
GEI-100828G

WorkstationST* OPC® UA Server Instruction Guide

These instructions do not purport to cover all details or variations in equipment, nor to provide for every possible contingency to be met during installation, operation, and maintenance. The information is supplied for informational purposes only, and GE makes no warranty as to the accuracy of the information included herein. Changes, modifications, and/or improvements to equipment and specifications are made periodically and these changes may or may not be reflected herein. It is understood that GE may make changes, modifications, or improvements to the equipment referenced herein or to the document itself at any time. This document is intended for trained personnel familiar with the GE products referenced herein.

Public Information – This document contains non-sensitive information approved for public disclosure.

GE may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not provide any license whatsoever to any of these patents.

GE provides the following document and the information included therein as is and without warranty of any kind, expressed or implied, including but not limited to any implied statutory warranty of merchantability or fitness for particular purpose.

For further assistance or technical information, contact the nearest GE Sales or Service Office, or an authorized GE Sales Representative.

Revised: Dec 2019
Issued: May 2012

© 2012 - 2019 General Electric Company.

* Indicates a trademark of General Electric Company and/or its subsidiaries. All other trademarks are the property of their respective owners.

We would appreciate your feedback about our documentation. Please send comments or suggestions to [email protected]

Public Information


Document Updates

Revision G, Client Privileges: Added flow diagram illustrating how OPC UA client privileges can enable or restrict the user's ability to browse for, read, and write OPC UA nodes.

Revision F, Overview; Live Data and Alarm/Event Subscriptions; Monitored Items; Alarm/Event: Added content for Alarm/Event Subscriptions.

Revision E, Application Certificate Sharing: Added this section with the procedure to share certificates between OPC UA client and server.

Revision D, OPC UA Communication: Removed obsolete server URL; only one URL can be used to access the WorkstationST OPC UA server. Removed obsolete discovery server URL.

Acronyms and Abbreviations

AE Alarm and Event
DA Data Access
GSM GE Standard Messages
HDA Historical Data Access
OPC A standard for data exchange in the industrial environment
SDI System Data Interface
UA Unified Architecture
URI Uniform Resource Identifier
URL Uniform Resource Locator
WCF Windows Communication Foundation

2 GEI-100828G GEI-100828 WorkstationST OPC UA ServerPublic Information


Contents

1 Overview
2 OPC UA Communication
2.1 Application Certificates
2.2 Client/Server Connection Sequence
2.3 Application Certificate Sharing
2.4 Live Data and Alarm/Event Subscriptions
2.5 Troubleshooting
3 Client Privileges
4 Live Data Flow
5 Alarm/Event
6 Historical Data Access
6.1 External Historians
6.2 Configure DCOM Settings


1 Overview

The OPC® Unified Architecture (OPC UA) standard combines the older standards of OPC Data Access (DA), OPC Alarm and Event (AE), and OPC Historical Data Access (HDA) into one interface. Additionally, the OPC UA standard provides Historical Alarm and Event access. An OPC UA server implementation can include all or part of these standards’ features. The WorkstationST* OPC UA server provides DA reading and writing, live AE data, and HDA reading features.

Note The OPC UA standard was created by the OPC Foundation. For more information, visit www.opcfoundation.org.

2 OPC UA Communication

An OPC UA client must have a URL to connect to a server. If the client is not configured with a URL, the client can access a discovery server to obtain a URL. The WorkstationST OPC UA server is accessed using the following URL:

opc.tcp://<hostname>:64121/GeCssOpcUaServer

The <hostname> entry can be “localhost” or a valid host name or IP address.

The WorkstationST OPC UA server also registers itself with the OPC Foundation’s UA local discovery server, which is installed with the WorkstationST application. The discovery server runs as a Windows® service. UA servers register with it and UA clients can obtain a list of registered UA servers from it.

2.1 Application Certificates

The OPC UA client and server each own an X509 application certificate. These certificates are created and added to a certificate store when the client or server is installed, when the client application is first run, or through a vendor-supplied utility.

Creating a client certificate and adding it to the certificate store requires administrative privileges. The OPC UA client is used in the following:

• Trender
• Test OPC UA client
• Configuration for the OPC UA client part of the OPC UA server
• Running the OPC UA client part of the WorkstationST OPC UA server, allowing data access for variables in external OPC UA servers

When the client is first accessed, if the application is running as an administrator the certificate is created and placed into the correct store location. Otherwise, the user is prompted to allow the certificate to be created. It is then added to the correct store location with a new process started as an administrator. The user may be required to enter credentials for this process.

The application certificates are kept in the Windows local machine certificate store. The WorkstationST Certificate Manager is used to view, import, export and reissue certificates. The WorkstationST Certificate Manager is accessed from the WorkstationST Status Monitor Tools menu.


The following figure displays five certificates, including one for the OPC UA client and one for the OPC Foundation’s UA Local Discovery Server.

Example Application Certificates in WorkstationST Certificate Manager

Certificate Keys

An OPC UA application certificate has a public key needed by other applications to verify the application certificate. When exported, the .der file contains the certificate and public key.

Each application certificate also contains a private key. When exported, the .pfx file contains the certificate and the public and private keys. Typically, these are protected with a password when exported.


2.2 Client/Server Connection Sequence

When an OPC UA client and server connect, both the client and the server application have an X509 certificate they own. For successful communication, both the OPC UA client and server must receive each other's certificate over the communication link and verify that it matches a certificate in the trusted store location. The OPC UA client and server use the Windows local machine certificate store as the trusted store, which is located within the folder UA Applications on the computer where they are running.

Client/Server Connection Sequence Diagram (figure; its content is summarized below)

The diagram shows the WorkstationST OPC UA server and an OPC UA client (for example, the ControlST OPC UA client), each backed by the Windows certificate store, exchanging the following messages:

GetEndpoints Request: sent by the client to the server.

GetEndpoints Response: contains the server's Application Instance Certificate, which the server provides from its Windows certificate store. The client validates this certificate against the certificates in its own Windows certificate store.

Open Secure Channel Request: contains the client application certificate. The server validates this certificate against its Windows certificate store.

Secure Channel Response: returned by the server.

At startup, if no certificate is found for the server or the client, one is added. For an OPC UA client running as a non-administrator user (for example, running in the Trender), the certificate is added by running an elevated-privilege process at product installation.

Certificate Management Tool: allows viewing, deleting, importing, and exporting of UA Application Certificates from the Windows store. It can be used to reissue expired certificates or to export certificates from one computer for import on another.


2.3 Application Certificate Sharing

When an OPC UA client uses a security profile other than None to connect to an OPC UA server, the server initially sends its application certificate back to the client (as illustrated in the figure Client/Server Connection Sequence Diagram). The client looks into its trusted store for the public certificate of the server. If the certificate is not found, some clients will prompt the user to trust the certificate, while others will place the certificate into a rejected store location. After the client trusts the server’s public certificate and the client attempts to connect again, the second part of the communication calls for the client to send its public certificate to the server. If the server does not trust the certificate, the server will typically place the certificate into a rejected store.

ControlST* OPC UA Client Trusting OPC UA Server Certificate

With the ControlST OPC UA client, which is used by the Trender and the OPC UA test client (accessed from the WorkstationST Component Editor’s View menu), the user is prompted to trust the server’s certificate if the server’s certificate is not already trusted. The user must enter administrator credentials to trust the certificate (the trusting action requires administrator privileges on the computer).


ControlST OPC UA Server Trusting Client Certificate

➢➢ To trust the client certificate

Use the Certificate Manager to trust the client’s certificate on the server node.

1. Select the WorkstationST Status Monitor tray icon to display the WorkstationST Status Monitor.

2. From the WorkstationST Status Monitor Tools menu, select Certificate Manager to display the WorkstationST Certificate Manager.

3. From the Certificate Manager, click the Rejected toolbar icon to display a list of all rejected certificates.

4. From the Server node, select the OPC UA client’s certificate and click Trust Selected Certificates to trust it.

Attempt to connect the client to the OPC UA server again. At this point, when the viewer is started it should be able to talk to the server.
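The two-step trust check described in sections 2.2 and 2.3 (server certificate validated by the client, then client certificate validated by the server, with unknown certificates landing in a rejected store until an operator trusts them) can be modelled in a few lines. The following Python is an added illustration, not GE or WorkstationST code: the certificates are constructed byte strings standing in for DER-encoded X.509 certificates, identified by SHA-1 thumbprint as the Windows certificate store identifies them, and the TrustStore layout, function names and log messages are this example's own assumptions.

```python
"""Model of the two-way certificate check in sections 2.2 and 2.3, added as
an illustration; it is not GE/WorkstationST code.  Certificates are stand-ins
(constructed byte strings instead of real DER), identified by SHA-1 thumbprint
as the Windows certificate store identifies them.  The TrustStore layout and
the function names are assumptions."""

import hashlib
import logging
from dataclasses import dataclass, field

log = logging.getLogger("ua_trust")


def thumbprint(der: bytes) -> str:
    """Windows-style thumbprint: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


@dataclass
class TrustStore:
    """One application's view of its certificate store: a trusted set and a
    rejected set, both keyed by thumbprint (assumed layout)."""
    owner: str
    trusted: dict = field(default_factory=dict)
    rejected: dict = field(default_factory=dict)

    def validate_peer(self, der: bytes) -> bool:
        """True if the peer certificate is in the trusted set.  An unknown
        certificate is kept in the rejected set, which is what an operator
        later reviews under the Certificate Manager's Rejected view."""
        tp = thumbprint(der)
        if tp in self.trusted:
            return True
        if tp not in self.rejected:
            self.rejected[tp] = der
            log.warning("%s: peer certificate %s is untrusted; placed in rejected store",
                        self.owner, tp)
        return False

    def trust_rejected(self, tp: str) -> None:
        """Equivalent of 'Trust Selected Certificates': move rejected -> trusted."""
        self.trusted[tp] = self.rejected.pop(tp)


def connect(client: TrustStore, client_cert: bytes,
            server: TrustStore, server_cert: bytes) -> str:
    """Run the two validation steps of the connection sequence and report
    where the attempt stops."""
    # GetEndpoints response: the server's certificate reaches the client,
    # which checks it against its own store.
    if not client.validate_peer(server_cert):
        return "server certificate not trusted by client"
    # Open Secure Channel request: the client's certificate reaches the
    # server, which checks it against its store.
    if not server.validate_peer(client_cert):
        return "client certificate not trusted by server"
    return "secure channel open"


def demo() -> list:
    """Constructed walk-through: both sides start with empty trust stores."""
    server_cert = b"constructed stand-in for the server DER certificate"
    client_cert = b"constructed stand-in for the client DER certificate"
    client, server = TrustStore("client"), TrustStore("server")
    steps = [connect(client, client_cert, server, server_cert)]
    # Operator accepts the client-side prompt (section 2.3).
    client.trust_rejected(thumbprint(server_cert))
    steps.append(connect(client, client_cert, server, server_cert))
    # Operator trusts the client certificate in the server's Certificate Manager.
    server.trust_rejected(thumbprint(client_cert))
    steps.append(connect(client, client_cert, server, server_cert))
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point of keeping the rejected set explicit is that it is the audit trail: every certificate that was offered and refused stays visible until someone deliberately trusts it, which is exactly what step 3 of the procedure above relies on.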

2.4 Live Data and Alarm/Event Subscriptions

A client adds Subscriptions once a secure channel session is established. A live Data Subscription contains a list of monitored items that represent a variable or a property of a variable. A live Alarm/Event Subscription normally contains the Server Object as the event monitored item. By subscribing to the Server Object, the OPC UA client receives notifications for all events as they occur and all alarms currently in an alarm queue.

Subscription Settings

Publishing Interval: Specifies the client’s desired update rate.

Keep-alive Count: Defines how many times the Publishing Interval needs to expire without available notifications before the server sends an empty message to the client to indicate that the server is still alive.

Lifetime Count: Defines how many times the Publishing Interval expires without having a connection to the client. If the server cannot deliver notification messages after this time, it deletes the Subscription to clear the resources. The minimum Lifetime Count value must be three times the Keep-alive Count value.

Maximum Notifications per Publish: Defines the maximum number of notifications per message delivered to the client in a published response.

Note The priority of the Subscription in the client is relative to other subscriptions created by the client.


2.4.1 Monitored Items

After configuration, the client adds monitored items to the Subscription. For Data Subscriptions, each monitored item represents a variable. Alarm/Event Subscriptions contain an event monitored item. The following table provides the common and specific settings for monitored items and event monitored items.

Monitored Item Settings

Sampling Interval: For a Data Subscription, this is the rate (in ms) at which the server checks for changes. A change that triggers a notification is defined by the filter. If -1 is the Sampling Interval value, the Subscription’s Publishing Interval value is used for this setting. A client can over-sample the value (sample more frequently) by setting the Sampling Interval value to less than the Publishing Interval value and setting the Queue Size value to 1. For Alarm/Event Subscriptions, the client can set the Sampling Interval value to 0 and notifications will be sent as they occur.

Queue Size: Maximum number of values stored for the monitored item during a publishing interval. After each publishing interval, the server sends the values to the client.

Filter: For a Data Subscription, a filter is by default of the type trigger, with the trigger being either a changing value or the status of the monitored item. This trigger can be set to notify when there is a status change only, or it can include status, value, and source time stamp changes. The filter can also have a deadband type and deadband value. The deadband type is either Absolute or Percent. If the type is Percent, the variable’s EURange must be configured (for ToolboxST application variables, display limits or format specification engineering units are used). Alarm/Event monitored items use an item event filter. This includes a where clause that normally includes ConditionType. It also contains many select clauses.
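The Subscription Settings in section 2.4 and the Monitored Item Settings above are easier to reason about when the rules are executable: Lifetime Count must be at least three times Keep-alive Count, a Sampling Interval of -1 falls back to the Publishing Interval, and a deadband of type Percent cannot be evaluated without the variable's EURange. The following Python is an added example serving both tables and is not WorkstationST code; the class and field names and the sample value series are this example's own assumptions.

```python
"""Added illustration of the subscription and monitored-item rules in
sections 2.4 and 2.4.1; not WorkstationST code.  It checks Lifetime Count
>= 3 x Keep-alive Count, resolves a Sampling Interval of -1 to the Publishing
Interval, and applies the Absolute and Percent deadband filters (Percent
needs the variable's EURange).  Class and field names are assumptions."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Subscription:
    publishing_interval_ms: float
    keep_alive_count: int
    lifetime_count: int
    max_notifications_per_publish: int

    def validate(self) -> List[str]:
        """Return the consistency problems found; an empty list means OK."""
        problems = []
        if self.publishing_interval_ms <= 0:
            problems.append("Publishing Interval must be positive")
        if self.keep_alive_count < 1:
            problems.append("Keep-alive Count must be at least 1")
        if self.lifetime_count < 3 * self.keep_alive_count:
            problems.append("Lifetime Count must be at least three times the Keep-alive Count")
        return problems


@dataclass
class MonitoredItem:
    sampling_interval_ms: float            # -1 means: use the Publishing Interval
    queue_size: int = 1
    deadband_type: Optional[str] = None    # None, "Absolute" or "Percent"
    deadband_value: float = 0.0
    eu_range: Optional[Tuple[float, float]] = None  # (low, high), needed for Percent
    last_reported: Optional[float] = None

    def effective_sampling_interval(self, sub: Subscription) -> float:
        if self.sampling_interval_ms == -1:
            return sub.publishing_interval_ms
        return self.sampling_interval_ms

    def is_oversampling(self, sub: Subscription) -> bool:
        """Sampling faster than the Publishing Interval with a queue of 1:
        the server samples more often than it publishes and, holding only
        one value, delivers the latest sample at each publish."""
        return (self.effective_sampling_interval(sub) < sub.publishing_interval_ms
                and self.queue_size == 1)

    def triggers(self, value: float) -> bool:
        """Apply the data-change filter; True means a notification is queued."""
        if self.last_reported is None:
            changed = True                      # first sample is always reported
        elif self.deadband_type is None:
            changed = value != self.last_reported
        elif self.deadband_type == "Absolute":
            changed = abs(value - self.last_reported) > self.deadband_value
        elif self.deadband_type == "Percent":
            if self.eu_range is None:
                raise ValueError("Percent deadband requires the variable's EURange")
            low, high = self.eu_range
            changed = abs(value - self.last_reported) > (high - low) * self.deadband_value / 100.0
        else:
            raise ValueError(f"unknown deadband type {self.deadband_type!r}")
        if changed:
            self.last_reported = value
        return changed


def reported_values(item: MonitoredItem, samples: List[float]) -> List[float]:
    """Feed a constructed sample series through the filter and return the
    values that would reach the client."""
    return [v for v in samples if item.triggers(v)]


if __name__ == "__main__":
    sub = Subscription(1000, 10, 30, 100)
    print("subscription problems:", sub.validate())
    abs_item = MonitoredItem(-1, deadband_type="Absolute", deadband_value=2.0)
    print("absolute deadband:", reported_values(abs_item, [10, 11, 12.5, 13, 16]))
    pct_item = MonitoredItem(-1, deadband_type="Percent", deadband_value=10, eu_range=(0, 100))
    print("percent deadband:", reported_values(pct_item, [50, 55, 61, 70.5]))
```

The validate() check is the one worth running before a client creates the subscription: a Lifetime Count below three times the Keep-alive Count is rejected by the server, and a client that silently retries such a request shows up as a connection that never settles.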

2.5 Troubleshooting

If a client is unable to connect to a server, perform the following checks:

• Verify that the client’s application certificate is present in the server's trusted certificate store.
• Verify that the server’s certificate is present in the client's trusted certificate store. The WorkstationST OPC UA client uses the Windows store. Others use a folder in the file system. Depending on the client, the server’s certificate can be exported using the WorkstationST Certificate Manager and placed in the client’s trusted store.

Many clients, such as the WorkstationST OPC UA client, display a list of available servers when configuring a connection. The OPC Foundation’s UA local discovery server obtains this list. If the list does not display, stop and restart the UA Local Discovery Server (located in Windows services).


3 Client Privileges

Once an OPC UA client is connected to the server, the client can log in with a user token, if provided. The user must match a configured ToolboxST user and be assigned write privileges. If no Users and Roles are assigned in the ToolboxST configuration, all clients are granted write privileges.

Clients that allow user token authentication send a token containing a user name and password. If the password can be authenticated, the server associates the user with a matching user in the Users and Roles configuration. The client is then granted privileges according to that user's access rights and assigned role.

For clients that do not allow user token authentication, the OPC UA server associates a client application certificate with a user in the Users and Roles configuration. When a client connects using one of these application certificates, the associated user privileges are granted.

OPC UA client privileges enable or restrict a user's ability to browse for, read, and write OPC UA nodes, as illustrated in the following flow diagram.

OPC UA Client Privileges
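The privilege resolution described in this section has three branches: a user-name/password token that is authenticated and mapped to a configured user, an application certificate bound to a configured user, and the case where no Users and Roles are configured at all (every client may write). The following Python is an added example, not WorkstationST code: the data model, the PBKDF2 password check, the constructed users and thumbprint, and the treatment of an unmatched certificate as a read-only client are this example's own assumptions, not documented WorkstationST behaviour.

```python
"""Added illustration of the privilege resolution in section 3; not
WorkstationST code.  A client is tied to a configured ToolboxST user either
through a user-name/password token or through its application certificate,
and receives that user's role privileges; with no Users and Roles configured,
every client may write.  The data model, the PBKDF2 password check and the
handling of unmatched clients (read-only, assumed) are this example's own."""

import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

log = logging.getLogger("ua_privileges")

PBKDF2_ITERATIONS = 50_000


@dataclass(frozen=True)
class Role:
    name: str
    can_browse: bool
    can_read: bool
    can_write: bool


UNRESTRICTED = Role("unrestricted", True, True, True)
READ_ONLY = Role("read-only", True, True, False)    # assumed for unmatched clients


@dataclass
class User:
    name: str
    role: Role
    salt: bytes
    pw_hash: bytes


def make_user(name: str, password: str, role: Role) -> User:
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return User(name, role, salt, pw_hash)


@dataclass
class UsersAndRoles:
    users: Dict[str, User] = field(default_factory=dict)         # user name -> User
    cert_bindings: Dict[str, str] = field(default_factory=dict)  # cert thumbprint -> user name

    def resolve(self, token: Optional[Tuple[str, str]] = None,
                cert_thumbprint: Optional[str] = None) -> Optional[Role]:
        """Return the client's effective role, or None when a presented user
        token fails authentication."""
        if not self.users:
            return UNRESTRICTED          # no Users and Roles: all clients may write
        if token is not None:
            name, password = token
            user = self.users.get(name)
            if user is None:
                log.warning("user token for unknown user %r", name)
                return None
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ITERATIONS)
            if not hmac.compare_digest(candidate, user.pw_hash):
                log.warning("password check failed for user %r", name)
                return None
            return user.role
        if cert_thumbprint is not None:
            name = self.cert_bindings.get(cert_thumbprint)
            if name in self.users:
                return self.users[name].role
        return READ_ONLY


def can_write(role: Optional[Role], node: str) -> bool:
    """Gate a write request on the resolved role and log denials, which is
    the event an operator would want to see in a security log."""
    if role is None or not role.can_write:
        log.warning("write to %s denied for role %s", node, role.name if role else "none")
        return False
    return True


def demo() -> dict:
    """Constructed configuration: one operator with write rights, one viewer,
    and a certificate-only client bound to the viewer."""
    operator = Role("operator", True, True, True)
    viewer = Role("viewer", True, True, False)
    cfg = UsersAndRoles()
    cfg.users["alice"] = make_user("alice", "constructed-password", operator)
    cfg.users["bob"] = make_user("bob", "another-constructed-password", viewer)
    cfg.cert_bindings["AB12CD"] = "bob"   # constructed thumbprint
    return {
        "alice": can_write(cfg.resolve(token=("alice", "constructed-password")), "G1.TNH"),
        "alice_bad_pw": can_write(cfg.resolve(token=("alice", "wrong")), "G1.TNH"),
        "bob_cert": can_write(cfg.resolve(cert_thumbprint="AB12CD"), "G1.TNH"),
        "unknown_cert": cfg.resolve(cert_thumbprint="FFFF").name,
        "no_config": can_write(UsersAndRoles().resolve(), "G1.TNH"),
    }
```

The "no_config" entry is the one to watch in a deployment: with no Users and Roles assigned, every connected client can write, so a server that is reachable from outside the control network should never be left in that state.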


4 Live Data Flow

The OPC DA server has traditionally been the live data provider for the WorkstationST application. After implementing the OPC UA feature, the OPC DA server is still required for its SDI server, which provides live data to the Recorder, Modbus®, GSM, the Alarm Scanner, and the WorkstationST Component Editor.

When the OPC UA feature is not enabled, EGD data is processed by the OPC DA server. When the OPC UA feature is enabled, the OPC UA server processes EGD-consumed exchanges and produces WorkstationST-owned EGD exchanges. The server then forwards the consumed exchanges to the OPC DA server through a Microsoft® WCF secure channel.

OPC UA client connections can be configured to add external OPC UA server variables to the OPC UA live namespace. These variables, as well as plug-in variables, are provided through a WCF live list with a periodic update. Plug-in variables are:

• Variables obtained by proxy
• Non-EGD variables obtained by an SDI connection to a controller
• OPC DA client connections to external OPC DA servers

Any variables configured in the WorkstationST Component Editor Variables tab are in the OPC DA or OPC UA server’s namespace and can be cyclically moved to any other variable. When the OPC UA feature is enabled, variable mapping is performed by the OPC UA server; otherwise the mapping is performed by the OPC DA server. There is a configuration rate at which the mapping occurs. The following rules apply:

• The destination variable must be writable.
• The data type must match between the source and the destination of each mapped variable.

Note Consumed EGD devices and external OPC DA and OPC UA servers can limit the rate at which writes are allowed to destination variables.
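The two mapping rules above, plus the note that a destination's owning device may limit how often it accepts writes, are shown in the following added Python example. It is not WorkstationST code: the variable model, the sample namespace and the per-destination minimum write interval are this example's assumptions about how such a limit could be represented.

```python
"""Added illustration of the cyclic variable-mapping rules in section 4;
not WorkstationST code.  A mapping is accepted only when the destination is
writable and the source and destination data types match, and a destination
owned by a consumed EGD device or an external OPC server may limit how often
it accepts writes.  The variable model, names and the per-destination
minimum write interval are assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Variable:
    name: str
    data_type: str
    writable: bool
    value: object = None
    min_write_interval_ms: int = 0   # 0 = no limit imposed by the owning device
    last_write_ms: int = -1_000_000_000


Mapping = Tuple[str, str]   # (source name, destination name)


def validate_mappings(namespace: Dict[str, Variable], mappings: List[Mapping]) -> List[str]:
    """Return one message per rejected mapping; an empty list means all are valid."""
    errors = []
    for src, dst in mappings:
        s, d = namespace.get(src), namespace.get(dst)
        if s is None or d is None:
            errors.append(f"{src} -> {dst}: unknown variable")
        elif not d.writable:
            errors.append(f"{src} -> {dst}: destination is not writable")
        elif s.data_type != d.data_type:
            errors.append(f"{src} -> {dst}: data type {s.data_type} does not match {d.data_type}")
    return errors


def run_cycle(namespace: Dict[str, Variable], mappings: List[Mapping], now_ms: int) -> List[str]:
    """Perform one mapping cycle at time now_ms and return the destinations
    actually written.  Destinations whose device is still within its minimum
    write interval are skipped until a later cycle."""
    written = []
    for src, dst in mappings:
        s, d = namespace[src], namespace[dst]
        if now_ms - d.last_write_ms < d.min_write_interval_ms:
            continue
        d.value = s.value
        d.last_write_ms = now_ms
        written.append(dst)
    return written


def build_namespace() -> Dict[str, Variable]:
    """Constructed sample namespace: two local sources, three external destinations."""
    vars_ = [
        Variable("Local.Speed", "REAL", False, 3600.0),
        Variable("Local.Count", "INT", False, 7),
        Variable("Ext.Speed", "REAL", True, min_write_interval_ms=1000),
        Variable("Ext.Count", "INT", True),
        Variable("Ext.Status", "INT", False),
    ]
    return {v.name: v for v in vars_}


if __name__ == "__main__":
    ns = build_namespace()
    good = [("Local.Speed", "Ext.Speed"), ("Local.Count", "Ext.Count")]
    print(validate_mappings(ns, good + [("Local.Speed", "Ext.Count"), ("Local.Count", "Ext.Status")]))
    for t in (0, 500, 1000):
        print(t, run_cycle(ns, good, t))
```

Validating the mapping list once at configuration time, rather than discovering a type mismatch on the first cycle, is the practical takeaway; the rate-limited destination simply waits for a later cycle instead of generating a rejected write.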


5 Alarm/Event

When alarms are included in the OPC UA server the process can use significantly more memory. Because of this, alarms are not included (default setting). Beginning with ControlST V07.02.07C, the configuration setting Include Alarms in OPC UA Server can be enabled (set to True) to add alarms to the OPC UA server.

ToolboxST Configuration Setting, Include Alarms in OPC UA Server

A discrepancy between the ControlST alarm system and the OPC UA Alarm Standard is the number of states for analog alarms. ControlST analog alarms can have H, HH, HHH, L, LL and LLL states. OPC UA Alarm Standard analog alarms can only have H, HH, L and LL states. Therefore, the ControlST HH and HHH states are mapped to the OPC UA HH level and the ControlST LL and LLL states are mapped to the OPC UA LL level.

Note Although the alarm state on the OPC UA client displays as HI HI even when the alarm is HHH, the description of the alarm will include the HHH alarm description from ControlST.

Normally, an OPC UA client only subscribes to receive alarm/event notifications. However, in addition to this, the OPC UA server Address Space also includes the alarm definitions. Located within the Objects folder in the address space is an _AllAlarms component that contains all of the alarm definitions.


6 Historical Data Access

The OPC UA server namespace contains a variable named HistorianSource. HistorianSource is an enumerated integer type variable where a value of 0 = None, 1 = Recorder, and 2 = Historian. If the local WorkstationST computer has either the Recorder or Historian feature enabled, the HistorianSource variable allows an OPC UA client to control the source of the historical data for variables in the main server’s namespace. For example, if the variable G1.TNH is collected in both the Recorder and the Historian, a client could set HistorianSource to Recorder so historical read requests would provide data from the Recorder. A default value for clients that do not want to write to HistorianSource can be configured. This allows clients to receive historical data from either the Recorder or the Historian without writing to HistorianSource.

6.1 External Historians

OPC HDA historian servers are configured on the OPC UA tab. Each external historian is given a name that is used as a prefix for each variable in the server.

When the OPC UA server starts, it attempts to use an OPC HDA client to obtain the list of variables in the external historian and add them to the OPC UA server namespace. Subsequent requests are sent to the external OPC HDA server.

6.2 Configure DCOM Settings

The OPC UA server and the OSI PI OPC HDA server both run under the SYSTEM account by default. The Proficy Historian’s OPC HDA server defaults to run under the interactive user account. When configuring the external historian connection in the OPC UA server settings, a client user is specified for access to the external historian. This same client user must be configured in the DCOM settings for the external historian OPC HDA server to allow the OPC UA server to communicate with the OPC HDA Server.

Note Refer to the WorkstationST OPC DA Server Instruction Guide (GEI-100621) and the WorkstationST OPC AE Server Instruction Guide (GEI-100624) for additional settings information.


➢➢ To configure the PI OSI HDA server in DCOM

1. Run dcomcnfg.exe.

2. From the Component Services window, expand DCOM Config, right-click PI OSI HDA Server, and select Properties.

3. Configure the user account.

Note On 64-bit operating systems, the PI OPC HDA Server may not display in the list of DCOM configurable objects. To display the PI OSI DA Server and PI OSI HDA Server entries in dcomcnfg, run MMC /32 %windir%\syswow64\comexp.msc to open the 32-bit version of the DCOM Configuration utility. The entries will permanently display.


4. From the Control Panel, double-click Administrative Tools, Services, and PI OPC HDA Server, then right-click and select Properties.

5. Log on to the server account.

From the Log On tab, select This account.

Enter the same User as the PI OSI HDA Server.

The OPC UA server’s OPC HDA client must be set to run under the same user.

➢➢ To configure the OPC UA server’s OPC HDA client: from the WorkstationST Component Editor OPC UA tab, select an External Historian item and in the Property Editor enter the User Name and User Password.

Note There is no corresponding DCOM identity setting for the OPC UA server.

Once the remote PI HDA server and the OPC UA server are running under the same user, and the DCOM settings for both computers have been set, the OPC UA server displays variables from the PI server in the OPC UA Server tab Tree View under the External Historians item.

Note The initial retrieval of the variable namespace for an external server can take a couple of minutes. The namespace is populated after this initial retrieval.


The Proficy Historian HDA server must also be configured to run under the same user.

➢➢ To configure the Proficy Historian HDA server in DCOM

1. Run dcomcnfg.exe.

2. From the Component Services window, expand DCOM Config, right-click Proficy Historian HDA Server, and select Properties.

3. Configure the user account.

From the Identity tab, select This user.

The system account (services only) option cannot be selected.

It is recommended that this setting be configured as a valid Windows user. (Windows user must be a member of the administrators group.)

Note The Proficy OPC HDA Server does not run as a Service and does not require any user assignment in Services.
