Create OPCUA.md #10
Open
Create OPCUA.md #10
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add file for general OPCUA knowledge
3 tasks
doc/specific_iocs/plcs/OPCUA.md
Outdated
| More info can be found [here on Wikipedia for a general overview](https://en.wikipedia.org/wiki/OPC_Unified_Architecture), or for a more detailed description from [OPC Foundation](https://opcfoundation.org/about/what-is-opc/). | ||
|
|
||
| ## How is authentication handled? | ||
| Currently, the IOC does not seem to be able to support encrypted message security policy. It does, however, support “None” security mode, and connecting with a username and password, which also appears to require sending the password encrypted with Basic256 (username and password connection works with None security mode, but does not work if there is no certificate and private key provided via the `opcuaCLientCertificate` option in the `st-common.cmd` or `st.cmd` file, which loads the IOC with some other options. |
There was a problem hiding this comment.
Suggested change
| Currently, the IOC does not seem to be able to support encrypted message security policy. It does, however, support “None” security mode, and connecting with a username and password, which also appears to require sending the password encrypted with Basic256 (username and password connection works with None security mode, but does not work if there is no certificate and private key provided via the `opcuaCLientCertificate` option in the `st-common.cmd` or `st.cmd` file, which loads the IOC with some other options. | |
| Currently, the IOC does not seem to be able to support encrypted message security policy. It does, however, support "None" security mode, and connecting with a username and password, which also appears to require sending the password encrypted with Basic256 (username and password connection works with None security mode, but does not work if there is no certificate and private key provided via the `opcuaCLientCertificate` option in the `st-common.cmd` or `st.cmd` file, which loads the IOC with some other options. |
There was a problem hiding this comment.
which loads the IOC with some other options.
It's unclear to me exactly what this means or refers to?
doc/specific_iocs/plcs/OPCUA.md
Outdated
|
|
||
| More info can be found [here on Wikipedia for a general overview](https://en.wikipedia.org/wiki/OPC_Unified_Architecture), or for a more detailed description from [OPC Foundation](https://opcfoundation.org/about/what-is-opc/). | ||
|
|
||
| ## How is authentication handled? |
There was a problem hiding this comment.
I get that you probably copied these headers from a message/comment I sent previously - but I think they might be clearer on the wiki as headings like "Authentication", "Communication", "Troubleshooting" etc.
I've put this comment once but applies to most of the headers in this file
doc/specific_iocs/plcs/OPCUA.md
Outdated
| Currently, authentication configurations in Windows only seem to work with username and password. This is likely due to functionality missing from the `open62541` library, the open source library that we use in conjunction with `opcua` EPICS module. A username and password is set on the PLC itself, and those values can be read at IOC startup to authenticate, and sent via Basic256 encryption to the PLC to sign in. When implementing/installing onto a new instrument, the `client_private_key.pem`, `cert.txt` (which will need to be edited to reflect current username and password for the target PLC/server), and `OPCUA_01.cmd` should be moved from the Experiment Controls non-public share `OPCUA` folder, to the instrument's configurations area, in a new folder that should be named `opcua`. If done properly, the `opcua` EPICS module should be able to pick up the user name and password, log in to the OPC server properly, and begin a connection. | ||
|
|
||
| ## Do any settings in the PLC side need to be adjusted to get communicating properly? | ||
| On occasion, a client certificate needs to be trusted manually, from the PLC technician side. However, things *_should_* be set up on our PLCs currently deployed; this step is done in deployment/implementation. A security policy might be set that is not what the IOC is trying to use, if everything else seems fine but you are unable to connect. Lastly, another person might be connected to the server (perhaps testing an IOC or something), and they would need to be kicked off in order for the IOC to communicate properly. Speak with Tim Carter or a member of his team to see if this is the case. |
There was a problem hiding this comment.
or a member of his team to see if this is the case.
