OPC UA TCP

Jump to Section

The OPC UA TCP Connection connects to an OPC UA server and supports browsing, reading and writing. The connection supports built-in and complex UA types, Alarms & Events, and Methods. Below are details on the connection, input, and output settings and supported features.

Connection Settings

Host, Port and Path

These settings control the IP address or hostname for the OPC UA Server, it’s port, and the path. The path is informational only and not used as part of the connection.

Mode

The connection supports two modes; Subscribe or Poll.

Subscribe is the default mode, and recommended for most cases. In this mode, a single subscription is created to monitor data changes for all tags. The server sends the data changes on each Subscription Rate interval. The changes are cached locally in the connection, and reads pull from this cache. This mode works with both polled and event based data flows. Polled flows read from the cache, and event flows are triggered any time there is a data change for a tag.

In Polled mode, all reads are performed on-demand, meaning an explicit read is sent to the server asking for the current tag values. Depending on the server, this can make it harder for the server to optimize communications to the device, and generally is not recommended. This mode also does not work with event based data flows.

Subscription Rate

This setting only applies for Subscribe mode, and controls how often the subscription reports data changes for tags. This is also the default tag scan rate used by the OPC UA server to monitor tags. Data is received from the OPC UA server no faster than this rate.

Security

Level of security required by the OPC UA Sever. Valid options are None, Basic256Sha256-Sign and Basic256Sha256-SignEncrypt.

Security Policy: None

The Intelligence Hub supports the ability to turn off security as allowed by the OPC UA specification. In this mode, all communication is no encrypted (public) and not signed (unverified).

Security Policy: Basic256Sha256-Sign and Basic256Sha256-SignEncrypt

When security is enabled for the connection (Sign or SignEncrypt), the Intelligence Hub behaves as follows:

  1. Automatically creates an application instance certificate the first time it is run (named app-certificate-private-key).

  2. Connects to servers using asymmetric security algorithms encryption to securely exchange public keys and create a secure connection.

  3. Signs or Signs and Encrypts all requests before sending it to the server.

  4. Decrypts (if applicable) and verifies the signature of all responses coming from the server.

The first time the Intelligence Hub makes a secure connection to any OPC UA server, you will need to Trust the Intelligence Hub application certificate where the server is installed. Consult your OPC UA server documentation for instructions.

Authentication Type

The level of authentication required by the OPC UA Server. Valid options are Anonymous and Username-Basic256.

Setting Description
Anonymous No user credentials are passed as part of the connection.
Username_Basic256 Username and password are required and sent during the connection using Basic256 encryption defined by the OPC UA specification.

We recommend using a minimum of Basic256Sha256–Sign along with username/password authentication for all OPC UA communications.

Setting Description
Client Certificate Select the certificate used for secure communication with the OPC UA server. By default, an auto-generated certificate name app-certificate-private-key is used.
Connection Timeout Maximum time to wait for a connection to be established. Valid range is 1–60 seconds.
Request Timeout Maximum time to wait for a connection to respond. Valid range is 100–60000 milliseconds.
Max Items Per Read Specifies the number of items that can be read each attempt. Increasing this value can add performance improvements to connections that have to read hundreds or thousands of items each time. However, increasing this value can also introduce stress onto the OPC UA server.
Max Items Per Write Specifies the number of items that can be written each attempt. See performance considerations for the read setting above.
Session Name Specifies the session name that is supplied to the server during session creation. When left blank, the product URN is used.

Input Settings

Inputs have a number of types to read different data from the UA server. The types are summarized in the table. Some input types can be used in polled or event based data flows, and others can only be used in polled data flows.

The settings and details for each type are described below.

Type Description Data Flow Support
Tag Reads the value for a single OPC UA tag/node. Polled & Event
Collection Reads a collection of tags that can exist in any part of the OPC UA address space. Polled Only
Branch Browses and reads all child nodes of the specified node in the OPC UA address space. Polled Only
Method Calls a Method using optional input parameters and optionally receive method result data from the OPC UA server. Polled Only
Event Subscribes to a node in the UA server and to receives alarms and events. Polled & Event

Inputs support all built-in UA types, as well as custom structures and enumerated types (i.e. ExtensionObject in the UA specification).

