Triconex® OPC UA Server

User’s Guide

Assembly Number 9700126-001

September 2013
Information in this document is subject to change without notice. Companies, names and data used in
examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of Invensys Systems, Inc.

© 2012-2013 Invensys Systems, Inc. All rights reserved.

Invensys, the Invensys logo, Triconex, Tricon, Trident, and TriStation are trademarks of Invensys plc, its
subsidiaries and affiliates. All other brands may be trademarks of their respective owners.

Document No. 9720126-001, Rev 1

Printed in the United States of America.
 Contents

Chapter 1 About the Triconex OPC UA Server 1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Supported Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Core Characteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Data Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Alarms and Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Secure Communication and Digital Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
About Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Address Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Audit Event Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Chapter 2 Using the Triconex OPC UA Server 17

Configuring the Triconex OPC UA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Using Digital Certificates with the Triconex OPC UA Server . . . . . . . . . . . . . . . . . . 18
Redundant Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Connecting an OPC UA Client to the Triconex OPC UA Server . . . . . . . . . . . . . . . . . . . . . 19
Restarting the Triconex OPC UA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
iv Contents
 Preface

This guide describes the features of the Triconex® OPC UA Server and provides information
about connecting a client to the server and configuring the server using TriStation™ 1131.
In this guide, Triconex controllers refers to Tricon™, Trident™, and Triconex General Purpose
controllers.

Related Documentation
• TriStation 1131 Developer’s Guide
• Communication Guide for Trident v2-v3 Systems
• Communication Guide for Triconex General Purpose v2-v3 Systems
• Planning and Installation Guide for Trident v2-v3 Systems
• Planning and Installation Guide for Triconex General Purpose v2-v3 Systems
• Safety Considerations Guide for Trident v2-v3 Systems
• Safety Considerations Guide for Triconex General Purpose v2-v3 Systems

Product and Training Information

To obtain information about Invensys products and in-house and on-site training, see the
Invensys Operations Management website or contact your regional customer center.

Website
http://www.invensys.com

Triconex OPC UA Server User’s Guide

vi Preface

Technical Support
Customers in the U.S. and Canada can obtain technical support from the Invensys Global
Customer Support (GCS) center at the numbers below. International customers should contact
their regional support center.
Requests for support are prioritized as follows:
• Emergency requests are given the highest priority
• Requests from participants in the System Watch Agreement (SWA) and customers with
purchase order or charge card authorization are given next priority
• All other requests are handled on a time-available basis
If you require emergency or immediate response and are not an SWA participant, you may
incur a charge. Please have a purchase order or credit card available for billing.

Telephone
Toll-free number 866-746-6477, or
Toll number 508-549-2424 (outside U.S.)

Fax
Toll number 508-549-4999

Website
http://support.ips.invensys.com (registration required)

Triconex OPC UA Server User’s Guide

 Preface vii

We Welcome Your Comments

To help us improve future versions of Triconex documentation, we want to know about any
corrections, clarifications, or further information you would find useful. When you contact us,
please include the following information:
• The title and version of the guide you are referring to
• A brief description of the content you are referring to (for example, step-by-step
instructions that are incorrect, information that requires clarification or more details,
missing information that you would find helpful)
• Your suggestions for correcting or improving the documentation
• The version of the Triconex hardware or software you are using
• Your name, company name, job title, phone number, and e-mail address
Send e-mail to us at:
[email protected]
Please keep in mind that this e-mail address is only for documentation feedback. If you have a
technical problem or question, please contact the Invensys Global Customer Support (GCS)
center. See Technical Support on page vi for contact information.
Or, you can write us at:
Attn: Technical Publications - Triconex
Invensys
26561 Rancho Parkway South
Lake Forest, CA 92630
Thank you for your feedback.

Triconex OPC UA Server User’s Guide

viii Preface

Triconex OPC UA Server User’s Guide

 1
About the Triconex OPC UA Server

Overview 2
Supported Profiles 3
Secure Communication and Digital Certificates 11
Address Space 12
Audit Event Types 14

Triconex OPC UA Server User’s Guide

2 Chapter 1 About the Triconex OPC UA Server

Overview
Object Linking and Embedding (OLE) for Process Control Unified Architecture (OPC UA) is a
standard set of non-proprietary interfaces used to develop client-server programs. OPC UA
Server is a client-server application that allows OPC UA clients to read from and write to
Triconex program variables.
The Communications Integration Module (CIM) for Trident v3.0 and later systems, and Tri-GP
v3.0 and later systems, has an embedded OPC UA Server that makes an external PC for the
server unnecessary; however, a PC for the client is still required.
The OPC UA protocol is supported on both CIM network ports (NET 1 and NET 2). Configuring
protocol support and disabling the OPC UA Server can be done using TriStation 1131 software.
The embedded OPC UA Server on the CIM supports these specifications:
• Data Access (DA) v1.0.1
• Alarms and Conditions (A & C) v1.00
The embedded OPC UA Server on the CIM currently does not support Historical Data Access.

