only by applications running on the same host). //Basic256// and //Basic128Rsa15// are deprecated and not recommended for security reasons.
</file>

opcuaconfig [2025/03/24 20:27] (current) wikiadmin [Notes]

====== OPC UA Server Configuration Options ======

The following system properties configure the ErgoTech OPC UA Server:

^ Property ^ Description ^ Default Value ^
| **opcua.serverhosts** | (Optional) Comma-separated list of hostnames to use when creating server endpoints. If not specified, the server binds to the default interfaces. | //none// |
| **opcua.certs.dir** | (Optional) Root directory for all certificate-related files. | ''certificates'' (in the application start folder) |
| **opcua.servername** | (Optional) Name of the OPC UA server. | ''MIXOPCServer'' |
| **opcua.tcp.port** | (Optional) TCP port for OPC UA binary (opc.tcp) connections. | ''12686'' |
| **opcua.https.port** | (Optional) Port for HTTPS-based OPC UA connections. | ''8443'' |
| **opcua.serverpass** | (Required) Password for the server certificate's private key. | //none// |
| **opcua.trusted.cert.location** | (Optional) Location of the client PKI folder. Must contain the subfolders ''trusted/'', ''rejected/'' and ''issuers/''. | ''security/security/pki'' |
| **opcua.bind.address** | (Optional) Additional local network interfaces to bind to. Useful for multi-homed systems. | //none// |
| **opcua.securitypolicy** | (Optional) Security policy for server endpoints. Supported values: ''None'', ''Basic128Rsa15'', ''Basic256'', ''Basic256Sha256'', ''Aes128_Sha256_RsaOaep'', ''Aes256_Sha256_RsaPss''. If not specified, ''Basic256Sha256'' is used. | ''Basic256Sha256'' |
| **allow.anonymous.identities** | (Optional) Allow anonymous identities. If false, a username/password is required to connect. | //false// |

==== Notes ====

  * The server always exposes an endpoint with a security policy of **''None''**, but it is bound only to the local interface (''localhost''), so it is reachable only by applications running on the same host. This allows local applications to connect easily. It does **not** pose a security risk because it is not accessible from external systems.
  * The security policies ''Basic256'' and ''Basic128Rsa15'' are deprecated and should not be used unless required for legacy interoperability.
  * Certificates for trusted clients should be placed in the ''trusted/'' folder within the ''opcua.trusted.cert.location'' directory. Rejected and issuer certificates go in the ''rejected/'' and ''issuers/'' folders respectively.
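As an added example (not part of this wiki page or of the ErgoTech software), a small Python checker that reads a mix.properties or ErgoTechConfiguration.properties file and flags the weak settings described above: a security policy of None or a deprecated one, anonymous identities enabled, and a missing opcua.serverpass. The sample property files are constructed; the policy names and defaults are those from the table.

```python
"""Audit mix.properties / ErgoTechConfiguration.properties for weak OPC UA settings."""
from __future__ import annotations
# Policy names from the configuration table; Basic256 and Basic128Rsa15 are deprecated.
KNOWN_POLICIES = {"None", "Basic128Rsa15", "Basic256", "Basic256Sha256",
                  "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"}
DEPRECATED_POLICIES = {"Basic256", "Basic128Rsa15"}
DEFAULTS = {"opcua.securitypolicy": "Basic256Sha256", "allow.anonymous.identities": "false"}

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, first '=' or ':' splits key/value."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""          # key present with no value
        else:
            sep = min(seps)
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props

def audit(props: dict[str, str]) -> list[str]:
    """Return findings for the settings the page flags; an empty list means none found."""
    findings: list[str] = []
    policy = props.get("opcua.securitypolicy", DEFAULTS["opcua.securitypolicy"])
    if policy == "None":
        findings.append("opcua.securitypolicy=None: no message signing or encryption")
    elif policy in DEPRECATED_POLICIES:
        findings.append(f"opcua.securitypolicy={policy}: deprecated policy")
    elif policy not in KNOWN_POLICIES:
        findings.append(f"opcua.securitypolicy={policy}: not a supported policy name")
    if props.get("allow.anonymous.identities", DEFAULTS["allow.anonymous.identities"]).lower() == "true":
        findings.append("allow.anonymous.identities=true: clients may connect without a username/password")
    if not props.get("opcua.serverpass"):
        findings.append("opcua.serverpass missing: the server certificate password is required")
    return findings

# Constructed sample files, not taken from a real installation.
SAMPLE_WEAK = """# mix.properties (constructed)
export.servers=OPCUA
opcua.servername=MIXOPCServer
opcua.securitypolicy=Basic128Rsa15
allow.anonymous.identities=true
"""
SAMPLE_HARDENED = (SAMPLE_WEAK.replace("Basic128Rsa15", "Basic256Sha256")
                   .replace("identities=true", "identities=false")
                   + "opcua.serverpass=CHANGE-ME-placeholder\n")
```

Run `audit(parse_properties(open("mix.properties").read()))` against a real file; it returns an empty list when none of the flagged settings are present.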
| |
===TransSECS OPC-UA Server Setup===
  * remove the "#" from (to uncomment) the line that says "#export.servers=OPCUA" so it says "export.servers=OPCUA"

<note tip>Note that changing the property "exported.only" in mix.properties from true to false will cause all servers in the logic (Diagram Window) of your MIStudio project to be published in the OPC-UA Server. If you want more control over what is published, leave this as "exported.only=true", and set each logic bean's expert property "Export Criteria" from "No Export" to the export criteria of your choice (usually Read-Only, but could be Read/Write depending on the server).</note>

Start MIX so it is ready for an MIStudio deployment.
{{:pasted:20240406-113241.png}}

If you have already run the deployment, that folder will already exist. You can delete it and replace it with the folder from Builder. The important configuration is that the clientCert.der and the clientPrivateKey.pem in the security folder are the same in both the Builder and the deployment, and the clientCert.der must be the file that you installed on your server. <note tip>Never move the clientPrivateKey.pem file to the server. That file validates the client and should be kept only with the client.</note>

{{:pasted:20240406-113543.png}}
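As an added example (not from this page or from ErgoTech), a Python check for the certificate rules stated above: clientCert.der and clientPrivateKey.pem must be identical in the Builder and deployment security folders, the Builder's clientCert.der must be installed in the server's trusted/ folder, and no private key material may be present anywhere under the server's PKI folder. The folder layout and certificate bytes in `demo()` are constructed stand-ins, and the "PRIVATE KEY" marker test is an assumption that keys are stored as PEM.

```python
"""Verify TransSECS client certificate placement (added example, not ErgoTech code)."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

CERT, KEY = "clientCert.der", "clientPrivateKey.pem"

def _digest(path: Path) -> str | None:
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None

def check_layout(builder_sec: Path, deploy_sec: Path, server_pki: Path) -> list[str]:
    """Return problems with the cert/key placement; an empty list means it is consistent."""
    problems: list[str] = []
    for name in (CERT, KEY):
        b, d = _digest(builder_sec / name), _digest(deploy_sec / name)
        if b is None or d is None:
            problems.append(f"{name} missing from Builder or deployment security folder")
        elif b != d:
            problems.append(f"{name} differs between Builder and deployment")
    cert = _digest(builder_sec / CERT)
    installed = [p for p in (server_pki / "trusted").glob("*") if _digest(p) == cert]
    if cert and not installed:
        problems.append(f"Builder {CERT} is not in the server trusted/ folder")
    # The private key proves the client's identity and must stay with the client only.
    for p in server_pki.rglob("*"):
        if p.is_file() and b"PRIVATE KEY" in p.read_bytes():
            problems.append(f"private key material found on server: {p.name}")
    return problems

def demo(copy_key_to_server: bool) -> list[str]:
    """Build a constructed Builder/deployment/server layout in a temp dir and audit it."""
    cert_bytes = b"\x30\x82CONSTRUCTED-DER-CERT"          # stand-in for clientCert.der
    key_bytes = b"-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        builder, deploy = root / "builder" / "security", root / "deploy" / "security"
        trusted = root / "server" / "security" / "security" / "pki" / "trusted"
        for folder in (builder, deploy, trusted):
            folder.mkdir(parents=True)
        for folder in (builder, deploy):
            (folder / CERT).write_bytes(cert_bytes)
            (folder / KEY).write_bytes(key_bytes)
        (trusted / CERT).write_bytes(cert_bytes)       # the cert installed on the server
        if copy_key_to_server:                         # the mistake the page warns against
            (trusted / KEY).write_bytes(key_bytes)
        return check_layout(builder, deploy, trusted.parent)

if __name__ == "__main__":
    print(demo(False), demo(True))
```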