CIM_HT028: How to Configure the CIMPLICITY OPC UA Client

GE HMI/SCADA - CIMPLICITY

Outline
This document walks through the minimal configuration steps required to configure the CIMPLICITY
OPC Unified Architecture (UA) Client such that it can communicate to an OPC UA Server. The OPC UA
Client allows for communication to any OPC UA Server to retrieve data values into a CIMPLICITY
Project.

Required Software
This document requires CIMPLICITY 9.0 (or newer) as the OPC UA Client was introduced in CIMPLICITY
9.0. An OPC UA Server will also be required. It is important to note that the configuration steps specific
to the OPC UA Server will vary from server to server.

Enabling the Protocol and Configuring the OPC UA Port

The first thing that must be done is to enable the protocol in the CIMPLICITY project, and then create
the OPC UA Client ports.

1. Create a new project (or open an existing CIMPLICITY Project) in the Workbench.
2. Navigate to Project->Properties->General Tab and enable the “OPC UA Client”. Click “OK” on
the dialog when done.

1
 3. Under “Equipment->Ports”, right click and choose to create a “New..” port.
4. From the dropdown on the dialog presented choose a protocol of “UAClient” and a Port of
“UA_0”. If you have an existing port already you can just create a new one. Click on the “OK”
button when complete.

5. A new dialog will appear titled “Port Properties – MASTER_UA_0”. There will be two tabs on the
dialog: General, and OPC UA Settings. The default settings on each of these tabs should be
sufficient. Click “OK” to continue.

6. Now that the port is created, the next step is to create the CIMPLICITY instance Security
Certificate.

Configuring the CIMPLICITY Instance Security Certificate

One of the most important steps when using CIMPLICITY as an OPC UA Client is to create the
CIMPLICITY Instance security certificate. This is the security certificate that the CIMPLICITY OPC UA
Client will use for any connection to an OPC UA Server from the current node. So if you were running
more than one project per node they would all identify themselves with the same security certificate.
However, if you copy the project between two nodes, then you would have to configure the CIMPLICITY
Instance security certificate on the new node.

1. In the CIMPLICITY Workbench, with the project still open, navigate to “Equipment->OPC UA
Security Configuration” and open the “OPC UA Security Configuration” tool.

2
2. When the utility opens de-select the “Use GDS” checkbox, and then click on the “Enable
Security” button. This will start the configuration wizard and will display an update indicating
that it was successful when complete:

3
3. Now click on the “Advanced…” button along the bottom of the dialog. A new dialog will open
titled “Self Signed Certificate Configuration Form”. This dialog shows what certificate will be
used to identify CIMPLICITY OPC UA Clients, as well as the locations of where certificates will
be stored.

4
The most important fields are the following:

Trusted Certificates C:\ProgramData\Proficy\Proficy CIMPLICITY\certificates\trusted\certs\

Location:
Rejected Certificates C:\ProgramData\Proficy\Proficy CIMPLICITY\certificates\rejected\
Location:

The “Trusted Certificates Location” is where OPC UA Server trusted certificates are stored. So if you are
communicating with an OPC UA Server and using a trusted certificate communication mode, then you
would get the OPC UA Server’s certificate and place it in the “Trusted Certificates” folder.

The Rejected Certificates Folder is where the OPC UA Client will place rejected OPC UA Certificates from
OPC UA Servers it has attempted to connect to but been unable to.

Note: These folders are located in the “C:\ProgramData” folder which is hidden by Windows by default.
So when attempting to browse these folders it is required to set the “Show hidden files, folders, and
drives” radio button in the Windows Control Panel Folder Options.

4. Click on the “Select” button in the “Instance Certificate” pane, and now choose the certificate
titled: “Proficy HMI SCADA – CIMPLICITY”. Then click the “OK” button.
5. After this the “Instance Certificate” field should have “Proficy HMI SCADA – CIMPLICITY’ as the
selected certificate.
6. Click on the “OK” button to leave the “Self Signed Certificate Form” dialog.

Configuring the CIMPLICITY Device

The next step is to configure the CIMPLICITY OPC UA Client device to point to the OPC UA Server.

1. In the workbench, navigate to “Equipment->Devices”, right click and choose “New..” from the
right click menu. A dialog will appears as follows:

Type in a valid device name (in this example it was UA_CLIENT_1) and choose the OPC UA Port created
in earlier steps. Click on the “OK” button when complete.

2. The OPC UA Client device properties dialog will appear. Navigate to the Connection tab and
fill in the name and port of the OPC UA Server. For the example in the dialog below it has a
connection address of “opc.tcp://localhost:4841”. This address and port will vary by OPC
Server. It is also important to note that some OPC UA Servers will allow you to specify a Mode
and a Policy. For the purposes of this simplified example it is only using a non-secured
connection so leave Mode and Policy set to “None”.

