Wonderware as OPC UA Client

I’m trying to use Wonderware’s OI Gateway as the OPC UA client to an Ignition server. They are running on separate VMs. I’ve configured OI Gateway to use endpoint “opc.tcp://”. The initial connection attempt fails as expected as the OI Gateway security certificate appears in the Quarantined Certificates section of the Server tab in the Config>OPCUA>Security page on the Ignition gateway. I trusted the certificate and it moved to the Trusted Certificates section of the page. When I try to connect again from the OI Gateway, it still fails and the Wonderware side generates the same error message as before. That Wonderware error message is not very specific, basically saying to make sure the endpoint is correct and a firewall isn’t blocking the connection.

On the Ignition server, the second connection attempt causes the UascServerAsymmetricHandler logger to log a message “Error installing security token: StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}”. I looked up that error in this forum and saw that most of the time the problem was that the client wouldn’t work unless the security policy was set to “None”. I changed the Ignition OPC UA security policy to “None,Basic256Sha256” and restarted the OPC UA module. Now when I try to connect the OI Gateway, it fails with the same error message, but no error message is logged on the Ignition server.

I’ve installed a 3rd party (Prosys) OPC UA client on the Wonderware server and I’m able to connect it to Ignition. I’ve also installed a 3rd party (Prosys) OPC UA server on the Ignition gateway and I can get the Wonderware OI Gateway to connect to it (even with a security policy of “Basic256Sha256” and security mode of “Sign&Encrypt”).

Any advice on further troubleshooting steps would be appreciated.

Try removing “/discovery” from the Ignition endpoint URL now that you’ve added the “None” SecurityPolicy.

Also - what is the error message on the Wonderware side? What SecurityPolicy are you configuring it with?

Thank you, Kevin. On the Wonderware side, I had configured the Security Policy as “None”. Removing “/discovery” from the endpoint URL worked.

Removing “/discovery” from the endpoint URL also worked with the Wonderware Security Policy set to “Basic256Sha256.” Well, it worked from one of my Wonderware servers, but on a 2nd Wonderware server, I can only get it to connect with the Security Policy set to “None”. On that 2nd server, I’m wondering if the problem is related to renaming the computer because on the Ignition server, the Common Name for the Wonderware server’s security certificate contains the old server name.

I really appreciate the help.
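One way to check the renamed-computer hypothesis raised in the last post is to list which name fields of the client's application certificate no longer mention the machine's current host name. This is an added example, not part of the original thread and not Wonderware or Ignition code; the host names, the CN layout and the `urn:` application URI in the sample are constructed assumptions, and the substring match is a heuristic.

```python
OID_CN = bytes.fromhex("550403")   # 2.5.4.3 commonName
OID_SAN = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_names(der):
    """Collect commonName values (issuer and subject) and SAN dNSName/URI entries."""
    names = {"cn": [], "dns": [], "uri": []}
    def walk(pos, end, in_san):
        prev_oid = None
        while pos < end:
            tag, vs, ve = read_tlv(der, pos)
            val = der[vs:ve]
            if tag == 0x06:                        # OBJECT IDENTIFIER
                prev_oid = val
            elif in_san and tag in (0x82, 0x86):   # GeneralName dNSName / URI
                names["dns" if tag == 0x82 else "uri"].append(val.decode("ascii"))
            elif prev_oid == OID_CN and tag in (0x0C, 0x13):  # UTF8/PrintableString
                names["cn"].append(val.decode("utf-8"))
            elif tag == 0x04 and prev_oid == OID_SAN:  # extnValue wraps GeneralNames
                walk(vs, ve, True)
            elif tag & 0x20:                       # constructed type: descend
                walk(vs, ve, in_san)
            pos = ve
    walk(0, len(der), False)
    return names

def names_missing_host(der, current_host):
    """Heuristic: return the name fields that do not contain current_host."""
    host = current_host.lower()
    return {k: [v for v in vals if host not in v.lower()] for k, vals in cert_names(der).items()}

def tlv(tag, value):
    """Encode one short DER element; used only to build the constructed sample."""
    return bytes([tag, len(value)]) + value

# Constructed sample (hypothetical names): a DER fragment, not a full certificate.
SAMPLE = tlv(0x30,
    tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, b"OIGateway@OLDHOST")))) +
    tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, tlv(0x30,
        tlv(0x82, b"NEWHOST") + tlv(0x86, b"urn:OLDHOST:OIGateway")))))
```

For a real check, pass the bytes of the client's DER-encoded certificate file in place of `SAMPLE`; any non-empty list in the result is a field that still carries a different name.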