Many AVEVA™ users are probably already aware of the native connectivity options they have for interfacing with different systems. Many AVEVA users have also turned to TOP Server over the years, both for standardizing device connectivity in a single server and for drivers/protocols not available as native AVEVA options.
Those users of AVEVA System Platform have traditionally connected to TOP Server directly via either its native SuiteLink interface or OPC DA Classic. AVEVA's OI Gateway provides those users the additional option of connecting to OPC UA data sources, for easier and more secure remote connections to such data sources.
In this blog post, we will cover the basic steps to connect AVEVA System Platform to TOP Server via OPC UA, expanding device connectivity options for AVEVA users.
While AVEVA™ users certainly have their own options for connectivity, there are often devices where there isn't an existing OI Server or native driver available. AVEVA users have been using TOP Server for connectivity to a wide range of additional protocols and device types for many years. While System Platform can certainly still connect directly to TOP Server via its native SuiteLink and OPC DA Classic interfaces, if your system architecture requires that System Platform and TOP Server reside on different remote machines, OPC UA is an easier to configure option (no remote DCOM!) that provides greater security, as well.
To that end, TOP Server also has a native OPC UA server interface with multiple supported security encryption policies with or without user authentication via TOP Server's built-in User Manager. Since System Platform can access OPC UA server data sources through the OI Gateway acting as an OPC UA client, users can still take advantage of TOP Server's flexible functionality and driver selection over secure OPC UA connections.
There are five basic steps AVEVA users will need to follow to get System Platform connected to TOP Server using OPC UA.
With TOP Server, there is an extensive list of available drivers to choose from for connectivity to the widest range of PLCs, RTUs, injection molding machines and many other device types (including other OPC DA, OPC XML-DA, DDE and ODBC data sources).
In TOP Server, you'll have a channel, which is where you specify the driver to use and the physical connection/path to the devices under that channel (i.e. a COM port or Ethernet adapter). Under the channel, you'll have a device that represents the physical device or data source you need to collect data from with settings specific to that device. And you'll have tags that represent the variables or parameters that you need to access for that device.
This post assumes that you already have a channel and device configured in TOP Server for communications with the desired device or data source and at least one static tag (if you plan to use static tags in TOP Server - for details on static vs dynamic tag usage with TOP Server, click here).
If not, however, it's easy to get started. While this post isn't intended to focus on setting up those channel, device and tag settings for a specific device, we have some other detailed resources below that cover those steps to help you get started, including a getting started tutorial and other more specific how-to videos by specific topic or driver.
Once your TOP Server is configured with channels, devices and tags, we recommend then confirming successful communication using the OPC Quick Client that installs with TOP Server. This ensures that your TOP Server channel, device and tag settings are correct before moving on to the next steps of getting AVEVA System Platform connected. If you've chosen to use dynamic tags (instead of static tags), we still recommend configuring at least one known good static tag for each device in TOP Server, which allows you to easily launch the OPC Quick Client from the toolbar in TOP Server and have it automatically subscribe to those items for easy confirmation of successful communications.
The OPC Quick Client Users Guide has full details on using the test client. Alternately, we have a how-to tutorial video on using all of the TOP Server testing and troubleshooting tools, including the OPC Quick Client available here.
AVEVA users will also be familiar with "topics" as a way to access a specific device using a specific driver. With TOP Server, you have two options for topics:
Either method results in the topic you'll use during configuration of your items/tags in System Platform later. For instance, in the image above, both of the highlighted aliases are valid topics for the same channel/device - the first is the system generated topic and the bottom one is a user-defined topic with a shortened user-friendly name. Either are valid and either can be used to access the same device. With device communications successfully configured and an associated topic for the device, you can move on to specific settings related to the TOP Server OPC UA server interface.
The settings relevant to TOP Server's OPC UA server interface are located in two parts of the TOP Server configuration settings:
In the TOP Server Configuration, there are general settings related to the OPC UA server interface located in the Project Properties (right-click on “Project” in the tree view and select “Properties”). In the OPC UA section, the majority of these settings can be left at the default values but the following are the 3 most important ones that you’ll need to be aware of here and potentially change from the default values.
TOP Server's built-in User Manager is accessed from the TOP Server Administration system tray icon (right-click and select “Settings” then “User Manager”). The User Manager provides a number of benefits including auditability in your TOP Server event log and granular assignment of permissions by user (even down to the tag level when using the Security Policies plug-in). For our purposes, if you plan to use user authentication with OI Gateway for the connection to TOP Server, you will need at least one user defined with permissions to access TOP Server via OPC UA.
A defined user inherits it's permissions from the group it is assigned to so the actual permissions are defined at the group level in the User Manager. This means a user can belong to any defined group (Administrators, Server Users, User Defined) as long as that group allows the user the required access to the tags you need to read and/or write in TOP Server. Capabilities that you will want your user/users to have at a minimum include:
For more details on using the User Manager and the Security Policies plug-in, we recommend reviewing our blog post on the subject here. Once you have at least one user defined in a group with those permissions, make sure to note the name and password, as you'll need it for configuring the OPC UA client settings in OI Gateway.
