
EXPERION OPC UA SERVER

OPC UA SELECTOR AND SECURE CONNECTION CONFIGURATION

Article: 129042
Revision: 3
Date: Jan 2022
Owner: HPS Technical Support
Honeywell

REVISION DETAILS

Rev. Date          Details
3    Jan 2022      Added Experion Read/Write Security
2    Nov 2021      Added more guidance on OPC UA port usage in a scenario where another application might use the same port.
1    Nov 2021      Document Enhancement
0    November 2021 Initial Release

CONTENTS

1 PURPOSE
2 OPC UA SUPPORT
3 VIDEO RECORDING GOING THROUGH THE ENTIRE CONFIGURATION PROCESS
4 RECOMMENDED EXPERION UPDATE LEVEL
5 TROUBLESHOOTING FLOW
6 EXPERION OPC SERVER UA PORT CONSIDERATION
7 CAPACITY
8 EXPERION READ/WRITE SECURITY
9 OS CONSIDERATION WHEN INSTALLING OPC UA SELECTOR
10 STEPS USED IN THE VIDEO RECORDING

Revision: 3 Document Name:


Date: January 2022 Page: 2 of 7
Honeywell

1 Purpose
The purpose of this document is to provide the steps to establish an OPC UA connection from an OPC UA client to an Experion Server.
✓ The OPC UA documentation can be found in the following guide: Supplementary Installation Tasks Guide EPDOC-X138-en-520A
✓ Support for multiple redundant pairs was introduced in R511.3. It uses the clusters.json file for configuration instead of the servers.config file. The syntax of the json file is documented under "Installation and Migration > Supplementary Installation Tasks Guide > Setting up a third-party OPC client or server > Setting up the OPC UA Server Selector".

The video recording provides the full configuration details going through the entire setup.

2 OPC UA Support:
OPC UA Data Access support in R511x and R520x:
▪ Read
▪ Write
▪ Subscription
▪ Browse
OPC UA Historical Access support in R520x:
▪ Data only
▪ Raw history values read
▪ History aggregates: Average, Interpolative, Maximum and Minimum

3 Video recording going through the entire configuration process:


Video streaming is not available: after clicking the link, use the download button to save the video file locally, as shown in the picture below.

https://honeywellprocess.my.salesforce.com/sfc/p/1a000000HLfB/a/1P000000cK4E/DfL1Lb.t_e9hpuV3L506nkYDcK5igT5wodoEOdPD98s

4 Recommended Experion Update level


The following Experion releases are recommended for stability:
• R511.1, R511.2: for enhanced stability and functionality, use Experion R511.3 or later
• R511.3 SP7 or later
• R511.4 SP3 or later
• R511.5 SHU1 or later
• R520.1 SHU1 or later

For R511.x systems only:

It is recommended to refresh the OPC UA certificate after installing the required Experion update, so that the regenerated certificate is valid for 20 years (instead of 1 year). This has to be performed before starting the OPC UA configuration, because clients trust the server certificate during that configuration.
1. Deploy the required updates on the Experion system.

2. Delete the C:\ProgramData\Honeywell\Experion PKS\Server\data\CertStore folder


3. Start a Command Prompt window as Administrator and run:


hscconfig /createcertstoredir

Perform the above steps on all Experion servers (A, B, EAS, etc.).

5 Troubleshooting Flow

OPC UA Connection Support flow (reconstructed from the flowchart):

1. Test with an Anonymous connection.
2. Connecting? If No: verify that no other application uses the same port as the Experion OPC UA Server, using the steps described in this document, then test again.
3. If Yes: configure the Secure connection and test using the OPC UA Explorer, using the method described in the GTAC video.
4. Connecting? If No: return to step 2. If Yes: End.

Recommended OPC Client: OPC UA Expert - https://www.unified-automation.com/index.html

6 Experion OPC Server UA Port Consideration:


By default, the Experion OPC UA Server uses port 4840. If required, this can be changed by modifying the Windows Service file; refer to the article https://honeywellprocess-community.force.com/hpsservice/Search_Knowledge_Base#Unable-to-connect-to-the-Experion-OPC-UA-Server for details. That article describes the scenario where another application installed on the Experion Server also uses port 4840, preventing the OPC UA Server from functioning. This might be the case when, for example, an OPC UA application such as the Matrikon OPC UA Tunneller is installed on the Experion server.
To confirm that there is no conflict, run the command netstat -ano | find "4840" from an administrative command prompt on each Experion Server and confirm that the PID shown for the listening socket is the PID of the OPC UA Server process, as shown in the screenshot below. No other process should be listed as listening on that port. Note that find "4840" is a plain substring match: it also lists connections whose remote port or address contains 4840, and local ports such as 48400, so check the Local Address and State columns of each matching line rather than only counting matches.
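As an added example (not code from the Honeywell article), the following Python script performs the check the paragraph above describes: it parses netstat -ano output, keeps only the sockets that are actually bound to port 4840 locally, and lists every owning PID other than the one expected for the OPC UA Server. The netstat excerpt, the PIDs and the conflicting second application are constructed for illustration; on a real Experion server run it against live output and supply the PID of the OPC UA Server process taken from Task Manager or tasklist.

```python
"""Report which processes hold TCP/UDP port 4840 on an Experion server.

Added example for this article; it is not Honeywell tooling.  It parses
`netstat -ano` output (the command the article recommends), keeps only the
sockets bound locally to the port, and flags any owning PID other than the
one expected for the OPC UA Server.  The sample output and PIDs below are
constructed for illustration and will differ on a real system.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Constructed `netstat -ano` excerpt (not captured from a real server).
# PID 3344 plays the Experion OPC UA Server; PID 5120 simulates a second
# application (e.g. an OPC UA tunneller) that also bound port 4840.
# The ESTABLISHED rows and the 48400 listener show why a plain
# `find "4840"` over-matches: none of them is a listener on port 4840.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4840           0.0.0.0:0              LISTENING       3344
  TCP    10.1.1.5:4840          10.1.1.50:51234        ESTABLISHED     3344
  TCP    10.1.1.5:48400         0.0.0.0:0              LISTENING       2208
  TCP    10.1.1.5:50012         10.1.1.9:4840          ESTABLISHED     4016
  TCP    [::]:4840              [::]:0                 LISTENING       5120
  UDP    0.0.0.0:4840           *:*                                    3344
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: int
    state: str   # empty for UDP, which netstat prints without a State column
    pid: int


def parse_netstat(output: str) -> list[Socket]:
    """Parse `netstat -ano` text into Socket records, skipping header lines."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # TCP rows: Proto Local Foreign State PID; UDP rows have no State.
        if proto == "TCP":
            if len(fields) < 5:
                continue
            state, pid = fields[3], fields[4]
        else:
            state, pid = "", fields[3]
        # rpartition keeps IPv6 literals such as [::]:4840 intact.
        addr, _, port = local.rpartition(":")
        sockets.append(Socket(proto, addr, int(port), state, int(pid)))
    return sockets


def listeners_on(sockets: list[Socket], port: int) -> list[Socket]:
    """Sockets bound to `port` locally: TCP in LISTENING state, or any UDP."""
    return [s for s in sockets
            if s.local_port == port and (s.proto == "UDP" or s.state == "LISTENING")]


def conflicting_pids(sockets: list[Socket], port: int, expected_pid: int) -> list[int]:
    """PIDs other than `expected_pid` that hold the port; empty means no conflict."""
    return sorted({s.pid for s in listeners_on(sockets, port) if s.pid != expected_pid})


def live_sockets() -> list[Socket]:
    """Run netstat on this host (Windows) and parse its output."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True)
    return parse_netstat(out.stdout)


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in listeners_on(socks, 4840):
        print(f"{s.proto:<4} {s.local_addr}:{s.local_port} pid={s.pid}")
    # On a real server, expected_pid is the OPC UA Server PID from Task Manager
    # or `tasklist`; here it is the constructed value 3344.
    print("conflicting PIDs:", conflicting_pids(socks, 4840, expected_pid=3344))
```

Any PID in the conflicting list is a process to identify (tasklist /FI "PID eq <pid>") and relocate to another port before the OPC UA Server can be expected to work. Replace parse_netstat(SAMPLE_NETSTAT) with live_sockets() to run the check on the server itself.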


7 Capacity:
From the Experion Specification document:

8 Experion Read/Write Security:


• When using Anonymous Access:
An OPC UA client configured for anonymous access can only perform reads from Experion. Writes are not allowed, as an anonymous session is not authenticated. It is not possible to configure an OPC UA user SOR for anonymous access; use an encrypted connection if writes are required.
• When using a Secured/Encrypted connection:


When configuring a secured/encrypted connection, the Experion read/write security is provided by the Scope of Responsibility (SOR) of the user configured as part of the secured OPC UA connection (refer to the video recording for configuration details). For example, through the user SOR configuration it is possible to limit read/write access to specific Experion assets.
The Windows user used in the encrypted configuration needs to be defined on Experion as an Operator, either explicitly or through domain membership. The user can be a local user (the user must be created on Experion Server A and B with matching passwords) or a domain user. Unlike an OPC Classic configuration, there is no requirement to configure the mngr user or the OPC UA user on the OPC UA client node.

9 OS Consideration when installing OPC UA Selector

The OPC UA Selector requires the OPC UA client to run the same Windows version as the Experion release, for example:
For Experion R511.x: Windows Server 2016
For Experion R520.x: Windows Server 2019

10 Steps used in the Video Recording:


• Install OPC Server Connect (the OPC UA Server Selector software) on the CLIENT machine from the Experion PKS media or ESIS as an OPTIONAL component:
o For EPKS R511.X use Install DVD 1
o For EPKS R520.X use Install DVD 1 & 3
• Download and install the OPC UA Expert client application for Windows from the Unified Automation website (registration is required):
o https://www.unified-automation.com/fileadmin/files/client/uaexpert-bin-win32-x86-vs2008sp1-v1.5.1-331.zip
o Generate the UA Expert client application certificate during first launch
• Enable OPC UA Server communication using the STATION application on the Primary EPKS Server and set up the additional prerequisites:
o SYSTEM HARDWARE >> SERVER WIDE SETTINGS >> OPC OPTIONS >> OPC UA >> Application Connections >> Allow OPC UA and UA HDA Access
o Add the OPC UA client machine name and IP address to the HOSTS file on both Experion PKS servers
o Add the Experion PKS server names and IP addresses to the HOSTS file on the OPC UA client computer
o Create a dedicated LOCAL Windows user account for OPC UA connectivity on both Experion PKS servers, add it to the “Local Operators” group and remove it from the USERS group
▪ Honeywell GTAC does NOT recommend using an AD domain user account for OPC UA connections, as the EPKS system and the OPC client are usually located across firewalls and almost never in the same domain or subnet
▪ The MNGR user account must NOT be used for any OPC UA connections
o Define the LOCAL user account for OPC UA in OPERATIONAL SECURITY on the Primary EPKS Server
• Steps to generate and import the required CERTIFICATES on the nominated computer (usually Server B), the redundant server(s) (Server A or BCC servers, if present) and the client computer:

*** Steps to complete on Server B ***


certtool /OPCUASERVER:CreateImportLocalCertificate
certtool /CA:GetCACert /CAcert:RootCA.pem
certtool /CA:GetCRL /CACRL:RootCRL.pem

*** Creating certificate for Server A on Server B ***

certtool /OPCUASERVER:CreateCertificate

*** Importing certificates on Server A ***

certtool /OPCUASERVER:ImportCA /CACERT:rootCA.pem /CACRL:rootCRL.pem
certtool /OPCUASERVER:ImportCertificate /CERT:server.suffix_application.der /PRIVKEY:server.suffix_application_key.pem

*** Creating selector certificate on Server B ***

certtool /OPCUASERVER:ServerSelectorCertificate

*** Trusting client certificate on Servers ***

certtool /OPCUASERVER:ImportTrustedCert /CERT:"C:\temp\OPCUA\uaexpert.der"

*** On client machine ***

-- import server selector certificates
"<install folder>\Honeywell\Experion PKS\OPC UA ServerSelector\svrseltool" -a s
-- import client certificate
"<install folder>\Honeywell\Experion PKS\OPC UA Server Selector\svrseltool" -a c -c <certificate file>

• Convert RootCA.PEM to RootCA.DER using MMC and Certificate Manager on the OPC client computer to configure the trust between the EPKS Server and the OPC client application (UA Expert)
• OPC UA Server Selector configuration
o For EPKS R511.X, OPC Server Connect uses the SERVERS.CONFIG file for redundancy selection, with the following syntax, e.g.:
▪ SERVERA, 4840
▪ SERVERB, 4840
o For EPKS R520.X, OPC Server Connect uses the CLUSTERS.JSON file for redundancy selection. The configuration file syntax is described in the Experion User Assistance documentation:
▪ “Installation > Supplementary Installation Tasks Guide > Setting up a third-party OPC client or server > Setting up the OPC UA Server Selector”
▪ SERVERS.CONFIG can be used to automatically translate the EPKS servers configuration to the new JSON format used by the OPC UA Selector in R520
o From an elevated CMD prompt, confirm that the OPC UA Selector process is RUNNING and LISTENING on the defined port (4840 by default) using netstat -a | find "4840" (netstat -ano additionally shows the owning PID)
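As an added example (not Honeywell's tooling), the following Python script checks a SERVERS.CONFIG in the syntax shown above against the client's HOSTS file before the selector is started: it rejects malformed lines and invalid ports, confirms that exactly the two members of the redundant pair are listed once each, and confirms that each server name has a HOSTS entry on the client, as the steps above require. The file contents, server names and addresses are constructed for the example, and the SERVERS.CONFIG location is left as a parameter because the article does not state it. The CLUSTERS.JSON format used in R520 is not parsed here, since its syntax is documented only in the Experion User Assistance.

```python
"""Pre-flight check for the OPC UA Server Selector's SERVERS.CONFIG.

Added example for this article; it is not Honeywell tooling.  It parses a
SERVERS.CONFIG written in the "<server>, <port>" syntax from the article and
the client's HOSTS file, then reports the mistakes that most often stop the
selector from connecting: a malformed line, a port outside the TCP range,
a duplicate or missing member of the redundant pair, and a server name with
no HOSTS entry on the client.  Both file contents below are constructed;
the host names and addresses are assumptions.
"""
from __future__ import annotations

import ipaddress
from pathlib import Path

SAMPLE_SERVERS_CONFIG = """\
# Experion redundant pair (constructed example)
SERVERA, 4840
SERVERB, 4840
"""

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.1.1.5        SERVERA
10.1.1.6        serverb   # Experion Server B
"""

# Standard location of the HOSTS file on Windows.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_servers_config(text: str) -> list[tuple[str, int]]:
    """Return (server, port) pairs; '#' starts a comment, blank lines are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not parts[0] or not parts[1].isdigit():
            raise ValueError(
                f"SERVERS.CONFIG line {lineno}: expected '<server>, <port>', got {raw!r}")
        entries.append((parts[0], int(parts[1])))
    return entries


def parse_hosts(text: str) -> dict[str, str]:
    """Map lower-cased host names to addresses from a Windows HOSTS file."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)  # keep the first entry for a name
    return mapping


def check(entries: list[tuple[str, int]], hosts: dict[str, str],
          pair_size: int = 2) -> list[str]:
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    names = [name.lower() for name, _ in entries]
    if len(names) != pair_size:
        problems.append(
            f"expected {pair_size} servers for a redundant pair, found {len(names)}")
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"{dup}: listed more than once")
    for name, port in entries:
        if not 1 <= port <= 65535:
            problems.append(f"{name}: port {port} is not a valid TCP port")
        if name.lower() not in hosts:
            problems.append(
                f"{name}: no HOSTS entry on this client; add its name and IP address")
    return problems


def check_files(servers_config: Path, hosts_file: Path = WINDOWS_HOSTS) -> list[str]:
    """Run the check against real files (the SERVERS.CONFIG location is site-specific)."""
    return check(parse_servers_config(servers_config.read_text()),
                 parse_hosts(hosts_file.read_text()))


if __name__ == "__main__":
    report = check(parse_servers_config(SAMPLE_SERVERS_CONFIG), parse_hosts(SAMPLE_HOSTS))
    print("OK" if not report else "\n".join(report))
```

Name comparison is case-insensitive because Windows host name resolution is; the port range check catches the typo case, and a server listed without a HOSTS entry is reported even if DNS might resolve it, since the steps above require the HOSTS entry on the client.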
