OPC-UA - Establish a Server Connection with Certificates - UaExpert

These are the overall steps when using certificates for an OPC UA Server connection:

1. PCMM2G Configuration (with Certificates)

2. UaExpert Configuration (with Certificates)

3. UaExpert Connection to the PCMM2G (with Certificates)

• 
  

• Videos of these features are here: PCMM2G OPC UA Server Setup in KAS-IDE.

1. PCMM2G Configuration (with Certificates)

The procedure in this section configures the PCMM2G for connection to UaExpert.

1. Verify the OPC-UA - UaExpert Installation procedure is completed.
2. Open a web browser and enter the PCMM2G IP address.
3. Login as administrator.
   See User Authentication.
4. Click the KAS Application tab.
5. Click the Stop button if the Status of KAS app is started.
6. Click the Settings tab.
7. Click the Certificates tab. (Figure 1)



Figure 1: Certificates tab

8. If the Status in the SSL Server Certificate Details section is shown as Not Installed, create a new SSL Server Certificate.
   See Install the SSL Certificate.
9. Start the KAS-IDE.
10. Create a new project or open an existing KAS project.
11. Double-click an OPC UA Server node in the Fieldbus Editor project tree.
    The OPC UA - Server dialog box opens. (Figure 2)



Figure 2: Server dialog box

12. In the Security settings section, click the Use certificates check box to use digital certificates for data encryption between the server and client.
    When selected, the text boxes of this section are activated.
• 
  

• Kollmorgen recommends accepting the defaults in the Security settings section to use self-signed certificates.

13. In the Authentication settings section:
    1. Clear the Anonymous check box.
    2. Optional: Click the User name/Password check box to activate the User name and Password text boxes.
    3. If applicable, enter a User name and Password for the configuration.
    4. Click the Certificate check box so the server allows the client to authenticate with a certificate.
    5. Click OK to save the changes or selections and close the dialog box.
       The Fieldbus Editor returns showing the added OPC UA Server node.
14. On the vertical toolbar, click the Insert Master/Port button ().
    The OPC UA - Endpoint dialog box opens. (Figure 3)



Figure 3: Endpoint dialog box

15. In the Security Policies section:
    1. Clear the None check box.
    2. Click the Basic256 or Basic256Sha256 check box to use the 256-bit Basic as the message encryption algorithm.
    3. Click OK to save the changes or selections and close the dialog box.
       The Fieldbus Editor returns.
16. Add applicable groups and variables using the OPC UA - Add Multiple Groups and Variables to the Driver Configuration procedure.
17. Compile and download the project to the KAS controller (e.g., PCMM2G).
18. Continue with 2. UaExpert Configuration (with Certificates).

2. UaExpert Configuration (with Certificates)

The procedure in this section configures UaExpert for connection to PCMM2G.

1. Verify the procedure in the 1. PCMM2G Configuration (with Certificates) section is completed.
2. Start UaExpert.
   The UaExpert main window opens.
3. In the Project tree, right-click Servers and click Add. (Figure 4)



Figure 4: Add option

The Add Server dialog box opens. (Figure 5)



Figure 5: UaExpert Add Server dialog box

4. Under Custom Discovery, double-click the text.
   The Enter URL dialog box opens.
5. Enter the URL as opc.tcp://(PCMM2G_IP_Address) to add the OPC UA Server. (Figure 6)



Figure 6: Enter URL dialog box

6. Click OK to save the changes or selections and close the dialog box.
   The Add Server dialog box returns.
• 
  

• A Replace Hostname message may appear. (Figure 7)

  

  Figure 7: Replace Hostname message

  This prompt appears because the PCMM2G supports OPC UA device discovery using its IP address, not by its hostname.

  Click Yes to continue.

