...

Start the ACM Monitor app, select the Client Protocols icon then click the OPC UA Configure button. This will show the server configuration dialog.

Properties Tab

Button

Function

Save

Saves changes and writes new values to configuration file. Certain changes will require the Server to be stopped and restarted to take effect.

Cancel

Discards any changes and exits dialog.

Reset

Resets all controls to their default value.

...

Configuration properties for the validation types used for connected users. A user is defined by the client when it creates a session with the server.

...

Setting

Purpose

Anonymous

Select this option to allow anonymous user connections. Default - selected.

User Name Validation

Select this option to allow username and password connections. Username and password will be validated by Windows. Default - selected.

User Name Policy

Select the encryption policy used to pass logon information.

Validate User Names in the Domain

Select this option to validate usernames and passwords, and optionally user groups, in the network domain. Deselect to validate usernames and passwords, and optionally user groups, against the local machine accounts.

User Group for Validation

The user group that the supplied user must be a member of in order to be validated. Leave blank to not validate against a user group. Location of the group is determined by the Validate User Names in the Domain property.

X.509 Certificate

Select this option to validate users by trusted certificate. Default - selected.

X.509 Certificate Policy

Select the encryption policy used to pass user certificate information.

...

Configuration properties for Brute Force attack prevention. This limits a client user from repeatedly trying to create a session using an incorrect username or password combination.

...

Setting

Purpose

Enable Brute Force Attack Prevention

Select this option to enable the Brute Force Attack Prevention mechanism. Default - not selected.

Minimum Retry Interval

The minimum interval (milliseconds) that must pass before a failed user is allowed to retry connecting. Default - 10000

Failed Attempts Before Increment

The number of attempts allowed per Minimum Retry Interval for the same user before the interval is increased by the Increment Time Value. Default - 3

Increment Time Value

Additional delay (milliseconds) added to the retry interval for a connection when an attack is detected. Default - 5000

Delays Before Stopping New Connections

Number of Increment Time Value delays before stopping any new connection while keeping the old connections alive. Default - 2

Stop New Connections

Select this option to stop new client connections once the Delays Before Stopping New Connections criterion has been met. Default - selected.
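The following sketch models how the retry delay escalates under the default values in the table above. It is an added example, not the server's own code, and it assumes one reading of the settings: each block of Failed Attempts Before Increment failures by the same user adds one Increment Time Value, and new connections stop once Delays Before Stopping New Connections increments have been applied. All function and class names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BruteForceSettings:
    # Defaults as listed in the settings table (times in milliseconds).
    min_retry_interval_ms: int = 10000
    failed_attempts_before_increment: int = 3
    increment_time_ms: int = 5000
    delays_before_stopping: int = 2
    stop_new_connections: bool = True


def lockout_schedule(failed_attempts, s=BruteForceSettings()):
    """Model the retry interval imposed after each consecutive failed logon.

    Assumed reading of the settings (not the server's implementation):
    every `failed_attempts_before_increment` failures add one increment to
    the interval; after `delays_before_stopping` increments the server stops
    accepting new connections if `stop_new_connections` is selected.
    Returns a list of (attempt_number, retry_interval_ms, new_connections_stopped).
    """
    if s.failed_attempts_before_increment < 1:
        raise ValueError("failed_attempts_before_increment must be >= 1")
    schedule = []
    for attempt in range(1, failed_attempts + 1):
        increments = attempt // s.failed_attempts_before_increment
        interval = s.min_retry_interval_ms + increments * s.increment_time_ms
        stopped = s.stop_new_connections and increments >= s.delays_before_stopping
        schedule.append((attempt, interval, stopped))
        if stopped:
            break  # no further attempts are accepted in this model
    return schedule


def minimum_elapsed_ms(schedule):
    """Total enforced wait before the last attempt in the schedule."""
    return sum(interval for _, interval, _ in schedule[:-1])


if __name__ == "__main__":
    for row in lockout_schedule(10):
        print(row)
    print("enforced wait (ms):", minimum_elapsed_ms(lockout_schedule(10)))
```

Changing the values in `BruteForceSettings` shows how many failed logons a single user gets, and over what minimum time, before new connections are refused.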

Reverse Connect Tab

Configuration properties for defining reverse connect clients. Usually, a connection is opened by the Client to the Server. This will fail, however, when Servers are behind firewalls. In the reverse connectivity scenario, the Client accepts a connection request initiated by the Server and establishes a UA Secure Channel and Session using this open socket connection. The Server will attempt to connect to all enabled reverse clients upon startup.

...

The client application must also support reverse connections.

...

When configuring the OPC UA server’s Endpoint URL in the client application, the URL must match the base address URL the server is using. The TCP address of the server usually will not work. You can find the server’s URL by browsing, in the client, for the endpoint or by looking in the ACM logger for the startup messages from the OPC UA server. The server will log a message similar to the following documenting the base address endpoint:

2024/12/30 15:03:56.893, Info, asiOPC_UA.30, asiOPC_UA.30, BaseAddress 0: opc.tcp://autosol1134:5337/asiOPC_UA
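To confirm that a client's configured Endpoint URL matches the base address the server logged, the check below parses the startup message and compares the two URLs field by field. It is an added example, not part of the product; the function names are hypothetical, the first sample log line is constructed, and the address 192.0.2.10 is a documentation placeholder.

```python
import re
from urllib.parse import urlsplit

# Startup message format as shown in the log line above: "BaseAddress <n>: <url>"
BASE_ADDRESS_RE = re.compile(r"BaseAddress\s+(\d+):\s*(\S+)")

# First line is constructed for this example; the second is the message quoted above.
SAMPLE_LOG = [
    "2024/12/30 15:03:56.101, Info, asiOPC_UA.30, asiOPC_UA.30, Starting server",
    "2024/12/30 15:03:56.893, Info, asiOPC_UA.30, asiOPC_UA.30, "
    "BaseAddress 0: opc.tcp://autosol1134:5337/asiOPC_UA",
]


def base_addresses(log_lines):
    """Return {index: url} for every BaseAddress startup message found."""
    return {int(m.group(1)): m.group(2)
            for m in map(BASE_ADDRESS_RE.search, log_lines) if m}


def url_parts(url):
    """Split an endpoint URL into comparable fields (host is case-insensitive)."""
    u = urlsplit(url)
    return {"scheme": u.scheme.lower(), "host": (u.hostname or "").lower(),
            "port": u.port, "path": u.path.rstrip("/")}


def check_client_url(client_url, log_lines):
    """Return (ok, detail) for a client's Endpoint URL against the logged addresses."""
    logged = base_addresses(log_lines)
    if not logged:
        return False, "no BaseAddress message in log"
    try:
        want = url_parts(client_url)
    except ValueError:  # .port raises on a non-numeric or out-of-range port
        return False, "malformed port in client URL"
    for url in logged.values():
        diff = [k for k, v in url_parts(url).items() if v != want[k]]
        if not diff:
            return True, "matches " + url
    # No logged address matched; report against the last one compared.
    return False, "differs in " + ", ".join(diff) + " from " + url


if __name__ == "__main__":
    print(check_client_url("opc.tcp://192.0.2.10:5337/asiOPC_UA", SAMPLE_LOG))
```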

...

Setting

Purpose

Connect Interval

The interval (milliseconds) to periodically try to connect to clients until successful. Default - 10000

Connect Timeout

The default timeout (milliseconds) to wait for a response from a client when attempting to reverse connect. Default - 30000

Reject Timeout

The timeout (milliseconds) to wait for a rejection response from the client when attempting to reverse connect. Default - 20000

Reverse Connect Clients Control

This control is used to add, view, and delete the configured reverse connect clients. The list box will contain the connections that the user has defined. If a connection is enabled it will have a green check mark next to it. If disabled, it will have a red X. The configuration property controls are bound to a datasource and can be edited in place without the need to click the Save button between edits.

...

Setting

Purpose

Plus Button

Adds a new connection to the list and populates default values in the property controls.

Minus Button

Deletes the selected connection from the list.

Endpoint URL

The IP address or host name of the client’s endpoint and the IP port used for connection. The URL should be in the format of “opc.tcp://{host}:{port number}”. Reverse HTTPS connections are not supported. Default - opc.tcp://host:port

Timeout

The timeout (milliseconds) to wait for a response from the client when attempting to reverse connect, if the value needs to be different than the default timeout above. Default - 30000

Max Session Count

The maximum sessions the client can create on the Server. A value of zero means no limit. Default - 0

Enabled

Select this option to enable the Server to initiate a reverse connection to this client. Default - enabled

PKI Tab

Configuration properties specifying the location of the PKI certificate stores. Clicking an ellipsis button shows a folder selection dialog. The default location of the Server’s store is shown in the graphic below.

Info

The paths shown are the base folder for each certificate store. Each store can contain multiple sub-folders, depending upon the use, and all will have a sub-folder 'certs'. The certs sub-folder is the location where the actual certificate files will be stored. Example: The public certificate file for a trusted application would be copied to the folder "..\pki\trusted\certs". 

Do not include the 'certs' sub-folder when building the PKI paths in the edit boxes. 

...

Setting

Purpose

Base Certificate Store

Shows the folder selection dialog to select the base folder path of the PKI certificate store. Once selected, all the path edit boxes will be updated to the base folder path.

Application Certificate

Location of the OPC UA Server application instance certificate. If the “Add Application Certificate to Trusted Store” property is enabled on the properties tab, a self-signed certificate will be generated and stored here. If using an application certificate generated by a certificate authority, it is stored here.

Trusted Peer

The location used to store the trusted UA client application instance certificates. This store will contain the public key certificates of the trusted application instances.

Trusted Issuer

Location of trusted peer certificate authority certificates, if required. If using an application certificate, either the server’s or a client’s, generated by a certificate authority, the public key file of the authority must be stored here.

Rejected Certificates

Location the server will move rejected certificates to.

Trusted Users

The location used to store the trusted UA application user certificates. This store will contain the public key certificates of the trusted user instances.

User Issuer

Location of user certificate authority, if required. If using a user certificate generated by a certificate authority, the public key file of the authority must be stored here.

...

Info

The PKI paths on the PKI tab should be set to the correct folders before using the controls on this tab.

...

Setting

Purpose

Application Certificate Lifetime

The length of time (months) that the server’s auto-generated, self-signed certificate will be valid before expiring. To generate new self-signed certificates:

  1. Stop the OPC UA service.

  2. Click the View Own Certificates button above.

  3. Select the existing application certificate then click the Delete Certificate button.

  4. Exit dialogs.

  5. Start the OPC UA service.

...