Difference between revisions of "OPC UA for AlphaCom - Installation"

Introduction

This document is an installation manual describing how to install the Vingtor-Stentofon OPC UA Server and all required additional software components.

The Vingtor-Stentofon OPC UA Server makes it possible to control and monitor the Alphacom using the OPC UA protocol.

Scope

The article describes:

• The software packages required for the installation
• Installation of packages
• Configuration of the OPC UA Server, Local Discovery Server and test clients.
• Setup and use of the test OPC UA DA (data) and OPC UA AE (Alarm & Event) Clients

OPC UA clients

This article describes the setup of the OPC UA server and the test clients that come with it. OPC UA clients from other suppliers may have different methods of installing and certificate handling than described in this article for the test clients. Please follow the instructions as supplied with these OPC UA clients. The process normally involves:

• Creating a certificate for the server
• Making the OPC UA Client trust the OPC UA Server by importing the server certificate
• Creating a certificate for the client
• Making the OPC UA Server trust the OPC UA Client by importing the client certificate
• Making the OPC UA Discovery Server and the OPC UA Server trust each other

Prerequisites

Vingtor-Stentofon OPC UA Server is based on .NET version 4.8. This package can be freely downloaded from Microsoft.

Software package contents

The software packages consist of the Vingtor-Stentofon OPC UA package (VS-OPC UA). It installs:

• AE-UATestClientNet4.exe
• DA3TestClientUaNet4.exe
• UaClientConfigHelper.exe
• UaPLUS.Net4.exe
• UaServerConfigHelperNet4.exe
• AlphaOPCConfigurator.exe
• UA Local Discovery Server (OPC Foundation Home Page)
• srvman.exe
• Install_AlphaCom_OPC.bat

Installation

Install the VS-OPC UA package

Double-click on the msi-installation package and follow the instructions:

• VS-OPC UA for AlphaCom_Setup_vx.x.x.x.msi (x.x.x.x is the version number, always check the AlphaWiki download page for the latest version)

Set Administrator Privilages for all executables

By default, the software is installed in the following directory: C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom

Ensure that ALL executables in this directory run in Administrator Mode.

• Right click on each executable and select 'Properties->Compatibility'
• Set check mark in 'Run this program as an administrator'

Install the OPC Core Components

By default the installation package is located in the directory: C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom\OPC Core Components

For 64-bit operating systems it is necessary to install both (x86 and x64) packages

Install the UA Local Discovery Server

The Local Discovery Server (LDS) provides the necessary infrastructure to publicly expose the OPC UA Servers available on a given computer. The LDS is included in the installation package. The latest release can be downloaded from the following link: https://opcfoundation.org/developer-tools/developer-kits-unified-architecture/local-discovery-server-lds

• Navigate to C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom
• Double-click on the installation package and follow the instructions:OPC UA Local Discovery Server x.x.x.exe

Check in the services dialog that OPC UA Local Discovery Server is running and will automatically start at system reboot.

• Open Search Windows and enter Services in the input field. Click on the search result Services

LDS status: Running and Automatic

• Status: Running
• Startup Type: Automatic

In case these settings are not made, right click on the entry in the services dialog and select Properties. Make the appropriate selections under the TAB General and click OK.

UA Security

Introduction

The UA security is based on X509 Certificates. Each UA server and client application requires a certificate with the Application URI of the application.

• Self-signed certificates can be created with the uaPLUS UaServerConfigHelper utility.
• uaPLUS maintains certificates in the Windows Certificates Store.
• The certificates are by default in the stores LocalMachine\UA Applications and LocalMachine\Trusted UA Applications
• The stores are defined in the application UA configuration and can be changed if necessary.
• The UaServerConfigHelper utility creates and imports certificates into the stores defined in the configuration.
• With the server and client on the same machine the certificates are in the right place when created or imported with the Advosol UaServerConfigHelper and UaClientConfigHelper utilities.
• With server and client on different machine the following steps are required:
  • On the server machine create a certificate for the server. UaClientConfigHelper automatically exports created certificates into a .DER file in the utility directory.
  • Copy the client certificate .DER file to the server machine and import it with the UaServerConfigHelper utility.
  • Copy the server .DER certificate file to the client machine and import it. The location depends on the client application. For Advosol UA client applications the UaClientConfigHelper utility imports the certificate to the proper location.

