KINGSTAR OPC UA

In this section, you will see the explanation about OPC UA, reasons why KINGSTAR chooses to use this protocol and how to configure the security settings.

What is OPC UA?

According to OPC Foundation, OPC is the interoperability standard for the secure and reliable exchange of data in the industrial automation space and in other industries. It is platform independent and ensures the seamless flow of information among devices from multiple vendors. The OPC Foundation is responsible for the development and maintenance of this standard.

The OPC standard is a series of specifications developed by industry vendors, end-users and software developers. These specifications define the interface between Clients and Servers, as well as Servers and Servers, including access to real-time data, monitoring of alarms and events, access to historical data and other applications.

When the standard was first released in 1996, its purpose was to abstract PLC specific protocols (such as Modbus, Profibus, etc.) into a standardized interface allowing HMI/SCADA systems to interface with a “middle-man” who would convert generic-OPC read/write requests into device-specific requests and vice-versa. As a result, an entire cottage industry of products emerged allowing end-users to implement systems using best-of-breed products all seamlessly interacting via OPC.

Initially, the OPC standard was restricted to the Windows operating system. As such, the acronym OPC was borne from OLE (object linking and embedding) for Process Control. These specifications, which are now known as OPC Classic, have enjoyed widespread adoption across multiple industries, including manufacturing, building automation, oil and gas, renewable energy and utilities, among others.

With the introduction of service-oriented architectures in manufacturing systems came new challenges in security and data modeling. The OPC Foundation developed the OPC UA specifications to address these needs and at the same time provided a feature-rich technology open-platform architecture that was future-proof, scalable and extensible.

Today the acronym OPC stands for Open Platform Communications.

 

Unified Architecture

The OPC Unified Architecture (UA), released in 2008, is a platform independent service-oriented architecture that integrates all the functionality of the individual OPC Classic specifications into one extensible framework.

Below listed a few of the original design specification goals of:

• Functional equivalence: all COM OPC Classic specifications are mapped to UA

• Platform independence: from an embedded micro-controller to cloud-based infrastructure

• Secure: encryption, authentication, and auditing

Functional Equivalence

Building on the success of OPC Classic, OPC UA was designed to enhance and surpass the capabilities of the OPC Classic specifications. OPC UA is functionally equivalent to OPC Classic, yet capable of much more:

• Discovery: find the availability of OPC Servers on local PCs and/or networks

• Address space: all data is represented hierarchically (e.g. files and folders) allowing for simple and complex structures to be discovered and utilized by OPC Clients

• On-demand: read and write data/information based on access-permissions

• Subscriptions: monitor data/information and report-by-exception when values change based on a client’s criteria

• Events: notify important information based on client’s criteria

• Methods: clients can execute programs, etc. based on methods defined on the server

Integration between OPC UA products and OPC Classic products is easily accomplished with COM/Proxy wrappers that are available in the download section.

Platform Independence

Given the wide array of available hardware platforms and operating systems, platform independence is essential. OPC UA functions on any of the following and more:

• Hardware platforms: traditional PC hardware, cloud-based servers, PLCs, micro-controllers (ARM etc.)

• Operating Systems: Microsoft Windows, Apple OSX, Android, or any distribution of Linux, etc.

OPC UA provides the necessary infrastructure for interoperability across the enterprise, from machine-to-machine, machine-to-enterprise and everything in-between.

Security

One of the most important considerations in choosing a technology is security. OPC UA is firewall-friendly while addressing security concerns by providing a suite of controls:

• Transport: numerous protocols are defined providing options such as the ultra-fast OPC-binary transport or the more universally compatible JSON over Websockets, for example

• Session Encryption: messages are transmitted securely at various encryption levels

• Message Signing: with message signing the recipient can verify the origin and integrity of received messages

• Sequenced Packets: exposure to message replay attacks is eliminated with sequencing

• Authentication: each UA client and server is identified through X509 certificates providing control over which applications and systems are permitted to connect with each other

• User Control: applications can require users to authenticate (login credentials, certificate, web token etc.) and can further restrict and enhance their capabilities with access rights and address-space “views”

• Auditing: activities by user and/or system are logged providing an access audit trail

For more information about OPC UA, please visit: https://opcfoundation.org/about/opc-technologies/opc-ua/

 

How KINGSTAR uses OPC UA?

The reasons why KINGSTAR chooses OPC UA is because of it's full functionality and security.

Data Access: Clients can connect the HMI or SCADA to KINGSTAR subsystem through the OPC UA Data Access feature provided by KINGSTAR. HMI or SCADA can read or write KINGSTAR user variables and PLC global variable through OPC UA　server. For example, users can set a user variable for the moving velocity of each axis, and HMI will show the variable on it's user interface by reading the velocity variables through OPC UA. For more information about the OPC UA settings, please go to OPC UA Server.

API Access: Allows users to call KINGSTAR Motion or EtherCAT APIs on a remote computer. Also clients can easily call KINGSTAR Motion or EtherCAT remotely through KINGSTAR OPC UA client library. For more information about remote APIs, please see IntervalZero.KINGSTAR.OpcUa.Api and IntervalZero.KINGSTAR.OpcUa.Class.

Based on the OPC UA API Access function, KINGSTAR provides two remote control tools, which are KINGSTAR Configuration Tool and Scope. Both of the tools can run on remote computers and are able to monitor and control the control PC. For more information about how to install the Remote Tool, please see Install KINGSTAR Remote Tools.

Management Access: Provides controller management related features. This is built for the control management tool in the coming version.

 

How to configure OPC UA security in KINGSTAR?

KINGSTAR User Roles and their password set-up

Firewall Setting

Certificate Management

The KINGSTAR OPC UA server can automatically generate self-signed certificates for communication. The following content outlines the server's certificate management process and configuration settings.

• Default Certificate Lifetime: the certificates auto-generated by the server have a default lifetime of 10 years (120 months). This is intended to minimize the need for frequent certificate renewal processes and to maintain consistent server-client communication over extended periods.
• Certificate Recreation Threshold: Default is 60 months. To prevent certificate expiration, the server is configured to check the validity period of the certificate upon startup. If the server is starting, and the current certificate has less than 60 months until its expiration date, a new certificate will be automatically created to replace the old one.
• Configuration File Access: to view or modify the certificate lifetime and recreation threshold settings, administrators can access the configuration file for configuration.

1. Access the configuration file located at C:\Program Files\IntervalZero\KINGSTAR\bin\IntervalZero.KINGSTAR.OpcUa.Server.exe.config
2. Find the following parameters in appSettings and configure the value.

• DefaultCertificateLifeTimeInMonths: specifies the default validity period of the certificate in months. Default is 120 months.
• CertificateRecreationThresholdInMonths: defines the threshold period in months for the server to regenerate the certificate before its expiration upon startup. Default is 60 months.

 

By default, the KINGSTAR OPC server supports all certificates. This means any client can connect and data is encrypted but there is no verification on who is the client. Anyone with the correct IP and Password can connect.

To enhance security, you can disable support for all certificates on the server by modifying the KingstarServer.Config.xml file in the KINGSTAR\bin folder. Comment "<AutoAcceptUntrustedCertificates>true</AutoAcceptUntrustedCertificates>" in the file to disable support for all certificates. Once this is disabled, store the trusted certificates to the following folder:

• For KINGSTAR 4.5 and later versions, store the trusted certificates to C:\ProgramData\OPC Foundation\pki\server\trusted\certs
• For KINGSTAR 4.4 and earlier versions, store the trusted certificates to C:\ProgramData\OPC Foundation\pki\trusted\certs

See also

OPC UA Server

OPC UA connection

.NET APIs for remote calls