Industrial

OPC UA .NET Standard SDK FAQs

Please check, if you initialized your Application as Client (or Server and Client). See ApplicationDescription::setApplicationType().
If that is not correctly set, everything seems to work fine, but none of the client specific callbacks to the API will ever be called.
In future versions, we will report some configuration errors for such problems.

We recognized that the 64-bit compiler of Visual Studio 2013 has a bug in optimization. At least one place in SDK code was detected, where the optimizer produced wrong code.
We recommend to use compiler option "/Od" (disabled optimization") to avoid wrong code.

Some operations are risky to be called within a DllMain, like synchronization with other threads, this can cause deadlocks (see msdn.microsoft.com/en-us/library/windows/desktop/dn633971%28v=vs.85%29.aspx). The SDK does this kind of synchronization which causes such a deadlock.
To fix the problem, set up and tear down the SDK after loading and before unloading the DLLs via functions or static methods.

The SDK installation package installs a time limited but otherwise fully SDK package which can be used to develop OPC UA applications. Without entering a client or server license, the SDK based application will stop to work after a runtime of 90 minutes. On Windows systems a message box will notify the user about the elapsed runtime of the demo version. After a restart of the application the 90 minutes timer restarts again.

To remove the run time limitation in applications the appropriate license keys must be provided to the SDK during initialization of the application. Different license keys are available to individually enable different Toolkit features.

License keys depend on the target system. This means that, for example, a Server license for Windows will not unlock the Server feature in a VxWorks server application.

Note:
License keys contain an expiration date, depending on your SDK maintenance contract subscription. Only SDK versions released before end of license key expiration can be activated or source code can be installed with the license key.

The available features are:

UA Server: enables all required functions for OPC UA servers.
UA Client: enables all required functions for OPC UA clients.

Note: If more than one feature shall be used (e.g. if you are developing both a client and server in the same module) all required features must be enabled separately.

Activating a license
The following code illustrates how to activate your license key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX:
ObjectPointer<Application> application = Application::instance();
application->activateLicense(EnumFeature_Server, _T("XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"));
application->activateLicense(EnumFeature_Client, _T("XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"));

Is it possible to run an OPC UA application without an application certificate?

No, because the current version of the OPC UA specification requires that all OPC UA applications have a certificate that is exchanged and validated when creating a Session.

In addition to the reference-specific information, the Browse Service supports only the Mandatory Basic node attributes (NodeId, NodeClass, BrowseName, DisplayName) that each node type must have.

All optional and type-specific attributes can only be handled via the Read Service.

Does the SDK support HTTPS UA Binary & HTTPS UA XML facets?
The SDK supports only the binary encoding for HTTPS.

Does the SDK support HTTPS protocol over a VPN tunnel?
The SDK cannot establish a VPN connection. This has to be done by a third party program.
Once a VPN connection is established, the target network is treated like a local network and the OPC UA communication should work. We didn't test such a VPN connection scenario yet.

How HTTPS certificates (Client and Server) are supported by the SDK?
PKI configuration, self-signed, CA-chain, etc.
In OPC UA, every application requires to have an application instance certificate, which is used for anything related to security.
This specific application instance certificate is used also for the HTTPS communication.
The SDK supports all common certificate features (self signed certificates, CA-chains, revocation lists ...).


Note: As HTTPS is always encrypted, the trust relationship between Client and Server must be established before the very first communication.
Some other OPC UA clients can have problems using typically insecure services
(like GetEndpoints) on a secure HTTPS channel.

Mixing up Attributes and Properties is a common misinterpretation.

An Attribute is some data, bound to a certain node class (Object, ObjectType,Variable, VariableType, ReferenceType, DataType and View). The available Attribues are fixed, thus they cannot be extended to contain additional data.
Properties have almost the same syntactical meaning as Attributes, but Properties are completely different nodes (of the node class Variable) with own Attributes. The Property node is referenced from the parent node via a HasProperty reference.
To read a Property value, you have to get the NodeId of that Property (e.g. via TranslateBrowsePathsToNodeIds) and perform a read on the Value Attribute.

