
OPC-UA Security Example

This example usage of the OPC-UA Device Service demonstrates the onboarding of the Prosys OPC-UA Simulation Server to Edge Xpert over a secure connection. Find an example of using a regular / insecure connection under the OPC-UA General Example page.

A guide on configuring the OPC-UA Device Service to run with the Prosys OPC-UA Simulation Server can be found here.

Before you start you need to create your key/certificate pair and configure the OPC-UA Device Service to use these as described in OPC-UA Security.

Start the OPC-UA Device Service

To start the OPC-UA Device Service, enter the following command:

edgexpert up device-opc-ua --api-gateway

Device Onboarding

Once the OPC-UA Device Service has been started, OPC-UA devices can be onboarded to Edge Xpert using either the Edge Xpert Manager UI or through Edge Xpert REST API commands. Instructions on how to use both methods can be found below.

Please confirm the NodeId and DateType attributes of the resources defined in the example device profile match the NamespaceIndex, NodeId, and IdentifierType values defined for Objects in the Prosys Simulation Server. See Using the Prosys Simulator.

Device Onboarding with the Edge Xpert Manager UI

Note

Please refer to the Edge Xpert Manager UI Device Management capability for full details.

  1. Ensure the Edge Xpert Manager UI is started, for example:

    edgexpert up xpert-manager --api-gateway
    

  2. Open a browser and go to localhost:9090. The default username and password are both admin.

  3. Using the device profile upload capability, upload the provided OPC-UA example device profile at /usr/share/edgexpert/examples/device-services/opc-ua/prosys-opc-ua-simulation-server-profile.yaml

  4. Onboard the device using the device onboarding capability. The following values can be used to provision the OPC-UA Simulation device:

    | Field | Example Value | Description | Required |
    |---|---|---|---|
    | Name | Prosys-OPC-UA-Simulation-Server-SECURITY | The unique name used to identify the device | Required |
    | Description | Simulated OPC-UA server | Any additional information used to identify the device | Optional |
    | Label | OPC-UA | Any additional information used to identify the device | Optional |
    | Protocol | OPC-UA | The name of the protocol | Required |
    | Host | 172.17.0.1:53530/OPCUA/SimulationServer | The OPC-UA endpoint. The provided example is the address for Prosys OPC-UA Simulation Server. | Required |
    | Security Policy | Basic256Sha256 | The security policy used to connect to the OPC-UA server | Required |
    | Security Mode | SignEncrypt | The message security mode used to connect to the OPC-UA server | Required |
    | Username | | The username to use when connecting to an endpoint. Default is an empty string | Optional |
    | Password | | The base64 encoded password to use when connecting to an endpoint. Default is an empty string | Optional |
    | Application URI | urn:open62541.server.application | Application URI string associated with any certificate used to connect to the server. Default is an empty string | Optional |
    | Certificate Filename | /keys/server_cert.der | The name of the DER file containing the certificate used to establish a secure connection. The file must be located in the keys/ directory. Default is certificate.der | Required |
    | Private Key Filename | /keys/server_key.der | The name of the DER file containing the private key used to establish a secure connection. The file must be located in the keys/ directory. Default is private_key.der | Required |
    | Browse Depth | 0 | The maximum depth of the server tree browse for the device. If set to 0, no browse or browsePath translations take place for this device | Optional |
    | Root Node | | The nodeId representing the starting point for the Browse Service. If not specified, the browse functionality is disabled for the device | Optional |
    | Requested Session Timeout | 1200000 | The suggested timeout for sessions created between the Device Service and an OPC-UA server endpoint in milliseconds. Default is 1200000 | Optional |
    | Device Profile | Prosys-OPC-UA-Simulation-Server-Profile | The name of the device profile uploaded above | Required |
    | Device Service | device-opc-ua | The name of the appropriate device service | Required |
    | Auto Events | Interval: 5s, OnChange: false, ResourceName: Counter1 | Automated events to retrieve the data at specific frequencies | Optional |

    Note: If OnChange is set to true, values will only be pushed if a change in value has occurred during the specified interval. If set to false, values will be sent on the specified interval regardless of whether there has been a change.

You can view the certificates in Prosys OPC-UA Simulation Server under the "Certificates" tab when using "Expert Mode". If the example ApplicationURI (urn:open62541.server.application) does not work, you can find your own in the certificate details, but this should only be required if you have made modifications to the .py script.

It may be necessary to restart the device service to ensure the device is properly loaded into the service. Use the following command:

edgexpert restart device-opc-ua

Device Onboarding using the Edge Xpert REST API

Info

If Edge Xpert is running in secure mode, you will need to replace localhost in the URL with the IP address for the service. See CLI Service Ports for details.

  1. Upload the provided OPC-UA example device profile:

    curl http://localhost:59881/api/v2/deviceprofile/uploadfile -F "file=@/usr/share/edgexpert/examples/device-services/opc-ua/prosys-opc-ua-simulation-server-profile.yaml"
    

  2. Onboard the device using similar values as with the Edge Xpert Manager UI:

    curl -X 'POST' \
      'http://localhost:59881/api/v2/device' \
      -H 'Content-Type: application/json' \
      -d '[
      {
        "apiVersion": "v2",
        "device": {
          "name": "Prosys-OPC-UA-Simulation-Server-SECURITY",
          "description": "Example OPCUA Server",
          "adminState": "UNLOCKED",
          "operatingState": "UP",
          "labels": [
            "OPCUA"
          ],
          "serviceName": "device-opc-ua",
          "profileName": "Prosys-OPC-UA-Simulation-Server-Profile",
          "protocolName": "opc-ua",
          "autoEvents": [
            {
              "interval": "5s",
              "onChange": false,
              "sourceName": "Counter1"
            }
          ],
          "protocols": {
            "OPC-UA": {
              "Address":"172.17.0.1:53530/OPCUA/SimulationServer",
              "BrowseDepth":"0",
              "Certificate":"/keys/server_cert.der",
              "PrivateKey":"/keys/server_key.der",
              "ApplicationURI":"urn:open62541.server.application",
              "RequestedSessionTimeout":"1200000",
              "SecurityPolicy":"Basic256Sha256",
              "SecurityMode":"SignEncrypt"
            }
          }
        }
      }
    ]'
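
A pre-flight check for the request body above, added here as an example (it is not part of the Edge Xpert documentation or tooling): it flags OPC-UA protocol properties that would silently weaken the secure connection this page sets up. The function and variable names are hypothetical; the `None` and deprecated policy names come from the OPC UA specification (whether the Device Service accepts them is an assumption), and the `/keys/` prefix follows the example values in the table.

```python
import json
import posixpath

# OPC UA policies the OPC Foundation has deprecated (SHA-1 based).
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}

def check_opcua_device(raw):
    """Return findings for each device in a POST /api/v2/device request body."""
    findings = []
    for entry in json.loads(raw):
        dev = entry.get("device", {})
        name = dev.get("name", "<unnamed>")
        p = dev.get("protocols", {}).get("OPC-UA", {})
        policy = p.get("SecurityPolicy", "")
        mode = p.get("SecurityMode", "")
        if policy in ("", "None"):
            findings.append(f"{name}: SecurityPolicy is unset or None")
        elif policy in DEPRECATED_POLICIES:
            findings.append(f"{name}: SecurityPolicy {policy} is deprecated")
        if mode in ("", "None"):
            findings.append(f"{name}: SecurityMode is unset or None")
        elif mode != "SignEncrypt":
            findings.append(f"{name}: SecurityMode {mode!r} is not SignEncrypt")
        for key in ("Certificate", "PrivateKey"):
            path = p.get(key, "")
            # Normalise first so "/keys/../tmp/x.der" is not accepted.
            norm = posixpath.normpath(path) if path else ""
            if not (norm.startswith("/keys/") and norm.endswith(".der")):
                findings.append(f"{name}: {key} {path!r} is not a .der file under /keys/")
        if not p.get("ApplicationURI"):
            findings.append(f"{name}: ApplicationURI is empty although a certificate is set")
    return findings

# The page's OPC-UA protocol properties (expected to pass).
GOOD = {"Address": "172.17.0.1:53530/OPCUA/SimulationServer",
        "Certificate": "/keys/server_cert.der", "PrivateKey": "/keys/server_key.der",
        "ApplicationURI": "urn:open62541.server.application",
        "SecurityPolicy": "Basic256Sha256", "SecurityMode": "SignEncrypt"}
# Constructed weak variant, for illustration only.
WEAK = dict(GOOD, SecurityPolicy="None", SecurityMode="None",
            PrivateKey="/keys/../tmp/server_key.pem", ApplicationURI="")

def request_body(name, props):
    return json.dumps([{"apiVersion": "v2",
                        "device": {"name": name, "protocols": {"OPC-UA": props}}}])

if __name__ == "__main__":
    for n, props in (("good", GOOD), ("weak", WEAK)):
        print(n, check_opcua_device(request_body(n, props)))
```

Run it against the JSON you intend to POST before onboarding; an empty list means the security-relevant properties match the shape of the page's example.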
    

Device Data Flow

Once a device is connected to Edge Xpert, you can view the data flow between the device service and the connected device in a number of ways.

The Edge Xpert Manager UI supports Read and Write functionality for each device. Readings can also be viewed and queried within the Edge Xpert Manager UI Data Center.

Alternatively, you can read and write data with cURL commands or through REST API applications, such as Postman.

Info

If Edge Xpert is running in secure mode, you will need to replace localhost in the URL with the IP address for the service. See CLI Service Ports for details.

Both the GET and PUT commands can be made to the following address:

http://localhost:59882/api/v2/device/name/{deviceName}/{commandName}

Using the example above, a GET request to this device service could be:

curl http://localhost:59882/api/v2/device/name/Prosys-OPC-UA-Simulation-Server-SECURITY/Counter1

For more information on the GET and PUT commands, see the Core Command Microservice.

Any data collected by the device service can be processed like all other Edge Xpert sensor data. Data readings can be exported for data processing in a number of other applications and services. See the Support Services and Application Services for more details.