Which team is this?
doc/specific_iocs/plcs/OPCUA.md
Outdated
| ## How is authentication handled? | ||
| Currently, the IOC does not seem to be able to support encrypted message security policy. It does, however, support “None” security mode, and connecting with a username and password, which also appears to require sending the password encrypted with Basic256 (username and password connection works with None security mode, but does not work if there is no certificate and private key provided via the `opcuaCLientCertificate` option in the `st-common.cmd` or `st.cmd` file, which loads the IOC with some other options. | ||
|
|
||
| Currently, authentication configurations in Windows only seem to work with username and password. This is likely due to functionality missing from the `open62541` library, the open source library that we use in conjunction with `opcua` EPICS module. A username and password is set on the PLC itself, and those values can be read at IOC startup to authenticate, and sent via Basic256 encryption to the PLC to sign in. When implementing/installing onto a new instrument, the `client_private_key.pem`, `cert.txt` (which will need to be edited to reflect current username and password for the target PLC/server), and `OPCUA_01.cmd` should be moved from the Experiment Controls non-public share `OPCUA` folder, to the instrument's configurations area, in a new folder that should be named `opcua`. If done properly, the `opcua` EPICS module should be able to pick up the user name and password, log in to the OPC server properly, and begin a connection. |
There was a problem hiding this comment.
client_private_key.pem,cert.txt
How does one acquire or generate these files? Are they something that was exported from the PLC, or something you generated?
doc/specific_iocs/plcs/OPCUA.md
Outdated
| On occasion, a client certificate needs to be trusted manually, from the PLC technician side. However, things *_should_* be set up on our PLCs currently deployed; this step is done in deployment/implementation. A security policy might be set that is not what the IOC is trying to use, if everything else seems fine but you are unable to connect. Lastly, another person might be connected to the server (perhaps testing an IOC or something), and they would need to be kicked off in order for the IOC to communicate properly. Speak with Tim Carter or a member of his team to see if this is the case. | ||
|
|
||
| ## Where are instrument-specific configs loaded from | ||
| We load instrument specific configs from the $(INSTRUMENT)/configurations/opcua/ folder. This `opcua` folder is created at implementation time, on the `NDX` machine. It should contain a `OPCUA_01.cmd` file, which contains any `DbLoadRecords` calls, and where paths are specified to the `db` files for that `NDX`'s specific `OPCUA` IOC. If an `NDX` is missing an `opcua` folder, create one; if you cannot find it's `OPCUA_01.cmd` file, it _should_ be placed in the Experiment Controls non-public network share, in the `OPCUA` folder, in a folder specific to that `NDX`. For example, `NDXMAPS`'s `OPCUA_01.cmd` file is in `<network share>/OPCUA/MAPS_OPCUA/`. |
There was a problem hiding this comment.
Suggested change
| We load instrument specific configs from the $(INSTRUMENT)/configurations/opcua/ folder. This `opcua` folder is created at implementation time, on the `NDX` machine. It should contain a `OPCUA_01.cmd` file, which contains any `DbLoadRecords` calls, and where paths are specified to the `db` files for that `NDX`'s specific `OPCUA` IOC. If an `NDX` is missing an `opcua` folder, create one; if you cannot find it's `OPCUA_01.cmd` file, it _should_ be placed in the Experiment Controls non-public network share, in the `OPCUA` folder, in a folder specific to that `NDX`. For example, `NDXMAPS`'s `OPCUA_01.cmd` file is in `<network share>/OPCUA/MAPS_OPCUA/`. | |
| We load instrument specific configs from the `$(INSTRUMENT)/configurations/opcua/` folder. This `opcua` folder is created at implementation time, on the `NDX` machine. It should contain a `OPCUA_01.cmd` file, which contains any `dbLoadRecords` calls, and where paths are specified to the `db` files for that `NDX`'s specific `OPCUA` IOC. If an `NDX` is missing an `opcua` folder, create one; if you cannot find it's `OPCUA_01.cmd` file, it _should_ be placed in the Experiment Controls non-public network share, in the `OPCUA` folder, in a folder specific to that `NDX`. For example, `NDXMAPS`'s `OPCUA_01.cmd` file is in `<network share>/OPCUA/MAPS_OPCUA/`. |
Comment on lines
+586
to
+587
| opc | ||
| opcua |
There was a problem hiding this comment.
Is this the preferred stylisation - I thought it was generally OPCUA?
There was a problem hiding this comment.
I think it's technically "OPC UA" annoyingly
There was a problem hiding this comment.
OK - then probably we just need OPC and UA in the wordlist (and maybe OPCUA if we want to refer to the ioc name). But probably not opcua.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add file for general OPCUA knowledge