• uaPLUS stores untrusted certificates it receives from connecting clients in the store defined in the UA configuration settings for rejected certificates (default: LocalMachine\Rejected UA Certificates). Instead of importing the client certificate before the client connects, the rejected certificate can be copied after a failed connect. The UaServerConfigHelper utility has an option (MOVE button) to copy the certificate.
• Note: The certificates must be configured for the Windows store type.
• The Windows Certificates manager can be used to check and maintain the certificates beyond the capabilities of the UaServerConfigHelper utility.

Creating a Certificate for uaPLUS Server

The UaServerConfigHelper utility is provided with the uaPLUS server toolkit.

• This utility should be used to edit the UA server configuration file whenever possible.
• The UaServerConfigHelper also supports the import, export and creation of the necessary certificates.
• Certificates need to be created with this tool to meet all UA requirements.
• The Edit UA Configuration dialog edits the UA configuration XML file for the selected application.
• The uaPLUS.Net4.exe is the generic part of the OPC UA server.

Creating a certificate for the server is carried out in the way described below.

Drag the uaPLUS.Net4.exe over the UaServerConfigHelperNet4.exe as shown below.

Drag and drop uaPLUS.Net4.exe onto UaServerConfigHelperNet4.exe

This loads the following window.

UA Server Configuration Helper main screen

• 
  
• Press the Create UA Configuration button and accept any changes
  

Press the Edit UA Configuration to load the following window.

UA Configuration

• Set the Security Policies and User Token Policies flags as shown in the screenshot.
• Set the Trace Configuration Output File directory to C:\Tmp\Log\
• Set the Trace Mask can be changed by clicking the Change button followed by the Set All button and accept with the Set button. Enabling all options will set the trace mask to the value 1023 as shown above.
• Click Save to save the changes.

Click on Certificates to load the following window

Manage Certificates

• 
  
• Click Create to create a certificate.
• Click OK

It is possible to make the OPC-UA Server and the Local Discovery Server trust each other by pushing the button "Exchange the Certificates" in the "Local Discovery Server Certificate" group tile. This can also be setup as described in sections "Make OPC UA Server trust LDS" and "Make LDS trust OPC UA Server".

Now back in the UA Configuration window, click Save and Close
Now back in the Configuration Helper, click on Firewall Exceptions to load the following window

Port 62841 and 62443Open in Firewall

• 
  
• Make certain that port 62841 and 62443 are in the column Ports Open in Firewall.
  • If not, select 62841/62443 from the column Ports Used By Server and press Add Selected
  • Click Done

Now back in the Configuration Helper, click Done

Creating a certificate for clients

This section describes how to create certificates for the test clients.

• In 'real' installations, it will also be required to create certificates for the clients which are installed on the specific site.
• The procedure to create those certificates may differ, please consult the with the clients provided documentation.
• The UaClientConfigHelper utility is provided with the uaPLUS server toolkit.
• This utility is only needed for the configuration of the provided test client applications, mainly the management of the needed certificates.

Creating a Certificate for DA3TestClientUaNet4

To create a certificate for the UA-DA test client drag the DA3TestClientUaNet4.exe over UaClientConfigHelperNet4.exe

Drag and drop DA3TestClientUaNet4.exe onto UaClientConfigHelperNet4.exe

This will load the Client Configuration Helper as shown below.

UA DA Client Configuration Helper main screen

Press the Create UA Configuration button to overwrite the existing file.

Press the Edit UA Configuration button to load the following window

UA DA Client Configuration

• Set the Trace Configuration Output File to C:\Tmp\Log\OPC_UA_DA_Client.log
• Set the Trace Mask can be changed by clicking the Change button followed by the Set All button and accept with the Set button.
• Click Save to save the changes.

