OPC UA Client Interface Reference

Experion HS
Release 511
OPC UA Client Interface Reference

EHDOC-X523-en-511A
August 2019
DISCLAIMER
This document contains Honeywell proprietary information. Information
contained herein is to be used solely for the purpose submitted, and no part of
this document or its contents shall be reproduced, published, or disclosed to a
third party without the express permission of Honeywell International Sàrl.
While this information is presented in good faith and believed to be accurate,
Honeywell disclaims the implied warranties of merchantability and fitness for
a purpose and makes no express warranties except as may be stated in its
written agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or
consequential damages. The information and specifications in this document
are subject to change without notice.
Copyright 2019 - Honeywell International Sàrl
2
Contents
CONTENTS
Contents 3
Chapter 1 - Planning considerations for OPC UA controllers 5
OPC UA Client support 6
Devices supported by the OPC UA Client interface 9
Other documentation for OPC UA Client 9
Architectures for OPC UA Client 9
Single connection to an OPC UA Server 10
Dual LAN connection to an OPC UA Server 10
Communication settings for OPC UA Client 11
Chapter 2 - OPC UA channel and controller reference 13
Main properties for an OPC UA channel 14
Advanced properties for an OPC UA channel 15
Main properties for an OPC UA controller 16
Security properties for an OPC UA controller 18
Advanced properties for an OPC UA controller 19
About time synchronization on OPC UA Client 20
About behavior of redundant communication links 20
Optimizing OPC UA Client scanning performance 20
Chapter 3 - OPC UA points reference 25
Defining an OPC UA address for a point parameter 26
Address syntax for OPC UA controllers 26
Address syntax for OPC UA methods 31
Configuring communication with an OPC UA Server 33
Chapter 4 - OPC UA security reference 37
Generating Experion OPC UA Client certificates 38
3
Contents
Configuring a third-party OPC UA server certificate 40

Configuring an OPC UA controller to use OPC UA certificates 41
Configuring the username and password for OPC UA controllers 42
Chapter 5 - Troubleshooting OPC UA Client issues 45
Testing OPC UA Server communications with the server 46
Troubleshooting OPC UA point configuration errors 52
Notices 53
4
CHAPTER
1 PLANNING CONSIDERATIONS FOR

OPC UA CONTROLLERS
This reference provides the information you need to set up, configure, and
test OPC UA controller communications with the Experion server.
For information about Experion integration with ControlEdge PLC, see the
ControlEdge PLC Interface Reference.
Revision history
Revision Date Description
A August 2019 Initial release of document.
How to use this guide

Complete each step before commencing the next step.
Step Go to
Set up the OPC UA controllers, OPC UA l Documentation supplied by the third-

server and network party OPC UA server manufacturer
l "Architectures for OPC UA Client" on
page 9
l "Configuring communication with an OPC
UA Server" on page 33
Use Quick Builder to define OPC UA l "OPC UA channel and controller
channels and controllers reference" on page 13
l "Building controllers or channels" in the
Quick Builder User’s Guide
Download channel and controller definitions "Downloading items" in the Quick Builder User’s
to the Experion server Guide
Use Quick Builder to define points l "OPC UA points reference" on page 25
l "Building and configuring points" in the
Quick Builder User’s Guide
5
Chapter 1 - Planning considerations for OPC UA controllers
Step Go to
Test communications "Testing OPC UA Server communications with

the server" on page 46
OPC UA Client support

The Experion OPC UA Client supports the following OPC UA features:
Secure connection
The Experion server optionally supports secure connection in the
communication with an OPC UA server by using Sign or Sign And Encrypt
message modes with certificates. To establish a secure connection between
the OPC UA Client and an OPC UA server, you need to generate an OPC
UA Client certificate, export the OPC UA server certificate, and configure the
URLs of the OPC UA server on the Experion server. For more information,
see "OPC UA security reference" on page 37.
User authentication
The Experion server supports the username/ password authentication to
identify itself to the OPC UA server. The anonymous authentication is another
option if the OPC UA server supports it.
Attribute Service Set

The Experion server supports Read and Write service requests to read and
write variables in an OPC UA server.
Method Service Set

The Experion server supports OPC UA method calls to issue simple controls
to the OPC UA server.
An OPC UA method call is invoked whenever a control (write) is issued to the
parameter which has the destination address configured as the OPC UA
method.
For detailed information about the OPC UA method address configuration,
see "Address syntax for OPC UA methods" on page 31.
6
Subscription and MonitoredItem Service Set

The Experion server supports the Subscription and MonitoredItem Service
Set to subscribe to variable data changes.
The Experion server supports setting dead band filters for numeric values.
Data types
The Experion server supports the following OPC UA data types:
OPC UA
String
Data Analog Point Status Point Analog UDSP1 Status UDSP
UDSP
Type
Double Scan and Scan and Control Scan and Scan and Control Not
Control Control supported
No bit wise No bit wise
extraction extraction
Float Scan and Scan and Control Scan and Scan and Control Not
extraction extraction
Int16 Scan and Scan and Control Scan and Scan and Control Not
Cannot control the Cannot control the
upper 16 bit of upper 16 bit of
value for bit wise value for bit wise
control control
Cast to double extraction Cast to double extraction
precision precision
UInt16 Scan and Scan and Control Scan and Scan and Control Not
1UDSP stands for user-defined scanned parameter. For more information, see "About user-
defined scanned parameters" in the Quick Builder User’s Guide.
7
OPC UA
String
Data Analog Point Status Point Analog UDSP1 Status UDSP
UDSP
Type
Control Cannot control the Control Cannot control the supported

upper 16 bit of upper 16 bit of
value for bit wise value for bit wise
control control
Cast to double extraction Cast to double extraction
precision precision
Byte Scan and Scan and Control Scan and Scan and Control Not
Signed Scan and Scan and Control Scan and Scan and Control Not
Byte Control Control supported
Boolean Scan and Scan and Control Scan and Scan and Control Not
Can only write Can only write

value of 1 or 0 value of 1 or 0
String Not supported Not supported Not supported Not supported Scan
only, up
to 64
bytes
Date Scan only Not supported Scan only Not supported Not
Time supported
Need format of Need format of
DATETIME DATETIME
Displayed in Displayed in
local time zone local time zone
of the Experion of the Experion
server server
1UDSP stands for user-defined scanned parameter. For more information, see "About user-
defined scanned parameters" in the Quick Builder User’s Guide.
8
Devices supported by the OPC UA Client

interface
The Experion OPC UA Client supports direct connection to any third-party
OPC UA server supporting v1.03 version of the OPC UA Standard, with
binary transport over TCP. To integrate with the ControlEdge PLC using
OPC UA, see the ControlEdge PLC Interface Reference.
Secure connections are supported using the OPC UA standard security.
Other documentation for OPC UA Client

You should study the OPC UA Specification before configuring the OPC UA
Client. You can download the document from the OPC Foundation's Website,
http://www.opcfoundation.org.
If you are using a third-party OPC UA server, read the documentation from
the OPC UA server manufacturer before attempting to connect to the
Experion server.
The following Honeywell documents complement this guide. You can
download Honeywell documentation from the
http://www.honeywellprocess.com/support website.
n ControlEdge PLC Interface Reference

n Quick Builder User’s Guide
n Server and Client Configuration Guide
n Supplementary Installation Tasks Guide
Architectures for OPC UA Client