And last, but definitely not least, the TOP Server OPC UA Configuration Manager is where the bulk of the connection-specific and security-specific settings for TOP Server are configured. It's accessible by right-clicking on the TOP Server Administration icon in the Windows system tray and selecting “OPC UA Configuration” from the menu.
While you'll notice a number of different sections available, right now, you're only interested in the settings related to OPC UA server endpoints. I'll highlight the relevant settings at this stage in the process below.
Server Endpoints
In case you're not familiar with OPC UA, the endpoint for an OPC UA server is how an OPC UA client specifies a connection. This is equivalent to the OPC DA Server ProgID at a very basic level, if you're more familiar with OPC DA Classic. This section is where you configure the server endpoints that you would like to be available to OI Gateway and any other OPC UA client applications you may have.Again, yes, there are more sections but for the purposes of connecting OI Gateway to TOP Server, these are the only settings needed for now. You'll be coming back to the OPC UA Configuration Manager after the first connection from OI Gateway shortly.
So, for now, you can "Cancel" out of the OPC UA Configuration Manager (as long as you didn't make any changes - if you did make any changes to the Port Number, etc, you'll want to click "OK" instead) and the runtime will need to be reinitialized by right-clicking on the TOP Server Administration system tray icon and selecting "Reinitialize". TOP Server is ready for a connection from OI Gateway.
Next, you need to configure OI Gateway as an OPC UA client and connect it to TOP Server. In the AVEVA System Platform Management Console (SMC), you'll expand "Operations Integration Server Manager" in the tree view, the Node group, the desired Node, then the Operations Integration Supervisory Servers group, then the OI Gateway OPC DA ProgID ("OI.GATEWAY.3").
Click on "Configuration", then right-click and select "Add OPCUA Connection" and give the connection a meaningful name such as "TOP_Server".
For the "OPCUA Server Details", if TOP Server is on the same machine as OI Gateway, you can leave the "Server Node" as "localhost". If they are on separate machines, the "Server Node" will need to be the IP Address or Hostname of the TOP Server machine. And the "OPCUA Server" field should be the endpoint from the TOP Server OPC UA Configuration Manager settings we reviewed earlier (yes, you can paste the endpoint URL here, if you were able to copy it from TOP Server - otherwise carefully enter it here).
By default, OI Gateway uses the most secure options for "Security Policy" and "Security Message Mode" - all of the options currently supported are valid for TOP Server (as long as the policy has been enabled in the TOP Server endpoint. OI Gateway's default is Basic256Sha256, matching the default for the endpoint in TOP Server - so no changes are needed here if the defaults were maintain in your endpoint in TOP Server.
OI Gateway also requires that User Credentials be specified, by default, so you'll need to enter your valid User Name and Password as configured in the TOP Server User Manager, as discussed previous (if you've chosen to allow Anonymous log-in and enabled that earlier in TOP Server, you'll need to also enable "Anonymous User" here in OI Gateway).
At this point, you can click the "Test" button to the right of where you entered the "OPCUA Server" endpoint. You'll get the following message indicating the connection failed.
Assuming the following are true (which are actually conveniently detailed in the error message itself), this is due to the fact that TOP Server doesn't currently trust OI Gateway's security certificate:
So, to allow the Test functionality to work, you need to go back to TOP Server. Back in the OPC UA Configuration Manager, under "Trusted Clients", you should now notice an entry for OI Gateway with a red "X" over the certificate icon at the left of the entry from the attempted test.
You can simply highlight that certificate and click the "Trust" button at the bottom to tell TOP Server to trust OI Gateway connections from that machine using that certificate.
Click "Close" then you'll need to reinitialize the TOP Server runtime service by right-clicking on the TOP Server Administration system tray icon and selecting "Reinitialize" to apply the changes to the runtime.
You can now go back to OI Gateway and the "Test" button will result in a successful test connection (OI Gateway doesn't have any certificate management interface and trusts certificates by default - there is a folder structure under C:\ProgramData\Wonderware\OI-Server\$Operations Integration Supervisory Servers$\OI.GATEWAY\CertificateStores .
The "trusted" folder contains OPC UA server certificates that have previously been trusted (the filename of the certificate is the thumbprint of that certificate - not particularly user-friendly but you can compare these filenames to the Thumbprint field of TOP Server's certificate (accessible in the TOP Server OPC UA Configuration Manager under "Instance Certificates" by clicking the "View server certificate" button and then going to the "Details" tab - the Thumbprint is the last field at the bottom).
Because TOP Server's certificate is in the Trusted folder for OI Gateway and we've trusted OI Gateway's certificate in TOP Server, this allows OI Gateway to securely connect because the client and server trust each other now. You can confirm the Test now works (no, unfortunately, there isn't a message that explicitly confirms the test was successful), you'll notice the OPC UA Namespace at the bottom of the configuration in OI Gateway is now populated for TOP Server.
