Porovnávané verzie

Stará verzia 49

changes.mady.by.user D2000 Dev Team

Uložené

porovnané s

Nová verzia Aktuálny

changes.mady.by.user D2000 Dev Team

Uložené

Kľúč

  • Tento riadok sa pridal
  • Riadok je odstránený.
  • Formátovanie sa zmenilo.

...

  • Simatic S-7 OPC UA Server
  • Bernecker PLC embedded OPC UA Server
  • Zenon OPC UA Server
  • Prosoft EtherNet/IP to Modbus TCP/IP to OPC UA Server Gateway (PLX32-EIP-MBTCP-UA)

Forced disconnection: If all stations on the line are in the simulation mode or the communication is stopped for them, the line will be disconnected (the communication socket will be closed). If the simulation is disabled for at least one station and the communication is not stopped for it (the Parameters tab of the Station type object), the line will be connected again.

...

Parameter nameMeaningUnitDefault value

Kotva
ct
ct
Client Type

Type of used client (driver for OPC UA communication):

  • Default - an original implementation of OPC UA client. Supports It supports authentication (parameter Authentication Type) of Anonymous/Username types only. It does not support message encryption or signing.
  • Secure - a new implementation of OPC UA client with security support. Supports advanced authentication, encryption, and message signing capabilities.

Default

Secure

Default

Kotva
sn
sn
Session Name

Session text identifier. The Session identifier should be unique within the client instance, making it possible to search problems faster in the client or server logs.StringKom process
Kotva
cl
cl
Requested Channel Lifetime
The channel must be reopened before this time limit elapses. If the time is exceeded, the channel will be closed and unable to change data.hh:mm:ss01:00:00
Kotva
st
st
Requested Session Timeout
Any message should be changed between client and server before this time limit elapses. If it is not sent, the sources within the session that are kept on the server are released. The primary work of this parameter is to remove the sessions that became inactive because of some unexpected reason.mm:ss01:00
Kotva
at
at
Authentication Type
Type of authentication used with the OPC UA server. Supported types are:
  • Anonymous: logon is anonymous
  • Username: logon uses the user name and password
  • Certificate: logon uses x509 certificate (only for Client Type = Secure)
Anonymous / UsernameAnonymous
Kotva
tun
tun
Token User Name
If Authentication type = Username, then the user name used in the authentication.
If Authentication type = Certificate, then the path to the user certificate (e.g. D:\user_cert.der).

Kotva
pwd
pwd
Token Password
If Authentication type = Username, then the password used in the authentication.
If Authentication type = Certificate, then the path to the user private key (e.g. D:\user_private_key.pem).

Kotva
sp
sp
Security Policy

Security policy (only for Client Type = Secure; for Client TypeDefault a security policy None is used):

  • None - security policy None
  • Basic128Rsa15 - security policy Basic128Rsa15 (considered to be obsolete due to using a weak SHA-1 hashing algorithm)
  • Basic256 - security policy Basic256 (considered to be obsolete due to using a weak SHA-1 hashing algorithm)
  • Basic256Sha256 - security policy Basic256Sha256
  • Aes128Sha256RsaOaep - security policy Aes128Sha256RsaOaep
  • Aes256Sha256RsaPss - security policy Aes256Sha256RsaPss
None
Basic128Rsa15
Basic256
Basic256Sha256
Aes128Sha256RsaOaep
Aes256Sha256RsaPss		None

Kotva
sm
sm
SecurityMode

A mode of message security in OPC UA communication (only for Client Type = Secure; for Client TypeDefault a mode of message security None is used):

  • None - messages are not secured 
  • Sign - messages are signed (protected against modification, but not against eavesdropping)
  • Sign & Encrypt- messages are signed and encrypted (protected both against modification and eavesdropping)
None
Sign
Sign & Encrypt		None

Kotva
ppi
ppi
Preferred Policy Id

Identifier of preferred Security Policy (only for Client TypeDefault for password encryption). If the OPC UA offers several security policies, it is possible to select a specific one according to the identifier sent by the OPC server (the identifier can be found in the logs). Examples of an identifier (text form is in parentheses):
PolicyId: 30 (0)
PolicyId: 31 (1)
PolicyId: 75 73 65 72 6E 61 6D 65 5F 62 61 73 69 63 31 32 38 52 73 61 31 35 (username_basic128Rsa15)
PolicyId: 75 73 65 72 6E 61 6D 65 5F 62 61 73 69 63 32 35 36 53 68 61 32 35 36 (username_basic256Sha256)		--