Click on the Certificates button to load the below window.

Create UA-DA Client Certificate

Click the Create button to create the Client Certificate

In the Server Certificates group box, click Browse and select the server certificate.

Add server certificate to the UA-DA Client store

Select the Advosol uaPLUS certification and click Select
Back in the Certificate Helper, click OK

Back in the UA Configuration, click Save and Close

Back in the Client Configuration Helper, click Firewall Exceptions

Port 62841

Ensure that that port 62841 is open in the firewall and click Done

Back in the Client Configuration Helper, click Done

Creating a Certificate for AE-UATestClientNet4

To create a certificate for the AE test client drag the AE-UATestClientNet4.exe over UaClientConfigHelperNet4.exe

Drag and drop AE-UATestClientNet4.exe onto UaClientConfigHelperNet4.exe

Follow the directions for the DA Test Client above and exchange "DA" with "AE".
In case this pops

Different Application URI

just push "Yes".

Make Clients Trusted Applications for the Server

Drag the uaPLUS.Net4.exe over the UaServerConfigHelperNet4.exe

Drag and drop uaPLUS.Net4.exe onto UaServerConfigHelperNet4.exe

This loads the Server Configuration Helper

UA Server Configuration Helper main screen

Press the Edit UA Configuration to load the UA Configuration window.

UA Configuration

Click Certificates to open the Manage Certificates window

Import a Client Certificate

Click Import a Client Certificate to load the certificate list

Import the OPC-UA DA and OPC-UA AE Client Certificates

Select first the OPC UA DA Client certificate and subsequently the OPC UA AE client certificate and press Open

Back in the Manage Certificates window, click OK Back in the UA Configuration window, click Save and Close Back in the Configuration Helper window, click Done

Make OPC UA Server trust LDS

In case the OPC-UA Server and the Local Discovery Server are already configured to trust each other from the OPC UA Server configuration - the following two sections sections should be carried out.
The LDS certificate is stored in this location C:\ProgramData\OPC Foundation\UA\pki\own\certs\ualdscert.der.

• Open a Command Prompt as administrator
• Type mmc and press the ENTER-key
• On the File menu, click Add/Remove Snap In
• In the Available snap-ins box, select Certificates
• Click Add
• In the Certificates snap-in dialog box, select Computer account
• Click Next
• Note: If you are not an administrator of the computer, you can manage certificates only for your user account. Select My User account or Service account in the step above instead.
• In the Select Computer dialog box, click Finish
• In the Add/Remove Snap-in dialog box, click OK

In the Console Root window, click Certificates (Local Computer) to view the certificate stores for the computer.

Import LDS certificate into the store

• 
  
• Navigate to Certificates/Trusted UA Applications/Certificates
• Right click on Certifcates and select All Tasks/Import ...
• The 'Certificate Import Wizard' will open. On the Welcome screen, click Next to load the below window
  

Certificate import

• 
  
• Browse to where the certificate is located (C:\ProgramData\OPC Foundation\UA\pki\own\certs) and open. Note that you need to set the file type to All Files.
• Click Next to open the Select Certificate Store window
  

Select certificate store

Set the Certificate Store to Trusted UA Applications if required and click Next

As the last step click Finish - the certificate will now be imported

Make LDS trust OPC UA Server

From the certificate store, Right-click on Advosol uaPLUS Server and select All tasks > Export...

Export OPC UA Server certificate

• The Certificate Export Wizard will open, click on Next
• Select No, do not export the private key and click Next
• Select DER encoded binary X.509 (.CER) and click Next to load the export window

Select OPC UA server certificate

• 
  
• Browse to C:\ProgramData\OPC Foundation\UA\pki\trusted\certs;
• Enter the name of the certificate: Advosol uaPLUS Server.cer;
• click Save,
• click Next

As the last step click Finish - the certificate will now be exported

OPC Client and Server running on the same machine

Skip forward to Startup of Server and Client Connection

OPC Client and Server running on separate Machines

The following section describes how to setup a system where the clients and server are running on separate machines. The following configuration is used:

The main steps of installing certificates for an OPC system, where the client and server are running on separate machines comprises of the following steps:

1) At the server machine:

• Install the Local Discovery Server.
• Configure and create certificate for the server using the UaServerConfigHelper utility.
• Make the OPC UA Server trust the LDS.
• Make the LDS trust the OPC UA Server.
• Copy the OPC UA Server certificate from the directory "C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom" to the same directory of the client machine.