OPC UA Client
Application
OPC UA
Protocol
Embedded
OPC UA Server
on the CIM

OPC UA
Protocol
OPC UA Client
Application

Figure 1 Embedded UPC UA Server

Triconex OPC UA Server User’s Guide

 Supported Profiles 3

Supported Profiles
The Triconex OPC UA Server that is embedded in the CIM supports the following OPC UA
Profiles:
• Core Characteristics
• Data Access
• Alarms and Conditions
• Security Policy

Core Characteristics
The embedded OPC UA Server on the CIM supports the following Core Characteristics profiles
from the Server category:
• Core Server Facet—This facet defines the core functionality of the OPC UA Server,
including the ability to discover endpoints, establish secure communication channels,
create sessions, browse the address space and read and/or write to attributes of nodes.
• Base Server Behavior Facet—This facet defines best practices for the configuration and
management of servers when they are deployed in a production environment.
Notes
• The View Services conformance units in the Core Server Facet are not supported by the
embedded OPC UA Server on the CIM.
• The Register Nodes service is not supported and should not be used.

Data Access
The embedded OPC UA Server on the CIM supports the Data Access (DA) v1.0.1 specification
that is used to move real-time data from Programmable Logic Controllers (PLCs), Distributed
Control Systems (DCSs), and other control devices to Human Machine Interfaces (HMIs) and
other display clients. You can use an OPC UA client to view real-time Trident or Tri-GP bin data
such as aliased tagnames and system variables.
The embedded OPC UA Server on the CIM supports the following Data Access profiles from
the Server category:
• Enhanced DataChange Subscription Server Facet—This facet specifies an enhanced
support of subscribing to data changes.
• Data Access Server Facet—This facet specifies the support for an information model
used to provide industrial automation data. This model defines standard structures for
analog and discrete data items and their quality of service. This facet extends the Core
Server Facet which includes support of the basic Address Space behavior.

Triconex OPC UA Server User’s Guide

4 Chapter 1 About the Triconex OPC UA Server

The following table describes the optional conformance units supported from the Data
Access Server Facet.

Data Access
Description
Conformance Unit
AnalogItemType AnalogItemType is a subtype of DataItem. There are two optional
properties for the AnalogItemType data type. The Engineering Units
property is supported and taken from the Trident/Tri-GP symbol table
in the system.
ValuePrecision ValuePrecision property for a variable of the Real data type is taken
from the TriStation’s scaling tab. There are two optional properties in
this data type. The Triconex OPC UA Server will only support the
optional property “ValuePrecision” for variables of the Real data type.
The value is taken from the Trident/Tri-GP symbol table.
PercentDeadBand PercentDeadBand is a special monitoring filter, which is based on an
engineering unit range (EURange). Clients can read or write
DataItems, or monitor them for value changes. A change that is
defined as a change in status or a change in value that exceeds a client-
defined range is called a Deadband.
DeadbandValue is defined as the percentage of the EURange. That is, it
applies only to AnalogItems with an EURange property that defines
the typical value range for the item. This range is to be multiplied with
the DeadbandValue to generate an exception limit. An exception is
determined as follows:
If (absolute value of (last cached value - current value) >
(DeadbandValue/100.0) * ((high–low) of EURange))), then it is an
exception.
If the item is an array of values and any array element exceeds the
DeadbandValue, the entire monitored array is returned.
SemanticChanges SemanticChanges is an informational bit.
OPC UA Servers that implement DA can set this bit in notifications if
one or several of the following properties change:
• EngineeringUnits (could create problems if the client uses the
value to perform calculations)
• EURange (could change the attribute of a subscription if a
PercentDeadband filter is used)
• FalseState, TrueState, EnumStrings (changes can cause
misinterpretation by users or (scripting) programs)
It should not be changed for any of the other DA properties.
Clients should not process the data value until they re-read the
mentioned properties associated with the variable.
TwoStateDiscrete TwoStateDiscreteType is a subtype of DataItem. The TwoStateDiscrete
Type Type is defined by the Data Access specification for OPC UA. In this
specification, when the type is TwoStateDiscreteType, the state names
are in parentheses - the false value is the first value and the true value
is the second.