The server supports both single and redundant (dual LAN) communications
through Ethernet connections to the OPC UA server.
The topologies described below consider only the network connection
between the Experion server and OPC UA server. In all cases where the type
of Server supports Server Redundancy, the same topology is supported with
Server Redundancy but the redundant server is not shown to simplify the
topology diagrams.
ATTENTION: The maximum number of OPC UA Client connections

(OPC UA controllers connected) that can be configured on a single OPC
UA channel are listed below. Each Experion server can be configured
9
with multiple OPC UA channels.
l 100 OPC UA controllers per channel with the "Redundant

channel" option enabled.
l 200 OPC UA controllers per channel with the "Redundant
channel" option disabled.
Single connection to an OPC UA Server

A single Ethernet connection is connected to the OPC UA server.
Figure 1-1: Single connection to an OPC UA server
Dual LAN connection to an OPC UA Server

In a dual LAN topology, each LAN is configured with a different network
subnet and each LAN is on a separate physical network.
In this topology, data communications from the OPC UA server will default to
the Link A Endpoint URL of the OPC UA server that was defined in the
controller configuration in Experion. Only a diagnostic is sent down to the
other link to maintain the status indication of the inactive link. If the active link
fails, data is polled from the other link until it fails. You can manually enable
and disable each link from the Controller Detail display in Station.
Figure 1-2: Dual LAN connection to an OPC UA server
10
Communication settings for OPC UA Client

Communication between the Experion OPC UA Client and the OPC UA
server can be secured using OPC UA Security. To support secure
communications between the Experion server and the OPC UA server, both
the Experion server and OPC UA server need a certificate issued by a
certificate authority trusted by both.
For information about how to configure secure connections, see "Configuring
communication with an OPC UA Server" on page 33.
11
12
CHAPTER
2 OPC UA CHANNEL AND

CONTROLLER REFERENCE
This section describes the configuration and addressing information specific
to OPC UA channels and controllers.
In this section:
Main properties for an OPC UA channel 14

Advanced properties for an OPC UA channel 15
Main properties for an OPC UA controller 16
Security properties for an OPC UA controller 18
Advanced properties for an OPC UA controller 19
About time synchronization on OPC UA Client 20
About behavior of redundant communication links 20
Optimizing OPC UA Client scanning performance 20
13
Chapter 2 - OPC UA channel and controller reference
Main properties for an OPC UA channel

The Main tab defines the basic properties for an OPC UA channel.
(missing or bad snippet)
Property Description
Name The unique name of the channel. A maximum of 10 alphanumeric characters

(no spaces or double quotes).
NOTE: In Station displays, underscores ( _ ) will be replaced with

spaces.
Description (Optional) A description of the channel. A maximum of 132 alphanumeric

characters, including spaces.
Associated The Tag Name of the Asset to be associated with the OPC UA server.
Asset
For more information, see “Assigning access to system alarms” in the Server
and Client Configuration Guide.
Diagnostic The period, in seconds, between diagnostic scans that verify communications
Scan Rate integrity with the OPC UA server. The default value is 60 seconds.
The diagnostic scans continue even if an OPC UA channel is marked as failed,

thus enabling the system to detect return-to-normal communications.
Read The time, in seconds, the server waits for a response from the OPC UA server
Timeout before aborting the request and marking the request as an error. The default
value is 10 seconds. To ensure most rapid possible reconnection after a
redundant OPC UA server failover, Read Timeout should be configured only
slightly longer than a read is normally expected to succeed based on the
capabilities of the network between the server and the OPC UA server.
Redundant Enable this check box if using a dual LAN topology.
Channel
For more information, see "About behavior of redundant communication links"
on page 20.
Item Type The type of channel specified when this item was created.
Last The date and time the channel properties were modified.
Modified
Last The date and time the channel was last downloaded to the server.
Downloaded
Item The unique item number currently assigned to this channel, in the format
Number CHNcccc, where cccc is the channel number.
14
You can change the Item Number if you need to match your current server
database configuration. The number must be between 0001 and the maximum
number of channels allowed for your system. For more information about
setting the maximum value, see the topic titled "Adjusting sizing of non-licensed
items" in the Supplementary Installation Tasks Guide. Note that the maximum
number of channels that may be used in a system is defined in the Experion
specification for that Experion release, This number is likely to be less than the
maximum number that can be configured in the database as shown in
"Adjusting sizing of non-licensed items."
Advanced properties for an OPC UA channel

The Advanced tab defines the optional advanced properties for an OPC UA
channel. You only need to configure the advanced properties if the reserved
namespaces are insufficient for addressing OPC UA nodes in the OPC UA
server.
Property/Action Description
Namespaces The table lists the abbreviations and the associated namespace URIs to be
used for OPC UA node addressing.
The default Namespaces are listed in the table in non-editable rows. For
example, the default abbreviations include OPCUA, PLC, PLCFB, SVRURI,
UA_DI, and MDIS.
Add Add a namespace abbreviation that does not conflict with the default
abbreviations along with the associated full namespace URI.
You can add a maximum of 8 namespace abbreviations. The user defined

abbreviation entries are listed below the default abbreviations.
TIP:
l You can define a maximum of 6 alphanumeric characters with
no space for each abbreviation. The namespace URI is case
sensitive.
l The total length of the namespace URIs combined cannot
exceed 300 characters.
l The namespace abbreviation should not be only digits as that
may be confused with Namespace Array Index in OPC UA
node addresses.
15
Property/Action Description
Delete Delete the selected user defined namespace entry from the table.
Main properties for an OPC UA controller

The Main tab defines the basic properties for an OPC UA controller.
For information about how to create a controller, see "Building controllers and
channels" in the Quick Builder User’s Guide.
Name The unique name of the controller. A maximum of 10 alphanumeric characters

(no spaces or double quotes).
Description (Optional) A description of the controller. A maximum of132 alphanumeric
characters, including spaces.
Associated The Tag Name of the Asset to be associated with the controller.
Asset
For more information, see "Assigning access to system alarms" in the Server
and Client Configuration Guide.
Channel The name of the OPC UA channel on which the OPC UA controller
Name communicates with the server.
NOTE: You must have already defined an OPC UA channel for it to

appear in this list.
Marginal The communications alarm marginal limit at which the controller is declared to
Alarm Limit be marginal. When this limit is reached, a high priority alarm is generated.
To change the priority of the alarm system wide, see "Configuring system
alarm priorities" in the Server and Client Configuration Guide. To change the
priority of the alarm for one controller, see "About configuring custom system
alarm priorities for an individual channel or controller" in the Server and Client
Configuration Guide.
A controller barometer monitors the total number of requests and the number
of times the controller did not respond or response was incorrect. The
barometer increments by two or more, depending on the error, and
decrements for each valid response received within the read timeout.
The default value is 5 .

