OPC UA Client Driver

Not counted towards your tag license limit.

UA stands for "Unified Architecture". The OPC UA Client driver interfaces to an OPC UA server running on either the local or another computer.

OPC UA is an alternative communication protocol to OPC CLASSIC, which used DCOM for communication between a client and a server. VTScada still supports the existing OPC CLASSIC driver.

Unlike OPC CLASSIC, OPC UA, does not rely on third-party “OPC-tunnellers” to act as proxies between the client and server. An OPC UA server may run on a remote computer or be embedded in a smart device and can run on a variety of operating systems. Because there are a limited number of OPC UA products, a tunneller can be used to connect OPC UA clients to an OPC CLASSIC server.

 

If both client and server are using OPC UA, the only additional configuration necessary is to ensure that firewalls allow the correct ports to be opened. The port(s) in use are defined by the OPC UA server.

 

Unlike many other drivers, the OPC UA Client Driver does not use a Port tag to communicate with its device (OPC UA server). Due to the nature of the binary protocol, the OPC UA Client Driver has port handling built-in.

Server List

Select (or create) a named server list. (Driver Server Lists) Servers for the list must be defined using the Application Configuration dialog, as described in Servers for Specific Services. Smaller sites that do not have multiple servers, or that use only the default server list, need not configure this field.

OPC UA Client Driver properties Connection tab

Use this tab to supply the address of the server. (see: Server Addressing in the topic, OPC UA Addressing)

The check box to allow unsecured connections should be selected only when the security of the connection is otherwise guaranteed by external means such as a VPN between the VTScada system and the OPC UA server.

 

 

OPC UA Client Driver properties Authentication tab

Refer to OPC UA Support & Security for more detail on required security configuration.

 

Fields within this tab are enabled according to your selection of authentication method:

Anonymous

When authentication is set to Anonymous, no other fields are enabled.

Username

Username and Password fields are enabled.

Certificate

Control buttons and certificate grid are enabled.

 

A certificate grid displays the collection of certificates in a certificate store (which store depends on which grid is displayed) and a set of action buttons. Because a certificate grid appears on more than one tab, it is described later in this topic rather than within the tab description.

 

OPC UA Client Driver properties Client Certificate tab

Refer to OPC UA Support & Security for more detail on required security configuration.

 

Contains a certificate grid and associated buttons, similar to that in the Authentication tab. (See: Certificate Grids and Controls)

Use this to choose the certificate that the OPC UA Client Driver will supply to the server for transport security. It displays only valid certificates of the appropriate extended key usage type (that is, suitable for client authentication) that are in the current user’s Trihedral OPC UA Client certificate store. That certificate store is created by the OPC UA Driver for this purpose.

OPC UA Client Driver properties Server Certificate tab

Refer to OPC UA Support & Security for more detail on required security configuration.

 

This tab holds a pair of certificate grids showing trusted and untrusted server-supplied transport security certificates, if any. (See: Certificate Grids and Controls) The certificates displayed are those in the current user’s Trihedral OPC UA Trusted and Trihedral OPC UA Untrusted certificate stores.

The server provides its certificate during establishment of a connection with the client. The OPC UA Client Driver will only allow the connection to be established if the certificate is trusted.

If the server’s certificate is derived from a trusted certificate authority (in other words, there is a complete chain of trust from the server’s certificate through any intermediate certificates to the trusted certificate authority’s certificate), the certificate will be automatically trusted and not placed in either of these stores.

If the server certificate is not trusted by virtue of such a chain of trust and is not in the Trihedral OPC UA Trusted certificate store, it is automatically placed in the Trihedral OPC UA Untrusted store and appears in this tab’s Untrusted Certificates grid. From there you can elect to trust that certificate, using the Add Trust button. This will remove the certificate from the Untrusted Certificates and place it in the Trusted Certificates grid (and corresponding store).

If the OPC UA Client Driver trusts the server’s transport certificate, via either of the above two methods, then the OPC UA Client Driver will allow a connection to the server to be established.

OPC UA Client Driver properties Diagnostics tab

On startup, the OPC UA Client Driver reads certain status and other information from the server. This tab displays the most recent information and provides a button to allow the data to be refreshed. The data is only available when there is a good connection to the server.

There is also a check box that allows an unsecured, unencrypted transport connection to be made to the server (if the server permits such a connection) for debugging purposes. The state of the check box always reverts to unchecked when the driver is reloaded (typically on restart of the application). After selecting or deselecting the check box, use the Restart Driver button to cause the OPC UA Client Driver to disconnect and reconnect to the server, thereby switching between secure and unsecured communication.

 

Certificate Grids and Controls

A certificate grid displays the collection of certificates in a certificate store (which store depends on which grid is displayed) and a set of action buttons.

Certificate Name

The leftmost grid column shows the “Friendly Name” of the certificate, if it has one, and the “Common Name” of the certificate if it does not.

