WorkstationST* OPC® UA Server - digitalsupport.ge.com



GEI-100828E

WorkstationST* OPC® UA Server Instruction Guide

These instructions do not purport to cover all details or variations in equipment, nor to provide for every possible contingency to be met during installation, operation, and maintenance. The information is supplied for informational purposes only, and GE makes no warranty as to the accuracy of the information included herein. Changes, modifications, and/or improvements to equipment and specifications are made periodically and these changes may or may not be reflected herein. It is understood that GE may make changes, modifications, or improvements to the equipment referenced herein or to the document itself at any time. This document is intended for trained personnel familiar with the GE products referenced herein.

Public – This document is approved for public disclosure.

GE may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not provide any license whatsoever to any of these patents.

GE provides the following document and the information included therein as is and without warranty of any kind, expressed or implied, including but not limited to any implied statutory warranty of merchantability or fitness for particular purpose.

For further assistance or technical information, contact the nearest GE Sales or Service Office, or an authorized GE Sales Representative.

Revised: Jan 2018
Issued: May 2012

© 2012 - 2018 General Electric Company.

* Indicates a trademark of General Electric Company and/or its subsidiaries. All other trademarks are the property of their respective owners.

We would appreciate your feedback about our documentation. Please send comments or suggestions to [email protected]

For public disclosure


Document Updates

Revision | Location | Description
E | Application Certificate Sharing | Added this section with the procedure to share certificates between OPC UA client and server
D | OPC UA Communication | Removed obsolete server URL (only one URL can be used to access the WorkstationST OPC UA server); removed obsolete discovery server URL

Acronyms and Abbreviations

AE    Alarm and Event
DA    Data Access
GSM   GE Standard Messages
HDA   Historical Data Access
OPC   A standard for data exchange in the industrial environment
SDI   System Data Interface
UA    Unified Architecture
URI   Uniform Resource Identifier
URL   Uniform Resource Locator
WCF   Windows Communication Foundation


Contents

1 Overview ........ 4
2 OPC UA Communication ........ 4
2.1 Application Certificates ........ 4
2.2 Client/Server Connection Sequence ........ 6
2.3 Application Certificate Sharing ........ 7
2.4 Live Data Subscriptions ........ 8
2.5 Troubleshooting ........ 9
3 Client Privileges ........ 9
4 Live Data Flow ........ 9
5 Historical Data Access ........ 10
5.1 External Historians ........ 10
5.2 Configure DCOM Settings ........ 10


1 Overview

OPC® Unified Architecture (OPC UA) is a standard created by the OPC Foundation (www.opcfoundation.org). OPC UA combines the older standards of OPC DA (Data Access), OPC AE (Alarm and Event), and OPC HDA (Historical Data Access) into one interface. Additionally, the UA standard provides Historical Alarm and Event access. An OPC UA server implementation can include all or part of these features. The WorkstationST* OPC UA server feature also provides DA reading and writing, and HDA reading features.

2 OPC UA Communication

An OPC UA client must have a URL to connect to a server. If the client is not configured with the URL, the client can access a discovery server to obtain the URL. The WorkstationST OPC UA server is accessed using the following URL:

opc.tcp://<hostname>:64121/GeCssOpcUaServer

The <hostname> entry can be “localhost” or a valid host name or IP address.

The WorkstationST OPC UA server also registers itself with the OPC Foundation's UA local discovery server, installed with the WorkstationST application. The discovery server runs as a Windows® service. UA servers register with it and UA clients can obtain a list of registered UA servers from it.

2.1 Application Certificates

The OPC UA client and server each own an X509 application certificate. These certificates are created and added to a certificate store when the client or server is installed, when the client application is first run, or through a vendor-supplied utility.

Creating a client certificate and adding it to the certificate store requires administrative privileges. The OPC UA client is used in the following:

• Trender
• Test OPC UA client
• Configuration for the OPC UA client part of the OPC UA server
• Running the OPC UA client part of the WorkstationST OPC UA server, allowing data access for variables in external OPC UA servers

When the client is first accessed, if the application is running as an administrator the certificate is created and placed into the correct store location. Otherwise, the user is prompted to allow the certificate to be created. It is then added to the correct store location with a new process started as an administrator. The user may be required to enter credentials for this process.

The application certificates are kept in the Windows local machine certificate store. The WorkstationST Certificate Manager is used to view, import, export and reissue certificates. The WorkstationST Certificate Manager is accessed from the WorkstationST Status Monitor Tools menu.


The following figure displays five certificates, including one for the OPC UA client and one for the OPC Foundation's UA Local Discovery Server.

Certificate Keys

An OPC UA application certificate has a public key needed by other applications to verify the application certificate. When exported, the .der file contains the certificate and public key.

Each application certificate also contains a private key. When exported, the .pfx file contains the certificate and the public and private keys. Typically, these are protected with a password when exported.


2.2 Client/Server Connection Sequence

When an OPC UA client and server connect, both the client and the server application have an X509 certificate they own. For successful communication, both the OPC UA client and server must receive each other's certificate over the communication link and verify that it matches a certificate in the trusted store location. The OPC UA client and server use the Windows local machine certificate store as the trusted store, which is located within the folder UA Applications on the computer where they are running.

Client/Server Connection Sequence Diagram (text recovered from the figure)

Participants: Windows certificate store, WorkstationST OPC-UA server, OPC UA client (for example, the ControlST OPC UA client).

1. GetEndpoints Request (client to server).
2. GetEndpoints Response (server to client). Contains the Application Instance Certificate, which the server provided from the Windows certificate store. The client validates this with certificates in its Windows certificate store.
3. Open Secure Channel Request (client to server). Contains the Client Application Certificate. The server validates this with the Windows certificate store.
4. Secure Channel Response (server to client).

Annotations in the figure:

• WorkstationST OPC-UA server: at startup, if no certificate is found, one is added.
• ControlST OPC UA client *: at startup, if no certificate is found, one is added.
• Certificate Management Tool: allows viewing, deleting, importing, and exporting of UA Application Certificates from the Windows Store. (Can be used to reissue expired certificates or import and export certificates from one computer for use on another.)
• OPC UA client running as non-administrator user (for example, running in the Trender): certificate added by running an elevated privilege process.
• Install of Product.
• Client / Server connection sequence.


2.3 Application Certificate Sharing

When an OPC UA client uses a security profile other than None to connect to an OPC UA server, the server initially sends its application certificate back to the client (as illustrated in the figure Client/Server Connection Sequence Diagram). The client looks into its trusted store for the public certificate of the server. If the certificate is not found, some clients will prompt the user to trust the certificate, while others will place the certificate into a rejected store location. After the client trusts the server's public certificate and the client attempts to connect again, the second part of the communication calls for the client to send its public certificate to the server. If the server does not trust the certificate, the server will typically place the certificate into a rejected store.

ControlST OPC UA Client Trusting OPC UA Server Certificate

With the ControlST OPC UA client, which is used by the Trender and the OPC UA test client (accessed from the WorkstationST Component Editor's View menu), the user is prompted to trust the server's certificate if the server's certificate is not already trusted. The user must enter administrator credentials to trust the certificate (the trusting action requires administrator privileges on the computer).

ControlST OPC UA Server Trusting Client Certificate

➢➢ To trust the client certificate

Use the Certificate Manager to trust the client’s certificate on the server node.

1. Select the WorkstationST Status Monitor tray icon to display the WorkstationST Status Monitor.

2. From the WorkstationST Status Monitor Tools menu, select Certificate Manager to display the WorkstationST Certificate Manager.


3. From the Certificate Manager, click the Rejected toolbar icon to display a list of all rejected certificates.

4. From the Server node, select the OPC UA client’s certificate and click Trust Selected Certificates to trust it.

Attempt to connect the client to the OPC UA server again. At this point, when the viewer is started it should be able to talk to the server.
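The two validation points of the sequence in sections 2.2 and 2.3, modelled as an added example (not GE's code): the certificates are constructed byte strings standing in for DER data, the thumbprint is a SHA-1 over those bytes as Windows displays it, and the trusted and rejected stores are plain sets. It shows why a client certificate only lands in the server's rejected store on the second attempt, after the server's certificate has been trusted on the client.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded application certificates (not real X.509 data).
SERVER_DER = b"constructed DER bytes of the WorkstationST OPC UA server certificate"
CLIENT_DER = b"constructed DER bytes of the ControlST OPC UA client certificate"


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, which is what Windows shows as the certificate thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()


@dataclass
class CertStore:
    """One application's view of the Windows store: trusted and rejected thumbprints."""
    trusted: set = field(default_factory=set)
    rejected: set = field(default_factory=set)

    def validate(self, der: bytes) -> bool:
        """True if the certificate is trusted; otherwise it lands in the rejected store."""
        tp = thumbprint(der)
        if tp in self.trusted:
            return True
        self.rejected.add(tp)
        return False

    def trust_rejected(self, tp: str) -> None:
        """What 'Trust Selected Certificates' in the Certificate Manager does."""
        self.rejected.discard(tp)
        self.trusted.add(tp)


def connect(client_store: CertStore, server_store: CertStore,
            security_profile: str = "Basic256Sha256") -> str:
    """Walk the connection sequence and report where it stops."""
    if security_profile == "None":
        # Assumption of this model: with profile None neither side validates a certificate.
        return "connected without certificate validation"
    # 1. GetEndpoints response carries the server's certificate; the client validates it.
    if not client_store.validate(SERVER_DER):
        return "server certificate rejected by client"
    # 2. OpenSecureChannel request carries the client's certificate; the server validates it.
    if not server_store.validate(CLIENT_DER):
        return "client certificate rejected by server"
    return "secure channel established"


def walkthrough() -> list:
    """Three attempts: untrusted server cert, untrusted client cert, then success."""
    client = CertStore(trusted={thumbprint(CLIENT_DER)})   # each side trusts its own cert
    server = CertStore(trusted={thumbprint(SERVER_DER)})
    results = [connect(client, server)]
    client.trust_rejected(thumbprint(SERVER_DER))          # user accepts the prompt / imports the .der
    results.append(connect(client, server))
    server.trust_rejected(thumbprint(CLIENT_DER))          # Certificate Manager: Rejected -> Trust Selected
    results.append(connect(client, server))
    return results
```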

2.4 Live Data Subscriptions

OPC UA live data subscriptions are similar to OPC DA groups. They are added by a client once a secure channel session is established. A subscription contains a list of monitored items that represent a variable or a property of a variable.

Subscription settings include:

• Publishing Interval specifies the client's desired update rate.
• Keep-alive Count defines how many times the publishing interval needs to expire without available notifications before the server sends an empty message to the client that the server is still alive.
• Lifetime Count defines how many times the publishing interval expires without having a connection to the client. If the server cannot deliver notification messages after this time, it deletes the subscription to clear the resources. The minimum lifetime count must be three times the keep-alive count.
• Maximum Notifications per Publish defines the maximum number of notifications per message delivered to the client in a published response.
• Priority of the subscription in the client is relative to other subscriptions created by the client.

2.4.1 Monitored Items

After configuration, the client adds monitored items to the subscription. Each monitored item represents a variable and the following settings:

• Sampling Interval is the rate (in ms) at which the server checks for changes. A change that triggers a notification is defined by the filter. If -1 is used for the sampling interval, the publishing interval of the subscription is used for this setting. A client can over sample the value (sample more frequently) by setting the sampling interval to a smaller value than the publishing interval and the queue size to 1.

• Queue Size is the maximum number of values stored for the monitored item during a publishing interval. After each publishing interval, the server sends the values to the client.

• Filter is by default of the type trigger, with the trigger being either a changing value or status of the monitored item. The trigger can be set to notify on status change only, or can include status, value, and source time stamp changes. The filter can also have a deadband type and deadband value. The deadband type is either absolute or percent. If the type is percent, the variable's EURange must be configured (for ToolboxST application variables, display limits or format specification engineering units are used).
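An added example (not part of the guide) that applies the subscription and monitored-item rules of sections 2.4 and 2.4.1: the three-times-keep-alive lifetime rule, the -1 sampling interval, the trigger and deadband filter including the EURange requirement for a percent deadband, and a per-item queue. Discarding the oldest value when the queue is full is this example's assumption, not something the guide states.

```python
from dataclasses import dataclass


@dataclass
class Filter:
    """Monitored-item data change filter as described in section 2.4.1."""
    trigger: str = "status_value"       # "status", "status_value" or "status_value_timestamp"
    deadband_type: str = "none"         # "none", "absolute" or "percent"
    deadband_value: float = 0.0


def revise_lifetime_count(keep_alive_count: int, lifetime_count: int) -> int:
    """The guide's rule: the lifetime count is at least three times the keep-alive count."""
    return max(lifetime_count, 3 * keep_alive_count)


def effective_sampling_interval(requested_ms: float, publishing_interval_ms: float) -> float:
    """A sampling interval of -1 means 'use the subscription's publishing interval'."""
    return publishing_interval_ms if requested_ms == -1 else requested_ms


def passes_filter(f: Filter, last: tuple, new: tuple, eu_range=None) -> bool:
    """True when sample `new` (value, status, source_ts) must be reported, given the
    last reported sample `last`. eu_range is (low, high) and only needed for percent."""
    last_v, last_s, last_t = last
    new_v, new_s, new_t = new
    if new_s != last_s:                      # every trigger type reports a status change
        return True
    if f.trigger == "status":
        return False
    if f.trigger == "status_value_timestamp" and new_t != last_t:
        return True
    delta = abs(new_v - last_v)
    if f.deadband_type == "absolute":
        return delta > f.deadband_value
    if f.deadband_type == "percent":
        if eu_range is None:                 # percent deadband needs a configured EURange
            raise ValueError("percent deadband requires a configured EURange")
        low, high = eu_range
        return delta > (high - low) * f.deadband_value / 100.0
    return new_v != last_v


class MonitoredItem:
    """Sampled-value queue for one monitored item (oldest-discard policy is assumed)."""

    def __init__(self, queue_size: int, filt: Filter, eu_range=None):
        self.queue_size = max(1, queue_size)
        self.filter = filt
        self.eu_range = eu_range
        self.last = None        # last reported sample
        self.queue = []

    def sample(self, value, status, source_ts) -> int:
        """Called once per sampling interval; queue the sample only if the filter triggers."""
        new = (value, status, source_ts)
        if self.last is None or passes_filter(self.filter, self.last, new, self.eu_range):
            if len(self.queue) >= self.queue_size:
                self.queue.pop(0)                # queue full: drop the oldest value
            self.queue.append(new)
            self.last = new
        return len(self.queue)

    def publish(self) -> list:
        """Called once per publishing interval; return and clear the queued notifications."""
        out, self.queue = self.queue, []
        return out
```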


2.5 Troubleshooting

If a client is unable to connect to a server, perform the following checks:

• Verify that the client's application certificate is present in the server's trusted certificate store.
• Verify that the server's certificate is present in the client's trusted certificate store. The WorkstationST OPC UA client uses the Windows store. Others use a folder in the file system. Depending on the client, the server's certificate can be exported using the WorkstationST Certificate Manager and placed in the client's trusted store.

Many clients, such as the WorkstationST OPC UA client, display a list of available servers when configuring a connection. The OPC Foundation's UA local discovery server obtains this list. If the list does not display, stop and restart the UA Local Discovery Server (located in Windows services).

3 Client Privileges

Once a client is connected to the server, the client can log on with a user token if provided. The user must match a configured ToolboxST user, and be assigned write privileges. If no users and roles are assigned in the ToolboxST configuration, all clients are granted write privileges.

Clients that allow user token authentication send a token containing a user name and password. If the password can be authenticated, the server associates the user with a matching user in the Users and Roles configuration. The client is then granted privileges according to that user and its assigned role.

There is a configuration for clients that do not allow user token authentication. The OPC UA server associates a client application certificate with a user in the Users and Roles configuration. When a client connects using one of these application certificates, the associated user's privileges are granted.

4 Live Data Flow

The OPC DA server has traditionally been the live data provider for the WorkstationST application. After implementing the OPC UA feature, the OPC DA server is still required for its SDI server, which provides live data to the Recorder, Modbus®, GSM, the Alarm Scanner, and the WorkstationST Component Editor.

When the OPC UA feature is not enabled, EGD data is processed by the OPC DA server. When the OPC UA feature is enabled, the OPC UA server processes EGD-consumed exchanges and produces WorkstationST-owned EGD exchanges. The server then forwards the consumed exchanges to the OPC DA server through a Microsoft® WCF secure channel.

OPC UA client connections can be configured to add external OPC UA server variables to the OPC UA live namespace. These variables, as well as plug-in variables, are provided through a WCF live list with a periodic update. Plug-in variables are:

• Variables obtained by proxy
• Non-EGD variables obtained by an SDI connection to a controller
• OPC DA client connections to external OPC DA servers

Any variables configured in the WorkstationST Component Editor Variables tab are in the OPC DA or OPC UA server's namespace and can be cyclically moved to any other variable. When the OPC UA feature is enabled, variable mapping is performed by the OPC UA server; otherwise the mapping is performed by the OPC DA server. There is a configured rate at which the mapping occurs. The following rules apply:

• The destination variable must be writable.
• The data type must match between the source and the destination of each mapped variable.

Note Consumed EGD devices and external OPC DA and OPC UA servers can limit the rate at which writes are allowed to destination variables.


5 Historical Data Access

The OPC UA server namespace contains a variable named HistorianSource. HistorianSource is an enumerated integer type variable where a value of 0 = None, 1 = Recorder, and 2 = Historian. If the local WorkstationST computer has either the Recorder or Historian feature enabled, the HistorianSource variable allows an OPC UA client to control the source of the historical data for variables in the main server's namespace. For example, if the variable G1.TNH is collected in both the Recorder and the Historian, a client could set HistorianSource to Recorder so historical read requests would provide data from the Recorder. A default value for clients that do not want to write to HistorianSource can be configured. This allows clients to receive historical data from either the Recorder or the Historian without writing to HistorianSource.

5.1 External Historians

OPC HDA historian servers are configured on the OPC UA tab. Each external historian is given a name that is used as a prefix for each variable in the server.

When the OPC UA server starts, it attempts to use an OPC HDA client to obtain the list of variables in the external historian and add them to the OPC UA server namespace. Subsequent requests are sent to the external OPC HDA server.

5.2 Configure DCOM Settings

Note Refer to the WorkstationST OPC DA Server Instruction Guide (GEI-100621) and the WorkstationST OPC AE Server Instruction Guide (GEI-100624) for additional settings information.

The OPC UA server and the OSI PI OPC HDA server both run under the SYSTEM account by default. The Proficy Historian's OPC HDA server defaults to run under the interactive user account. When configuring the external historian connection in the OPC UA server settings, a client user is specified for access to the external historian. This same client user must be configured in the DCOM settings for the external historian OPC HDA server to allow the OPC UA server to communicate with the OPC HDA Server.


➢➢ To configure the PI OSI HDA server in DCOM

1. Run dcomcnfg.exe.

2. From the Component Services window, expand DCOM Config, right-click PI OSI HDA Server, and select Properties.

3. Configure the user account.

Note On 64-bit operating systems, the PI OPC HDA Server may not display in the list of DCOM configurable objects. To display the PI OSI DA Server and PI OSI HDA Server entries in dcomcnfg, run MMC /32 %windir%\syswow64\comexp.msc to open the 32-bit version of the DCOM Configuration utility. The entries will then display permanently.


4. From the Control Panel, double-click Administrative Tools, Services, and PI OPC HDA Server, then right-click and select Properties.

5. Log on to the server account.

From the Log On tab, select This account.

Enter the same User as the PI OSI HDA Server.

The OPC UA server’s OPC HDA client must be set to run under the same user.

➢➢ To configure the OPC UA server's OPC HDA client: from the WorkstationST Component Editor OPC UA tab, select an External Historian item and in the Property Editor enter the User Name and User Password.

Note There is no corresponding DCOM identity setting for the OPC UA server.

Once the remote PI HDA server and the OPC UA server are running under the same user, and the DCOM settings for both computers have been set, the OPC UA server displays variables from the PI server in the OPC UA Server tab Tree View under the External Historians item.

Note The initial retrieval of the variable namespace for an external server can take a couple of minutes. The namespace is populated after this initial retrieval.


The Proficy Historian HDA server must also be configured to run under the same user.

➢➢ To configure the Proficy Historian HDA server in DCOM

1. Run dcomcnfg.exe.

2. From the Component Services window, expand DCOM Config, right-click Proficy Historian HDA Server, and select Properties.

3. Configure the user account.

From the Identity tab, select This user.

The system account (services only) option cannot be selected.

It is recommended that this setting be configured as a valid Windows user. (Windows user must be a member of the administrators group.)

Note The Proficy OPC HDA Server does not run as a Service and does not require any user assignment in Services.
