Configure a GDS-signed Certificate

OPC UA Certificate Configuration dialog box

After starting the OPC UA Security Configuration from the CIMPLICITY Workbench, the CIMPLICITY OPC UA Certificate Configuration dialog box appears.

The features are described in the following table:

Field                  Description
Use GDS                Check box, selected by default. Leave it selected to create a GDS-signed certificate.
Enable Security        Button that sets up secure OPC UA communications using certificates.
                       Note: Enable security only while the CIMPLICITY project is not running, because the certificates cannot be updated while the project is running.
Display area           Shows the progress and the results after the Enable Security button is clicked.
Check Status           When using GDS, click to check the status of pending certificate requests.
Advanced               Button that opens the GDS Agent Panel, where you can view and select configuration options.
Server Host Name box   Selects the host name that is being configured. Available only for projects with Server Redundancy enabled.
Clear Trust List       Check box that clears the current Trust List before the GDS-assigned Trust List is installed. If cleared, the GDS-assigned Trust List is added to the existing Trust List, so previously trusted certificates remain trusted.
Toggle Log             Toggles the Configuration Log window on and off.
Close                  Closes this page.

Advanced Configuration

If you need to view or modify registration, certificate, or trust list information, click Advanced to open the GDS Agent Panel.

The button bar along the top of the page is used to create an application with default values, load an application from a file, save the current application file, connect to the GDS, disconnect from the GDS, and edit the settings for the agent.

The Registration tab is used to view and select information that allows you to register the current application with the current GDS.

The Certificate Management tab is used to view and select information that allows you to create a certificate for the current application.

The Trust List tab displays information for the locally cached Trust List and the GDS assigned Trust List.

Remotely Manage CIMPLICITY OPC UA Server Certificate

The OPC UA Server in CIMPLICITY supports remote OPC UA security configuration. The following steps use a GDS Agent to push a GDS-signed certificate to a CIMPLICITY OPC UA Server and to replace the OPC UA server trust list with the GDS trust list.

  1. In the Project Properties dialog box, enable the OPC UA Server component.
  2. Ensure at least one CIMPLICITY user has the OPC UA server admin permissions in its role.
  3. Start the CIMPLICITY project.
  4. Launch GDS Agent, and create a new application by selecting the CIMPLICITY server.
  5. Register the application.
  6. Select the ‘Use Push Interface’ option.
  7. Switch to the Certificate Management tab.
  8. Click the Sign Certificate button.
  9. Enter the username/password of a CIMPLICITY user with OPC UA server admin permissions.
  10. If the OPC UA server does not yet trust the GDS Agent, the push fails with a message saying that the OPC UA server does not trust the GDS Agent. The server has placed the agent's certificate in <CIMPLICITY project folder>/pki/rejected; move it to <CIMPLICITY project folder>/pki/trusted/certs so that the OPC UA server trusts the GDS Agent. Before moving any file out of pki/rejected, confirm that it really is the agent's certificate (compare its thumbprint with the agent's own certificate), because every certificate in trusted/certs is accepted for secure channel establishment with the server.
  11. Click the Push Certificate button to push the signed public key certificate to the OPC UA server.
    Note: When the push certificate operation completes, the OPC UA server is restarted remotely, which may briefly interrupt communication.
  12. Switch to the Trust List tab.
  13. Click the Replace with GDS button.
  14. Click the Push Trust List button.

    The CIMPLICITY OPC UA server now has a CA-issued certificate and allows secure connections from any other application with a certificate issued by the same CA.
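Step 10 above asks you to move the GDS Agent's certificate out of pki/rejected by hand. Because anything placed in pki/trusted/certs is trusted from then on, it is worth doing that move only after checking the thumbprint. The following PowerShell script is an added example, not part of CIMPLICITY or of its documentation: it lists every certificate the server has rejected, shows subject, thumbprint and validity, and moves exactly the one whose SHA-1 thumbprint you pass on the command line. The project path C:\CIMPLICITY\Projects\Demo is a hypothetical default; the thumbprint is assumed to have been read from the GDS Agent's own certificate beforehand.

```powershell
# Added example (not CIMPLICITY's own tooling). Moves one GDS Agent certificate
# from <project>\pki\rejected to <project>\pki\trusted\certs after a thumbprint check.
# Usage: .\Trust-GdsAgent.ps1 -ExpectedThumbprint 'AB:CD:...' [-ProjectDir 'C:\...']
param(
    [string]$ProjectDir = 'C:\CIMPLICITY\Projects\Demo',   # hypothetical default project folder
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
)

$rejected = Join-Path $ProjectDir 'pki\rejected'
$trusted  = Join-Path $ProjectDir 'pki\trusted\certs'

# Normalise the thumbprint: strip colons/spaces, upper-case, must be 40 hex digits (SHA-1 over the DER).
# .NET's X509Certificate2.Thumbprint is the same SHA-1-over-DER value OPC UA uses.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 40) { throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$ExpectedThumbprint'" }
if (-not (Test-Path $rejected)) { throw "Rejected store not found: $rejected" }

# Show everything the server has refused so far; unexpected entries are worth a look on their own.
$candidates = Get-ChildItem -Path $rejected -File | Where-Object { $_.Extension -in '.der', '.cer', '.crt' }
$hits = @()
foreach ($file in $candidates) {
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
    } catch {
        Write-Warning "Skipping unreadable file $($file.Name): $_"
        continue
    }
    $status = if ($cert.Thumbprint -eq $expected) { 'MATCH' } else { 'leave' }
    '{0,-5} {1}  {2}  valid {3:u} to {4:u}  ({5})' -f $status, $cert.Thumbprint, $cert.Subject, $cert.NotBefore, $cert.NotAfter, $file.Name
    if ($status -eq 'MATCH') {
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Matching certificate has already expired; the push will still fail." }
        $hits += $file
    }
}

# Refuse to act unless exactly one file matches: never trust a store wholesale.
if ($hits.Count -ne 1) {
    throw "Expected exactly one certificate with thumbprint $expected in $rejected, found $($hits.Count). Nothing moved."
}

New-Item -ItemType Directory -Path $trusted -Force | Out-Null
Move-Item -Path $hits[0].FullName -Destination $trusted
Write-Host "Moved $($hits[0].Name) to $trusted. Retry Sign Certificate / Push Certificate in the GDS Agent."
```

The script deliberately moves one file and nothing else; if two files carry the same thumbprint, or none does, it stops so the operator can look at the store rather than trusting whatever happens to be there.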

Create GDS-signed Certificate

With the Use GDS check box selected, click Enable Security on the CIMPLICITY OPC UA Certificate Configuration dialog box.

Result: The OPC UA Security tool performs the necessary steps for interacting with GDS.

The OPC UA Security tool:

  1. Registers CIMPLICITY with the GDS.
  2. Creates a self-signed certificate for CIMPLICITY.
  3. Requests that the GDS sign the certificate.
  4. Replaces or updates the existing trust list.

Success: CIMPLICITY can now communicate securely with any other OPC UA application that has a GDS-signed certificate and is trusted by the GDS.

Issues: The operation can fail for many reasons. If it does, do the following:

  1. Click either of the following to view a Log file for data about the operation.
    • Toggle Log button.
    • Log hyper link after each action.
  2. If you log in with Super User credentials rather than Administrator credentials, the certificate request must be approved by an Administrator on the GDS server, and the remaining steps are not completed until the request is approved. Click Check Status to see whether the request has been accepted or rejected.
Note: Clicking the Advanced button will open the GDS Agent Panel, where you can find detailed help about the Global Discovery Server and Global Discovery Agent.

Clear GDS Credentials

For security purposes, you can clear out GDS credentials so they will not be saved on the CIMPLICITY disk.

Select GDS>Clear GDS Credentials on the CIMPLICITY OPC UA Certificate Configuration dialog box menu bar.

Result: The GDS credentials are cleared from the CIMPLICITY machine; you will need to provide credentials the next time CIMPLICITY connects to the Global Discovery Server.