Triconex OPC UA Server User’s Guide

 Supported Profiles 5

Data Access
Description
Conformance Unit
MultiStateDiscrete MultiStateDiscreteType is a subtype of DataItem. The
Type MultiStateDiscreteType will have state names along with their
corresponding values in parentheses.

DA Performance Considerations
The embedded OPC UA DA on the CIM has the following limitations:
• 10 OPC UA sessions in total (DA and Alarms and Conditions (A&C)) can subscribe to
OPC UA data
• 100 subscriptions in total
• 2,000 monitored items per subscription
• 6,000 monitored items per second for each Trident or Tri-GP system
• 20,000 monitored items in total
If you perform a Download Change operation and the changes to the control application are
significant—for example, adding or deleting 2,000 or more tags—clients connected to the
embedded OPC UA Server may experience a Data Access loss of view for one or two scan times.
If you halt the application running on the controller, connected clients will experience the
following:
• No data updates
• No alarm updates
• No loss of view
• The server state changes from RUNNING (0) to SUSPENDED (3)

Alarms and Conditions

The embedded OPC UA Server on the CIM supports the OPC UA Alarms and Conditions
(A & C) v1.00 standard that provides alarm and event notification on demand for process
alarms, operator actions, informational messages, and tracking/auditing messages. SOE events
and process alarms are an event source of TridentEventsNotifier, which organizes the event
notifiers for SOE events, system events, and process alarms.
Note A large number of generated alarms will decrease the performance of DA monitoring
(fewer items per second can be monitored).
The embedded OPC UA Server on the CIM supports the following Base Eventing profile from
the Server category:
Address Space Notifier Server Facet—This facet adds support for a hierarchy of notifiers
and/or event sources and is intended to supplement the Event Subscription Server Facet. A
hierarchy of notifiers (objects with a Notifier attribute set) is commonly used as a way to
organize a plant into areas that can be managed by different operators. Each notifier in turn

Triconex OPC UA Server User’s Guide

6 Chapter 1 About the Triconex OPC UA Server

may be the root of a hierarchy of event sources, that is, Objects that represent the source of
event notifications.
The embedded OPC UA Server on the CIM supports the following Alarms and Conditions
(A & C) profiles from the Server category:
• A & C Address Space Instance Server Facet—This facet specifies the support required
for a Server to expose Alarms and Conditions in its address space.
• A & C Alarm Server Facet—This facet specifies the support for basic alarm
functionality.

The following table describes the optional conformance units supported from the
A & C Alarm Server Facet.

A&C
Conformance Description
Unit
A & C Comment Supports Comments, includes AddComment method
A & C Trip Supports Trip Alarm type

• A & C Acknowledgeable Alarm Server Facet—This facet adds support for the
acknowledgement of alarms.

The following table describes the optional conformance units supported from the
A & C Acknowledgeable Alarm Server Facet.

A&C
Conformance Description
Unit
A & C Confirm Supports confirming Conditions, includes Confirm method

• A & C Exclusive Alarming Server Facet—This facet adds support for alarms with
multiple sub-states that identify different limit Conditions.

The following table describes the optional conformance units supported from the
A & C Exclusive Alarming Server Facet.

A&C
Conformance Description
Unit
A & C Exclusive Supports Exclusive Level Alarm type
Level
A & C Exclusive Supports Exclusive Deviation Alarm type
Deviation
A & C Exclusive Supports Exclusive RateofChange Alarm type
RateofChange

Triconex OPC UA Server User’s Guide

 Supported Profiles 7

Supported A & C Features

This table identifies the optional features supported by the embedded OPC UA Server on the
CIM.

Object Attribute/Method Supported?

Acknowledgeable Condition ConfirmedState variable Yes
Acknowledgeable Condition Confirm method Yes
Alarm Condition SupressedState variable No
Alarm Condition ShelvingState object No
Alarm Condition MaxTimeShelved variable No
Exclusive Limit Alarm HighHigh Limit Yes
Exclusive Limit Alarm High Limit Yes
Exclusive Limit Alarm Low Limit Yes
Exclusive Limit Alarm LowLow Limit Yes

The embedded OPC UA Server on the CIM does not support shelving or suppressing of alarms.