For ExtensionObject types the UA server must include the schema definition in a DataType Dictionary in accordance to the OPC UA 1.03 specification or older. DataTypeDefinitions (1.04+) are not yet supported.

Type: Tag

A Tag input is used to read a single tag.

Setting Description
Namespace Index Numeric index of the namespace the identifier belongs to.
Identifier Type Specifies the type of data used in the identifier field. This can be set to String or Numeric. This is not the data type of the value associated with this OPC UA input.
Identifier Specifies the identifier used to reference the OPC UA input.
Sampling Interval Specifies the rate that the input should be monitored (read) for change. By default, this value is zero, which uses the subscription rate set on the connection. Set this value to something slower than the connection’s subscription rate to sample less frequently (down sample). Setting this value to something faster than the connection’s subscription rate will be clamped to the subscription rate (over sampling is not supported).
Include Metadata When enabled the OPC UA input includes metadata in the read. The metadata includes the timestamp, quality, and tag name of the input.

Type: Collection

A Collection is a read of one or more tags that can exist anywhere in the OPC UA address space. The result is returned as a complex object containing all the tag names and their values.

Each tag in the collection has the following settings. Use the Find button to browse for tags to add to the collection.

Setting Description
Name The name of the tag in the collection. When the collection is read the resulting read is in name: <value> format.
Tag NamespaceIndex, Identifier Type, and Identifier are the same as the Tag type settings.

The collection has the following additional settings.

Type Description
Ignore Bad Quality When enabled, if some tags in the collection are bad quality, those tags are omitted from the result. When disabled, if any tag in the collection is bad the read fails.

Type: Branch

A Branch input is a read on a branch node in the OPC UA server that returns the nodes children.

Below is an example of an OPC UA hierarchy and the result Branch read value.

// OPC UA Branch structure
- rootBranch
    - childBranch1
        - tag1
        - tag2
    - childBranch2
        - tag1

// The result of the read in JSON
"rootBranch": {
    "childBranch1": {
        "tag1": 100,
        "tag2": "hello world",
    },
    "childBranch2": {
        "tag1": 1.2
    }
}
Setting Description
Branch The root node for the branch. NamespaceIndex, Identifier Type, and Identifier are the same as the Tag type settings.
Max Branch Depth Limits the depth of the resulting read. For example, if set to 2 and a branch has 4 levels of hierarchy, only tags in the first 2 levels of hierarchy are read.
Cache Interval Controls how often the input browses the OPC branch to detect changes, like new tags being added or removed. On the first branch read the input browses up to Max Branch Depth and caches the tags and addresses. Subsequent reads use the cache to issue reads for efficiency. After the cache interval expires, the cache is cleared and the input re-browses, picking up any changes made to the branch. Changing the input configuration or saving the connection will also clear the cache.
Ignore Bad Quality When enabled, if some tags in the branch are bad, those tags are omitted from the result. When disabled, if any tag in the branch is bad the read fails.

Type: Method

Method inputs execute an OPC UA Method in the server. Methods can take arguments and return values. It is recommended to use the browse feature to find and configure method inputs.

Setting Description
Parent Object The parent node that has the method. NamespaceIndex, Identifier Type, and Identifier are the same as the Tag type settings.
Method The node identifier for the method. NamespaceIndex, Identifier Type, and Identifier are the same as the Tag type settings.
Input Arguments Defines one or more input arguments to pass to the method. Each argument has a value and data type. The value can be a static value or a reference. If the data type is set to Auto, the value is converted to the data type required by the method. Otherwise, set the data type to the method input argument data type. The name and description fields are optional, and are not sent to the OPC server.
Output Arguments OPC UA methods can return one of more output arguments. This setting allows you to assign each argument a name.