Normally when loading a DLL library dynamically, the whole initialization is done during a DllMain function. None the less, some operations are very risky to be called within a DllMain, like synchronization with other threads, this can cause deadlocks (see msdn.microsoft.com/en-us/library/windows/desktop/dn633971%28v=vs.85%29.aspx.
The loadToolbox() function does this kind of synchronization which would likely cause such a deadlock.

To fix the problem, call loadToolbox() or unloadToolbox() after loading the DLLs, respectively before unloading the DLLs. This can be done via functions or static methods. Also keep in mind, that all instances of SDK classes (including data classes) are destroyed before unloadToolbox() is called.

If you have the source code of the SDK, you can download the desired OpenSSL ".tar.gz" file to <InstallDir>/Source/Core/OpenSSL, move/remove the prior ".tar.gz" file from that folder and try to build the toolkit with the different OpenSSL (see OpenSSL Functionality). The toolkit should be compatible with most OpenSSL versions, otherwise it will report compilation errors.
If you have the binary version of the Windows SDK, then the only problem is, that the two different OpenSSL DLLs typically want to have the same names. To solve that, you can rename the libraries libeay32.dll and ssleay32.dll to names with an equal length, e.g. libeayua.dll and ssleayua.dll. Then you can open the DLLs TB5STACK.dll (or TB5STACKx64.dll) and the renamed ssleay32.dll in an editor and search and rename the original DLL names by the new names.

Note: This will work only if the old and new DLL names have the same size, changing the size of the DLL content will cause problems!

OPC UA applications usually have an Application Instance Certificate.

1. If a signed or encrypted connection shall be established, then the client and server have to trust each other Application Instance Certificate (the certificates are in the trust lists).If that is the case, then the certificates are used to sign and/or encrypt the communication.

2. If a client and server want to establish a not signed and not encrypted communication with anonymous authentication, then the trust relationship between client and server may, but does not have to exist. Then the client can decide to not configure an application instance certificate at all, because no certificate is transported.

3. If the connection shall be established with an authentication token different to anonymous, then the server may demand a user token security policy.
This is used to encrypt a certain part of the token, in case of the UserNameIdentityToken, the transported password is encrypted, otherwise without having a message encryption, the password would be transported unencrypted and could be read from everybody who listens at the network traffic. For this user token encryption again the server and client certificates are required and transported between the applications.
The difference to case 1 is, that the certificates are not checked whether they are trusted, they are only needed to encrypt the user token at the connection establishment.

You need an Application Instance Certificate for your application. Please have a look at the batch files that we use to create the demo store certificates of our test and sample applications at <installdir>\Source\PKI\batches. You are free to modify them to your needs.
You also need to set a PKIStoreConfiguration that has at least a configured trust list location.
This trust list can be an empty folder, when your client does not have to trust any server certificate. Unfortunately this trust list has to be configured and has to exist in any case.</installdir>

The Use of Status Codes in the SDK
All functions that may encounter errors during execution use the enumeration EnumStatusCode to specify the error condition. The values of the StatusCode enumeration are defined by the OPC Foundation and are also used to denote errors in service calls. Also the quality of a variable's value is denoted by the same StatusCode. See the reference manual to receive the complete list of all enumeration values.
The SDK provides the global function getEnumStatusCodeString() to retrieve the textual description of a StatusCode. This method can be useful for debugging error conditions.
The StatusCode class provides convenience methods for testing status codes. The static method StatusCode::isGood(), for example, may be used to test whether a given status code is 'good', i.e. does not indicate an error.

Enabling Tracing for the SDK Components
If a status code does not provide enough information to identify a problem, you may turn on tracing of diagnostic messages. Tracing of diagnostic messages can be enabled in the Trace singleton class. The following code illustrates how to enable tracing to a log file:
Trace::instance()->enableFileLogging(_T("logging.txt"), 10000, 5, 256);
Trace::instance()->enableTraceLevel(EnumTraceGroup_All, EnumTraceLevel_WarningAndHigher);
The trace output can also be streamed over a TCP connection. See the Trace Viewer topic for further reference.
It is also possible to implement an individual tracing. To do this, invoke the Trace::enableCallbackLogging(). The given callback will be invoked on every enabled trace level / trace group.

Help file does not show any content

I downloaded a help file from the Internet. However,
it does not show any content on the right pane. Just a Table of Contents on the left pane. 

