IBA ibaPDA-OPC-UA-Server+ Owner's manual

ibaPDA-OPC-UA-Server+

OPC UA Server for Measurement Data

Manual

Issue 1.2

Measurement Systems for Industry and Energy

www.iba-ag.com

Manufacturer

iba AG

Koenigswarterstr. 44

90762 Fuerth

Germany

Contacts

Main oce +49 911 97282-0

Fax +49 911 97282-33

Support +49 911 97282-14

Engineering +49 911 97282-13

E-mail [email protected]

Web www.iba-ag.com

Unless explicitly stated to the contrary, it is not permied to pass on or copy this document, nor

to make use of its contents or disclose its contents. Infringements are liable for compensaon.

The content of this publicaon has been checked for compliance with the described hardware

and soware. Nevertheless, discrepancies cannot be ruled out, and we do not provide guaran-

tee for complete conformity. However, the informaon furnished in this publicaon is updated

regularly. Required correcons are contained in the following regulaons or can be downloaded

on the Internet.

The current version is available for download on our web site www.iba-ag.com.

Version Date Revision - Chapter / Page Author Version SW

1.2 01-2022 Note on update cycle; writable tags; cercate

store

RM 7.2.0

Windows® is a brand and registered trademark of Microso Corporaon. Other product and

company names menoned in this manual can be labels or registered trademarks of the corre-

sponding owners.

1.2 3

ibaPDA-OPC-UA-Server+ Content

Content

1 About this manual .............................................................................................................4

1.1 Target group and previous knowledge ..................................................................... 4

1.2 Notaons .................................................................................................................. 4

1.3 Used symbols ............................................................................................. ...............5

2 System requirements ........................................................................................................6

3 OPC UA Server and OPC UA Server+ ..................................................................................7

3.1 General informaon ................................................................................................. 7

3.2 System topologies ..................................................................................................... 8

4 ConguraonandengineeringibaPDA ..............................................................................9

4.1 OPC UA Server – Conguraon ............................................................................... 11

4.2 Cercates ............................................................................................ ..................15

4.2.1 Introducon ............................................................................................................ 15

4.2.2 Central cercate store .......................................................................................... 16

4.2.3 Manage cercates ................................................................................................18

4.2.3.1 Create a new cercate ....................................................................................... 19

4.2.3.2 Add cercate .....................................................................................................20

4.2.3.3 Export cercates ............................................................................................. ...20

4.2.4 Use cercates ....................................................................................................... 21

4.2.5 Save and protect cercates .................................................................................. 22

4.3 OPC UA Server – Tags .............................................................................................23

4.3.1 Standard Tags.......................................................................................................... 26

4.3.2 Acquired Signals (Modules) .................................................................................... 28

4.3.3 Writable Tags .......................................................................................................... 29

4.3.4 Custom Informaon Models ................................................................................... 31

5 Diagnoscs ......................................................................................................................34

5.1 License .................................................................................................................... 34

5.2 Diagnoscs tab ....................................................................................................... 35

5.3 Connecon diagnoscs with PING .......................................................................... 36

6 Support and contact ........................................................................................................ 37

4 1.2

About this manual ibaPDA-OPC-UA-Server+

1 About this manual

This documentaon describes the funcon and applicaon of the soware

ibaPDA-OPC-UA-Server+.

1.1 Targetgroupandpreviousknowledge

This documentaon is aimed at qualied professionals who are familiar with handling electrical

and electronic modules as well as communicaon and measurement technology. A person is

deemed to be a professional if they are capable of assessing the assigned work and idenfying

possible risk areas on the basis of their specialist training, experse and experience as well as

knowledge of the applicable regulaons.

In parcular, this documentaon is intended for personnel involved in the engineering, tesng,

commissioning or maintenance of the respecve programmable logic controllers and commu-

nicaon systems. For the handling of ibaPDA-OPC-UA-Server+ the following basic knowledge is

required and/or useful:

■ Windows operang system

■ Basic knowledge of ibaPDA

■ Experience of conguring an OPC UA server

1.2 Notaons

In this manual, the following notaons are used:

Acon Notaon

Menu command Menu Logic diagram

Calling the menu command Step 1 – Step 2 – Step 3 – Step x

Example:

Select the menu Logic diagram - Add - New funcon

block.

