
GEI-100828F

WorkstationST* OPC® UA Server


Instruction Guide
These instructions do not purport to cover all details or variations in equipment, nor to provide for every possible
contingency to be met during installation, operation, and maintenance. The information is supplied for informational
purposes only, and GE makes no warranty as to the accuracy of the information included herein. Changes, modifications,
and/or improvements to equipment and specifications are made periodically and these changes may or may not be reflected
herein. It is understood that GE may make changes, modifications, or improvements to the equipment referenced herein or to
the document itself at any time. This document is intended for trained personnel familiar with the GE products referenced
herein.
Public Information – This document contains non-sensitive information approved for public disclosure.
GE may have patents or pending patent applications covering subject matter in this document. The furnishing of this
document does not provide any license whatsoever to any of these patents.
GE provides the following document and the information included therein as is and without warranty of any kind,
expressed or implied, including but not limited to any implied statutory warranty of merchantability or fitness for
particular purpose.
For further assistance or technical information, contact the nearest GE Sales or Service Office, or an authorized GE Sales
Representative.

Revised: Dec 2018


Issued: May 2012

© 2012 - 2018 General Electric Company.


___________________________________
* Indicates a trademark of General Electric Company and/or its subsidiaries.
All other trademarks are the property of their respective owners.

We would appreciate your feedback about our documentation.


Please send comments or suggestions to controls.doc@ge.com

Document Updates

Revision   Location                                   Description
F          Overview                                   Added content for Alarm/Event Subscriptions
           Live Data and Alarm/Event Subscriptions
           Monitored Items
           Alarm/Event
E          Application Certificate Sharing            Added this section with the procedure to share certificates between
                                                      OPC UA client and server
D          OPC UA Communication                       Removed obsolete server URL; only one URL can be used to access the
                                                      WorkstationST OPC UA server
                                                      Removed obsolete discovery server URL

Acronyms and Abbreviations


AE Alarm and Event
DA Data Access
GSM GE Standard Messages
HDA Historical Data Access
OPC A standard for data exchange in the industrial environment
SDI System Data Interface
UA Unified Architecture
URI Uniform Resource Identifier
URL Uniform Resource Locator
WCF Windows Communication Foundation

2 GEI-100828F GEI-100828 WorkstationST OPC UA Server Instruction Guide


Contents
1 Overview
2 OPC UA Communication
2.1 Application Certificates
2.2 Client/Server Connection Sequence
2.3 Application Certificate Sharing
2.4 Live Data and Alarm/Event Subscriptions
2.5 Troubleshooting
3 Client Privileges
4 Live Data Flow
5 Alarm/Event
6 Historical Data Access
6.1 External Historians
6.2 Configure DCOM Settings



1 Overview
The OPC® Unified Architecture (OPC UA) standard combines the older standards of OPC Data Access (DA), OPC Alarm
and Event (AE), and OPC Historical Data Access (HDA) into one interface. Additionally, the OPC UA standard provides
Historical Alarm and Event access. An OPC UA server implementation can include all or part of these standards' features.
The WorkstationST* OPC UA server provides DA reading and writing, live AE data, and HDA reading features.

Note The OPC UA standard was created by the OPC Foundation. For more information, visit www.opcfoundation.org.

2 OPC UA Communication
An OPC UA client must have a URL to connect to a server. If the client is not configured with a URL, the client can access a
discovery server to obtain a URL. The WorkstationST OPC UA server is accessed using the following URL:

opc.tcp://<hostname>:64121/GeCssOpcUaServer
The <hostname> entry can be “localhost” or a valid host name or IP address.

The WorkstationST OPC UA server also registers itself with the OPC Foundation’s UA local discovery server, which is
installed with the WorkstationST application. The discovery server runs as a Windows® service. UA servers register with it
and UA clients can obtain a list of registered UA servers from it.

2.1 Application Certificates


The OPC UA client and server each own an X.509 application certificate. These certificates are created and added to a
certificate store when the client or server is installed, when the client application is first run, or through a vendor-supplied
utility.
Creating a client certificate and adding it to the certificate store requires administrative privileges. The OPC UA client is used
in the following:

• Trender
• Test OPC UA client
• Configuration for the OPC UA client part of the OPC UA server
• Running the OPC UA client part of the WorkstationST OPC UA server, allowing data access for variables in external
OPC UA servers
When the client is first accessed, if the application is running as an administrator the certificate is created and placed into the
correct store location. Otherwise, the user is prompted to allow the certificate to be created. It is then added to the correct
store location with a new process started as an administrator. The user may be required to enter credentials for this process.
The application certificates are kept in the Windows local machine certificate store. The WorkstationST Certificate Manager
is used to view, import, export and reissue certificates. The WorkstationST Certificate Manager is accessed from the
WorkstationST Status Monitor Tools menu.



The following figure displays five certificates, including one for the OPC UA client and one for the OPC Foundation’s UA
Local Discovery Server.

Example Application Certificates in WorkstationST Certificate Manager

Certificate Keys
An OPC UA application certificate has a public key needed by other applications to verify the application certificate. When
exported, the .der file contains the certificate and public key.
Each application certificate also contains a private key. When exported, the .pfx file contains the certificate and the public and
private keys. Typically, these are protected with a password when exported.



2.2 Client/Server Connection Sequence
When an OPC UA client and server connect, both the client and the server application present the X.509 certificate they own.
For successful communication, both the OPC UA client and server must receive each other's certificate over the communication
link and verify that it matches a certificate in their trusted store location. The OPC UA client and server use the Windows
local machine certificate store, in the UA Applications folder on the computer where they are running, as the trusted store.

Figure: Certificate Management (Windows certificate store)

• Certificate Management Tool: allows viewing, deleting, importing, and exporting of UA Application Certificates from the
  Windows store. Can be used to reissue expired certificates, or to export certificates from one computer for import on
  another.
• Install of product: adds the application certificate to the Windows certificate store.
• ControlST OPC UA client / server: at startup, if no certificate is found, one is added. When the client runs as a
  non-administrator user (for example, the ControlST OPC UA client running in the Trender), the certificate is added by
  running an elevated-privilege process.

Figure: Client/Server Connection Sequence Diagram

  OPC UA client                                             WorkstationST OPC UA server
       |----- GetEndpoints Request ------------------------------>|
       |<---- GetEndpoints Response ------------------------------|  Contains the server's Application Instance
       |      (the client validates this certificate against       |  Certificate, which the server provided from
       |       the certificates in its Windows certificate store)  |  its Windows certificate store.
       |----- Open Secure Channel Request ----------------------->|  Contains the Client Application Certificate.
       |                                                          |  The server validates this against its
       |<---- Secure Channel Response ----------------------------|  Windows certificate store.



2.3 Application Certificate Sharing
When an OPC UA client uses a security profile other than None to connect to an OPC UA server, the server initially sends its
application certificate back to the client (as illustrated in the figure Client/Server Connection Sequence Diagram). The client
looks into its trusted store for the public certificate of the server. If the certificate is not found, some clients will prompt the
user to trust the certificate, while others will place the certificate into a rejected store location. After the client trusts the
server’s public certificate and the client attempts to connect again, the second part of the communication calls for the client to
send its public certificate to the server. If the server does not trust the certificate, the server will typically place the certificate
into a rejected store.

ControlST* OPC UA Client Trusting OPC UA Server Certificate


With the ControlST OPC UA client, which is used by the Trender and the OPC UA test client (accessed from the
WorkstationST Component Editor's View menu), the user is prompted to trust the server's certificate if the server's certificate
is not already trusted. The user must enter administrator credentials to trust the certificate, because the trusting action
requires administrator privileges on the computer.



ControlST OPC UA Server Trusting Client Certificate

➢ To trust the client certificate

Use the Certificate Manager to trust the client's certificate on the server node.

1. Select the WorkstationST Status Monitor tray icon to display the WorkstationST Status Monitor.
2. From the WorkstationST Status Monitor Tools menu, select Certificate Manager to display the WorkstationST
Certificate Manager.

3. From the Certificate Manager, click the Rejected toolbar icon to display a list of all rejected certificates.
4. From the Server node, select the OPC UA client’s certificate and click Trust Selected Certificates to trust it.

Attempt to connect the client to the OPC UA server again. At this point, both certificates are trusted and the client should be
able to communicate with the server.



2.4 Live Data and Alarm/Event Subscriptions
A client adds Subscriptions once a secure channel and session are established. A live Data Subscription contains a list of
monitored items that represent a variable or a property of a variable. A live Alarm/Event Subscription normally contains the
Server Object as the event monitored item. By subscribing to the Server Object, the OPC UA client receives notifications for
all events as they occur and for all alarms currently in the alarm queue.

Subscription Settings

Setting                              Description
Publishing Interval                  Specifies the client's desired update rate.
Keep-alive Count                     Defines how many times the Publishing Interval needs to expire without available
                                     notifications before the server sends an empty message to the client indicating that
                                     the server is still alive.
Lifetime Count                       Defines how many times the Publishing Interval can expire without having a connection
                                     to the client. If the server cannot deliver notification messages after this time, it
                                     deletes the Subscription to clear the resources. The minimum Lifetime Count value must
                                     be three times the Keep-alive Count value.
Maximum Notifications per Publish    Defines the maximum number of notifications per message delivered to the client in a
                                     published response.

Note The priority of the Subscription in the client is relative to other subscriptions created by the client.
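The following is an added example, not GE product code, that simulates how the four Subscription Settings above interact on the server side. The Subscription class and run function are the example's own; each timeline entry stands for one Publishing Interval and gives how many notifications became available in it and whether a Publish request from the client was available to carry them. The timeline values are constructed.

```python
"""Server-side behaviour of Publishing Interval, Keep-alive Count, Lifetime Count and
Maximum Notifications per Publish (added example, not product code)."""
from dataclasses import dataclass


@dataclass
class Subscription:
    publishing_interval_ms: float
    keep_alive_count: int
    lifetime_count: int
    max_notifications_per_publish: int = 0   # 0 means no limit

    def __post_init__(self):
        # The server revises a too-small request: Lifetime Count must be at
        # least three times the Keep-alive Count (the rule quoted in the table).
        if self.lifetime_count < 3 * self.keep_alive_count:
            self.lifetime_count = 3 * self.keep_alive_count


def run(sub: Subscription, timeline: list) -> list:
    """Return the server's action for each Publishing Interval:
    'publish:N' (N notifications sent), 'idle', 'keepalive',
    'waiting' (no Publish request from the client, notifications queued) or 'deleted'."""
    actions = []
    pending = 0   # notifications not yet delivered
    idle = 0      # intervals since a message last went to the client
    missed = 0    # consecutive intervals with no Publish request from the client
    for new_notifications, publish_request_available in timeline:
        pending += new_notifications
        if not publish_request_available:
            missed += 1
            if missed >= sub.lifetime_count:
                actions.append("deleted")   # Subscription removed, resources released
                break
            actions.append("waiting")
            continue
        missed = 0
        if pending:
            limit = sub.max_notifications_per_publish or pending
            sent = min(pending, limit)
            pending -= sent   # remainder goes into the next Publish response
            idle = 0
            actions.append(f"publish:{sent}")
        else:
            idle += 1
            if idle >= sub.keep_alive_count:
                idle = 0
                actions.append("keepalive")   # empty message: server still alive
            else:
                actions.append("idle")
    return actions


if __name__ == "__main__":
    sub = Subscription(1000.0, keep_alive_count=2, lifetime_count=1,
                       max_notifications_per_publish=3)
    print("revised Lifetime Count:", sub.lifetime_count)
    timeline = [(5, True), (0, True), (0, True), (0, True), (1, False)] + [(0, False)] * 5
    print(run(sub, timeline))
```

Two things the simulation shows that the table states only implicitly: a Lifetime Count below three times the Keep-alive Count is silently raised, so the client should read back the revised value rather than assume its request was honoured; and a client that stops sending Publish requests loses the Subscription (and everything queued in it) after Lifetime Count intervals, so a long reconnect outage means re-creating the Subscription and its monitored items rather than resuming.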

2.4.1 Monitored Items


After configuration, the client adds monitored items to the Subscription. For Data Subscriptions, each monitored item
represents a variable. Alarm/Event Subscriptions contain an event monitored item. The following table provides the common
and specific settings for monitored items and event monitored items.

Monitored Item Settings

Setting             Description
Sampling Interval   For a Data Subscription, this is the rate (in ms) at which the server checks for changes. A change that
                    triggers a notification is defined by the filter. If -1 is the Sampling Interval value, the
                    Subscription's Publishing Interval value is used for this setting. A client can over-sample the value
                    (sample more frequently) by setting the Sampling Interval value to less than the Publishing Interval
                    value and setting the Queue Size value to 1. For Alarm/Event Subscriptions, the client can set the
                    Sampling Interval value to 0 and notifications will be sent as they occur.
Queue Size          Maximum number of values stored for the monitored item during a publishing interval. After each
                    publishing interval, the server sends the values to the client.
Filter              For a Data Subscription, a filter is by default of the type trigger, with the trigger being either a
                    changing value or the status of the monitored item. This trigger can be set to notify when there is a
                    status change only, or it can include status, value, and source time stamp changes. The filter can
                    also have a deadband type and deadband value. The deadband type is either Absolute or Percent. If the
                    type is Percent, the variable's EURange must be configured (for ToolboxST application variables,
                    display limits or format specification engineering units are used). Alarm/Event monitored items use an
                    item event filter. This includes a where clause that normally includes ConditionType. It also contains
                    many select clauses.
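The following is an added example, not GE product code, of the server-side logic behind the Monitored Item Settings for a Data Subscription: the data change trigger, Absolute and Percent deadbands (Percent requires the EURange), and the per-item queue that is drained into each Publish response. The Sample and MonitoredItem classes are the example's own, and the sample values fed to them are constructed, not data from a controller.

```python
"""Data change trigger, deadband filter and queue of one monitored item (added example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Sample:
    value: float
    status: str = "Good"     # OPC UA StatusCode, reduced to a name for the example
    source_ts: int = 0       # source time stamp, e.g. ms since epoch


@dataclass
class MonitoredItem:
    trigger: str = "StatusValue"        # "Status" | "StatusValue" | "StatusValueTimestamp"
    deadband_type: str = "None"         # "None" | "Absolute" | "Percent"
    deadband_value: float = 0.0
    eu_range: Optional[Tuple[float, float]] = None  # (low, high); required for Percent
    queue_size: int = 1
    discard_oldest: bool = True
    _queue: deque = field(default_factory=deque)
    _last: Optional[Sample] = None      # last sample that passed the filter

    def _value_changed(self, new: float) -> bool:
        old = self._last.value
        if self.deadband_type == "Absolute":
            return abs(new - old) > self.deadband_value
        if self.deadband_type == "Percent":
            if self.eu_range is None:
                raise ValueError("Percent deadband requires the variable's EURange")
            low, high = self.eu_range
            return abs(new - old) > self.deadband_value / 100.0 * (high - low)
        return new != old

    def sample(self, s: Sample) -> bool:
        """Called once per Sampling Interval. Returns True if the sample passed the
        filter and was queued for the next publish."""
        if self._last is None:
            changed = True                  # the first sample is always reported
        else:
            changed = s.status != self._last.status
            if self.trigger in ("StatusValue", "StatusValueTimestamp"):
                changed = changed or self._value_changed(s.value)
            if self.trigger == "StatusValueTimestamp":
                changed = changed or s.source_ts != self._last.source_ts
        if not changed:
            return False
        self._last = s
        if len(self._queue) >= self.queue_size:
            # Queue full: drop one entry so the newest sample fits.
            if self.discard_oldest:
                self._queue.popleft()
            else:
                self._queue.pop()
        self._queue.append(s)
        return True

    def publish(self) -> list:
        """Drain the queue; this is what goes into the Publish response."""
        out = list(self._queue)
        self._queue.clear()
        return out


if __name__ == "__main__":
    item = MonitoredItem(deadband_type="Percent", deadband_value=5.0,
                         eu_range=(0.0, 200.0), queue_size=2)
    for v in (100.0, 109.0, 111.0):
        print(v, "queued" if item.sample(Sample(v)) else "filtered")
    print([s.value for s in item.publish()])
```

Note the two behaviours a practitioner most often trips over: the deadband is measured against the last reported value, not the last sampled one, so a slowly drifting signal still produces a notification once the accumulated drift exceeds the band; and with Queue Size 1 every sample that passes the filter replaces the previous one, so over-sampling delivers only the latest value per Publishing Interval unless the queue is enlarged.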



2.5 Troubleshooting
If a client is unable to connect to a server, perform the following checks:

• Verify that the client’s application certificate is present in the server's trusted certificate store.
• Verify that the server’s certificate is present in the client's trusted certificate store. The WorkstationST OPC UA client
uses the Windows store. Others use a folder in the file system. Depending on the client, the server’s certificate can be
exported using the WorkstationST Certificate Manager and placed in the client’s trusted store.
Many clients, such as the WorkstationST OPC UA client, display a list of available servers when configuring a connection.
The OPC Foundation’s UA local discovery server obtains this list. If the list does not display, stop and restart the UA Local
Discovery Server (located in Windows services).

3 Client Privileges
Once a client is connected to the server, the client can log on with a user token if one is provided. The user must match a
configured ToolboxST user and be assigned write privileges. If no users and roles are assigned in the ToolboxST configuration,
all clients are granted write privileges.
Clients that support user token authentication send a token containing a user name and password. If the password can be
authenticated, the server associates the user with the matching user in the Users and Roles configuration. The client is then
granted privileges according to that user and its assigned role.
There is also a configuration for clients that do not support user token authentication. The OPC UA server associates a client
application certificate with a user in the Users and Roles configuration. When a client connects using one of these application
certificates, the privileges of the associated user are granted.
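The following is an added example, not GE product code, that models the write-privilege decision described in this section. The users, roles, passwords and the certificate-to-user mapping are constructed for the example; the UsersAndRoles class and can_write function are the example's own. How the real server stores and verifies passwords is not described on this page, so the PBKDF2 hash with a constant-time compare is an assumption about a reasonable implementation, and treating a session with neither a user token nor a mapped certificate as read-only is likewise an assumption.

```python
"""Write-privilege decision of the Client Privileges section (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: the server keeps a salted PBKDF2 hash, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    password_hash: bytes

    @classmethod
    def create(cls, name: str, role: str, password: str) -> "User":
        salt = os.urandom(16)
        return cls(name, role, salt, hash_password(password, salt))

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.password_hash)


@dataclass
class UsersAndRoles:
    """The ToolboxST Users and Roles configuration, reduced to what the decision needs."""
    roles: dict = field(default_factory=dict)        # role name -> can_write
    users: dict = field(default_factory=dict)        # user name -> User
    cert_users: dict = field(default_factory=dict)   # client cert thumbprint -> user name

    def configured(self) -> bool:
        return bool(self.users or self.roles)


def can_write(cfg: UsersAndRoles,
              user_token: Optional[Tuple[str, str]] = None,
              client_cert_thumbprint: Optional[str] = None) -> bool:
    """Return True if this session is granted write privileges."""
    if not cfg.configured():
        # No users and roles assigned: every client gets write privileges.
        # This is the fail-open default; an empty configuration is not a locked-down one.
        return True
    if user_token is not None:
        name, password = user_token
        user = cfg.users.get(name)
        if user is None or not user.check_password(password):
            return False                    # token rejected: no privileges
        return cfg.roles.get(user.role, False)
    if client_cert_thumbprint is not None:
        # Clients without user-token support: privileges follow the user that the
        # application certificate is associated with.
        name = cfg.cert_users.get(client_cert_thumbprint)
        user = cfg.users.get(name) if name else None
        return cfg.roles.get(user.role, False) if user else False
    return False   # assumption: neither token nor mapped certificate means read-only


def example_config() -> UsersAndRoles:
    """Constructed configuration: one writing role, one read-only role, one mapped certificate."""
    cfg = UsersAndRoles(roles={"Operator": True, "Viewer": False})
    for name, role, pw in (("op1", "Operator", "correct horse"),
                           ("view1", "Viewer", "battery staple")):
        cfg.users[name] = User.create(name, role, pw)
    cfg.cert_users["AB12CD34"] = "op1"   # constructed thumbprint of a client certificate
    return cfg


if __name__ == "__main__":
    cfg = example_config()
    print("empty config, anonymous client:", can_write(UsersAndRoles()))
    print("op1 with password:", can_write(cfg, user_token=("op1", "correct horse")))
    print("mapped certificate:", can_write(cfg, client_cert_thumbprint="AB12CD34"))
```

The first branch is the one to check during commissioning: until at least one user and role is assigned, any client that can reach the endpoint and has a trusted certificate can write to every writable variable in the namespace. Certificate-mapped users are only as strong as the server's trusted store, so the Rejected-to-Trusted action in section 2.3 is also an authorization decision when such a mapping exists.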

4 Live Data Flow


The OPC DA server has traditionally been the live data provider for the WorkstationST application. After implementing the
OPC UA feature, the OPC DA server is still required for its SDI server, which provides live data to the Recorder, Modbus®,
GSM, the Alarm Scanner, and the WorkstationST Component Editor.
When the OPC UA feature is not enabled, EGD data is processed by the OPC DA server. When the OPC UA feature is
enabled, the OPC UA server processes EGD-consumed exchanges and produces WorkstationST-owned EGD exchanges. The
server then forwards the consumed exchanges to the OPC DA server through a Microsoft® WCF secure channel.
OPC UA client connections can be configured to add external OPC UA server variables to the OPC UA live namespace.
These variables, as well as plug-in variables, are provided through a WCF live list with a periodic update. Plug-in variables
are:

• Variables obtained by proxy
• Non-EGD variables obtained by an SDI connection to a controller
• OPC DA client connections to external OPC DA servers
Any variables configured in the WorkstationST Component Editor Variables tab are in the OPC DA or OPC UA server’s
namespace and can be cyclically moved to any other variable. When the OPC UA feature is enabled, variable mapping is
performed by the OPC UA server; otherwise the mapping is performed by the OPC DA server. There is a configuration rate at
which the mapping occurs. The following rules apply:

• The destination variable must be writable.
• The data type must match between the source and the destination of each mapped variable.

Note Consumed EGD devices and external OPC DA and OPC UA servers can limit the rate at which writes are allowed to
destination variables.



5 Alarm/Event
When alarms are included in the OPC UA server, the process can use significantly more memory. Because of this, alarms are
not included by default. Beginning with ControlST V07.02.07C, the configuration setting Include Alarms in OPC UA
Server can be enabled (set to True) to add alarms to the OPC UA server.

ToolboxST Configuration Setting, Include Alarms in OPC UA Server

A discrepancy between the ControlST alarm system and the OPC UA Alarm Standard is the number of states for analog
alarms. ControlST analog alarms can have H, HH, HHH, L, LL and LLL states. OPC UA Alarm Standard analog alarms can
only have H, HH, L and LL states. Therefore, the ControlST HH and HHH states are mapped to the OPC UA HH level and
the ControlST LL and LLL states are mapped to the OPC UA LL level.

Note Although the alarm state on the OPC UA client displays as HI HI even when the alarm is HHH, the description of the
alarm will include the HHH alarm description from ControlST.

Normally, an OPC UA client only subscribes to receive alarm/event notifications. However, in addition to this, the OPC UA
server Address Space also includes the alarm definitions. Located within the Objects folder in the address space is an
_AllAlarms component that contains all of the alarm definitions.



6 Historical Data Access
The OPC UA server namespace contains a variable named HistorianSource. HistorianSource is an enumerated integer type
variable where a value of 0 = None, 1 = Recorder, and 2 = Historian. If the local WorkstationST computer has either the
Recorder or Historian feature enabled, the HistorianSource variable allows an OPC UA client to control the source of the
historical data for variables in the main server’s namespace. For example, if the variable G1.TNH is collected in both the
Recorder and the Historian, a client could set HistorianSource to Recorder so historical read requests would provide data from
the Recorder. A default value for clients that do not want to write to HistorianSource can be configured. This allows clients to
receive historical data from either the Recorder or the Historian without writing to HistorianSource.

6.1 External Historians


OPC HDA historian servers are configured on the OPC UA tab. Each external historian is given a name that is used as a
prefix for each variable in the server.
When the OPC UA server starts, it attempts to use an OPC HDA client to obtain the list of variables in the external historian
and add them to the OPC UA server namespace. Subsequent requests are sent to the external OPC HDA server.

6.2 Configure DCOM Settings


The OPC UA server and the OSI PI OPC HDA server both run under the SYSTEM account by default. The Proficy
Historian’s OPC HDA server defaults to run under the interactive user account. When configuring the external historian
connection in the OPC UA server settings, a client user is specified for access to the external historian. This same client user
must be configured in the DCOM settings for the external historian OPC HDA server to allow the OPC UA server to
communicate with the OPC HDA Server.

Note Refer to the WorkstationST OPC DA Server Instruction Guide (GEI-100621) and the WorkstationST OPC AE Server
Instruction Guide (GEI-100624) for additional settings information.



➢ To configure the PI OSI HDA server in DCOM
1. Run dcomcnfg.exe.
2. From the Component Services window, expand DCOM Config, right-click PI OSI HDA Server, and select
Properties.
3. Configure the user account.

Note On 64-bit operating systems, the PI OPC HDA Server may not display in the list of DCOM configurable objects. To
display the PI OSI DA Server and PI OSI HDA Server entries in dcomcnfg, run MMC /32 %windir%\syswow64\comexp.msc to
open the 32-bit version of the DCOM Configuration utility. The entries will permanently display.



4. From the Control Panel, double-click Administrative Tools, Services, and PI OPC HDA Server, then right-click
and select Properties.
5. Log on to the server account: from the Log On tab, select This account and enter the same user as the PI OSI HDA
Server.

The OPC UA server’s OPC HDA client must be set to run under the same user.

➢ To configure the OPC UA server’s OPC HDA client: from the WorkstationST Component Editor OPC UA
tab, select an External Historian item and in the Property Editor enter the User Name and User Password.

Note There is no corresponding DCOM identity setting for the OPC UA server.

Once the remote PI HDA server and the OPC UA server are running under the same user, and the DCOM settings for both
computers have been set, the OPC UA server displays variables from the PI server in the OPC UA Server tab Tree View
under the External Historians item.

Note The initial retrieval of the variable namespace for an external server can take a couple of minutes. The namespace is
populated after this initial retrieval.



The Proficy Historian HDA server must also be configured to run under the same user.

➢ To configure the Proficy Historian HDA server in DCOM


1. Run dcomcnfg.exe.
2. From the Component Services window, expand DCOM Config, right-click Proficy Historian HDA Server, and
select Properties.
3. Configure the user account.

From the Identity tab, select This user. It is recommended that this setting be configured as a valid Windows user (the
Windows user must be a member of the Administrators group). The system account (services only) option cannot be selected.

Note The Proficy OPC HDA Server does not run as a Service and does not require any user assignment in Services.
