Industrial

OPC UA .NET for Windows FAQs

We recognized that the 64-bit compiler of Visual Studio 2013 has a bug in optimization. At least one place in SDK code was detected, where the optimizer produced wrong code.
We recommend to use compiler option "/Od" (disabled optimization") to avoid wrong code.

The SDK installation package installs a time limited but otherwise fully SDK package which can be used to develop OPC UA applications. Without entering a client or server license, the SDK based application will stop to work after a runtime of 90 minutes. On Windows systems a message box will notify the user about the elapsed runtime of the demo version. After a restart of the application the 90 minutes timer restarts again.

To remove the run time limitation in applications the appropriate license keys must be provided to the SDK during initialization of the application. Different license keys are available to individually enable different Toolkit features.

License keys depend on the target system. This means that, for example, a Server license for Windows will not unlock the Server feature in a VxWorks server application.

Note:
License keys contain an expiration date, depending on your SDK maintenance contract subscription. Only SDK versions released before end of license key expiration can be activated or source code can be installed with the license key.

The available features are:

UA Server: enables all required functions for OPC UA servers.
UA Client: enables all required functions for OPC UA clients.

Note: If more than one feature shall be used (e.g. if you are developing both a client and server in the same module) all required features must be enabled separately.

Activating a license
The following code illustrates how to activate your license key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX:
ObjectPointer<Application> application = Application::instance();
application->activateLicense(EnumFeature_Server, _T("XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"));
application->activateLicense(EnumFeature_Client, _T("XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"));

Is it possible to run an OPC UA application without an application certificate?

No, because the current version of the OPC UA specification requires that all OPC UA applications have a certificate that is exchanged and validated when creating a Session.

In addition to the reference-specific information, the Browse Service supports only the Mandatory Basic node attributes (NodeId, NodeClass, BrowseName, DisplayName) that each node type must have.

All optional and type-specific attributes can only be handled via the Read Service.

Does the SDK support HTTPS UA Binary & HTTPS UA XML facets?
The SDK supports only the binary encoding for HTTPS.

Does the SDK support HTTPS protocol over a VPN tunnel?
The SDK cannot establish a VPN connection. This has to be done by a third party program.
Once a VPN connection is established, the target network is treated like a local network and the OPC UA communication should work. We didn't test such a VPN connection scenario yet.

How HTTPS certificates (Client and Server) are supported by the SDK?
PKI configuration, self-signed, CA-chain, etc.
In OPC UA, every application requires to have an application instance certificate, which is used for anything related to security.
This specific application instance certificate is used also for the HTTPS communication.
The SDK supports all common certificate features (self signed certificates, CA-chains, revocation lists ...).


Note: As HTTPS is always encrypted, the trust relationship between Client and Server must be established before the very first communication.
Some other OPC UA clients can have problems using typically insecure services
(like GetEndpoints) on a secure HTTPS channel.

Mixing up Attributes and Properties is a common misinterpretation.

An Attribute is some data, bound to a certain node class (Object, ObjectType,Variable, VariableType, ReferenceType, DataType and View). The available Attribues are fixed, thus they cannot be extended to contain additional data.
Properties have almost the same syntactical meaning as Attributes, but Properties are completely different nodes (of the node class Variable) with own Attributes. The Property node is referenced from the parent node via a HasProperty reference.
To read a Property value, you have to get the NodeId of that Property (e.g. via TranslateBrowsePathsToNodeIds) and perform a read on the Value Attribute.

OPC UA applications usually have an Application Instance Certificate.

1. If a signed or encrypted connection shall be established, then the client and server have to trust each other Application Instance Certificate (the certificates are in the trust lists).If that is the case, then the certificates are used to sign and/or encrypt the communication.

2. If a client and server want to establish a not signed and not encrypted communication with anonymous authentication, then the trust relationship between client and server may, but does not have to exist. Then the client can decide to not configure an application instance certificate at all, because no certificate is transported.

