Twin Config

Twin Configuration

To set up connections to OPC servers, the connection properties must be configured in the OPC Module Twin under a key named "OpcConfigurations". For each OPC server, the following properties must be specified:

  • EndpointId: A custom name that identifies the server. When data retrieval is set up in the Tag Configuration, the tags refer to the server by this Id. It is required because multiple OPC UA servers are supported in Publisher mode.

  • EndpointUrl: The URL to the OPC UA server.

  • Authentication: Possible values are Anonymous (no user credentials) and UsernamePassword (user/password credentials).

If the OPC UA server requires a secure TLS connection, an X509 application certificate is required to secure the communication between the OPC UA client and server. This is independent of the authentication method: Anonymous authentication can still require a secure connection if the OPC UA server demands one.

The OPC UA Client supports both Sign and Sign&Encrypt security modes, and the following security policies:

  • Basic128Rsa15

  • Basic256

  • Basic256Sha256

  • Aes128Sha256RsaOaep

NB: The OPC UA client does not currently support the Aes256_Sha256_RsaPss security policy.

It is possible to configure the application certificate manually in the twin configuration, but if it is not defined, a self-signed certificate is generated automatically. The application certificate can be defined in an extra configuration field containing the certificate payload. The certificate filename and id relate to where the certificate is stored in the Azure Key Vault.

NB: The application certificate must be trusted by the OPC UA server. By default, new certificates are rejected, so when the certificate changes it must be trusted manually on the server, whether it was generated automatically or defined in the twin.

The OPC UA client will automatically generate a new self-signed certificate when the old certificate expires; however, the new certificate must be trusted by the OPC UA server before it takes effect. A warning is logged 14 days before expiry.

The following examples show the module twin desired configuration settings for the different security models:

Anonymous security example

"opcConfigurations": {
  "testServer1": {
    "id": "TestServer1",
    "endpointUrl": "opc.tcp://opcuademo.sterfive.com:26543",
    "endpointId": "TestServer",
    "authentication": "Anonymous"
  }
}

UsernamePassword example

When using UsernamePassword authentication, a username and password must be supplied.

"opcConfigurations": {
  "testServer1": {
    "id": "TestServer1",
    "endpointUrl": "opc.tcp://opcuademo.sterfive.com:26543",
    "endpointId": "TestServer",
    "authentication": "UsernamePassword",
    "username": "user",
    "password": "password"
  }
}

Setting the Application Certificate example

If the OPC UA server requires secure communication, an application certificate must be supplied. The certificatePayload field must contain the payload of the certificate. The certificate filename and id are used for identification in relation to the management portal and are not required when configuring manually. The certificate payload must include the private key and must be saved as either a base64- or UTF-8-encoded string.

"opcConfigurations": {
  "testServer1": {
    "id": "TestServer1",
    "endpointUrl": "opc.tcp://opcuademo.sterfive.com:26543",
    "endpointId": "TestServer",
    "authentication": "UsernamePassword",
    "username": "user",
    "password": "password",
    "certificate": {
      "certificateFilename": "certificate.cer",
      "id": "9cd55993-0be0-4dd8-ab43-ad3693cf5f11",
      "certificatePayload": "MIIDqTCCApGgAwIB.....D45KaB3DNUqtMsauLYPDO3jn83Q="
    }
  }
}

If the application certificate is not defined in the twin configuration, a self-signed application certificate is automatically generated.
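The desired-properties fragments above are easy to get subtly wrong (a missing endpointId, credentials omitted for UsernamePassword, a certificate payload that is neither PEM nor base64), and the module only reports such problems at runtime. The following is an added Python pre-flight check, not code from the OPC module or its documentation, that validates an opcConfigurations fragment against the properties described on this page before it is pushed to the twin. It assumes the key names shown in the examples (endpointId, endpointUrl, authentication, username, password, certificate.certificatePayload), treats a duplicate endpointId across servers as an error (an assumption: the page says the Id identifies a server for the Tag Configuration, which only works if it is unique), and uses a heuristic for the payload: PEM text must contain a private key block, otherwise the string must decode as base64 to DER (first byte 0x30). The sample twin is constructed here and contains no real credentials.

```python
from __future__ import annotations

import base64
from urllib.parse import urlsplit

# Constructed sample fragment in the shape the page documents; one healthy server,
# one deliberately broken entry. Credentials and certificate bytes are placeholders.
SAMPLE_TWIN = {
    "opcConfigurations": {
        "testServer1": {
            "id": "TestServer1",
            "endpointUrl": "opc.tcp://opcuademo.sterfive.com:26543",
            "endpointId": "TestServer",
            "authentication": "UsernamePassword",
            "username": "user",
            "password": "password",
            "certificate": {
                "certificateFilename": "certificate.cer",
                "id": "placeholder-certificate-id",
                # Placeholder: base64 of a DER-looking header, not a real certificate.
                "certificatePayload": base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode(),
            },
        },
        "broken": {
            "endpointUrl": "http://example.invalid",
            "authentication": "Certificate",
        },
    }
}

VALID_AUTH = {"Anonymous", "UsernamePassword"}          # values listed on the page
REQUIRED = ("endpointId", "endpointUrl", "authentication")


def check_certificate_payload(payload: str) -> list[str]:
    """Heuristic check of certificatePayload: PEM with a private key, or base64 DER."""
    if "-----BEGIN" in payload:
        # UTF-8 PEM form: the page requires the private key to be included.
        if "PRIVATE KEY-----" not in payload:
            return ["certificatePayload is PEM but contains no private key block"]
        return []
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["certificatePayload is neither PEM nor valid base64"]
    if not raw or raw[0] != 0x30:  # DER structures start with a SEQUENCE tag
        return ["certificatePayload base64 does not decode to a DER structure"]
    return []


def validate_endpoint(name: str, cfg: dict) -> list[str]:
    """Return human-readable problems for one server entry (empty list if clean)."""
    problems = []
    for key in REQUIRED:
        if not cfg.get(key):
            problems.append(f"{name}: missing required property '{key}'")
    url = cfg.get("endpointUrl", "")
    if url and urlsplit(url).scheme != "opc.tcp":
        problems.append(f"{name}: endpointUrl must use the opc.tcp scheme")
    auth = cfg.get("authentication")
    if auth is not None and auth not in VALID_AUTH:
        problems.append(f"{name}: unsupported authentication '{auth}'")
    if auth == "UsernamePassword":
        for key in ("username", "password"):
            if not cfg.get(key):
                problems.append(f"{name}: UsernamePassword requires '{key}'")
    cert = cfg.get("certificate")
    if cert is not None:
        payload = cert.get("certificatePayload")
        if not payload:
            problems.append(f"{name}: certificate block has no certificatePayload")
        else:
            problems.extend(f"{name}: {p}" for p in check_certificate_payload(payload))
    return problems


def validate_twin(twin: dict) -> list[str]:
    """Validate every server under opcConfigurations; endpointId must be unique."""
    configs = twin.get("opcConfigurations")
    if not isinstance(configs, dict) or not configs:
        return ["opcConfigurations key is missing or empty"]
    problems = []
    seen_ids: dict[str, str] = {}
    for name, cfg in configs.items():
        problems.extend(validate_endpoint(name, cfg))
        eid = cfg.get("endpointId")
        if eid in seen_ids:
            problems.append(f"{name}: endpointId '{eid}' already used by {seen_ids[eid]}")
        elif eid:
            seen_ids[eid] = name
    return problems


if __name__ == "__main__":
    for line in validate_twin(SAMPLE_TWIN) or ["no problems found"]:
        print(line)
```

Run it against the desired-properties JSON before deploying; the healthy entry produces no findings, while the broken one is flagged for the missing endpointId, the non-opc.tcp URL and the unsupported authentication value. The payload check is only a sanity filter: whether the certificate is actually accepted still depends on the server trusting it, as the NB above describes.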
