OPC UA Client

This resource contains the settings for local OPC UA server discovery. The configurable properties are:

 

Startup Timeout

This is the same as the one for the OPC DA client: the time to wait for the runtime thread to fully start up from the client management.

Discovery server Url

Contains the Local Discovery Server service endpoint that allows you to see which OPC UA server is active in the local machine.

Organization

Contains the name of the client's organization which has been used for the security certificate.

 

Endpoints or OPC UA Servers can be added within the 'OPC UA Client' resource by using the "Add new OPC UA Tag..." Wizard.

The "Add new OPC UA Tag..." command opens a selection window through which you can browse local and remote computers to search for active 'OPC UA Servers', or add Endpoints (including those that are not local), in order to browse the Server's address space and select the Tag to connect to a project variable.

The objects created within the 'OPC UA Client' resource after having added the connected Tags are the OPC UA Server, the "Session" object, and the list of the connected "Tags".


Certificates

To create a connection between the OPC UA Client and an OPC UA Server at runtime, it is necessary that the OPC UA Server certificate be one of those trusted by the Client.

 

It is possible to connect to an OPC UA Server using the Basic256SHA256 security policy.

Moreover, this policy also requires a certificate with a 2048-bit key.

The self-signed certificate is now created with a 2048-bit key. Any old versions must be deleted so that Movicon can create the new one when needed.

 

The folder containing the OPC UA Server's Trusted certificates is specified in the "ClientUAConfig.xml" configuration file by the "CertificateTrustListLocation" node, which by default has the following value:

 

"C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs\" .

 

The Movicon OPC UA Client also creates its own certificates that are saved in the paths indicated respectively by the "ClientCertificate" and "ClientPrivateKey" nodes:

 

The  "MoviconUAClient.der" certificate is saved for example in:

 

"C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs\";

 

while the "MoviconUAClient.pem" file (the private key, from the "ClientPrivateKey" node) is saved for example in:

 

"C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private\".


The "OPC UA Client" and "OPC UA Server" certificates are created automatically when you browse OPC UA tags, or when the application is started in runtime for the first time, with the name and in the path indicated by the "ClientCertificate" and "CertificateTrustListLocation" attributes in the "ClientUAConfig.xml" file.

If the Server's Certificate is not recognized as safe or valid, a warning window will appear allowing you to add the Certificate to the trusted ones.

 

On Windows CE systems, certificates are created automatically when the project is started in Runtime for the first time.

The OPC UA Client certificate and private key are created in the paths:

"[projectpath]/ClientCert/Certs/MoviconUAClient.der" and "[projectpath]/ClientCert/Private/MoviconUAClient.pem".

 

The OPC UA Server certificate, when required by the Client, or when you confirm the request to accept a Certificate that is not recognized as safe, is created in this folder:

"[projectpath]\UA Application\certs\"


The default values of the paths and parameters defined in the "ClientUAConfig.xml" file are all customizable.


If you need to restore the Certificates, delete the OPC UA Server's .DER and .PEM files from the "C:\ProgramData\OPC Foundation\.." folders where present.

 

How to check the BadSecurityChecksFailed Error between Client UA and MovCE Server UA

After the first connection from the Client UA to the Server UA, the Server Certificate is passed to the Client side. If the certificate is untrusted, a dialog window will appear asking you whether or not to accept the Server Certificate:


(for instance if the OPC UA Server is a Movicon project)

At the same time, the OPC UA Server will receive the Client UA Certificate and decide whether to accept or reject it.

 

If a "BadSecurityChecksFailed" error occurs on the Client side:


this will mean that the Server OPC UA has Rejected the Client OPC UA Certificate.

To solve this issue, you will need to move the Client OPC UA Certificate from the OPC UA Server's Rejected folder to the Trusted folder on the Server side.

 

If the OPC UA Server is Movicon, you will find the Rejected and Trusted Certificate folder in the ServerConfig.xml file when the Server is on Desktop, or in the ServerConfigCE.xml file when the Server is on the WinCE Panel.

Within this file, you will be able to read where the Rejected Client Certificates are stored on the Server side from the "<RejectedCertificatesDirectory>" node. For instance, this will be "C:\ProgramData\OPC Foundation\RejectedCertificates" for Desktop, or "\FlashDrv\OPC Foundation\RejectedCertificates" for WinCE.

To resolve the "BadSecurityChecksFailed" error, move the rejected Client OPC UA Certificate from the Rejected Certificates folder to the Trusted OPC UA Server folder specified in the ServerConfig.xml file in the "<CertificateTrustListLocation>" node, for instance:

"C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs\" for Desktop, or

"\FlashDrv\OPC Foundation\CertificateStores\UA Applications\certs\" for WinCE
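As an added example (not part of Movicon or its documentation), the following PowerShell script performs the move described above for the Desktop case, but only after the rejected certificate's thumbprint has been confirmed against the value read on the client machine, so that a certificate from an unknown client is not trusted by mistake. It reads the two node names named in this section from ServerConfig.xml (the file's path and its exact layout are assumed), and it also illustrates how the certificate-store paths in the "Certificates" section above can be read from the configuration file.

```powershell
# Added example, not part of Movicon: promote ONE rejected client certificate to the
# server's trust list, and only after its thumbprint has been confirmed out of band.
# On the client machine the thumbprint of MoviconUAClient.der can be read with
#   (Get-FileHash -Algorithm SHA1 '<path>\MoviconUAClient.der').Hash
# because an X.509 thumbprint is the SHA-1 of the DER-encoded certificate file.
param(
    [Parameter(Mandatory)][string]$ServerConfig,        # path to ServerConfig.xml (assumed)
    [Parameter(Mandatory)][string]$ExpectedThumbprint   # value confirmed with the client's owner
)

function Get-ConfigValue([xml]$Doc, [string]$NodeName) {
    # local-name() ignores any default XML namespace the config file may declare
    $n = $Doc.SelectSingleNode("//*[local-name()='$NodeName']")
    if (-not $n) { throw "Node <$NodeName> not found in $ServerConfig" }
    return $n.InnerText.Trim()
}

[xml]$cfg    = Get-Content -LiteralPath $ServerConfig -Raw
$rejectedDir = Get-ConfigValue $cfg 'RejectedCertificatesDirectory'
$trustedDir  = Get-ConfigValue $cfg 'CertificateTrustListLocation'
$expected    = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''   # tolerate spaces or colons

$match = $null
foreach ($file in Get-ChildItem -LiteralPath $rejectedDir -Filter '*.der' -File) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    $state = if ($cert.Thumbprint -ieq $expected) { 'MATCH' } else { 'skip ' }
    '{0} {1}  {2}  valid until {3:yyyy-MM-dd}' -f $state, $cert.Thumbprint, $cert.Subject, $cert.NotAfter
    if ($state -eq 'MATCH') { $match = $file; $matchCert = $cert }
}

if (-not $match) { throw 'No rejected certificate has the expected thumbprint; nothing was moved.' }
if ($matchCert.NotAfter -lt (Get-Date)) { throw "$($match.Name) is expired; refusing to trust it." }

# This is the step the page describes; the thumbprint check above is the added safeguard.
Move-Item -LiteralPath $match.FullName -Destination (Join-Path $trustedDir $match.Name)
"Moved $($match.Name) to $trustedDir"
```

The listing printed for every rejected certificate (thumbprint, subject, expiry) also makes it easy to spot unexpected clients that have attempted to connect.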

 

Limitations

The Movicon OPC UA Client component implements only the part of the OPC UA standard that concerns data exchange (Data Access) between applications. It is not possible to invoke Methods exposed by the OPC UA Server or to use special data types such as "Time", nor is it possible to exchange "Alarms & Events" or "Historical Data Access" data.

Therefore, the OPC UA Data Types supported by Movicon 11 are those that appear in the list of Project Variable Data Types, and the Movicon 11 OPC UA Client Browser window displays only those Server Tags whose types are compatible with them.

Each OPC UA Client Resource, therefore each group of Sessions for the same Resource, is executed at Runtime in a Separate Thread.

The limit on Win32 / 64 Platforms is '20' Connected OPC UA Server sessions for as many OPC UA Client Resources, while on WinCE it is '4'.

 

Tag Browser OPC UA

The OPC UA Client Tag Browser window allows you to browse and import Tags exposed by an OPC UA Server connected to the Movicon OPC UA Client.

The "Add Endpoint" button can be used to enter the Endpoint address manually (e.g. "opc.tcp://ServerName:ServerPort") and browse the list of exposed Tags from the Server OPC UA.

 

The OPC UA Browser will not display OPC UA Server Tags that have been set with "Null" as "Data Type" or which are not compatible with Movicon 11 Data Types.

 

In addition, it will not display Tags or Structure Variable members that have been set with "Null" as "Data Value". For example, if a "Struct01" Structure Tag contains members with the "Null" Value:


The OPC UA Tag Browser only displays the tags whose values have been set correctly:


Structure Tags exposed by an OPC UA Server are imported as individual OPC UA Tags in Movicon 11:


Stronger Security

The "Stronger Security" property can be set in the "New Endpoint" dialog window (disabled by default) to activate the URI check between the OPC UA Server Name specified in the Endpoint and the corresponding "Host_Name" in the Server Certificate.


This property takes effect while tags are being browsed, and its value is stored in the same property of the OPC UA Server resource that is added to the project and used at Runtime.
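As an added example (not Movicon code), the following PowerShell function reproduces what the URI check compares: the host part of the endpoint URL against the DNS and IP names in the server certificate's Subject Alternative Name extension and its Common Name. The port in the usage line is a placeholder, and the "DNS Name"/"IP Address" labels assume an English Windows locale.

```powershell
# Added example, not part of Movicon: the host-name comparison that the
# "Stronger Security" switch enables, done by hand against a server certificate file.
function Test-OpcUaEndpointHost {
    param(
        [Parameter(Mandatory)][string]$EndpointUrl,   # e.g. opc.tcp://ServerName:4840 (port assumed)
        [Parameter(Mandatory)][string]$CertPath       # server .der from the trusted certificates folder
    )
    $uri = [uri]$EndpointUrl
    if ($uri.Scheme -ne 'opc.tcp') { throw "Not an OPC UA TCP endpoint: $EndpointUrl" }
    $hostName = $uri.Host      # ($host is a reserved variable in PowerShell)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # Names the certificate vouches for: SAN DNS/IP entries (OID 2.5.29.17) plus the subject CN.
    $claimed = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is locale-dependent; English labels are assumed here.
        foreach ($m in [regex]::Matches($san.Format($false), '(?:DNS Name|IP Address)=([^,]+)')) {
            $claimed += $m.Groups[1].Value.Trim()
        }
    }
    $claimed += $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Exact, case-insensitive comparison of the endpoint host against each claimed name.
    $ok = @($claimed | Where-Object { $_ -and ($_ -ieq $hostName) }).Count -gt 0
    [pscustomobject]@{
        EndpointHost     = $hostName
        CertificateNames = ($claimed -join ', ')
        Thumbprint       = $cert.Thumbprint
        HostMatches      = $ok
    }
}

# Usage (placeholder file name): HostMatches = False is the mismatch that "Stronger Security"
# rejects while browsing and, since the property is copied to the resource, at Runtime too.
# Test-OpcUaEndpointHost -EndpointUrl 'opc.tcp://ServerName:4840' `
#     -CertPath 'C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs\<server>.der'
```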


During the import phase, the entered data are used for the connection (stored in the "Browsed.endpoint" file in the Project's DATA folder so that they can be used for subsequent imports), after which they are then set in the Project's Endpoint resource properties:


It is also possible to set only the User Name and leave the Password field blank. In this case, the Browser window searches the Project's users for one with the same name and uses the password stored for that user; the same applies at Runtime.

Once the Tags have been imported with a User Name and Password, you can force the use of a Project User at Runtime if the Password property has been deleted from the Endpoint resource properties created in the Project:


If you delete the password, one of the Project users and passwords will be used for subsequent imports of new OPC UA Tags.

 

When you need to import OPC UA Tags with the same name but exposed by different OPC UA Servers, you will need to differentiate the names of the Movicon Tags so that they are unique, in order to comply with the limits imposed on their definitions. This can be done by using the 'Prefix' field in the OPC UA Tag Browser window to add a prefix to the name of the Variable to be created in the Movicon Real Time DB:


In this way, the text set in the 'Prefix' field will be added as a preamble to all the OPC Tags selected for importing, with the following syntax:

 

<Preamble>_<TagName>


Refresh

The Refresh button invalidates the connection and closes the address spaces in the OPC UA Server connections tree. The OPC UA Server must then be browsed again to show its address space, which may have been modified. The refresh can be executed by using the Refresh button or the F5 key.

 

Synchronize

The Synchronize command is listed among the contextual commands of the OPC UA Client resource.

Executing this command reconnects to the pre-configured server and browses the whole address space.

The following may happen while synchronization is in progress:


The Esc key may be used to interrupt the procedure.


See Also