This problem is caused by the Windows 7 security treatment. It blocks the
help files (. Chm)  that are downloaded from the Internet.

Please save the help file on your PC.
To get around this problem, there are two possibilities: 

  • uncheck the Checkbox "Always ask before opening
    this file" in the Security Warning dialog or
  • open the properties of the .chm file via context menu
    and press the button "Allow".
Error message: „Windows requires a digitally signed driver”

A recently installed program tried to install an unsigned driver. The driver is unavailable and the program that uses this driver might not work correctly!

Your Microsoft Windows version requires that new drivers have a valid digital signature with SHA256 certificate. Softing has changed the driver signature mechanism supporting the new SHA256 certificates. 

To treat the signatures correctly on Windows Server 2008 R2 and Windows 7 PCs, a Windows update for SHA256 certificate support is needed.

Please uninstall the recently installed program and then install the Windows 7 Hotfix KB 3033929 on your Windows Server 2008 R2 or Windows 7 PC.

https://technet.microsoft.com/de-de/library/security/3033929

You will then be able to perform the desired Softing installation successfully.

The reason is a ABI break between compiler versions. Please compile the test and sample applications with
make -f linux.mak MACHINE_TYPE="armv-6" MACHINE_OPT="-D_GLIBCXX_USE_CXX11_ABI=0 -std=gnu++03"

The MACHINE_TYPE just defines the folder name below ...Source/lib/linux where the archives are searched.

All Softing’s Windows based OPC UA products (SDKs, clients and servers) are redistributing the OPC Foundation’s LDS (Local Discovery Server) as a separate component in their setups.
Unfortunately the OPC Foundation doesn’t provide an LDS for Linux systems.

The Windows installation of the SDK installs the LDS and we deliver the batch file “update_discovery_server_store.bat”, which copies the LDS certificate to the server PKI store and the server certificate to the LDS PKI store.
That is how the file “cert_discovery_server.der” appears in the server PKI store.

Currently the only way to use a server on Linux with an LDS is to install and register the LDS on a remote Windows machine.
This step requires to exchange the certificates manually and to configure the correct IP address to the LDS in the sample.
For a quick approach, simply install the C++ SDK for Windows on that Windows machine, then have a look at “<installdir>/Source/PKI/update_discovery_server_store.bat“, where to get and insert the certificate files.

Note: the use of an LDS mainly makes sense when there are several servers and when you need one entry point, where all existing servers are visible. For one server only, the self discovery is sufficient. When you ask that server, which servers are available, then the server replies with the contact data of itself. This feature is automatically provided by the SDK without additional configuration.

Note: it is not necessary to create a certificate for the Local Discovery Server. The LDS should be existent locally. The LDS can register itself.

How to setup certificates in VxWorks?

The batch file (for Windows) or shell script (for Linux) to create the PKI store can be called with command line parameters to configure the PKI store for any IP address or hostname (use the --help argument to see the options and required syntax).
Create a PKI store for your VxWorks device, copy it somewhere where the device can find it (on the device directly, a network path or a plugged flash card ...).
Then you also have to configure the application code to use the correct path.

Note: When you use the client and server on different machines, then both need an own PKI store, where you have to copy the "own" certificates to the "trusted" folder of the other ones PKI store.

Some OPC UA services (e.g. HistoryRead to retrieve historical values from a variable) allow clients to restrict the maximum number of results per request. If a server has more results to deliver, it returns a continuation point along with the results which the client can use to request more results. A server application must be able to deliver the remaining result with context information stored within a continuation point.

Browsing the Address Space
OPC UA provides the services Browse and BrowseNext to browse the address space of a server. Browsing the address space is a way to get all nodes that are connected to another node by references. To retrieve for example complete trees or the whole address space, several browse calls are necessary which use the results of previous browse calls. The service allows both the client and the server to restrict the number of the returned results. If the number of results exceeds this maximum, a so-called continuation point is created in the server and passed to the client. The continuation can be passed with the BrowseNext to retrieve the remaining browse results.