3. If the connection shall be established with an authentication token different to anonymous, then the server may demand a user token security policy.
This is used to encrypt a certain part of the token, in case of the UserNameIdentityToken, the transported password is encrypted, otherwise without having a message encryption, the password would be transported unencrypted and could be read from everybody who listens at the network traffic. For this user token encryption again the server and client certificates are required and transported between the applications.
The difference to case 1 is, that the certificates are not checked whether they are trusted, they are only needed to encrypt the user token at the connection establishment.

You need an Application Instance Certificate for your application. Please have a look at the batch files that we use to create the demo store certificates of our test and sample applications at <installdir>\Source\PKI\batches. You are free to modify them to your needs.
You also need to set a PKIStoreConfiguration that has at least a configured trust list location.
This trust list can be an empty folder, when your client does not have to trust any server certificate. Unfortunately this trust list has to be configured and has to exist in any case.</installdir>

The configuration of the traces can be done through the sourcecode and the XML configuration file.

This are the possible parameters:

  • TraceMask - The trace mask on which the filtering of the logged messages can be done. E.g. log only the messages from the Core and Server SDK. Sets the filtering of the logged messages using the following hexadecimal values. A sum of the values can be used to trace multiple masks. 
    • 0 - Tracing is disabled.
    • 0x00000001 - Output traces from the configuration library (ConfigurationSDK).
    • 0x00000002 - Output traces from the client library (ClientSDK).
    • 0x00000004 - Output traces from the server library (ServerSDK).
    • 0x00000008 - Output traces from the core library (Core).
    • 0x00000010 - Output traces from the exception's stack traces (StackTrace).
    • 0x00000020 - Output traces from the old trace mechanism (OldTrace).
    • 0x00010000 - Output traces from the custom mask User1 - this mask can be used from the application.
    • 0x00020000 - Output traces from the custom mask User2 - this mask can be used from the application.
    • 0x00040000 - Output traces from the custom mask User3 - this mask can be used from the application.
    • 0x00080000 - Output traces from the custom mask User4 - this mask can be used from the application.
    • 0x00100000 - Output traces from the custom mask User5 - this mask can be used from the application.
    • 0x00200000 - Output traces from the custom mask User6 - this mask can be used from the application.
    • 0x00400000 - Output traces from the custom mask User7 - this mask can be used from the application.
    • 0x00800000 - Output traces from the custom mask User8 - this mask can be used from the application.

Example: following the bit mask principle, if one wants to enable traces from Core and Server the follwing mask should be used:

0x00000004 + 0x00000008 = 0x0000000C - this should be the trace mask to use

For further information please check the documentation under the chapter (this also matches for the client programming): Server Development -> Programmers Guide -> HowTo -> Tracing and Logging. 
 

Help file does not show any content

I downloaded a help file from the Internet. However,
it does not show any content on the right pane. Just a Table of Contents on the left pane. 

This problem is caused by the Windows 7 security treatment. It blocks the
help files (. Chm)  that are downloaded from the Internet.

Please save the help file on your PC.
To get around this problem, there are two possibilities: 

  • uncheck the Checkbox "Always ask before opening
    this file" in the Security Warning dialog or
  • open the properties of the .chm file via context menu
    and press the button "Allow".
Error message: „Windows requires a digitally signed driver”

A recently installed program tried to install an unsigned driver. The driver is unavailable and the program that uses this driver might not work correctly!

Your Microsoft Windows version requires that new drivers have a valid digital signature with SHA256 certificate. Softing has changed the driver signature mechanism supporting the new SHA256 certificates. 

To treat the signatures correctly on Windows Server 2008 R2 and Windows 7 PCs, a Windows update for SHA256 certificate support is needed.

Please uninstall the recently installed program and then install the Windows 7 Hotfix KB 3033929 on your Windows Server 2008 R2 or Windows 7 PC.

https://technet.microsoft.com/de-de/library/security/3033929

You will then be able to perform the desired Softing installation successfully.

Some OPC UA services (e.g. HistoryRead to retrieve historical values from a variable) allow clients to restrict the maximum number of results per request. If a server has more results to deliver, it returns a continuation point along with the results which the client can use to request more results. A server application must be able to deliver the remaining result with context information stored within a continuation point.