Fail Alarm The communications alarm fail limit at which the controller is declared to be
Limit
16
failed. When this barometer limit is reached, an urgent alarm is generated and
Experion attempts to reconnect to the OPC UA server at the diagnostic rate
configured on the assigned OPC UA channel.
To change the priority of the alarm system wide, see "Configuring system
alarm priorities" in the Server and Client Configuration Guide. To change the
priority of the alarm for one controller, see "About configuring custom system
alarm priorities for an individual channel or controller" in the Server and Client
Configuration Guide.
Typically, set this to double the value specified for the controller Marginal Alarm
Limit.
The default value is 10 .
NOTE: For redundant OPC UA servers and/or dual LAN

configurations, it is recommended to not increase this limit arbitrarily as
it will impact the time taken for the connection to return to normal when
the active subscription link fails to communicate with the OPC UA
server.
Dynamic Select the Dynamic Scanning check box to enable dynamic scanning of all point
Scanning parameters on this controller. The default setting for this check box is selected.
Fastest Define the fastest possible scan period (in seconds) that dynamic scanning will
Scan Period scan point parameters on this controller. The default is 1 second.
The dynamic scanning period does not affect the static scanning rate for a
parameter. For example, if the scanning rate for a parameter is 10 seconds,
and the dynamic scanning rate for the controller is 15 seconds, the parameter
will still be subscribed to scan at a period of 10 seconds.
Link A Provide the OPC UA server endpoint URL, which is typically in the format Host
Endpoint IP Address:Port Number . For example,10.2.3.15:4840 . It can also be in the
URL format Host Name:Port Number:Addition Text, as required to address the OPC
UA server endpoint URL.
Link B
Endpoint If the Redundant Channel option is enabled on the assigned OPC UA channel,
URL the Link B Endpoint URL will be visible for redundant communications link.
Item Type The type of controller specified when this item was created.
Last The date and time the controller properties were modified.
Modified
17
Last The date and time the controller was last downloaded to the server.
Downloaded
Item The unique item number currently assigned to this controller, in the format
Number RTUnnnnn .
You can change the Item Number if you need to match your current server
database configuration. The number must be between 00001 and the
maximum number of controllers allowed for your system.
For more information about setting the maximum value, see the topic titled
"Adjusting sizing of non-licensed items" in the Supplementary Installation
Tasks Guide.
Note that the maximum number of controllers that may be used in a system is
defined in the Experion specification for that Experion release, This number is
likely to be less than the maximum number that can be configured in the
database as shown in "Adjusting sizing of non-licensed items."
Security properties for an OPC UA controller

The Security tab defines the security properties for an OPC UA controller.
Security The message security mode for the OPC UA connection.

Mode
Valid values are:
l Sign and Encrypt (default) - Messages are signed and encrypted.
l Sign Only - Messages are signed only.
l None - The OPC UA connection has no security configured.
TIP: If Sign and Encrypt or Sign Only is selected, a message appears stating
that certificates must be installed to use the security mode. For information
about how to install the certificates, see "OPC UA security reference" on
page 37.
Security The security policy for the OPC UA connection. A Security Level must be selected if
Level Sign and Encrypt or Sign Only security mode is used.
NOTE: This selection must match the security policy of the certificate that
18
associates with the target OPC UA server.
Valid values are:
l High Security (BASIC256 SHA-256) (default) - Uses SHA256 for the

signature digest and 256-bit Basic as the message encryption algorithm.
l Medium-High Security (BASIC256) - Uses 256-bit Basic as the message
encryption algorithm.
l Medium Security (BASIC128 RSA-15) - Uses RSA-15 as the key wrap
algorithm and 128-bit Basic as the message encryption algorithm.
TIP: This field is disabled if the Security Mode is set to None .
Login The login type for the OPC UA connection.

Type
Valid values are:
l Anonymous (default) - Anonymous login.
l Username - Username/password login.
TIP: If Username is selected, the username and password must be specified

using the rtucredentials utility on the server. For more information, see
"Configuring the username and password for OPC UA controllers" on
page 42.
For more information about the security model for OPC UA, see "OPC UA
Specification Part 2: Security Model" and "Practical Security
Recommendations for Building OPC UA applications" from the
OPC Foundation website http://www.opcfoundation.org.
Advanced properties for an OPC UA controller

The Advanced tab defines the advanced properties for an OPC UA controller.
Use the OPC UA If selected, any alarm raised as a result of a value change from the
server timestamp OPC UA server should be raised with the time sent by the OPC UA
when raising alarms server with the value change (the source field time).
19
The default value is checked .

Use the "Last Usable If selected, either "Uncertain_NoCommunicationLastUsable" or
Value" substatus to "Uncertain_LastUsableValue" OPC UA quality on a value update
indicate a value as should be treated as a stale value in Experion.
stale
The default value is not selected .
Relative Path Prefix Enter a browse style address to a given OPC UA node in the OPC
UA server, that will be the base node from which Relative Browse
Node addresses on scanned point parameters will be resolved.
This may be used, for example, if there is a node in the address space
which contains all the nodes of interest for this OPC UA controller,
and it is desirable to have shorter addresses on the points.
For more information about the relative path syntax, see "BNF
definition" in the OPC UA Specification.
About time synchronization on OPC UA Client

Time synchronization is critical when you use the OPC UA Client interface to
process value updates. The OPC UA Client can be configured to use the
OPC UA server time stamp when raising alarms in the Experion server.
You must configure NTP over TCP/IP or a similar time synchronization
mechanism to synchronize the clocks on the OPC UA server and the
Experion server.
About behavior of redundant communication links

Enable the redundant communication links to the OPC UA server by checking
the Redundant Channel option when configuring the OPC UA Channel.
Subscriptions, reads, and controls are sent on only one enabled link as the
active link. Diagnostic requests are sent on each enabled link. The link used
for the subscriptions will not change until the active link fails according to the
configured Fail barometer limit on the OPC UA controller configuration. The
subscription will also change links if the user manually disables the active link
on the channel or controller.
Optimizing OPC UA Client scanning performance

Use the following tips to optimize the scanning performance for
communications to the OPC UA server:
20
n Reduce the number of different scan periods configured across points on

the same OPC UA controller. This will reduce the number of different
subscriptions for data changes that need to be maintained with the OPC
UA server.
n Configure longer scan periods. This will also reduce the communications
and processing load on both the OPC UA server and the Experion server.
If communications bandwidth is restricted to the OPC UA server, then the drift
deadband configured on Analog points can be configured in Quick Builder to
reduce the number of value updates that are reported back from the OPC UA
server. The deadband is applied both to the subscription to the OPC UA
server, and also to Experion point processing. Therefore, it is important that
the deadband only be configured and downloaded from Quick Builder to
ensure these remain aligned.
The deadband applied in the subscription to the OPC UA server is an
absolute deadband with the calculation applied from the drift deadband %,
which is dependent on the point parameter being scanned according to the
following table (where UDSP is “user-defined scanned parameter”):
Point Scanned
Range to use for calculating OPC UA Server subscription deadband
type parameter
Analog SP, PV, The "0% Range Value" and "100% Range Value" configured for the
A1, A2, point. Use the drift deadband configuration on the point for percentage
A3, A4 calculations.
Status PV, OP No drift deadband.
Analog OP 0 - 100 range is always applied for calculating deadband for OP
parameter.
All UDSP — Use the EUHI/EULO configured for the UDSP.
Numeric
All UDSP — No drift deadband.
Status
All MD No drift deadband.
ATTENTION:
l If multiple points address the same address in the OPC UA server,
it is highly recommended that the same drift deadband is applied
on all of these points. If a different drift deadband is configured, the
smallest deadband of all points will be used for the deadband sent
21
to the OPC UA server. When processing the points, the Experion

will always apply the deadband that applies to the individual point.
l Any drift deadband configuration changes must be made by
downloading from Quick Builder to ensure that both the OPC UA
subscription and Experion point processing deadbands remain
aligned. Changing the EUHI, EULO or deadband percentage
directly from Station may result in unexpected behavior, such as
updates not being processed.
l When monitoring the scanning performance from the point detail
display, note that the Last Scanned Time parameter shows the
timestamp applied by the OPC UA server when the value change
was sent back to the Experion server. The Last Processed Time
shows the time applied by the server when the value was last
processed. It is expected that there will be some delay between
the Last Scanned Time and the Last Processed Time due to OPC
UA protocol publish mechanism, and other expected
communication and processing latency.
When a channel is downloaded there are some parameters created on the

