OPC UA client to server connection

You can use the CSense OPC UA Client Source block to read data from an OPC UA server and the OPC UA Client Sink block to write data to an OPC UA server.

To connect to an OPC UA server with the OPC UA Client Source or Sink block, you are expected to have a basic understanding of the OPC UA standard, X.509 certificates, and Public Key Infrastructure (PKI). Before you begin, it is recommended that you read About Security in OPC UA for a basic understanding of security in OPC UA, the certificate store, and PKI.

Establishing a connection between the CSense OPC UA Client Source or Sink block and the OPC UA server involves the following:

  1. Discover an active OPC UA server.

  2. Establish trust between the OPC UA server and CSense OPC UA Client.

  3. User Authentication.

  4. Reconnect to the OPC UA server.

Discover an Active OPC UA Server

  1. From the Input or Output tab, drag-and-drop the OPC UA Client Source or Sink block onto a new canvas.

  2. Double-click the OPC UA Client Source or Sink block.
    The OPC UA Client Source or Sink Properties window opens.

  3. Click the button adjacent to the Data source field.
    The OPC UA Connection dialog opens.

    1. Click Discover.
      The OPC UA Server Discover dialog opens.

    2. In the Endpoint field, enter the endpoint of the OPC UA server as needed. It can be a Local Discovery Server, Global Discovery Server, or any specific OPC UA server.
      The available OPC UA servers are listed, along with their Security Policy and Message Security Mode.

    3. Select the OPC UA server from the list.

    4. Click OK.
      The OPC UA Server Discover dialog closes, and the selected OPC UA server and its Security Policy and Message Security mode are added to the OPC UA Connection dialog.

      The OPC UA Connection dialog displays the following configurations:

    Section: Server Configuration

      • Endpoint: The URI of the OPC UA server that you want to connect to. It can be a Local Discovery Server or the Global Discovery Server.
        It is recommended to use the Discover button to discover and select the OPC UA server along with its Security Policy and Message security mode.
        NOTE: Both OPC (opc.tcp://) and HTTPS (https://) type connections are supported. The options supported and values for these options depend on the OPC UA server. See the OPC UA server documentation or contact your system administrator for further details.

      • Security policy: The security policy configured on the server that you are trying to connect to.
        It is recommended to use the Discover button to discover and select the OPC UA server and to load the respective Security Policy.

      • Message security mode: The security mode configured on the OPC UA server that you are trying to connect to.
        It is recommended to use the Discover button to discover and select the OPC UA server and to load the respective Message security mode.

    Section: User Authentication

      • Anonymous: This authentication type disables the user authentication and allows any OPC UA client to connect with the OPC UA server (not recommended).

      • User and Password: This authentication type requires a valid username and password to authenticate the CSense OPC UA Client to the OPC UA server.

      • Certificate, Private Key, and Password: This authentication type requires a valid user certificate, private key, and password to authenticate the CSense OPC UA client to the OPC UA server. For this purpose, a separate pkiuser directory is available on the server. You must ensure that the user certificate is in the trusted folder. For more information, see User Authentication using a certificate.

  4. Select the configured User Authentication.
    • Anonymous: select this if you want to disable user authentication. This is not recommended.

    • User and Password: enter a valid username and password that the Server trusts.

    • Certificate, Private key, and Password: browse to the location where the user certificate and the private key are placed. If the certificate came without a password, leave the Password field empty. Ensure that the user's certificate is trusted by the server. For more information, see User Authentication using a certificate.

  5. Click Test.

    At this point, you may not be able to establish a successful connection to the OPC UA Server. You must ensure that both the OPC UA Server and the CSense OPC UA Client trust each other's certificates. In the case of the Certificate, Private Key, and Password type of user authentication, also ensure that you move the user certificate to the server's trusted folder in the pki directory, as mentioned in User Authentication using a certificate.

Establish Trust Between OPC UA Server and CSense OPC UA Client

When you discover and select an OPC UA server, both the server and the CSense OPC UA client share the certificates between them. However, the certificates might be added to the rejected folder in the pki directory. You must ensure that the certificates are moved to the trusted folder.

For more information on how to establish trust, see Certificate Management on the CSense OPC UA client, and Certificate Management on the OPC UA Server.

User Authentication using a Certificate, Private key, and Password

When you connect to the Server using either certificate and private key, or certificate, private key, and password, as the user authentication, the user certificate may be added to the rejected folder of the server's pkiuser directory. You must move the user certificate to the trusted folder. See your server documentation or consult your system administrator to learn about the recommended certificate management process specific to your server.

In general, to add the certificate of the user to the server's trusted folder, perform the following:

  • If the user certificate is in neither the trusted nor the rejected folder of the server's pkiuser directory, copy the user certificate *.der file from your machine and move it to <BASE_DIRECTORY>\pkiuser\trusted\certs\.

  • If the user certificate is in the rejected folder of the server's pkiuser directory, copy the user certificate *.der file from the rejected folder and move it to <BASE_DIRECTORY>\pkiuser\trusted\certs\.

Once you have ensured that the certificates of both the server and CSense OPC UA client are trusted by each other and you have added the user certificate to the server, you can again try to connect with the OPC UA server.
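
Moving a file out of the rejected folder makes the server accept whoever holds the matching private key, so it is worth confirming the file is the certificate you expect first. The following PowerShell script is an added example, not CSense or server-vendor code: it moves a *.der file to the trusted folder only when its SHA-256 fingerprint matches one obtained from the certificate owner over a separate channel and the certificate is inside its validity period. The parameter names and the rejected-folder location are assumptions; the page gives only the trusted path.

```powershell
# Added example; parameter names are hypothetical.
# $RejectedDir    : wherever your server stores rejected user certificates (assumption)
# $TrustedCertsDir: <BASE_DIRECTORY>\pkiuser\trusted\certs
# $ExpectedSha256 : fingerprint supplied by the certificate owner out of band
param(
    [Parameter(Mandatory)] [string] $RejectedDir,
    [Parameter(Mandatory)] [string] $TrustedCertsDir,
    [Parameter(Mandatory)] [string] $ExpectedSha256
)

# Accept fingerprints written with colons or spaces.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 64) { throw 'ExpectedSha256 must be 64 hex characters.' }

$now = Get-Date
$promoted = 0

foreach ($file in Get-ChildItem -LiteralPath $RejectedDir -Filter '*.der' -File) {
    # SHA-256 over the DER file is the certificate's SHA-256 fingerprint.
    $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
    } catch {
        Write-Warning "$($file.Name): not a parseable X.509 certificate, skipped."
        continue
    }

    # Show what is about to be trusted so the operator can review it.
    [pscustomobject]@{
        File = $file.Name; Subject = $cert.Subject; Issuer = $cert.Issuer
        NotBefore = $cert.NotBefore; NotAfter = $cert.NotAfter; Sha256 = $sha256
    } | Format-List

    if ($sha256 -ne $expected) {
        Write-Warning "$($file.Name): fingerprint does not match, left in rejected."
        continue
    }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "$($file.Name): outside its validity period, left in rejected."
        continue
    }

    Move-Item -LiteralPath $file.FullName -Destination $TrustedCertsDir
    $promoted++
}
"Promoted $promoted certificate(s) to $TrustedCertsDir"
```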

Reconnect to the OPC UA Server

Consider the following points before you begin to reconnect to the OPC UA Server:

  • If the blueprint is currently executing, a reconnection to the server only takes effect when the blueprint is stopped and restarted. This is because the blueprint is executed in a separate execution thread.

  • When executing in real-time mode and the connection to the OPC UA server is lost during execution, the OPC UA Client Source block will attempt to reconnect to the server every 60 seconds. While the connection is broken, the field values and timestamps in the output port will remain unchanged. When the connection is re-established, the execution will continue as before the connection was lost.

Now try to connect to the OPC UA server following the steps mentioned in Discover an OPC UA Server.


CSense 2023 - Last updated: June 24, 2025