OPC UA

General / What is OPC UA

OPC UA is a cross-platform, open-source, IEC62541 standard for data exchange from sensors to cloud applications developed by the OPC Foundation. It is characterised by:

  • Standardized data models freely available for over 60 types of industrial equipment, published by the OPC Foundation via Companion Specifications

  • Extensible security profiles, including authentication, authorization, encryption and checksums

  • Extensible security key management, including X.509, token and password

  • Support for both client-server and publish-subscribe communication patterns

  • Communication protocol independent. Mappings to several communication protocols like TCP/IP, UDP/ IP, WebSockets, AMQP and MQTT are specified

  • Initially successful in standardized data exchange with industrial equipment (discrete manufacturing, process manufacturing, energy) and systems for data collection and control, but now also leveraged in building automation, weighing and kitchen equipment and cloud applications

  • Open – open-source reference implementations freely available to OPC Foundation members, non members under GPL 2.0 license[2]

  • Cross-platform – not tied to one operating system or programming language

  • Service-oriented architecture (SOA)

  • The specification is freely available on the OPC Foundation website and is split into several parts to ease implementation, but only OPC UA stack vendors need to read them, end users simply leverage existing commercial and/or open-source stacks available in all popular programming languages

More info can be found here on Wikipedia for a general overview, or for a more detailed description from OPC Foundation.

Authentication

How is authentication handled?

Currently, the IOC does not seem to be able to support encrypted message security policy. It does, however, support “None” security mode, and connecting with a username and password, which also appears to require sending the password encrypted with Basic256 (username and password connection works with None security mode, but does not work if there is no certificate and private key provided via the opcuaCLientCertificate option in the st-common.cmd or st.cmd file, which loads the IOC with some other options, such as IP address, node configuration, namespace address, etc. More information on the EPICS OPC UA module can be found here: EPICS OPC UA Documentation.

Authentication configurations in Windows only seem to work with username and password. This is likely due to functionality missing from the open62541 library, the open source library that we use in conjunction with opcua EPICS module. A username and password is set on the PLC itself, and those values can be read at IOC startup to authenticate, and sent via Basic256 encryption to the PLC to sign in. When implementing/installing onto a new instrument, the client_private_key.pem (which needs to either be generated, or gotten from the appropriate instrument’s OPCUA folder from the private network shares), cert.txt (which will need to be edited to reflect current username and password for the target PLC/server), and OPCUA_01.cmd should be moved from the Experiment Controls private network share OPCUA folder, to the instrument’s configurations area, in a new folder that should be named opcua. If done properly, the opcua EPICS module should be able to pick up the user name and password, log in to the OPC server properly, and begin a connection.

Communication

Do any settings in the PLC side need to be adjusted to get communicating properly?

On occasion, a client certificate needs to be trusted manually, from the PLC technician side. However, things should be set up on our PLCs currently deployed; this step is done in deployment/implementation. A security policy might be set that is not what the IOC is trying to use, if everything else seems fine but you are unable to connect. Lastly, another person might be connected to the server (perhaps testing an IOC or something), and they would need to be kicked off in order for the IOC to communicate properly. Speak with Tim Carter or a member of the team, Instrumentation and Control Systems Group, to see if this is the case.

Configuration

Where are instrument-specific configs loaded from

We load instrument specific configs from the $(INSTRUMENT)/configurations/opcua/ folder. This opcua folder is created at implementation time, on the NDX machine. It should contain a OPCUA_01.cmd file, which contains any dbLoadRecords calls, and where paths are specified to the db files for that NDX’s specific OPCUA IOC. If an NDX is missing an opcua folder, create one; if you cannot find it’s OPCUA_01.cmd file, it should be placed in the Experiment Controls private network share, in the OPCUA folder, in a folder specific to that NDX. For example, NDXMAPS’s OPCUA_01.cmd file is in <network share>/OPCUA/MAPS_OPCUA/.

Where are instrument-specific DBs defined

Instrument specific db files are currently defined in ioc/master/OPCUA/OPCUA-IOC-01App/Db. Hence, the db files should have somewhat specific names so as to avoid confusion.

Troubleshooting

As always, be sure to check the IOC log first, if something isn’t working properly. If the IOC has connected properly to the server, the IOC log should print out something like the following:

# namespace 4 urn:OMRON:SomeOpcUaServer:FactoryAutomation

Structure TPG_Gauge { # binaryEncodingId: ns=4;i=5002
  Float Pressure # mandatory opc:Float
  # memberSize=4 alignment=4 padding=0 memSize=4
  Float Lower_Threshold # mandatory opc:Float
  # memberSize=4 alignment=4 padding=0 memSize=8
  Float Upper_Threshold # mandatory opc:Float
  # memberSize=4 alignment=4 padding=0 memSize=12
  String Measured_Value_Status # mandatory opc:CharArray
  # memberSize=16 alignment=8 padding=4 memSize=32
  String Measuring_Circuit_Status # mandatory opc:CharArray
  # memberSize=16 alignment=8 padding=0 memSize=48
  String Switching_Function_Assignment # mandatory opc:CharArray
  # memberSize=16 alignment=8 padding=0 memSize=64
  String Switching_Function_Status # mandatory opc:CharArray
  # memberSize=16 alignment=8 padding=0 memSize=80
  String Filter_Time_Constant # mandatory opc:CharArray
  # memberSize=16 alignment=8 padding=0 memSize=96
}; # alignment=8 memSize=96 8 members
# adding type TPG_Gauge to known types

Which means that the IOC has read data properly from the server and has a good connection.

