Makers Blog

How to configure the OPC UA Client on a PLCnext Control device

Martin PLCnext Team 20 January 2023 min. read
2,428 views 2 comments

Firmware version 2023.0 includes a long-awaited OPC UA Client component. The PLCnext Info center includes a good technical reference for this feature.

This tutorial is a step-by-step guide showing how to configure the OPC UA client in a PLCnext Control device so that it exchanges data with an OPC UA server.

You will need:

  • A PLCnext Control device running firmware version 2023.0 or later to act as the OPC UA Client. If you need to upgrade the firmware on your PLCnext Control device, you can follow the procedure shown in the Info Center.
  • PLCnext Engineer version 2023.3 or later.
  • An OPC UA server. This article uses a second PLCnext Control device as the OPC UA server, but you can use the same PLCnext Control device as you're using to host the Client, or alternatively any third-party OPC UA server running (for example) on a Windows PC. For third-party servers, you will need to figure out how to adapt the "server" steps below for your server.
  • UaExpert from Unified Automation, which is needed to get information about OPC UA Server tags that we will use in the configuration of our own OPC UA Client.

One of the key points to remember when configuring OPC UA communications is that, for security reasons, the OPC UA Client and the OPC UA Server must trust each other. Therefore, security certificates must be exchanged between the Client and Server devices. This procedure involves jumping between the Client device and the Server device, which can get a bit confusing. If you have suggestions for how to make the procedure simpler (without disabling the security checks!), please feel free to add them in the comments.

Procedure

OPC UA Server device

  1. Open the Web Based Management (WBM) site by browsing to the IP address of the PLC.

  2. Select the System Services item from the Configuration menu.

  3. Activate the OPC UA Server service, if it is not enabled already.

  4. Press the Apply and reboot button if necessary.

  5. Open PLCnext Engineer.

  6. Create a new PLCnext Engineer project using the template for your PLCnext Control device.

  7. Set the IP address of the PLC in the PLCnext Engineer project.

  8. On the OPC UA Server configuration page:

    Snag_19bd88e

    • set the DNS name / IP address to the DNS Name or the IP address of the PLC, depending on whether the OPC UA client will access the server using a DNS name or the IP address of the server. This information will be included in the OPC UA Server security certificate. Many OPC UA Clients will reject the server certificate if this information in the certificate does not match the server URL.

    • set Visibility of variables to Marked. This means that all the variables marked with the OPC attribute will be accessible through the OPC UA Server.

  9. Create variables that will be exposed by the OPC UA Server. Make sure the OPC check box is ticked for those variables. In the example below, two variables have been created in the Main program.

    Snag_1008520

  10. Add logic to change the Output variable when a new Input value is received. In this example, the Main program executed the following code:

    Server_Data_Out := Server_Data_In + 1;

  11. Write and start the project.

  12. Use UaExpert to connect to the OPC UA Server using the PLC username and password. You should see a warning that the certificate is "Untrusted", but there should be no other warnings.

  13. Trust the server certificate, either permantently or just for this session.

  14. For each server variable, write down the name of the Node ID and the Namespace for that variable.

    Snag_1082ce8

  15. Open the WBM site for the Server PLC again.

  16. Select the Certificate Authentication item from the Security menu.

  17. Select the Identity Stores tab.

  18. Download the Certificate from the OPC UA-self-signed [server] Identity Store. The Key Pair does not need to be downloaded.

OPC UA Client device

  1. Open the Web Based Management (WBM) site by browsing to the IP address of the PLC.

  2. Select the System Services item from the Configuration menu.

  3. Activate the OPC UA Client service, if it is not enabled already.

  4. Press the Apply and reboot button if necessary.

  5. When the reboot is complete, log back in to the WBM site and select the Certificate Authentication item from the Security menu.

  6. Select the Trust Stores tab.

  7. Add the OPC UA-self-signed [server] certificate (downloaded earlier) to the Trust Store named OPC UA Client. Now, the OPC UA Client will trust the security certificate used by the OPC UA Server to verify its identity. This step will need to be repeated every time the Server certificate changes.

  8. Select the Identity Stores tab .

  9. Download the Certificate from the OPC UA Client self-signed Identity Store. The Key Pair does not need to be downloaded.

OPC UA Server device

  1. Open the Web Based Management (WBM) site by browsing to the IP address of the PLC.

  2. Select the Certificate Authentication item from the Security menu.

  3. Select the Trust Stores tab.

  4. Add the OPC UA Client self-signed certificate (downloaded earlier) to the Trust Store named OPC UA-configurable. Now, the OPC UA Server will trust the security certificate used by the OPC UA Client to verify its identity. This step will need to be repeated every time the Client certificate changes.

OPC UA Client device

  1. Open PLCnext Engineer.

  2. Create a new PLCnext Engineer project using the template for your PLCnext Control device. If you are using the same device for both the OPC UA Client and the OPC UA Server, then the same PLCnext Engineer project will be used.

