Using OPC UA - ACM Monitor
- Alex Mouton
- Yalia Hernandez
- Marina Drobnic
Starting the Server
Select the Status icon in the ACM Monitor app.
Start the asiDATA service if not already running.
Enable the property checkbox for ‘Show Optional Services’.
Select asiOPCUA then click the Start Services button.
Optionally, you can start the Server using the Windows Services app. The service is named Autosol OPC UA Service.
The OPC UA service is set to a service start up type of ‘Manual’ when installed. To have the service start up automatically when the computer reboots, use ACM Monitor or the Windows Services app and set the start up type to ‘Automatic’.
On a secondary ACM system that is used as a fail-over, the process, or script, that starts the asiDATA service upon fail-over should also start the asiOPCUA service if OPC UA is being used by clients. If the option "Only Connect To asiData When There Are Active Client Sessions", described below, is enabled, only the OPC UA service needs to be running in order to do a fail over as a client connection will cause asiDATA to be started.
Configuring the Server
The Server is configured using the ACM Monitor app. The first time the Server is started or the first time it is configured, a default configuration file is automatically created.
The configuration file asiOpcUa.Config.xml should not be edited directly without consultation from AUTOSOL support staff. Refer to Appendix B.
Start the ACM Monitor app, select the Client Protocols icon then click the OPC UA Configure button. This will show the server configuration dialog.
Properties Tab
Button | Function |
Save | Saves changes and writes new values to configuration file. Certain changes will require the Server to be stopped and restarted to take effect. |
Cancel | Discards any changes and exits dialog. |
Reset | Resets all controls to their default value. |
Setting | Purpose |
Reject SHA1 Signed Certificates | Select this option to reject SHA1 signed client certificates and require only SHA256 certificates. Default - not selected. |
Accept Non-Secure Sessions | Select this option to allow client applications to connect a session without using encryption – Security Policy None. Default - not selected. |
Accept Untrusted Certificates | Select this option to accept untrusted certificates from clients. This option should only be enabled for troubleshooting purposes and disabled during production run time. Default - not selected. |
Allow Writes to Items by Anonymous Users | Select this option to allow anonymously connected users to write to items (Nodes) in the address space. Default - not selected. |
Only Connect to asiData When There Are Active Client Sessions | Select this option to cause the OPC UA Server to only connect to the asiData service of ACM when it has an active client session. If asiData service is not running and this option is enabled, the OPC UA server will start asiData then connect. The Server will disconnect from asiData when all client sessions are deleted. Default - not selected |
Send Complete Certificate Chain | Select this option to allow the Server to send the complete certificate chain during a session connection. Default - not selected. |
Add Application Certificate to Trusted Store | Select this option to automatically copy the AUTOSOL OPC UA server self-signed certificate to the trusted store. Default - selected. |
Register With Local Discovery Service | Select this option if an OPC UA Local Discovery Service is running and the Server should register with it upon startup. Default - not selected. |
Enable Diagnostics | Select this option to enable the collection of the Server’s diagnostic and throughput data. Default - selected. |
Maximum Monitored Items per Call | The maximum number of items that the client can send in one Create Monitored Items request. The client will make multiple calls if the total item count exceeds this value. Default - 1000. |
Minimum Certificate Key Size | The minimum certificate key strength that will be accepted. Default - 1024 |
Session Nonce Length | The length of nonce to use in the CreateSession service. Default – 32 |
Log Option - Errors | Select this option to log error messages to the ACM logger. Default - selected. |
Log Option - Warning | Select this option to log warning messages to the ACM logger. Default - not selected. |
Log Option - Trace | Select this option to log verbose informational messages to the ACM logger. Messages include session creation and deletion, monitored item creation, deletion, mode changes, ACM interaction, among others. Default - not selected. |
Log Option – OPC UA Stack | Select this option to log messages from underlying OPC UA stack to the ACM logger. This option provides details of interactions between the OPC UA stack and the client application. Default - not selected. |
Log Option - Data Updates | Select this option to log verbose messages to the ACM logger of item updates from ACM to the Server. Default - not selected. |
Log Option - Filter | Text used to filter Data Update messages sent to the ACM logger. The filter is used so that only messages that contain the filter text will be displayed in the logger. Data Update messages contain the ACM device and item name of the node being updated. The filter can be a partial or full match of the device name, item name, or combination. Wildcards are not supported. Default - blank |
Service Port – opc.tcp | TCP port to listen on for client opc.tcp connections. Default - 5337 |
Service Port - https | TCP port to listen on for client https connections. Default - 6337 |
Users Tab
Configuration properties for the validation types used for connected users. A user is defined by the client when it creates a session with the server.
Setting | Purpose |
Anonymous | Select this option to allow anonymous user connections. Default - selected. |
User Name Validation | Select this option to allow username and password connections. Username and password will be validated by Windows. Default - selected. |
User Name Policy | Select the encryption policy to use to pass log on information |
Validate User Names in the Domain | Select this option to validate username and passwords, and optionally user groups, in the network domain. Deselect to validate username and password, and optionally user groups, on the local machine account. |
User Group for Validation | The user group that the supplied user must be a member of in order to be validated. Leave blank to not validate against a user group. Location of the group is determined by the Validate User Names in the Domain property. |
X.509 Certificate | Select this option to validate users by trusted certificate. Default - selected. |
X.509 Certificate Policy | Select the encryption policy to use to pass user certificate information |
Brute Force Tab
Configuration properties for Brute Force attack prevention. This limits a client user from repeatedly trying to create a session using an incorrect username or password combination.
