Using OPC UA - ACM Monitor

Starting the Server

  1. Select the Status icon in the ACM Monitor app.

  2. Start the asiData service if not already running.

  3. Enable the property checkbox for ‘Show Optional Services’.

  4. Select asiOPCUA then click the Start Services button.

Optionally, you can start the Server using the Windows Services app. The service is named Autosol OPC UA Service.

The OPC UA service is set to a service start up type of ‘Manual’ when installed. To have the service start up automatically when the computer reboots, use the Windows Services app and set the start up type to ‘Automatic’.
On a secondary ACM system that is used as a fail-over, the process, or script, that starts the asiData service upon fail-over should also start the asiOpcUa service if OPC UA is being used by clients. If the option "Only Connect To asiData When There Are Active Client Sessions" described below, is enabled, only the OPC UA service needs to be running in order to do a fail over as a client connection will cause asiData to be started.

Configuring the Server

The Server is configured using the ACM Monitor app. The first time the Server is started or the first time it is configured, a default configuration file is automatically created.

The configuration file asiOpcUa.Config.xml should not be edited directly without consultation from AUTOSOL support staff. Refer to Appendix B.

Start the ACM Monitor app, select the Client Protocols icon then click the OPC UA Configure button. This will show the server configuration dialog.

Properties Tab


Button

Function

Save

Saves changes and writes new values to configuration file. Certain changes will require the Server to be stopped and restarted to take effect.

Cancel

Discards any changes and exits dialog.

Reset

Resets all controls to their default value.


SettingPurpose

Reject SHA1 Signed Certificates

Select this option to reject SHA1 signed client certificates and require only SHA256 certificates. Default - not selected.

Accept Non-Secure Sessions

Select this option to allow client applications to connect a session without using encryption – Security Policy None. Default - not selected.

Accept Untrusted Certificates

Select this option to accept untrusted certificates from clients. This option should only be enabled for troubleshooting purposes and disabled during production run time. Default - not selected.

Allow Writes to Items by Anonymous Users

Select this option to allow anonymously connected users to write to items (Nodes) in the address space. Default - not selected.

Only Connect to asiData When There Are Active Client Sessions

Select this option to cause the OPC UA Server to only connect to the asiData service of ACM when it has an active client session. If asiData service is not running and this option is enabled, the OPC UA server will start asiData then connect. The Server will disconnect from asiData when all client sessions are deleted. Default - not selected

Send Complete Certificate Chain

Select this option to allow the Server to send the complete certificate chain during a session connection. Default - not selected.

Add Application Certificate to Trusted Store

Select this option to automatically copy the AUTOSOL OPC UA server self-signed certificate to the trusted store. Default - not selected.

Register With Local Discovery Service

Select this option if an OPC UA Local Discovery Service is running and the Server should register with it upon startup. Default - not selected.

Enable Diagnostics

Select this option to enable the collection of the Server’s diagnostic and throughput data. Default - not selected.

Maximum Monitored Items per CallThe maximum number of items that the client can send in one Create Monitored Items request. The client will make multiple calls if the total item count exceeds this value. Default - 1000.

Minimum Certificate Key Size

The minimum certificate key strength that will be accepted. Default - 1024

Session Nonce Length

The length of nonce to use in the CreateSession service. Default – 32

Log Option - Errors

Select this option to log error messages to the ACM logger. Default - not selected.

Log Option - Warning

Select this option to log warning messages to the ACM logger. Default - not selected.

Log Option - Trace

Select this option to log verbose informational messages to the ACM logger. Messages include session creation and deletion, Monitored item creation, deletion, mode changes, ACM interaction, among others. Default - not selected.

Log Option – Trace With Data Updates  

Select this option to log verbose informational messages to the ACM logger. Messages include data updates. Default - not selected.

Log Option – OPC UA Stack

Select this option to log message from underlying OPC UA stack to the ACM logger. This option provides details of interaction between the OPC UA stack and the client application. Default - not selected.

Service Port – opc.tcp

TCP port to listen on for client opc.tcp connections. Default - 5337

Service Port - https

TCP port to listen on for client https connections. Default - 6337

Users Tab

Configuration properties for the validation types used for connected users.
SettingPurpose

Anonymous

Select this option to allow anonymous user connections. Default - selected.

User Name Validation

Select this option to allow username and password connections. Username and password will be validated by Windows. Default - selected.

User Name Policy

Select the encryption policy to use to pass log on information

Validate User Names in the Domain

Select this option to validate username and passwords, and optionally user groups, in the network domain. Deselect to validate username and password, and optionally user groups, on the local machine account.

User Group for Validation

The user group that the supplied user must be a member of in order to be validated. Leave blank to not validate against a user group. Location of the group is determined by the Validate User Names in the Domain property.

X.509 Certificate

Select this option to validate users by trusted certificate. Default - selected.

X.509 Certificate Policy

Select the encryption policy to use to pass user certificate information

PKI Tab

Configuration properties specifying the location of the pki certificate stores. Ellipse button clicks will show a folder selection dialog. The default location of the Server’s store is shown in the graphic below.

Note

The paths shown are the base folder for each certificate store. Each store can contain multiple sub-folders, depending upon the use, and all will have a sub-folder 'certs'. The certs sub-folder is the location where the actual certificate files will be stored. Example: The public certificate file for a trusted application would be copied to the folder "..\pki\trusted\certs". 

Do not include the 'certs' sub-folder when building the pki paths in the edit boxes. 

SettingPurpose

Base Certificate Store

Shows the folder selection dialog to select the base folder path of the pki certificate store. Once selected, all the path edit boxes will be updated to the base folder path.

Application Certificate

Location of the OPC UA Server instance certificate. If the “Add Application Certificate to Trusted Store” property is enabled on the properties tab, a self-signed certificate will be generated and stored here.

Trusted Peer

The location used to store the trusted UA client application instance certificates. This store will contain the public key certificates of the trusted application instances.

Trusted Issuer

Location of peer certificate authority, if required.

Rejected Certificates

Location the Server will move rejected certificates to.

Trusted Users

The location used to store the trusted UA application user certificates. This store will contain the public key certificates of the trusted user instances.

User Issuer

Location of user certificate authority, if required.

For assistance, please submit a ticket via our Support Portal, email autosol.support@autosoln.com or call 281.286.6017 to speak to a support team member.