In case you are not able to connect to an OPC UA Server running on a different machine then please check the following:

- make sure the Server endpoint is accessible. i.e. the Server machine can be accessed over the network and the Server port is not blocked (Firewall).
- make sure that Softing OPC UA Client certificate is trusted by the Server application. Softing OPC UA Client will display a pop-up and the user can decide what to do in case the Server certificate is not trusted. So no manual steps required.
- make sure that the Client and Server clocks are synchronized (also the TimeZone). OPC UA applications require Client and Server clocks to be in sync and sometimes this can be the source of rejected connections.
- make sure that at least the Client can discover the available Server endpoints. In "Session Connect" window, you go to "Manual\Double Click to Add Server...". Insert the Server address and click the button from the right side. If the server is accessible you should see all available endpoints. Choose one of them and try to connect to it.

If still not working please check what kind of error you get in the Client logs. Softing OPC UA Client has a live message log viewer on the bottom side of the main window. Copy the exact error message you get in the client log and send it to us for further investigation.

The naming about the redundancy can be a bit confusing, we don't provide support for the server redundancy on the server side, but server redundancy on the client side - the client can communicate with a set of redundant servers.

Besides that, the SDK only supports the redundancy modes cold and warm.
The displayed enumeration displays all possibly existing redundancy types, but not all of them are supported.
The transparent redundancy mode is implicitly supported for the client, because this mode looks like a single server to clients.

The SDK provides only support on the client side to handle redundant servers.
The SDK does not provide support for redundancy on the server side, as all the sophisticated details depend on the application. (How to calculate the service levels? Shall the secondary server be started on a primary failure or is it always running? Is there data to be exchanged between the servers and how to exchange it?...).
But of course, it is possible using the OPC UA C++ SDK to build redundant servers.

Using a Softing dataFEED SDK with activated Source Code License provides full source code availability and enables the user to compile his activation free version of the SDK.
Activation of the Source Code License key must be done within the Installation Setup. After activation the source code for the activated components/features will be installed/extracted on your machine. There are different Source Code licenses available depending on your purchased SDK. Also there is a difference between a Client and a Server license.
After installing the SDK with source code license option, the SDK must be compiled in order to generate the full licensed libraries.

If you don't have a valid Source Code License key please contact the Softing's Sales Department.

The Browse service can return reference specific information and node specific information for the mandatory base attributes (NodeId, NodeClass, BrowseName and DisplayName). All optional or type specific attributes must be retrieved by an extra Read service call.

It is a known issue of LDS and can happen, if it is installed multiple times.
In many cases this can be solved via registering it again via command line (maybe administrative rights are necessary):

cd C:\Program Files (x86)\Common Files\OPC Foundation\UA\Discovery\bin
opcualds.exe -i SYSTEM

According to OPC UA specifications the timestamps are transported as UTC time in order to avoid inconsistencies in case Client and Server applications are running on different time zones.

The UA applications should convert these values to the local time at the receive moment (now.ToLocalTime()).

In OPC UA the server's address space is described using the name-spaces concept. All addressable entities in the server must belong to one single namespace.
The namespace must contain unique identifiers and using different name-spaces, the server's designer, can ensure a name collision free addressing even in case the same identifiers are used.
A namespace in the server is uniquely represented by an URI (string). The server exposes the list of it's namespace URIs in an array. The index () location of an namespace URI is this array very important because on the regular read/write/subscribe operations only the namespace index will be used for performance reasons. (It is faster to transport an integer value than a full blown string.)
In a server the namespace URIs may not change, but the position of a certain namespace URI in the namespace array may change. That's the reason of existence of a so called ExpandedNodeID structure that besides the namespaceID and Identifier contains the URI of the namespace as well. This ExpandedNodeID should only be used for persisting the identifiers at the client side and for validating that the namespace indexes did not change on the server after a server restart. Nn order to read / write / monitor, the API requires the application to provide a NodeID. This structure is supposed to uniquely identify a certain resource in the address space of a server.
The NodeID consists of a NamespaceIndex (ns) and an Identifier (which is a union and can be a string or an integer or a GUID or a byteArray - opaque). For the NodeID no Namespace URI (nsu) is required. The nsu is only required for an ExpandedNodeID definition.
The namespace URI string is never used in the actual interaction with the server, just the namespace index is used.
The namespace index is always mandatory, the namespace URI is optional and actually not required when NodeID class is used.