Keys <Key name>

Example: <Alt>; <F1>

Press the keys simultaneously <Key name> + <Key name>

Example: <Alt> + <Ctrl>

Buons <Key name>

Example: <OK>; <Cancel>

File names, paths "Filename", "Path"

Example: "Test.doc"

1.2 5

ibaPDA-OPC-UA-Server+ About this manual

1.3 Used symbols

If safety instrucons or other notes are used in this manual, they mean:

Danger!

Thenon-observanceofthissafetyinformaonmayresultinanimminentrisk

of death or severe injury:

■ Observe the specied measures.

Warning!

Thenon-observanceofthissafetyinformaonmayresultinapotenalriskof

deathorsevereinjury!

■ Observe the specied measures.

Cauon!

Thenon-observanceofthissafetyinformaonmayresultinapotenalriskof

injuryormaterialdamage!

■ Observe the specied measures

Note

A note species special requirements or acons to be observed.

Tip

Tip or example as a helpful note or insider p to make the work a lile bit easier.

Otherdocumentaon

Reference to addional documentaon or further reading.

6 1.2

System requirements ibaPDA-OPC-UA-Server+

2 System requirements

The following system specicaons are required for use of OPC UA Server+:

■ ibaPDA v7.0.0 or higher

■ License for ibaPDA-OPC-UA-Server+

■ Network connecon to one or more OPC UA clients

Otherdocumentaon

Further requirements for the respecve computer hardware and the supported

operang systems can be found in ibaPDA documentaon.

Note

It is advisable to run the OPC UA communicaons for data acquision on a sepa-

rate network to avoid interference from the Ethernet data trac between

ibaPDA and other network nodes (le servers, data le requirements, etc.),

which may aect the OPC UA data telegrams.

Licenseinformaon

Order No. Product designaon Descripon

30.670051 ibaPDA-OPC-UA-Server+ Extension license for an ibaPDA system which

adds the funcon:

OPC UA Server+

Table 1: Available OPC UA Server+ licenses

1.2 7

ibaPDA-OPC-UA-Server+ OPC UA Server and OPC UA Server+

3 OPC UA Server and OPC UA Server+

3.1 Generalinformaon

By default, ibaPDA provides the OPC UA server funconality in order to make data and informa-

on about its own status publicly available. This includes informaon such as

■ Issue

■ Acve licenses

■ Status of data acquision and recording

■ Connected OPC UA clients

The OPC UA server funcon is thus used as an alternave to the SNMP interface or the watch-

dog telegram in order to inform other systems about the status of ibaPDA .

With the ibaPDA-OPC-UA-Server+ extension, you can also publish all recorded or calculated sig-

nals as well as text channels via OPC UA.

This allows other systems with OPC UA client funconality to access data collected by ibaPDA .

The signals that are published via OPC UA can be conveniently selected using the signal tree in

the ibaPDA Manager.

The signal values are updated cyclically.

Note

The tags in the OPC UA server are refreshed at the same rate as the ibaPDA out-

puts. Thus, the fastest update cycle derives from the least common mulple of

all module me bases or is at least 50 ms respecvely.

The OPC UA clients can only read (but not write) the tags provided by ibaPDA as the OPC UA

server.

If required, you may add so called Writable Tags (analog and digital) to the OPC UA server data

model. By means of an OPC UA server module, which can be added on the interface node OPC

UA, it is possible that OPC UA clients can write values into the OPC UA server of ibaPDA. In order

to use Writable Tags and the OPC UA server module you will also need the license ibaPDA-OPC-

UA-Server+.

You can import or generate the cercates required for communicaon between the OPC UA

server (ibaPDA ) and an OPC UA client in ibaPDA.

8 1.2

OPC UA Server and OPC UA Server+ ibaPDA-OPC-UA-Server+

3.2 Systemtopologies

The following drawing gives an overview of a possible conguraon.

1.2 9

ibaPDA-OPC-UA-Server+ Conguraon and engineering ibaPDA

4 ConguraonandengineeringibaPDA

Open the I/O manager, e.g., from the toolbar .

You will see the OPC UA-Server node in the signal tree under General.

Select the node and then select the Tags tab on the right.

In the tab you will see a signal tree with the tags that ibaPDA makes available. The tags that are

available in the standard version do not have check boxes.

The signals or tags under the Modules node have check boxes and can only be used with the

ibaPDA-OPC-UA-Server+ license.

