Kepware OPC-UA

Any quick hints on how to set up a UA connection to the Kepserver that supports UA clients? Very easy for the OPC-DA connection, but no clue on what to use for the settings for UA.

I got it to attempt to connect, but I have some setting wrong. The settings I have are:

Host: localhost
Port: 49320
Target: KEPserverEX/UA Server
Security Policy: Basic128Rsa15
Message Security Mode: SignAndEncrypt
Enabled: True

User name blank

Below are the errors I am getting on the KEPserverEX side (kind of looks like even though the security is set it is not using it). I also tried with no security (and enabled None on the KEPserver side):

2/21/2010 10:57:09 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 1 opened!
2/21/2010 10:57:09 AM SYSTEM UA Server Security Mode 1 Security Policy opcfoundation.org/UA/SecurityPolicy#None
2/21/2010 10:57:09 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 1 closed! [status=0x0]
2/21/2010 10:57:13 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 2 opened!
2/21/2010 10:57:13 AM SYSTEM UA Server Security Mode 1 Security Policy opcfoundation.org/UA/SecurityPolicy#None
2/21/2010 10:57:13 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 2 closed! [status=0x0]
2/21/2010 10:57:18 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 3 opened!
2/21/2010 10:57:18 AM SYSTEM UA Server Security Mode 1 Security Policy opcfoundation.org/UA/SecurityPolicy#None
2/21/2010 10:57:18 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 3 closed! [status=0x0]
2/21/2010 10:57:23 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 4 opened!
2/21/2010 10:57:23 AM SYSTEM UA Server Security Mode 1 Security Policy opcfoundation.org/UA/SecurityPolicy#None
2/21/2010 10:57:23 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 4 closed! [status=0x0]
2/21/2010 10:57:28 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 5 opened!
2/21/2010 10:57:28 AM SYSTEM UA Server Security Mode 1 Security Policy opcfoundation.org/UA/SecurityPolicy#None
2/21/2010 10:57:28 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 5 closed! [status=0x0]
2/21/2010 10:57:33 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 6 opened!
2/21/2010 10:57:33 AM SYSTEM UA Server Security Mode 1 Security Policy opcfoundation.org/UA/SecurityPolicy#None
2/21/2010 10:57:33 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 6 closed! [status=0x0]
2/21/2010 10:57:38 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 7 opened!
2/21/2010 10:57:38 AM SYSTEM UA Server Security Mode 1 Security Policy opcfoundation.org/UA/SecurityPolicy#None
2/21/2010 10:57:38 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 7 closed! [status=0x0]
2/21/2010 10:57:43 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 8 opened!
2/21/2010 10:57:43 AM SYSTEM UA Server Security Mode 1 Security Policy opcfoundation.org/UA/SecurityPolicy#None
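
The log excerpt above can be checked mechanically for channels that negotiated something weaker than the client was configured for. This is an added example, not part of the original posts and not Kepware or Ignition code. The sample lines are constructed in the quoted format, and reading "Security Mode" as the OPC UA MessageSecurityMode enum (1 = None, 2 = Sign, 3 = SignAndEncrypt) is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the format of the KEPServerEX lines quoted above.
SAMPLE_LOG = """\
2/21/2010 10:57:09 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 1 opened!
2/21/2010 10:57:09 AM SYSTEM UA Server Security Mode 1 Security Policy opcfoundation.org/UA/SecurityPolicy#None
2/21/2010 10:57:09 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 1 closed! [status=0x0]
2/21/2010 10:57:13 AM SYSTEM UA Server UaServer_EndpointCallback: SecureChannel 2 opened!
2/21/2010 10:57:13 AM SYSTEM UA Server Security Mode 3 Security Policy opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
"""

# OPC UA MessageSecurityMode values; that the log prints this enum is an assumption.
MODES = {1: "None", 2: "Sign", 3: "SignAndEncrypt"}
LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) SYSTEM UA Server (.*)$")
OPENED = re.compile(r"SecureChannel (\d+) opened!")
CLOSED = re.compile(r"SecureChannel (\d+) closed! \[status=(0x[0-9A-Fa-f]+)\]")
POLICY = re.compile(r"Security Mode (\d+) Security Policy \S*SecurityPolicy#(\w+)")

def parse_channels(text):
    """Group opened / policy / closed lines into one record per SecureChannel."""
    channels, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        msg = m.group(2)
        if (o := OPENED.search(msg)):
            current = int(o.group(1))
            channels[current] = {"opened": ts, "mode": None, "policy": None, "closed": None, "status": None}
        elif (p := POLICY.search(msg)) and current is not None:
            # The policy line carries no channel id; attribute it to the last opened channel.
            channels[current]["mode"] = MODES.get(int(p.group(1)), "Unknown")
            channels[current]["policy"] = p.group(2)
        elif (c := CLOSED.search(msg)) and int(c.group(1)) in channels:
            ch = channels[int(c.group(1))]
            ch["closed"], ch["status"] = ts, c.group(2)
    return channels

def downgraded(channels, want_policy="Basic128Rsa15", want_mode="SignAndEncrypt"):
    """Channel ids whose negotiated security differs from the required setting."""
    return sorted(cid for cid, ch in channels.items()
                  if ch["policy"] is not None and (ch["policy"], ch["mode"]) != (want_policy, want_mode))

def short_lived(channels, max_seconds=1):
    """Channel ids that were closed within max_seconds of being opened."""
    return sorted(cid for cid, ch in channels.items() if ch["closed"] is not None
                  and (ch["closed"] - ch["opened"]).total_seconds() <= max_seconds)
```

A channel that appears in both lists matches the pattern in the posted log: opened with SecurityPolicy#None and closed in the same second, with no secured channel following it.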

Can you go ahead and change the Security Policy to “None” and the Message Security Mode to “None” and see if that works for you?

I had already tried that unsuccessfully. I had also enabled the no security on the kepware side before trying that and it still did not work.

Thanks,

Darren

Any suggestions to get this to work?

Darren

First make sure you have Ignition 7.0.4. This includes a certificate file in “C:\Program Files\Inductive Automation\Ignition\contexts\main\opc” named “xopc-client.cer”.

You need to take this and import it to the “Trusted Clients” tab of the Kepware OPC UA Configuration.

On the “Server Endpoints” tab make sure you have Basic128Rsa15 checked and “Sign and Encrypt” selected in the box next to it.

Then on your Ignition client connection you should just need to put in the host, port, and choose matching security settings. (Basic128Rsa15 and SignAndEncrypt).

On new installs (as opposed to upgrades) of 7.0.4, and, when we release 7.0.5, on both upgrades and installs, there will be a link in the Settings section of the OPC-UA Server configuration to download the certificate from the gateway.

I’ve followed the steps above but I am still getting a Bad_CertificateInvalid error on the OPC server status page. I’ve imported Ignition’s certificate into KepServer successfully (downloaded from the OPC-UA config page, there was not a cert in the directory mentioned). I have both sides configured for Basic128Rsa15 Sign and Encrypt. Ignition is v7.0.8. Any next steps?

Edit: If I set everything to None I get a successful connection, but this setup isn’t desired.

I need to get Kepware on the phone and see if I can work this out with them. As it stands right now it looks like a bug on their side.

I am able to successfully connect to other UA servers, such as the Foundation’s sample server, with security enabled just fine.

Thanks for the update. At least you are able to reproduce the problem which means I’m not going crazy!

Try installing the attached certificate on running Kepware and add the cert to the Kepware OPC-UA configuration.

You’ll have to unzip it first…

The certificate provided in the OPC-UA settings area of Ignition should work again by the next release (or dev release).

ignition-client.der.zip (776 Bytes)

[quote=“Kevin.Herron”]Try installing the attached certificate on running Kepware and add the cert to the Kepware OPC-UA configuration.

You’ll have to unzip it first…

The certificate provided in the OPC-UA settings area of Ignition should work again by the next release (or dev release).

[attachment=0]ignition-client.der.zip[/attachment][/quote]

Test 1:

Server : Ubuntu 64 / Ignition 7.6.4 64 bit
KEPServerEX : Running on Windows 7
Client : Ubuntu 64. local machine where Ignition server is running

Result: Followed OPC UA connection guide inductiveautomation.com/supp … n_guid.htm
Imported the ignition-client.der certificate and unable to connect. Status FAULTED.

Console error message: OpcUaConnection:KEPServerEX Error connecting to server: StatusCode[Severity=Bad, Subcode=Bad_ConnectionRejected]

Test 2:

Server : Ubuntu 64 / Ignition 7.6.4 64 bit
KEPServerEX : Running on Windows 7
Client : W7 - local machine where KEPServerEX is running

Result: Followed OPC UA connection guide inductiveautomation.com/supp … n_guid.htm
Imported the ignition-client.der certificate and unable to connect. Status FAULTED.

Console error message: OpcUaConnection:KEPServerEX Error connecting to server: StatusCode[Severity=Bad, Subcode=Bad_ConnectionRejected]

Any help is appreciated. Thanks.

I’m a little confused about the process you followed. You linked to an article from the user manual which says nothing about importing a certificate when you connect to Kepware yet you mention that you did in fact import a certificate. Did the certificate not automatically show up under the trusted clients tab? Have you checked to make sure that your firewall is not blocking the port on which Kepware is trying to communicate?

Keep in mind that you replied to a forum topic that is now about 4 years old so some of the advice listed in here may not be applicable any more.

dave.fogle,

  1. /// Did the certificate not automatically show up under the trusted clients tab? ///

No. It didn’t show up. So I did some research in this forum and found this topic.

  2. Have you checked to make sure that your firewall is not blocking the port on which Kepware is trying to communicate?

Yes. I disabled the firewall and checked. Nothing happened.

Do you think I must leave Linux and switch over to the Windows platform?

I don’t think you should have to switch over to a Windows platform. It might be possible that Kepware is returning the hostname in the endpoints and the Ignition machine is unable to resolve it. Are your two servers (Kepware and Ignition) on two different networks?

What you could try is setting the host override setting in the OPC server connection to the IP address that you are specifying to reach the Kepware machine. This will cause Ignition to ignore the hostname returned by Kepware and just force it to use the address you’ve specified. That will only work if you indeed have a valid network path to the Kepware machine.

Dave
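
The hostname problem described in this reply can be checked from the client machine before changing any settings. The sketch below is an added example, not Ignition's implementation and not code from the thread. The function names, the sample endpoint URL and the address 192.168.1.50 are hypothetical, and the configured host is assumed to be a hostname or IPv4 address.

```python
import socket
from urllib.parse import urlsplit

def resolves(host, resolver=socket.getaddrinfo):
    """True if the client machine can resolve the host name the server advertised."""
    try:
        resolver(host, None)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False

def plan_connection(endpoint_urls, configured_host, resolver=socket.getaddrinfo):
    """For each endpoint URL returned by the server, decide which URL the client should dial.

    Returns (returned_url, url_to_dial, reason) tuples. When the advertised host
    does not resolve, the host is replaced with the address the operator configured,
    which is the effect the host override setting is described as having.
    """
    plan = []
    for url in endpoint_urls:
        parts = urlsplit(url)
        if parts.hostname and resolves(parts.hostname, resolver):
            plan.append((url, url, "as returned"))
            continue
        # Keep scheme, port and path; swap only the host part.
        netloc = f"{configured_host}:{parts.port}" if parts.port else configured_host
        plan.append((url, parts._replace(netloc=netloc).geturl(), "host override"))
    return plan

if __name__ == "__main__":
    # Constructed endpoint list: the server advertises its Windows machine name.
    for row in plan_connection(["opc.tcp://WIN7-KEP:49320"], "192.168.1.50"):
        print(row)
```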

// It might be possible that Kepware is returning the hostname in the endpoints and the Ignition machine is unable to resolve it //

Please check my latest post under the “Ignition 7.7/Ignition 7.7 on Linux” topic.
inductiveautomation.com/forum/v … 92&t=12645

The problem is resolved successfully in Ignition 7.7 and that may help for Ignition 7.6 also. Thanks.