Easily Manage OPC UA Endpoint and Security Settings

Comprehensive management for OPC UA endpoints and security settings

The TOP Server OPC UA Configuration Manager is accessible through the TOP Server Administration system tray icon and provides centralized management of all OPC UA server endpoints, their associated ports and supported security and encryption settings and management for trust relationships with OPC UA servers and clients.

The OPC UA Configuration Manager is also key to managing secure certificates whether you're self-issuing an OPC UA certificate or importing a certificate from a third-party firm.

Two key sections for TOP Server OPC UA server configuration

There are two places in TOP Server with OPC UA server related settings:

  • Project Properties - contains general settings such as enabling the OPC UA interface, enabling/disabling anonymous authentication from OPC UA clients, the maximum number of connections allowed and more.

  • OPC UA Configuration Manager - contains sections for defining one or more OPC UA server endpoints for OPC UA client access of your TOP Server including encryption, self-issuing certificates, importing and exporting certificates and managing trust relationships with OPC UA clients and other OPC UA servers (for details on the OPC UA Client Driver, click here).

Configuring the OPC UA Project Properties

The first step of configuring OPC UA access for TOP Server is located in the TOP Server Configuration under the Project Properties under the OPC UA section. Most settings here can be left at the default - the key settings of interest here are the following:

  • Enable - Defaults to No for secure-out-of-the-box operations. You'll need to set this to "Yes" if you plan to use the OPC UA server interface for connectivity from your OPC UA client applications.
  • Log Diagnostics - Defaults to No - Only set this to "Yes" if you need to troubleshoot OPC UA client connection issues - this allows OPC UA calls to be logged to the OPC Diagnostics and does result in some additional resource usage while enabled.
  • Allow Anonymous Login - Defaults to No - Only set this to "Yes" if you are certain that your company and/or control network is isolated from external access, since this allows OPC UA client connections without requiring a username and password (see TOP Server User Manager for details on defining users). Anonymous login also removes any record of which user performed an operation, so it is recommended to consult your IT and/or cybersecurity departments prior to changing this setting.

The Client Sessions and Browsing sections are described in detail in the help file and control how the TOP Server behaves when OPC UA clients attempt to connect to the TOP Server. For most applications, these can remain at the defaults.

OPC UA Security Configuration

OPC UA security configuration is accomplished in the OPC UA Configuration Manager, which can be found by right-clicking on the TOP Server Administration system tray icon.

This part of the configuration is needed if connecting with any OPC UA client or using the TOP Server OPC UA Client Driver to connect to other OPC UA servers. You must have administrative permissions on the operating system for access to this part of the configuration.


OPC UA Server Endpoint Configuration

An OPC UA server endpoint is a URL that OPC UA clients use to access the OPC UA server (if you're more familiar with OPC DA Classic, this is the OPC UA equivalent of a ProgID). Most OPC UA servers (including TOP Server) can support multiple endpoints for different purposes including different levels of security and whether the endpoint is accessible from an external machine or not.

The server endpoint is where you can define the following parameters for connecting an OPC UA client application:

  • Network Adapter - Allows you to specify the NIC that should be used for OPC UA communications with this endpoint - this will determine the IP Address and Host Name associated with this endpoint for external access.  Specifying "Localhost Only" restricts access to this endpoint to only OPC UA clients installed on the same machine as TOP Server.
  • Port Number - This port number is configurable and is included as part of the server endpoint URL used by the OPC UA client. For successful OPC UA communications with this endpoint through a secure firewall, you will need to discuss the necessary port requirements for your company with your IT department.
  • Security Policies - These settings define the encryption and signing behavior supported by this endpoint.
    • Policies:
      • None (Disabled by default)
      • Basic128Rsa15 (Enabled by default)
      • Basic256 (Enabled by default)
    • Signing/Encryption Options:
      • Sign
      • Sign and Encrypt
      • Sign; Sign and Encrypt (Default)

Of the policies listed above, the most secure endpoint would enable only Basic256 with Sign and Encrypt (with all other options disabled). The least secure endpoint would enable only None (with all other options disabled) - this is NOT recommended, because with a policy of None the channel is neither signed nor encrypted and anything on the network path can read or alter the data. Be aware that Basic128Rsa15 and Basic256 both rely on SHA-1 and have since been deprecated by the OPC Foundation; if the version of TOP Server you are running offers a SHA-256 based policy such as Basic256Sha256, prefer it over the two listed here.

For a more in-depth explanation of how OPC UA encryption and signing keeps your process data secure, review our blog series on Exploring OPC UA.
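
The following is an added example, not TOP Server code or text from the original page. It audits what an OPC UA client would see for each endpoint (the security policy, message security mode and accepted user token types that the GetEndpoints service returns) and flags the combinations discussed above and in the Project Properties section: a policy of None, Sign without encryption, anonymous login, and a weak endpoint bound to a network adapter rather than Localhost Only. The rating table, the weights and the sample endpoint descriptions are the editor's own constructions; the port number is a sample value and the policy URIs and enumeration values are those defined by the OPC UA specification.

```python
"""Audit OPC UA endpoints the way a client sees them via GetEndpoints.

Added example (standard library only). The sample endpoints are CONSTRUCTED
to mirror the settings discussed on this page; the ratings and weights are
the editor's, not a TOP Server setting.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"

# Basic128Rsa15 and Basic256 rely on SHA-1 and are deprecated by the OPC
# Foundation; the SHA-256 based policies are the ones to prefer where a
# server offers them (this page lists only the first three for TOP Server).
POLICY_RATING = {
    "None": "insecure",
    "Basic128Rsa15": "deprecated",
    "Basic256": "deprecated",
    "Basic256Sha256": "ok",
    "Aes128_Sha256_RsaOaep": "ok",
    "Aes256_Sha256_RsaPss": "ok",
}

# MessageSecurityMode and UserTokenType enumerations from OPC UA Part 4.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE = 0, 1, 2

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class Endpoint:
    """The subset of an EndpointDescription this audit needs."""
    url: str                   # opc.tcp://host:port
    security_policy_uri: str   # full policy URI as returned by the server
    security_mode: int         # MessageSecurityMode value
    user_token_types: tuple    # UserTokenType values the endpoint accepts


def policy_name(uri: str) -> str:
    """Strip the OPC Foundation prefix so 'Basic256' etc. can be looked up."""
    return uri[len(POLICY_BASE):] if uri.startswith(POLICY_BASE) else uri


def audit_endpoint(ep: Endpoint) -> list:
    """Return (weight, message) findings; an empty list means nothing to flag."""
    findings = []
    policy = policy_name(ep.security_policy_uri)
    rating = POLICY_RATING.get(policy, "unknown")
    if rating == "insecure" or ep.security_mode == MODE_NONE:
        findings.append((3, "no channel protection (policy None / mode None)"))
    elif rating == "deprecated":
        findings.append((1, f"policy {policy} is SHA-1 based and deprecated"))
    elif rating == "unknown":
        findings.append((2, f"policy {policy} is not a recognised OPC UA policy"))
    if ep.security_mode == MODE_SIGN:
        findings.append((1, "mode Sign: integrity only, traffic is readable"))
    if TOKEN_ANONYMOUS in ep.user_token_types:
        findings.append((2, "anonymous user token accepted: no user authentication"))
    host = urlparse(ep.url).hostname
    if findings and host not in LOOPBACK:
        # Weak settings on Localhost Only are a testing convenience; the same
        # settings on a NIC are the combination this page warns against.
        findings.append((2, f"weak endpoint bound to {host}, not Localhost Only"))
    return findings


def severity(ep: Endpoint) -> int:
    return sum(weight for weight, _ in audit_endpoint(ep))


def weakest_endpoint(endpoints):
    """The endpoint a reviewer should look at first."""
    return max(endpoints, key=severity)


# Constructed sample of what GetEndpoints might return (port is a sample value).
SAMPLE_ENDPOINTS = [
    # The page's "least secure" case: None, exposed on a plant NIC, anonymous.
    Endpoint("opc.tcp://192.0.2.10:49380", POLICY_BASE + "None", MODE_NONE,
             (TOKEN_ANONYMOUS, TOKEN_USERNAME)),
    # A default-style policy with Sign only.
    Endpoint("opc.tcp://192.0.2.10:49380", POLICY_BASE + "Basic256", MODE_SIGN,
             (TOKEN_USERNAME,)),
    # The page's "most secure" case among the listed policies.
    Endpoint("opc.tcp://192.0.2.10:49380", POLICY_BASE + "Basic256",
             MODE_SIGN_AND_ENCRYPT, (TOKEN_USERNAME,)),
    # Localhost Only test endpoint: weak, but not reachable from the network.
    Endpoint("opc.tcp://localhost:49380", POLICY_BASE + "None", MODE_NONE,
             (TOKEN_ANONYMOUS,)),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep.url, policy_name(ep.security_policy_uri), "mode", ep.security_mode)
        for weight, message in audit_endpoint(ep) or [(0, "nothing to flag")]:
            print(f"   [{weight}] {message}")
```

Against a live server the same logic runs over the EndpointDescription list any OPC UA client library returns from GetEndpoints; the point is that a single endpoint with None or anonymous enabled on a routable adapter undoes the protection of the others, because the client chooses which endpoint to use.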

OPC UA Trusted Clients Configuration

This section of the OPC UA Configuration Manager controls which OPC UA client applications have certificates that are trusted for connecting to TOP Server. Only trusted OPC UA clients will be able to successfully connect to TOP Server.

There are two methods for trusting your OPC UA client's security certificate in the TOP Server OPC UA Configuration Manager:

  1. Import the certificate file (.der or .cer) from your OPC UA client prior to attempting the connection using the "Import" button in this section of the TOP Server OPC UA configuration.
  2. Attempt to connect from your OPC UA client first (yes, it will fail) - the certificate from your OPC UA client will then be listed in the OPC UA Configuration Manager with an "X" mark showing that it is untrusted. Highlight the certificate in the list and click the "Trust" button. Before doing so, view the certificate and compare its thumbprint with the value the client's administrator can read from their side: the listing only proves that something connected using that certificate, not that it was your client.

Additionally, you can later Reject any certificates or Remove them from the list if you decide you want to revoke this trust in the future. You can also View Certificate properties here.
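
The check described above, as an added example using only the Python standard library (it is not TOP Server code, and the same check applies to the Trusted Servers section for the OPC UA Client Driver). OPC UA identifies an application instance certificate by the SHA-1 hash of its DER encoding, the value certificate viewers display as the Thumbprint. Comparing the thumbprint of each pending certificate against one supplied out of band decides what to Trust and what to Reject. The certificate contents here are constructed placeholder bytes rather than real certificates, and the application and file names are assumptions; the DER/PEM handling and hashing are what you would run against real .der or .cer files.

```python
"""Verify an OPC UA certificate's thumbprint before trusting it.

Added example (standard library only), not TOP Server code. The certificate
bytes below are CONSTRUCTED placeholders standing in for .der/.cer files.
"""
import base64
import hashlib

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the file is raw DER or a PEM-wrapped .cer."""
    body = data.strip()
    if body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER):
        inner = body[len(PEM_HEADER):-len(PEM_FOOTER)]
        return base64.b64decode(b"".join(inner.split()))
    return data


def thumbprint(cert_file: bytes) -> str:
    """OPC UA thumbprint: SHA-1 over the DER encoding, as upper-case hex."""
    return hashlib.sha1(to_der(cert_file)).hexdigest().upper()


def normalise(printed: str) -> str:
    """Viewers print thumbprints with spaces or colons; keep only the hex."""
    return "".join(ch for ch in printed.upper() if ch in "0123456789ABCDEF")


def decide_trust(pending: dict, expected: dict) -> dict:
    """pending:  file name -> bytes of a certificate listed as untrusted
       expected: application name -> thumbprint supplied out of band
       returns:  file name -> ("trust", application name) or ("reject", None)
    """
    allow = {normalise(tp): app for app, tp in expected.items()}
    decisions = {}
    for name, data in pending.items():
        app = allow.get(thumbprint(data))
        decisions[name] = ("trust", app) if app else ("reject", None)
    return decisions


def pem_wrap(der: bytes) -> bytes:
    """Produce the PEM form some vendors still save with a .cer extension."""
    return PEM_HEADER + b"\n" + base64.encodebytes(der) + PEM_FOOTER + b"\n"


# Constructed stand-ins for DER certificate files (not real X.509 data).
GENUINE_HMI_DER = b"\x30\x82" + bytes(range(62))
IMPOSTOR_DER = b"\x30\x82" + bytes(range(1, 63))

# The thumbprint the HMI's administrator read out over the phone. It is
# derived here only so the sample runs offline; in practice it comes from
# the other party, never from the file you are about to trust.
EXPECTED = {"PlantHMI": " ".join(thumbprint(GENUINE_HMI_DER)[i:i + 2]
                                 for i in range(0, 40, 2))}

# What the Trusted Clients list might show after three connection attempts.
PENDING = {
    "PlantHMI.der": GENUINE_HMI_DER,
    "PlantHMI_copy.cer": pem_wrap(GENUINE_HMI_DER),   # same cert, PEM-wrapped
    "PlantHMI.der (2)": IMPOSTOR_DER,                 # same name, other cert
}

if __name__ == "__main__":
    for name, decision in decide_trust(PENDING, EXPECTED).items():
        print(f"{name:20s} {thumbprint(PENDING[name])}  -> {decision}")
```

The third entry is the case the comparison exists for: a certificate that arrived under the client's name but does not match the thumbprint you were given is rejected, whatever its subject says.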

OPC UA Discovery Servers Configuration

Any OPC UA server (including TOP Server) may register with an OPC UA Discovery Server in order to make its endpoint information available to OPC UA clients for browsing purposes. In order to perform this registration, TOP Server must know what endpoint or endpoints to use for registering with that Discovery Server.

The certificate of the Discovery Server must be obtained and stored in TOP Server's trusted certificate store.

In the same fashion, the TOP Server's UA server certificate must be obtained and stored in the UA Discovery Server's trusted certificate store.

The OPC UA Configuration Manager provides the ability to import, remove and view trusted Discovery Server endpoints that will be identified to the UA server interface.

NOTE: While TOP Server does NOT install with its own OPC UA Discovery Server, registering with third-party OPC UA Discovery Servers is supported.

OPC UA Trusted Servers Configuration

Since TOP Server can also act as an OPC UA client to other OPC UA servers using the OPC UA Client driver (part of the TOP Server OPC Client Suite), this section pertains to OPC UA server certificates that have been trusted for connectivity by that driver. NOTE: This section will only be displayed if the OPC UA Client driver is actually installed.

As with the Trusted Clients section, the same functionality is present here for importing the certificates of any OPC UA servers that you need to connect TOP Server to, for trusting OPC UA servers you want to connect to, and for rejecting and/or removing certificates of OPC UA servers that you choose not to trust.

OPC UA Instance Certificates Configuration

This section allows management of the OPC UA security certificates for both the TOP Server OPC UA server interface and the OPC UA Client driver. This section makes it possible to do the following for both server and client interfaces:

  • View certificate - these buttons open the properties of the respective certificate, including who it was issued to, who it was issued by, its validity period, the security policy used and other details.
  • Export certificate - these buttons allow you to export the server certificate for import into an OPC UA client, or to export the client certificate for import into an OPC UA server.
  • Reissue certificate - these buttons allow you to reissue the self-signed certificates issued by TOP Server for either interface. This invalidates the previous certificate, and with it the trust relationship with any OPC UA client or server you previously established using that certificate; you will need to re-establish that trust to connect again successfully.
  • Import certificate - these buttons allow you to import a certificate to be used for the respective client or server interface. Certificates must be in the PKCS12 format (.pfx extension) and must contain both the instance certificate and private key (they may also be password protected). This makes it possible to use certificates from third-party certificate authorities such as Verisign or others.
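
An added example, using the Python `cryptography` package rather than any TOP Server code, of what the Import button expects and what a reissue does to trust. It builds an OPC UA application instance certificate with the extensions OPC UA Part 6 requires (a SubjectAltName carrying the ApplicationUri and the host name, KeyUsage for signing and key transport, ExtendedKeyUsage serverAuth and clientAuth), packages it with its private key as a password-protected PKCS#12 (.pfx) bundle, and reads the bundle back the way an importer would. It self-signs so it runs offline; a certificate from a third-party CA would be signed with the CA's key instead but must carry the same extensions. The ApplicationUri, host name, subject names and password are assumptions. Generating the certificate a second time stands in for "Reissue": the thumbprint changes, which is why every peer that trusted the old certificate must be given the new one.

```python
"""Build an OPC UA instance certificate and package it as a .pfx for import.

Added example using the `cryptography` package, not TOP Server code.
The ApplicationUri, host name, subject and password are assumed values.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

APPLICATION_URI = "urn:plant-hmi01:SoftwareToolbox:TOPServer"   # assumed
HOST_NAME = "plant-hmi01"                                       # assumed


def make_instance_certificate(application_uri: str, host_name: str, days: int = 365):
    """Return (private_key, certificate) shaped like an OPC UA instance cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "TOP Server OPC UA"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Plant"),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)               # self-signed; a CA would sign instead
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        # Peers match the URI here against the ApplicationUri the server
        # announces, and the DNS name against the endpoint host.
        .add_extension(x509.SubjectAlternativeName([
            x509.UniformResourceIdentifier(application_uri),
            x509.DNSName(host_name),
        ]), critical=False)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=True,
            key_encipherment=True, data_encipherment=True,
            key_agreement=False, key_cert_sign=False, crl_sign=False,
            encipher_only=False, decipher_only=False,
        ), critical=True)
        .add_extension(x509.ExtendedKeyUsage([
            ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH,
        ]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def to_pfx(key, cert, password: bytes) -> bytes:
    """PKCS#12 with certificate and private key, protected by a password."""
    return pkcs12.serialize_key_and_certificates(
        name=b"TOP Server UA instance certificate", key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def inspect_pfx(data: bytes, password: bytes) -> dict:
    """Read a .pfx back: does it hold a cert plus the matching private key,
    and what will a peer see when deciding whether to trust it?"""
    key, cert, _chain = pkcs12.load_key_and_certificates(data, password)
    spki = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "has_private_key": key is not None
        and key.public_key().public_bytes(*spki) == cert.public_key().public_bytes(*spki),
        "application_uri": san.get_values_for_type(x509.UniformResourceIdentifier),
        "host_names": san.get_values_for_type(x509.DNSName),
        "thumbprint": cert.fingerprint(hashes.SHA1()).hex().upper(),
    }


if __name__ == "__main__":
    key, cert = make_instance_certificate(APPLICATION_URI, HOST_NAME)
    info = inspect_pfx(to_pfx(key, cert, b"change-me"), b"change-me")
    print("importable:", info["has_private_key"], "thumbprint:", info["thumbprint"])
    key2, cert2 = make_instance_certificate(APPLICATION_URI, HOST_NAME)   # "Reissue"
    print("after reissue:", cert2.fingerprint(hashes.SHA1()).hex().upper())
```

A bundle that loads but reports `has_private_key` as False (certificate only, or a key that does not match) is the usual cause of a failed import; a bundle whose SubjectAltName URI does not match the ApplicationUri the server announces will import but be rejected by strict clients.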

Important Notes:

  • Download the OPC UA Configuration Manager Help File (PDF)
  • If the "Trusted Servers" section is not visible, the OPC UA Client driver was NOT selected for install during the TOP Server installation. If you need to connect TOP Server to another OPC UA server, you will need to run the TOP Server installation again, perform a Modify operation and make sure to select the OPC UA Client driver (or the entire OPC Client Suite) from the available options.
  • Reissuing a client or server certificate will invalidate TOP Server's trust relationship with any OPC UA clients or server where you have previously exchanged certificates. As such, it will be necessary to re-establish those connections and trust relationships after reissuing a certificate.
  • Higher levels of encryption provide the greatest level of security (i.e. Basic256 with Sign and Encrypt should be selected in your TOP Server OPC UA server endpoint for the greatest level of security). Be aware that this also can introduce additional latency or overhead for your OPC UA connections using that endpoint. Discuss with your IT department the architecture of your network and what level of encryption and signing will be best for your systems to achieve the desired level of security.
  • It is NOT recommended to use a security policy of None or anonymous user authentication for production OPC UA connections to TOP Server. These options are provided for initial setup and testing within networks that already implement other security measures such as firewalls; once connectivity is confirmed, raise the security policy and authentication settings according to your IT department's recommendations.

Get Started Now

The demo is the full product once licensed. Once a client application connects to the TOP Server, the TOP Server runtime will operate for 2 hours at a time. At the end of the 2 hour demo period, the demo timer must be reset by restarting the TOP Server runtime service.

Connect with Us

1-888-665-3678 (US + Canada toll free)
+1-704-849-2773 (Global)
support.softwaretoolbox.com