If the OPC UA Server+ funcon is not enabled in your dongle, a note appears at the top of the

tab.

10 1.2

Conguraon and engineering ibaPDA ibaPDA-OPC-UA-Server+

If the OPC UA Server+ funcon is enabled in your dongle, you will nd a corresponding note in

the tab and you can check the boxes to select signals.

1.2 11

ibaPDA-OPC-UA-Server+ Conguraon and engineering ibaPDA

4.1 OPCUAServer–Conguraon

To congure further sengs, you rst need to enable the OPC UA server in the Conguraon

tab.

Enabled

Check this box to enable the OPC UA server funcon.

StartacquisioneveniftheOPCUAserverfailstostart

If this opon is enabled, the acquision will start even if the OPC UA server cannot be started.

In case of an error, a warning is indicated in the validaon dialog. If the system has been started

without an OPC UA server, ibaPDA will periodically try to start the OPC UA server. If the OPC UA

server has not been started, no OPC UA variables will be published and ibaPDA will not be visi-

ble as an OPC UA server in the network.

12 1.2

Conguraon and engineering ibaPDA ibaPDA-OPC-UA-Server+

Servercercate

Select the cercate that the OPC UA server should use from the drop-down list.

If you have not yet generated or imported a cercate, you can do so by selecng Create new

cercate or Manage cercates from the list.

You will then be redirected to the central cercate store, which you can also nd in the inter-

face tree under General - Cercates.

The handling of cercates is described in chapter ì Cercates, page 15.

Parameters

If required, you can adjust the publishing interval of the OPC UA server here.

If you do not enable this opon (default), the publishing interval is based on the smallest com-

mon mulple of all module me bases – as is the case with all other output interfaces – and is a

minimum of 50 ms.

If you enable this opon, you can set the publishing interval to a higher value, e.g., 500 ms. This

ensures that the OPC UA server does not publish its tags faster than every 500 ms, even if a

higher publishing rate is required by the clients.

This opon can be used, for example, to counteract an overload of the communicaon band-

width if many OPC UA clients are requesng large volumes of data from the server.

At least one of the following login rules should be applied:

Anonymous

If this opon is enabled, clients can log in to the OPC UA server without login credenals (user/

password).

Username/password

If this opon is enabled, clients can only log in if they can authencate themselves by user name

and password as congured in this dialog.

By clicking the buon, the password will be temporarily displayed in a readable format.

Cercate

If this opon is enabled, clients can log in if they can authencate themselves by using a trusted

cercate.

1.2 13

ibaPDA-OPC-UA-Server+ Conguraon and engineering ibaPDA

Security policies

At least one of the opons must be enabled.

If you enable the opon None, then connecons without encrypon are also supported.

For each of the other opons or encrypon types, you can select a security rule with signature

and/or encrypon:

■ Sign

■ Sign & Encrypt

■ Sign + Sign & Encrypt

Note

Basic128Rsa15 and Basic256 encrypon are now obsolete.

For security reasons, the use of Basic256Sha256, Aes128-Sha256-RsaOaep or

Aes256-Sha256-RsaPss encrypon is preferred.

Endpoints

This area of the dialog lets you congure the local endpoints that the server will provide.

An endpoint is a combinaon of an IP address and a port number. Instead of entering a specic

IP address, it is also possible to enter the computer name of the OPC UA server. This applies to

all IP addresses of all network interfaces in the system. The URI (Uniform Resource Idener) is

formed from the IP address or computer name and the port number.

In the example above, OPC UA clients can connect to the OPC UA server from any network using

port 48400 or 48401. In addion, clients can also connect to IP address 172.29.0.100 via port

49000.

14 1.2

Conguraon and engineering ibaPDA ibaPDA-OPC-UA-Server+

The list of endpoints includes some controls:

Buon Funcon

Use this buon to add a new endpoint.

Inially, the new endpoint always has the same data as the local computer, which

then needs to be edited.

This buon lets you duplicate the selected endpoint, which you can then edit.

Use this buon to delete the selected endpoint from the list.

Table 2: Control elements for the endpoint list

By default, the name of the local computer is already entered in the list.

If you click on an endpoint in the list, the buon will appear. Click on this buon to edit the

endpoint.

Select the desired network interface via which the OPC UA clients should communicate. The

drop-down list shows all of the computer's available network interfaces with all IP addresses.

