
How to configure the OPC UA Client on a PLCnext Control device

Martin PLCnext Team, 20 January 2023

Firmware version 2023.0 includes a long-awaited OPC UA Client component. The PLCnext Info Center includes a good technical reference for this feature.

This tutorial is a step-by-step guide showing how to configure the OPC UA client in a PLCnext Control device so that it exchanges data with an OPC UA server.

You will need:

  • A PLCnext Control device running firmware version 2023.0 to act as the OPC UA Client. If you need to upgrade the firmware on your PLCnext Control device, you can follow the procedure shown in the Info Center.
  • PLCnext Engineer version 2023.0.
  • An OPC UA server. This article uses a second PLCnext Control device as the OPC UA server, but you can use the same PLCnext Control device as you're using to host the Client, or alternatively any third-party OPC UA server running (for example) on a Windows PC. For third-party servers, you will need to figure out how to adapt the "server" steps below for your server.
  • UaExpert from Unified Automation, which is needed to get information about OPC UA Server tags that we will use in the configuration of our own OPC UA Client.

One of the key points to remember when configuring OPC UA communications is that, for security reasons, the OPC UA Client and the OPC UA Server must trust each other. Therefore, security certificates must be exchanged between the Client and Server devices. This procedure involves jumping between the Client device and the Server device, which can get a bit confusing. If you have suggestions for how to make the procedure simpler (without disabling the security checks!), please feel free to add them in the comments.

Procedure

OPC UA Server device

  1. Open the Web Based Management (WBM) site by browsing to the IP address of the PLC.

  2. Select the System Services item from the Configuration menu.

  3. Activate the OPC UA Server service, if it is not enabled already.

  4. Press the Apply and reboot button if necessary.

  5. Open PLCnext Engineer.

  6. Create a new PLCnext Engineer project using the template for your PLCnext Control device.

  7. Set the IP address of the PLC in the PLCnext Engineer project.

  8. On the OPC UA Server configuration page:


    • set the DNS name / IP address to the DNS Name or the IP address of the PLC, depending on whether the OPC UA client will access the server using a DNS name or the IP address of the server. This information will be included in the OPC UA Server security certificate. Many OPC UA Clients will reject the server certificate if this information in the certificate does not match the server URL.

    • set Visibility of variables to Marked. This means that all the variables marked with the OPC attribute will be accessible through the OPC UA Server.

  9. Create variables that will be exposed by the OPC UA Server. Make sure the OPC check box is ticked for those variables. In the example below, two variables have been created in the Main program.


  10. Add logic to change the Output variable when a new Input value is received. In this example, the Main program executes the following code:

    Server_Data_Out := Server_Data_In + 1;

  11. Write and start the project.

  12. Use UaExpert to connect to the OPC UA Server using the PLC username and password. You should see a warning that the certificate is "Untrusted", but there should be no other warnings.

  13. Trust the server certificate, either permanently or just for this session.

  14. For each server variable, write down the name of the Node ID and the Namespace for that variable.


  15. Open the WBM site for the Server PLC again.

  16. Select the Certificate Authentication item from the Security menu.

  17. Select the Identity Stores tab.

  18. Download the Certificate from the OPC UA-self-signed [server] Identity Store. The Key Pair does not need to be downloaded.

OPC UA Client device

  1. Open the Web Based Management (WBM) site by browsing to the IP address of the PLC.

  2. Select the System Services item from the Configuration menu.

  3. Activate the OPC UA Client service, if it is not enabled already.

  4. Press the Apply and reboot button if necessary.

  5. When the reboot is complete, log back in to the WBM site and select the Certificate Authentication item from the Security menu.

  6. Select the Trust Stores tab.

  7. Add the OPC UA-self-signed [server] certificate (downloaded earlier) to the Trust Store named OPC UA Client. Now, the OPC UA Client will trust the security certificate used by the OPC UA Server to verify its identity. This step will need to be repeated every time the Server certificate changes.

  8. Select the Identity Stores tab.

  9. Download the Certificate from the OPC UA Client self-signed Identity Store. The Key Pair does not need to be downloaded.

OPC UA Server device

  1. Open the Web Based Management (WBM) site by browsing to the IP address of the PLC.

  2. Select the Certificate Authentication item from the Security menu.

  3. Select the Trust Stores tab.

  4. Add the OPC UA Client self-signed certificate (downloaded earlier) to the Trust Store named OPC UA-configurable. Now, the OPC UA Server will trust the security certificate used by the OPC UA Client to verify its identity. This step will need to be repeated every time the Client certificate changes.

OPC UA Client device

  1. Open PLCnext Engineer.

  2. Create a new PLCnext Engineer project using the template for your PLCnext Control device. If you are using the same device for both the OPC UA Client and the OPC UA Server, then the same PLCnext Engineer project will be used.

  3. Set the IP address of the PLC in the PLCnext Engineer project.

  4. On the OPC UA Server configuration page, set Visibility of variables to Marked. Yes, it does seem strange to require this OPC UA Server setting for the OPC UA Client, but this will be fixed in a future firmware version.

  5. Create variables that will be connected to variables in the OPC UA Server. Make sure the OPC check box is ticked for those variables. In the example below, two variables have been created in the Main program.


  6. Write and start the project.

  7. Open a secure shell session on the PLC (e.g. in a Command window).

  8. Create the following directory path on the device:

    /opt/plcnext/projects/Default/Services/OpcUA/Modules/Client/Configs

  9. Create a file named client.module.config containing the following text in XML format:

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <OpcUAClientModuleConfigurationDocument schemaVersion="1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig" xmlns="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig">
      <Application>
        <CertificateStore>
          <SelfSignedIdentityStoreName>OPC UA Client self-signed</SelfSignedIdentityStoreName>
          <GivenIdentityStoreName>OPC UA Client</GivenIdentityStoreName>
          <TrustStoreName>OPC UA Client</TrustStoreName>
        </CertificateStore>
        <SessionSecurity>
          <ApplicationAuthentication>false</ApplicationAuthentication>
          <ApplicationUriCheck>true</ApplicationUriCheck>
          <CertificateHostnameCheck>true</CertificateHostnameCheck>
          <CertificateTimeCheck>true</CertificateTimeCheck>
          <CertificateIssuerTimeCheck>true</CertificateIssuerTimeCheck>
          <PasswordEncryptionCheck>true</PasswordEncryptionCheck>
        </SessionSecurity>
        <Timeouts>
          <SessionTimeout>1200000</SessionTimeout>
          <ConnectTimeout>5000</ConnectTimeout>
          <WatchdogTimeout>5000</WatchdogTimeout>
          <CallTimeout>10000</CallTimeout>
        </Timeouts>
      </Application>
    </OpcUAClientModuleConfigurationDocument>
    

    This file provides general configuration information for the OPC UA Client, e.g. the name of the Client Certificate Store on the PLC, and timeout values.

  10. Create a file named clientconfig.xml containing the following text in XML format:

    <?xml version="1.0" encoding="utf-8"?>
    <eUAClientConfigurationDocument xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:uax="http://opcfoundation.org/UA/2008/02/Types.xsd" xmlns="http://phoenixcontact.com/OpcUA/PLCnext/UAClientConfig/Types.xsd">
      <eUAClientConfiguration>
        <Name>ClientConnectionsConfiguration</Name>
        <NamespaceArray> 
          <uax:String>http://phoenixcontact.com/OpcUA/PLCnext/GlobalDataSpace/</uax:String>
        </NamespaceArray>
        <ServerConnections>
          <eUAClientServerConnection>
            <EncodingMask>3</EncodingMask>
            <Endpoint> 
              <uax:EndpointUrl>opc.tcp://192.168.1.10:4840</uax:EndpointUrl>
              <uax:SecurityMode>Sign_2</uax:SecurityMode> 
              <uax:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</uax:SecurityPolicyUri>
            </Endpoint>
            <UserTokenType>UserName_1</UserTokenType>
            <UserName>admin</UserName>
            <Password>xxxxxxxx</Password>
          </eUAClientServerConnection>
        </ServerConnections>
        <VariableGroups>
          <eUAClientVariableGroup>
            <GroupType>Write_1</GroupType> 
            <CycleTime>100</CycleTime>
            <NodeMappings>
              <eUAClientNodeMapping>
                <LocalVariable>
                  <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.Client_Data_Out</uax:Identifier> 
                </LocalVariable>
                <RemoteVariableDescriptor>
                  <EncodingMask>2</EncodingMask>
                  <ServerIndex>1</ServerIndex>
                  <NodeId> 
                    <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.Server_Data_In</uax:Identifier>
                  </NodeId>
                </RemoteVariableDescriptor>
              </eUAClientNodeMapping>
            </NodeMappings>
          </eUAClientVariableGroup> 
          <eUAClientVariableGroup>
            <GroupType>Subscribe_0</GroupType> 
            <CycleTime>100</CycleTime>
            <NodeMappings>
              <eUAClientNodeMapping>
                <LocalVariable>
                  <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.Client_Data_In</uax:Identifier> 
                </LocalVariable>
                <RemoteVariableDescriptor>
                  <EncodingMask>2</EncodingMask>
                  <ServerIndex>1</ServerIndex>
                  <NodeId> 
                    <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.Server_Data_Out</uax:Identifier>
                  </NodeId>
                </RemoteVariableDescriptor>
              </eUAClientNodeMapping>
            </NodeMappings>
          </eUAClientVariableGroup> 
        </VariableGroups>
      </eUAClientConfiguration>
    </eUAClientConfigurationDocument>
    

    This file uses the Namespace and Node ID information recorded earlier (using UaExpert) to specify which server variables the client will access.

  11. In the above file, change the following to suit your application:

    • The element uax:EndpointUrl must include the IP address (or DNS name) of your OPC UA server.

    • The UserName and Password elements must contain the credentials required for the OPC UA server.

    IMPORTANT: In this example, the Node ID strings in UaExpert included the text ns=6. In the XML file above, this has been changed to ns=1, because the "namespace" parameter (ns) is an index into the list of namespaces on the local client. In this example, the Namespace name that was copied from UaExpert is the first (and only) namespace in the list of namespaces in our clientconfig.xml file.

  12. Place both files client.module.config and clientconfig.xml in the directory you created earlier:

    /opt/plcnext/projects/Default/Services/OpcUA/Modules/Client/Configs

  13. Restart the PLCnext Runtime.

  14. In PLCnext Engineer, connect to the Client PLC and go into Debug mode.

  15. Change the value of the variable Client_Data_Out. The value will be written to the variable Server_Data_In on the OPC UA Server. That value will be incremented by the Server and written to the variable Server_Data_Out. The value of that variable will then be transferred to the variable Client_Data_In on the Client.
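A check that can be run over clientconfig.xml before it is copied to the device, added here as an example (it is not part of the original article or of any Phoenix Contact tooling). It covers the ns remapping rule from step 11 and goes further by flagging the channel security mode and the clear-text password; the function name, finding texts and sample document are constructed, and it assumes index 0 is the OPC UA base namespace, so entries in NamespaceArray start at ns=1.

```python
import re
import stat
import xml.etree.ElementTree as ET

NS = {"c": "http://phoenixcontact.com/OpcUA/PLCnext/UAClientConfig/Types.xsd",
      "uax": "http://opcfoundation.org/UA/2008/02/Types.xsd"}

def audit_clientconfig(xml_data, file_mode=None):
    """Return findings for a clientconfig.xml document (str or bytes)."""
    root = ET.fromstring(xml_data)
    findings = []
    # Assumption: NamespaceArray entries are addressed as ns=1, ns=2, ...
    # A server-side index copied from UaExpert (e.g. ns=6) will not resolve.
    count = len(root.findall(".//c:NamespaceArray/uax:String", NS))
    for ident in root.iterfind(".//uax:Identifier", NS):
        m = re.match(r"\s*ns=(\d+);", ident.text or "")
        if m and int(m.group(1)) > count:
            findings.append(f"namespace index out of range: {ident.text.strip()}")
    for conn in root.iterfind(".//c:eUAClientServerConnection", NS):
        url = conn.findtext("c:Endpoint/uax:EndpointUrl", "?", NS).strip()
        mode = conn.findtext("c:Endpoint/uax:SecurityMode", "", NS).strip()
        policy = conn.findtext("c:Endpoint/uax:SecurityPolicyUri", "", NS).strip()
        if mode != "SignAndEncrypt_3":
            if mode == "Sign_2" and not policy.endswith("#None"):
                findings.append(f"{url}: signed but not encrypted")
            else:
                findings.append(f"{url}: unsecured channel")
        if conn.findtext("c:Password", "", NS).strip():
            findings.append(f"{url}: clear-text password in file")
            if file_mode is not None and file_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(f"{url}: password file readable by group or others")
    return findings

# Constructed sample: the article's connection with the UaExpert index ns=6 left in.
SAMPLE = """<eUAClientConfigurationDocument
 xmlns="http://phoenixcontact.com/OpcUA/PLCnext/UAClientConfig/Types.xsd"
 xmlns:uax="http://opcfoundation.org/UA/2008/02/Types.xsd"><eUAClientConfiguration>
<NamespaceArray><uax:String>http://phoenixcontact.com/OpcUA/PLCnext/GlobalDataSpace/</uax:String></NamespaceArray>
<ServerConnections><eUAClientServerConnection><Endpoint>
<uax:EndpointUrl>opc.tcp://192.168.1.10:4840</uax:EndpointUrl>
<uax:SecurityMode>Sign_2</uax:SecurityMode>
<uax:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</uax:SecurityPolicyUri>
</Endpoint><UserName>admin</UserName><Password>xxxxxxxx</Password>
</eUAClientServerConnection></ServerConnections>
<NodeId><uax:Identifier>ns=6;s=Arp.Plc.Eclr/MainInstance.Server_Data_In</uax:Identifier></NodeId>
</eUAClientConfiguration></eUAClientConfigurationDocument>"""

FINDINGS = audit_clientconfig(SAMPLE, 0o644)  # mode 0o644 is a constructed value
```

To audit a real file, pass its bytes together with `os.stat(path).st_mode`.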

It isn't working?

Please check the Troubleshooting Guide in the PLCnext Info Center (at the bottom of the page).

Frequently Asked Questions

Q: The file-based configuration isn't very user-friendly, is it?

A: You're right. PLCnext Engineer version 2023.3 will include a graphical user interface that will make the file-based configuration steps unnecessary.

Q: Will PLCnext Engineer also allow me to browse tags in the OPC UA server, or will I still need to use something like UaExpert to see what tags are available?

A: In the short term: the second one. In the medium term, we hope that PLCnext Engineer will include this feature.

Q: Can the client connect to an OPC UA Server using Certificate/Key authentication?

A: No, not at the moment.

Q: How does the OPC UA Client store the Server password?

A: At the moment the OPC UA Server password is stored as clear text in the client configuration file, but the PLCnext Runtime developers are working on a more secure password storage method.

Q: Can I get quality information (e.g. Status Code, Timestamp) for data read from an OPC UA Server?

A: Not at the moment, sorry.
