How-To Configure the OPC UA Connection for Kepware
What Does This Article Cover?
Intelligence Hub includes a configurable Connection that allows Intelligence Hub solutions to exchange data via OPC UA TCP. Kepware KEPServerEX is a market leading OPC UA Server and therefore Intelligence Hub is often configured to exchange data with KEPServerEX. This article covers security and authentication considerations when configuring the Intelligence Hub OPC UA TCP Connection for KEPServerEX.
- What is KEPServerEX?
- What is Kepware OPC UA Configuration Manager?
- Kepware KEPServerEX configuration
- Kepware OPC UA Configuration Manager configuration
- Configuring host and port
- Configuring Authentication Type
- Configuring Security Type
What is KEPServerEX?
Kepware is a brand of PTC that offers a portfolio of industrial connectivity solutions that help businesses connect automation devices and software. Kepware’s flagship product, KEPServerEX is an OPC server that allows you to connect to various devices including PLCs, RTUs, and some sensors and actuators. Kepware also offers software drivers that meet the connectivity requirements of a specific device, system, or other data source. The driver handles proprietary communications between KEPServerEX and the data source.
What is Kepware OPC UA Configuration Manager?
The OPC UA Configuration Manager assists users in administering the UA server configuration settings for an instance of KEPServerEX. OPC UA’s security standard requires that all endpoints participating in UA communication do so over a secure connection. To comply with this security requirement, each UA server instance and UA client instance must provide a trusted certificate to identify itself. These certificates may be self-signed. As such, they must be added to a local trusted certificate store on both the server and client nodes by a user with administrator privileges before any secure OPC UA connections may be attempted. The Kepware OPC UA Configuration Manager is a user-friendly interface through which the certificate exchange may be performed.
Kepware KEPServerEX configuration
The first step is to enable and configure the KEPServerEX OPC UA server. To do this open the KEPServerEX Configuration application and right click on the Project level of the tree to open the Property Editor. In the Server Interface section the “Enable” dropdown selection should be changed to “Yes”. The Server needs to be reinitialized for this change to take effect. The “Allow anonymous login” setting should also be considered and aligned with the security strategy. Please reference the KEPServerEX documentation and consider other OPC UA server properties as they relate to the Intelligence Hub solution being created.
It may be beneficial to create a dedicated KEPServerEX user for the Intelligence Hub Connection. This can be done using the KEPServerEX Administration application or “Settings…”. Please reference KEPServerEX documentation for information related to Security Policies and Users.
Kepware OPC UA Configuration Manager configuration
After KEPServerEX has been enabled as an OPC UA Server the details of OPC UA security can be configured using the OPC UA Configuration Manager application. The server endpoint must be enabled. Note the servername or IP address specified here will be referenced in the Intelligence Hub Connection configuration.
Then the desired security policy can be configured for the endpoint. A level of security is required for the Intelligence Hub Connection. Valid options in Intelligence Hub are None, Basic256Sha256-Sign and Basic256Sha256-SignEncrypt. The Intelligence Hub supports the ability to select “None” turning off security as allowed by the OPC UA specification. In this mode, communications will not be encrypted nor signed, and as such will not be private and not be verified as coming from a trusted source.
When security is enabled and Basic256Sha256-Sign or Basic256Sha256-SignEncrypt, the Intelligence Hub automatically creates an application instance certificate the first time it is run. It connects using asymmetric security algorithms encryption to securely exchange public keys and create a secure connection. Intelligence Hub Signs or Signs and Encrypts all requests before sending it to the server. Intelligence Hub Decrypts (if applicable) and verifies the signature of all responses coming from the server.
Note the Port Number specified here will be referenced in the Intelligence Hub Connection configuration. It may also be necessary to open a firewall port to allow communication on this port. Please reference Kepware documentation for this configuration.
Configuring host and port
After the prerequisite KEPServerEX configuration has been completed then the Intelligence Hub OPC UA TCP Connection may be configured. The Host and Port information may be obtained from the KEPServerEX OPC UA Configuration Manager.
Configuring Authentication Type
An Authentication Type must be specified. If Anonymous is selected then the “Allow Anonymous Access” setting must be enabled in KEPServerEX. If Username_Basic256 is selected then a valid KEPServerEX username and password must be entered. Passwords are always encrypted using Basic256 encryption defined by the OPC UA specification.
Note: HighByte recommends using a minimum of Basic256Sha256–Sign along with username/password authentication for all OPC UA communications.
Configuring Security Type
The Security selection can be made in Intelligence Hub corresponding to the configuration that was completed in the KEPServerEX OPC UA Configuration Manager Endpoint Definition.
When Basic256Sha256-Sign or Basic256Sha256-SignEncrypt are selected then the Client Certificate must be selected. The default Intelligence Hub certificate named “app-certificate-private-key” may be selected.
Next attempt to browse the OPC UA Namespace by selecting the Inputs tab and clicking the Browse button.
The Intelligence Hub Connection will fail to find the OPC UA tags.
The first time the Intelligence Hub makes a secure connection to any OPC UA server, you will need to Trust the Intelligence Hub application certificate. This can be using the KEPServerEX OPC UA Configuration Manager. Select the Trusted Clients tab, then select the Client Name, and then click the Trust button.
Now it should be possible to browse the OPC UA Tags.