Method Output Arguments Example

If a method returns two values and no output arguments are defined the read result looks as follows.

json 
{
	"outputArguments": {
		"output0": 0,
		"output1": 0
	}
}

If two output arguments are defined “myArg1” and “myArg2” the result looks as follows.

json 
{
	"outputArguments": {
		"myArg1": 0,
		"myArg2": 0
	}
}

Type: Event

Event inputs subscribe to Alarms and Events for a node, and allow configuration of what attributes are returned as part of the event.

Note the input does not request a refresh on the first read, and will not return the current state of conditions. The first read subscribes to the node with the event filter, and only returns a result when a new event is generated in the server.

The Find feature for the Attribute Filter setting browses the OPC UA server for all event and condition types, and available attributes.

Setting Description
Tag/Node The node to monitor for alarms and events. For example, this could be the Server node, in which case all events are subscribed to for the server. NamespaceIndex, Identifier Type, and Identifier are the same as the Tag type settings.
Attribute Filter The list of attributes to subscribe to for the event. This directly controls what data the event can return. If the event contains the attribute, it’s included in the payload, otherwise it’s omitted.

Attribute Filter Examples

By default, when there are no attributes in the filter, the input subscribes to the base EventId, SourceName, Severity, Time, Message, ConditionName, and Retain attributes. EventId is converted to a GUID if possible. Below is an example read result from the default filter.

json 
{
  "eventId": "18a12e4c-40f1-9f46-924b-d62bd3deab21",
  "sourceName": "ExclusiveLevelAlarmTrigger",
  "severity": 800,
  "time": "2024-03-15T17:51:09.448Z",
  "message": "Exclusive level alarm active in LowLow",
  "conditionName": "ExclusiveLevelAlarm",
  "retain": true
}

Now assume the Find feature is used to find Event/Condition types and select only the EventId, SourceName, and MyCustomAttribute attributes for the filter. The read result looks follows. Note MyCustomAttribute is not in the event data, so it’s ignored.

json 
{
  "eventId": "18a12e4c-40f1-9f46-924b-d62bd3deab21",
  "sourceName": "ExclusiveLevelAlarmTrigger"
}

Output Settings

OPC UA outputs support writing to single tag or a branch. When writing to a branch, the out tries to match the write data to the OPC UA branch address space. Below is an example of how this mapping works.

Outputs do not support writing to complex structures at this time.

// Example payload being written to OPC UA Output
{
    "branch1": {
        "tag1": 1,
        "branch2": {
            "tag2": 2,
            "branch3": {
                "tag3": 3
            } 
        }
    }
}

// Example OPC UA branch structure. In this example the payload's branch1.branch2.tag value maps to the branch and is 
// written. tag1 and tag3 do not map and are ignored. 
- branch1
    - branch2
        - tag2
        - branch3

Namespace Index, Identifier Type, and Identifier

The tag or root node the output writes to.

Data Type

The data type used for the write. OPC UA is generally very strict on matching the data type of the server and this option provides control over this from the client side. The following options exists:

  • Auto: The client will browse or read the UA Server tags data type before the write and attempt to convert the write value to the UA Server required value. This option is often used when writing complex data to a branch
  • Implicit: The client will use the data type of the value being written.
  • Boolean, String, etc: Use this data type for the write.

If the output cannot convert that write type to the type specified by this setting, the write will fail and output an error to the logs.

Max Branch Depth

When writing to a branch, the output first does a browse to get the tags for the branch. This setting controls how deep the browse will traverse. From the above example, if the Max Branch Depth was set to 1, tag2 would not be browsed and written to, and would instead be ignored.

Cache Interval

Like the branch reads setting, this controls how often the browse cache is refreshed to detect changes in the branch.

Named Root

When disabled, the payload is mapped to the OPC UA server’s branch structure as expected. When enabled, this setting allows writing multiple Instances to a single branch, where the root branch has a child branches with each Instance name. This allows a single flow to send multiple instances to the same output. For example, assume the OPC UA root branch looks as follows. Enabling this setting will cause the write to map to rootBranch.instance1 versus just rootBranch.

- rootBranch
    - instance1
        - temp
    - instance2
        - temp