2) At the client machine:

• Configure and create certificates for the OPC UA DA and OPC UA AE clients using the UaClientConfigHelper utility.
• Make the clients trust the OPC UA Server by importing the server certificate.
• Copy the OPC UA Client certificates from the directory "C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom" to the same directory of the server machine.

3) At the server machine:

• Make the server trust the clients by importing the client certificates.
  

Clean up old Certificates

On the MMC – Microsoft Management Console – it is possible to display installed certificates. Before starting it may be appropriate to clean up old certificates and delete certificate in the certificate stores “Trusted UA Applications”, “UA Applications” and C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom.

Install Local Discovery Server (LDS)

Install the Local Discovery Server by double click:

from the installation directory.

Create and Configure Certificates for uaPLUS.Net4 Server

Drag the server application uaPLUS.Net4.exe over the client configuration utility UaServerConfigHelperNet4.exe

Push the “Create UA Configuration”-button.

Push the “Yes”-button.

Push the “Yes”-button.
Push the “Check UA Configuration”-button.

Push the “OK”-button.

Push the “Firewall Exceptions”.
Check that port “62841/62443” are in the “Ports Open in Firewall” column.
Press “Done” when completed.
Press “Edit UA Configuration”.

Set the “Security Policies” check marks as shown.
Select a log-file path and name.
Press the “Change”-button to enable logging levels

Press “Set All” and “Set” to complete this setting.
Press the “Certificates”-button.

Press “Create”-button to create a new self signed server certificate.

Close all windows by:
Press “OK”.
Press “Save and Close”.
Press “Done”.

Check that the server certificate is now store in “Trusted UA Applications/Certifcates” and “UA Applications/Certificates/” stores.

Make the OPC UA Server trust the LDS

On the MMC scroll down to “Trusted UA Applications/Certificates”.

Right click on “Trusted UA Applications/Certificates” and select “All Tasks” and “Import”.

Press “Next”.

Browse to “C:\ProgramData\OPC Foundation\UA\pki\own\certs\” .
Select “All files”.
Select file “ualdcert.der”.
Press “Next”.

Press “Next”.

Press “Finish”.

Press “OK”.

The “UA Local Discovery Server” is now a trusted application:

Make the LDS trust the OPC UA Server

Locate the “Advosol uaPLUS Server” in the “Trusted UA Applications”.
Right click and select “All Tasks” and “Export”.

Press “Next”.

Press “Next”.

Press “Next”.

Browse to directory "C:\ProgramData\OPC Foundation\UA\pki\trusted\certs" and enter file name: “Advosol uaPlus Server”.

Press “Save” (If the certificate is already stored from a previous installation just press “Yes” to the question of overwrite).

Press “Next”.

Press “Finish”.

Press “OK”.

Copy the OPC UA Server certificate from the directory “C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom” to the same directory of the client machine

Create and Configure Certifcate for the DA3TestClientUaNet4 test Client

The certificate for the test client DA3TestClientUaNet4 is created and configured by the means of the configuration utility UaClientConfigHelperNet4

Drag the icon for DA3TestClientUaNet4 over the UaClientConfigHelperNet4.

Press “Yes”.

Press “Check UA Configuration”.

Close pressing “X” in upper right corner.

Press “Firewall Exceptions”.

Check that port “62841” is listed in the column “Ports Open in Firewall”.
Press “X” in upper right corner.
Press “Edit UA Configuration”.

Edit “Output File” for appropriate path and file name.
Press “Change” and set logging level.