Click <OK> and the selected IP address will be displayed in the list.

Note

Currently only IPv4 addresses are supported.

1.2 15

ibaPDA-OPC-UA-Server+ Conguraon and engineering ibaPDA

4.2 Cercates

Communicaon with the OPC UA server is secured by means of cercates. The cercates are

managed in the central cercate store in ibaPDA. This store also contains other cercates,

e.g., for interfaces and data stores, in addion to the cercates for OPC UA communicaon.

4.2.1 Introducon

For secure and encrypted TLS/SSL communicaon between a client and a server, so-called cerf-

icates are used because they enable secure authencaon.

Before a client can connect to a server, an applicaon cercate must rst be congured. Cerf-

icates can be provided from both the server and client side. Communicaon can only take place

if each partner trusts the partner cercate.

Cercates can either be exchanged spontaneously when a connecon is established or regis-

tered as trusted in advance. If a previously unknown cercate is oered when a connecon is

established, the user must manually accept or reject the cercate. Accepted cercates are

automacally entered into the table in the cercate store and marked as trusted. If the cer-

cate is rejected, then no communicaon will take place.

You can also register cercates and then mark them as "not trusted". Communicaon with

partners with such cercates is then always denied. Once cercates have been registered,

i.e., entered in the table in the cercate store, the user will no longer be noed or prompt-

ed when communicaon is established – regardless of whether the cercates are marked as

"trusted" or "not trusted".

Some interfaces in ibaPDA, such as the e-mail output, use Windows cercates. Other features,

such as OPC UA server or MQTT data stores use cercates from the central cercate store of

ibaPDA.

16 1.2

Conguraon and engineering ibaPDA ibaPDA-OPC-UA-Server+

4.2.2 Centralcercatestore

All registered cercates are listed in a table that is available on the Cercates node in I/O

Manager and in the data store conguraon. The following gure shows the cercate store in

the I/O Manager.

The following gure shows the cercate store in the data store conguraon.

Each line represents one cercate.

By default, the columns Name, Properes, Expiraon date and Used by are displayed.

If necessary, you can select or deselect addional columns in the table's context menu.

1.2 17

ibaPDA-OPC-UA-Server+ Conguraon and engineering ibaPDA

The Name column contains the name of the cercate. This is not necessarily unique, because

several cercates can have the same name. Only the ngerprint is unique for every cercate.

The symbols in the Properes column have the following meaning:

Symbol Meaning

The cercate is trusted as long as it has not expired.

This cercate is not trusted.

A private key for this cercate is available.

This cercate can also be used for user authencaon.

Table 3: Symbols for cercate properes

The Used by column shows by which applicaon/funcon the cercate is used. In the example

shown in the gure above, the cercate ibaPDA003@D is used by the OPC UA server in ibaP-

DA. This means that this cercate was selected during conguraon of the OPC UA server.

The display is a combinaon of the currently open manager (I/O or data storage) and the other

one. The eld in the Used by column has a link funcon. Double-click on a lled eld to jump to

the corresponding conguraon dialog within the opened manager. If the entry belongs to the

other manager, the link will not work. In the example above, double-clicking on the entry "OPC

UA-Server" would directly open the conguraon dialog of the OPC UA server, if this is done

from within the I/O Manager. If you had opened the cercate store in the data logging congu-

raon, the link to the OPC UA server would not work.

Conversely, opening an "MQTT data storage" would only work if the cercate store was

opened from within the data storage conguraon.

18 1.2

Conguraon and engineering ibaPDA ibaPDA-OPC-UA-Server+

4.2.3 Managecercates

The central cercate store is used to manage the cercates. Here you can add, create and

delete cercates.

In the cercate store toolbar you will nd a number of buons with the following funcons:

Buon Funcon

This buon opens a dialog that allows you to load an exisng cercate le. Vari-

ous le formats are supported (.der, .cer, .crt, .cert, .pem, .pfx, .p12). If you have a

cercate with an unknown le extension, expand the le lter to "*.*" and try to

open the le anyway. This works in most cases.

This buon opens a dialog that lets you create a new cercate le.

This buon lets you export a cercate to a le to register it for Windows or anoth-

er applicaon, e.g. on an OPC UA client. Mulple le formats are supported here as

well.

Use this buon to remove the selected cercate from the table.

Use this buon to designate the selected cercate as "trusted".