5
Note:

If using a Mode of “Sign”, or “SignAndEncrypt” or a Policy of “Basic 128Rsa15” or “Basic256” then

Security certificates will be necessary. In that scenario it is necessary to copy the OPC UA Server’s
security certificate to the CIMPLICITY OPC Client’s Trusted Certificates Location (as noted
previously) as well as copying the CIMPLICITY Instance certificate to the OPC UA Server’s trusted
certificate folder.

3. Navigate to the “User Identity” tab and choose “Anonymous”. Note that the OPC UA Server
must support this.
4. The other tabs: subscriptions, and CIMPLICITY, can be left at their default values for the time
being.
5. Click on the “Test Connection” button along the bottom of the Device Properties dialog. This
will open another dialog which will display the results of the connectivity attempt.

Note: If any errors occur from the “Test Connection”, please refer to the appendix of this
document for additional information on the error.

6. Once the connection has tested successfully, it is possible to simply create the new points
under the device. When the points are being created then use the browse button (…) next to
the address field on the Device Point’s “Properties->Device” tab and browse to the data item
of interest.
7. When complete, do a configuration update, and then start the CIMPLICITY Project. It is
possible to validate proper communication by the use of the Point Control Panel and looking
at the device points requested.

6
Appendix 1: OPC UA Client Device Test Connection Errors

Error: Connection failed with code "BadCertificateInvalid", which happens in

"OpenSecureChannel" on "Server Side".

The problem has to do with the fact that the OPC UA Server that is being connected to is rejecting the
connection from the client because the connection is untrusted. This usually means that the
CIMPLICITY Instance Certificate needs to be added to the OPC UA Server's trusted list.

Note:

Some OPC UA Server (such as the Industrial Gateway OPC Server) will populate their "Trusted
Certificate" list when you attempt to connect. If that occurs it is simple as going into the Trusted
Certificate list and selecting to "Accept" or "Reject" the request. This mitigates having to go through the
manual steps below.

The CIMPLICITY Instance certificate that is being used can be found by doing the following:

1. Open the project in the CIMPLICITY Workbench

2. Navigate to Project->Equipment->OPC UA Security->OPC UA Security Configuration and
launch the OPC UA Security Configuration utility.
3. When it opens de-select the "Use GDS" checkbox
4. Click on the "Advanced" button along the bottom of the dialog.
5. A dialog will open titled "Self-Signed Certificate Configuration Form"
6. The "Instance Certificate" is the certificate that is used when connecting to the OPC UA Server.
If the field is blank then click the "Create" button and select OK. Ideally the field should be
populated with something like "Proficy HMI SCADA - CIMPLICITY" as the Certificate name.
7. Click on the Display button to the right of it and another dialog will open with the certificate
details.
8. Click on the "Details" tab and then click on the "Copy to File" button. This will allow you to
export the certificate.
9. Use the wizard that launches to export the certificate in the format expected by the OPC UA
Server (most likely a X.509 .CER file.
10. Copy the .CER file to the OPC UA Servers trusted certificate folder (this will vary by OPC UA
Server).

Error: Connection failed with code "BadCertificateUntrusted", which happens in

"CertificateValidation" on "Client Side".

This error means that the CIMPLICITY OPC Client, or rather CIMPLICITY itself, does not have the OPC UA
Server's certificate in it's trusted list. To remedy this you must get a copy of the trusted certificate from
the OPC UA Server, export it, and then copy it into the CIMPLICITY installations' trusted list.

To fix this do the following:

Export the OPC UA Server's Certificate

Navigate to the OPC UA Server and export the OPC UA's Server certificate (*.cer) file. The instructions
for doing this are going to vary for each OPC UA Server.

Copy the Certificate to the CIMPLICITY Trusted Certificates folder

7
1. Open the project in the CIMPLICITY Workbench
2. Navigate to Project->Equipment->OPC UA Security->OPC UA Security Configuration and
laungh the OPC UA Security Configuration utility.
3. When it opens de-select the "Use GDS" checkbox
4. Click on the "Advanced" button along the bottom of the dialog.
5. A dialog will open titled "Self-Signed Certificate Configuration Form"
6. The location specified by "Trusted Certificates Location" is where the *.cer file from the OPC UA
Server must be copied to. Note the location specified.
7. Using Windows Explorer copy the *.cer file from the OPC UA Server to the folder specified by
the "Trusted Certificates Location".
8. Re-attempt the connection with the OPC UA Client in CIMPLICITY and it should now succeed.