Cert-Only Outbound OPC Connection from Ignition

We are trying to connect via a simple cert authentication from Ignition to a 3rd Party OPC server. A working test connection setup is as follows in UA Expert:

As you can see, this is about as ‘vanilla’ a client connection as can be. It works just fine.

The key setup area of Ignition is completely befuddling us and we have been unable to achieve a similar connection…

If we go to the Ignition Web UI > OPC UA > Security we can of course see both ‘client’ and ‘server’ certs. While that naming convention is a bit confusing when Ignition is itself both a client and a server, we can’t find any way to upload a pre-shared DER/PEM pair for an outbound connection (the Web UI cert management seems to only accept DER files). So… we are assuming this is NOT the area to upload certs for our current use case. It appears that this area of the Web UI is intended to:

  1. Accept server certificates when making an outbound connection from Ignition
  2. Accept client certificates when allowing 3rd parties to connect inbound to Ignition

This does not appear to be the area where we would store actual outbound authentication key pairs. Please correct if we are wrong on this, this is our interpretation and it may very well be incorrect.

If we then look at the Web UI > OPC Client > OPC Connections area we see the following at the bottom of the ‘advanced properties’ for our connection:

This SEEMS like it must surely be the secret sauce we are missing: some way to (externally?) import and store our client connection keys so that Ignition can leverage them for this outbound connection.
After many hours of fruitless Googling we can’t find any documentation on this.

Any help establishing an ‘anonymous’ (no user/pw) outbound OPC connection to a pure pre-shared key OPC server would be greatly appreciated.

The connection you configured in UaExpert is using X509 authentication, not anonymous authentication. The key and certificate used for this mode of authentication are not the same key and certificate used to secure the connection between client and server (the Application Instance Certificate).

Ignition’s OPC UA client does not support X509 authentication. The advanced configuration option you uncovered is to allow a different Application Instance Certificate to be used by the connection.

If you want to establish an anonymous connection then simply leave the username and password fields blank. But this is not what you did in UaExpert.

Thanks for the amazingly prompt reply!

Correct, when I say ‘anonymous’ I’m purely just describing the lack of ‘standard’ User/PW in favor of the pre-generated client certs. Sorry for my clumsy use of that term there.

Knowing that Ignition does not support X509 key auth is the critical info I was missing. It makes sense now why I can’t find any mentions of this in the documentation. :wink:

We’ll go back to the machine vendor and see if they can setup user/password auth for us.

That UaExpert has not disabled the Username/Password radio option likely means the server already has that authentication mode enabled and you just need to find out the username/password to use.
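As an added example, not taken from the thread and not Ignition's own code: what the UaExpert configuration above amounts to, written against the Eclipse Milo client SDK (the OPC UA stack that Ignition's OPC UA module is built on). It shows the two separate key pairs the reply distinguishes (the Application Instance Certificate that secures the channel, and the certificate sent as the user identity token), and it reads the endpoint's UserTokenPolicy list to see which user-token types the server actually offers, which is what the enabled or disabled authentication radio buttons in UaExpert reflect. It assumes Milo 0.6.x on Java 11, DER certificates and unencrypted PKCS#8 DER keys, and the endpoint URL, file names and credentials in the constants are hypothetical placeholders.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.List;

import org.eclipse.milo.opcua.sdk.client.OpcUaClient;
import org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfig;
import org.eclipse.milo.opcua.sdk.client.api.identity.AnonymousProvider;
import org.eclipse.milo.opcua.sdk.client.api.identity.IdentityProvider;
import org.eclipse.milo.opcua.sdk.client.api.identity.UsernameProvider;
import org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider;
import org.eclipse.milo.opcua.stack.client.DiscoveryClient;
import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
import org.eclipse.milo.opcua.stack.core.types.enumerated.UserTokenType;
import org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription;
import org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy;

public class X509UserTokenClient {

    // Hypothetical endpoint URL and file names; substitute your own.
    static final String ENDPOINT_URL = "opc.tcp://vendor-server.example:4840";
    // Pair 1: the Application Instance Certificate that secures the channel itself.
    static final Path APP_CERT = Path.of("ignition-app-cert.der");
    static final Path APP_KEY = Path.of("ignition-app-key.pk8");
    // Pair 2: the certificate presented as the user identity (UaExpert's "Certificate" option).
    static final Path USER_CERT = Path.of("user-cert.der");
    static final Path USER_KEY = Path.of("user-key.pk8");

    static X509Certificate loadDerCert(Path p) throws Exception {
        return (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(Files.newInputStream(p));
    }

    // Expects an unencrypted PKCS#8 DER key. A PEM key is the same bytes
    // base64-wrapped in BEGIN/END lines; strip the armor and decode first.
    static PrivateKey loadPkcs8Key(Path p) throws Exception {
        return KeyFactory.getInstance("RSA")
            .generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(p)));
    }

    // Does this endpoint advertise the given user-token type in its UserTokenPolicy list?
    static boolean offers(EndpointDescription e, UserTokenType type) {
        UserTokenPolicy[] policies = e.getUserIdentityTokens();
        return policies != null
            && Arrays.stream(policies).anyMatch(p -> p.getTokenType() == type);
    }

    public static void main(String[] args) throws Exception {
        List<EndpointDescription> endpoints = DiscoveryClient.getEndpoints(ENDPOINT_URL).get();

        // Pick a signed-and-encrypted endpoint; the secure channel it opens is
        // authenticated with the Application Instance Certificate only.
        EndpointDescription endpoint = endpoints.stream()
            .filter(e -> SecurityPolicy.Basic256Sha256.getUri().equals(e.getSecurityPolicyUri()))
            .findFirst()
            .orElseThrow(() -> new IllegalStateException("no Basic256Sha256 endpoint offered"));

        // Choose the user identity token from what the server actually offers.
        IdentityProvider identity;
        if (offers(endpoint, UserTokenType.Certificate)) {
            // Milo signs the server nonce with this key when it activates the session;
            // this is the user-token mode Ignition's OPC UA client does not implement.
            identity = new X509IdentityProvider(loadDerCert(USER_CERT), loadPkcs8Key(USER_KEY));
        } else if (offers(endpoint, UserTokenType.UserName)) {
            identity = new UsernameProvider("opc-user", "change-me"); // hypothetical credentials
        } else if (offers(endpoint, UserTokenType.Anonymous)) {
            identity = new AnonymousProvider();
        } else {
            throw new IllegalStateException("server offers no supported user token type");
        }

        X509Certificate appCert = loadDerCert(APP_CERT);
        PrivateKey appKey = loadPkcs8Key(APP_KEY);

        OpcUaClientConfig config = OpcUaClientConfig.builder()
            .setEndpoint(endpoint)
            .setApplicationName(LocalizedText.english("cert-only-client"))
            .setApplicationUri("urn:example:cert-only-client")
            .setCertificate(appCert)
            .setKeyPair(new KeyPair(appCert.getPublicKey(), appKey))
            .setIdentityProvider(identity)
            .build();

        OpcUaClient client = OpcUaClient.create(config);
        client.connect().get();
        System.out.println("session established with user token " + identity.getClass().getSimpleName());
        client.disconnect().get();
    }
}
```

Two practical checks when running something like this against a vendor server: the application URI in the config must match the URI SAN in the application certificate, and the server typically keeps a separate trust list for user certificates, so trusting the application certificate in the server does not by itself make the X509 user token acceptable.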

I understand this isn’t always an easy question to answer, but just so I know what our options are here, is x509 auth support anything on the OPC Connection roadmap for you?

We are at a bit of a crossroads on how we move forward and curious if this is something Ignition will ever support.

The biggest blocker to supporting it is that the gateway config UI isn’t flexible enough to introduce a configuration UI that makes any sense for it. Once the gateway config is rewritten to be React-based like the status section in 8.2 it should be pretty easy.

There’s not likely to be any support for it near-term, though.

Gotcha, totally reasonable direction. Thanks for the feedback once again!