Alarm Condition Mapping

TriStation 1131 alarm condition mapping (from the function block and the OPC UA Server
alarm condition) applies to both multi-state alarms (level, rate of change, deviation) and single-
state (trip) alarms.
.
TS1131 TS1131
TS1131 TS1131 UA Alarm UA UA
Alarm Process
Active Acknowledged Condition Active Acknowledged
Condition State
Not High High
HighHigh 
normal Active
Not High High
HighHigh    
normal Acked
High High
HighHigh Normal 
Inactive
High High
HighHigh Normal   Acked 
Inactive
Not High
High  
normal Active
Not High
High  
normal Acked
High
High Normal 
Inactive

Triconex OPC UA Server User’s Guide

8 Chapter 1 About the Triconex OPC UA Server

TS1131 TS1131
TS1131 TS1131 UA Alarm UA UA
Alarm Process
Active Acknowledged Condition Active Acknowledged
Condition State
High
High Normal   Acked 
Inactive
Not Low
Low  
normal Active
Not
Low   Low Ack  
normal
Low
Low Normal 
Inactive
Low
Low Normal   Acked 
Inactive
Not LowLow
LowLow   
normal Active
Not LowLow
LowLow    
normal Acked
LowLow
LowLow Normal 
Inactive
LowLow
LowLow Normal   Acked 
Inactive
Not Trip
Trip  
normal Active
Not Trip
Trip    
normal Acked
Trip
Trip Normal 
Inactive
Trip
Trip Normal   Acked 
Inactive
Normal Normal Normal

Triconex OPC UA Server User’s Guide

 Supported Profiles 9

A & C Performance Considerations

The embedded OPC UA A & C on the CIM has these limitations:
• When more than 100 alarms are configured, the TriStation control application runs out
of memory and cannot build.
• The Sequence of Events (SOE) Buffer Size has an effect on the maximum number of
events that can be captured in one burst. Assigning an SOE Buffer Size of 4,000 events
or more to SOE blocks configured for OPC UA will likely catch all events from one
burst.
• The scan time has an effect on the number of periodic alarms that can be handled. A
lower scan time is capable of processing more alarms on a periodic basis.
• When subscribing to events in OPC UA, the CIM requires that in order to see Process
Alarms, the user must subscribe to Server, which will display Process Alarms, SOE
Events, and System Events. Process Alarms is not currently available as an individual
subscription.

The numbers listed below are what the CIM can handle without losing events. For the
one minute burst, this means that the CIM was experiencing a several-second delay in
reporting the alarm, but that the alarm was reported and no events were lost during the
one minute.

300 Configured
Alarms
Scan SOE Continuous Alarm One minute
time size Alarms Burst burst
275 20000 30 300 40
450 20000 50 300 60
275 10000 30 300 40
450 10000 50 300 60
275 4000 30 300 40
450 4000 50 300 60
275 2000 30 260 40
450 2000 50 270 60
275 1000 30 140 40
450 1000 50 150 60

Minimum scan time without alarms: 73 msecs

Minimum scan time with alarms: 271 msecs
Additional scan time needed: 198 msecs

Triconex OPC UA Server User’s Guide

10 Chapter 1 About the Triconex OPC UA Server

100 Configured
Alarms
Scan SOE Continuous Alarm One minute
time size Alarms Burst burst
125 10000 30 100 40
125 4000 30 100 40
125 2000 30 100 40
125 1000 30 100 40

Minimum scan time without alarms: 73 msecs

Minimum scan time with alarms: 141 msecs
Additional scan time needed: 68 msecs
• Processing alarms has an effect on scan time. For every alarm generated during a scan,
the controller takes approximately an additional 0.2 milliseconds for that scan. For
example, 10 simultaneous alarms would add 2 milliseconds to the scan time. Note that
the reported scan time is an average of the last 100 scans.

Security Policy
The embedded OPC UA Server on the CIM supports the following Security Policy profiles from
the Security category:
• SecurityPolicy - None—This Security facet defines a Security Policy used for
configurations with the lowest security needs. This Security Policy can affect the
behavior of the CreateSession and Activate Session services. It also results in a
SecureChannel which has no Channel Security. By default this Security Policy should
be disabled if any other Security Policies are available.
• SecurityPolicy - Basic128Rsa15—This Security facet defines a Security Policy for
medium to highly secure configurations.
• SecurityPolicy - Basic256—This Security facet defines a Security Policy for
configurations with high security needs.
The embedded OPC UA Server on the CIM does not support the Security User Name and
Password conformance unit.

