
Brownfield OPCUA Devices

Configuration of Brownfield OPC UA

The Sterfive OPCUA Omni Edge Server can connect to existing ("brownfield") OPC UA servers on your network. This powerful feature allows you to integrate legacy systems into a modern infrastructure, effectively bridging the gap between old and new technologies.

A primary use case is to map complex or poorly structured data models from a legacy OPC UA server into a more modern, manageable, and standardized data model that you have defined in the Omni Edge Server.

Configuration File

You can configure connections to external OPC UA servers within the brownfieldDevices section of your main configuration file.

Configuration File Example

Each external OPC UA server is an entry in the opcuaConnections list under the brownfieldDevices section of your main configuration file.


# Configuration for Brownfield OPC UA

# a list of external OPC UA devices the server will be connected to
brownfieldDevices:
  opcuaConnections:
    # Example 1: Anonymous connection
    - name: LegacyMachine_S1
      endpointUrl: opc.tcp://opcuademo.sterfive.com:26541

    # Example 2: Connection with username and password
    - name: ProductionLine_S2
      endpointUrl: opc.tcp://opcuademo.sterfive.com:26541
      username: admin
      password: admin

    # Example 3: Secure connection with a specific security policy
    - name: SecureSystem_S4
      endpointUrl: opc.tcp://opcuademo.sterfive.com:26541
      username: admin
      password: admin
      securityMode: SignAndEncrypt
      securityPolicy: Basic256Sha256

Configuration Options

  • name: A unique, descriptive name for this specific OPC UA connection.
  • endpointUrl: The network address of the target OPC UA server.
  • username: (Optional) The username for authentication, if required by the server.
  • password: (Optional) The password for authentication, if required by the server.
  • securityMode: (Optional) The security mode for the connection. Defaults to None. Allowed values:
    • None (default)
    • Sign
    • SignAndEncrypt
  • securityPolicy: (Optional) The algorithm suite to use for secure communication. Defaults to None. Common policies include Basic256 and Basic256Sha256.

Security Best Practices

When connecting to external systems, security is paramount.

Securing Credentials with Environment Variables

To avoid storing sensitive information like passwords directly in the configuration file, you can use environment variables. The Omni Edge Server will substitute ${VARIABLE_NAME} with the value of the corresponding environment variable at runtime.

#...
    - name: SecureSystem_S4
      endpointUrl: opc.tcp://opcuademo.sterfive.com:26541
      username: ${OPCUA_S4_USERNAME}
      password: ${OPCUA_S4_PASSWORD}
      securityMode: SignAndEncrypt
      securityPolicy: Basic256Sha256

Security Policy

  short name               full name
  Basic256Rsa15            http://opcfoundation.org/UA/SecurityPolicy#Basic256Rsa15
  Basic256Sha256           http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

  V1.05:
  Aes128_Sha256_RsaOaep    http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep
  Aes256_Sha256_RsaPss     http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss
  PubSub_Aes128_CTR        http://opcfoundation.org/UA/SecurityPolicy#PubSub_Aes128_CTR
  PubSub_Aes256_CTR        http://opcfoundation.org/UA/SecurityPolicy#PubSub_Aes256_CTR

  obsolete:
  Basic128                 http://opcfoundation.org/UA/SecurityPolicy#Basic128
  Basic192                 http://opcfoundation.org/UA/SecurityPolicy#Basic192
  Basic192Rsa15            http://opcfoundation.org/UA/SecurityPolicy#Basic192Rsa15
  Basic128Rsa15            http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
  Basic256                 http://opcfoundation.org/UA/SecurityPolicy#Basic256
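As an added example (not part of the Sterfive documentation or of the Omni Edge Server code), the following Python script audits the opcuaConnections entries described in the Configuration Options and environment-variable sections above: it resolves ${VARIABLE_NAME} placeholders the way the page describes, and reports literal passwords, placeholders that reference unset variables, a securityMode of None, a Sign/SignAndEncrypt mode without a securityPolicy, and policies listed as obsolete in the table above. The connection entries are a constructed in-memory copy of the examples on this page (the YAML file itself is not parsed), and the function names are assumptions of this example.

```python
import re

# Short name -> full URI, taken from the Security Policy table on this page.
SECURITY_POLICIES = {
    "Basic256Rsa15": "http://opcfoundation.org/UA/SecurityPolicy#Basic256Rsa15",
    "Basic256Sha256": "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
    "Aes128_Sha256_RsaOaep": "http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep",
    "Aes256_Sha256_RsaPss": "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss",
    "PubSub_Aes128_CTR": "http://opcfoundation.org/UA/SecurityPolicy#PubSub_Aes128_CTR",
    "PubSub_Aes256_CTR": "http://opcfoundation.org/UA/SecurityPolicy#PubSub_Aes256_CTR",
    "Basic128": "http://opcfoundation.org/UA/SecurityPolicy#Basic128",
    "Basic192": "http://opcfoundation.org/UA/SecurityPolicy#Basic192",
    "Basic192Rsa15": "http://opcfoundation.org/UA/SecurityPolicy#Basic192Rsa15",
    "Basic128Rsa15": "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
    "Basic256": "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
}
# The "obsolete" group of the same table.
OBSOLETE_POLICIES = {"Basic128", "Basic192", "Basic192Rsa15", "Basic128Rsa15", "Basic256"}

# ${VARIABLE_NAME} placeholders, as substituted by the Omni Edge Server at runtime.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def substitute_env(value, env):
    """Replace every ${VAR} in value with env[VAR]; raise KeyError for an unset VAR."""
    def replace(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(name)
        return env[name]
    return PLACEHOLDER.sub(replace, value)


def audit_connection(conn, env):
    """Return a list of findings (strings) for one opcuaConnections entry."""
    findings = []
    name = conn.get("name", "<unnamed>")
    mode = conn.get("securityMode", "None")        # default stated on this page
    policy = conn.get("securityPolicy", "None")    # default stated on this page

    if mode == "None":
        findings.append(f"{name}: securityMode is None, so the secure channel is neither signed nor encrypted")
    elif mode not in ("Sign", "SignAndEncrypt"):
        findings.append(f"{name}: unknown securityMode {mode!r}")
    elif policy == "None":
        findings.append(f"{name}: securityMode {mode} requires a securityPolicy")
    elif policy not in SECURITY_POLICIES:
        findings.append(f"{name}: unknown securityPolicy {policy!r}")
    elif policy in OBSOLETE_POLICIES:
        findings.append(f"{name}: securityPolicy {policy} is listed as obsolete")

    for field in ("username", "password"):
        raw = conn.get(field)
        if raw is None:
            continue
        if PLACEHOLDER.search(raw):
            try:
                substitute_env(raw, env)
            except KeyError as exc:
                findings.append(f"{name}: {field} references unset environment variable {exc.args[0]}")
        elif field == "password":
            findings.append(f"{name}: password is stored as a literal in the configuration file")
    return findings


def audit_config(config, env):
    """Audit every entry under brownfieldDevices.opcuaConnections; returns {name: findings}."""
    connections = config.get("brownfieldDevices", {}).get("opcuaConnections", [])
    return {c.get("name", f"#{i}"): audit_connection(c, env) for i, c in enumerate(connections)}


# Constructed sample: the connections from the examples on this page, as a Python
# dict instead of YAML (SecureSystem_S4 in its environment-variable form).
SAMPLE_CONFIG = {
    "brownfieldDevices": {
        "opcuaConnections": [
            {"name": "LegacyMachine_S1", "endpointUrl": "opc.tcp://opcuademo.sterfive.com:26541"},
            {"name": "ProductionLine_S2", "endpointUrl": "opc.tcp://opcuademo.sterfive.com:26541",
             "username": "admin", "password": "admin"},
            {"name": "SecureSystem_S4", "endpointUrl": "opc.tcp://opcuademo.sterfive.com:26541",
             "username": "${OPCUA_S4_USERNAME}", "password": "${OPCUA_S4_PASSWORD}",
             "securityMode": "SignAndEncrypt", "securityPolicy": "Basic256Sha256"},
        ]
    }
}

if __name__ == "__main__":
    # Constructed environment: the password variable is deliberately left unset.
    env = {"OPCUA_S4_USERNAME": "operator"}
    for name, findings in audit_config(SAMPLE_CONFIG, env).items():
        for finding in findings:
            print(finding)
```

Run against the sample, the script reports the unsecured channel of LegacyMachine_S1, the literal password and unsecured channel of ProductionLine_S2, and the unset OPCUA_S4_PASSWORD of SecureSystem_S4; replacing `env` with `dict(os.environ)` turns it into a pre-deployment check of the real environment.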

Security Considerations

When configuring connections to OPC UA servers, ensure that you follow best practices for security:

  • Use secure endpoints (e.g., opc.tcp with appropriate security modes).
  • Use strong passwords and authentication methods.
  • Regularly update your configuration to reflect any changes in the OPC UA server's security settings.
  • Make sure that the omni-edge-server certificate is trusted by the OPC UA server you are connecting to, and that the server's certificate is trusted by the omni-edge-server. The latter is done by adding the server's certificate to the trust list of the omni-edge-server.
  • If you are using self-signed certificates, ensure that the certificate is properly configured and trusted by both the server and client.
  • If you are using a custom security policy, ensure that it is supported by both the server and client.
  • Regularly review and update your security settings to ensure compliance with best practices and organizational policies.

PKI

  • The omni-edge-server uses a Public Key Infrastructure (PKI) to manage the certificates used for secure communication with OPC UA servers.
  • The PKI is used to ensure that the certificates used for secure communication are trusted and valid.
  • The PKI is located in the pki directory of the omni-edge-server.
  • The PKI contains the following directories:
    • certs: contains the certificates used for secure communication.
    • private: contains the private keys used for secure communication.
    • trusted: contains the trusted certificates used for secure communication.
    • rejected: contains certificates that were presented by peers but are not trusted; a certificate stays here until it is moved to trusted.

Mapping at the connection level

You can also map the OPC UA connection to a specific data model by using the mapping property in the connection configuration. This allows you to define how the data from the OPC UA server should be represented in the Sterfive OPCUA Omni Edge Server.

  • source: The source node in the OPC UA server to bind.
  • destination: The destination node in the Sterfive OPCUA Omni Edge Server where the data will be bound.
  • samplingInterval: (Optional) The interval at which the data will be sampled from the source node.
  • type: The type of mapping to be applied (e.g., binding, replicate, copy) (see below for details).

# Configuration for Brownfield OPC UA with mapping
brownfieldDevices:
  opcuaConnections:
    - name: S1
      endpointUrl: opc.tcp://opcuademo.sterfive.com:26541
      username: ${OPCUA_USERNAME}
      password: ${OPCUA_PASSWORD}
      securityMode: SignAndEncrypt
      securityPolicy: Basic256Sha256
      mapping:
        - source: /di:DeviceSet/1:CoffeeMachineA/commercialKitchenEquipment:Parameters/commercialKitchenEquipment:BoilerTempWater
          destination: /1:ProcessValues/1:BoundVariable
          samplingInterval: 1000
          type: binding
        - source: /di:DeviceSet/1:CoffeeMachineA
          destination: /di:DeviceSet
          type: replicate
        - source: /di:DeviceSet/1:CoffeeMachineA/commercialKitchenEquipment:Parameters/commercialKitchenEquipment:BoilerTempWater
          destination: /1:ProcessValues
          type: copy
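As an added example (not part of the Sterfive documentation or of the Omni Edge Server code), the following Python script checks a mapping list of the shape shown above before it is deployed: it parses each source and destination browse path into (namespace, BrowseName) elements, rejects a type that is not one of binding, replicate or copy, and rejects a samplingInterval that is not a positive integer. The mapping entries are a constructed in-memory copy of the three entries above; the browse-path grammar assumed here (a leading "/" and "<namespace index or prefix>:<BrowseName>" per element) is inferred from those examples, and the function names are assumptions of this example.

```python
import re

# Mapping types named in the bullet list above.
MAPPING_TYPES = {"binding", "replicate", "copy"}

# One element of a browse path: "<namespace>:<BrowseName>", where the namespace is
# either a numeric index ("1") or a prefix such as "di" or "commercialKitchenEquipment".
ELEMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*|\d+):([^/]+)$")


def parse_browse_path(path):
    """Split "/di:DeviceSet/1:CoffeeMachineA" into [("di", "DeviceSet"), ("1", "CoffeeMachineA")]."""
    if not path.startswith("/"):
        raise ValueError(f"browse path must start with '/': {path!r}")
    elements = []
    for part in path[1:].split("/"):
        match = ELEMENT.match(part)
        if match is None:
            raise ValueError(f"malformed browse path element {part!r} in {path!r}")
        elements.append((match.group(1), match.group(2)))
    return elements


def validate_mapping(entries):
    """Return a list of error strings for a mapping list; an empty list means it is well-formed."""
    errors = []
    for index, entry in enumerate(entries):
        for key in ("source", "destination"):
            if key not in entry:
                errors.append(f"mapping[{index}]: missing {key}")
                continue
            try:
                parse_browse_path(entry[key])
            except ValueError as exc:
                errors.append(f"mapping[{index}]: {exc}")
        mapping_type = entry.get("type")
        if mapping_type not in MAPPING_TYPES:
            errors.append(f"mapping[{index}]: type must be one of {sorted(MAPPING_TYPES)}, got {mapping_type!r}")
        interval = entry.get("samplingInterval")
        # OPC UA sampling intervals are expressed in milliseconds; bool is excluded because it subclasses int.
        if interval is not None and (isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0):
            errors.append(f"mapping[{index}]: samplingInterval must be a positive integer (ms), got {interval!r}")
    return errors


# Constructed sample: the three mapping entries from the configuration above.
BOILER = ("/di:DeviceSet/1:CoffeeMachineA/commercialKitchenEquipment:Parameters"
          "/commercialKitchenEquipment:BoilerTempWater")
SAMPLE_MAPPING = [
    {"source": BOILER, "destination": "/1:ProcessValues/1:BoundVariable",
     "samplingInterval": 1000, "type": "binding"},
    {"source": "/di:DeviceSet/1:CoffeeMachineA", "destination": "/di:DeviceSet", "type": "replicate"},
    {"source": BOILER, "destination": "/1:ProcessValues", "type": "copy"},
]

if __name__ == "__main__":
    print(validate_mapping(SAMPLE_MAPPING))
    # A misspelled type (constructed) is reported instead of being silently ignored.
    print(validate_mapping([{"source": BOILER, "destination": "/di:DeviceSet", "type": "replicat"}]))
```

A check of this kind is worth running in CI on the configuration file, since a misspelled mapping type or a malformed browse path otherwise only shows up as a missing value at runtime.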