$CHANNELxxxx system point (where xxxx is the zero padded channel
number) that can be assigned to history and added to a trend to monitor the
communications performance.
NOTE: For OPC UA channels, the read/write statistics relating to

bandwidth consumption, such as Bytes/Sec statistics are NOT valid.
The following parameters are valid and can be used to monitor performance
of the communications channel:
Combined channel LinkA specific LinkB specific Comment
CNQLength Queue of
controls
(writes) to be
written to the
OPC UA
server.
RequestsPerSec RequestsPerSecLinkA RequestsPerSecLinkB Count of
requests and
value change
callbacks being
processed per
second.
22
RequestsPerSecA RequestsPerSecAvgLin RequestsPerSecAvgLin Average count

vg kA kB of requests and
value change
callbacks being
processed per
second.
RequestsPerSecM RequestsPerSecMaxLin RequestsPerSecMaxLin Maximum
ax kA kB count of
requests and
value change
callbacks being
processed per
second.
RequestsPerSecMi RequestsPerSecMinLink RequestsPerSecMinLink Minimum count
n A B of requests and
value change
callbacks being
processed per
second.
ResponseTime ResponseTimeLinkA ResponseTimeLinkB Response time
in milliseconds.
ResponseTimeAvg ResponseTimeAvgLinkA ResponseTimeAvgLinkB Average
response time
in milliseconds.
ResponseTimeMax ResponseTimeMaxLink ResponseTimeMaxLink Maximum
A B response time
in milliseconds.
ResponseTimeMin ResponseTimeMinLinkA ResponseTimeMinLinkB Minimum
response time
in milliseconds.
LnkATotalRequests LnkBTotalRequests Request count
on channel
detail display.
LnkATotalErrors LnkBTotalErrors Error count on
channel detail
display
23

LnkAPercentErrors LnkBPercentErrors Error
percentage on
channel detail
display
LnkABarCount LnkBBarCount Communicatio
ns barometer
count on
channel detail
display.
ATTENTION:
l A communication's channel trace on an OPC UA channel does not
contain data sent or received over the wire to the OPC UA server.
If there is a requirement to analyze communication's traffic, 3rd
party network monitoring tools such as Wireshark must be used in
place of the communication's trace.
l The Channel Marginal and Fail limits are intentially set to 0 as all
communications is via TCP/IP connection which is logically
maintained per controller, not per channel. Increasing the
controller marginal and fail limits from their defaults, may
negatively impact the recovery of communications after
communication failures are resolved or upon a redundant link
failover.
l Wireshark is a registered trademark of the Wireshark Foundation
(https://www.wireshark.org/about.html.)
You verify your scanning strategy by using the List Scan utility, lisscn , to
inspect the list of OPC UA Node IDs you have built. For more information
about the lisscn utility, see "lisscn" in the Server and Client Configuration
Guide.
24
CHAPTER
3 OPC UA POINTS REFERENCE
This section describes how to configure points for an OPC UA controller using
Quick Builder.
In this section:
Defining an OPC UA address for a point parameter 26

Configuring communication with an OPC UA Server 33
25
Chapter 3 - OPC UA points reference
Defining an OPC UA address for a point

parameter
For PV Source Address, Source Address, and Destination Address, the format
for an OPC UA address is:
ControllerName FullAddress
Part Description
ControllerName The name of the OPC UA controller.

FullAddress The address within the controller where the value is stored. For more
information, see "Address syntax for OPC UA controllers" below.
For help when defining an address, click next to Address to display

Address Builder.
Address syntax for OPC UA controllers

The format for an OPC UA controller address is:
T nsabrv D address (Optional)[Array Index]
[B:b|W:w|DataFormat]
Part Description
T Specifies the address type of the OPC UA controller.
There are three address types supported, valid values are:
l N = The Node ID address type. The Node ID namespace

nsabrv, data type D, and ID address specify the address.
l B = The address type is a Browse Name from the root of the
OPC UA information model. Full browse path to a node is
provided in the address.
For more information about the BrowsePath syntax, see "BNF
definition" in the OPC UA Specification.
l R = The address type is a relative path address. It is a Browse
Name relative from base node defined for the OPC UA
controller. Use the base node defined at controller level as
starting point.
nsabrv (Only applicable to address type N.) Specifies the namespace
abbreviation for the node being addressed in the OPC UA server
address space. The namespace abbreviation must be one of the
26
Part Description
default or user added abbreviations defined in the Advanced tab for
the OPC UA channel. It can also be a numeric value to reference the
namespace index in the OPC UA server directly.
D (Only applicable to address type N.) Specifies the Node ID data type,
the value is a single letter which can be:
l N = The Node ID data type is a numeric value.
l S = The Node ID data type is a string.
l G = The Node ID data type is a GUID, in this case the GUID

must be in the OPC UA format. For example, 64d63324-79f5-
4b0b-ab2d-766a0fc4bef4 .
address The format of address is dependent on the address type and Node
ID data type.
The maximum string length for address field is 255 characters.
For more information about the syntax of the Node ID for different
variable types, refer to the T and D part descriptions above.
(Optional) [Array (Optional) Specifies the address is an array element for a Node ID
Index] that has the value of an array. The Array Index must be in the format
of [index], e.g., [10]. Index must be between 0 to the maximum value
of signed 32 bit integer.
TIP: A space is required between the address and the [Array

Index].
[B:b|W:w|DataFormat] Specifies the optional Bit number extraction (b), the Bit field width
(w), or Data Format which specifies a scaled or unscaled, system or
user defined, data format to apply scaling to the value from the OPC
UA server.
To use B and W in addressing, note the following rules:
l For source addresses only, b must be 0 – 31, w must be 1 – 32.

l Only the data types listed in the table below are supported for
the Bit field, and the correct data format must be provided for
each data type:
27
Part Description
Bit field data types Data format required
BYTE, SINT, USINT HALFWD

INT, UINT, WORD WORD
DINT, UDINT, DWORD U32B
l Writes to Bit field in DINT, UDINT, or DWORD data type

variables are not supported for bits in the upper word (16 bits)
of the value.
For more information on supported data formats, see "Unscaled data
formats" on the facing page and "Data formats for scaling" on the
facing page.
If you want to use a user-defined data format, you must define the
format on the server. For more information, see "About user-defined
data formats" in the Server and Client Configuration Guide.
Sample address
l Server Namespace Array Index, addressing Numeric Node ID:

N 0 N 2255
l Variable Node in OPC UA Server URI namespace with a string

identifier of @GV.CNTLR_CPUFREE:
N SVR S @GV.CNTLR_CPUFREE
l Variable Node in OPC UA Server URI namespace with a GUID

identifier of d2f53a46-77f3-407b-afba-24f1d3ea3cbc:
N SVR G d2f53a46-77f3-407b-afba-24f1d3ea3cbc
l Relative browse path address:

R /3:GlobalVars/1:zStaticINT32ArrayVar [6]
l Full browse path address:

