Module configuration of the OPC UA client

The OPC UA client can be configured in PLCnext Engineer from version 2023.3.
We recommend using PLCnext Engineer for the configuration (see also Tutorial - OPC UA setup for PLCnext Control).

The configuration can also be performed using an additional XML file. Note that a manual configuration may be overwritten by PLCnext Engineer. If PLCnext Engineer is not used, the settings are stored in the following config file:

/opt/plcnext/projects/Default/Services/OpcUA/Modules/Client/client.module.config

Example configuration

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<OpcUAClientModuleConfigurationDocument schemaVersion="1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig" 
xmlns="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig">
  <Application>
    <CertificateStore>
      <SelfSignedIdentityStoreName>OPC UA Client self-signed</SelfSignedIdentityStoreName>
      <GivenIdentityStoreName>OPC UA Client</GivenIdentityStoreName>
      <TrustStoreName>OPC UA Client</TrustStoreName>   <!-- if necessary fill in the name of your trust store -->
    </CertificateStore>
    <SessionSecurity>
       <!-- values of the following elements can be either "true" or "false" -->
      <ApplicationAuthentication>true</ApplicationAuthentication>
      <ApplicationUriCheck>true</ApplicationUriCheck>
      <CertificateHostnameCheck>true</CertificateHostnameCheck>
      <CertificateTimeCheck>true</CertificateTimeCheck>
      <CertificateIssuerTimeCheck>true</CertificateIssuerTimeCheck>
      <PasswordEncryptionCheck>true</PasswordEncryptionCheck>
    </SessionSecurity>
    <Timeouts>
      <SessionTimeout>1200000</SessionTimeout>   <!-- The time-out for the session in milliseconds -->
      <ConnectTimeout>5000</ConnectTimeout>      <!-- The time-out for the connect call in milliseconds -->
      <WatchdogTimeout>5000</WatchdogTimeout>    <!-- The time-out for watchdog calls in milliseconds -->
      <CallTimeout>10000</CallTimeout>           <!-- The time-out for the service call in milliseconds. The default setting is 10 seconds -->
    </Timeouts>
  </Application>
</OpcUAClientModuleConfigurationDocument>

Certificate store settings

In the certificate store settings, the names for the identity stores and for the trust store can be changed (see OPC UA client security for more details).

By default the following stores are used:

  • Self-signed identity store: OPC UA Client self-signed
    Note: The certificate in this identity store is only used if the OPC UA client identity store is empty.
  • Given identity store: OPC UA Client
  • Trust store: OPC UA Client

Security settings

In the security settings, certain security checks can be disabled (see OPC UA client security for more details).

  • If the Application Authentication is deactivated, a server certificate verification failure will be ignored.
  • If the Application Uri Check is deactivated, an invalid server certificate application URI will be ignored.
  • If the Certificate Hostname Check is deactivated, an invalid server certificate hostname will be ignored.
  • If the Certificate Time Check is deactivated, an invalid certificate time will be ignored.
  • If the Certificate Issuer Time Check is deactivated, an invalid certificate issuer time will be ignored.
  • If the Password Encryption Check is deactivated, the check for the ServerNonce and the PasswordEncryptionMode will be ignored.

Note: Disabling these checks reduces security. This is not recommended for production environments.
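
The following added example (not part of the original documentation and not vendor code) is a Python audit that parses a client.module.config and reports every SessionSecurity check that is not set to "true", together with the consequence listed above. The function name, the sample XML and the handling of missing elements as "effective value unknown" are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig"}

# Per the list above: what is ignored when a check is set to "false".
CHECKS = {
    "ApplicationAuthentication": "server certificate verification failure is ignored",
    "ApplicationUriCheck": "invalid server certificate application URI is ignored",
    "CertificateHostnameCheck": "invalid server certificate hostname is ignored",
    "CertificateTimeCheck": "invalid certificate time is ignored",
    "CertificateIssuerTimeCheck": "invalid certificate issuer time is ignored",
    "PasswordEncryptionCheck": "ServerNonce/PasswordEncryptionMode check is ignored",
}

def audit_session_security(xml_text):
    """Return (element, finding) pairs for every check not set to "true"."""
    root = ET.fromstring(xml_text)
    sec = root.find("c:Application/c:SessionSecurity", NS)
    if sec is None:
        return [("SessionSecurity", "section missing; effective values unknown")]
    findings = []
    for name, impact in CHECKS.items():
        node = sec.find(f"c:{name}", NS)
        value = (node.text or "").strip() if node is not None else None
        if node is None:  # assumption: the page does not state a default
            findings.append((name, "element missing; effective value unknown"))
        elif value == "false":
            findings.append((name, impact))
        elif value != "true":
            findings.append((name, f"unexpected value {value!r}"))
    return findings

# Constructed sample: two checks disabled, one element left out.
SAMPLE = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<OpcUAClientModuleConfigurationDocument schemaVersion="1.0"
 xmlns="http://www.phoenixcontact.com/schema/opcuaclientmoduleconfig">
  <Application><SessionSecurity>
    <ApplicationAuthentication>true</ApplicationAuthentication>
    <ApplicationUriCheck>true</ApplicationUriCheck>
    <CertificateHostnameCheck>false</CertificateHostnameCheck>
    <CertificateTimeCheck>false</CertificateTimeCheck>
    <CertificateIssuerTimeCheck>true</CertificateIssuerTimeCheck>
  </SessionSecurity></Application>
</OpcUAClientModuleConfigurationDocument>"""

if __name__ == "__main__":
    for name, finding in audit_session_security(SAMPLE):
        print(f"{name}: {finding}")
```

To audit a controller's configuration, pass the contents of the config file named at the top of this page instead of SAMPLE.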

Timeout settings

  • The Session Timeout is used by the server to support the reuse of a session after a lost connection.
  • The Connect Timeout is used for calls during the connection establishment.
  • The Watchdog Timeout is used for connection checks and for reconnecting after connection errors.
  • The Call Timeout is a general timeout for messages between client and server.

After a failed connection attempt the OPC UA client waits several seconds before repeating the connection attempt.

 


• Published/reviewed: 2024-10-30   ☀  Revision 074 •