Connection configuration

Note: The OPC UA client and server use the OpenSSL library to validate X.509 certificates using the OpenSSL flag X509_V_FLAG_X509_STRICT. As firmware 2024.0 LTS is updated to OpenSSL 3.0, the X.509 certificate validation became more strict, especially for non self-signed certificates. This may cause the server to return the error BadSecurityChecksFailed on client connection attempts. Make sure that, according to OPC UA Part 6, client issuer as well as client application X.509 certificates are conform to RFC 5280, especially to the sections listed below. The same applies for user-managed server certificates. 
  • 4.1.1.2 signatureAlgorithm
  • 4.1.2.6 Subject
  • 4.2.1.1 Authority Key Identifier
  • 4.2.1.2 Subject Key Identifier
  • 4.2.1.3 Key Usage
  • 4.2.1.6 Subject Alternative Name
  • 4.2.1.9 Basic Constraints
 

Definition in PLCnext Engineer or connection XML files

The OPC UA client can be configured in PLCnext Engineer from version 2023.3. We recommend to use PLCnext Engineer for the configuration (see also Tutorial - OPC UA setup for PLCnext Control)

In addition to PLCnext Engineer, the connections can be defined in connection XML files that are located in the following folder:

/opt/plcnext/projects/Default/Services/OpcUA/Modules/Client/Configs/*.xml

All connection configuration files are aggregated (including the one from PLCnext Engineer).

The format of the XML file is described in OPC UA client XML schema.

Note: To reload the settings and connection files a restart of the PLC is required.

Example configurationExample configuration

<?xml version="1.0" encoding="utf-8"?>
<eUAClientConfigurationDocument xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:uax="http://opcfoundation.org/UA/2008/02/Types.xsd"
xmlns="http://phoenixcontact.com/OpcUA/PLCnext/UAClientConfig/Types.xsd">
  <eUAClientConfiguration>
    <Name>ClientConnectionsConfiguration</Name>
    <NamespaceArray>
      <uax:String>http://phoenixcontact.com/OpcUA/PLCnext/GlobalDataSpace/</uax:String>
    </NamespaceArray>
    <ServerConnections>
      <eUAClientServerConnection>
        <EncodingMask>3</EncodingMask>
        <Endpoint>
          <uax:EndpointUrl>opc.tcp://192.168.178.123:4840</uax:EndpointUrl>
          <uax:SecurityMode>Sign_2</uax:SecurityMode>
          <uax:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</uax:SecurityPolicyUri>
        </Endpoint>
        <UserTokenType>UserName_1</UserTokenType>
        <UserName>admin</UserName>
        <Password>secretpassword</Password>
      </eUAClientServerConnection>
    </ServerConnections>
    <VariableGroups>
      <eUAClientVariableGroup>
        <GroupType>Subscribe_0</GroupType>
        <CycleTime>100</CycleTime>
        <NodeMappings>
          <eUAClientNodeMapping>
            <LocalVariable>
              <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.i_OPCUACLIENT_CNT</uax:Identifier>
            </LocalVariable>
            <RemoteVariableDescriptor>
              <EncodingMask>2</EncodingMask>
              <ServerIndex>1</ServerIndex>
              <NodeId>
                <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.i_OPCUASERVER_CNT</uax:Identifier>
              </NodeId>
            </RemoteVariableDescriptor>
          </eUAClientNodeMapping>
        </NodeMappings>
      </eUAClientVariableGroup>
    </VariableGroups>
  </eUAClientConfiguration>
</eUAClientConfigurationDocument>

Server connections

The connection configuration contains a list of servers that can be accessed by the client. For each server the connection information can be described as follows (see also OPC UA client XML schema):

  • server URL: This URL shall always start with opc.tcp:// since this is currently the only supported protocol.
    Optionally the port can be specified. If omitted, the default OPC UA discovery port 4840 is used.
  • Username (optional): If omitted, anonymous authentication is used.
  • Password (optional): Only required if Username is specified.
  • The securityMode to use (see OPC UA client security  for more details).
  • The securityPolicy to use: This can be best available for most secure communication (default) or one of the supported specific security policies.
    Note: None and the deprecated security profiles can only be used explicitly (see OPC UA client security for more details).

Variable groups

The configuration can contain multiple variable groups. Each has a GroupType (subscribe or write) and a CycleTime (see also OPC UA client XML schema).

Variable mapping

Every VariableGroup can contain multiple variable mappings. These mappings contain a local variable and a description how to find the remote variable.

The local variable is described by a NodeId of the own PLCnext Technology OPC UA server.

The remote variable is described by a reference to the remote server and a NodeId for a variable on that server.

In the XML file the namespace is specified as namespace index. This is an index into the NamespaceArray which is also defined in the XML file.

In PLCnext Engineer the NodeId is specified by two parts:

  • a namespace: The unique URI as scope for the identifier.
  • an identifier: The unique integer, string, guid, or opaque id within the namespace.

The type of such an identifier is specified via a prefix as it is defined in OPC UA. Here are some examples:

  • i=2258 (integer)
  • s=Arp.Plc.Eclr/GlobalVariable (string)
  • g=1c35cb2b-e5d0-495a-93c9-da095c652230 (guid)
  • b=M/RbKBsRVkePCePcx24oRA== (opaque / binary)

 

 


• Published/reviewed: 2024-12-10  ☃  Revision 075 •