Browsing the Address Space
OPC UA provides the services Browse and BrowseNext to browse the address space of a server. Browsing the address space is a way to get all nodes that are connected to another node by references. To retrieve for example complete trees or the whole address space, several browse calls are necessary which use the results of previous browse calls. The service allows both the client and the server to restrict the number of the returned results. If the number of results exceeds this maximum, a so-called continuation point is created in the server and passed to the client. The continuation can be passed with the BrowseNext to retrieve the remaining browse results.

In case you are not able to connect to an OPC UA Server running on a different machine then please check the following:

- make sure the Server endpoint is accessible. i.e. the Server machine can be accessed over the network and the Server port is not blocked (Firewall).
- make sure that Softing OPC UA Client certificate is trusted by the Server application. Softing OPC UA Client will display a pop-up and the user can decide what to do in case the Server certificate is not trusted. So no manual steps required.
- make sure that the Client and Server clocks are synchronized (also the TimeZone). OPC UA applications require Client and Server clocks to be in sync and sometimes this can be the source of rejected connections.
- make sure that at least the Client can discover the available Server endpoints. In "Session Connect" window, you go to "Manual\Double Click to Add Server...". Insert the Server address and click the button from the right side. If the server is accessible you should see all available endpoints. Choose one of them and try to connect to it.

If still not working please check what kind of error you get in the Client logs. Softing OPC UA Client has a live message log viewer on the bottom side of the main window. Copy the exact error message you get in the client log and send it to us for further investigation.

The naming about the redundancy can be a bit confusing, we don't provide support for the server redundancy on the server side, but server redundancy on the client side - the client can communicate with a set of redundant servers.

Besides that, the SDK only supports the redundancy modes cold and warm.
The displayed enumeration displays all possibly existing redundancy types, but not all of them are supported.
The transparent redundancy mode is implicitly supported for the client, because this mode looks like a single server to clients.

The SDK provides only support on the client side to handle redundant servers.
The SDK does not provide support for redundancy on the server side, as all the sophisticated details depend on the application. (How to calculate the service levels? Shall the secondary server be started on a primary failure or is it always running? Is there data to be exchanged between the servers and how to exchange it?...).

Using a Softing dataFEED SDK with activated Source Code License provides full source code availability and enables the user to compile his activation free version of the SDK.
Activation of the Source Code License key must be done within the Installation Setup. After activation the source code for the activated components/features will be installed/extracted on your machine. There are different Source Code licenses available depending on your purchased SDK. Also there is a difference between a Client and a Server license.
After installing the SDK with source code license option, the SDK must be compiled in order to generate the full licensed libraries.

If you don't have a valid Source Code License key please contact the Softing's Sales Department.

The Browse service can return reference specific information and node specific information for the mandatory base attributes (NodeId, NodeClass, BrowseName and DisplayName). All optional or type specific attributes must be retrieved by an extra Read service call.

It is a known issue of LDS and can happen, if it is installed multiple times.
In many cases this can be solved via registering it again via command line (maybe administrative rights are necessary):

cd C:\Program Files (x86)\Common Files\OPC Foundation\UA\Discovery\bin
opcualds.exe -i SYSTEM

According to OPC UA specifications the timestamps are transported as UTC time in order to avoid inconsistencies in case Client and Server applications are running on different time zones.

The UA applications should convert these values to the local time at the receive moment (now.ToLocalTime()).

In OPC UA the server's address space is described using the name-spaces concept. All addressable entities in the server must belong to one single namespace.
The namespace must contain unique identifiers and using different name-spaces, the server's designer, can ensure a name collision free addressing even in case the same identifiers are used.
A namespace in the server is uniquely represented by an URI (string). The server exposes the list of it's namespace URIs in an array. The index () location of an namespace URI is this array very important because on the regular read/write/subscribe operations only the namespace index will be used for performance reasons. (It is faster to transport an integer value than a full blown string.)
In a server the namespace URIs may not change, but the position of a certain namespace URI in the namespace array may change. That's the reason of existence of a so called ExpandedNodeID structure that besides the namespaceID and Identifier contains the URI of the namespace as well. This ExpandedNodeID should only be used for persisting the identifiers at the client side and for validating that the namespace indexes did not change on the server after a server restart. Nn order to read / write / monitor, the API requires the application to provide a NodeID. This structure is supposed to uniquely identify a certain resource in the address space of a server.
The NodeID consists of a NamespaceIndex (ns) and an Identifier (which is a union and can be a string or an integer or a GUID or a byteArray - opaque). For the NodeID no Namespace URI (nsu) is required. The nsu is only required for an ExpandedNodeID definition.
The namespace URI string is never used in the actual interaction with the server, just the namespace index is used.
The namespace index is always mandatory, the namespace URI is optional and actually not required when NodeID class is used.