Setting | Purpose |
Enable Brute Force Attach Prevention | Select this option to enable the Brute Force Attack Prevention mechanism. Default - not selected. |
Minimum Retry Interval | The minimum interval (milliseconds) which has to pass until the failed user is allowed to retry to connect. Default - 10000 |
Failed Attempts Before Increment | Allowed attempts per Minimum Retry Interval for same user until the interval is increased with value of Increment Time Value. Default - 3 |
Increment Time Value | Additional retry interval delay for a connection if attack detected (milliseconds). Default - 5000 |
Delays Before Stopping New Connections | Number of Increment Time Value delays before stopping any new connection while keeping the old connections alive. Default - 2 |
Stop New Connections | Select this option to stop new client connections if Delays Before Stopping New Connections criteria has been met . Default - selected. |
PKI Tab
Configuration properties specifying the location of the PKI certificate stores. Ellipse button clicks will show a folder selection dialog. The default location of the Server’s store is shown in the graphic below.
The paths shown are the base folder for each certificate store. Each store can contain multiple sub-folders, depending upon the use, and all will have a sub-folder 'certs'. The certs sub-folder is the location where the actual certificate files will be stored. Example: The public certificate file for a trusted application would be copied to the folder "..\pki\trusted\certs".
Do not include the 'certs' sub-folder when building the PKI paths in the edit boxes.
Setting | Purpose |
Base Certificate Store | Shows the folder selection dialog to select the base folder path of the PKI certificate store. Once selected, all the path edit boxes will be updated to the base folder path. |
Application Certificate | Location of the OPC UA Server application instance certificate. If the “Add Application Certificate to Trusted Store” property is enabled on the properties tab, a self-signed certificate will be generated and stored here. If using an application certificate generated by a certificate authority, it is stored here. |
Trusted Peer | The location used to store the trusted UA client application instance certificates. This store will contain the public key certificates of the trusted application instances. |
Trusted Issuer | Location of trusted peer certificate authority certificates, if required. If using an application certificate, either the server’s or a client’s, generated by a certificate authority, the public key file of the authority must be stored here. |
Rejected Certificates | Location the server will move rejected certificates to. |
Trusted Users | The location used to store the trusted UA application user certificates. This store will contain the public key certificates of the trusted user instances. |
User Issuer | Location of user certificate authority, if required. If using a user certificate generated by a certificate authority, the public key file of the authority must be stored here. |
Certificates Tab
Utilities to view, import, and export certificates to/from the ACM PKI.
The PKI paths on the PKI tab should be set to the correct folders before using the controls on this tab.
Setting | Purpose |
Application Certificate Lifetime | The length of time (months) that the server’s auto-generated, self-signed certificate will be valid before expiring. To generate new self-signed certificates:
|
View Certificates
Controls to view related certificates in the local PKI. Clicking a button will bring up the OPC UA Certificates dialog. Information about the selected type of certificates will be shown in the grid control.
Control | Purpose |
Filter Certificate Type | Change the type of certificate currently being shown in the grid. |
Delete Certificate | Deletes the currently selected certificate files from the local PKI. If the type of certificate selected is Own, both the public key and the private key file will be deleted. |
Close | Exits the dialog. |
Import Certificates
Controls to import certificates into the local ACM PKI. Public key certificate files should be of type DER. Private key files imported into the Own folder can be either PFX or PEM types.
Selecting one of the following controls will bring up a File Selection dialog to select the public key certificate file to import.
Control | Purpose |
Trusted | Import trusted client application certificate. |
Trusted User | Import trusted user certificates. |
Issuer | Import certificate of the certificate authority used to created client trusted certificates. |
User Issuer | Import certificate of the certificate authority used to created user certificates. |
Own | Clicking the Own button will show the Import Own Certificates dialog, described below. |
Import Own Certificates
Control to import certificate authority created application certificates to use with the ACM OPC UA server. The ACM OPC UA server automatically creates a self-signed application certificate in the PKI on initial start up. If your organization requires the use of an application certificate created by an authority, instead of the self-signed one, use this control to import it.
Click the ellipse buttons next to the filename display boxes to select the certificate file. You must select both public and private key files.
Setting | Purpose |
Private Key Password | Enter the password for the private key file. If the private key file is not password protected, leave the edit box blank. |
OK | Import the selected files then exits the dialog. |
Cancel | Exit dialog without importing files. |
Once a password is entered and the OK button clicked, there is no way to retrieve the password after import. If you enter the wrong password simply re-import the same files and enter the correct password. Select Yes when prompted to overwrite the existing files.
Related content
For assistance, please submit a ticket via our Support Portal, email autosol.support@autosoln.com or call 281.286.6017 to speak to a support team member.