If you've been following our ongoing Exploring OPC UA blog series, we've been covering key Software Toolbox solutions and the specifics of configuring OPC UA security and connectivity.
In this seventh post of the series, we will focus on OPC Data Logger, specifically stepping through settings related to security, endpoints and certificate management and connecting OPC Data Logger to OPC UA servers for logging data.
OPC Data Logger is designed as an effective solution for reliable, event-driven logging of data from OPC server data sources (both OPC UA and OPC DA) to SQL and ODBC databases (including Microsoft Azure SQL) or text and CSV files. The wizard-based interface creates a flexible configuration which can be scaled with ease. And OPC Data Logger is OPC Foundation lab-certified to ensure compatibility with OPC certified servers.
OPC UA Configuration Components in OPC Data Logger
The settings relevant to OPC UA in OPC Data Logger can be found in several different locations:
1. OPC Data Logger UA Configuration
Accessible under the Tools -> UA Options -> Configuration menu in the OPC Data Logger Configuration window, this is where security instance certificates are managed for the OPC Data Logger and for OPC UA servers, as well as optional registration with an OPC UA discovery server.
The following sections are available:
- Trusted Server
This section is where certificates are managed for the OPC UA server or servers that you wish to log data from. In order for OPC Data Logger to connect to an OPC UA server, the server must trust OPC Data Logger and OPC Data Logger must trust the OPC UA server. This is accomplished by exchanging security instance certificates.
If you have attempted to connect to an OPC UA server without first exchanging security instance certificates, the connection will likely fail and you will find the certificate of the server located in the Rejected Certificates section you see here. To trust that server, simply highlight its certificate and click the right >> button to move it to the Trusted Certificates section.
Alternatively, if you have previously trusted an OPC UA server but wish to revoke that trust, simply find its certificate in the Trusted Certificates section and click the left << button to move it to the Rejected Certificates section.
You can also export your OPC UA server certificate (consult the documentation for your OPC UA server for details on exporting the security instance certificate) and use the Import button here to trust the server in advance of attempting a connection. Just click the Import button and browse to the certificate file (with a .der or .cer extension).
You can also easily delete any trusted or rejected certificates here as needed.
- Client Certificate
This section is where you manage OPC Data Logger's own security instance certificate.
By default, OPC Data Logger generates a self-signed certificate upon install. You can View the details for the certificate currently issued, you can Export the certificate and then import it into your OPC UA server (consult the documentation for your OPC UA server for details on importing security instance certificates from UA clients) or you can Import certificates from third-party certificate authorities (such as Thawte, Verisign, etc.).
You can also reissue the self-signed certificate using the Create New Certificate option and entering the available fields including the valid duration before the certificate expires and your organization name and location details.
- Advance Configuration
And, while OPC Data Logger doesn’t install with one, the Advance Configuration section is available to define any Local Discovery Server (LDS) services that you may have installed either on the same machine as OPC Data Logger or on another machine that is network accessible by OPC Data Logger. This includes the Local Discovery Server available from the OPC Foundation (available to registered users).
A discovery server for OPC UA is a dedicated service with which an OPC UA server can register, allowing OPC UA clients like OPC Data Logger to then look at the LDS to “browse” for available OPC UA servers they can connect to. Again, for those familiar with OPC DA Classic, this is similar to what you might be used to with OPCEnum for browsing OPC DA servers.
You can either select an existing Discovery URL from the dropdown, if available, or manually enter the Local Discovery Server's endpoint URL (such as opc.tcp://127.0.0.1:4840 for a local server) and click the Add button which will allow you to browse the discovery server when defining an OPC UA Data Collector in OPC Data Logger.
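Before moving a certificate from Rejected to Trusted, or importing an exported .der/.cer file, it is worth confirming that the file is the one the server administrator actually exported. The following is an added example, not part of OPC Data Logger or the original post: it computes the thumbprints of an exported certificate file (binary DER or Base64/PEM) and compares them with a reference value obtained out of band. The sample bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed stand-in bytes, NOT a real certificate: hashing only depends on
# the exact bytes of the exported file.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample-certificate-body"


def load_der(file_bytes: bytes) -> bytes:
    """Return DER bytes for a .der file or a Base64 (PEM) encoded .cer file."""
    stripped = file_bytes.strip()
    if stripped.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    return file_bytes


def thumbprints(file_bytes: bytes) -> dict:
    """SHA-1 (the thumbprint form OPC UA defines) and SHA-256 of the DER form."""
    der = load_der(file_bytes)
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


def normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as copied from another tool."""
    return "".join(ch for ch in fingerprint.lower() if ch in "0123456789abcdef")


def matches_expected(file_bytes: bytes, expected: str, algo: str = "sha256") -> bool:
    """True only if the file's thumbprint equals the one obtained out of band."""
    actual = thumbprints(file_bytes)[algo]
    return hmac.compare_digest(actual.encode(), normalize(expected).encode())


if __name__ == "__main__":
    pem_copy = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")
    reference = thumbprints(SAMPLE_DER)["sha256"].upper()
    print("DER and PEM exports agree:", thumbprints(pem_copy) == thumbprints(SAMPLE_DER))
    print("matches reference:", matches_expected(pem_copy, reference))
    print("tampered file matches:", matches_expected(SAMPLE_DER + b"\x00", reference))
```

The same comparison applies in the other direction when the server administrator imports OPC Data Logger's exported client certificate.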
2. OPC Data Logger Data Collector Wizard
The settings for connecting to your OPC UA server in OPC Data Logger such as the endpoint and security settings are defined in the Data Collector configuration, which is wizard driven (you can also manually add Data Collectors but using the wizard is the recommended method).
Simply right-click on the Data Collection section of the tree view under Global Components and select Data Collector Wizard to launch the wizard.
The wizard steps you through the entire configuration in the following key steps:
- Selecting the Data Collector Type
Here you simply select OPC Unified Architecture (UA) Interface from the type dropdown.
- Naming your Data Collector
Here you give the new Data Collector a meaningful or "friendly" name that represents it in the OPC Data Collector, such as the name of the OPC UA server you'll be connecting to.
- Configuring the OPC UA Endpoint, Security and Authentication options
Here is the meat of the OPC UA configuration as it pertains to your specific OPC UA server. If a Local Discovery server is available, you can select it from the dropdown and click "Get Server Endpoint". Otherwise, assuming a discovery server is not available, you can simply enter the endpoint from your OPC UA server here and click "Get Security Modes".
You can then select the desired level of encryption (including None, if so desired) from the "Security" dropdown, which will only display security policies enabled and supported by your OPC UA server.
Additionally, if you want to use user authentication to access your OPC UA server (or if your OPC UA server doesn't support anonymous log-in) you will enable "Use Authentication" here and enter a valid Username and Password as defined in your OPC UA server. To use anonymous log-in, if your UA server supports it and you don't wish to use authentication, simply leave "Use Authentication" disabled here.
Also, the "Show Configuration" button is another method to access the UA Configuration settings that we covered previously.
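Because the "Security" dropdown lists whatever the server has enabled, including None, it helps to review the advertised options before picking one. The following is an added example, not part of OPC Data Logger or the original post: it audits a list of endpoint descriptions (security mode plus security policy URI) and returns the first one with no findings. The endpoint records, the server URL and the function names are constructed for illustration; the policy names are the standard OPC UA security policy identifiers.

```python
from dataclasses import dataclass

CURRENT_POLICIES = {"Basic256Sha256", "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"}
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}  # both rely on SHA-1


@dataclass(frozen=True)
class Endpoint:
    url: str
    mode: str        # "None", "Sign" or "SignAndEncrypt"
    policy_uri: str  # e.g. http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256


def audit(ep: Endpoint, use_authentication: bool) -> list:
    """Return the reasons this endpoint should not be selected (empty = fine)."""
    policy = ep.policy_uri.rsplit("#", 1)[-1]
    findings = []
    if ep.mode == "None" or policy == "None":
        findings.append("channel is neither signed nor encrypted")
        if use_authentication:
            findings.append("Use Authentication is enabled on an unencrypted channel")
    elif policy in DEPRECATED_POLICIES:
        findings.append(f"{policy} is a deprecated security policy")
    elif policy not in CURRENT_POLICIES:
        findings.append(f"{policy} is not a recognised security policy")
    if ep.mode == "Sign":
        findings.append("messages are signed but logged values travel unencrypted")
    return findings


def choose(endpoints, use_authentication=False):
    """First advertised endpoint with no findings, or None if every one has some."""
    for ep in endpoints:
        if not audit(ep, use_authentication):
            return ep
    return None


BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
URL = "opc.tcp://ua-server.example:4840"  # hypothetical server, constructed sample
SAMPLE_ENDPOINTS = [
    Endpoint(URL, "None", BASE + "None"),
    Endpoint(URL, "SignAndEncrypt", BASE + "Basic256"),
    Endpoint(URL, "Sign", BASE + "Basic256Sha256"),
    Endpoint(URL, "SignAndEncrypt", BASE + "Basic256Sha256"),
]
```

A result of None from `choose` means the server itself needs a stronger policy enabled before the Data Collector is configured.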
Connecting OPC Data Logger to your OPC UA Server
Using the information we’ve just discussed, you can get OPC Data Logger configured to connect to your OPC UA server. You’ll want to step through the following list, as a general rule (or watch our tutorial video on connecting OPC Data Logger to TOP Server here for an example):
1. Make sure your other OPC UA server is properly configured to accept OPC UA client connections including enabling the interface (if applicable), having your OPC UA endpoint configured and any username/password authentication set up properly (consult the help documentation for your other OPC UA server for details on preparing for OPC UA clients to connect including how to export the security instance certificate).
2. You’ll need the following details from your other OPC UA server in order to configure the OPC Data Logger to connect:
   - OPC UA endpoint URL (including Port)
   - The security instance certificate from that OPC UA server.
3. Import the security instance certificate from your other OPC UA server in the OPC Data Logger UA Configuration under “Trusted Server” by clicking the “Import” button and browsing to the certificate file from Step 2 above.
4. Export the security instance certificate for the OPC Data Logger in the UA Configuration under “Client Certificate” by clicking the “Export” button.
5. Import the OPC Data Logger security instance certificate into your OPC UA server and trust it (consult the help documentation for your other OPC UA server to determine how to import and trust client certificates).
6. Configure a new Data Collector by right-clicking on "Data Collection" and selecting "Data Collector Wizard" and step through the wizard:
   - Select "OPC Unified Architecture (UA) Interface" from the Data Collector type.
   - Give the new Data Collector a meaningful name.
   - If a Discovery Server is available, select it from the dropdown. Otherwise, enter the endpoint URL of your OPC UA server in the "Server Url" field and click "Get Security Modes".
   - Select the desired security encryption method from the "Security" dropdown.
   - If using username/password authentication (leave unchecked if your UA server supports anonymous login and you plan to not use authentication), enable "Use Authentication" and enter a valid Username and Password for your UA server (consult your UA server documentation for details on defining user security).
   - Complete the new Data Collector by finishing the wizard.
7. The remainder of the configuration is specific to configuration of data presentations, data storage and other non-OPC UA related configuration. For how-to videos on logging to text files and databases, click here.
For a walkthrough of connecting OPC Data Logger via OPC UA to TOP Server, watch the detailed how-to video here. As always, you can try out everything we've just covered yourself with the free trial of OPC Data Logger.
Subscribe to our blog to stay tuned for the rest of this series where we will continue looking at how to specifically secure more OPC UA solutions available from Software Toolbox, which should be useful to our users migrating to OPC UA but uncertain of how to take full advantage of the security benefits.