Press “Set All”.
Press “Set”.
Press “Certificates”.
Press “Create” in the “Create a new self signed certificate”-pane.

The server certificate from the server machine “C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom” is supposed to be copied to the same directory of the client machine.

To make the client trust the server - in the “Server Certificates” press “Import” and select the Server certificate and press “Open”.

Close all windows by:
Press “OK”
Press “Save and Close”
Press “Done”.

Create and Configure Certificate for the AE-UATestClientUaNet4 Client

The certificate for the test client DA3TestClientUaNet4 is created and configured by the means of the configuration utility UaClientConfigHelperNet4.

Drag the application of the test client AE-UATestClientNet4.exe over configuration utility UaClientConfigHelperNet4.exe

The creation and configuration is carried out as for the DA3TestClientUaNet4 test client with one exception.
Press “Edit UA Configuration”.
Change all “DA” to “AE”

It should now look as:

Insert log output file name.
Push the Trace Mask “Change”-button
Select “Set all”.
Push “Set”-button.

Push the “Certificates”-button.

Push the “Create” button.

In the “Server Certificates” push the “Import” button and select the server certificate.
Press the “Open” button.

Close all windows by:
Push the “OK” button.
Push the “Save and Close” button.
Push the “Done”-button.
The client machine certificate store should now look as:

Copy the OPC UA test client certificates from the directory “C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom” to the same directory of the server machine

Make the Server trust the Client

Drag the server “uaPLUS.Net4” onto the configuration utility “UaServerConfigHelperNet4”.

Push the “Edit UA Configuration”-button.

Push the “Certificates”-button.

In the “Client Certificates” push the “Import a Client Certificate”-button and select the OPCAE.NET.UA test client.
Push the “Open”-button.

Again, in the “Client Certificates” push the “Import a Client Certificate”-button and select the OPCDA.NET.UA test client.

Push the “Open”-button.

Close all windows by:
Pushing the “OK”-button
Pushing the “Save and Close”-button.
Pushing the “Done”-button.

Check “Trusted UA Applications”

Startup of Server / Client Connection

Setup the OPC Server using the OPC Server Configurator tool.

Follow the details here; OPC Classic for AlphaCom - Installation - Zenitel Wiki

Start the server uaPLUS.Net4 and copy the Endpoint URL

Start the OPCDA.NET-UA test client.

In the Browse Server box, type ua: then paste the server URL and press Connect

After connection push “Browse Items” and the list of OPC Data points should populate.

Start the OPCAE.NET-UA test client.
Enter the same Server URL and push “Connect”.

The server shows the two client connections:

Installing the service

In File explorer, navigate to the installation directory C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom
Go to File/Open Windows Powershell/Open Windows Powershell as administrator
Enter .\Install_AlphaCom_OPC.bat and press <Enter>
Edit the configuration file uaPLUS.Net4.Ua.Config.Xml and remove the Thumbprint line of the SecurityConfiguration section - otherwise the service cannot start. Before starting any clients make certain that the AlphaCom_OPC server is running and that the Startup Type has been set to Automatic

Server is running and set to Automatic

AlphaNetServiceProvider

The OPCServerConfigurator utility tool makes it possible to configure whether the OPC-Server is directly or remotely connected to the AlphaCom.

In case the OPC-Server connection to the AlphaCom is configured as a direct connection, the AlphaCom IP-address is specified and which of the two port (61112 or 61113) that should be used.

In case the OPC-Server connection to the AlphaCom is configured as a remote connection, the IP-address of the service provider is specified and which port that should be used. This service provider is name AlphaNetServiceProvider and is currently available in the VS-SDK for AlphaCom installation package. The AlphaNetServiceProvider is also available as a service, which can be installed via the package AlphaNetServiceProviderService_Setup. Configuration of the service is done via the AlphaNetServiceProvider GUI.

Please find the documentation of the AlphaNetServiceProvider at AlphaWiki.

Related articles

• OPC Server
• ServerConfiguration Tool