Triconex OPC UA Server User’s Guide

 Secure Communication and Digital Certificates 11

Secure Communication and Digital Certificates

Secure communication can be enabled for clients connecting to the CIM's OPC UA server. To
enable secure communication, you need to add digital certificates, and their associated private
keys, to your TriStation 1131 project. These certificates are then downloaded to the CIM when
you download your application to the controller.
For more information on using digital certificates, see Using Digital Certificates with the
Triconex OPC UA Server on page 18. For procedures on managing certificates, see the TriStation
1131 Developer’s Guide.

About Digital Certificates

The use of X.509 digital certificates is required by OPC UA security. These certificates are used
for verification of the end point and encryption keys for communication.
The structure of an X.509 v3 digital certificate is as follows:
• Certificate
• Version
• Serial Number
• Algorithm ID
• Issuer
• Validity
— Not Before
— Not After
• Subject
• Subject Public Key Info
— Public Key Algorithm
— Subject Public Key
• Issuer Unique Identifier (Optional)
• Subject Unique Identifier (Optional)
• Extensions (Optional)
• Certificate Signature Algorithm
• Certificate Signature

Certificate Authority
In cryptography, a certificate authority (also known as a certification authority) is an entity that
issues digital certificates for use by other parties. It is an example of a trusted third party.
Certification authorities (CAs) are characteristic of many public-key infrastructure (PKI)
schemes.

Triconex OPC UA Server User’s Guide

12 Chapter 1 About the Triconex OPC UA Server

There are many commercial CAs that charge for their services. There are also several providers
issuing digital certificates to the public at no cost. Institutions and governments may have their
own CAs.
If a user trusts the CA and can verify the CA’s signature, then the user can also verify that a
certain public key does indeed belong to whoever is identified in the certificate.

Public Key
The Public Key is shared via the certificate to decrypt and validate the message from the user.

Private Key
The Private Key is only known by the user and must be kept secret. It is used for signing and
encrypting messages.

Address Space
An address space contains a set of nodes that are hierarchically organized. Typical OPC API
address spaces operate independently, preventing nodes in one address space from referencing
those in another and requiring client applications to correlate items between them. OPC UA
integrates these separate address spaces and allows servers to define named subsets of the
address space that are independently browseable. These subsets are called views, and clients
access them as though they are independent address spaces. The servers can define and restrict
views to specific users or groups of users, which optimizes views for specific clients.
There are four views available to a user:
• Flat—Contains all user-defined tags within the system. Any tag defined in TriStation
will show up in the Flat view, except for tags declared as aliased memory points.
System attributes that are assigned an alias number will also be visible in the Flat view.
Note that you cannot assign aliased system attributes to a hierarchical data structure;
however, in addition to the Flat view, they will also be visible in the System view, along
with the other system attributes.
• Area—Organized in a hierarchical structure by Area, Equipment, and Safety
Instrumented Function (SIF).
• System—Contains all status variables for the system. All module and system attributes
are visible in the System view. Note that you do not have to assign alias numbers to
module and system attributes; however, ones that are assigned alias numbers will also
be visible in the Flat view.
• Groups—Organized in a hierarchical structure; Group 1, a higher level directory, and
Group 2, a lower level directory and a component of Group 1.
All the views are in alphabetical order.
The OPC UA Server provides a hierarchical view of Area, Equipment, and SIF used to define
the hierarchy.

Triconex OPC UA Server User’s Guide

 Address Space 13

The status of the OPC UA server is available in the Server address space. The Status node gives
the current status of the OPC UA server. The supported values are:
• RUNNING (0)—The OPC UA server is running normally.
• SUSPENDED (3)—The OPC UA server is not receiving data updates from the
controller. This corresponds to the control program being in a HALTED or PAUSED
state.
The following figure shows the defined hierarchy for the Trident or Tri-GP system:

MP Attributes
System
Attributes CIM-Left

MP CIM-Right
System

Control Program IO Slot n IOP Attributes

Name
I/O Module(s)

Tag 1 Level Alarm

Tag 2
Flat

...