You will then see output like this, near the bottom of the IOC log:

** Session OPC1: (readComplete) getting data for item ns=4;s=Opc_TPG2_Sensor_B2.Measuring_Circuit_Status = "No measuring channel" (String) Good
** Session OPC1: (readComplete) getting data for item ns=4;s=Opc_TPG2_Sensor_B1.Switching_Function_Assignment = "No assignment" (String) Good
** Session OPC1: (readComplete) getting data for item ns=4;s=Opc_TPG2_Sensor_B1.Switching_Function_Status = "Off" (String) Good
** Session OPC1: (readComplete) getting data for item ns=4;s=Opc_TPG2_Sensor_B1.Filter_Time_Constant = "Slow" (String) Good

If you don’t see this sort of read out at the end of the IOC log, you’ll know that something has gone wrong, and likely there is a repeated output that signifies attempts to connect to the server.

An example of BadInternalError IOC output, which can usually be caused by username and password not being read properly, or the paths not being set properly in the OPCUA_01.cmd file, looks like this:

OPC UA: Autoconnecting sessions
Session OPC1: (initClientSecurity) loading client certificate C:/Instrument/Settings/config/<NDX###>/configurations/opcua/client_cert.der
Session OPC1: (initClientSecurity) loading client private key C:/Instrument/Settings/config/<NDX###>/configurations/opcua/client_private_key.pem
[2025-05-06 08:48:55.699 (UTC+0100)] warn/userland      AcceptAll Certificate Verification. Any remote certificate will be accepted.
[2025-05-06 08:48:55.705 (UTC+0100)] info/securitypolicy        The Basic128Rsa15 security policy with openssl is added.
[2025-05-06 08:48:55.711 (UTC+0100)] info/securitypolicy        The basic256 security policy with openssl is added.
[2025-05-06 08:48:55.716 (UTC+0100)] info/securitypolicy        The basic256sha256 security policy with openssl is added.
[2025-05-06 08:48:55.723 (UTC+0100)] info/securitypolicy        The Aes128Sha256RsaOaep security policy with openssl is added.
OPC UA session OPC1: cannot open credentials file C
OPC UA session OPC1: credentials file C does not contain settings for Username token (user + pass) or Certificate token (cert + key [+ pass])
Session OPC1: (setupSecurity) no security configured
[2025-05-06 08:48:55.736 (UTC+0100)] warn/client        The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2025-05-06 08:48:55.743 (UTC+0100)] warn/client        The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
[2025-05-06 08:48:55.751 (UTC+0100)] warn/client        The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic256
[2025-05-06 08:48:55.759 (UTC+0100)] warn/client        The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
[2025-05-06 08:48:55.766 (UTC+0100)] warn/client        The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep
Session OPC1: secure channel state changed from Closed to HelSent
Session OPC1: secure channel state changed from HelSent to AckReceived
Session OPC1: secure channel state changed from AckReceived to OPNSent
[2025-05-06 08:48:55.785 (UTC+0100)] info/channel       Connection 1704 | SecureChannel 140237378 | SecureChannel opened with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None and a revised lifetime of 600.00s
[2025-05-06 08:48:55.792 (UTC+0100)] info/client        Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good
Session OPC1: secure channel state changed from OPNSent to Open
[2025-05-06 08:48:55.801 (UTC+0100)] info/client        The initially defined EndpointURL opc.tcp://0.0.0.0:4080is valid for the server
[2025-05-06 08:48:55.810 (UTC+0100)] info/client        Rejecting UserTokenPolicy 0 (username) in endpoint 0: configuration doesn't match
[2025-05-06 08:48:55.813 (UTC+0100)] info/client        Rejecting endpoint 1: security mode doesn't match
[2025-05-06 08:48:55.818 (UTC+0100)] info/client        Rejecting endpoint 2: security mode doesn't match
[2025-05-06 08:48:55.822 (UTC+0100)] error/client       No suitable UserTokenPolicy found for the possible endpoints
[2025-05-06 08:48:55.825 (UTC+0100)] info/client        Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: BadInternalError
Session OPC1 irrecoverably failed: BadInternalError
OPC UA session OPC1: connect service failed with status BadInternalError

This output will often repeat, as the client/IOC continually tries to connect to the server/PLC.

You’ll see that the IOC gets quite close to connecting, as it goes from Closed to HelSent, or “hello sent”, then from HelSent to AckReceived, meaning it receives an acknowledgement, and then moves to OPNSent, sending a message to open the connection, which then fails on configuration mismatch. More information about the OPC UA Connection protocol can be found here.