Using OPC UA - ACM Monitor

Starting the Server

Select the Status icon in the ACM Monitor app.
Start the asiData service if not already running.
Enable the property checkbox for ‘Show Optional Services’.
Select asiOPCUA then click the Start Services button.

Optionally, you can start the Server using the Windows Services app. The service is named Autosol OPC UA Service.

The OPC UA service is set to a service start up type of ‘Manual’ when installed. To have the service start up automatically when the computer reboots, use the Windows Services app and set the start up type to ‘Automatic’.

On a secondary ACM system that is used as a fail-over, the process, or script, that starts the asiData service upon fail-over should also start the asiOpcUa service if OPC UA is being used by clients. If the option "Only Connect To asiData When There Are Active Client Sessions" described below, is enabled, only the OPC UA service needs to be running in order to do a fail over as a client connection will cause asiData to be started.

Configuring the Server

The Server is configured using the ACM Monitor app. The first time the Server is started or the first time it is configured, a default configuration file is automatically created.

The configuration file asiOpcUa.Config.xml should not be edited directly without consultation from AUTOSOL support staff. Refer to Appendix B.

Start the ACM Monitor app, select the Client Protocols icon then click the OPC UA Configure button. This will show the server configuration dialog.

Properties Tab

Button	Function
Save	Saves changes and writes new values to configuration file. Certain changes will require the Server to be stopped and restarted to take effect.
Cancel	Discards any changes and exits dialog.
Reset	Resets all controls to their default value.

Setting	Purpose
Reject SHA1 Signed Certificates	Select this option to reject SHA1 signed client certificates and require only SHA256 certificates. Default - not selected.
Accept Non-Secure Sessions	Select this option to allow client applications to connect a session without using encryption – Security Policy None. Default - not selected.
Accept Untrusted Certificates	Select this option to accept untrusted certificates from clients. This option should only be enabled for troubleshooting purposes and disabled during production run time. Default - not selected.
Allow Writes to Items by Anonymous Users	Select this option to allow anonymously connected users to write to items (Nodes) in the address space. Default - not selected.
Only Connect to asiData When There Are Active Client Sessions	Select this option to cause the OPC UA Server to only connect to the asiData service of ACM when it has an active client session. If asiData service is not running and this option is enabled, the OPC UA server will start asiData then connect. The Server will disconnect from asiData when all client sessions are deleted. Default - not selected
Send Complete Certificate Chain	Select this option to allow the Server to send the complete certificate chain during a session connection. Default - not selected.
Add Application Certificate to Trusted Store	Select this option to automatically copy the AUTOSOL OPC UA server self-signed certificate to the trusted store. Default - not selected.
Register With Local Discovery Service	Select this option if an OPC UA Local Discovery Service is running and the Server should register with it upon startup. Default - not selected.
Enable Diagnostics	Select this option to enable the collection of the Server’s diagnostic and throughput data. Default - not selected.
Maximum Monitored Items per Call	The maximum number of items that the client can send in one Create Monitored Items request. The client will make multiple calls if the total item count exceeds this value. Default - 1000.
Minimum Certificate Key Size	The minimum certificate key strength that will be accepted. Default - 1024
Session Nonce Length	The length of nonce to use in the CreateSession service. Default – 32
Log Option - Errors	Select this option to log error messages to the ACM logger. Default - not selected.
Log Option - Warning	Select this option to log warning messages to the ACM logger. Default - not selected.
Log Option - Trace	Select this option to log verbose informational messages to the ACM logger. Messages include session creation and deletion, Monitored item creation, deletion, mode changes, data updates, ACM interaction, among others. Default - not selected.
Log Option – OPC UA Stack	Select this option to log message from underlying OPC UA stack to the ACM logger. This option provides details of interaction between the OPC UA stack and the client application. Default - not selected.
Service Port – opc.tcp	TCP port to listen on for client opc.tcp connections. Default - 5337
Service Port - https	TCP port to listen on for client https connections. Default - 6337

Users Tab

Configuration properties for the validation types used for connected users.

Setting	Purpose
Anonymous	Select this option to allow anonymous user connections. Default - selected.
User Name Validation	Select this option to allow username and password connections. Username and password will be validated by Windows. Default - selected.
User Name Policy	Select the encryption policy to use to pass log on information
Validate User Names in the Domain	Select this option to validate username and passwords, and optionally user groups, in the network domain. Deselect to validate username and password, and optionally user groups, on the local machine account.
User Group for Validation	The user group that the supplied user must be a member of in order to be validated. Leave blank to not validate against a user group. Location of the group is determined by the Validate User Names in the Domain property.
X.509 Certificate	Select this option to validate users by trusted certificate. Default - selected.
X.509 Certificate Policy	Select the encryption policy to use to pass user certificate information

PKI Tab

Configuration properties specifying the location of the pki certificate stores. Ellipse button clicks will show a folder selection dialog. The default location of the Server’s store is shown in the graphic below.

Note

The paths shown are the base folder for each certificate store. Each store can contain multiple sub-folders, depending upon the use, and all will have a sub-folder 'certs'. The certs sub-folder is the location where the actual certificate files will be stored. Example: The public certificate file for a trusted application would be copied to the folder "..\pki\trusted\certs".

Do not include the 'certs' sub-folder when building the pki paths in the edit boxes.

Setting	Purpose
Base Certificate Store	Shows the folder selection dialog to select the base folder path of the pki certificate store. Once selected, all the path edit boxes will be updated to the base folder path.
Application Certificate	Location of the OPC UA Server instance certificate. If the “Add Application Certificate to Trusted Store” property is enabled on the properties tab, a self-signed certificate will be generated and stored here.
Trusted Peer	The location used to store the trusted UA client application instance certificates. This store will contain the public key certificates of the trusted application instances.
Trusted Issuer	Location of peer certificate authority, if required.
Rejected Certificates	Location the Server will move rejected certificates to.
Trusted Users	The location used to store the trusted UA application user certificates. This store will contain the public key certificates of the trusted user instances.
User Issuer	Location of user certificate authority, if required.