B
/0:Objects/2:DeviceSet/4:PLCConfiguration/3:Reso
28
urces/4:eclrRes/3:GlobalVars/EDGPLC:zStaticINT32
Var
Unscaled data formats

Data Format Description
WORD Whole word

HALFWD Upper half word
REAL Native real (float)
INT4 Native int4 (signed int)
DBLE Native dble (double)
C16 16-bit counter
C3BCD 3-digit BCD 0–999 counts
C4BCD 4-digit BCD 0–9,999 counts
C8BCD 8-digit BCD 0–99,999,999 counts
IEEEFP IEEE Floating Point (Big Endian)
IEEEFPL IEEE Floating Point (Little Endian)
INT2 Native int2 (signed short)
IEEEFPBB Byte-swapped Big Endian float
IEEEFPLB Byte-swapped Little Endian float
S32BB 32-bit signed binary Big Endian
U32BB 32-bit unsigned binary Big Endian
S32B 32-bit signed binary
U32B 32-bit unsigned binary
FENUM Enumerated integer
REVWD Reverse word
Data formats for scaling

You can scale point parameter values to the range of the PV with a scaled
data format. Select the format that corresponds to the counts that have been
29
set in the controller register.
Data Format1 Counts in Controller Register
U1023 0–1,023 (U=unsigned)

U4095 0–4,095
U9999 0–9,999
S9999 –9,999–9,999 (S=signed)
U999 0–999
U3BCD 3 digit BCD 0–999
U4BCD 4 digit BCD 0–9999
U6BCD 6 digit BCD 0–999,999
U8BCD 8 digit BCD 0–99,999,999
UBCD16 4 digit BCD 0–4,095
UBCD12 3 digit BCD 0–410
U16B 16 bit unsigned binary
S16B 16 bit signed binary
E3BCD 3 digit BCD with error status
U100 0 to 100 percent
SLC_AI A-B SLC Analog Input 3,277–16,384
SLC_AO A-B SLC Analog Output 6,242–31,208
U9998 0–9,998 for Square D AI
S8B 8 bit signed binary
D9999 double integer for A-B QCL
U16B0TO20MA 16 bit unsigned binary 0 mA–20 mA
1S = Signed, U = Unsigned
30
Data Format1 Counts in Controller Register
U16B4TO20MA 16 bit unsigned binary 4 mA–20 mA

U16B0TO5V 16 bit unsigned binary 0 V–5 V
S32BS 32 bit signed binary
U32BS 32 bit unsigned binary
S32BSB 32 bit signed binary Big Endian
U32BSB 32 bit unsigned binary Big Endian
ATTENTION: If auxiliary parameters have a data format type that requires scaling
(U4095, U999, and so on), they take the same range as the PV.
Address syntax for OPC UA methods

An OPC UA method is called whenever a control (write) is issued to the
parameter which has the destination address configured as the OPC UA
method. For Destination Address, the format for an OPC UA method address
is:
MT nsabrv D address method [arguments]
ATTENTION:
l The OPC UA method address is only valid for a parameter's
destination address.
l The OPC UA method address defined refers to the Method
Context Object Node, not the Method itself. For more information,
see "Method NodeClass" in the OPC UA Specification.
l If the OPC UA method call fails, it is treated as a control failure.
1S = Signed, U = Unsigned
31
Part Description
MT Specifies the address type of the OPC UA method.
There are three address types supported, valid values are:
l MN = The Node ID address type. The Node ID namespace nsabrv, data

type D, and ID address specify the address.
l MB = The address type is a Browse Name from the root of the OPC UA
information model. Full browse path to a node is provided in the address.
For more information about the BrowsePath syntax, see "BNF definition"
in the OPC UA Specification.
l MR = The address type is a relative path address. It is a Browse Name
relative from the base node defined for the OPC UA controller. Use the
base node defined at controller level as the starting point.
nsabrv (Only applicable to address type MN.) Specifies the namespace abbreviation for
the node being addressed in the OPC UA server address space. The
namespace abbreviation must be one of the default or user added abbreviations
defined in the Advanced tab for the OPC UA channel. It can also be a numeric
value to reference the namespace index in the OPC UA server directly.
D (Only applicable to address type MN.) Specifies the Node ID data type, the
value is a single letter which can be:
l N = The Node ID data type is Numeric.

The address is a validated numeric value.
l S = The Node ID data type is String.
The address is the string Node ID
l G = The Node ID data type is GUID.
GUID must be in the OPC UA format. For example, 64d63324-79f5-
4b0b-ab2d-766a0fc4bef4 .
address The format of address is dependent on the address type and Node ID data type.
The maximum string length for address field is 73 characters.
For address types MB and MR, an optional namespace abbreviation is followed

by : (colon), then is followed by the browse name, and then is followed by /
(forward slash) to separate from the next browse name. If the optional
namespace is not provided then the browse path is followed without specifying
a namespace.
method Specifies the Browse Name of the method. The Browse Name is used to
32
Part Description
identify the method that is referenced by the Method's Context Object Node. It's
value contains two elements: name and namespace index/abbreviations.
For example, MDIS:EnableDisable .

[arguments] Specifies the arguments to be passed to the method when the method is called
by the OPC UA Client.
Note the following rules:
l Each method can support either no arguments with a changing value, or a

single argument with a changing value (control value).
l Each method can have more than one argument with fixed values.
l The arguments are limited to OPC UA numeric scalar data types, such as
UInt16, UInt32, UInt64, Int16, Int32, Int64, Double, Float, Boolean (value
is either TRUE or FALSE), Byte, and ByteString.
l You can set the arguments with fixed values. To set with a fixed value, the
fixed value should be enclosed within () (brackets). For example, Double
(6.2) .
l Each method can have only one argument set as the control value being
written in the point parameter.
For example, Double(6.2) Double Double(3.0) . This method has 3
arguments of data type Double , Argument 1 is set with the fixed value 6.2 ,
Argument 2 is set with the control value Double , Argument 3 is set with
the fixed value 3.0 .
Configuring communication with an OPC UA

Server
This section describes how to set up communications between the Experion
server and an OPC UA server.
Prerequisites
n You have logged on to Configuration Studio using an account with
engineer or manager privileges, and you have connected to the Experion
server.
n You have logged on to Station using an account with manager privileges.
33
To configure an OPC UA channel and controller

1. From Configuration Studio, choose Control Strategy > SCADA Control >
Build Channels to launch Quick Builder.
2. From the Channels section within the Library, drag and drop the OPC UA
Channel item into the List View.
3. Configure the channel in the properties tabs.
For more information, see "Main properties for an OPC UA channel" on
page 14 .
4. Click to download the channel to the server database.

