OPCUA Plugin
Purpose
The purpose of this plugin is to read data from OPC UA Servers.
Usage
You can run a discover
without a configuration file. In this case, all the variables in the OPC UA namespace are displayed in a hierarchical tree format. If the debug is run from the command line with a debug value of -v
, the actual values for all the namespace nodes will also be displayed. The returned tree will look something like this:
The namespace index is an integer value to denote the enumerated namespace. It will be listed at the very top of a discovery run. It is also shown in the above listing as ns=2
or namespace_index: 2
. In order to log data, there must be a config file. If a configuration file is run with discover
, then only those variables in the configuration file and their values will be shown. If using a configuration file YOU MUST specify the correct namespace, since sometimes the same variables names are contained across different namespaces. ALWAYS run discover
first to see which variables are available, before developing the config file. The config file defines which variables need to be collected, what names they appear as on the the Ardexa cloud, and the units and scaling. Based on the example above, the configuration file required to collect the last 5 items shown above is as follows. Note that the OPCUA Variable Name
is listed as the NodeID (taken from the above listing), but prepended with the namespace index and a colon.
NOTES:
Anything that starts with
#
is a comment line, and will be ignoredThe
Type
can be either:decimal
,integer
,bool
,keyword
orarray
If the
Type
starts witharray
, then there must be 3 components separated by a colon:
, as followsThe 1st item must be the word
array
The 2nd item must be:
decimal
,integer
,bool
,keyword
The 3rd item must be an integer, which defines the array index to capture. Indicies start at
1
Variables are named as (example)
4:INPUT_3
. The leading4
is the namespace index. The available namespaces are displayed when running adiscover
.
Authentication is optional. Most OPC UA Servers do not require authentication. If using authentication, a file must be included in the auth_file
area which can contain up to 2 items of information as follows (note the uppercase Username/Password):
Also, an OPC UA connection string may have a suffix associated with it. For example, the connection string may be something like: "opc.tcp://192.168.1.10:52345/opcua
, where 52345
is the TCP port. The /opcua
at the end is a suffix
. Include it in the cvonfiguration if one exists, otherwise leave it blank
Using Digital Certificates
Some sites require digital certificates to be submitted to the OPC UA Server. This is very rare. However if you do encounter these sites, you need to generate the public and private key as follows. These certificates MUST be given to the OPCUA Server administrator so they can grant permissions based on these new keys.
Once this is done, copy the two *.pem
files to the directory: /opt/ardexa/config/opcua-ardexa
, or use the upload button for the private and public keys. Make sure they are uploaded to the correct name. The OPCUA plugin will change the permission of the private key to 0600 (read only by the root
user), if this hasdn't been done already. In addition to creating the digital certificates, you may need to set 2 more arguments. The application URI
is a string that is usually needed. This should match the certificate and should be something like: urn:example.org:FreeOpcUa:python-opcua
.
The security string details details the crypto algorithms to use, and locations of the public and private keys. It is a comma separate string of 4 items. The last 2 items are the locations of the public and private key, respectively. The security string should be something like: Basic128Rsa15,SignAndEncrypt,/opt/ardexa/config/opcua-ardexa/my_cert.pem,/opt/ardexa/config/opcua-ardexa/my_private_key.pem
. You must consult the administrator of the OPC UA server on the exact contents of the security string. BE AWARE OF THE FOLLOWING; in older versions of the plugin, the user had to manually insert the location of the public and private key into the security string. This is no longer required, as the plugin will automatically fill in the security string with the private and public keys, ONLY if they do not already exist.
Certificate Expired
If the following message (or similar) is received, the certificate is most likely expired:
Received an error: MessageAbort(error:StatusCode(BadCertificateTimeInvalid), reason:Certificate has is expired or not yet valid. NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.)
If you are receiving this error when running discovery, check the expiry date to confirm that it has passed using the following command:
If it is indeed expired, generate a new certificate using the above process and notify the client that you need them to trust the new certificate.
Arguments
IP Address
.. something like: 192.168.1.4configuration File full path
... this is the config file discussed above.--port
This is an optional entry denoting the TCP Port of the OPC UA server. It is defaulted to4840
--namespace_index
. This is an optional entry only available when usingdiscover
. It is the namespace for which toi discover variables. It is defaulted to0
--auth_file
... this is the authentication file discussed above.--suffix
. This is the suffix, if one exists, as discussed above.--app_uri
. This is the Application URI, if one exists, as discussed above.--security_str
. This is the Security String, if one exists, as discussed above.--timeout
. This is the OPC UA connection timeout. Note that a connection can take longer than the timeout, so long as the initial connection to the OPC UA server is less than the timeout value. The default is 10.0 seconds.--report_connection_time
. This is a flag (true/false) on whether reporting on OPC UA connection time is required. See below.--public_key
... The public key (if being used)--private_key
... The public key (if being used)
Debugging OPC UA Connection Time
It is sometimes necessary to measure the speed of connection to the OPC UA server. The report_connection_time
will do this. There are 5 broad steps in collecting data from an OPC UA server. These are:
Initialise collection program.
Connect to the OPC UA Server.
Collect data from the OPC UA Server.
Close the connection to the OPC UA Server.
Format and send data to the Ardexa Cloud.
Once the report_connection_time
argument has been selected, the following events will be sent to the data
table:
Initialsation Event. This will have a source =
time_to_initialise
, and will show the elapsed time in seconds to undertake task 1 above (Initialise collection program)Connection Event. This will have a source =
time_to_connect_to_server
, and will show the elapsed time in seconds to undertake task 2 above (Connect to the OPC UA Server)Total Collection Event. This will have a source =
total_data_extraction_time
, and will show the elapsed time in seconds to undertake tasks 2, 3 and 4 above. That is: a. Connect to the OPC UA Server. b. Collect data from the OPC UA Server. c. Close the connection to the OPC UA Server.
These items will only appear when the log
directive is run, and all data is sent to the data
table. The filename on which the connection time is requested will also be displayed/collected. Be sure to set the timeout
value to JUST BELOW the rate of collection. For example; if the scenario is set to collect data every 30 seconds, then set the timeout
to be 29.8
. This will result in a log entry being recorded EVERY TIME, even though the connect itself may timeout.
Last updated