Issuer Name

Shows the issuer of the certificate. Self-signed certificates often have the same name as the certificate Common Name, while certificates issued by a Certificate Authority (whether in-house or external) bear the issuer’s name.

Valid

Indicates whether the certificate is valid for the purpose intended. This means slightly different things on different grids.

On the Connection tab or Client Certificate tab, a certificate is considered valid if it still within its validity period. Certificates in the same certificate store that are inappropriate for use are not displayed. Although a certificate might not be marked as valid, it may still be allowed for use by the server or client.

Note that on the Server Certificate tab, the Valid column means that the certificate is within its validity period and the name on the certificate matches the name of the server supplied on the Connection tab Endpoint URL field. This helps you spot if the server responding to the configured Endpoint URL holds a valid certificate for that server.

Fingerprint

The rightmost column displays the SHA-1 “fingerprint” of the certificate. This is the same fingerprint as is shown in the Windows’ certificate dialog displayed by double-clicking a certificate file. This allows easy and unique identification of certificates that may appear similar in the certificate grid.

Control buttons

Create New Button

The “Create New” button will generate a self-signed certificate and place it in the store being displayed on the certificate grid.

Click this button to display the following dialog, the content of which will be incorporated in the new certificate.

Certificate Name

The certificate name is the “Friendly Name” of the certificate. After a certificate is created, the Common Name cannot be changed, but the Friendly Name can.

The Friendly Name is what the OPC UA Client Driver holds as a parameter to its tag and therefore, is propagated across computers participating in the distributed application.

Consider, however, the case of a pair of I/O servers (primary and backup). Normally the primary will connect to the OPC UA server and retrieve data. To do this (assuming the driver is not running in unsecured mode) it needs to provide a Client Certificate to the server. It uses its “ClientCertificateName” tag parameter to find the certificate it should supply. As the backup I/O server contains an exact copy of the tag, it too has the same tag parameter and will therefore look for a certificate of that name in its certificate store.

There is no issue if you use the same certificate (and private key) on both I/O servers, however you can use different certificates so long as they have the same Friendly Name, as this is the key used by the OPC UA Client Driver to locate its transport certificate. Of course, the OPC UA server has to trust both client certificates as well.

For this reason, for the Client Certificate (transport certificate), the Certificate Name field is only enabled if the OPC UA Client Driver does not have any value in its ClientCertificateName parameter. This happens only when you first generate a self-signed certificate for this tag. From that point onwards, generating a new self-signed client transport certificate via this dialog will have the tag parameter value displayed in the Certificate Name field and will not be modifiable.

Certificate Subject

The certificate subject may be modified. It is the Distinguished Name of the certificate and defaults to “CN=<driver name>”, i.e. sets the Common Name to the name of the driver tag. Unless you have specific needs, we do not recommend that you modify this.

Key Strength

This allows you to set the key strength (number of bits) in the asymmetric key pair that will be generated for this certificate. Currently, the dialog only permits RSA keys (that is all the current OPC UA servers support) of key strengths between 2048 and 4096 bits.

The client and server certificates can have different key strengths.

VTScada will only generate RSA public/private key pairs that are classed as acceptable by:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf

This mandates at least "112 bits of security", which means an RSA key length of at least 2048 bits.

Referring to Table 4 within the following document, this is sufficient up to the year 2030.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

Validity

The key validity period can be set to be between 30 and 36500 days (approximately one month to 10 years).

When a certificate expires, any entity receiving that certificate should decline it. A shorter validity period may seem inconvenient, but this reduces the length of time that a compromised or stolen certificate remains undetected.

Subject Alternative Names (DNS)

Supply any DNS (Domain Name Service) names that the client computer may be known by. These will be incorporated into the certificate extended properties Subject Alternative Name field as DNS entries.

The certificate will also have an automatically-created URL and a DNS entry. The URL is composed from the application GUID and is unique to this application. The DNS entry contains the host name of the workstation on which you are creating this certificate. (Not the fully qualified domain name, FQDN.)

Some OPC UA servers may require that one of the DNS names provided can be matched to a white list, therefore this field gives you an opportunity to provide whatever DNS name is required.

Enter each Subject Alternative Name (DNS) on a separate line.

Use Selected button

Enabled only when there are two ore more certificates to choose from.

Import Button

Use to import a certificate and private key from a Personal Information Exchange format file (.PFX or .P12). This file format is commonly used to securely transport certificates and private keys between computers.

The Microsoft Management Console’s Certificate Management snap-in is one way to export certificates and their private key to such files.

On clicking the button, the following dialog is displayed, which allows you to select the file and supply the password associated with the private key (which is encrypted within the file).

Remove Button

Removes the currently selected certificate (and its private key) from the grid and the associated certificate store.

After removal, a certificate can be restored only if you have a backup of that certificate in a suitable format (e.g. a .PFX or .P12 file). Confirmation is required before the certificate is deleted.