Kotva
rcd
rcd
Reconnect Delay

Waiting after the connection is broken before the connection is re-established.mm:ss.mss00:10.000

Kotva
ecd
ecd
Error Connect Delay

Waiting after an unsuccessful connection attempt.mm:ss.mss00:02.000

Kotva
ord
ord
Object Reinit Delay

Waiting after an unsuccessful attempt to create monitored items. If it is zero, the attempt is not repeated. If it is non-zero, the attempt is repeated after the defined wait.
Note: in the case of a specific OPC UA server (Simatic S-7), it could happen that after restarting the PLC the creation of monitored items failed, but after some time (after the complete initialization of the PLC?) the creation was already successful.

sec0

Kotva
dsf
dsf
Disconnect On ServiceFault

Terminating the connection after receiving a ServiceFault.YES/NONO

Kotva
dm
dm
Debug Mode

It changes the number of information about communication. We recommend enabling the Extended/Full modes only when detecting the problems and debugging the communication. The "Full + Trace (Secure only)" mode is valid only for Client Type = Secure.Normal/Extended/Full/
Full + Trace (Secure only)		Normal
Kotva
dt
dt
Debug Threads
The parameter defines the thread(s) that will send the debug info about the communication.Receiving/Sending/Others treads/All threadsAll threads

Kotva
kom-opcua
kom-opcua
Note: all X509 certificates used in OPC UA communication can be found in the following subdirectories of the kom-opcua directory in the application directory:

  • own - a directory with the KOM process's own certificate (file cert.der). If this file does not exist, it is generated
    Warning - this automatically generated certificate will only be valid for 1 year, so we recommend replacing it with a certificate valid for a longer period!
  • private - a directory with a private key for the KOM process's own certificate (file private.pem)
  • rejected - a directory with rejected certificates
  • trusted - a directory with trusted certificates (the first time a connection is established to an OPC UA server, its certificate is stored in this directory)

...

Kotva
protokol_merany_bod
protokol_merany_bod
I/O tag configuration

...


The I/O tag configuration dialog window is used for setting the monitored objects.

...

OPC Foundation manuals are placed on available at http://www.opcfoundation.org.

...

  • Ver. 1.0 – May 10, 2012
  • Ver. 1.1 - December 17, 2018: Added browser dialog recycling and browsing of structured tags
  • Ver. 1.2 - April 4, 2024: Added support for browsing all tag types


Info
titleGenerating client certificates

Generating client certificates for OPC UA using OpenSSL. On Windows we used https://slproweb.com/products/Win32OpenSSL.html.

Before generating, you need to create a file domain.ext with the following content:


subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=critical, CA:TRUE, pathlen:0
keyUsage = critical,  digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = servername
URI.1 = urn:Scada:Ipesoft:D2000 Kom


Edit the URI.1 entry, syntax is urn:<computer>:<vendor>:<application>
and the DNS.1 entry (server name) if necessary.

Then generate a key (e.g. ProSoft PLX32-EIP-MBTCP-UA Multi-Protocol Gateway needed 2048-bit, other devices accepted 4096-bit):

openssl genrsa -out private.pem 2048

and generate a certificate signing request (CSR):

openssl req -new -key private.pem -out private.csr

Then, you need to enter several parameters. Following the UaExpert, we only fill in Organization Name, Common Name, and Email Address, and instead of the other parameters, we enter a dot (so that they are empty).

Country Name (2 letter code) [AU]:.
        State or Province Name (full name) [Some-State]:.
        Locality Name (eg, city) []:.
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
        Organizational Unit Name (eg, section) []:.
        Common Name (e.g. server FQDN or YOUR name) []:kom@servername
        Email Address []:ipesoft@ipesoft.com
        
        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:

Then generate a certificate valid for days (10000 corresponds to approximately 27 years).

openssl x509 -req -days 10000 -in private.csr -signkey private.pem -out cert.crt  -extfile domain.ext

Convert the certificate cert.crt to der format:

openssl x509 -inform pem -in cert.crt -outform der -out cert.der

Copy the resulting certificate (cert.der) to the own directory and the private key (private.pem) to the private directory in the kom-opcua directory, see note.
Note: the private key/certificate generated in this way can also be used for the Unified Automation UaExpert tool.


Info
titleRelated pages:

Communication protocols

...