
Configuring the OPC UA Client Module

The configuration of the OPC UA client module comprises the general, connection-independent settings of the client module. This includes the settings for the certificate store, the security settings, and the timeout settings. The settings are stored in the configuration file, which is written to the controller with the PLCnext Engineer project.

Note
For all of the settings described below, the embedded OPC UA client in the PLCnext Technology controller provides default settings which are supplied with the controller. In typical cases, no changes to these default values are required in order to communicate with the OPC UA server.

The module configuration is done using the 'Client Settings' editor. To open the editor, double-click the 'OPC UA' PLANT node and activate the editor in the editors group. Click one of the categories on the left to configure the various settings.


Certificate store settings

In the 'Certificate Stores' category, the names for the identity stores and for the trust store can be changed (observe the note above). By default, the following certificate and trust stores are used (the default stores are shown when you select 'Yes' in the 'Override Certificate Store Names' field).

If you are using certificates other than those in the default stores to set up the communication with the OPC UA server, set the parameter 'Override Certificate Store Names' to 'Yes' and enter your values.

Background information: Identity Store and Trust Store

Security settings

In the 'Security' category, you can override the default security checks that are performed on the OPC UA client side when connecting to the OPC UA server. To disable the default settings, set the parameter 'Override Security Settings' to 'Yes'. The following checks can be deactivated:

| Security check | Description |
|---|---|
| 'Application Authentication' | If disabled, a server certificate verification failure will be ignored when connecting to the OPC UA server. |
| 'Application Uri Check' | If disabled, an invalid server certificate application URI will be ignored. With a deactivated URI check, the connection to the OPC UA server can be established even if the server's URI does not match the URI entered in the client's certificates. |
| 'Certificate Hostname Check' | If disabled, an invalid server certificate hostname will be ignored. With a deactivated hostname check, the connection to the OPC UA server can be established even if the server's hostname does not match the hostname entered in the client's certificates. |
| 'Certificate Time Check' | If disabled, an invalid certificate time will be ignored. With a deactivated certificate time check, the connection to the OPC UA server can be established even if the server's certificate has expired or is invalid. |
| 'Certificate Issuer Time Check' | If disabled, an invalid certificate issuer time will be ignored. With a deactivated certificate issuer time check, the connection to the OPC UA server can be established even if the server's issuer certificate has expired or is invalid. |
| 'Password Encryption Check' | If disabled, the check for the ServerNonce and the PasswordEncryptionMode will be ignored. |

Note
Disabling the security checks reduces security. It is not recommended to disable the checks for production environments.
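To make the effect of the override switches concrete, the following added example (not PLCnext code and not the controller's implementation) evaluates the five certificate-related checks against a constructed server record and reports which failures a disabled check would silently ignore. Assumptions: the certificate fields are modelled as an already parsed dictionary, 'Application Authentication' is reduced to a single trust flag, URI and hostname are compared against the certificate's subjectAltName entries, and the 'Password Encryption Check' is left out.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

UTC = timezone.utc

# Constructed sample (all values made up): fields a client would extract from
# the server's endpoint description and certificate chain before connecting.
SERVER = {
    "endpoint_url": "opc.tcp://plc-line1.example:4840",
    "application_uri": "urn:example:line1:server",
    "chain_trusted": True,                      # assumed: chains to the trust store
    "san_uris": ["urn:example:line1:server"],   # URI entries in subjectAltName
    "san_hosts": ["plc-old.example"],           # stale hostname left in the cert
    "cert_valid": (datetime(2022, 1, 1, tzinfo=UTC), datetime(2023, 1, 1, tzinfo=UTC)),
    "issuer_valid": (datetime(2020, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC)),
}

def failed_checks(server, now):
    """Return the names of the checks (as labelled on this page) that fail."""
    host = urlparse(server["endpoint_url"]).hostname
    cert_from, cert_to = server["cert_valid"]
    iss_from, iss_to = server["issuer_valid"]
    results = {
        "Application Authentication": server["chain_trusted"],
        "Application Uri Check": server["application_uri"] in server["san_uris"],
        "Certificate Hostname Check": host in server["san_hosts"],
        "Certificate Time Check": cert_from <= now <= cert_to,
        "Certificate Issuer Time Check": iss_from <= now <= iss_to,
    }
    return [name for name, ok in results.items() if not ok]

def evaluate(server, disabled, now):
    """Split failures into those that block the connection and those that a
    disabled check would ignore without any error."""
    failed = failed_checks(server, now)
    blocking = [c for c in failed if c not in disabled]
    masked = [c for c in failed if c in disabled]
    return {"connects": not blocking, "blocking": blocking, "masked": masked}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=UTC)
    print(evaluate(SERVER, set(), now))
    print(evaluate(SERVER, {"Certificate Time Check", "Certificate Hostname Check"}, now))
```

A non-empty `masked` list is the case to look for when reviewing a project: the connection succeeds, but only because a failing check was switched off.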

Timeout settings

In the 'Timeouts' category, you can override the default timeout values that are used in the communication between OPC UA client and OPC UA server. To modify the default values, set the parameter 'Override Session Timeouts' to 'Yes'. The following timeouts can be modified:

| Timeout | Description |
|---|---|
| 'Session Timeout' | Session timeout (in milliseconds) that is used by the server to support the reuse of a session after a lost connection. The server closes the session due to inactivity after the session timeout has expired. |
| 'Connect Timeout' | Session connect timeout (in milliseconds) that is used for connect calls during the connection establishment. If the server does not confirm the connection within the entered time, the connection process is aborted. |
| 'Watchdog Timeout' | Watchdog call timeout (in milliseconds) that is used as connection check and reconnect after connection errors. |
| 'Call Timeout' | General timeout (in milliseconds) for messages between the OPC UA client and OPC UA server. |