  3. Set the IP address of the PLC in the PLCnext Engineer project.

  4. Only required for PLCs running firmware versions prior to 2023.6: On the OPC UA Server configuration page, set Visibility of variables to Marked. Yes, it does seems strange to require this OPC UA Server setting for the OPC UA Client. This is fixed in firmware versions 2023.6 and later.

  5. Create variables that will be connected to variables in the OPC UA Server. Only required for PLCs running firmware versions prior to 2023.6: Make sure the OPC check box is ticked for those variables (the check box is not required to be ticked for PLCs running firmware version 2023.6 or later).

    In the example below, two variables have been created in the Main program.

    Snag_127e218

  6. In the OPC UA Client Connections tab, add one Server and two Variable Groups, as shown below.

    Snag_8b41c7

    The server URL, username, and password should be changed to suit the OPC UA Server you are using.

  7. In the "Subscribe" variable group, add one variable mapping, as shown below.

    Snag_969764

    This automatically transfers the value from the remote variable (on the OPC UA Server) to the local variable in the PLCnext Engineer project.

  8. In the "Write" variable group, add one variable mapping, as shown below.

    Snag_9d5de3

    This automatically transfers the value from the local variable in the PLCnext Engineer project to the remote variable (on the OPC UA Server).

  9. Write and start the PLCnext Engineer project.

  10. In Debug mode, change the value of the variable Client_Data_out. The value will be written to the variable Server_Data_In on the OPC UA Server. That value will be incremented by the Server and written to the variable Server_Data_Out. The value of that variable will then be transferred to the variable Client_Data_In on the Client.

It isn't working?

Please check the Troubleshooting Guide in the PLCnext Info Center (at the bottom of the page).

Frequently Asked Questions

Q: Will PLCnext Engineer also allow me to browse tags in the OPC UA server, or will I still need to use something like UaExpert to see what tags are available?

A: In the short term: the second one. In the medium term, we hope that PLCnext Engineer will include this feature.

Q: Can the client connect to an OPC UA Server using Certificate/Key authentication?

A: No, not at the moment.

Q: How does the OPC UA Client store the Server password?

A: At the moment the OPC UA Server password is stored as clear text in the client configuration file, but the PLCnext Runtime developers are working on a more secure password storage method.

Q: Can I get quality information (e.g. Status Code, Timestamp) for data read from an OPC UA Server?

A: Not at the moment, sorry.

Appendix: File-based configuration

The OPC UA Client configuration in PLCnext Engineer is stored on the controller in XML format. For applications that do not use PLCnext Engineer, it is possible to configure the OPC UA Client by writing the XML configuration directly on the controller.

The configuration that was prepared in this example is represented in the following XML files:

  1. Any required changes to the default OPC UA Client settings are defined in the file /opt/plcnext/projects/current/Services/OpcUA/Modules/Client/client.module.config :

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <OpcUAClientModuleConfigurationDocument schemaVersion="1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig" xmlns="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig">
      <Application>
        <CertificateStore>
          <SelfSignedIdentityStoreName>OPC UA Client self-signed</SelfSignedIdentityStoreName>
          <GivenIdentityStoreName>OPC UA Client</GivenIdentityStoreName>
          <TrustStoreName>OPC UA Client</TrustStoreName>
        </CertificateStore>
        <SessionSecurity>
          <ApplicationAuthentication>false</ApplicationAuthentication>
          <ApplicationUriCheck>true</ApplicationUriCheck>
          <CertificateHostnameCheck>true</CertificateHostnameCheck>
          <CertificateTimeCheck>true</CertificateTimeCheck>
          <CertificateIssuerTimeCheck>true</CertificateIssuerTimeCheck>
          <PasswordEncryptionCheck>true</PasswordEncryptionCheck>
        </SessionSecurity>
        <Timeouts>
          <SessionTimeout>1200000</SessionTimeout>
          <ConnectTimeout>5000</ConnectTimeout>
          <WatchdogTimeout>5000</WatchdogTimeout>
          <CallTimeout>10000</CallTimeout>
        </Timeouts>
      </Application>
    </OpcUAClientModuleConfigurationDocument>
    
  2. OPC UA Client connections are defined in the file /opt/plcnext/projects/current/Services/OpcUA/Modules/Client/Configs/ clientconnections.xml :

