Connection configuration
X509_V_FLAG_X509_STRICT. As firmware 2024.0 LTS is updated to OpenSSL 3.0, X.509 certificate validation became stricter, especially for non-self-signed certificates. This may cause the server to return the error BadSecurityChecksFailed on client connection attempts. Make sure that, according to OPC UA Part 6, client issuer as well as client application X.509 certificates conform to RFC 5280, especially to the sections listed below. The same applies to user-managed server certificates.
- 4.1.1.2 signatureAlgorithm
- 4.1.2.6 Subject
- 4.2.1.1 Authority Key Identifier
- 4.2.1.2 Subject Key Identifier
- 4.2.1.3 Key Usage
- 4.2.1.6 Subject Alternative Name
- 4.2.1.9 Basic Constraints
Definition in PLCnext Engineer or connection XML files
The OPC UA client can be configured in PLCnext Engineer from version 2023.3. We recommend using PLCnext Engineer for the configuration (see also Tutorial - OPC UA setup for PLCnext Control).
In addition to PLCnext Engineer, the connections can be defined in connection XML files that are located in the following folder:
/opt/plcnext/projects/Default/Services/OpcUA/Modules/Client/Configs/*.xml
All connection configuration files are aggregated (including the one from PLCnext Engineer).
The format of the XML file is described in OPC UA client XML schema.
Note: To reload the settings and connection files, a restart of the PLC is required.
Example configuration
<?xml version="1.0" encoding="utf-8"?>
<eUAClientConfigurationDocument xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:uax="http://opcfoundation.org/UA/2008/02/Types.xsd"
    xmlns="http://phoenixcontact.com/OpcUA/PLCnext/UAClientConfig/Types.xsd">
  <eUAClientConfiguration>
    <Name>ClientConnectionsConfiguration</Name>
    <NamespaceArray>
      <uax:String>http://phoenixcontact.com/OpcUA/PLCnext/GlobalDataSpace/</uax:String>
    </NamespaceArray>
    <ServerConnections>
      <eUAClientServerConnection>
        <EncodingMask>3</EncodingMask>
        <Endpoint>
          <uax:EndpointUrl>opc.tcp://192.168.178.123:4840</uax:EndpointUrl>
          <uax:SecurityMode>Sign_2</uax:SecurityMode>
          <uax:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</uax:SecurityPolicyUri>
        </Endpoint>
        <UserTokenType>UserName_1</UserTokenType>
        <UserName>admin</UserName>
        <Password>secretpassword</Password>
      </eUAClientServerConnection>
    </ServerConnections>
    <VariableGroups>
      <eUAClientVariableGroup>
        <GroupType>Subscribe_0</GroupType>
        <CycleTime>100</CycleTime>
        <NodeMappings>
          <eUAClientNodeMapping>
            <LocalVariable>
              <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.i_OPCUACLIENT_CNT</uax:Identifier>
            </LocalVariable>
            <RemoteVariableDescriptor>
              <EncodingMask>2</EncodingMask>
              <ServerIndex>1</ServerIndex>
              <NodeId>
                <uax:Identifier>ns=1;s=Arp.Plc.Eclr/MainInstance.i_OPCUASERVER_CNT</uax:Identifier>
              </NodeId>
            </RemoteVariableDescriptor>
          </eUAClientNodeMapping>
        </NodeMappings>
      </eUAClientVariableGroup>
    </VariableGroups>
  </eUAClientConfiguration>
</eUAClientConfigurationDocument>
Server connections
The connection configuration contains a list of servers that can be accessed by the client. For each server the connection information can be described as follows (see also OPC UA client XML schema):
- server URL: This URL shall always start with opc.tcp:// since this is currently the only supported protocol. Optionally the port can be specified. If omitted, the default OPC UA discovery port 4840 is used.
- Username (optional): If omitted, anonymous authentication is used.
- Password (optional): Only required if Username is specified.
- The securityMode to use (see OPC UA client security for more details).
- The securityPolicy to use: This can be best available for most secure communication (default) or one of the supported specific security policies.
Note: None and the deprecated security profiles can only be used explicitly (see OPC UA client security for more details).
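The following added example (not part of the original documentation or the PLCnext firmware) audits the server connections in a connection XML file for the settings described above: unsupported URL scheme, weak security mode or policy, anonymous access, and a password stored in the file. The enum value None_1, the names in WEAK_POLICIES other than None, and the finding labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"c": "http://phoenixcontact.com/OpcUA/PLCnext/UAClientConfig/Types.xsd",
      "uax": "http://opcfoundation.org/UA/2008/02/Types.xsd"}
# "None" is named on the page; the two deprecated names are an assumption (OPC Foundation list).
WEAK_POLICIES = {"None", "Basic128Rsa15", "Basic256"}

def audit(xml_text):
    """Return (endpoint, finding) pairs for every server connection in the file."""
    findings = []
    for conn in ET.fromstring(xml_text).iterfind(".//c:eUAClientServerConnection", NS):
        url, mode, policy = (conn.findtext("c:Endpoint/uax:" + tag, "", NS).strip()
                             for tag in ("EndpointUrl", "SecurityMode", "SecurityPolicyUri"))
        if urlsplit(url).scheme != "opc.tcp":
            findings.append((url, "url-not-opc.tcp"))
        if mode == "None_1":            # assumed enum spelling, by analogy with Sign_2
            findings.append((url, "no-message-security"))
        elif mode == "Sign_2":          # integrity only, payload is not encrypted
            findings.append((url, "signed-not-encrypted"))
        name = policy.rpartition("#")[2]  # empty when the default (best available) is used
        if name in WEAK_POLICIES:
            findings.append((url, "weak-policy:" + name))
        if conn.find("c:UserName", NS) is None:
            findings.append((url, "anonymous-authentication"))
        elif conn.find("c:Password", NS) is not None:
            findings.append((url, "plaintext-password-in-file"))
    return findings

# Constructed sample: the first connection mirrors the page's example, the second is weak.
SAMPLE = """<eUAClientConfigurationDocument
  xmlns:uax="http://opcfoundation.org/UA/2008/02/Types.xsd"
  xmlns="http://phoenixcontact.com/OpcUA/PLCnext/UAClientConfig/Types.xsd">
<eUAClientConfiguration><ServerConnections>
<eUAClientServerConnection><Endpoint>
  <uax:EndpointUrl>opc.tcp://192.168.178.123:4840</uax:EndpointUrl>
  <uax:SecurityMode>Sign_2</uax:SecurityMode>
  <uax:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</uax:SecurityPolicyUri>
</Endpoint><UserName>admin</UserName><Password>secretpassword</Password></eUAClientServerConnection>
<eUAClientServerConnection><Endpoint>
  <uax:EndpointUrl>opc.tcp://192.0.2.10</uax:EndpointUrl>
  <uax:SecurityMode>None_1</uax:SecurityMode>
  <uax:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</uax:SecurityPolicyUri>
</Endpoint></eUAClientServerConnection>
</ServerConnections></eUAClientConfiguration></eUAClientConfigurationDocument>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Because the password is stored in the file as shown in the example configuration, the plaintext-password-in-file finding is a prompt to restrict read access to the Configs folder.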
Variable groups
The configuration can contain multiple variable groups. Each has a GroupType (subscribe or write) and a CycleTime (see also OPC UA client XML schema).
Variable mapping
Every VariableGroup can contain multiple variable mappings. These mappings contain a local variable and a description of how to find the remote variable.
The local variable is described by a NodeId of the device's own PLCnext Technology OPC UA server.
The remote variable is described by a reference to the remote server and a NodeId for a variable on that server.
In the XML file the namespace is specified as a namespace index. This is an index into the NamespaceArray, which is also defined in the XML file.
In PLCnext Engineer the NodeId is specified by two parts:
- a namespace: The unique URI as scope for the identifier.
- an identifier: The unique integer, string, guid, or opaque id within the namespace.
The type of such an identifier is specified via a prefix as it is defined in OPC UA. Here are some examples:
- i=2258 (integer)
- s=Arp.Plc.Eclr/GlobalVariable (string)
- g=1c35cb2b-e5d0-495a-93c9-da095c652230 (guid)
- b=M/RbKBsRVkePCePcx24oRA== (opaque / binary)
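The following added example (not part of the original documentation) parses NodeId strings as they appear in the XML file, with the optional ns= namespace index in front of the typed identifier, and validates the value against its type prefix so that malformed mappings are caught before the file is deployed. The function names and the treatment of a missing ns= part as namespace index 0 (the OPC UA convention) are assumptions of this example.

```python
import base64
import re
import uuid

# Optional "ns=<index>;" followed by one of the four type prefixes listed above.
NODEID_RE = re.compile(r"^(?:ns=([0-9]+);)?([isgb])=(.*)$", re.S)

def parse_node_id(text):
    """Return (namespace_index, type_prefix, typed_value) or raise ValueError."""
    match = NODEID_RE.match(text)
    if not match:
        raise ValueError(f"not a NodeId: {text!r}")
    ns = int(match.group(1) or 0)  # assumption: no ns= part means index 0
    kind, raw = match.group(2), match.group(3)
    if ns > 0xFFFF:
        raise ValueError("namespace index exceeds UInt16")
    if kind == "i":                       # integer identifier, UInt32
        if not (raw.isascii() and raw.isdigit()) or int(raw) > 0xFFFFFFFF:
            raise ValueError(f"invalid integer identifier: {raw!r}")
        return ns, kind, int(raw)
    if kind == "g":                       # guid identifier
        return ns, kind, uuid.UUID(raw)   # raises ValueError when malformed
    if kind == "b":                       # opaque identifier, base64 encoded
        return ns, kind, base64.b64decode(raw, validate=True)
    if not raw:                           # string identifier must not be empty
        raise ValueError("empty string identifier")
    return ns, kind, raw

def invalid_node_ids(node_ids):
    """Return (node_id, reason) for every entry that does not parse."""
    problems = []
    for node_id in node_ids:
        try:
            parse_node_id(node_id)
        except ValueError as exc:         # binascii.Error is a ValueError subclass
            problems.append((node_id, str(exc)))
    return problems

if __name__ == "__main__":
    # The four examples from the page plus two constructed malformed entries.
    ids = ["i=2258", "s=Arp.Plc.Eclr/GlobalVariable",
           "g=1c35cb2b-e5d0-495a-93c9-da095c652230", "b=M/RbKBsRVkePCePcx24oRA==",
           "i=-5", "x=unknown"]
    for node_id, reason in invalid_node_ids(ids):
        print(node_id, "->", reason)
```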