Use GDS Certificates for Web HMI Clients

Use the GE HMI Server Configuration Manager to register with the Global Discovery Server (GDS) and use the certificates provided by GDS to establish a trusted relationship between Web HMI clients and OPC UA endpoints.

You must enable GDS security and register your project with a GDS in CIMPLICITY.
  1. In the GE HMI Server Configuration Manager, select the OPC UA Client tab.
  2. Set up the GDS server connection by selecting the Use GDS check box.
  3. Enter the URL, user name, and password of the GDS server.
    When you first enter a value in the password field, you can view the entry in plain text by selecting Show. The Show button is only enabled when a value has been entered in the password field. For security purposes, if you navigate away from this window, or if the GE HMI Server Configuration Manager has read a saved password from a configuration file, the Show button is disabled.
  4. Select Test to confirm a connection can be established with the GDS. A Log window appears to the right of the application displaying information relevant to diagnosing connectivity issues between Web HMI and GDS.
    You can encounter these issues during a connection attempt:
    Certificate Validation Failed: When the Server Certificate window appears with the certificate information:
    1. From the endpoint's <project folder>\pki\rejected folder, copy the rejected client certificate into <project folder>\pki\trusted\cert.
    2. Once the certificate is trusted, select Close.
    3. Select Test again to verify that the client accepted the endpoint certificate.
    Bad Security Checks Failed: If the log indicates a failed connection to the endpoint because the client certificate is in a rejected state:
    1. From the endpoint's <project folder>\pki\rejected folder, copy the rejected client certificate into <project folder>\pki\trusted\cert.
    2. Select Test again to verify the endpoint accepted the client certificate.
    Bad Identity Token Rejected: If the log indicates a failed connection to the endpoint because of a bad identity token:
    1. Verify that you entered the correct user name.
    2. Verify that you entered the correct password by selecting the Show button or re-entering the password.
    3. Confirm that the user account is enabled and exists in the OPC UA server user account list.
    4. Select Test again to verify the endpoint accepted the user name and password that you entered.
  5. Select Ok on the Configure GDS window.
  6. Select Enable Security.
    This begins the process of registering the Web HMI client with GDS for the first time. After this first GDS registration, you can re-register the client by enabling Use GDS and selecting Enable Security.
    The Task panel shows the status of the GDS registration and certificate creation process:
    1. Creates a self-signed certificate.
    2. Authenticates Web HMI with GDS using the GDS URL, user name, and password.
    3. If authentication is successful, registers Web HMI as an OPC UA application.
    4. Creates a GDS signed certificate for Web HMI.
    5. Generates a certificate trust list that contains all GDS trusted servers and clients.
  7. Select Save to save the ID created by GDS during the above registration process.
    This ID is used to check whether Web HMI was previously registered with GDS.
    Note: Every time you re-register with the same GDS, the GE HMI Server Configuration Manager asks you to re-trust the GDS certificate. For security purposes, the server certificate is removed at the end of the registration process.
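The Certificate Validation Failed and Bad Security Checks Failed steps above promote a certificate by copying it from the pki\rejected folder into pki\trusted\cert. Anything that lands in the rejected folder is a candidate for that copy, so a careful operator confirms the certificate's thumbprint against a value obtained out of band (for example, read from the endpoint's own configuration tool) before trusting it. The script below is an added example, not GE or CIMPLICITY code: it assumes the <project folder>\pki\rejected and <project folder>\pki\trusted\cert layout described on this page, that certificate files are DER encoded, and that the thumbprint is the SHA-1 hash of the DER bytes (the OPC UA convention). The function and file names, and the demo certificate bytes, are constructed for illustration.

```python
"""Promote a rejected OPC UA certificate to the trusted store only after its
thumbprint matches a value confirmed out of band (added example, not GE code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def thumbprint(der_bytes: bytes, algorithm: str = "sha1") -> str:
    """Hex thumbprint of a DER-encoded certificate.

    OPC UA thumbprints are the SHA-1 hash of the DER bytes; pass "sha256"
    if the out-of-band value you were given is a SHA-256 fingerprint."""
    return hashlib.new(algorithm, der_bytes).hexdigest().upper()


def promote_rejected(project: Path, cert_name: str, expected_thumbprint: str) -> bool:
    """Move <project>/pki/rejected/<cert_name> into <project>/pki/trusted/cert/
    only when its SHA-1 thumbprint equals expected_thumbprint.

    Returns True if the file was promoted, False if the thumbprint did not
    match (the file is left in the rejected folder untouched)."""
    rejected = project / "pki" / "rejected" / cert_name
    trusted_dir = project / "pki" / "trusted" / "cert"
    if not rejected.is_file():
        raise FileNotFoundError(rejected)

    # Normalise the operator-supplied value: strip colon/space separators, upper-case.
    expected = expected_thumbprint.replace(":", "").replace(" ", "").upper()
    actual = thumbprint(rejected.read_bytes())
    if actual != expected:
        return False

    trusted_dir.mkdir(parents=True, exist_ok=True)
    shutil.move(str(rejected), str(trusted_dir / cert_name))
    return True


def demo() -> dict:
    """Exercise both outcomes in a throwaway project folder.

    The certificate bytes are a constructed placeholder, not a real DER
    certificate; only their hash matters for the thumbprint check."""
    fake_der = b"\x30\x82\x01\x00 constructed placeholder, not a real certificate"
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp)
        rejected_dir = project / "pki" / "rejected"
        rejected_dir.mkdir(parents=True)
        (rejected_dir / "endpoint.der").write_bytes(fake_der)

        wrong = "00" * 20                      # a thumbprint that cannot match
        good = thumbprint(fake_der)            # the value an admin would confirm out of band

        mismatch_promoted = promote_rejected(project, "endpoint.der", wrong)
        still_rejected = (rejected_dir / "endpoint.der").exists()
        match_promoted = promote_rejected(project, "endpoint.der", good)
        present_in_trusted = (project / "pki" / "trusted" / "cert" / "endpoint.der").exists()

        return {
            "mismatch_promoted": mismatch_promoted,
            "still_rejected_after_mismatch": still_rejected,
            "match_promoted": match_promoted,
            "present_in_trusted": present_in_trusted,
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a real project folder by calling promote_rejected with the project path, the file name shown in pki\rejected, and the thumbprint confirmed with the endpoint's administrator; a False return means the file in the rejected folder is not the certificate you expected, and the Test step on this page should not be repeated until that is resolved.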