    <?xml version="1.0" encoding="utf-8"?>
    <eUAClientConfigurationDocument xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:uax="http://opcfoundation.org/UA/2008/02/Types.xsd" xmlns="http://phoenixcontact.com/OpcUA/PLCnext/UAClientConfig/Types.xsd">
      <eUAClientConfiguration>
        <Name>ClientConnectionsConfiguration</Name>
        <NamespaceArray> 
          <uax:String>http://phoenixcontact.com/OpcUA/PLCnext/GlobalDataSpace/</uax:String>
        </NamespaceArray>
        <ServerConnections>
          <eUAClientServerConnection>
            <EncodingMask>3</EncodingMask>
            <Endpoint> 
              <uax:EndpointUrl>opc.tcp://192.168.1.10:4840</uax:EndpointUrl>
              <uax:SecurityMode>Sign_2</uax:SecurityMode> 
              <uax:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</uax:SecurityPolicyUri>
            </Endpoint>
            <UserTokenType>UserName_1</UserTokenType>
            <UserName>admin</UserName>
            <Password>xxxxxxxx</Password>
          </eUAClientServerConnection>
        </ServerConnections>
        <VariableGroups>
          <eUAClientVariableGroup>
            <GroupType>Write_1</GroupType> 
            <CycleTime>100</CycleTime>
            <NodeMappings>
              <eUAClientNodeMapping>
                <LocalVariable>
                  <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.Client_Data_Out</uax:Identifier> 
                </LocalVariable>
                <RemoteVariableDescriptor>
                  <EncodingMask>2</EncodingMask>
                  <ServerIndex>1</ServerIndex>
                  <NodeId> 
                    <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.Server_Data_In</uax:Identifier>
                  </NodeId>
                </RemoteVariableDescriptor>
              </eUAClientNodeMapping>
            </NodeMappings>
          </eUAClientVariableGroup> 
          <eUAClientVariableGroup>
            <GroupType>Subscribe_0</GroupType> 
            <CycleTime>100</CycleTime>
            <NodeMappings>
              <eUAClientNodeMapping>
                <LocalVariable>
                  <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.Client_Data_In</uax:Identifier> 
                </LocalVariable>
                <RemoteVariableDescriptor>
                  <EncodingMask>2</EncodingMask>
                  <ServerIndex>1</ServerIndex>
                  <NodeId> 
                    <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.Server_Data_Out</uax:Identifier>
                  </NodeId>
                </RemoteVariableDescriptor>
              </eUAClientNodeMapping>
            </NodeMappings>
          </eUAClientVariableGroup> 
        </VariableGroups>
      </eUAClientConfiguration>
    </eUAClientConfigurationDocument>
    

    This file uses the Namespace and Node ID information recorded earlier (using UaExpert) to specify which server variables the client will access.

  3. In the above file, change the following to suit your application:

    • The element uax:EndpointUrl must include the IP address (or DNS name) of your OPC UA server.

    • The Username and Password elements must contain the credentials required for the OPC UA server.

    IMPORTANT: In this example, the Node ID strings in UaExpert included the text ns=6. In the XML file above, this has been changed to ns=1, because the "namespace" parameter (ns) is an index into the list of namespaces on the local client. In this example, the Namespace name that was copied from UaExpert is the first (and only) namespace in the list of namespaces in our clientconfig.xml file.

The PLCnext Runtime must be restarted after making changes to the OPC UA Client configuration files.

Note:

The Makers Blog shows applications and user stories of community members that are not tested or reviewed by Phoenix Contact. Use them at your own risk.

Discussion

Please login/register to comment

Login/Register

Leave a Reply

esai01 27.03.2023

Nice guide for the "uncomfortable" actual status of the OPC UA client implementation. I´ve managed to get it running, but only with one varible beeing exchanged between servera and client. How should a second reading variable be declared in the clientconfig.xml file? Subscribe_0 100 ns=1;s=Arp.Plc.Eclr/MainInstance.Client_Data_In 2 1 ns=1;s=Arp.Plc.Eclr/MainInstance.Server_Data_Out I´ve tried different ways, but no success. Thanks a lot for your help.

Login / Register to reply
Martin PLCnext Team 27.03.2023

Thanks for the feedback. The example currently includes a GroupType "Subscribe_0". That GroupType contains NodeMappings, which is a list of eUAClientNodeMapping items. At the moment there is only one eUAClientNodeMapping item in that group, which maps a server variable to a client variable. To add a second eUAClientNodeMapping item to that list of NodeMappings, simply create a second eUAClientNodeMapping item, immediately under the first one (i.e. inside the NodeMappings tag). Then you only need to change the server and client tag names in the new eUAClientNodeMapping item. After the PLCnext Runtime is restarted, the data should be transferred automatically. This procedure will not be required after PLCnext Engineer version 2023.3 is released.

esai01 05.04.2023

Thank you Martin for your quick answer. As 2023.3 is about to come, it´s a good idea waiting for it and make our lives more comfortable :-)

Martin PLCnext Team 17.04.2023

The article has now been updated to show the configuration using PLCnext Engineer version 2023.3. The file-based configuration is still shown in the Appendix.

Acke Chau 16.08.2023

Thanks Martin for this guide. The only modification I had to do was to change the dns name of my endpoints to ip addresses. As same as your example... "If the connection cannot be established: Use IP addresses in the certificates of client and server or ensure that a DNS server is available which can resolve the host names (i.e. enter the IP address into the DNS name / IP address field of the OPC UA server configuration in PLCnext Engineer)."

Login / Register to reply
Newsletter
Never miss a new article
Sign up for the newsletter
Never miss news about PLCnext Technology
Get interesting content via newsletter four times a year
Receive exclusive information before all other users