Kepware OPC UA Client Timeout

Hi, we are trying to connect Ignition V8 (8.0.12) to KEPServerEX 6 (V6.8). In this environment Ignition is the OPC UA Server and Kepware will be the OPC UA Client.

In Kepware we have created an OPC UA Client device which has the following configuration:

  • Endpoint URL: opc.tcp://localhost:62541
  • Security Policy: Basic256Sha256
  • Message Mode: Sign and Encrypt
  • Username = opcuauser with password = password (default)

In Ignition gateway we have the following settings:

  • Bind Port: 62541
  • Bind Address: localhost
  • Endpoint Address: ,
  • Security Policies: Basic256Sha256
  • Anonymous Access: false
  • User Source: opcua-module

We accepted the certificates on both sides so that could not be the issue. The issue which we are facing at the moment is as follows:

Kepware Error:

Ignition Error:

org.eclipse.milo.opcua.stack.core.UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl=opc.tcp://localhost:62541, securityPolicy=None, securityMode=None
    at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$openSecureChannel$3(UascServerAsymmetricHandler.java:407)
    at java.base/java.util.Optional.orElseThrow(Unknown Source)
    at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.openSecureChannel(UascServerAsymmetricHandler.java:397)
    at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$sendOpenSecureChannelResponse$1(UascServerAsymmetricHandler.java:301)
    at org.eclipse.milo.opcua.stack.core.channel.SerializationQueue.lambda$encode$0(SerializationQueue.java:57)
    at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

The strange thing is that if we add “None” in the Server settings in the gateway, it works, but we want to have the Security Policy “Basic256Sha256”.

Try configuring Kepware to use opc.tcp://localhost:62541/discovery as the endpoint URL.

In the past Kepware’s client has been broken and not capable of connecting unless there is also a no security endpoint configured. I’ve talked to them about this at the OPC interop events but not sure if they’ve fixed it yet.

Same issue with the discovery added to the URL. I now get a warning and an error, whereas I only got an error with the URL without discovery added.

Warning and error:

org.eclipse.milo.opcua.stack.core.UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl=opc.tcp://localhost:62541/discovery, securityPolicy=Basic256Sha256, securityMode=SignAndEncrypt
    at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$openSecureChannel$3(UascServerAsymmetricHandler.java:407)
    at java.base/java.util.Optional.orElseThrow(Unknown Source)
    at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.openSecureChannel(UascServerAsymmetricHandler.java:397)
    at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$sendOpenSecureChannelResponse$1(UascServerAsymmetricHandler.java:301)
    at org.eclipse.milo.opcua.stack.core.channel.SerializationQueue.lambda$encode$0(SerializationQueue.java:57)
    at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)

These look like the same issues I’ve seen and reported.

You can call them and let them know this is an issue for you but the only workaround you have for now is to add that “None” SecurityPolicy back to Ignition.

Ok, thanks for your help so far. I will contact Kepware.

Some technical details to give them.

The Ignition OPC UA Server exposes two endpoints:

  1. an endpoint running at “opc.tcp://localhost:62541/discovery”, which accepts unsecured connections and implements only the discovery services.

  2. an endpoint running at “opc.tcp://localhost:62541”, which accepts connections with the configured security policies (only Basic256Sha256 by default).

The EndpointDescriptions returned by the GetEndpoints service at “opc.tcp://localhost:62541/discovery” contain endpoint URLs pointing to “opc.tcp://localhost:62541”.

If I recall, the problem is they follow and store the endpoint URL found when configured to use [1] but they do a traditional 2-step connect process where they connect and call GetEndpoints, find an endpoint that matches the desired configurations, then connect to that endpoint, but they try to do the discovery step against the 2nd endpoint URL that only accepts secured connections instead of the original discovery URL.
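A simplified model of the two endpoints and the two-step connect described in the post above, added here as an illustration; it is not Ignition, Milo or Kepware code. The class and function names are hypothetical, and the error text is shortened from the stack traces earlier in this thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    url: str
    policy: str          # e.g. "None", "Basic256Sha256"
    mode: str            # e.g. "None", "SignAndEncrypt"
    discovery_only: bool = False

BASE = "opc.tcp://localhost:62541"
# The two endpoints described in the post; "None" is not enabled on BASE.
SERVER = [
    Endpoint(BASE + "/discovery", "None", "None", discovery_only=True),
    Endpoint(BASE, "Basic256Sha256", "SignAndEncrypt"),
]

class NoMatchingEndpoint(Exception):
    pass

def open_secure_channel(server, url, policy, mode):
    """Server side: a channel opens only if url, policy and mode all match."""
    for ep in server:
        if (ep.url, ep.policy, ep.mode) == (url, policy, mode):
            return ep
    raise NoMatchingEndpoint(
        f"no matching endpoint found: endpointUrl={url}, "
        f"securityPolicy={policy}, securityMode={mode}")

def get_endpoints(server, url):
    """Discovery step: unsecured channel to url, then list session endpoints."""
    open_secure_channel(server, url, "None", "None")
    return [ep for ep in server if not ep.discovery_only]

def connect(server, discovery_url, policy, mode):
    """Two-step connect: discover, select by policy/mode, open secured channel."""
    for ep in get_endpoints(server, discovery_url):
        if (ep.policy, ep.mode) == (policy, mode):
            return open_secure_channel(server, ep.url, policy, mode)
    raise NoMatchingEndpoint(f"server offers no {policy}/{mode} endpoint")

def try_connect(server, discovery_url, policy="Basic256Sha256", mode="SignAndEncrypt"):
    try:
        return "connected to " + connect(server, discovery_url, policy, mode).url
    except NoMatchingEndpoint as e:
        return str(e)

if __name__ == "__main__":
    print(try_connect(SERVER, BASE + "/discovery"))  # discovery against original URL
    print(try_connect(SERVER, BASE))                 # discovery against secured-only URL
    with_none = SERVER + [Endpoint(BASE, "None", "None")]  # the workaround
    print(try_connect(with_none, BASE))
```

The second call fails at the discovery step with securityPolicy=None, as in the first stack trace; the third shows why adding a “None” endpoint lets discovery succeed while the session channel itself still uses Basic256Sha256.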

Great, I will keep you informed when I have a reply from Kepware.

I found this thread because I am having the same issue. Did you hear anything from Kepware?

See below the answer which I got from PTC (Kepware) on my support ticket:

I’ve taken up this issue with our PM department and they’ve informed me that is already on the backlog for future improvement but a certain timeframe for this is not available at the moment.
I’d love however to understand more of how this feature is needed by you in your setup and other details like the number of Kepserver instances with this feature you would need or what would be a suitable timeframe to deliver this feature? This would be very useful to us as we’d like to gather info as much as possible on market needs and if possible it can speed up the enhancement release process.

And this is an update on that which I received in July:

Thank you for your patience. As PTC, led by Kepware experts, is taking a holistic approach to OPC UA capabilities; it is necessary that we implement features with future architectures and use cases in mind. Traditional OPC server capabilities, though robust for data acquisition and transfer to client applications, do not inherently provide the contextualization necessary for advanced data transformation; modeling; analytics and machine learning which are essential to digital transformation. To enable these things with the quality and security that industrial solutions require takes careful consideration and appropriate planning. As we continue to maintain and improve on our award winning connectivity solution, {KEPServerEX, ThingWorx Kepware Server} we are taking a moment to validate our OPC UA architecture to ensure it is ready for things to come. PTC - Kepware is committed to providing robust OOTB industrial communications capabilities that support the needs of the future. This process will likely span to 2021, based on findings over the next several months.

AFAIK you still must configure Ignition to allow unsecured connections (SecurityPolicy None) for Kepware’s UA client driver to connect.