Content Type Support Article

Article # 000034386

Title Citect / Plant SCADA OPC UA client cannot connect to an OPC UA server when running as a service.

Legacy DocId

Confidence Expert Reviewed

Published On 12/10/2022

ISSUE
You configure Citect / Plant SCADA to run as a service. One or more of your IO devices are using the OPC UA client driver to connect to equivalent OPC UA servers. After configuring the OPC UA client driver to run as a service as well, you are not able to establish a connection with the OPC UA server.

Connection to the OPC UA server is successful when running in application mode.

In the syslog file of the IO server there is no entry pointing to a specific issue, just the error message below:
[ERROR] [CORE ] [0x0b68] [IOServer ] [(GLOBAL) ] [ErrorLog() ] [errlog.cpp ] [266 ] Error: Unit offline UINIT 000c PORT1_BOARD1 IODevUA Error_in_CMD-3 16 Generic 000012 Driver 00000023 (0x00000017)

ENVIRONMENT

Applies to:

Citect SCADA 2016 onwards (v8.xx)

Plant SCADA 2020 R2 (v8.30)

RESOLUTION

To correct this issue, follow the steps below:

1. Check that the user running Citect /Plant SCADA as a service is a member of the Citect.Driver.Users Windows Local Group. This user will be the NT SERVICE\Citect Runtime Manager for Plant SCADA 2020 R2 or any Windows user for Citect SCADA (Figure 1 below).

Figure 1: Members of the Citect.Driver.Users Windows Local Group.

2. Open the Windows Local computer Certificate store by typing certlm.msc on the Windows search bar.
3. Go to the Personal Store and select the OPC UA Client Certificate, which is by default the Citect / Plant SCADA OPC UA Client Driver certificate.
4. Right Click on the certificate and select All Tasks > Manage Private Keys... (Figure 2 below).

Figure 2: Manage private Keys.

5. Make sure that the group Citect.Driver.Users is listed in the Groups/Users assigned with permissions for the private key of the certificate (Figure 3 below).

Figure 3: Permisssions for Citect / Plant SCADA OPC UA Client Driver private key.

CAUSE

The issue can be due to the rights a user has on the Citect / Plant SCADA OPC UA Client Certificate which is used by default to authenticate the OPC UA client with the OPC UA server. check the persmissions

You can encounter the problem in the following cases:

1. When you are running as a service a Citect SCADA version and you are using another user rather than the default user running the processes, which is the Local System Account (SYSTEM user).
2. When you are running as a service Plant SCADA 2020 R2 and using the virtual user NT SERVICE\Citect Runtime Manager, which is the default setting and needs to be kept like that in order to use encryption.

By default, when you are running the Configurator to set up the OPC UA Client Driver, when the Plant SCADA I/O process is configured to run as a service, you need to select the option The driver process will run as a service. In that case the Configurator will add the Runtime Manager service account to the Citect.Driver.Users group.

If the user running Citect / Plant SCADA as a service is not a member of the Citect.Driver.Users or the Citect.Driver.Users is missing from the Security Configuration for the permissions on the Citect / Plant SCADA OPC UA Client Certificate private key, then you can encounter the aforementioned problem.

Terms of Use| Privacy Policy

© 2022 AVEVA Group plc and its subsidiaries.All rights reserved.