Skip to content

lua-opcua

This is a lua wrapper for the open62541 library, see https://github.com/ogsadmin/open62541-lua.

OGS configuration

Here is a sample configuration for the OPC-UA line interface:

[OPCUA_CLIENT]
; OPCUA connection URL:
SERVER_URL=opc.tcp://192.168.0.1:4840
SERVER_USERNAME=OGSInterfaceUser
SERVER_PASSWORD=OGSPassword1
SERVER_SECURITY=1
SERVER_CERT_FILE=d:/test_cert.der
SERVER_CERT_KEY=d:/test_key.der
; Namespace of variables:
SERVER_NS=3
; Define the full path for the variables                                                         
TO_PLC_VAR=""DB_OGS_V3"."st01"."line"."ogs_to_plc""
TO_OGS_VAR=""DB_OGS_V3"."st01"."line"."plc_to_ogs""
DEBUG=2

The parameters are:

  • SERVER_URL: The URL of the OPC-UA server to connect to
  • SERVER_USERNAME: The username to be used for authentication - leave empty for anonymous login. Note, that usually you should also specify a certificate and a key file, so the client can encrtypt the credential (so no plaintext passwords are sent over the wire)
  • SERVER_PASSWORD: The password for the authentication (see the comments above for encryption and anonymous login)
  • SERVER_SECURITY: defines the security level: 1 = NONE (default), 2 = SIGN, 3 = SIGN & ENCRYPT
  • SERVER_CERT_FILE: Full path to the x509 binary DER encoded certificate file used for client authentication and/or encryption. Default: empty, no encryption used
  • SERVER_CERT_KEY: Full path to the x509 binary DER encoded key file used for client authentication and/or encryption
  • SERVER_NS: The namespace used for OPC-UA variables access (for TO_PLC_VAR and TO_OGS_VAR)
  • TO_PLC_VAR, TO_OGS_VAR: Full OPC-UA node path of the variables to be used for cyclic data exchange
  • DEBUG: Set the debug verbosity level for ETW trace output (0 = off, 1 = low, 2 = medium, 3 = high)

Notes

Username/Password authentication

Username/password authentication over an unencrypted channel (security mode = NONE) is usually not allowed by servers (for good reasons) - so a client certificate is almost always needed to use username/password authentication (technically, the enpoints provided by the server does not include any token policy without encryption for the SecurityPolicy#NONE endpoint)

Here is a log from the Open62541 client trying to connect to a Siemens S7-1500 PLC server using username/password without encryption - and failes:

alt text

Note

On a first glance, SecurityMode#NONE and UserName Authentication seems to work with other clients (like the Softing OPC-UA Explorer), but actually these are creating a default certificate and using this to enrypt username/password according to one of the accepted security/user-token policies provided by the server.

To correctly create a connection with username/password authentication, for most servers therefore a client certificate is needed to encrypt the credentials, so use the following:

-- Sample configuration for authenticating with username/password
-- and SecurityMode#NONE for a Siemens PLC 
-- Note, that you **must** provide a (selfsigned) certificate for this
-- to work!
local connInfoLine_Siemens_UserPass_NONE = {
    URL = "opc.tcp://192.168.0.1:4840",         -- Siemens PLC
    NAMESPACE = 3,
    TO_PLC_VAR = '"DB_OPCUA"."st01"."line"."ogs_to_plc"',
    TO_OGS_VAR = '"DB_OPCUA"."st01"."line"."plc_to_ogs"',
    SECURITYMODE = 0,   -- 0 = SecurityMode#NONE
    CERTFILE = 'd:/temp/localhost_cert.der',
    KEYFILE = 'd:/temp/localhost_key.der',
    SERVER_USERNAME = 'OGSInterfaceUser',
    SERVER_PASSWORD = 'OGSPassword1',
    --DEBUG=3
}
local connInfo = connInfoLine_Siemens_UserPass_NONE

-- Create the client instance and configure security properties
cyclicio = opcua.CyclicIO.new(
    connInfo.SECURITYMODE or 0, 
    connInfo.CERTFILE, 
    connInfo.KEYFILE)
--local tbl, tmp = cyclicio:getInfo()

-- update the client configuration
local cfg = cyclicio.config
cfg:setTimeout(5000)
cfg:setSecureChannelLifeTime( 10 * 60 * 1000 )

-- start the client and the cyclic IO exchange
cyclicio:start(
    connInfo.URL or connInfo.SERVER_URL, 
    connInfo.NAMESPACE or connInfo.SERVER_NAMESPACE,
    connInfo.TO_PLC_VAR, '',
    connInfo.TO_OGS_VAR, '',
    100, 
    connInfo.SERVER_USERNAME or '', 
    connInfo.SERVER_PASSWORD or ''
    )

Create self-signed certificates

For testing, one can use the create-selfsigned.py script from https://github.com/ogsadmin/open62541/tree/master/tools/certs.

You can also direclty use openssl to generate the files as follows:

# create localhost.cer (certificate) and localhost.key (private key)
openssl req -new -nodes -x509 -sha256 -newkey rsa:2048 -keyout localhost.key -days 365 -subj "/C=DE/O=open62541/CN=open62541Server@localhost" -out localhost.crt
# convert to x509 binary encoded der format
openssl x509 -in localhost.crt -outform der -out localhost_cert.der
openssl rsa -inform PEM -in localhost.key -outform DER -out localhost_key.der
# delete pem format files
rm localhost.key
rm localhost.crt

Use the *.der files in the lua-opcua initialization.