7. Under Custom Discovery, expand the newly added node.
8. Under the opc.tcp://(PCMM2G_IP_Address), select Basic256Sha256 – Sign & Encrypt. (Figure 8)



Figure 8: Add Server dialog box - Basic256Sha256 – Sign & Encrypt

9. In the Authentication settings section:
   1. Click the Certificate / Private Key option button.
   2. In the Certificate check box, enter the path to the UaExpert certificate.
      Example: C:/Users/<<user_name>>/AppData/Roaming/unifiedautomation/uaexpert/PKI/own/certs/uaexpert.der
   3. In the Private Key text box, enter the path to the UaExpert private key. (Figure 9)
      Example: C:\Users\<<user_name>>\AppData\Roaming\unifiedautomation\uaexpert\PKI\own\private\uaexpert_key.pem

   

   Figure 9: Server Settings dialog box

   • A Username and Password can be used if this Authentication Setting option is enabled in the KAS project. (Figure 10)
   • The password is always encrypted if Use Certificates is enabled in the KAS project.

   

   Figure 10: Server Settings dialog box - Username and Password

   4. Click OK to save the changes or selections and close the dialog box.
      The server is now available in the UaExpert project tree.
10. On the UaExpert toolbar, click the Settings button and select Manage Certificates > Properties.
    The UaExpert Manage Certificates dialog box opens. (Figure 11)



Figure 11: Manage Certificates dialog box

11. Click the Copy Application Certificate To... button to open the Save As dialog box. (Figure 12)



Figure 12: Save As dialog box

12. Save the file uaexpert.der to a temporary directory on the PC (e.g., C:\Temp).
13. Click Save to save the file in the designated location and close the dialog box.
14. Using the web browser opened in the 1. PCMM2G Configuration (with Certificates) section:
    1. Click the Settings tab.
    2. Click the Certificates tab. (Figure 13)

    

    Figure 13: Certificates tab

    3. In the Upload SSL Client Certificate section, click the Choose File button.
       A File Explorer window opens.
    4. Locate and select the certificate file uaexpert.der that was saved in Step 12 in section 2. UaExpert Configuration (with Certificates).
    5. Click Open to confirm the selection and close the File Explorer window.
    6. Click the Upload Certificate button to upload the file to the PCMM2G.
    • The Certificated is added to the PCMM2G trusted store.
      • This allows OPC UA connections from UaExpert.
    • The file uaexpert.der appears under SSL Client Certificates explorer tree.
15. Continue with 3. UaExpert Connection to the PCMM2G (with Certificates).

3. UaExpert Connection to the PCMM2G (with Certificates)

The procedure in this section connects UaExpert to the PCMM2G.

1. Verify the procedure in the 2. UaExpert Configuration (with Certificates) section is completed.
2. On the toolbar, click the Connect button () to connect to the server.
   A Connect Error message opens. (Figure 14)



Figure 14: Connect Error message

3. Click Ignore to continue connecting.

Data is now available from the KAS/PCMM2G OPC UA Server. (Figure 15)



Figure 15: UaExpert - KAS OPC UA Data Objects

4. In the Address Space scroll box, select the applicable PLC object.
5. Drag-and-drop the selected objects to the Data Access View table. (Figure 16)



Figure 16: Data Access View table

6. Verify the values of PLC objects in the Data Access View table matches with the KAS project running on the PCMM2G.
7. In the Data Access View table, select a variable.
   The Attributes panel appears.
8. Scroll through the variables to locate a variable with an AccessLevel set to CurrentWrite. (Figure 17)



Figure 17: Attributes panel

9. Double-click the applicable Value column cell and change its value.
10. Switch to the KAS-IDE window.
11. Navigate to the OPC UA Server Fieldbus Editor. (Figure 18)



Figure 18: KAS Fieldbus Editor

12. Change a variable value in the KAS-IDE.
13. Verify the change in UaExpert.
    A re-browse of the variable value in UaExpert may be necessary to refresh the visible values.
14. Select the PLC object and right-click to use Rebrowse. (Figure 19)



Figure 19: Rebrowse option

• 
  
• • A maximum of 100 OPC UA client connections are accepted simultaneously.
  • Established connections are disconnected if no data is exchanged within 30 seconds.

• 
  
  
• • Uploaded certificates are automatically trusted by the OPC UA Server running on PCMM2G.
  • The certificates enable secure communication when using Sign or SignAndEncrypt security modes.
  • If the certificate is not uploaded, the PCMM2G OPC UA Server rejects the connection attempt from UaExpert.

See Also

• OPC-UA - Establish a Server Connection without Certificates - UaExpert
• OPC UA - Establish Server Connection without Certificates - Exor HMI
• OPC UA - Troubleshooting