5. From the Controllers section within the Library, drag and drop the OPC
UA Controller item into the List View.
6. Configure the controller in the properties tabs, and make sure the
following properties are specified:
l In the Main tab, from the Associated Asset list, select an asset.
The selected asset is assigned to all points on this controller with the
default Integration Mappings.
l In the Security tab, in the Security Mode field, select Sign Only or Sign
and Encrypt from the drop-down list.
l In the Security tab, in the Security Level field, select High Security
(BASIC256 SHA-256) from the drop-down list.
For more information, see "Main properties for an OPC UA controller" on
page 16 .
7. Click to download the controller to the server database.
To configure a secure connection to the OPC UA

server
1. Generate OPC UA Client certificates using the Experion Server
Certificate Utility.
For more information, see "Generating Experion OPC UA Client
certificates" on page 38.
2. Export the OPC UA server certificate and download the OPC UA Client
certificate to the Experion server.
For more information, see "Configuring a third-party OPC UA server
certificate" on page 40.
34
3. Configure the OPC UA controller to use the OPC UA Client certificate

and the OPC UA server certificate for the secure connection.
For more information, see "Configuring an OPC UA controller to use OPC
UA certificates" on page 41.
4. (Optional) Configure the username and password for the OPC UA
controller if required.
For more information, see "Configuring the username and password for
OPC UA controllers" on page 42.
35
36
CHAPTER
4 OPC UA SECURITY REFERENCE
This section describes how to configure a secure connection between the

Experion OPC UA Client interface and an OPC UA server.
In this section:
Generating Experion OPC UA Client certificates 38

Configuring a third-party OPC UA server certificate 40
Configuring an OPC UA controller to use OPC UA certificates 41
Configuring the username and password for OPC UA controllers 42
37
Chapter 4 - OPC UA security reference
Generating Experion OPC UA Client certificates

You can use the Experion Server Certificate Utility to generate OPC UA
Client certificates. This section describes how to generate an Experion OPC
UA Client certificate for a secure connection to an OPC UA server. In a
redundant server system, you need to generate an OPC UA Client certificate
for each primary and secondary Experion server.
Prerequisite
You have logged on to the Experion server using a Windows account that is a
member of the Product Administrators group.
To generate a client certificate as the OPC UA Client

certificate
1. On the Experion server, open a Command Prompt window.
2. Type certtool to start the Certificate Management utility.
3. Type 1 to select option 1. Certification Authority operations.
4. Type 1 to select option 1. Create a new certificate and private key pair .
5. Type 1 to select option 1. Client.
6. Type a file name for the client certificate with the suffix .crt.
7. Type a file name for the client private key with the suffix .key.
8. Type a pass-phrase for the private key and confirm.
9. Type Y at the confirmation prompt if the certificate and key are being
created for use on this computer, then skip to step 13. Otherwise type N to
continue with the next step.
10. Type the computer name of the Experion server.
TIP: This is the actual computer name of the Experion server, not
the base name.
11. Type the DNS suffix of the Experion server.
TIP: Type local if no DNS suffix configured on the Experion server.
12. Type the IP address of the Experion server.

13. Type the URI of the certificate.
38
TIP: If URI is unknown, type urn:<hostname> where the hostname

is the computer name of the Experion server.
The Experion OPC UA Client certificate, .crt file, is generated.

14. From the Windows Certificate Viewer, double-click the generated .crt file
to review the certificate details.
TIP: Check the Details tab and the value of Subject Alternative
Name . The Subject Alternative Name value should contain the
expected hostname, URI, DNS suffix, and IP address(es).
To extract the CA certificate for the OPC UA Client

certificate
4. Type 3 to select option 3. Get this CA's certificate .
5. Type a file name for the CA certificate with the suffix .crt.
TIP: Make sure the CA certificate's file name is different from the
client certificate's file name created in "To generate a client
certificate as the OPC UA Client certificate " on the previous page.
To extract the CA Certificate Revocation List (CRL) for

the OPC UA Client certificate
4. Type 4 to select option 4. Get this CA's CRL .
5. Type a file name for the CA CRL with the suffix .crl.
39
ATTENTION:
l The Certificate Management utility certtool exports certificates and

CRLs in the Base-64 Encoding PEM format. It requires the input
certificates to be in the Base-64 Encoding PEM format. It requires
the input private key file to be in the Base-64 Encoding PKCS#8
PEM format.
l In a redundant server system, you need to generate an OPC UA
Client certificate for each primary and secondary Experion server.
l For Experion servers running Backup Control Center (BCC), you
need to generate an OPC UA Client certificate for each primary
and backup Experion server.
l Do not re-use a client certificate and key pair on more than one
Experion server. Due to the server name and IP address
differences, each server needs its own client certificate and key
pair.
Configuring a third-party OPC UA server

certificate
This section describes how to configure the OPC UA server's certificate on a
third-party OPC UA server.
Prerequisites
n You have confirmed that the third-party OPC UA server is compatible with
the Experion OPC UA Client.
n You have connected the third-party OPC UA server to the Experion
server.
To configure a third-party OPC UA server certificate

1. Use the third-party OPC UA server's configuration utility to download the
client certificate, client CA certificate, and client CA's CRL from the
Experion server to the OPC UA server.
2. Configure the OPC UA server certificate.
3. Export the OPC UA server certificate configured to the Experion server.
For detailed instructions, see the third-party OPC UA server's documentation.
40
Configuring an OPC UA controller to use OPC UA

certificates
This section describes how to configure an OPC UA controller to use the
OPC UA Client certificate and the OPC UA server certificate.
Prerequisite
You have logged on to the Experion server using a Windows account that is a
member of the Product Administrators group.
To configure an OPC UA controller to use the OPC UA

Client certificate
2. Type certtool to start the Certificate Tool utility.
3. Type 2 to select option 2. Channel and Controller certificate configuration .
4. Type 1 to select option 1. Store Certificate .
5. Type 1 to select option 1. Client.
6. Type the controller number of the OPC UA controller.
TIP: Type 0 if you use the same OPC UA Client certificate for all
OPC UA connections. If you are prompted for entering a channel
number to use the same OPC UA Client certificate for a single
OPC UA channel, you can type 0 to use the same OPC UA Client
certificate for all OPC UA channels.
7. Type 1 to select option 1. Certificate and Private Key.

8. Type the OPC UA Client certificate file name that was created in step 1 in
"Generating Experion OPC UA Client certificates" on page 38.
9. Type the OPC UA Client private key file name that was created in step 1
in "Generating Experion OPC UA Client certificates" on page 38.
10. Type the pass-phrase for the OPC UA Client private key that was created
in step 1 in "Generating Experion OPC UA Client certificates" on page 38.
41
To configure the OPC UA controller to use the OPC UA

server certificate
2. Type certtool to start the Certificate Tool utility.
3. Type 2 to select option 2. Channel and Controller certificate configuration .
4. Type 1 to select option 1. Store Certificate .
5. Type 2 to select option 2. Server .
6. Type the controller number of the OPC UA controller.
7. Type 1 to select option 1. Certificate .
8. Type the OPC UA server certificate file name that was exported from the
OPC UA server, see in "Configuring a third-party OPC UA server
certificate" on page 40.
ATTENTION:
l In a redundant server system, you need to configure OPC UA

certificates for the OPC UA controller on each primary and secondary
Experion server.
l For Experion servers running Backup Control Center (BCC), you
need to configure OPC UA certificates for the OPC UA controller on
each primary and backup Experion server.
Configuring the username and password for OPC

UA controllers
This section describes how to configure the username and password if the
OPC UA server requires the username/password session authentication.
Prerequisites
n On the OPC UA controller Security tab, the login type has been set to
Username .
n You have logged on to the Experion server using a Windows account that
is a member of the Local Engineers group.
42
To configure the username and password for an OPC

UA controller
2. Type rtucredentials to start the RTU Credentials utility.
3. Type the Controller number of the OPC UA controller.
4. Type the Username configured on the OPC UA server.
5. Type the Password configured on the OPC UA server.
43
44
CHAPTER
5 TROUBLESHOOTING OPC UA
CLIENT ISSUES
This section describes troubleshooting tasks for OPC UA Client that you can
perform either on the server or from any Station.
In this section:
Testing OPC UA Server communications with the server 46

