Dear Ignition Support
I am fairly new to setting up OPC-UA connections and making the Ignition OPC-UA Server visible to external OPC-UA clients, but I am trying to set up an OPC-UA connection from OSI-PI, using their OPC-UA Connector, to Ignition's OPC-UA Server. I am currently doing some preliminary testing with this, but it seems something weird is being observed with certificates.
Upon setting up the OSI-PI OPC-UA Connector to the correct endpoint, `opc.tcp://{IP Address or Hostname of Server}:62541`, the Ignition server certificate is correctly passed to the OSI-PI UA Connector and can then be manually trusted. The OPC-UA connection is set up and data is now flowing between the Ignition OPC UA Server and OSI-PI via OPC-UA, but the OSI-PI certificate is not showing up in the quarantined certificates or trusted certificates in the OPC-UA Security setting of the Ignition Gateway. I have not manually downloaded the OSI-PI certificate or manually trusted it either. The security policy set up on the Ignition server is set to either None, Basic256Sha256.
Is this normal behaviour? I thought that with OPC-UA connections both certificates need to be trusted at both ends before any data flow can occur, regardless of the security policy set up on the Ignition gateway. Is this correct?
My guess would be that OSI PI has connected without security.
The only time you might need to trust the certificate even if the "None" SecurityPolicy is being used is when the client is connecting with a username and password. (edit: actually not sure if that's true, might only apply to the other direction)
I think the punchline is that if you can't get connected with security by pointing OSI PI at the discovery endpoint URL then you need to get OSI PI involved, and potentially get them to fix their client.
Ignition has an admittedly unusual endpoint setup re: security. This will be changing in 8.3 due to the trouble it seems to cause for some 3rd party clients.