Tag n Level Alarm

Group1 A Group2 A Tag 1

Group2 B Tag 2
Groups
Objects
... ...

Group2 x Tag n
Group1 B

...
Level Alarm
Group1 x

Equipment A SIF 1 Tag 1

Area A
Areas

Equipment B SIF 2 Tag 2

... ... ...

Equipment x SIF n Tag n

Area B

...

Area x

SOE Events
Server Status
Server

System Events
Trident Events Notifier

Tag1.Level
Process Alarms
Alarm

Figure 2 Address Space Hierarchy

Triconex OPC UA Server User’s Guide

14 Chapter 1 About the Triconex OPC UA Server
Audit Event Types
The Triconex OPC UA Server supports the following audit event types:
Name
AuditOpenSecureChannelEventType
AuditCreateSessionEventType
AuditUrlMismatchEventType
AuditActivateSessionEventType
AuditCancelEventType
AuditCertificateDataMismatchEventType
AuditCertificateExpiredEventType
AuditCertificateInvalidEventType
Triconex OPC UA Server User’s Guide
Description
This is a subtype of AuditChannelEventType and is used
for events generated from calling the
OpenSecureChannel service. Services are a collection of
abstract Remote Procedure Calls (RPC) that are
implemented by OPC UA Servers and called by OPC UA
Clients. All interactions between OPC UA Clients and
Servers occur via these services. These services are
considered abstract because no particular RPC
mechanism for implementation is defined.
This is a subtype of AuditSessionEventType and is used
for events generated from calling the CreateSession
service.
This is a subtype of AuditCreateSessionEventType and
is used for events generated from calling the
CreateSession service, if the EndpointUrl used in the
service call does not match the server’s HostNames.
This is a subtype of AuditSessionEventType and is used
for events generated from calling the ActivateSession
service.
This is a subtype of AuditSessionEventType and is used
for events generated from calling the Cancel service.
This is a subtype of AuditCertificateEventType and is
used only for categorization of certificate-related events.
This type follows all attributes of its parent type. This
audit event is generated in the following situations:
• If the host name in the URL used to connect to the
server is not the same as one of the host names
specified in the Certificate
• If the application and software certificates contain an
application or product URI that does not match the
URL specified in the application description
provided with the certificate.
This is a subtype of AuditCertificateEventType and is
used only for categorization of certificate-related events.
This type follows all attributes of its parent type. This
audit event is generated if the current time is not after
the start of the validity period and before the end of the
validity period.
This is a subtype of AuditCertificateEventType and is
used only for categorization of certificate-related events.
This type follows all attributes of its parent type. This
audit event is generated if the certificate structure is
invalid or if the certificate has an invalid signature.

Name
AuditCertificateUntrustedEventType
AuditCertificateMismatchEventType
AuditWriteUpdateEventType
Audit Event Types 15
Description
This is a subtype of AuditCertificateEventType and is
used only for categorization of certificate-related events.
This type follows all attributes of its parent type. This
audit event is generated if the certificate is not trusted,
that is, if the issuer certificate is unknown.
This is a subtype of AuditCertificateEventType and is
used only for categorization of certificate-related events.
This type follows all attributes of its parent type. This
audit event is generated if a certificate’s set of uses does
not match the use requested for the certificate (that is,
application, software, or CA).
This is a subtype of AuditUpdateEventType and is used
for categorization of write update-related events. This
type follows all attributes of its parent type.
Triconex OPC UA Server User’s Guide
16 Chapter 1 About the Triconex OPC UA Server

Triconex OPC UA Server User’s Guide

 2
Using the Triconex OPC UA Server

Configuring the Triconex OPC UA Server 18

Connecting an OPC UA Client to the Triconex OPC UA Server 19
Restarting the Triconex OPC UA Server 20

Triconex OPC UA Server User’s Guide

18 Chapter 2 Using the Triconex OPC UA Server

Configuring the Triconex OPC UA Server

You configure the Triconex OPC UA Server that is embedded in CIMs by using TriStation 1131
software. For more information, including configuration procedures, see the TriStation 1131
Developer’s Guide.

Using Digital Certificates with the Triconex OPC UA Server

For the OPC UA Server to start, the OPC UA Server certificate has to be specified in the
TriStation 1131 project and downloaded to the controller. If an OPC UA Server certificate is not
specified, the OPC UA Server will not start and the CIM will fault.
Note TriStation 1131 and the OPC UA Server do not check for a certificate's valid start date;
they only verify the expiration date. In other words, if a certificate is not valid until 6
weeks in the future, the certificate can still be used for secure communication.

