Connect with the OPC UA DA Server Securely
About this task
All security-related configuration that the OPC UA collector uses to establish a secure connection to the OPC UA server is done in the ClientConfig.ini file, located by default in C:\Program Files\GE Digital\Historian OPC UA DA Collector\Server64. The file has options to select the trust certificate type, the security policy, the security mode, and the username and password. Default values are provided, but you can change them as needed.
Procedure
- Access the ClientConfig.ini file. By default, it is located at <Installation Drive>:\Program Files\GE Digital\Historian OPC UA DA Collector\Server64.
- Enter values as specified in the following table.
Parameter / Description

ApplicationName
  Enter OPCUACollector.

TrustCertificate
  Enter one of the following values:
  - 0: No trust.
  - 1: Trust the server certificate temporarily.
  - 2: Trust the server certificate permanently. If you enter this value, you must copy the server certificate into the trusted certificate list of the collector (the folder given by CertificateTrustListLocation).

SecurityPolicy
  The security policy that you want to use. A value is required only if the TrustCertificate parameter is 2. Enter one of the following values:
  - 0: No security policy (None).
  - 1: Basic128Rsa15. This policy is deprecated (it relies on SHA-1 and RSA PKCS#1 v1.5 padding) and is not recommended.
  - 2: Basic256. This policy has known weaknesses (it relies on SHA-1) and must not be used unless absolutely necessary.
  - 3: Aes256Sha256RsaPss. This is the most secure of the listed policies; however, older OPC UA implementations may not support it.
  - 4: Aes128Sha256RsaOaep. This policy is secure and faster than the most secure policies; however, older OPC UA implementations may not support it.
  - 5: Basic256Sha256. This policy is acceptable and is the one most likely to be supported by older OPC UA implementations.

SecurityMode
  The security mode that you want to use. Enter one of the following values:
  - 0 (None): Communication without security. No certificate is used for communication between the server and the collector. This option is not recommended; use it only in a non-production environment.
  - 1 (Sign): Secure communication without data privacy. Messages are signed, so the collector is authenticated and tampering is detected, but the content is visible on the wire.
  - 2 (SignAndEncrypt): Secure communication with data privacy. Messages are signed and encrypted, so the collector is authenticated and the content is kept private.

CertificateTrustListLocation
  Enter the path to the trusted certificates folder (pkiclient/trusted/certs in the sample file). The server certificate must be placed here when TrustCertificate is 2.

CertificateRevocationListLocation
  Enter the path to the revoked certificates folder (pkiclient/trusted/crl in the sample file).

IssuersCertificatesLocation
  Enter the path to the issuer certificates folder (pkiclient/issuers/certs in the sample file).

IssuersRevocationListLocation
  Enter the path to the

ClientCertificate

ClientPrivateKey

RetryInitialConnect
  Enter true or false to specify whether the collector automatically retries the connection to the OPC server if the initial connection attempt fails.

AutomaticReconnect
  Enter true or false to specify whether the collector automatically reconnects to the OPC server if the connection is lost after the initial connection succeeded.

Username
  Enter the username that you want to use to connect to the server.

Password
  Enter the password that you want to use to connect to the server.
Sample ClientConfig.ini File
ApplicationName = OPCUACollector
TrustCertificate = 2
SecurityPolicy = 4
SecurityMode = 1
CertificateTrustListLocation =/[ApplicationPath]/pkiclient/trusted/certs/
CertificateRevocationListLocation =/[ApplicationPath]/pkiclient/trusted/crl/
IssuersCertificatesLocation =/[ApplicationPath]/pkiclient/issuers/certs/
IssuersRevocationListLocation =/[ApplicationPath]/pkiclient/issuers/crl/
ClientCertificate =/[ApplicationPath]/pkiclient/own/certs/uaclientcpp.der
ClientPrivateKey =/[ApplicationPath]/pkiclient/own/private/uaclientcpp.pem
RetryInitialConnect =true
AutomaticReconnect =true
Username =admin
Password =admin
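As an added example (this is not GE Digital's code and is not part of the original page), the following Python script parses a ClientConfig.ini written in the key = value form of the sample above, maps the numeric TrustCertificate, SecurityPolicy and SecurityMode codes to the names from the table, and flags the settings a reviewer would reject: an unsigned or unencrypted mode, the deprecated SHA-1 policies, a server certificate that is not permanently trusted, and a username that equals the password. When given the collector's application path it also checks that the ClientCertificate and ClientPrivateKey files exist and that the trust list is not empty when TrustCertificate is 2. Both ini texts inside the script are constructed for this example, and the on-disk checks assume the [ApplicationPath] placeholder in the sample paths expands to the collector's installation folder.

```python
"""Audit a ClientConfig.ini for the OPC UA DA collector against the parameter table.

Added example, not GE Digital code. The file is a flat "Key = value" list with
no [section] headers (so configparser is not used). The two ini texts below are
constructed for this example.
"""
from __future__ import annotations

import os

SECURITY_POLICIES = {0: "None", 1: "Basic128Rsa15", 2: "Basic256",
                     3: "Aes256Sha256RsaPss", 4: "Aes128Sha256RsaOaep",
                     5: "Basic256Sha256"}
SECURITY_MODES = {0: "None", 1: "Sign", 2: "SignAndEncrypt"}
TRUST_LEVELS = {0: "no trust", 1: "temporary", 2: "permanent"}
DEPRECATED_POLICIES = {1, 2}  # Basic128Rsa15 and Basic256 (SHA-1 based)

# Constructed copy of the page's sample file: Sign only, admin/admin.
PAGE_SAMPLE = """\
ApplicationName = OPCUACollector
TrustCertificate = 2
SecurityPolicy = 4
SecurityMode = 1
CertificateTrustListLocation =/[ApplicationPath]/pkiclient/trusted/certs/
ClientCertificate =/[ApplicationPath]/pkiclient/own/certs/uaclientcpp.der
ClientPrivateKey =/[ApplicationPath]/pkiclient/own/private/uaclientcpp.pem
Username =admin
Password =admin
"""

# Constructed hardened variant: SignAndEncrypt, PSS policy, distinct credentials.
HARDENED_SAMPLE = (PAGE_SAMPLE.replace("SecurityPolicy = 4", "SecurityPolicy = 3")
                   .replace("SecurityMode = 1", "SecurityMode = 2")
                   .replace("Username =admin", "Username =collector_svc")
                   .replace("Password =admin", "Password =Tq9#collector-only"))


def parse_client_config(text: str) -> dict[str, str]:
    """Parse 'Key = value' lines; blank lines and ';' or '#' comments are skipped."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def resolve_path(value: str, app_path: str) -> str:
    """Expand the [ApplicationPath] placeholder used in the sample paths (assumed to
    be the collector installation folder)."""
    value = value.lstrip("/")  # sample lines are written as "/[ApplicationPath]/..."
    return os.path.normpath(value.replace("[ApplicationPath]", app_path.rstrip("/\\")))


def audit_client_config(cfg: dict[str, str], app_path: str | None = None) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []

    def code(key: str, table: dict[int, str]) -> int | None:
        raw = cfg.get(key)
        if raw is None or not raw.lstrip("-").isdigit() or int(raw) not in table:
            findings.append(f"{key}={raw!r} is missing or not one of {sorted(table)}")
            return None
        return int(raw)

    trust = code("TrustCertificate", TRUST_LEVELS)
    policy = code("SecurityPolicy", SECURITY_POLICIES)
    mode = code("SecurityMode", SECURITY_MODES)

    if trust is not None and trust != 2:
        findings.append(f"TrustCertificate={trust} ({TRUST_LEVELS[trust]}): server "
                        "certificate is not permanently trusted; use 2 and copy it to the trust list")
    if mode == 0:
        findings.append("SecurityMode=0 (None): no signing or encryption; non-production only")
    elif mode == 1:
        findings.append("SecurityMode=1 (Sign): authenticated but readable on the wire; "
                        "use 2 (SignAndEncrypt) for data privacy")
    if policy == 0 and mode in (1, 2):
        findings.append("SecurityPolicy=0 (None) cannot provide the requested SecurityMode")
    elif policy in DEPRECATED_POLICIES:
        findings.append(f"SecurityPolicy={policy} ({SECURITY_POLICIES[policy]}): "
                        "deprecated SHA-1 based policy")
    user, password = cfg.get("Username", ""), cfg.get("Password", "")
    if user and user.lower() == password.lower():
        findings.append("Username and Password are identical; change the sample credentials")

    if app_path is not None:  # optional on-disk checks for a deployed collector
        for key in ("ClientCertificate", "ClientPrivateKey"):
            if not os.path.isfile(resolve_path(cfg.get(key, ""), app_path)):
                findings.append(f"{key} does not point at an existing file")
        trusted_raw = cfg.get("CertificateTrustListLocation", "")
        trusted = resolve_path(trusted_raw, app_path) if trusted_raw else ""
        if trust == 2 and not (trusted and os.path.isdir(trusted) and os.listdir(trusted)):
            findings.append("TrustCertificate=2 but the trust list folder is missing or empty")
    return findings


if __name__ == "__main__":
    for name, text in (("page sample", PAGE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, audit_client_config(parse_client_config(text)) or ["no findings"])
```

Run against the page's sample, the script reports two findings: SecurityMode = 1 signs the session but does not encrypt it, and the username and password are both admin. Note also that the password sits in clear text in ClientConfig.ini, so restrict the file's ACL to the collector service account and local administrators, and pass the installation folder as app_path on a deployed collector to confirm the certificate, key and trust list are actually in place before the first connection attempt.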