Secure Connections to OPC UA Endpoints

Use the GE HMI Server Configuration Manager to discover and configure CIMPLICITY OPC UA endpoints. An endpoint is the server found at the discovery URL (Uniform Resource Locator).

To establish a secure connection, an OPC UA endpoint and Web HMI client must be able to identify and accept each other's digital certificate. Use this procedure to check the authenticity of both certificates and test the connectivity to the OPC UA endpoint.

During this procedure, you enter a Discovery URL, select an endpoint (found at the Discovery URL), and then select the security settings for Web HMI to use when establishing a data connection with this endpoint.

In CIMPLICITY, verify the GE Web HMI server information was set up in Project Properties > OPC UA Server > Web HMI Configuration.
Note: Web HMI supports standard OPC UA architecture and was qualified with a CIMPLICITY OPC UA server.
  1. In the GE HMI Server Configuration Manager, select the OPC UA Endpoints tab.
  2. Select Add.
  3. Select a discovery method for your OPC UA server endpoints from the top right drop-down menu:
    Direct: Discovers the endpoint of an OPC UA server (default, recommended). To use this discovery method, you must know the location of the OPC UA endpoint.
    Local Network: Retrieves all OPC UA endpoints within your local network.
    Directory: Retrieves all OPC UA endpoints that are registered with a Global Discovery Server (GDS).
  4. Type the discovery URL in the Discovery URL field and select Discover.
    • If you selected the Local Network discovery method, leave the Discovery URL entry as opc.tcp://localhost.
    • If you selected the Directory discovery method, you may be prompted to trust the GDS certificate before continuing. If the Server Certificate window appears with the option to trust the certificate, click Trust and Close. Select Discover again to continue with the discovery process.
    The discovery results appear on the screen in a tree structure consisting of these three categories:
    Discovery URL: The entry that you typed into the Discovery URL field. The screenshot at this point shows an example of a Direct URL.
    OPC UA Servers: Endpoints found at the specified Discovery URL. Each endpoint entry consists of the application name and URN (Uniform Resource Name). The screenshot at this point shows an example of the discovered CIMPLICITY endpoint found at the above URL.
    Endpoint Security Configuration: Each endpoint supports a combination of security configurations ranging from none (None-None) to digitally signed and encrypted (SignAndEncrypt - Basic256Sha256). The screenshot at this point shows the security options you can define for the above CIMPLICITY endpoint.
  5. Expand the Discovery URL results and select the endpoint.
    The security options appear for the selected endpoint.
  6. Select the appropriate security policy and mode for this connection. The None-None option creates an unsecure connection.
  7. Check the connectivity to the endpoint by selecting Server Credentials.
  8. In the Server Credentials window, enter the user name and password for the server.
    When you first enter a value in the password field, you can view the entry in plain text by selecting Show. The Show button is only enabled when a value is entered into the password field. For security purposes, if you navigate away from this window, or if the GE HMI Server Configuration Manager has read a saved password from a configuration file, the Show button is disabled.
  9. For Web HMI to use credentials of the logged-in user when writing values or acknowledging alarms, check the Use logged-in Web HMI credentials for data writes and alarm acknowledgment box. If unchecked, Web HMI uses the credentials specified here.
  10. Select Test.
    A Log window appears to the right of the application displaying diagnostic information for resolving connectivity issues between Web HMI and the OPC UA server. You can encounter these issues during a connection attempt:
    Certificate Validation Failed: When the Server Certificate window appears with the certificate information:
    1. If satisfied with the authenticity of the certificate, select Trust to save the certificate in the ProgramData\Proficy\WebHMI\DataServices\pki\trusted\certs folder on the Web HMI client.
    2. Once the certificate is trusted, select Close.
    3. Select Test again to verify that the client accepted the endpoint certificate.
    Bad Security Checks Failed: If the log indicates a failed connection to the endpoint because the client certificate is in a rejected state:
    1. From the endpoint's <project folder>\pki\rejected, copy the rejected client certificate into <project folder>\pki\trusted\cert.
    2. Select Test again to verify the endpoint accepted the client certificate.
    Bad Identity Token Rejected: If the log indicates a failed connection to the endpoint because of a bad identity token:
    1. Verify that you entered the correct user name.
    2. Verify that you entered the correct password by selecting the Show button or re-entering the password.
    3. Confirm that the user account is enabled and exists in the OPC UA server user account list.
    4. Select Test again to verify the endpoint accepted the user name and password that you entered.
  11. Optional: To use the Local Network filter:
    1. Select Edit Filters.
    2. In the Max Records field, define the limit for the number of endpoints returned when you select the Discover button. Note that the GE HMI Server Configuration Manager combines endpoints from the same server. As a result, the number of items appearing in the list may be less than expected given the specified Max Records value.
  12. Optional: To use the Directory filters:
    1. Select Edit Filters.
    2. In the Max Records field, define the limit for the number of endpoints returned when you select the Discover button. Note that the GE HMI Server Configuration Manager combines endpoints from the same server. As a result, the number of items appearing in the list may be less than expected given the specified Max Records value.
    3. In the Server Name field, enter the human-readable name of the server to use in the endpoint search. You can use the % wildcard.
    4. In the Server URI field, enter the global unique identifier of the server instance to use in the endpoint search. You can use the % wildcard.
    5. In the Product URI field, enter the global unique product identifier to use in the endpoint search. You can use the % wildcard.
    6. Select the Capabilities box to select from a list of OPC UA features. These capabilities limit results to endpoints supporting the selected OPC UA features. For example, the "provides historical alarms and events" selection returns only endpoints that support alarms.
    Note: Not all endpoints publish their capabilities to the directory, and an NA (not available) is returned when endpoints do not provide this information.
  13. Select OK and then Save.
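As an added example (not GE's or CIMPLICITY's code), the Python script below automates two checks behind steps 6 and 10: choosing the endpoint with the strongest security mode and policy from discovery results, and moving a client certificate from pki\rejected to pki\trusted\certs only after its thumbprint matches a value confirmed out of band. The endpoint records, the certificate bytes and the directory layout are constructed sample data; the mode names and policy URIs are the standard OPC UA ones.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# OPC UA Part 4 MessageSecurityMode names and standard policy URIs, ranked weakest to strongest.
MODE_RANK = {"None": 1, "Sign": 2, "SignAndEncrypt": 3}
POLICY_RANK = {
    "http://opcfoundation.org/UA/SecurityPolicy#None": 0,
    "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15": 1,
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256": 2,
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256": 3,
    "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss": 4,
}

def pick_endpoint(endpoints, allow_none=False):
    """Return the endpoint dict with the strongest (mode, policy) pair, or None.
    None-None endpoints are unsigned and unencrypted, so they are skipped by default."""
    usable = [e for e in endpoints
              if allow_none or (e["mode"] != "None" and POLICY_RANK[e["policy"]] > 0)]
    if not usable:
        return None
    return max(usable, key=lambda e: (MODE_RANK[e["mode"]], POLICY_RANK[e["policy"]]))

def thumbprint(cert_path):
    """SHA-1 thumbprint of a DER file, as the Windows certificate viewer displays it."""
    return hashlib.sha1(Path(cert_path).read_bytes()).hexdigest().upper()

def promote_rejected_cert(pki_dir, cert_name, expected_thumbprint):
    """Move pki/rejected/<cert_name> to pki/trusted/certs/ only if the thumbprint
    matches the value confirmed out of band with the client's operator."""
    src = Path(pki_dir) / "rejected" / cert_name
    if thumbprint(src) != expected_thumbprint.replace(":", "").upper():
        return False  # not the certificate we expected: leave it rejected
    dst = Path(pki_dir) / "trusted" / "certs" / cert_name
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dst))
    return True

def demo_promotion():
    """Constructed pki tree in a temp dir: a wrong thumbprint leaves the certificate
    rejected, the right one trusts it. Returns (still_rejected, now_trusted)."""
    pki = Path(tempfile.mkdtemp()) / "pki"
    (pki / "rejected").mkdir(parents=True)
    cert = pki / "rejected" / "WebHMI.der"
    cert.write_bytes(b"constructed sample bytes, not a real certificate")
    wrong = promote_rejected_cert(pki, "WebHMI.der", "00" * 20)
    still_rejected = (not wrong) and cert.exists()
    right = promote_rejected_cert(pki, "WebHMI.der", thumbprint(cert))
    return still_rejected, right and (pki / "trusted" / "certs" / "WebHMI.der").exists()
```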