OPC UA for AlphaCom - Installation
Contents
- 1 Introduction
- 2 Scope
- 3 OPC UA clients
- 4 Prerequisites
- 5 Software package contents
- 6 Software installation
- 7 UA Local Discovery Server
- 8 UA Security
- 8.1 Introduction
- 8.2 Creating a Certificate for uaPLUS Server
- 8.3 Creating a certificate for clients
- 8.4 Creating a Certificate for DA3TestClientUaNet4
- 8.5 Creating a Certificate for AE-UATestClientNet4
- 8.6 Make Clients Trusted Applications for the Server
- 8.7 Make OPC UA Server trust LDS
- 8.8 Make LDS trust OPC UA Server
- 9 OPC Client and Server running on separate Machines
- 9.1 Clean up old Certificates
- 9.2 Install Local Discovery Server (LDS)
- 9.3 Create and Configure Certificates for uaPLUS.Net4 Server
- 9.4 Make the OPC UA Server trust the LDS
- 9.5 Make the LDS trust the OPC UA Server
- 9.6 Create and Configure Certificate for the DA3TestClientUaNet4 test Client
- 9.7 Create and Configure Certificate for the AE-UATestClientUaNet4 Client
- 9.8 Make the Server trust the Client
- 9.9 Startup of Server / Client Connection
- 10 Installing the service
- 11 Server Browsing
- 12 AlphaNetServiceProvider
- 13 Related articles
Introduction
This document is an installation manual describing how to install the Vingtor-Stentofon OPC UA Server and all required additional software components. The Vingtor-Stentofon OPC UA Server makes it possible to control and monitor the AlphaCom using the OPC UA protocol.
Scope
The article describes:
- The software packages required for the installation
- Installation of packages
- Configuration of the OPC UA Server, Local Discovery Server and test clients.
- Setup and use of the test OPC UA DA (data) and OPC UA AE (Alarm & Event) Clients
OPC UA clients
This article describes the setup of the OPC UA server and the test clients that come with it. OPC UA clients from other suppliers may use different methods for installation and certificate handling than those described in this article for the test clients. Please follow the instructions supplied with these OPC UA clients. The process normally involves:
- Making the OPC UA Client trust the OPC UA Server by importing the server certificate
- Creating a certificate for the client
- Making the OPC UA Server trust the OPC UA Client by importing the client certificate
Prerequisites
Vingtor-Stentofon OPC UA Server is based on .NET version 4.6.2. This package can be freely downloaded from Microsoft.
Software package contents
The software packages consist of the Vingtor-Stentofon OPC UA package (VS-OPC UA). It installs:
- AE-UATestClientNet4.exe
- DA3TestClientUaNet4.exe
- UaClientConfigHelper.exe
- UaPLUS.Net4.exe
- UaServerConfigHelperNet4.exe
- AlphaOPCConfigurator.exe
- UA Local Discovery Server (OPC Foundation Home Page)
- srvman.exe
- Install_AlphaCom_OPC.bat
Software installation
Double-click on the msi-installation package and follow the instructions:
- VS-OPC UA for AlphaCom_Setup_vx.x.x.x.msi (x.x.x.x is the version number, always check the AlphaWiki download page for the latest version)
By default, the software is installed in the following directory: C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom
Ensure that ALL executables in this directory run in Administrator Mode.
Right click on each executable and select 'Properties->Compatibility'. Set check mark in 'Run this program as an administrator'. This is necessary because the executable accesses restricted areas.
Install the Advosol OPC Core Components Redistributable. By default the installation package is located in the directory: C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom\OPC Core Components. For 64-bit operating systems it is necessary to install both (x86 and x64) packages.
UA Local Discovery Server
The Local Discovery Server (LDS) provides the necessary infrastructure to publicly expose the OPC UA Servers available on a given computer. The LDS is included in the installation package. The latest release can be downloaded from the following link: https://opcfoundation.org/developer-tools/developer-kits-unified-architecture/local-discovery-server-lds
- Navigate to C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom
- Double-click on the installation package and follow the instructions: OPC UA Local Discovery Server x.x.x.exe
Check in the services dialog that OPC UA Local Discovery Server is running and will automatically start at system reboot.
- Open Search Windows and enter Services in the input field. Click on the search result Services
- Status: Running
- Startup Type: Automatic
In case these settings are not made, right click on the entry in the services dialog and select Properties. Make the appropriate selections on the General tab and click OK.
UA Security
Introduction
The UA security is based on X509 Certificates.
Each UA server and client application requires a certificate with the Application URI of the application.
Self-signed certificates can be created with the uaPLUS UaServerConfigHelper utility. uaPLUS maintains certificates in the Windows Certificates Store.
The certificates are by default in the stores LocalMachine\UA Applications and LocalMachine\Trusted UA Applications
The stores are defined in the application UA configuration and can be changed if necessary.
The UaServerConfigHelper utility creates and imports certificates into the stores defined in the configuration.
With the server and client on the same machine the certificates are in the right place when created or imported with the Advosol UaServerConfigHelper and UaClientConfigHelper utilities.
With server and client on different machines the following steps are required:
- On the server machine create a certificate for the server. UaClientConfigHelper automatically exports created certificates into a .DER file in the utility directory.
- Copy the client certificate .DER file to the server machine and import it with the UaServerConfigHelper utility.
- Copy the server .DER certificate file to the client machine and import it. The location depends on the client application. For Advosol UA client applications the UaClientConfigHelper utility imports the certificate to the proper location.
uaPLUS stores untrusted certificates it receives from connecting clients in the store defined in the UA configuration settings for rejected certificates (default: LocalMachine\Rejected UA Certificates). Instead of importing the client certificate before the client connects, the rejected certificate can be copied after a failed connect. The UaServerConfigHelper utility has an option (MOVE button) to copy the certificate. Note: The certificates must be configured for the Windows store type.
The Windows Certificates manager can be used to check and maintain the certificates beyond the capabilities of the UaServerConfigHelper utility.
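The certificates exchanged in the steps above are self-signed, so comparing the thumbprint is the only way to tell that a .DER file copied between machines is the one that was created on the other side. The following PowerShell is an added example, not part of the Advosol or Zenitel tooling; the function names are hypothetical, and the file name and expected thumbprint are placeholders to be replaced with real values.

```powershell
# Added example, not part of the Advosol or Zenitel tooling.
# Run on the machine that received the .DER file, before importing it.
function Get-UaCertificateInfo {
    param([Parameter(Mandatory)][string]$Path)

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # The Subject Alternative Name extension (OID 2.5.29.17) carries the Application URI.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try     { $digest = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', '' }
    finally { $sha256.Dispose() }

    [pscustomobject]@{
        Subject        = $cert.Subject
        SelfSigned     = ($cert.Subject -eq $cert.Issuer)
        NotAfter       = $cert.NotAfter
        Expired        = ((Get-Date) -gt $cert.NotAfter)
        Sha1Thumbprint = $cert.Thumbprint      # the value Windows shows as "Thumbprint"
        Sha256         = $digest
        SubjectAltName = if ($san) { $san.Format($false) } else { '(none)' }
    }
}

function Test-UaCertificateFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # read on the originating machine
    )
    $info = Get-UaCertificateInfo -Path $Path
    # Strip spaces, colons and stray characters picked up when copying from a dialog.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $ok   = ($info.Sha1Thumbprint -eq $want) -and (-not $info.Expired)
    $info | Add-Member -NotePropertyName SafeToImport -NotePropertyValue $ok -PassThru
}

# Usage (file name and thumbprint are placeholders to replace):
#   Test-UaCertificateFile -Path '.\<client-certificate>.der' -ExpectedThumbprint '<thumbprint>'

# Certificates uaPLUS has rejected after a failed connect (default store named in this article).
# Compare each thumbprint with the client's own before using the MOVE button.
Get-ChildItem -Path 'Cert:\LocalMachine\Rejected UA Certificates' -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint, NotAfter
```

Import the file only when SafeToImport is True and the SubjectAltName shows the Application URI of the application the certificate is meant to represent.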
Creating a Certificate for uaPLUS Server
The UaServerConfigHelper utility is provided with the uaPLUS server toolkit. This utility should be used to edit the UA server configuration file whenever possible. The UaServerConfigHelper also supports the import, export and creation of the necessary certificates. Certificates need to be created with this tool to meet all UA requirements. The Edit UA Configuration dialog edits the UA configuration XML file for the selected application.
The uaPLUS.Net4.exe is the generic part of the OPC UA server. Creating a certificate for the server is carried out in the way described below.
Drag the uaPLUS.Net4.exe over the UaServerConfigHelperNet4.exe. This gives quick access to the server configuration:
Press the Create UA Configuration button and accept any changes.
Press the Edit UA Configuration and check if it looks as shown below. 'User Name' is not supported in the current version of the server.
Note: The default directory for the trace log file is where the executables are installed:
C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom. This is a restricted area. Therefore, the log file name specification should be prefixed with for instance C:\Tmp\Log\ as is shown in the picture above.
The Trace Mask can be changed by clicking the Change button. Enabling all options will set the trace mask to the value 1023 as shown above.
Click Save to save the changes.
Click on Certificates
Click Create to create a certificate.
Click OK
Click Save and Close
In the UA Server Configuration Helper main screen, click on Firewall Exceptions. Make certain that port 62841 is in the column Ports Open in Firewall.
Click Done
Click Done
Creating a certificate for clients
The paragraphs below describe how to create certificates for the test clients. In 'real' installations, it will also be required to create certificates for the clients which are installed on the specific site. The procedure to create those certificates may differ; please consult the documentation provided with those clients.
The UaClientConfigHelper utility is provided with the uaPLUS server toolkit.
This utility is only needed for the configuration of the provided test client applications, mainly the management of the needed certificates.
The main dialog manages the configuration files.
Creating a Certificate for DA3TestClientUaNet4
To create a certificate for the UA-DA test client drag the DA3TestClientUaNet4.exe over UaClientConfigHelperNet4.exe
Press the Create UA Configuration-button to overwrite the existing file.
Press the Edit UA Configuration-button.
Note: The default directory for the trace log file is where the executables are installed:
C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom. This is a restricted area. Therefore, the log file name specification should be prefixed with for instance C:\Tmp\Log\ as is shown in the picture above.
The Trace Mask can be changed by clicking the Change button. Enabling all options will set the trace mask to the value 1023 as shown above.
Click Set, Save and Certificates.
Click Create
In the Server Certificates group box, click Browse and select the server certificate.
Click Select
Click OK
Click Save and Close
Click Firewall Exceptions
Check that port 62841 is open in the firewall.
Click Done
Click Done
Creating a Certificate for AE-UATestClientNet4
To create a certificate for the AE test client drag the AE-UATestClientNet4.exe over UaClientConfigHelperNet4.exe
Press the Create UA Configuration-button to overwrite the existing file.
Press the Edit UA Configuration-button.
Note: The default directory for the trace log file is where the executables are installed:
C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom. This is a restricted area. Therefore, the log file name specification should be prefixed with for instance C:\Tmp\Log\ as is shown in the picture above.
The Trace Mask can be changed by clicking the Change button. Enabling all options will set the trace mask to the value 1023 as shown above.
Click Set, Save and Certificates.
Click Create
In the Server Certificates group box, click Browse and select the server certificate.
Click Select
Click OK
Click Save and Close
Click Firewall Exceptions
Check that port 62841 is open in the firewall.
Click Done
Click Done
Make Clients Trusted Applications for the Server
Drag the uaPLUS.Net4.exe over the UaServerConfigHelperNet4.exe
Press the Edit UA Configuration
Click Certificates
Click Import a Client Certificate
Select first the OPC UA DA Client certificate and subsequently the OPC UA AE client certificate
Click OK
Click Save and Close
Click Done
Make OPC UA Server trust LDS
The LDS certificate is stored in this location C:\ProgramData\OPC Foundation\UA\pki\own\certs\ualdscert.der.
Open a Command Prompt as administrator
Type mmc and press the ENTER-key
On the File menu, click Add/Remove Snap In
In the Available snap-ins box, select Certificates
Click Add
In the Certificates snap-in dialog box, select Computer account
Click Next
Note: If you are not an administrator of the computer, you can manage certificates only for your user account. Select My User account or Service account in the step above instead.
In the Select Computer dialog box, click Finish
In the Add/Remove Snap-in dialog box, click OK
In the Console Root window, click Certificates (Local Computer) to view the certificate stores for the computer.
Navigate to Certificates/Trusted UA Applications/Certificates
Right click on Certificates and select All Tasks/Import ...
The 'Certificate Import Wizard' will open. On the Welcome screen, click Next
Browse to where the certificate is located (make certain to search for 'All files *.*') and click Next
In the following step, browse to Trusted UA Applications and click Next
As the last step click Finish - the certificate will now be imported
Make LDS trust OPC UA Server
Open a Command Prompt as administrator
Type mmc and press the ENTER-key
On the File menu, click Add/Remove Snap In
In the Available snap-ins box, select Certificates
Click Add
In the Certificates snap-in dialog box, select Computer account
Click Next
Note: If you are not an administrator of the computer, you can manage certificates only for your user account. Select My User account or Service account in the step above instead.
In the Select Computer dialog box, click Finish
In the Add/Remove Snap-in dialog box, click OK
In the Console Root window, click Certificates (Local Computer) to view the certificate stores for the computer.
Navigate to Certificates/Trusted UA Applications/Certificates
Right-click on Advosol uaPLUS Server and select All tasks > Export...
The Certificate Export Wizard will open, click on Next
Select No, do not export the private key and click Next
Select DER encoded binary X.509 (.CER) and click Next
Browse to C:\ProgramData\OPC Foundation\UA\pki\trusted\certs; Enter the name of the certificate: Advosol uaPLUS Server.cer; click Save, click Next
As the last step click Finish - the certificate will now be exported
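The two MMC procedures above (server trusts LDS, LDS trusts server) can also be scripted. This PowerShell is an added example, not taken from the Zenitel or Advosol documentation; it uses the paths and store name given in this article and assumes the server certificate's subject contains "Advosol uaPLUS Server", the name shown in the MMC steps.

```powershell
# Added example: scripted equivalent of the two MMC procedures above.
# Run in an elevated PowerShell session on the server machine.
$ldsOwnCert   = 'C:\ProgramData\OPC Foundation\UA\pki\own\certs\ualdscert.der'
$ldsTrustDir  = 'C:\ProgramData\OPC Foundation\UA\pki\trusted\certs'
$trustedStore = 'Cert:\LocalMachine\Trusted UA Applications'
$serverName   = 'Advosol uaPLUS Server'   # assumption: matches the certificate subject

foreach ($p in $ldsOwnCert, $ldsTrustDir, $trustedStore) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing: $p" }
}

# 1. Make the OPC UA Server trust the LDS.
$lds = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ldsOwnCert)
if ((Get-Date) -gt $lds.NotAfter) { throw "LDS certificate expired on $($lds.NotAfter)" }
Import-Certificate -FilePath $ldsOwnCert -CertStoreLocation $trustedStore | Out-Null

# 2. Make the LDS trust the OPC UA Server: export the public certificate only.
$server = @(Get-ChildItem -Path $trustedStore |
    Where-Object { $_.Subject -like "*$serverName*" })
if ($server.Count -ne 1) {
    throw "Expected one '$serverName' certificate in $trustedStore, found $($server.Count)."
}
$outFile = Join-Path $ldsTrustDir "$serverName.cer"
# -Type CERT writes a DER-encoded .cer file; the private key is never included.
Export-Certificate -Cert $server[0] -FilePath $outFile -Type CERT -Force | Out-Null

# 3. Confirm both sides now hold the certificate they are meant to trust.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($outFile)
[pscustomobject]@{
    LdsInServerTrustStore = [bool](Get-ChildItem -Path $trustedStore |
                                   Where-Object Thumbprint -eq $lds.Thumbprint)
    ServerInLdsTrustDir   = ($exported.Thumbprint -eq $server[0].Thumbprint)
    LdsThumbprint         = $lds.Thumbprint
    ServerThumbprint      = $server[0].Thumbprint
}
```

The script stops if more than one matching server certificate is present, which is the situation the "Clean up old Certificates" step is meant to avoid.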
OPC Client and Server running on separate Machines
The following section describes how to set up a system where the clients and server are running on separate machines. The following configuration is used:
Installing certificates for an OPC system where the client and server are running on separate machines comprises the following main steps:
1) At the server machine:
- Install the Local Discovery Server.
- Configure and create certificate for the server using the UaServerConfigHelper utility.
- Make the OPC UA Server trust the LDS.
- Make the LDS trust the OPC UA Server.
- Copy the OPC UA Server certificate from the directory "C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom" to the same directory of the client machine.
2) At the client machine:
- Configure and create certificates for the OPC UA DA and OPC UA AE clients using the UaClientConfigHelper utility.
- Make the clients trust the OPC UA Server by importing the server certificate.
- Copy the OPC UA Client certificates from the directory "C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom" to the same directory of the server machine.
3) At the server machine:
- Make the server trust the clients by importing the client certificates.
Clean up old Certificates
On the MMC – Microsoft Management Console – it is possible to display installed certificates. Before starting it may be appropriate to clean up old certificates and delete the certificates in the certificate stores “Trusted UA Applications”, “UA Applications” and C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom.
Install Local Discovery Server (LDS)
Install the Local Discovery Server by double-clicking the installation package in the installation directory.
Create and Configure Certificates for uaPLUS.Net4 Server
Drag the server application uaPLUS.Net4.exe over the client configuration utility UaServerConfigHelperNet4.exe
Push the “Create UA Configuration”-button.
Push the “Yes”-button.
Push the “Check UA Configuration”-button.
Push the “Firewall Exceptions”.
Check that port “62841” is in the “Ports Open in Firewall” column.
Press “Done” when completed.
Press “Edit UA Configuration”.
Set the “Security Policies” check marks as shown.
Select a log-file path and name.
Press the “Change”-button to enable logging levels
Press “Set All” and “Set” to complete this setting.
Press the “Certificates”-button.
Press the “Create”-button to create a new self-signed server certificate.
Close all windows by:
Press “OK”.
Press “Save and Close”.
Press “Done”.
Check that the server certificate is now stored in the “Trusted UA Applications/Certificates” and “UA Applications/Certificates/” stores.
Make the OPC UA Server trust the LDS
On the MMC scroll down to “Trusted UA Applications/Certificates”.
Right click on “Trusted UA Applications/Certificates” and select “All Tasks” and “Import”.
Browse to “C:\ProgramData\OPC Foundation\UA\pki\own\certs\” .
Select “All files”.
Select file “ualdscert.der”.
Press “Next”.
The “UA Local Discovery Server” is now a trusted application:
Make the LDS trust the OPC UA Server
Locate the “Advosol uaPLUS Server” in the “Trusted UA Applications”.
Right click and select “All Tasks” and “Export”.
Browse to directory C:\ProgramData\OPC Foundation\UA\pki\trusted\certs and enter file name:
“Advosol uaPlus Server”.
Press “Save” (If the certificate is already stored from a previous installation just press “Yes” to the question of overwrite).
Copy the OPC UA Server certificate from the directory
“C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom” to the same directory of the client machine
Create and Configure Certificate for the DA3TestClientUaNet4 test Client
The certificate for the test client DA3TestClientUaNet4 is created and configured by means of the configuration utility UaClientConfigHelperNet4.
Drag the icon for DA3TestClientUaNet4 over the UaClientConfigHelperNet4.
Press “Check UA Configuration”.
Close by pressing “X” in the upper right corner.
Check that port “62841” is listed in the column “Ports Open in Firewall”.
Press “X” in upper right corner.
Press “Edit UA Configuration”.
Edit “Output File” for appropriate path and file name.
Press “Change” and set logging level.
Press “Set All”.
Press “Set”.
Press “Certificates”.
Press “Create” in the “Create a new self signed certificate”-pane.
The server certificate from the server machine directory “C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom” should already have been copied to the same directory on the client machine.
To make the client trust the server - in the “Server Certificates” press “Import” and select the Server certificate and press “Open”.
Close all windows by:
Press “OK”
Press “Save and Close”
Press “Done”.
Create and Configure Certificate for the AE-UATestClientUaNet4 Client
The certificate for the test client DA3TestClientUaNet4 is created and configured by means of the configuration utility UaClientConfigHelperNet4.
Drag the application of the test client AE-UATestClientNet4.exe over configuration utility UaClientConfigHelperNet4.exe
The creation and configuration is carried out as for the DA3TestClientUaNet4 test client with one exception.
Press “Edit UA Configuration”.
Change all “DA” to “AE”
Insert log output file name.
Push the Trace Mask “Change”-button
Select “Set all”.
Push “Set”-button.
Push the “Certificates”-button.
In the “Server Certificates” push the “Import” button and select the server certificate.
Press the “Open” button.
Close all windows by:
Push the “OK” button.
Push the “Save and Close” button.
Push the “Done”-button.
Copy the OPC UA test client certificates from the directory
“C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom” to the same directory of the server machine
Make the Server trust the Client
Drag the server “uaPLUS.Net4” onto the configuration utility “UaServerConfigHelperNet4”.
Push the “Edit UA Configuration”-button.
Push the “Certificates”-button.
In the “Client Certificates” push the “Import a Client Certificate”-button and select the OPCAE.NET.UA test client.
Push the “Open”-button.
Again, in the “Client Certificates” push the “Import a Client Certificate”-button and select the OPCDA.NET.UA test client.
Close all windows by:
Pushing the “OK”-button
Pushing the “Save and Close”-button.
Pushing the “Done”-button.
Check “Trusted UA Applications”
Startup of Server / Client Connection
Make sure that the service “AlphaCom_OPC” is not running:
Make sure that the AlphaCom is running and that the server is configured with the correct AlphaCom IP-address and port. To set up the correct configuration, use the configuration application
Start the server uaPLUS.Net4 and ensure it is connected to the AlphaCom:
Start the OPCDA.NET-UA test client.
Enter the server link “ua:opc.tcp://fgn46y2:62841/Advosol/uaPLUS” and push “Connect”. After connection push “Browse Items”.
The computer name “fgn46y2” must be replaced with the actual server computer name.
Start the OPCAE.NET-UA test client.
Enter the server link “ua:opc.tcp://fgn46y2:62841/Advosol/uaPLUS” and push “Connect”.
The server shows the two client connections:
Installing the service
In File Explorer, navigate to the installation directory C:\Program Files (x86)\Vingtor Stentofon\VS-OPC UA for AlphaCom
Go to File/Open Windows Powershell/Open Windows Powershell as administrator
Enter .\Install_AlphaCom_OPC.bat and press <Enter>
Before starting any clients make certain that the AlphaCom_OPC server is running and that the Startup Type has been set to Automatic
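The service and port checks described in this article can be repeated from PowerShell after installation. This is an added example, not part of the installation package; it uses the service names and port 62841 as written in this article and matches each name against both the service name and the display name, since the article does not say which one it is.

```powershell
# Added example: post-install check on the server machine.
$port     = 62841
$services = 'OPC UA Local Discovery Server', 'AlphaCom_OPC'   # names as written in this article

$report = @(foreach ($name in $services) {
    $svc = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name } |
           Select-Object -First 1
    [pscustomobject]@{
        Check  = "Service '$name' running, startup Automatic"
        Actual = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
        Ok     = [bool]($svc -and $svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
    }
})

# Which process is listening on the OPC UA port?
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
$owner = if ($listener) {
    (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
}
$report += [pscustomobject]@{
    Check  = "TCP $port listening"
    Actual = if ($listener) { "PID $($listener.OwningProcess) ($owner)" } else { 'no listener' }
    Ok     = [bool]$listener
}

# Is there an enabled inbound allow rule in Windows Firewall that names the port?
$rules = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
$report += [pscustomobject]@{
    Check  = "Firewall inbound allow rule for TCP $port"
    Actual = if ($rules.Count) { ($rules.DisplayName -join '; ') } else { 'none found' }
    Ok     = [bool]$rules.Count
}

$report | Format-Table -AutoSize -Wrap
```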
Server Browsing
Before the background service is set to run after installation, a browse for available UA servers must be carried out.
This is done by starting uaPLUS.Net4.exe and checking that it connects to the AlphaCom. Then start the test client DA3TestClientUaNet4.exe, carry out "Network" discovery by pushing "Network" (this step may be omitted), and browse for servers by pushing "Browse Servers". This should result in two links to the server (name is the computer name):
ua:http://name:80/Advosol/PLUS, and (please check that port 80 is open in the firewall)
ua:opc.tcp://name:62841/Advosol/PLUS (port 62841 is opened during certificate installation)
Select a link and push the "Connect" button, which should establish the connection, then push "Browse Items" to check that data from the AlphaCom is received.
The uaPLUS.Net4.exe and the test client can now be shut down. Start the AlphaCom_OPC service and the test client, and check that a connection to the AlphaCom can again be established.
AlphaNetServiceProvider
The OPCServerConfigurator utility tool makes it possible to configure whether the OPC-Server is directly or remotely connected to the AlphaCom.
In case the OPC-Server connection to the AlphaCom is configured as a direct connection, the AlphaCom IP-address is specified, along with which of the two ports (61112 or 61113) should be used.
In case the OPC-Server connection to the AlphaCom is configured as a remote connection, the IP-address of the service provider is specified, along with which port should be used. This service provider is named AlphaNetServiceProvider and is currently available in the VS-SDK for AlphaCom installation package. The AlphaNetServiceProvider is also available as a service, which can be installed via the package AlphaNetServiceProviderService_Setup. Configuration of the service is done via the AlphaNetServiceProvider GUI.
Please find the documentation of the AlphaNetServiceProvider at AlphaWiki.