Troubleshooting OPC UA point configuration errors 52
45
Chapter 5 - Troubleshooting OPC UA Client issues
Testing OPC UA Server communications with the

server
The first indication of an issue with communications to a field device using the
OPC UA server is that the error count on the Controller (and Channel) Detail
display will begin rising with the request count.
To help diagnose the cause of the errors, view the Experion HS Server Log
(HLV application) for errors being logged on the channel.
Adding an include filter for pascn*rtu*N where N is the OPC UA server of
interest will filter the diagnostic log for error messages related to the OPC UA
server of interest.
The following sections contain common examples of messages and their root
cause.
Unknown NodeID defined as source address

Log messages similar to the following example indicate that an unknown
NodeID defined as a source address. You can filter on the bold and italic text
to show just these messages.
24-Feb-17 11:37:14.1081 ( -1 16728 11804 T00000000)

pascn.exe:OPCUATransaction.cpp:987: COPCUATransaction::
ProcessDataValue (rtu=50, link=0, tid=2) .. AddressId 1: Node Id unknown
(uStatus=0x80340000)
24-Feb-17 11:37:14.1091 ( -1 16728 11804 T00000000)
pascn.exe:OPCUATransaction.cpp:990:
COPCUATransaction::ProcessDataValue..NodeId : Type=String,
Value='Demo.Static.Scalar.NonExistent', NamespaceIndex=2
To resolve:
Correct the address configuration in Configuration Studio. In this example,
correct the address of which the Value is currently configured to
Demo.Static.Scalar.NonExistent as in the second log message above.
Incorrect drift deadband defined for NodeID with non-

numeric value (date or string)
Log messages similar to the following example indicate that incorrect drift
deadband defined for NodeID with non-numeric value. You can filter on the
46
bold and italic text to show just these messages.
24-Feb-17 11:45:20.5111 ( -1 16728 11804 T00000000)

pascn.exe:OPCUATransaction.cpp:3585: COPCUATransaction[rtu=50, link=0,
tid=116]::ProcessCreateMonitoredItemsResp () .. ItemId 2: Node Id does not
support numeric deadband filter (StatusCode=0x80450000)
24-Feb-17 11:45:20.5111 ( -1 16728 11804 T00000000)
tid=116]::ProcessCreateMonitoredItemsResp () .. NodeId : Type=Numeric,
Value=2257, NamespaceIndex=0
Or if drift deadband was added after the first download:
24-Feb-17 11:50:22.4464 ( -1 16728 11804 T00000000)

tid=194]::ProcessModifyMonitoredItemsResp () .. ItemId 12 Server Handle 1: Node
Id does not support numeric deadband filter (StatusCode=0x80450000)
24-Feb-17 11:50:22.4464 ( -1 16728 11804 T00000000)
tid=194]::ProcessModifyMonitoredItemsResp () .. NodeId : Type=Numeric,
Value=2257, NamespaceIndex=0
To resolve:
For the address configured to these NodeIDs, ensure that a 0 deadband is
configured on the point configuration in Configuration Studio, and re-
download any points for which the deadband is changed.
NodeID value is an array and array index is not

specified in source address
Log messages similar to the following example indicate that a NodeID value is
an array and array index is not specified in source address. You can filter on
the bold and italic text to show just these messages.
24-Feb-17 11:47:57.2062 ( -1 16728 11804 T00000000)
47
COPCUATransaction::ProcessDataValue (rtu=50, link=0, tid=159) .. AddressId 1:
Node Id is an array value but address is not configured with an array index
24-Feb-17 11:47:57.2062 ( -1 16728 11804 T00000000)
COPCUATransaction::ProcessDataValue .. NodeId : Type=String,
Value='Demo.Static.Arrays.Int32', NamespaceIndex=2
To resolve:
1. Correct the address for any points with the Value as given in the second
log message above.
2. Ensure the Array Index of the address is configured according to the
address configuration.
3. Ensure there is a space between the NodeID and the Array Index.
4. Re-download any points for which the address is changed.
NodeID value is an array and array index is out of

array range
an array and array index is out of array range. You can filter on the bold and
italic text to show just these messages.
24-Feb-17 13:25:50.9307 ( -1 16728 11804 T00000000)

Node Id configuration has invalid array index (uStatus=0x80370000)
24-Feb-17 13:25:50.9307 ( -1 16728 11804 T00000000)
Value='Demo.Static.Arrays.UInt32', NamespaceIndex=2 ArrayIndex=100
To resolve:
1. Correct the address for any points with the Value as given in the second
log message above.
2. Ensure the Array Index of the address is configured within the range of
48
the array in the OPC UA server.

3. Re-download any points for which the address is changed.
NodeID value is a structured type or not a base type

variable
a structured type or not a base type variable. You can filter on the bold and
italic text to show just these messages.
24-Feb-17 11:53:13.1112 ( -1 16728 11804 T00000000)

Node Id has unsupported data type (22)
24-Feb-17 11:53:13.1112 ( -1 16728 11804 T00000000)
Value='Demo.Static.Scalar.CarExtras', NamespaceIndex=2
To resolve:
Correct the data type for any NodeIDs with the Value as given in the second
log message above.
TIP:
l Experion OPC UA Client supports node addresses in base

types only. The OPC UA server must therefore represent the
elements of structured types as individual nodes, so the address
configured should be a full element within the structure.
l If a global variable named MYSTRUCT is an instance of a
structured data type, and that data type has a REAL element
RealValue , then the FullAddress should be: N EDGPLC S
@GV.MYSTRUCT.RealValue.
l Trying to configure an address with just N EDGPLC S
@GV.MYSTRUCT will not be readable to the Experion server
because it does not identify the element in the structure.
49
Runtime errors
Log messages similar to the following example indicate that no response was
received from the OPC UA server within the READ timeout configured for the
channel. You can filter on the bold and italic text to show just these messages.
24-Feb-17 11:57:32.9062 ( -1 20168 4028 T00000000)

Unable to read value (uStatus= 0x80890000 )
24-Feb-17 11:57:32.9062 ( -1 20168 4028 T00000000)
Value='/ObjectsFolder/MyFolder/Quality_BadConfigError', NamespaceIndex=1
To resolve:
n Change the PADLL paranoid on pascn.exe to 11 , put the point to off-scan

and then on-scan .
n For the uStatus value that is provided on the first log message above,
further information is available by looking at the descriptive text provided
by the OPC Foundation for OPC UA Status Codes
(https://opcfoundation.org/UA/schemas/1.02/Opc.Ua.StatusCodes.csv.)
Client certificate/client private key/server certificate is

not configured for the controller
Log messages similar to the following example indicate that the connection to
the controller has failed due to the client certificate, client private key, or server
certificate not configured for the controller. You can filter on the bold and italic
text to show just these messages.
26-Apr-18 10:57:35.9371 ( -1 11932 4520 T00000000)