The ServerIndex is an advanced field that provides the information if the addressed NodeID is located on the local Server, or it resides on a remote Server. This is relevant for the Servers that act as aggregation Servers and retrieve their data from underlying OPC Servers. Therefore there is the ServerIndex that identifies the Server that contains the TargetNode. This Server may be the local Server or a remote Server.

This index is the index of that Server in the local Server's Server table.
The index of the local Server in the Server table is always 0.
All remote Servers have indexes greater than 0.

The Server table is contained in the Server Object in the AddressSpace. The Client may read the Server table Variable to access the description of the target Server.

Using a normal non aggregation Server / Server chaining solution that parameter is always 0.

OPC Foundation is providing an implementation of the OPC UA Local Discovery Server. The LDS ensures the very first interoperability step between OPC UA Clients and Servers. The LDS is expected to open well known port (4840) specified in the OPC UA Specification in order to respond to server registration respective clients interrogation calls, therefore it is impossible to run multiple variants of LDS server on the same machine. Softing, together with other vendors decided to support the OPC Foundation’s LDS implementation and to use and recommend it to be used by customers.
All Softing’s Windows based OPC UA products (SDKs, clients and servers) are redistributing the OPC Foundation’s LDS as a separate component in their setups.
We encourage the customers to download and deploy by themselves the LDS from the OPC Foundation website as well. The most recent version can be found here:
opcfoundation.org/developer-tools/developer-kits-unified-architecture/local-discovery-server-lds/

Not all OPC UA servers support writing timestamps. This is not a bug of the dataFEED OPC UA C++ SDK or the third party server, it is the official way of a server to say, that it does not support writing timestamps. Don't call DataValue::setServerTimestamp() and maybe not even DataValue::setSourceTimestamp() on the DataValue that shall be written, respectively call these methods with an empty DateTime variable to clear existing timestamps.

Some OPC UA services (e.g. HistoryRead to retrieve historical values from a variable) allow clients to restrict the maximum number of results per request. If a server has more results to deliver, it returns a continuation point along with the results which the client can use to request more results. A server application must be able to deliver the remaining result with context information stored within a continuation point.

Browsing the Address Space
OPC UA provides the services Browse and BrowseNext to browse the address space of a server. Browsing the address space is a way to get all nodes that are connected to another node by references. To retrieve for example complete trees or the whole address space, several browse calls are necessary which use the results of previous browse calls. The service allows both the client and the server to restrict the number of the returned results. If the number of results exceeds this maximum, a so-called continuation point is created in the server and passed to the client. The continuation can be passed with the BrowseNext to retrieve the remaining browse results.

By default it is not possible to have several applications in the same process, the limitation is caused by several singletons which are accessible from the entire process.

The closest approach is to use several Client::Sessions or Server::Endpoints and configure them with individual application instance certificates (see Client::Session::setInstanceCertificate() and Server::Endpoint::setInstanceCertificate()), but all will share the same ApplicationDescription and all servers will share the same address space.

Note: The application instance certificates shall have the same ApplicationUri as the ApplicationDescription, thus all certificates must use the same ApplicationUri.
There is another possible approach to produce several applications in one process by separating the different applications into several DLLs (Windows) or shared objects (Linux).

Different DLLs or shared objects have separate code and don't conflict if they know symbols of the same name, but it is important to load the SDK as static library into the DLLs or shared objects to have duplicate instances.

Note: For Windows the binaries are only available as DLLs. A source code license is needed to produce static libraries for Windows. Please contact the support for additional help how to configure projects for static libraries.

Question: Server Monitored Items may report invalid initial values when the related nodes are updated cyclically.

Reply: A cyclic update usually means that providing the initial value to the node can have a small delay, thus the initial NULL value may be reported.

You can override the method Server Subscription on Provide Initial Values to configure the related Server Monitored Items to take the initial value from the next data change instead of using the current cache value.

 

OPC UA .NET standard SDK

dataFEED OPC UA .NET Standard SDKs

Integration of OPC UA communication into .NET standard-applications

x

Softing Industrial Support

USA, Canada, Mexico
(865) 251-5244
(Knoxville, TN)
E-mail Request  
Callback

«