The ServerIndex is an advanced field that provides the information if the addressed NodeID is located on the local Server, or it resides on a remote Server. This is relevant for the Servers that act as aggregation Servers and retrieve their data from underlying OPC Servers. Therefore there is the ServerIndex that identifies the Server that contains the TargetNode. This Server may be the local Server or a remote Server.

This index is the index of that Server in the local Server's Server table.
The index of the local Server in the Server table is always 0.
All remote Servers have indexes greater than 0.

The Server table is contained in the Server Object in the AddressSpace. The Client may read the Server table Variable to access the description of the target Server.

Using a normal non aggregation Server / Server chaining solution that parameter is always 0.

OPC Foundation is providing an implementation of the OPC UA Local Discovery Server. The LDS ensures the very first interoperability step between OPC UA Clients and Servers. The LDS is expected to open well known port (4840) specified in the OPC UA Specification in order to respond to server registration respective clients interrogation calls, therefore it is impossible to run multiple variants of LDS server on the same machine. Softing, together with other vendors decided to support the OPC Foundation’s LDS implementation and to use and recommend it to be used by customers.
All Softing’s Windows based OPC UA products (SDKs, clients and servers) are redistributing the OPC Foundation’s LDS as a separate component in their setups.
We encourage the customers to download and deploy by themselves the LDS from the OPC Foundation website as well. The most recent version can be found here:
opcfoundation.org/developer-tools/developer-kits-unified-architecture/local-discovery-server-lds/

Some OPC UA services (e.g. HistoryRead to retrieve historical values from a variable) allow clients to restrict the maximum number of results per request. If a server has more results to deliver, it returns a continuation point along with the results which the client can use to request more results. A server application must be able to deliver the remaining result with context information stored within a continuation point.

Browsing the Address Space
OPC UA provides the services Browse and BrowseNext to browse the address space of a server. Browsing the address space is a way to get all nodes that are connected to another node by references. To retrieve for example complete trees or the whole address space, several browse calls are necessary which use the results of previous browse calls. The service allows both the client and the server to restrict the number of the returned results. If the number of results exceeds this maximum, a so-called continuation point is created in the server and passed to the client. The continuation can be passed with the BrowseNext to retrieve the remaining browse results.

By default it is not possible to have several applications in the same process, the limitation is caused by several singletons which are accessible from the entire process.

The closest approach is to use several Client::Sessions or Server::Endpoints and configure them with individual application instance certificates (see Client::Session::setInstanceCertificate() and Server::Endpoint::setInstanceCertificate()), but all will share the same ApplicationDescription and all servers will share the same address space.

Note: The application instance certificates shall have the same ApplicationUri as the ApplicationDescription, thus all certificates must use the same ApplicationUri.
There is another possible approach to produce several applications in one process by separating the different applications into several DLLs (Windows) or shared objects (Linux).

Different DLLs or shared objects have separate code and don't conflict if they know symbols of the same name, but it is important to load the SDK as static library into the DLLs or shared objects to have duplicate instances.

Note: For Windows the binaries are only available as DLLs. A source code license is needed to produce static libraries for Windows. Please contact the support for additional help how to configure projects for static libraries.

Question: Server Monitored Items may report invalid initial values when the related nodes are updated cyclically.

Reply: A cyclic update usually means that providing the initial value to the node can have a small delay, thus the initial NULL value may be reported.

You can override the method Server Subscription on Provide Initial Values to configure the related Server Monitored Items to take the initial value from the next data change instead of using the current cache value.

x

Softing Industrial Support

USA, Canada, Mexico
(865) 251-5244 (Knoxville, TN)
  
Callback

Germany HQ


«