EcoStruxure Geo SCADA Expert Forum
Schneider Electric support forum about installation, configuration, integration and troubleshooting of EcoStruxure Geo SCADA Expert (ClearSCADA, ViewX, WebX).
Posted: 2022-06-30 05:13 PM . Last Modified: 2023-05-02 11:54 PM
Hi Experts,
I'm new to OPC UA in Geo SCADA, trying to establish comms with an OPC UA Server (Kepware) for testing.
Test setup has both the OPC Server (Kepware) and the OPC client (Geo SCADA) in the same network, running on different PCs. I've tested the comms with Matrikon OPC UA on the client PC (where Geo SCADA is installed) and it works perfectly fine. This proves the OPC Server is good. Please advise from the below snapshot what could be wrong with the OPC UA Server setting. I'm receiving an API error as shown in the below snapshot.
Posted: 2022-06-30 05:23 PM
Hi Experts,
I discovered that I did not have discovery server configured. Posting below the snapshots of the working sample.
Added discovery server and entered the OPC UA Endpoint URL here.
Browse the discovery server from the Server URL field. Then browse the endpoint URL, which has security access options such as None, Basic128Rsa15, Basic 256 etc.
Thanks,
Justin
Posted: 2023-04-22 02:53 AM
Right, I have certificates in Geo SCADA working with Kepware OPC-UA as well. I will eventually put together a document describing the full process, but in the meantime I think the major sticking point is generating the certificate and key used by Geo SCADA correctly, so I will briefly explain that process here.
Side note: I've tested with three different OPC-UA servers: EcoStruxure OPC-UA Server Expert, the BMENUA0100 comms card of the M580 ePAC and now Kepware. Of the three, Kepware is the strictest in evaluating the certificates - it requires not only that the certificates match, but also that the OPC-UA application URI declared by the client and the hostname of the computer hosting the client are accurately declared in the certificate. It appears that both the BMENUA0100 card and EcoStruxure OPC-UA Server Expert software don't impose this extra burden, and simply validate that the certificate received matches one in their trusted certificate stores.
How to make a certificate and key for Geo SCADA that is acceptable by Kepware:
1. Have OpenSSL installed. A Windows installer can be found at this site: https://slproweb.com/products/Win32OpenSSL.html !!! Note: this is a third party installer of OpenSSL. I take no responsibility for it !!!
2. Have the bin folder of OpenSSL declared in the PATH environment variable of your user account. In my case the path is "C:\Program Files\OpenSSL-Win64\bin"
3. Create a folder somewhere that you can reach easily in a command prompt. Say, for example: "C:\Certficate"
4. Create a new text file in that folder and rename it to "openssl.cnf".
5. Edit "openssl.cnf" in notepad, and paste the following text in it:
[ req ]
default_bits = 2048
default_keyfile = key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
[ subject ]
countryName = <your country>
localityName = <your city>
organizationName = <your company name>
organizationalUnitName = <your organizational unit name>
domainComponent = SchneiderElectric:ClearSCADA
commonName = GeoSCADA
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
extendedKeyUsage = serverAuth,clientAuth
[ req_ext ]
# Nothing in this section...
[ alternate_names ]
DNS.1 = <host name of the Geo SCADA server>
URI.1 = urn:GeoSCADA:SchneiderElectric:ClearSCADA
#Obviously edit this text to suit your scenario (e.g. your country, city, etc.), but specifically the Hostname of the Geo SCADA server is important.
6. Open a command prompt and change the working directory to the folder where you placed "openssl.cnf" and run the following three commands:
openssl req -x509 -newkey RSA:4096 -days 3650 -keyout key.pem -out cert.pem -sha256 -config openssl.cnf
openssl x509 -inform pem -in cert.pem -outform der -out cert.der
openssl rsa -inform pem -in key.pem -outform der -out key.der
#You will be asked for a password for the key.pem file - choose any four characters. It does not matter what the password is.
7. Upload the files "cert.der" and "key.der" into the SSL Certificate and Key object referenced by the OPC-UA server object, in your Geo SCADA database. Also ensure that the Common Name configured in the OPC-UA Server object is "GeoSCADA".
8. Disable and re-enable the OPC-UA server object. After it connects to Kepware, use the OPC-UA Configuration tool of Kepware to trust the certificate it received. Wait a few seconds and the connection should become healthy.
Posted: 2023-03-15 03:45 AM
Does it also work with certificates? We cannot get it working.
Posted: 2023-04-16 05:09 AM
That is true. I cannot get it working with Endpoint rather than None - None.
I already opened a case with support team.
Posted: 2023-04-17 05:40 AM
Could you keep me posted, because I raised a support question also but have not yet found the solution.
Posted: 2023-04-18 11:28 PM
I am also curious about using certificates with the OPC-UA driver in Geo SCADA. I have no problem connecting Geo SCADA to an M580 BMENUA0100 server, without security. But, when I enable security and need to use certificates, I cannot get it working.
Posted: 2023-04-20 11:25 AM
With the help of a colleague in the UK, I managed to get Geo SCADA talking to my M580 BMENUA OPC-UA server, using certificates and with user authentication.
The certificate used by Geo SCADA has to be crafted in a very way for it to work. I will summarize the steps it takes to make it work and post it here - perhaps the same steps will help other users.
Posted: 2023-04-20 12:47 PM
Hi,
Good to hear that. We’re in a very critical situation with the customer and we need to get it to work with certificate and user authentication.
I’ll be waiting for your summarized steps, which may solve our issue with the customer.
Thanks in Advance!
Posted: 2023-04-22 02:54 AM . Last Modified: 2023-04-22 02:54 AM
@Abed If you like, you can contact me on teams: mark.pitout@se.com
Posted: 2023-04-25 03:44 AM
Thank you Mark.
The product test team are validating this - they have successfully got it to work with Kepware.
Expect an update to documentation.
Posted: 2023-04-26 07:50 AM . Last Modified: 2023-04-26 08:00 AM
Note:
In the openssl.cnf file
After feedback from @Abed , remove this line
DNS.1 = <host name of the Geo SCADA server>
from the section [ alternate_names ].
This is required so that a pair (or trio) of redundant servers can all use the same certificate.
Alternatively, I think it could also be possible to put the following under the section [ alternate_names ]:
DNS.1 = <host name of the Geo SCADA server 1>
DNS.2 = <host name of the Geo SCADA server 2>
DNS.3 = <host name of the Geo SCADA server 3>
@sbeadle It would be nice if the product test team take a view on this.
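An added example, not part of any post in this thread and not Schneider Electric or Kepware code: a Python pre-flight check of openssl.cnf against the points the thread says a strict server evaluates (application URI and host names in the subjectAltName, plus the Common Name from step 7). The host names and function names are made up for illustration, and accepting a subjectAltName with no DNS entries is an assumption taken from the note above about redundant servers.

```python
import re

# Constructed sample: the relevant parts of the thread's openssl.cnf, with
# made-up host names for a redundant pair (the DNS.1/DNS.2 variant).
SAMPLE_CNF = """
[ req ]
distinguished_name = subject
x509_extensions = x509_ext
[ subject ]
commonName = GeoSCADA
[ x509_ext ]
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = geoscada-main   # constructed host name
DNS.2 = geoscada-standby
URI.1 = urn:GeoSCADA:SchneiderElectric:ClearSCADA
"""

def parse_cnf(text):
    """Parse the plain 'section / key = value' subset of openssl.cnf used in the thread."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_cnf(text, application_uri, common_name, hostnames):
    """Return the mismatches that would end up in the generated certificate."""
    cnf = parse_cnf(text)
    req = cnf.get("req", {})
    # 'openssl req -x509' takes extensions from x509_extensions, not req_extensions.
    ext = cnf.get(req.get("x509_extensions", ""), {})
    san_ref = ext.get("subjectAltName", "")
    if not san_ref.startswith("@"):
        return ["no '@section' subjectAltName in the x509_extensions section"]
    san = cnf.get(san_ref[1:], {})
    uris = [v for k, v in san.items() if k.startswith("URI.")]
    dns = {v.lower() for k, v in san.items() if k.startswith("DNS.")}
    problems = []
    if application_uri not in uris:
        problems.append(f"application URI {application_uri!r} not in SAN URIs {uris}")
    subject = cnf.get(req.get("distinguished_name", ""), {})
    if subject.get("commonName") != common_name:
        problems.append(f"commonName {subject.get('commonName')!r} != {common_name!r}")
    # No DNS entries: certificate not tied to a host (assumed acceptable, see lead-in).
    if dns:
        problems += [f"host {h!r} missing from SAN DNS entries"
                     for h in hostnames if h.lower() not in dns]
    return problems
```

Call check_cnf with the contents of your own openssl.cnf, the application URI and Common Name configured on the OPC-UA server object, and the host name of every Geo SCADA server that will present the certificate; an empty list means the file is consistent with those values.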
Posted: 2023-04-28 02:33 AM
Thanks Mark, we will review.
Posted: 2023-09-19 04:29 AM
Can Schneider please provide documentation relating to Geo SCADA to OPC-UA connectivity (to Kepware)?
Posted: 2024-05-06 02:54 AM
Hi sir, have you got such a document? If yes, then can you please provide it, because I'm facing the same issue.
Posted: 2024-05-07 01:59 AM