Module configuration of the OPC UA client
The OPC UA client can be configured in PLCnext Engineer from version 2023.3.
We recommend using PLCnext Engineer for the configuration (see also Tutorial - OPC UA setup for PLCnext Control).
The configuration can also be performed using an additional XML file. Note that a manual configuration may be overwritten by PLCnext Engineer. If PLCnext Engineer is not used, the settings are stored in the following config file:
/opt/plcnext/projects/Default/Services/OpcUA/Modules/Client/client.module.config
Example configuration
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<OpcUAClientModuleConfigurationDocument schemaVersion="1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig"
    xmlns="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig">
  <Application>
    <CertificateStore>
      <SelfSignedIdentityStoreName>OPC UA Client self-signed</SelfSignedIdentityStoreName>
      <GivenIdentityStoreName>OPC UA Client</GivenIdentityStoreName>
      <TrustStoreName>OPC UA Client</TrustStoreName> <!-- if necessary fill in the name of your trust store -->
    </CertificateStore>
    <SessionSecurity>
      <!-- values of the following elements can be either "true" or "false" -->
      <ApplicationAuthentication>true</ApplicationAuthentication>
      <ApplicationUriCheck>true</ApplicationUriCheck>
      <CertificateHostnameCheck>true</CertificateHostnameCheck>
      <CertificateTimeCheck>true</CertificateTimeCheck>
      <CertificateIssuerTimeCheck>true</CertificateIssuerTimeCheck>
      <PasswordEncryptionCheck>true</PasswordEncryptionCheck>
    </SessionSecurity>
    <Timeouts>
      <SessionTimeout>1200000</SessionTimeout> <!-- The time-out for the session in milliseconds -->
      <ConnectTimeout>5000</ConnectTimeout> <!-- The time-out for the connect call in milliseconds -->
      <WatchdogTimeout>5000</WatchdogTimeout> <!-- The time-out for watchdog calls in milliseconds -->
      <CallTimeout>10000</CallTimeout> <!-- The time-out for the service call in milliseconds. The default setting is 10 seconds -->
    </Timeouts>
  </Application>
</OpcUAClientModuleConfigurationDocument>
Certificate store settings
In the certificate store settings, the names for the identity stores and for the trust store can be changed (see OPC UA client security for more details).
By default the following stores are used:
- Self-signed identity store: OPC UA Client self-signed
  Note: The certificate in this identity store is only used if the OPC UA client identity store is empty.
- Given identity store: OPC UA Client
- Trust store: OPC UA Client
Security settings
In the security settings, certain security checks can be disabled (see OPC UA client security for more details).
- If the Application Authentication is deactivated, a server certificate verification failure will be ignored.
- If the Application Uri Check is deactivated, an invalid server certificate application URI will be ignored.
- If the Certificate Hostname Check is deactivated, an invalid server certificate hostname will be ignored.
- If the Certificate Time Check is deactivated, an invalid certificate time will be ignored.
- If the Certificate Issuer Time Check is deactivated, an invalid certificate issuer time will be ignored.
- If the Password Encryption Check is deactivated, the check for the ServerNonce and the PasswordEncryptionMode will be ignored.
Note: Disabling these checks reduces security. This is not recommended for production environments.
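To catch a disabled check before a controller goes into production, the file can be audited automatically. The following script is an added example, not Phoenix Contact code: the function name audit_session_security is hypothetical, the sample document is constructed, and reporting a missing element as a finding is an assumption, because this page does not state which value applies when an element is absent.

```python
import sys
import xml.etree.ElementTree as ET

NS = {"c": "http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig"}
# The six SessionSecurity elements shown in the example configuration.
CHECKS = ("ApplicationAuthentication", "ApplicationUriCheck",
          "CertificateHostnameCheck", "CertificateTimeCheck",
          "CertificateIssuerTimeCheck", "PasswordEncryptionCheck")

def audit_session_security(xml_data):
    """Return (element, problem) findings; an empty list means every check is 'true'."""
    root = ET.fromstring(xml_data)
    section = root.find("c:Application/c:SessionSecurity", NS)
    if section is None:
        return [("SessionSecurity", "section missing")]
    findings = []
    for name in CHECKS:
        node = section.find("c:" + name, NS)
        if node is None:
            # Assumption: the effective value is unknown, so flag it for review.
            findings.append((name, "element missing"))
            continue
        value = (node.text or "").strip()
        if value == "false":
            findings.append((name, "disabled"))
        elif value != "true":
            # The config comment allows only "true" or "false".
            findings.append((name, "unexpected value %r" % value))
    return findings

# Constructed sample: hostname check disabled, CertificateTimeCheck omitted.
SAMPLE = """<OpcUAClientModuleConfigurationDocument schemaVersion="1.0"
    xmlns="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig">
  <Application>
    <SessionSecurity>
      <ApplicationAuthentication>true</ApplicationAuthentication>
      <ApplicationUriCheck>true</ApplicationUriCheck>
      <CertificateHostnameCheck>false</CertificateHostnameCheck>
      <CertificateIssuerTimeCheck>true</CertificateIssuerTimeCheck>
      <PasswordEncryptionCheck>true</PasswordEncryptionCheck>
    </SessionSecurity>
  </Application>
</OpcUAClientModuleConfigurationDocument>"""

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    results = audit_session_security(data)
    for name, problem in results:
        print("%s: %s" % (name, problem))
    sys.exit(1 if results else 0)
```

Run it with the path to client.module.config as the only argument; a non-zero exit status means at least one check needs review.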
Timeout settings
- The Session Timeout is used by the server to support the reuse of a session after a lost connection.
- The Connect Timeout is used for calls during the connection establishment.
- The Watchdog Timeout is used as connection check and reconnect after connection errors.
- The Call Timeout is a general timeout for messages between client and server.
After a failed connection attempt, the OPC UA client waits several seconds before repeating the connection attempt.