Hi, has anyone here had success creating a secure connection between an Allen Bradley PLC (acting as the OPC-UA client) and an Ignition OPC-UA server?
My research so far suggests that it is necessary to create a trust relationship in the Rockwell Factory Talk Policy Manager software. I believe I have to create a "Zone" and add both the OPC-UA server and client as "Devices" in the same Zone. However, I can't get the software to accept the Ignition server's URL - it simply says "Cannot verify connection to this server. Try adding again in Discovery pane or verify the URL and refresh the endpoint list". I'm running the FTPM software on the same machine as Ignition and so my URL is opc.tcp://localhost:62541 (I also tried adding /discovery on the end but got the same result). My security settings are the default Basic256Sha256 and anonymous. I try pressing the refresh button but nothing appears in the endpoint list and the above message remains just below the URL.
A further issue (maybe related, I don't know) is that I cannot import the server's certificate into FTPM. It says "Cannot import certificate to the OPC UA server - Factory Talk System Services does not have permissions to access file."
Is there a client certificate for FTPM that needs to be imported and trusted by Ignition? Or does it need a certificate from the PLC? And where would I find that?
Anonymous access is not enabled by default on the Ignition OPC UA server. If you enabled it at some point then make sure you've restarted the Ignition Gateway.
If you get far enough into the connection process it will show up in the Gateway under Config > OPC UA > Security on the Server tab, where you can mark it trusted. You can also import it ahead of time in the same place.
Hi Kevin. Thanks for the reminder about restarting the server after making changes to the configuration. That still catches me out from time to time. Just a suggestion, but it might be helpful to have some visual indication in the gateway when there are pending config changes that require a restart.
In my case, I don't think that was the cause of my problem. I have restarted many times while trying out different things to solve it.
My PLC is not configured with that URL. Localhost is used only in the FTPM software, which is running on the same PC as the Ignition server.
I'm still trying to understand exactly how the Rockwell/AB security model works but it looks as though you configure the Zones and Devices in FTPM before "deploying" the security settings to the PLC.
FTPM presumably needs to verify the connection to the OPC-UA server. So, from that point of view, it is a localhost connection. In the PLC, I have it configured with the IP address of the server, rather than localhost. And that works fine until I turn on the security - then, thanks to Rockwell/AB's approach, things get a whole lot more complicated and I have to use the FTPM software, apparently.
I have tried using the IP address and hostname in FTPM too - but get the same error message.
Thanks for the suggestion - I will give that a try.
Do you know if FTPM has to be running constantly in the production environment, or can I deploy the security model to the PLC and then remove FTPM from the environment? My reason for asking is that we only have one PC in our production system - and that's the one that is running Ignition, of course.
No, sorry. I only use Rockwell Software to deploy/maintain PLC and related hardware, not as any part of a production system. (Because I don't put production-critical software on Windows, and Rockwell is still in an unholy union with Microsoft.)