So we can go ahead and Save our settings by clicking the Save button in the upper right corner of the configuration.
The next step is adding some nodes/tags/items from TOP Server that you want to access with System Platform (or other OPC DA or SuiteLink clients that connect to OI Gateway). So you need to right-click on the OPC UA server under the Configuration branch in the tree view and select "Add OPCUAGroup Connection" - you'll want to enter a meaningful name.
The "Browse OPCUA Server" button will allow you to browse the TOP Server address space.
You can then select the desired data points that you wish to access in the OPCUA Tag Browser window that appears (be patient - it can sometimes take a few seconds and appear that nothing happened when you click the button). The "Add to list" button then adds the selected items.
Click "OK" once all of the desired points have been added - for our purposes, there is a "Tank1_Levels" topic with several data points in this TOP Server that will provide changing data.
Back in the main configuration, you can then go to the "Device Items" tab and confirm that your points have been added to the item list here. Optionally, you may also choose to rename the items here with a more user-friendly name - this is helpful since the "Name" defined here will be used in the SuiteLink Topic attributes as the Item Reference in System Platform . Clicking the Save button at the top-right corner applies the additions and edits.
Now, if your OI Gateway has been deactivated, you'll need to right-click on the top level "OI.GATEWAY.3" in the tree view and select "Activate". Otherwise, you'll need to deactivate then activate to apply the changes to the runtime. Now that OI Gateway is configured, it is typically a good idea to confirm that your configuration is working as expected prior to moving on to the next step.
To that end, you can connect to OI Gateway using a SuiteLink or OPC DA test client (the OPC Quick Client that installs with TOP Server, as shown below which was already installed on the AVEVA System Platform machine, or the Software Toolbox OPC Test Client is available as a standalone installation you can request here. As you can see from the image below, the test client successfully connects to the OPC DA ProgID "OI.GATEWAY.3" and is receiving good quality and values from the TOP Server points configured for the OPC UA connection.
The next step is accessing OI Gateway from System Platform.
4. Configuring AVEVA System Platform DI Objects
The first step is creating/adding an instance of the OPC or SuiteLink Device Integration (DI) object in the desired System Platform (ArchestrA) galaxy, since OI Gateway supports either interface for client connectivity. The following assumes that you already have a WinPlatform, AppEngine and Area created where either of the DI objects can be assigned. For our purposes, we'll use a SuiteLink DI Object below.
In the ArchestrA IDE for the galaxy you want to connect to TOP Server, go to the Template Toolbox under System objects and find the $DDESuiteLinkClient DI object template. Right-click and select New -> Instance which will create a new instance in the "Unassigned Host" folder in the Deployment view which you can rename to something meaningful such as "OIGW_TOP_Server".
You can drag-and-drop the new instance to the desired AppEngine. Then you can double-click on the new instance to open the properties.
The SuiteLink DI object involves configuring the following:
These are the high level settings that get System Platform connected to OI Gateway via the SuiteLink DI Object.
Once the SuiteLink DI object is configured and checked back in, it will be necessary to define an instance of the $AnalogDevice object to represent analog values such as integers and floats (for discrete/boolean values, an instance of the $Discrete Device object would be required and is basically the same process).
So back in the Template Toolbox under System, you need to right-click on $AnalogDevice and select New -> Instance which will add the instance to the "Unassigned Host" folder where you can give it a meaningful name to represent the data points it will be linked to. You can drag-and-drop the instance to the desired Area to assign it.
Double-clicking on the object will open its properties where you need to go to the "Attributes" tab.
Here you need to click the "+" button at the top center of the tab to add an attribute.
Then configure the following:
And last, but not least, once the SuiteLink DI object is configured with the desired items/tags and assigned appropriately depending on your galaxy architecture, it's necessary to deploy the SuiteLink DI object and related Application Objects for the associated tags. This deployment is accomplished the same way as for deploying any other objects and changes in System Platform - by right-clicking on the Galaxy object in System Platform (in the Deployment view) and selecting the "Deploy" option.
And the System Platform Object Viewer can then be used to confirm you are successfully connected and communicating by right-clicking on the Area and selecting "View in Object Viewer".
Underneath the Area branch, you can select the AnalogDevice and/or Discrete Device objects then can find the points/attributes that you added and highlight them then "Add to Watch" if you'd like to watch them update in real-time (though you can already see values and good quality). Once the points have initialized, you can watch the selected attributes/items updating per their defined update rate with good values and quality.
This indicates you're receiving data all the way from TOP Server through the OI Gateway and into System Platform via OPC UA, for easy access to all of your devices over secure remote OPC UA connections.
Don't forget to subscribe to our blog to not only be notified of future posts on TOP Server and AVEVA applications but to also find out about more relevant technical topics applying to industrial process automation and solving related challenges.
Want to try TOP Server for Integrating Your Own Devices with AVEVA System Platform? Download the free trial.