
Starting the Server

  1. Select the Status icon in the ACM Monitor app.

  2. Start the asiDATA service if not already running.

  3. Enable the property checkbox for ‘Show Optional Services’.

  4. Select asiOPCUA then click the Start Services button.

Optionally, you can start the Server using the Windows Services app. The service is named Autosol OPC UA Service.

The OPC UA service is installed with a startup type of ‘Manual’. To have the service start automatically when the computer reboots, use ACM Monitor or the Windows Services app and set the startup type to ‘Automatic’.

On a secondary ACM system that is used as a fail-over, the process, or script, that starts the asiDATA service upon fail-over should also start the asiOPCUA service if OPC UA is being used by clients. If the option "Only Connect To asiData When There Are Active Client Sessions", described below, is enabled, only the OPC UA service needs to be running in order to fail over, because a client connection will cause asiDATA to be started.

Configuring the Server

The Server is configured using the ACM Monitor app. The first time the Server is started or the first time it is configured, a default configuration file is automatically created.

The configuration file asiOpcUa.Config.xml should not be edited directly without consultation from AUTOSOL support staff. Refer to Appendix B.

Start the ACM Monitor app, select the Client Protocols icon then click the OPC UA Configure button. This will show the server configuration dialog.

Properties Tab

image-20241210-221215.png

Button

Function

Save

Saves changes and writes new values to configuration file. Certain changes will require the Server to be stopped and restarted to take effect.

Cancel

Discards any changes and exits dialog.

Reset

Resets all controls to their default value.

Setting

Purpose

Reject SHA1 Signed Certificates

Select this option to reject SHA1 signed client certificates and require only SHA256 certificates. Default - not selected.

Accept Non-Secure Sessions

Select this option to allow client applications to connect a session without encryption (Security Policy None). Default - not selected.

Accept Untrusted Certificates

Select this option to accept untrusted certificates from clients. This option should only be enabled for troubleshooting purposes and disabled during production run time. Default - not selected.

Allow Writes to Items by Anonymous Users

Select this option to allow anonymously connected users to write to items (Nodes) in the address space. Default - not selected.

Only Connect to asiData When There Are Active Client Sessions

Select this option to cause the OPC UA Server to only connect to the asiData service of ACM when it has an active client session. If the asiData service is not running and this option is enabled, the OPC UA server will start asiData then connect. The Server will disconnect from asiData when all client sessions are deleted. Default - not selected.

Send Complete Certificate Chain

Select this option to allow the Server to send the complete certificate chain during a session connection. Default - not selected.

Add Application Certificate to Trusted Store

Select this option to automatically copy the AUTOSOL OPC UA server self-signed certificate to the trusted store. Default - not selected.

Register With Local Discovery Service

Select this option if an OPC UA Local Discovery Service is running and the Server should register with it upon startup. Default - not selected.

Enable Diagnostics

Select this option to enable the collection of the Server’s diagnostic and throughput data. Default - not selected.

Maximum Monitored Items per Call

The maximum number of items that the client can send in one Create Monitored Items request. The client will make multiple calls if the total item count exceeds this value. Default - 1000.

Minimum Certificate Key Size

The minimum certificate key strength that will be accepted. Default - 1024.

Session Nonce Length

The length of the nonce to use in the CreateSession service. Default - 32.

Log Option - Errors

Select this option to log error messages to the ACM logger. Default - not selected.

Log Option - Warning

Select this option to log warning messages to the ACM logger. Default - not selected.

Log Option - Trace

Select this option to log verbose informational messages to the ACM logger. Messages include session creation and deletion, monitored item creation, deletion, mode changes, ACM interaction, among others. Default - not selected.

Log Option – OPC UA Stack

Select this option to log messages from underlying OPC UA stack to the ACM logger. This option provides details of interactions between the OPC UA stack and the client application. Default - not selected.

Log Option - Data Updates

Select this option to log verbose messages to the ACM logger of item updates from ACM to the Server. Default - not selected.

Log Option - Filter

Text used to filter Data Update messages sent to the ACM logger. The filter is used so that only messages that contain the filter text will be displayed in the logger. Data Update messages contain the ACM device and item name of the node being updated. The filter can be a partial or full match of the device name, item name, or combination. Wildcards are not supported. Default - blank.

Service Port – opc.tcp

TCP port to listen on for client opc.tcp connections. Default - 5337.

Service Port - https

TCP port to listen on for client https connections. Default - 6337.

Users Tab

Configuration properties for the validation types used for connected users. A user is defined by the client when it creates a session with the server.

image-20241205-174901.png

Setting

Purpose

Anonymous

Select this option to allow anonymous user connections. Default - selected.

User Name Validation

Select this option to allow username and password connections. Username and password will be validated by Windows. Default - selected.

User Name Policy

Select the encryption policy to use to pass logon information.

Validate User Names in the Domain

Select this option to validate username and passwords, and optionally user groups, in the network domain. Deselect to validate username and password, and optionally user groups, on the local machine account.

User Group for Validation

The user group that the supplied user must be a member of in order to be validated. Leave blank to not validate against a user group. Location of the group is determined by the Validate User Names in the Domain property.

X.509 Certificate

Select this option to validate users by trusted certificate. Default - selected.

X.509 Certificate Policy

Select the encryption policy to use to pass user certificate information.

Brute Force Tab

Configuration properties for Brute Force attack prevention. This limits how often a client user can repeatedly try to create a session using an incorrect username and password combination.

image-20241205-175525.png

Setting

Purpose

Enable Brute Force Attack Prevention

Select this option to enable the Brute Force Attack Prevention mechanism. Default - not selected.

Minimum Retry Interval

The minimum interval (milliseconds) that must pass before a user whose logon failed is allowed to retry the connection. Default - 10000.

Failed Attempts Before Increment

The number of attempts allowed per Minimum Retry Interval for the same user before the interval is increased by the Increment Time Value. Default - 3.

Increment Time Value

Additional delay (milliseconds) added to the retry interval for a connection when an attack is detected. Default - 5000.

Delays Before Stopping New Connections

Number of Increment Time Value delays before stopping any new connection while keeping the old connections alive. Default - 2.

Stop New Connections

Select this option to stop new client connections once the Delays Before Stopping New Connections criterion has been met. Default - selected.
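The following Python model of the Brute Force tab settings is an added example, not Autosol's code, and the way the counters interact is this example's reading of the descriptions above: a failed logon starts a Minimum Retry Interval for that user; attempts arriving before the interval has passed count toward Failed Attempts Before Increment; when that count is reached the user's interval grows by Increment Time Value; and after Delays Before Stopping New Connections such increases, new session creation is refused while existing sessions are left alone. The `resume_new_connections` method is also an assumption, since the page does not say how the stop is lifted; the class, field and reason names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class BruteForceSettings:
    """Defaults mirror the Brute Force tab (the mechanism is enabled here to show it working)."""
    enabled: bool = True
    minimum_retry_interval_ms: int = 10_000
    failed_attempts_before_increment: int = 3
    increment_time_value_ms: int = 5_000
    delays_before_stopping_new_connections: int = 2
    stop_new_connections: bool = True


@dataclass
class _UserState:
    retry_interval_ms: int      # interval this user must currently wait after a failed logon
    retry_after_ms: int = 0     # earliest time the user may try again
    early_attempts: int = 0     # attempts made before retry_after_ms in the current interval
    increments: int = 0         # how many times the interval has been increased


class BruteForceGuard:
    """Per-user retry throttle plus a server-wide stop on new connections (example model)."""

    def __init__(self, settings: Optional[BruteForceSettings] = None):
        self.settings = settings or BruteForceSettings()
        self._users: Dict[str, _UserState] = {}
        self.new_connections_stopped = False

    def _state(self, user: str) -> _UserState:
        if user not in self._users:
            self._users[user] = _UserState(retry_interval_ms=self.settings.minimum_retry_interval_ms)
        return self._users[user]

    def attempt(self, user: str, credentials_ok: bool, now_ms: int) -> Tuple[bool, str]:
        """Evaluate one CreateSession attempt; returns (accepted, reason)."""
        s = self.settings
        if not s.enabled:
            return (credentials_ok, "ok" if credentials_ok else "bad_credentials")
        if self.new_connections_stopped:
            # Existing sessions are unaffected; only new session creation is refused.
            return (False, "new_connections_stopped")
        st = self._state(user)
        if now_ms < st.retry_after_ms:
            # Retrying inside the interval counts toward Failed Attempts Before Increment.
            st.early_attempts += 1
            if st.early_attempts >= s.failed_attempts_before_increment:
                st.early_attempts = 0
                st.retry_interval_ms += s.increment_time_value_ms
                st.increments += 1
                st.retry_after_ms = now_ms + st.retry_interval_ms
                if s.stop_new_connections and st.increments >= s.delays_before_stopping_new_connections:
                    self.new_connections_stopped = True
            return (False, "retry_too_soon")
        if credentials_ok:
            self._users.pop(user, None)  # a successful logon clears the user's history
            return (True, "ok")
        st.retry_after_ms = now_ms + st.retry_interval_ms
        return (False, "bad_credentials")

    def retry_interval_ms(self, user: str) -> int:
        """Current retry interval for a user (the configured minimum until it has been incremented)."""
        return self._state(user).retry_interval_ms

    def resume_new_connections(self) -> None:
        """Administrative reset; assumed here, the page does not describe how the stop is lifted."""
        self.new_connections_stopped = False
        self._users.clear()


if __name__ == "__main__":
    guard = BruteForceGuard()
    # Constructed sequence: one bad password followed by hammering inside the retry interval.
    for t in (0, 1_000, 2_000, 3_000, 10_500, 11_000, 11_500):
        print(t, guard.attempt("alice", False, t), guard.retry_interval_ms("alice"))
    print("new connections stopped:", guard.new_connections_stopped)
```

With the defaults, a single wrong password followed by three retries inside the 10000 ms window raises that user's interval to 15000 ms; three more early retries raise it to 20000 ms, which is the second increment and trips the server-wide stop on new connections.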

Reverse Connect Tab

Configuration properties for defining reverse connect clients. Usually, a connection is opened by the Client to the Server. This will fail, however, when Servers are behind firewalls. In the reverse connectivity scenario, the Client accepts a connection request initiated by the Server and establishes a UA Secure Channel and Session using this open socket connection. The Server will attempt to connect to all enabled reverse clients upon startup.

The client application must also support reverse connections.

An inbound firewall rule must be created on the client PC to allow incoming connections to the port the client application is listening on for reverse connections.

When configuring the OPC UA server’s Endpoint URL in the client application, the URL must match the base address URL the server is using. The TCP address of the server usually will not work. You can find the server’s URL by browsing, in the client, for the endpoint or by looking in the ACM logger for the startup messages from the OPC UA server. The server will log a message similar to the following documenting the base address endpoint:

2024/12/30 15:03:56.893, Info, asiOPC_UA.30, asiOPC_UA.30, BaseAddress 0: opc.tcp://autosol1134:5337/asiOPC_UA

image-20241205-202422.png

Setting

Purpose

Connect Interval

The interval (milliseconds) at which the Server periodically tries to connect to clients until successful. Default - 10000.

Connect Timeout

The default timeout (milliseconds) to wait for a response from a client when attempting to reverse connect. Default - 30000.

Reject Timeout

The timeout (milliseconds) to wait for a rejection response from the client when attempting to reverse connect. Default - 20000.

Reverse Connect Clients Control

This control is used to add, view, and delete the configured reverse connect clients. The list box will contain the connections that the user has defined. If a connection is enabled it will have a green check mark next to it. If disabled, it will have a red X. The configuration property controls are bound to a datasource and can be edited in place without the need to click the Save button between edits.

Setting

Purpose

Plus Button

Adds a new connection to the list and populates default values in the property controls.

Minus Button

Deletes the selected connection from the list.

Endpoint URL

The IP address or host name of the client’s endpoint and the IP port used for connection. The URL should be in the format “opc.tcp://{host}:{port number}”. Reverse HTTPS connections are not supported. Default - opc.tcp://host:port.

Timeout

The timeout (milliseconds) to wait for a response from the client when attempting to reverse connect, if the value needs to be different from the default timeout above. Default - 30000.

Max Session Count

The maximum number of sessions the client can create on the Server. A value of zero means no limit. Default - 0.

Enabled

Select this option to enable the Server to initiate a reverse connection to this client. Default - enabled.
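Two checks from the reverse connect setup above, as an added Python example that is not part of the product: `base_addresses` pulls the server's base address endpoint URL out of ACM logger lines in the format shown earlier (so the URL entered in the client matches what the server actually logged), and `client_endpoint_url_error` checks a Reverse Connect Clients Endpoint URL against the documented opc.tcp://{host}:{port} form, rejecting https. The log lines, host names, ports and the second BaseAddress entry are constructed for this example.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample of ACM logger output in the format the page shows; host names,
# ports and the https base address are made up for this example.
SAMPLE_LOG = """\
2024/12/30 15:03:56.890, Info, asiOPC_UA.30, asiOPC_UA.30, Starting OPC UA server
2024/12/30 15:03:56.893, Info, asiOPC_UA.30, asiOPC_UA.30, BaseAddress 0: opc.tcp://autosol1134:5337/asiOPC_UA
2024/12/30 15:03:56.894, Info, asiOPC_UA.30, asiOPC_UA.30, BaseAddress 1: https://autosol1134:6337/asiOPC_UA
2024/12/30 15:03:57.001, Warning, asiOPC_UA.30, asiOPC_UA.30, Reverse connect to opc.tcp://hmi01:4840 timed out
"""

_BASE_ADDRESS = re.compile(r"BaseAddress (\d+): (\S+)")


def base_addresses(log_text: str) -> List[str]:
    """Return the endpoint URLs from the server's BaseAddress startup messages, in index order."""
    found = {}
    for line in log_text.splitlines():
        # Fields are comma separated: timestamp, level, source, source, message.
        parts = line.split(", ", 4)
        if len(parts) < 5:
            continue
        m = _BASE_ADDRESS.search(parts[4])
        if m:
            found[int(m.group(1))] = m.group(2)
    return [found[i] for i in sorted(found)]


def client_endpoint_url_error(url: str) -> Optional[str]:
    """Check a Reverse Connect Clients 'Endpoint URL' against the documented
    opc.tcp://{host}:{port} form. Returns None when acceptable, otherwise a short reason."""
    parts = urlsplit(url)
    if parts.scheme != "opc.tcp":
        return "scheme must be opc.tcp (reverse https connections are not supported)"
    if not parts.hostname:
        return "missing host name or IP address"
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return "port is not a valid number"
    if port is None:
        return "missing port number"
    return None


if __name__ == "__main__":
    print("server base addresses:", base_addresses(SAMPLE_LOG))
    for candidate in ("opc.tcp://hmi01:4840", "https://hmi01:4840", "opc.tcp://host:port", "opc.tcp://hmi01"):
        print(candidate, "->", client_endpoint_url_error(candidate) or "ok")
```

The default value shown in the Endpoint URL box, opc.tcp://host:port, is deliberately reported as invalid by the checker, since it is a template rather than a usable address.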

PKI Tab

Configuration properties specifying the location of the PKI certificate stores. Clicking an ellipsis (...) button shows a folder selection dialog. The default location of the Server’s store is shown in the graphic below.

The paths shown are the base folder for each certificate store. Each store can contain multiple sub-folders, depending upon the use, and all will have a sub-folder 'certs'. The certs sub-folder is the location where the actual certificate files will be stored. Example: The public certificate file for a trusted application would be copied to the folder "..\pki\trusted\certs".

Do not include the 'certs' sub-folder when building the PKI paths in the edit boxes.

image-20241205-221304.png

Setting

Purpose

Base Certificate Store

Shows the folder selection dialog to select the base folder path of the PKI certificate store. Once selected, all the path edit boxes will be updated to the base folder path.

Application Certificate

Location of the OPC UA Server application instance certificate. If the “Add Application Certificate to Trusted Store” property is enabled on the properties tab, a self-signed certificate will be generated and stored here. If using an application certificate generated by a certificate authority, it is stored here.

Trusted Peer

The location used to store the trusted UA client application instance certificates. This store will contain the public key certificates of the trusted application instances.

Trusted Issuer

Location of trusted peer certificate authority certificates, if required. If using an application certificate, either the server’s or a client’s, generated by a certificate authority, the public key file of the authority must be stored here.

Rejected Certificates

Location to which the server moves rejected certificates.

Trusted Users

The location used to store the trusted UA application user certificates. This store will contain the public key certificates of the trusted user instances.

User Issuer

Location of user certificate authority, if required. If using a user certificate generated by a certificate authority, the public key file of the authority must be stored here.
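A small path check for the PKI tab, added as an example and not part of the product: `store_paths` derives every store's base folder from one root the way the Base Certificate Store button does, `certificate_folder` gives the 'certs' sub-folder where certificate files actually land, and `path_problems` flags edit-box values that wrongly end in 'certs'. Only the 'trusted' sub-folder name comes from the page; the other sub-folder names and the sample root folder are this example's assumptions.

```python
from pathlib import PureWindowsPath
from typing import Dict, List

# Sub-folder per store. 'trusted' is from the page's example path; the others are assumed
# names for illustration, not necessarily the server's actual folder names.
STORE_SUBFOLDERS = {
    "Application Certificate": "own",
    "Trusted Peer": "trusted",
    "Trusted Issuer": "issuer",
    "Rejected Certificates": "rejected",
    "Trusted Users": "trustedUser",
    "User Issuer": "userIssuer",
}


def store_paths(base: str) -> Dict[str, PureWindowsPath]:
    """Derive each store's base folder from one root, as the Base Certificate Store button does."""
    root = PureWindowsPath(base)
    return {name: root / sub for name, sub in STORE_SUBFOLDERS.items()}


def certificate_folder(store_path: str) -> PureWindowsPath:
    """Folder where the certificate files live: the 'certs' sub-folder of the store."""
    return PureWindowsPath(store_path) / "certs"


def path_problems(configured: Dict[str, str]) -> List[str]:
    """Flag edit-box values that end in 'certs', which the page says must not be included."""
    problems = []
    for name, value in configured.items():
        if PureWindowsPath(value).name.lower() == "certs":
            problems.append(f"{name}: remove the trailing 'certs' folder from {value}")
    return problems


if __name__ == "__main__":
    # Constructed sample root folder; the real default is shown in the PKI tab graphic.
    for name, path in store_paths(r"C:\example\pki").items():
        print(f"{name:24} {path}  (files in {certificate_folder(str(path))})")
    print(path_problems({"Trusted Peer": r"..\pki\trusted\certs", "Trusted Issuer": r"..\pki\issuer"}))
```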

Certificates Tab

Utilities to view, import, and export certificates to/from the ACM PKI.

The PKI paths on the PKI tab should be set to the correct folders before using the controls on this tab.

image-20241205-222248.png

Setting

Purpose

Application Certificate Lifetime

The length of time (months) that the Server’s auto-generated, self-signed certificate will be valid before expiring. To generate new self-signed certificates:

  1. Stop the OPC UA service.

  2. Click the View Own Certificates button above.

  3. Select the existing application certificate then click the Delete Certificate button.

  4. Exit dialogs.

  5. Start the OPC UA service.

View Certificates

Controls to view related certificates in the local PKI. Clicking a button will bring up the OPC UA Certificates dialog. Information about the selected type of certificates will be shown in the grid control.

image-20241209-161603.png

Control

Purpose

Filter Certificate Type

Change the type of certificate currently being shown in the grid.

Delete Certificate

Deletes the currently selected certificate files from the local PKI. If the type of certificate selected is Own, both the public key and the private key file will be deleted.

Close

Exits the dialog.

Import Certificates

Controls to import certificates into the local ACM PKI. Public key certificate files should be of type DER. Private key files imported into the Own folder can be either PFX or PEM types.

Selecting one of the following controls will bring up a File Selection dialog to select the public key certificate file to import.

Control

Purpose

Trusted

Import trusted client application certificate.

Trusted User

Import trusted user certificates.

Issuer

Import the certificate of the certificate authority used to create client trusted certificates.

User Issuer

Import the certificate of the certificate authority used to create user certificates.

Import Own Certificates

Control to import certificate authority created application certificates to use with the ACM OPC UA server. The ACM OPC UA server automatically creates a self-signed application certificate in the PKI on initial start up. If your organization requires the use of an application certificate created by an authority, instead of the self-signed one, use this control to import it. Clicking the Own button will show the Import Own Certificates dialog.

Click the ellipsis (...) buttons next to the filename display boxes to select the certificate file. You must select both the public and the private key files.

image-20241209-174716.png

Setting

Purpose

Private Key Password

Enter the password for the private key file. If the private key file is not password protected, leave the edit box blank.

OK

Imports the selected files, then exits the dialog.

Cancel

Exit dialog without importing files.

Once a password is entered and the OK button clicked, there is no way to retrieve the password after import. If you enter the wrong password, simply re-import the same files and enter the correct password. Select Yes when prompted to overwrite the existing files.
