Public Information
Document Updates
Revision | Location | Description
F | Overview; Live Data and Alarm/Event Subscriptions; Monitored Items; Alarm/Event | Added content for Alarm/Event Subscriptions
E | Application Certificate Sharing | Added this section with the procedure to share certificates between OPC UA client and server
D | OPC UA Communication | Removed obsolete server URL; only one URL can be used to access the WorkstationST OPC UA server. Removed obsolete discovery server URL
Note The OPC UA standard was created by the OPC Foundation. For more information, visit www.opcfoundation.org.
2 OPC UA Communication
An OPC UA client must have a URL to connect to a server. If the client is not configured with a URL, the client can access a
discovery server to obtain a URL. The WorkstationST OPC UA server is accessed using the following URL:
opc.tcp://<hostname>:64121/GeCssOpcUaServer
The <hostname> entry can be “localhost” or a valid host name or IP address.
The WorkstationST OPC UA server also registers itself with the OPC Foundation’s UA local discovery server, which is
installed with the WorkstationST application. The discovery server runs as a Windows® service. UA servers register with it
and UA clients can obtain a list of registered UA servers from it.
• Trender
• Test OPC UA client
• Configuration for the OPC UA client part of the OPC UA server
• Running the OPC UA client part of the WorkstationST OPC UA server, allowing data access for variables in external
OPC UA servers
When the client is first accessed, if the application is running as an administrator, the certificate is created and placed into the
correct store location. Otherwise, the user is prompted to allow the certificate to be created. It is then added to the correct
store location with a new process started as an administrator. The user may be required to enter credentials for this process.
The application certificates are kept in the Windows local machine certificate store. The WorkstationST Certificate Manager
is used to view, import, export and reissue certificates. The WorkstationST Certificate Manager is accessed from the
WorkstationST Status Monitor Tools menu.
Certificate Keys
An OPC UA application certificate has a public key needed by other applications to verify the application certificate. When
exported, the .der file contains the certificate and public key.
Each application certificate also contains a private key. When exported, the .pfx file contains the certificate and the public and
private keys. Typically, these are protected with a password when exported.
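The difference between the two export formats can be checked before a file leaves the machine. The following is an added example, not part of the original guide or of WorkstationST: it classifies a file by its outer ASN.1 structure so that a .pfx (which carries the private key) is not shared by mistake, and computes the SHA-1 thumbprint that can be compared on both machines before a certificate is trusted. The function names and sample bytes are assumptions constructed for illustration.

```python
import hashlib

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short-form length
        length, start = first, pos + 2
    else:                                   # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def classify_export(data):
    """Classify an exported file by its outer ASN.1 structure."""
    try:
        tag, start, end = _read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return "unknown"
        inner_tag, istart, iend = _read_tlv(data, start)
    except (ValueError, IndexError):
        return "unknown"
    if inner_tag == 0x30:                   # X.509: SEQUENCE { tbsCertificate SEQUENCE ...
        return "certificate"
    if inner_tag == 0x02 and data[istart:iend] == b"\x03":
        return "pkcs12"                     # PFX: SEQUENCE { version INTEGER 3 ...
    return "unknown"

def safe_to_share(data):
    """Only a bare certificate (public key) should leave the machine."""
    return classify_export(data) == "certificate"

def thumbprint(data):
    """SHA-1 over the DER bytes, the value Windows displays as Thumbprint."""
    return hashlib.sha1(data).hexdigest().upper()

# Constructed stand-ins: correct outer structure only, not real certificates or keys.
SAMPLE_DER = bytes.fromhex("3008" "30020500" "30020500")
SAMPLE_PFX = bytes.fromhex("3007" "020103" "30020500")

if __name__ == "__main__":
    for name, blob in (("client.der", SAMPLE_DER), ("client.pfx", SAMPLE_PFX)):
        print(name, classify_export(blob), safe_to_share(blob), thumbprint(blob))
```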
GetEndpoints Response: Contains the Application Instance Certificate, which the server provided from the Windows certificate store. The client validates this with certificates in its Windows certificate store.
Open Secure Channel Request: Contains the Client Application Certificate. The server validates this with the Windows certificate store.
Secure Channel Response
1. Select the WorkstationST Status Monitor tray icon to display the WorkstationST Status Monitor.
2. From the WorkstationST Status Monitor Tools menu, select Certificate Manager to display the WorkstationST
Certificate Manager.
3. From the Certificate Manager, click the Rejected toolbar icon to display a list of all rejected certificates.
4. From the Server node, select the OPC UA client’s certificate and click Trust Selected Certificates to trust it.
Attempt to connect the client to the OPC UA server again. At this point, when the viewer is started it should be able to talk to
the server.
Subscription Settings
Setting | Description
Publishing Interval | Specifies the client’s desired update rate
Keep-alive Count | Defines how many times the Publishing Interval needs to expire without available notifications before the server sends an empty message to the client that the server is still alive
Lifetime Count | Defines how many times the Publishing Interval expires without having a connection to the client. If the server cannot deliver notification messages after this time, it deletes the Subscription to clear the resources. The minimum Lifetime Count value must be three times the Keep-alive Count value.
Maximum Notifications per Publish | Defines the maximum number of notifications per message delivered to the client in a published response
Note The priority of the Subscription in the client is relative to other subscriptions created by the client.
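How the subscription settings interact is easier to see when stepped through one Publishing Interval at a time. The following is an added example, not code from the guide or from the WorkstationST server: a simplified model of the behavior the table describes, showing when data, keep-alive messages and subscription deletion occur. The function names and the sample cycle data are assumptions constructed for illustration.

```python
def timeouts_ms(publishing_interval_ms, keepalive_count, lifetime_count):
    """Longest silence before a keep-alive, and time until an orphaned subscription is deleted."""
    return (publishing_interval_ms * keepalive_count,
            publishing_interval_ms * lifetime_count)

def simulate(keepalive_count, lifetime_count, max_notifications, cycles):
    """Step the model once per Publishing Interval.

    cycles: list of (new_notifications, client_reachable) tuples, one per interval.
    Returns the server action taken in each interval.
    """
    if lifetime_count < 3 * keepalive_count:
        raise ValueError("Lifetime Count must be at least 3 x Keep-alive Count")
    queue = 0          # notifications waiting to be delivered
    idle = 0           # intervals expired with nothing to send
    unreachable = 0    # intervals expired without a connection to the client
    actions = []
    for new, reachable in cycles:
        queue += new
        if not reachable:
            unreachable += 1
            if unreachable >= lifetime_count:
                actions.append("delete-subscription")   # server frees the resources
                break
            actions.append("wait")
            continue
        unreachable = 0
        if queue:
            sent = min(queue, max_notifications)        # cap per Publish response
            queue -= sent
            idle = 0
            actions.append(f"data:{sent}")
        else:
            idle += 1
            if idle >= keepalive_count:
                idle = 0
                actions.append("keep-alive")            # empty message: server still alive
            else:
                actions.append("idle")
    return actions

if __name__ == "__main__":
    # Constructed input: a burst of 5 notifications, then silence.
    print(simulate(3, 9, 2, [(5, True)] + [(0, True)] * 5))
    # Constructed input: the client disappears and never returns.
    print(simulate(1, 3, 10, [(1, False)] * 5))
    print(timeouts_ms(1000, 3, 9))
```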
• Verify that the client’s application certificate is present in the server's trusted certificate store.
• Verify that the server’s certificate is present in the client's trusted certificate store. The WorkstationST OPC UA client
uses the Windows store. Others use a folder in the file system. Depending on the client, the server’s certificate can be
exported using the WorkstationST Certificate Manager and placed in the client’s trusted store.
Many clients, such as the WorkstationST OPC UA client, display a list of available servers when configuring a connection.
The OPC Foundation’s UA local discovery server obtains this list. If the list does not display, stop and restart the UA Local
Discovery Server (located in Windows services).
3 Client Privileges
Once a client is connected to the server, the client can log on with a user token if provided. The user must match a configured
ToolboxST user, and be assigned write privileges. If no users and roles are assigned in the ToolboxST configuration, all
clients are granted write privileges.
Clients that allow user token authentication send a token containing a user name and password. If the password can be
authenticated, the server associates the user with a matching user in the Users and Roles configuration. The client is then
granted privileges according to that user and its assigned role.
There is a configuration for clients that does not allow user token authentication. The OPC UA server associates a client
application certificate with a user in the Users and Roles configuration. When a client connects using one of these application
certificates, associated user privileges are granted.
Note Consumed EGD devices and external OPC DA and OPC UA servers can limit the rate at which writes are allowed to
destination variables.
A discrepancy between the ControlST alarm system and the OPC UA Alarm Standard is the number of states for analog
alarms. ControlST analog alarms can have H, HH, HHH, L, LL and LLL states. OPC UA Alarm Standard analog alarms can
only have H, HH, L and LL states. Therefore, the ControlST HH and HHH states are mapped to the OPC UA HH level and
the ControlST LL and LLL states are mapped to the OPC UA LL level.
Note Although the alarm state on the OPC UA client displays as HI HI even when the alarm is HHH, the description of the
alarm will include the HHH alarm description from ControlST.
Normally, an OPC UA client only subscribes to receive alarm/event notifications. However, in addition to this, the OPC UA
server Address Space also includes the alarm definitions. Located within the Objects folder in the address space is an
_AllAlarms component that contains all of the alarm definitions.
Note Refer to the WorkstationST OPC DA Server Instruction Guide (GEI-100621) and the WorkstationST OPC AE Server
Instruction Guide (GEI-100624) for additional settings information.
Note On 64-bit operating systems, the PI OPC HDA Server may not display in the list of DCOM configurable objects. To
display the PI OSI DA Server and PI OSI HDA Server entries in dcomcnfg: Run MMC /32 %windir%\syswow64\comexp.msc
to open the 32-bit version of the DCOM Configuration utility. The entries will permanently display.
The OPC UA server’s OPC HDA client must be set to run under the same user.
➢ To configure the OPC UA server’s OPC HDA client: from the WorkstationST Component Editor OPC UA
tab, select an External Historian item and in the Property Editor enter the User Name and User Password.
Note There is no corresponding DCOM identity setting for the OPC UA server.
Once the remote PI HDA server and the OPC UA server are running under the same user, and the DCOM settings for both
computers have been set, the OPC UA server displays variables from the PI server in the OPC UA Server tab Tree View
under the External Historians item.
Note The initial retrieval of the variable namespace for an external server can take a couple of minutes. The namespace is
populated after this initial retrieval.
From the Identity tab, select This user. The system account (services only) option cannot be selected.
It is recommended that this setting be configured as a valid Windows user. (Windows user must be a member of the administrators group.)
Note The Proficy OPC HDA Server does not run as a Service and does not require any user assignment in Services.