pascn.exe:systemservices.h:354: CSystemServices::GetCertificateData (nRtu=54)
.. failed to get server certificate data
26-Apr-18 10:57:35.9371 ( -1 11932 4520 T00000000)
pascn.exe:OPCUARtu.cpp:851: COPCUARtu::SetupSecurityContext(rtu=54,
link=0) .. failed to get certificate data
To resolve:
50
1. Run certtool and select the option to show certificates that have been
configured for the controller.
2. Find out which certificate/key file is missing from the following list:
l Server certificate: server.cer
l Client certificate: client.cer
l Client private key: client.key
l (Optional) Client certification authority certificate: client.ca.cer
l (Optional) Client certification authority CRL: client.ca.crl
l (Optional) Server certification authority certificate: server.ca.cer
l (Optional) Server certification authority CRL: server.ca.crl
3. Use certtool to store the missing certificate/key on the controller. For more
information, see "Configuring an OPC UA controller to use OPC UA
certificates" on page 41.
Client certificate/server certificate is not correct

the controller has failed due to the incorrect client certificate or server
certificate. You can filter on the bold and italic text to show just these
messages.
26-Apr-18 11:15:30.1067 ( -1 11932 4520 T00000000)

pascn.exe:OPCUARtu.cpp:2509: COPCUARtu::ProcessResponse (rtu=54,
Type=3, nLink=0) .. error encountered when processing of transaction (TID=47)
action RAConnect, uStatus=0x80130000
To resolve:
n Check the OPC UA server's certificate configuration and ensure the client
certificate is configured for access on the OPC UA server.
n For the uStatus value that is provided on the log message above, further
information is available by looking at the descriptive text provided by the
OPC Foundation for OPC UA Status Codes
(https://opcfoundation.org/UA/schemas/1.02/Opc.Ua.StatusCodes.csv.)
Username/password is not correct

the controller has failed due to the incorrect user name or password. You can
51
filter on the bold and italic text to show just these messages.
27-Apr-18 15:28:41.2932 ( -1 33380 37872 T00000000)

COPCUATransaction::ProcessActivateSessionResp (rtu=4, link=0, tid=28) ..
service invoke failed (uStatus=0x80210000 )
27-Apr-18 15:28:41.3522 ( -1 33380 25736 T00000000)
pascn.exe:OPCUARtu.cpp:2538: COPCUARtu::ProcessResponse(rtu=4,
Type=3, nLink=0) .. error encountered when processing of transaction (TID=28)
action RAActivateSession, uStatus=0x80210000
To resolve:
Use rtucredentials to correct the username/password configuration. For more
information, see "Configuring the username and password for OPC UA
controllers" on page 42.
Troubleshooting OPC UA point configuration

errors
Point configuration errors appear when you download the OPC UA points
from Quick Builder to the Experion server.
Cause
Most typically, the cause is an invalid address for the OPC UA server.
Solution
Confirm the address for the OPC UA server is correct. For more information,
see "Defining an OPC UA address for a point parameter" on page 26.
52
Notices
NOTICES
Trademarks
Experion®, PlantScape®, and SafeBrowse® are registered trademarks of
Honeywell International, Inc.
Other trademarks
Microsoft and SQL Server are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
Trademarks that appear in this document are used only to the benefit of the
trademark owner, with no intention of trademark infringement.
Third-party licenses
This product may contain or be derived from materials, including software, of
third parties. The third party materials may be subject to licenses, notices,
restrictions and obligations imposed by the licensor. The licenses, notices,
restrictions and obligations, if any, may be found in the materials
accompanying the product, in the documents or files accompanying such third
party materials, in a file named third_party_licenses on the media containing
the product, or at http://www.honeywell.com/ps/thirdpartylicenses.
Documentation feedback
You can find the most up-to-date documents on the Honeywell Process
Solutions support website at: http://www.honeywellprocess.com/support
If you have comments about Honeywell Process Solutions documentation,
send your feedback to: hpsdocs@honeywell.com
Use this email address to provide feedback, or to report errors and omissions
in the documentation. For immediate help with a technical problem, contact
your local Honeywell Technical Assistance Center (TAC).
How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software
defect or weakness that can be exploited to reduce the operational or security
capabilities of the software.
53
Notices
Honeywell investigates all reports of security vulnerabilities affecting

Honeywell products and services.
To report a potential security vulnerability against any Honeywell product,
please follow the instructions at:
https://honeywell.com/pages/vulnerabilityreporting.aspx
Support
For support, contact your local Honeywell Process Solutions Customer
Contact Center (CCC). To find your local CCC visit the website,
https://www.honeywellprocess.com/en-US/contact-us/customer-support-
contacts/Pages/default.aspx.
Training classes
Honeywell holds technical training classes that are taught by process control
systems experts. For more information about these classes, contact your
Honeywell representative, or see http://www.automationcollege.com.
54

OPC UA Client Interface Reference

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

OPC UA Client Interface Reference

Uploaded by

Copyright:

Available Formats

Experion HS

OPC UA Client Interface Reference

Configuring a third-party OPC UA server certificate 40

1 PLANNING CONSIDERATIONS FOR

A August 2019 Initial release of document.

How to use this guide

Set up the OPC UA controllers, OPC UA l Documentation supplied by the third-

Test communications "Testing OPC UA Server communications with

OPC UA Client support

Attribute Service Set

Method Service Set

Subscription and MonitoredItem Service Set

Control Cannot control the Control Cannot control the supported

Can only write Can only write

Devices supported by the OPC UA Client

Other documentation for OPC UA Client

n ControlEdge PLC Interface Reference

Architectures for OPC UA Client

ATTENTION: The maximum number of OPC UA Client connections

with multiple OPC UA channels.

l 100 OPC UA controllers per channel with the "Redundant

Single connection to an OPC UA Server

Figure 1-1: Single connection to an OPC UA server

Dual LAN connection to an OPC UA Server

Figure 1-2: Dual LAN connection to an OPC UA server

Communication settings for OPC UA Client

2 OPC UA CHANNEL AND

Main properties for an OPC UA channel 14

Main properties for an OPC UA channel

Name The unique name of the channel. A maximum of 10 alphanumeric characters

NOTE: In Station displays, underscores ( _ ) will be replaced with

Description (Optional) A description of the channel. A maximum of 132 alphanumeric

The diagnostic scans continue even if an OPC UA channel is marked as failed,

Advanced properties for an OPC UA channel

You can add a maximum of 8 namespace abbreviations. The user defined

Main properties for an OPC UA controller

Name The unique name of the controller. A maximum of 10 alphanumeric characters

NOTE: You must have already defined an OPC UA channel for it to

The default value is 5 .

The default value is 10 .

NOTE: For redundant OPC UA servers and/or dual LAN

Security properties for an OPC UA controller

Security The message security mode for the OPC UA connection.

l Sign and Encrypt (default) - Messages are signed and encrypted.

l Sign Only - Messages are signed only.

l None - The OPC UA connection has no security configured.

associates with the target OPC UA server.

Valid values are:

l High Security (BASIC256 SHA-256) (default) - Uses SHA256 for the

TIP: This field is disabled if the Security Mode is set to None .

Login The login type for the OPC UA connection.

l Anonymous (default) - Anonymous login.

l Username - Username/password login.

TIP: If Username is selected, the username and password must be specified

Advanced properties for an OPC UA controller

The default value is checked .

About time synchronization on OPC UA Client

About behavior of redundant communication links

Optimizing OPC UA Client scanning performance

n Reduce the number of different scan periods configured across points on

to the OPC UA server. When processing the points, the Experion

When a channel is downloaded there are some parameters created on the

NOTE: For OPC UA channels, the read/write statistics relating to

Combined channel LinkA specific LinkB specific Comment