OPC UA Certificate "Push Management"

Print

In a previous article, OPC UA Local Discovery Servers (LDS) were introduced.

Global Discovery Servers (GDS) provide similar discovery features to Local discovery servers, but they also provide the ability to manage security certificates on multiple OPC UA servers from a single point.

This article demonstrates "GDS Push Management", which allows security certificates to be "pushed" to an OPC UA server device.

Introduction

There is a good introduction to OPC UA discovery servers in this article from Unified Automation:

https://documentation.unified-automation.com/uasdkdotnet/2.5.2/html/L2UaDiscoveryConnect.html

Background

Before following the steps in this article, you should understand:

Procedure

For this example, the network setup is as follows:

OPC UA Server: AXC F 2152 FW 2020.6.1
IP address: 192.168.1.10
DNS name: axc-f-2152-1

OPC UA Client: Debian 10 PC

The PLC IP address and DNS name will be used throughout this article, but of course you should modify these for your own application.

Set up PLC DNS name

If your network does not include a DNS server, edit the hosts file on the OPC UA client machine.

The hosts file is located in the following directory:

Add the following new DNS entry to the hosts file on the OPC UA Client machine (substituting the IP address and DNS name of your PLC):

192.168.1.10 axc-f-2152-1

Check that the entry is correct by pinging the DNS name (not the IP address) of the PLC from the OPC UA client machine.

Install the OPC UA client software

This example uses UaExpert from Unified Automation:

https://www.unified-automation.com/products/development-tools/uaexpert.html

Download and install UaExpert on the OPC UA client machine.

Configure the OPC UA Server in PLCnext Engineer

  1. In PLCnext Engineer, in the OPC UA configuration window, in the Security section, set:

    • "Certificate" to Provided by OPC UA GDS.
    • "IdentityStore name" to OpcUaGdsIdentityStore.
    • "TrustStore name" to OpcUaGdsTrustStore.
  2. Write the PLCnext Engineer project to the PLC.

  3. In the Web-Based Management system, the new Identity Store and Trust Store can now be seen on the "Certificate Authentication" page.

Configure the OPC UA Client

  1. Open UA Expert and connect to the OPC UA server in the usual way (not using a discovery server).

  2. In UA Expert, use the "Document -> Add..." menu to add a "GDS Push View" document.

You can now manage security certificates on the PLC, as an alternative to using the Web-Based Management window. It is also possible to create and download self-signed certificates from this view, as an alternative to using XCA.

Conclusion

The GDS Push Management feature - demonstrated here using UA Expert - is a feature that can be used today with all PLCnext Control devices.

Other OPC UA GDS implementations are provided by: