Accessing AVEVA System Platform with TOP Server via OPC UA

Are you an AVEVA™ System Platform user but you also have some other client or system (HMI, SCADA, other) and need that system to access data from System Platform?  It's a use case that sometimes occurs if your company is acquired another company and a non-AVEVA HMI/SCADA came as part of the assets.  Or perhaps your company merged with another and now your AVEVA system is expected to integrate with other systems.  Your options for sharing data largely depend on what software interfaces these "other systems" support.

In this blog post, I'll discuss how to share your AVEVA System Platform 2020 (or newer) data via OPC UA (without using OI Gateway) using the TOP Server OPC UA Client driver for situations where you have another non-OPC UA capable client application that needs access to process data in your AVEVA system.

Starting with AVEVA System Platform 2020 and newer, a native OPC UA server interface is available in System Platform for sharing data with external OPC UA capable client applications. So, obviously, if your other system can act as an OPC UA client, you can connect it directly to System Platform. However, if your other system cannot act as an OPC UA client, how are we going to make this work?

Using an older version of System Platform? Click Here for Our Other How-To

Well, you could certainly use the OI Gateway to expose the System Platform data externally. However, for users looking for alternatives or needing to connect a system via an interface that isn't supported by OI Gateway, the the TOP Server OPC UA Client driver makes it possible to convert data from OPC UA servers like System Platform 2020 or newer to its other supported client interfaces including DDE clients, OPC DA clients, SuiteLink clients, and even GE Intelligent Platforms iFIX NIO/PDB clients. And with a variety of optional plug-ins, other interfaces could be possible (for example, with the SNMP Agent plug-in, data could be made available to SNMP management clients).

To share AVEVA System Platform data with other systems via OPC UA Client connection, there are 3 main steps:

1. Configure the OPC UA Server Interface in AVEVA System Platform 2020 or Newer

The first step is creating and configuring an instance of the OPC UA Service in your System Platform ArchestrA IDE that will be accessible with the desired Port and security settings for external OPC UA client applications. So we need to do the following:

1. Inside the ArchestrA IDE, in the menu bar at the top we select Galaxy -> Configure -> ArchestrA Services.
   
   
   
   
2. This launches the "Configure ArchestrA Services" dialog where we need to expand the IDE name.
   
   
   
   
3. Next, we find "Aveva.OPCUAService.[Version]" in the list, right-click and select "Create" to create a new instance of the OPC UA Service (if you have a default instance already created that you wish to use, you can skip this step).
   
   
   
   
4. Expanding "Aveva.OPCUAService.[Version]" in the tree hierarchy shows the new instance with the default name of "OPCUAService_001" - to edit this, we need to right-click on the new instance and select "Check-out" to permit us to make the required changes.
   
   
   
   
5. It's now possible to make edits to the following properties of the OPC UA Service instance in the right-hand pane of "Configure ArchestrA Services".
   
   
   
   
   1. Port Number - this defines the port portion of the endpoint that OPC UA clients will need to use to access this OPC UA server instance (as well as, the port that will need to be allowed in any firewalls between the OPC UA client and server machines). The default is 48031. Consult your IT department for the best port to specify for your particular application.
      
      
   2. Require encrypted communication between OPC UA clients and this server instance - By default, this setting is enabled, requiring that all OPC UA clients that want to connect to this OPC UA server instance must be using encryption (System Platform currently supports Basic256SHA256 with SignAndEncrypt - so the OPC UA client needs to use the same exact level of encryption).
      
      Disabling this setting, which is not recommended, will allow OPC UA clients to connect without using any encryption, lowering the security level on your System Platform IDE and adding risk from outside security threats. This is especially true for applications where you plan to allow OPC UA clients to write to your IDE. Consult your IT department to discuss the risks of disabling this setting on your network.
      
      
   3. Allow anonymous client connection (no username/password) - Leaving this setting enabled will allow any OPC UA client to connect to this OPC UA server instance without specifying an approved username and password. This is not recommended, as it removes an additional layer of security.
      
      
   4. Allow authenticated Galaxy Users to write attributes, depending on their security role - Leaving this setting enabled will allow IDE/Galaxy users that have provided a valid username/password when connecting to this OPC UA server instance and that user has the appropriate security role for changing attributes to perform writes. Disabling this setting will essentially make all OPC UA connections to this server instance read-only regardless of the authentication used.
      
      
   5. Assignments - Deployment hosts that are available for deploying this OPC UA Server instance will be available to select here. Depending on what host you select, the Assignment plus the previously defined Port Number will determine the OPC UA Endpoint URL that an OPC UA client will need to use to connect.
      
      For example, if the hostname is "WWSP2020R2" with the default Port of 48031, then the OPC UA Endpoint URL will be:
      
      opc.tcp://WWSP2020R2:48031
      
      
6. Once the above settings have been configured as desired or required for your application, we click the "Update" button to apply any changes.
   
   
   
   
7. Next, we need to right-click on the instance again in the tree hierarchy and select "Check-In" to check the instance back in after the edits have been applied.
   
   
   
   
8. And last but not least, we need to deploy the new OPC UA server instance by right-clicking on the instance again and selecting "Deploy". This pushes the service to the selected Assignment node where it will begin running and be available to OPC UA clients.
   
   
   
   
9. We can now go ahead and close out of the "Configure ArchestrA Services" dialog window, as configuration on the OPC UA server side is complete for now (we'll revisit trusting the OPC UA client certificate after the initial OPC UA client connection attempt from the TOP Server OPC UA Client driver).

NOTE: Depending on how your IT department has security configured on both the client and server machines, it may be necessary to request a firewall exception for the TCP port you specify for the OPC UA server. Please consult your IT department.

2. Configure TOP Server OPC UA Client Driver as an OPC UA Client Connecting to AVEVA System Platform

Now that the OPC UA server service for System Platform has been configured and deployed, the next step is configuring the TOP Server OPC UA Client driver to act as an OPC UA client to that server with the following configuration:

1. First we need to add a new channel, which represents the connection to the OPC UA server. To do so, we'll right-click on the Connectivity branch of the tree view in TOP Server and select "New Channel".
   
   
   
   
   1. Then we need to select the OPC UA Client driver from the list of available drivers under channel type.
      
      
      
   2. Then we need to give the channel a representative name.
      
      
      
   3. We can then maintain defaults for Write Optimizations and Duty Cycle just click next until we get to the section for defining the OPC UA endpoint and security.
      
      
      
   4. Here we can enter the full URL referenced in the properties of the OPC UA Service instance in System Platform that we saw earlier.  And the default settings for "Security Policy" and "Message Mode" of "Basic256Sha256" and "Sign and Encrypt" match the defaults for the OPC UA server instance. So we can go ahead and click Next.
      
      
   5. We can click Next through the next section, as it is specific to timings and other UA specific details that are generally okay left at the defaults, which brings us to the authentication section. To perform writes or if anonymous connections in the OPC UA settings in System Platform have been disabled, this where the "Username" and "Password" for the System Platform galaxy need to be entered.
      
      
      
   6. Then we’ll click Next, review the settings for the channel and click Finish to complete the channel portion of the TOP Server configuration.
      
      
      
2. Now we need to add a new device to this channel by right-clicking on the channel and selecting "New Device".
   
   
   
   
   1. Then we need to give the device a representative name for what data it will be accessing.
      
      
      
   2. The next section defines the scan mode, which we’ll keep at the default and click Next.
      
      
   3. The Publishing Interval is essentially the frequency that you want to receive updates from the underlying OPC UA server. The default of every second or 1000 ms is good for our purposes but you would want to adjust this to your desired update frequency. Additionally, the update mode defaults to “Exception” which is the recommended update mode, as it is the most efficient as it only requests updates on changed data. Poll mode performs asynchronous reads for all tags regardless of whether the data has changed.
      
      
      
   4. The defaults are recommended in the majority of situations (beyond the Publishing Interval) so we can click Next through the next few sections to get to the section pertaining to Node/Item import, where we click the "Select import items" button.
      
      
      
   5. Now, assuming the UA server instance is available, you'll receive the following warning prompt because the UA server certificate is not trusted by TOP Server and TOP Server's UA Client certificate is not trusted by System Platform. Click OK to close the prompt.
      
      
      
      
   6. So we first need to right-click on the system tray icon for TOP Server Administration (if it's not shown, you can launch it from the Programs menu under Software Toolbox). And we select "OPC UA Configuration" from the resulting menu. (If your TOP Server has user management enabled, you will be prompted to enter your username and password credentials).
      
      
      
      
   7. Here we need to go to the "Trusted Servers" section, where we'll find that the certificate for the System Platform ASB OPC UA Server instance is currently untrusted.
      
      
      
      
   8. To trust the certificate, simply highlight the certificate in the list and click the Trust button at the bottom (notice the red "X" goes away meaning the certificate is trusted) then click Close.
      
      
      
      
   9. Now, to apply that change, we must reinitialize the server. First, though, we need to go back to our device wizard and finish the device configuration (we'll come back to import the tags afterwards).
      
      
   10. So we go ahead and click Next where we'll review the device summary and click Finish to complete the device configuration.
       
       
       
   11. Now we can reinitialize the runtime by right-clicking on the system tray TOP Server Admin icon again and selecting "Reinitialize". 
       
       
       
   12. Now, we can go back into our device properties by double-clicking on the new device and then going to the "Tag Generation" section, where we can click on the blue "Select import items" link. But we get the same error prompt - because we now need to go tell System Platform to trust TOP Server's certificate.
       
       
       
       
   13. So, before we can browse and select our OPC UA node/items, we need to complete that trust relationship:
       
       
       1. 1. On the System Platform galaxy machine, we need to browse to C:\ProgramData\AVEVA\PCS\OPC UA Rejected Client Certificates\certs where we find the .der certificate for the TOP Server UA Client Driver.
             
             
             
             
          2. Next we need to install the certificate so that it will be trusted. To do this, we need to right-click on the .der file and select "Install Certificate".
             
             
             
             
          3. This launches the Certificate Import Wizard. We need to select "Local Machine" for the Store Location and click Next.
             
             
             
             
          4. Now we select "Place all certificates in the following store", click Browse and select "Trusted People" from the list, then click Next.
             
             
             
             
          5. Confirm the settings are correct and click Finish.
             
             
             
             
          6. Then you'll get a confirmation that the certificate was successfully imported.
             
             
             
             
   14. Now we can go back to TOP Server and browse for the items we’re interested in. You can see that we’re now able to successfully browse the tags in the System Platform galaxy via the OPC UA server instance. Expanding down the tree view, we find the desired topics under the "Model View" and select the desired nodes/items by highlighting them and clicking the “Add items” button.
       
       
       
       
   15. Also, in order to ensure TOP Server uses the correct data type for the nodes/items being accessed, it is recommended to enable the "Import as Default Data Type" option. This allows TOP Server to resolve to the correct data type for each item upon connecting to System Platform (NOTE: Not enabling this option could result in your tags/items being created with an incorrect data type). Clicking OK will complete the item selection.
       
       
   16. Then click OK again to close the device properties which results in TOP Server automatically generating static tags and a folder structure corresponding to the System Platform items we browsed to and selected.
       
       
   17. Launching the OPC Quick Client, the OPC DA classic test client that installs with TOP Server, allows us to confirm that we’re getting good quality and changing values for the items from System Platform.
       
       

3. Connect Other Systems to TOP Server's Other Supported Interfaces to Use the Data Points from AVEVA System Platform

With the System Platform data now available in TOP Server, it can be used with any of the other supported client interfaces that TOP Server supports, including OPC DA client, DDE client, NIO/PDB client, and more simply by referencing the channel/device topic that is configured to access System Platform using the OPC UA Client driver.

We have a selection of how-to video resources for connecting to TOP Server (and other TOP Server how-to topics) available here. And a selection of how-to applications notes for TOP Server available here.

So, as you can see, TOP Server makes it straightforward to share your AVEVA System Platform data with other systems that can't natively act as an OPC UA client applications.  Try it for yourself with our fully functional free two hour trial of TOP Server.