If a session is established and this

happens...
The OPC UA Server certificate is deleted in the
TriStation 1131 project and a Download
Changes operation is performed
The OPC UA Server certificate is changed in
the TriStation 1131 project and a Download
Changes operation is performed
An OPC UA client certificate is deleted,
changed, or expired in the TriStation 1131
project and a Download Changes operation is
performed
The result is...
All active sessions will close and the CIM will be in
a fault state until a new, valid OPC UA Server
certificate is downloaded
All active sessions will close and the OPC UA
Server will re-initiate with the new certificate. An
OPC UA client must then initiate a new connection
Communication will continue until the session
terminates. Any subsequent attempts to reconnect
will fail, as the certificate is no longer in the OPC
Trusted Certificates list.

For more information on secure communication and digital certificates, see Secure
Communication and Digital Certificates on page 11. For procedures on managing certificates,
see the TriStation 1131 Developer’s Guide.

Redundant Configuration
The embedded OPC UA Server can be configured for dual redundancy by using two CIMs. One
of the CIMs must be on the primary network and the other on the redundant network. You
configure properties for the primary and redundant CIMs by using TriStation 1131 software.
Note that the client is responsible for switching from the primary to the redundant OPC UA
Server.

Triconex OPC UA Server User’s Guide

 Connecting an OPC UA Client to the Triconex OPC UA Server 19

Connecting an OPC UA Client to the Triconex OPC UA

Server
There are many types of OPC UA clients that you can use to connect to the embedded Triconex
OPC UA Server on the CIM. For instructions on connecting your client, refer to the client user
documentation.
To connect to the OPC UA Server, most OPC UA clients require only the IP address of the
server, which is configured in your TriStation 1131 project.

Triconex OPC UA Server URL:

opc.tcp://<IP address>:4840

For <IP address>, enter the IP address of the port on your CIM (NET 1 or NET 2) that is
configured for OPC UA communication. The default TCP port number used for OPC UA
communication is 4840. You will need to change the port number only if it has been changed to
something other than 4840 in your TriStation 1131 project.
Notes
• When you perform a Download All operation, the OPC UA Server terminates and will
restart after the control program finishes downloading. When the server terminates,
clients are disconnected and must be reconnected after the server restarts. Additionally,
it could take up to three minutes for the address space to be fully populated, even
though a client will be able to connect to the OPC UA Server as soon as it restarts.
• After you perform a Download Changes or Download All operation, new subscription
requests or monitored item requests to existing subscriptions will be refused while the
OPC UA Server is updating the address space.
• If a connected OPC UA client abnormally shuts down, the OPC UA Server will take the
amount of time specified by the client for “session timeout” to recognize that the
connection has been lost. During this time, you cannot connect another client if the
maximum of 10 clients had been connected when the OPC UA client abnormally shut
down. Note that the OPC UA Server will allow a maximum of 10 minutes for session
timeout.

Triconex OPC UA Server User’s Guide

20 Chapter 2 Using the Triconex OPC UA Server

Restarting the Triconex OPC UA Server

The OPC UA Server will restart if you change any of the following CIM properties in your
TriStation 1131 project and then perform a Download Changes or Download All operation:
• IP Address or IP Subnet Mask—In the CIM Setup dialog box, on the Network tab,
change the IP Address or the IP Subnet Mask of the network port (NET 1 or NET 2) that
is configured for OPC UA communication.
• TCP Port Number—In the CIM Setup dialog box, on the OPC tab, change the TCP Port
Number.
• Network port—In the CIM Setup dialog box, on the OPC tab, change the Network port
that is configured for OPC UA communication (NET 1 to NET 2 or vice versa, or None
and then back to the previous port setting).
• Alarms SOE Block Number—In the CIM Setup dialog box, on the OPC tab, change the
Alarms SOE Block Number.
Additionally, the OPC UA Server will restart if you perform a Download All operation of a new
control program.

Triconex OPC UA Server User’s Guide

Invensys
10900 Equity Drive
Houston, TX 77041
United States of America
http://www.invensys.com

Global Customer Support

Inside U.S.: 1-866-746-6477
Outside U.S.: 1-508-549-2424 or contact your
local Invensys representative.
Website: http://support.ips.invensys.com