OSI PI OPC-UA Connector

I'm working with a client currently to try to get their OSI PI connector to talk to Ignition, but we're not having any luck. We've followed the suggestions on the other threads on here (see below), but our options don't always match up (I suspect a version difference). We've tried both with and without encryption (with the Ignition security policy set to: Basic256Sha256,None) and we have the binding address already set to 0.0.0.0. We're using a dedicated user instead of the built-in/preconfigured user, but we do not have anonymous access enabled on the server as we'd like to keep this enabled if possible. We have not tried anonymous access, and maybe that could be our issue.

No matter what though, the certificate never shows up as a quarantined certificate when we try to connect to the server, but the PI connector is able to see the server because when we put in the opc.tcp://<IPAddress>:62541 and tell it to discover, it correctly detects the available endpoints. One thing I was surprised about is that it showed the host name as one, but never showed the IP address as an available endpoint (I thought it would at least show the IP in addition to the host name)

For the root node, we've tried both ns=1;s=0 and ns=1;s=[PLC] as an attempt to even limit it to one device, but I suspect that is irrelevant if we can't get the certificate to even show up in the quarantined certificates section so we can trust it. We also tried uploading the client certificate to Ignition manually and it didn't help either.

I've also tried looking at the logs and I'm not even seeing anything in there but not sure which logger to put into debug or trace to try to troubleshoot further.

Anyone have any suggestions? Here's the other forum posts we've followed:

Might help to get a Wireshark capture to get an idea of how far into connecting it's even getting.

I was thinking that also, but was on a running plant server, so didn't want to interrupt their operations. I may try to schedule a time I can load it (at least we're on a redundant set of servers so I can fail them over to the backup while I install it).

In working with their guy, I also suggested loading up UAExpert on the same server that the Pi Connector is on so we could attempt connections from it with a little more diagnostics to maybe narrow down the problem. If it can connect and Pi can't, it at least rules out network/firewall issues (although I would think if it were a firewall problem it wouldn't even discover the endpoints).

The command line tshark is really helpful when dealing with production servers. I often use the -a duration:60 option to get an auto-exiting 60-second capture.

Well, after troubleshooting, we think there were a few issues at play, but got it all working finally.

  • We forgot to move the certificate from the "rejected" to the "trusted" folder in the Pi Connector folders.
  • We think in the copy/paste or typing of the credentials the password was entered incorrectly

After we got that connection working, we used ns=1;s=Devices as the root node ID to pull in all the devices (discovered this with UA Expert).

It seems to be working (it's still churning at 1M+ tags discovered so far), but we're going to let it go and come back to it later.

Not sure if it's just doing a recursive discovery, or if you've actually told it to historize everything under devices... but the latter is not advisable.

Ignition's OPC UA server is not used like Kepware. I think most people would be pointing Pi towards their Ignition tags, not their devices. Different root.

So the connector browses all the tags available (I also suggested only doing tag providers), then they have to specify/filter the tags they want, and it will only subscribe to those specific tags to make them historize and available for users.