Use this buon to designate the selected cercate as "not trusted". However, the

cercate will sll remain in the cercate store table. However, cercates that

are not trusted are not available in the selecon list for use in the corresponding

conguraon dialog.

With this buon you can dene whether a cercate can also be used for user au-

thencaon for OPC UA.

Table 4: Buons in the toolbar for cercate management

The commands always refer to the cercate selected in the table, which is indicated by an ar-

row on the le at the start of the line.

1.2 19

ibaPDA-OPC-UA-Server+ Conguraon and engineering ibaPDA

4.2.3.1 Createanewcercate

If there are not yet any cercates that you can load, then you will need to create one.

1. Click on the buon and the following dialog opens

2. Enter any name for the cercate.

3. Enter an applicaon URI if required.

The URI (Uniform Resource Idener) is a globally unique idener for the applicaon, in

this case ibaPDA. If you do not ll in this eld, then – provided that an applicaon URI is

veried by the OPC UA client – a default URI will be generated that consists of the machine

name and applicaon name:

urn:machinename:applicationName.

4. Select the desired validity period for your cercate.

5. Select the desired hash algorithm for encrypon.

SHA-1 is an older hash algorithm that is now considered insecure and whose use is no longer

recommended. Some older or simpler OPC UA clients only support this algorithm. Increas-

ingly, algorithms in the SHA-2 family, e.g., SHA-256, are being used, which oer a higher en-

crypon depth and thus greater security. For security reasons, this should be the preferred

choice, provided that the planned clients also support it.

6. Enter a password of your choice for the private key. If no password has been entered, the

<OK> buon remains inacve. To assign the password, click the <...> buon and enter the

password twice and conrm with <OK>. The password eld must not be le blank. There

are no special requirements for the password. Keep the password in a safe place so that the

self-generated cercate can be exported and used for Windows or other applicaons.

7. Close the dialog with <OK>.

The new cercate is now entered into the list held by the cercate store and immediately as-

signed the properes "trusted" + private key.

You can now also export the cercate and register it with the communicaon partner, e.g., an

OPC UA client. Aerwards, the client can then connect to ibaPDA (OPC UA-Server).

20 1.2

Conguraon and engineering ibaPDA ibaPDA-OPC-UA-Server+

4.2.3.2 Addcercate

1. In the cercate store toolbar, click the buon .

A dialog will open that lets you navigate to the desired cercate le and open it.

Dierent le formats are supported (.der, .cer, .crt, .cert, .pem, .pfx, .p12).

If you have a cercate with an unknown le extension, expand the le lter to "*.*" and try

to open the le anyway. This works in most cases.

2. When the cercate is loaded, it appears in the cercate store list.

3. If you have not already done so, trust the cercate.

Cercates can somemes be added without manual import.

Thus, during the rst connecon aempt by an OPC UA client to the OPC UA server (ibaPDA),

the applicaon cercate of the OPC UA client is automacally added to the cercate list and

inially rejected.

Once you have selected the OPC UA client cercate in the list and conrmed it as trusted with

the buon, the OPC UA client can subsequently connect automacally.

You can use the buon to reject a cercate at any me or to classify it as not trusted.

4.2.3.3 Exportcercates

Cercates created with ibaPDA as well as other cercates in the cercate store can be ex-

ported individually as a le and subsequently used for Windows or other applicaons. An ex-

ported cercate can also be re-imported into ibaPDA.

To export a cercate, rst select the desired cercate in the table and then click the buon

in the toolbar for the cercate store.

If you wish to export a cercate without a private key, a dialog that lets you save the le opens

immediately.

If the cercate to be exported has a private key, there are some opons.

First, you will be asked if the exisng private key should be exported as well. If you answer "no",

the cercate will be saved immediately, just like a cercate without a key.

If you answer "yes", then you must enter the correct password aerwards. The correct pass-

word is the password used when imporng or generang the cercate. If the password is cor-

rect, the cercate can be saved as a .pfx le. This le is password protected and contains the

cercate and the private key.

If the password is incorrect, the cercate will not be exported.

Under certain circumstances, a cercate with a private key may be stored in ibaPDA, however

the key is not password protected. In this case, the cercate can only be exported without a

private key. You will then be noed accordingly.

Page is loading ...

IBA ibaPDA-OPC-UA-Server+ Owner's manual

Related papers