Movicon Help on Line - Rel. 11.7.1301
This resource contains information for local OPC UA server discovery. The configurable properties are:
This is the same timeout as the one for the OPC DA client: the time to wait for the client management's runtime thread to fully start up.
Contains the endpoint of the Local Discovery Server service, which lets you see which OPC UA servers are active on the local machine.
Contains the name of the client's producer (manufacturer) used in the security certificate.
Endpoints or OPC UA Servers can be added within the 'OPC UA Client' resource by using the "Add new OPC UA Tag..." wizard.
The "Add new OPC UA Tag..." command opens a selection window in which you can browse local and remote computers to search for active 'OPC UA Servers', or add Endpoints (including non-local ones), in order to browse the Server's address space and select the Tags to connect to project variables.
After the connected Tags have been added, the objects created within the 'OPC UA Client' resource are the OPC UA Server, the "Session" object and the list of connected "Tags".
Certificates
To create a connection between the OPC UA Client and an OPC UA Server at runtime, the OPC UA Server's certificate must be one of those trusted by the Client.
It is possible to connect to an OPC UA Server using the Basic256SHA256 security policy. This policy requires a certificate based on a 2048-bit encryption key, and the self-signed certificate is now created with a 2048-bit key. To use the new certificate, any existing older certificate must be deleted first; Movicon will then create a new one when needed.
The folder containing the OPC UA Server's trusted certificates is defined in the "ClientUAConfig.xml" configuration file by the "CertificateTrustListLocation" node, which by default has the value:
"C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs\" .
The Movicon OPC UA Client also creates its own certificates, which are saved in the paths indicated respectively by the "ClientCertificate" and "ClientPrivateKey" nodes:
The "MoviconUAClient.der" certificate is saved for example in
"C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs\";
while the "MoviconUAClient.pem" private key file is saved for example in
"C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private\".
The "OPC UA Client" and "OPC UA Server" certificates are automatically created when browsing OPC UA tags or when the application is started in runtime for the first time, with the name and in the path indicated by the "ClientCertificate" and "CertificateTrustListLocation" attributes contained in the "ClientUAConfig.xml" file. If the Server's certificate is not recognized as trusted or valid, a warning window appears that allows you to add the certificate to the trusted ones.
On Windows CE systems, certificates are automatically created when the project is started in Runtime for the first time.
The OPC UA Client certificate is created in the paths:
"[projectpath]/ClientCert/Certs/MoviconUAClient.der" and "[projectpath]/ClientCert/Private/MoviconUAClient.pem".
The OPC UA Server certificate, when requested by the Client or when you confirm the request to accept a certificate that is not trusted, is created in the folder:
"[projectpath]\UA Application\certs\"
The paths and parameters defined in the "ClientUAConfig.xml" file can all be customized from their default values.
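The trust decision described above is a file-system one: a server certificate is trusted when a copy of it sits in the folder named by "CertificateTrustListLocation". The following added example (not Movicon's own code) reads that node and the "ClientCertificate"/"ClientPrivateKey" nodes from a constructed ClientUAConfig.xml fragment, then checks whether a given server certificate is in the trust folder by comparing SHA-1 thumbprints rather than file names. The enclosing element structure of the sample XML and the sample DER bytes are assumptions; only the node names and default paths come from the page.

```python
import hashlib
import os
import xml.etree.ElementTree as ET

# Constructed sample: node names and default paths are from the help page, the
# enclosing <ClientUAConfig> structure is an assumption.
SAMPLE_CLIENT_UA_CONFIG = """<ClientUAConfig>
  <ClientCertificate>C:\\ProgramData\\OPC Foundation\\CertificateStores\\MachineDefault\\certs\\MoviconUAClient.der</ClientCertificate>
  <ClientPrivateKey>C:\\ProgramData\\OPC Foundation\\CertificateStores\\MachineDefault\\private\\MoviconUAClient.pem</ClientPrivateKey>
  <CertificateTrustListLocation>C:\\ProgramData\\OPC Foundation\\CertificateStores\\UA Applications\\certs\\</CertificateTrustListLocation>
</ClientUAConfig>
"""


def config_value(xml_text: str, node_name: str) -> str:
    """Text of the first element called node_name anywhere in the file."""
    for elem in ET.fromstring(xml_text).iter(node_name):
        return (elem.text or "").strip()
    raise KeyError(f"node <{node_name}> not found")


def thumbprint(der_bytes: bytes) -> str:
    """SHA-1 fingerprint of a DER certificate, upper-case hex as Windows shows it."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def load_trust_store(trust_dir: str) -> dict:
    """Map file name -> DER bytes for every .der file in the trust folder."""
    store = {}
    for name in os.listdir(trust_dir):
        if name.lower().endswith(".der"):
            with open(os.path.join(trust_dir, name), "rb") as fh:
                store[name] = fh.read()
    return store


def is_trusted(server_cert_der: bytes, trust_store: dict):
    """Return the trust-store file name holding this exact certificate, or None.
    Matching by thumbprint means a re-issued server certificate that kept its old
    file name is correctly reported as untrusted until its new copy is added."""
    wanted = thumbprint(server_cert_der)
    for name, der in trust_store.items():
        if thumbprint(der) == wanted:
            return name
    return None


def check_server_certificate(xml_text: str, server_cert_der: bytes):
    """Resolve the trust folder from ClientUAConfig.xml and look the certificate up."""
    trust_dir = config_value(xml_text, "CertificateTrustListLocation")
    return is_trusted(server_cert_der, load_trust_store(trust_dir))


if __name__ == "__main__":
    for node in ("ClientCertificate", "ClientPrivateKey", "CertificateTrustListLocation"):
        print(f"{node}: {config_value(SAMPLE_CLIENT_UA_CONFIG, node)}")
    # Constructed stand-ins for DER files; real ones would be read from disk.
    store = {"ServerA.der": b"\x30\x82\x01\x00constructed-A", "ServerB.der": b"\x30\x82\x01\x00constructed-B"}
    print(is_trusted(b"\x30\x82\x01\x00constructed-B", store))   # ServerB.der
    print(is_trusted(b"\x30\x82\x01\x00unknown", store))         # None
```

`check_server_certificate` is the function to point at the real folder; `is_trusted` takes an in-memory store so the comparison can be exercised without touching C:\ProgramData.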
If you need to restore the certificates, delete the OPC UA Server's .DER and .PEM files from the "C:\ProgramData\OPC Foundation\.." folders where present.
How to check the BadSecurityChecksFailed error between the Client UA and the MovCE Server UA
After the first connection from the Client UA to the Server UA, the Server certificate is passed to the Client side. If the certificate is untrusted, a dialog window appears asking whether to accept the Server certificate:
(for instance, if the OPC UA Server is a Movicon project)
At the same time, the OPC UA Server receives the Client UA certificate and decides whether to accept or reject it.
If a "BadSecurityChecksFailed" error occurs on the Client side, this means that the OPC UA Server has rejected the OPC UA Client certificate.
To solve this issue, you will need to move the OPC UA Client certificate from the OPC UA Server's Rejected folder to its Trusted folder on the Server side.
If the OPC UA Server is Movicon, the Rejected and Trusted certificate folders are defined in the ServerConfig.xml file when the Server runs on Desktop, or in the ServerConfigCE.xml file when the Server runs on a WinCE panel.
In this file, the "<RejectedCertificatesDirectory>" node tells you where the rejected Client certificates are stored on the Server side. For instance, this is "C:\ProgramData\OPC Foundation\RejectedCertificates" on Desktop, or "\FlashDrv\OPC Foundation\RejectedCertificates" on WinCE.
To resolve the "BadSecurityChecksFailed" error, move the rejected OPC UA Client certificate from the Rejected Certificates folder to the OPC UA Server's Trusted folder specified in the ServerConfig.xml
"<CertificateTrustListLocation>" node, for instance
"C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs\" for Desktop, or
"\FlashDrv\OPC Foundation\CertificateStores\UA Applications\certs\" for WinCE
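The fix above is a move between two folders whose locations are read from ServerConfig.xml. This added example (not part of Movicon) does that move in code: it reads the "RejectedCertificatesDirectory" and "CertificateTrustListLocation" nodes, lists the rejected certificates by SHA-1 thumbprint, and moves only the one whose thumbprint the operator has verified, refusing to overwrite an existing trusted file. The `demo()` function runs the whole thing in a temporary directory tree that stands in for the server machine; the enclosing `<ServerConfig>` element and the DER bytes are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET


def config_value(xml_text: str, node_name: str) -> str:
    """Text of the first element called node_name anywhere in the file."""
    for elem in ET.fromstring(xml_text).iter(node_name):
        return (elem.text or "").strip()
    raise KeyError(f"node <{node_name}> not found")


def thumbprint(der_bytes: bytes) -> str:
    """SHA-1 fingerprint of a DER certificate, upper-case hex as Windows shows it."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def list_rejected(rejected_dir: str) -> dict:
    """Map thumbprint -> full path for every .der file in the rejected folder."""
    found = {}
    for name in os.listdir(rejected_dir):
        if name.lower().endswith(".der"):
            path = os.path.join(rejected_dir, name)
            with open(path, "rb") as fh:
                found[thumbprint(fh.read())] = path
    return found


def promote_to_trusted(rejected_dir: str, trusted_dir: str, wanted: str) -> str:
    """Move exactly one rejected certificate, chosen by thumbprint, into the trusted
    folder. Selecting by thumbprint rather than file name means a second client
    that also names its certificate MoviconUAClient.der cannot be trusted by
    mistake. Returns the new path."""
    src = list_rejected(rejected_dir).get(wanted.upper())
    if src is None:
        raise FileNotFoundError(f"no rejected certificate with thumbprint {wanted}")
    os.makedirs(trusted_dir, exist_ok=True)
    dst = os.path.join(trusted_dir, os.path.basename(src))
    if os.path.exists(dst):
        raise FileExistsError(f"{dst} already exists; compare thumbprints before replacing it")
    shutil.move(src, dst)
    return dst


def demo() -> dict:
    """End-to-end run against a constructed temporary tree standing in for the
    server machine; the two node names are the ones ServerConfig.xml uses."""
    base = tempfile.mkdtemp(prefix="movicon-ua-")
    rejected_dir = os.path.join(base, "RejectedCertificates")
    trusted_dir = os.path.join(base, "CertificateStores", "UA Applications", "certs")
    os.makedirs(rejected_dir)
    client_der = b"\x30\x82\x01\x00constructed stand-in for MoviconUAClient.der"
    with open(os.path.join(rejected_dir, "MoviconUAClient.der"), "wb") as fh:
        fh.write(client_der)
    server_config = (
        "<ServerConfig>"
        f"<RejectedCertificatesDirectory>{rejected_dir}</RejectedCertificatesDirectory>"
        f"<CertificateTrustListLocation>{trusted_dir}</CertificateTrustListLocation>"
        "</ServerConfig>"
    )
    moved_to = promote_to_trusted(
        config_value(server_config, "RejectedCertificatesDirectory"),
        config_value(server_config, "CertificateTrustListLocation"),
        thumbprint(client_der),   # the value the operator checked on the client side
    )
    result = {
        "moved_to": moved_to,
        "still_rejected": sorted(os.listdir(rejected_dir)),
        "trusted": sorted(os.listdir(trusted_dir)),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real server, pass the paths read from ServerConfig.xml (or ServerConfigCE.xml on WinCE) and the thumbprint of the client's MoviconUAClient.der; anything else still in the rejected folder stays there.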
Limitations
The Movicon OPC UA Client component implements the part of the OPC UA standard concerning the exchange of data (Data Access) between applications. It is not possible to invoke Methods exposed by the OPC UA Server or to use special data types such as "Time", nor to exchange "Alarms & Events" or "Historical Data Access" data.
Therefore, the OPC UA Data Types supported by Movicon 11 are those that appear in the list of Project Variable Data Types; the Movicon 11 OPC UA Client Browser window displays only those Tags exposed by the OPC UA Server that are compatible with them.
Each OPC UA Client resource, i.e. each group of Sessions belonging to the same resource, is executed at Runtime in a separate thread.
On Win32/64 platforms the limit is 20 connected OPC UA Server sessions, for as many OPC UA Client resources, while on WinCE the limit is 4.
Tag Browser OPC UA
The OPC UA Client Tag Browser window allows you to browse and import Tags exposed by an OPC UA Server connected to the Movicon OPC UA Client.
The "Add Endpoint" button can be used to enter the Endpoint address manually (e.g. "opc.tcp://ServerName:ServerPort") and browse the list of Tags exposed by the OPC UA Server.
The OPC UA Browser does not display OPC UA Server Tags that have been set with "Null" as "Data Type", or which are not compatible with Movicon 11 Data Types.
In addition, it does not display Tags or Structure Variable members whose "Data Value" is "Null". For example, if a "Struct01" Structure Tag contains members with a "Null" value:
the OPC UA Tag Browser displays only those whose values have been set correctly:
Structure Tags exposed by an OPC UA Server are imported as individual OPC UA Tags in Movicon 11:
Stronger Security
In the "New Endpoint" dialog it is possible to set the "Stronger Security" property (disabled by default) to activate URI checking between the OPC UA Server name specified in the Endpoint and the corresponding "Host_Name" in the Server certificate.
The property takes effect during Tag browsing, and its value is stored in the same property of the OPC UA Server resource added to the project and used during Runtime.
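What "Stronger Security" adds is a binding between the name typed into the Endpoint URL and the host name inside the certificate; without it, a certificate that is trusted but issued for a different host is still accepted. The added example below (not Movicon's implementation) shows the comparison as a defender would model it: it takes the host from an "opc.tcp://ServerName:ServerPort" URL and checks it against the host names already extracted from the certificate, including the common failure where the Endpoint uses an IP address but the certificate only carries a DNS name. The function names, the `enabled` flag and the wildcard rule are assumptions; `cert_host_names` is a plain list standing in for the certificate's "Host_Name" entries.

```python
import ipaddress
from urllib.parse import urlsplit


def endpoint_host(endpoint_url: str) -> str:
    """Host part of an opc.tcp URL such as opc.tcp://ServerName:4840
    (port dropped; urlsplit lower-cases the host)."""
    parts = urlsplit(endpoint_url)
    if parts.scheme != "opc.tcp" or not parts.hostname:
        raise ValueError(f"not an opc.tcp endpoint URL: {endpoint_url!r}")
    return parts.hostname


def _dns_match(cert_name: str, host: str) -> bool:
    """Case-insensitive DNS comparison; a leading '*.' matches exactly one label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                       # e.g. ".plant.local"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return cert_name == host


def stronger_security_check(endpoint_url: str, cert_host_names, enabled: bool = True):
    """Return (ok, reason). cert_host_names are the DNS names / IP addresses read
    from the server certificate (the "Host_Name" the dialog compares against)."""
    if not enabled:
        # Property off: the certificate still has to be trusted, but its host
        # name is never compared with the Endpoint, so a mismatch passes silently.
        return True, "Stronger Security disabled: certificate host name not compared"
    host = endpoint_host(endpoint_url)
    try:
        endpoint_ip = ipaddress.ip_address(host)
    except ValueError:
        endpoint_ip = None
    for name in cert_host_names:
        if endpoint_ip is not None:
            # An Endpoint written as an IP only matches an IP entry in the
            # certificate, never a DNS name, even one resolving to that address.
            try:
                if ipaddress.ip_address(name) == endpoint_ip:
                    return True, f"endpoint IP {host} listed in certificate"
            except ValueError:
                continue
        elif _dns_match(name, host):
            return True, f"endpoint host {host!r} matches certificate name {name!r}"
    return False, f"endpoint host {host!r} not among certificate host names {list(cert_host_names)}"


if __name__ == "__main__":
    # Constructed cases: the second one is the typical cause of a browse failure
    # right after enabling the property.
    print(stronger_security_check("opc.tcp://PLC01:4840", ["PLC01", "plc01.plant.local"]))
    print(stronger_security_check("opc.tcp://192.168.1.10:4840", ["PLC01"]))
    print(stronger_security_check("opc.tcp://192.168.1.10:4840", ["PLC01"], enabled=False))
```

The practical consequence for the Endpoint resource: when the check is on, the Server name in the URL must be spelled the way it appears in the certificate (or the certificate must list the IP address if that is what the Endpoint uses).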
During the import phase, the entered data is used for the connection (and stored in the "Browsed.endpoint" file in the Project's DATA folder so that it can be reused for subsequent imports), after which it is set in the Project's Endpoint resource properties:
It is also possible to set only the User Name and leave the Password field blank. In this case, the Browser window searches the Project's users for one with the same name and uses the password stored for that user, both here and in Runtime.
Once the Tags have been imported with a User Name and Password, you can force the use of a Project User during Runtime by clearing the Password property in the Endpoint resource properties created in the Project:
If you clear the password, one of the Project's users and its password will be used for subsequent imports of new OPC UA Tags.
When you need to import OPC UA Tags that have the same name but are exposed by different OPC UA Servers, you must differentiate the names of the Movicon Tags to make them unique, because of the limits imposed on their definitions. This is done using the 'Prefix' field in the OPC UA Tag Browser window, which adds a prefix to the name of the Variable to be created in the Movicon Real Time DB:
In this way, the text set in the 'Prefix' field is added as a preamble to all the OPC Tags selected for import, with the following syntax:
<Preamble>_<TagName>
Refresh
The Refresh button invalidates the connection and closes the address spaces in the OPC UA Server connections tree. The OPC UA Server must be browsed again to show its address space. This is necessary because the refresh is intended to be used when the server address space may have changed.
The refresh can be executed by pressing the Refresh button or the F5 key.
Synchronize
The Synchronize command is among the OPC UA Client resource's context menu commands.
Executing the command connects to the already configured server and browses the whole address space.
During synchronization, the following may happen:
An item found on the server is not present in the current project configuration: the item is added and the corresponding variable is created.
An item found on the server is already present in the current project configuration: the item properties are updated with those just read from the server.
An item present in the current project configuration is not present on the server: the user is asked whether to delete the project item (and its variable) that is no longer on the server.
The Esc key can be used to interrupt the procedure.
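The three cases above are a reconciliation of two item sets keyed by NodeId. This added example (not Movicon's code) carries that reconciliation through: `synchronize` classifies each item as added, updated, deleted or kept, with a callback standing in for the delete prompt, and `apply_synchronization` produces the project item list that results. The `UaItem` fields, the callback and the sample NodeIds are constructed assumptions, not the project's real property set.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class UaItem:
    """One browsed item: the server NodeId plus the properties the project keeps
    for it. The field set is an illustrative assumption."""
    node_id: str
    name: str
    data_type: str


def synchronize(server_items: Iterable[UaItem], project_items: Iterable[UaItem],
                confirm_delete: Callable[[UaItem], bool]) -> Dict[str, List[UaItem]]:
    """Classify items the way the Synchronize command's three cases describe.
    Items are matched by NodeId; confirm_delete stands in for the yes/no prompt
    shown for project items the server no longer exposes."""
    server = {i.node_id: i for i in server_items}
    project = {i.node_id: i for i in project_items}
    added, updated, deleted, kept = [], [], [], []
    for node_id, item in server.items():
        if node_id not in project:
            added.append(item)              # case 1: new on the server, create variable
        elif project[node_id] != item:
            updated.append(item)            # case 2: known item, refresh its properties
    for node_id, item in project.items():
        if node_id not in server:           # case 3: gone from the server, ask first
            (deleted if confirm_delete(item) else kept).append(item)
    return {"added": added, "updated": updated, "deleted": deleted, "kept": kept}


def apply_synchronization(project_items: Iterable[UaItem], result: Dict[str, List[UaItem]]) -> List[UaItem]:
    """Project item list after the user's answers have been applied."""
    merged = {i.node_id: i for i in project_items}
    for item in result["deleted"]:
        merged.pop(item.node_id, None)
    for item in result["added"] + result["updated"]:
        merged[item.node_id] = item
    return list(merged.values())


# Constructed sample data: what the server exposes now versus what the project holds.
SERVER_ITEMS = [
    UaItem("ns=2;s=Pump1.Speed", "Pump1_Speed", "Float"),     # data type changed on server
    UaItem("ns=2;s=Pump1.Run", "Pump1_Run", "Boolean"),       # unchanged
    UaItem("ns=2;s=Tank.Level", "Tank_Level", "Double"),      # new on server
]
PROJECT_ITEMS = [
    UaItem("ns=2;s=Pump1.Speed", "Pump1_Speed", "Double"),
    UaItem("ns=2;s=Pump1.Run", "Pump1_Run", "Boolean"),
    UaItem("ns=2;s=Old.Tag", "Old_Tag", "Int32"),             # no longer on server
]

if __name__ == "__main__":
    outcome = synchronize(SERVER_ITEMS, PROJECT_ITEMS, confirm_delete=lambda item: True)
    for key, items in outcome.items():
        print(key, [i.node_id for i in items])
    print([i.node_id for i in apply_synchronization(PROJECT_ITEMS, outcome)])
```

Passing a callback that returns False for every item reproduces the "do not delete" answer: the stale item stays in the project and lands in the `kept` list instead.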