SINEC OPCUA V1 0 en
Information from SINEC NMS in WinCC
SINEC NMS
Siemens Industry Online Support
https://support.industry.siemens.com/cs/ww/en/view/109766869
This entry is from the Siemens Industry Online Support. The general terms of use
(http://www.siemens.com/terms_of_use) apply.
Security Information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept.
The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place.
Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends applying product updates as soon as they are available and always using the latest product versions. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial
© Siemens AG 2019 All rights reserved
1 Introduction
1.1 Overview
Overview
In industrial production plants, devices from various manufacturers are often used together, with different process controllers and incompatible protocols and data formats. An open communication standard (OPC, Open Process Control) has been defined to enable these devices to work together and communicate despite their differences. This open communication standard enables plant data, alarms, events and other process data to be exchanged in real time between any systems. SINEC NMS also provides the option of making its data available via OPC.
Configuration
Each Operation includes an OPC UA server. You explicitly configure which data from which device is to be sent to the OPC UA server of the Operation. This device data is then visible to the OPC UA client and can be evaluated and monitored by it. Device data from non-monitored and passively monitored devices cannot be sent to the OPC UA server.
The following figure illustrates a sample hardware configuration.
Figure 1-1: Sample hardware configuration (HMI system with OPC UA client, SINEC NMS with OPC UA server, data transfer over Industrial Ethernet, network components)
Implementation
This document shows how you can use SINEC NMS to provide the monitored data to a higher-level HMI system via a signed and encrypted OPC UA connection.
Essential points:
• In SINEC NMS: configuration of an additional interface that gives OPC UA applications access to the network data.
• In the HMI system: the settings required to access the data acquired in the SINEC NMS Operation via OPC UA.
Software used
The following software is used in this sample configuration:
• TIA Portal V15.1
• WinCC Professional V15.1 incl. WinCC Runtime
• SINEC NMS (single-node installation)
Role assignment
Engineering PC
The following instructions assume the software packages listed below are installed
together on one PC. These are:
• TIA Portal V15.1
• WinCC Professional V15.1 incl. WinCC Runtime
• SINEC NMS (single-node installation)
In this example the PC has the IP address 10.0.1.4/24.
Component overview
SINEC NMS is software for the monitoring and administration of networks and their devices. It consists of the "Control" component and at least one "Operation" component.
The "Control" component is for the monitoring and administration of the entire
network. An "Operation" component is for the monitoring and administration of a
subnetwork.
The Control and every Operation each have their own web interface for the display
of the monitoring data and for the administration of the network.
An Operation can be installed on the same PC as the Control or on a different PC.
When installing SINEC NMS you can choose which components are to be
installed:
• Single-node installation: The Control and an Operation are installed on the
same PC.
• Multiple-node installation: The Control or an Operation is installed.
Note: SINEC NMS must be installed on each computer that is to be used as a Control or an Operation.
You need a web browser to open the web interface of the Control and the
Operation.
The following web browsers are required for SINEC NMS:
• Internet Explorer 11.0
• Firefox 60.0 or higher
• Google Chrome 67.0 or higher
• Microsoft Edge
You start the web interface of the Control via a URL in the web browser.
You have the following options to open the web interface of the Operation:
• Via a URL in the web browser
• Via the Operation Monitor (only for UMC users)
• Via the actions on the web interface of the Control
2 Engineering
2.1 Requirements
These instructions assume that you have installed and started the SINEC NMS
system.
The following points are important:
• Initial logon on the Control interface
• Running of system administration on the Control
– Addition of an Operation
– Export of certificates (if necessary)
– Creation of Operation parameter profile
– Execution of authentication management
• Initial commissioning on the Operation
• Start network scan
Note: Help on these topics is available in the SINEC NMS Getting Started and in the manual (see chapter 4).
Note: Detailed information about the Operation Monitor is available in section 4.1.
2. The "SINEC NMS - Operation status" window opens. Select the "Port / OPC
Settings" tab.
Define an OPC UA port or leave the default setting.
Figure 2-2
Note: If, in the "Port / OPC Settings" tab of the Operation Monitor, the option "With user authentication" is enabled, authentication is required to access the OPC UA server of this Operation.
Menu
You reach the appropriate page in the Control navigation via "System
administration > Operation parameter profiles".
Figure 2-6
OPC user
In the "OPC settings" parameter group you can define a user name and password and see the default settings.
When you change the user name and password, save the settings with the "Save" button.
Figure 2-7
Note: This section shows you the configuration in practice. More detailed information about the setup and function of the configuration page is available in section 4.2.
Menu
You can access the configuration page via the menu command "Network
monitoring > Settings > OPC" on an Operation.
Figure 2-8
the OPC UA interface to the higher-level HMI system. All the available devices
are transferred automatically into the column marked "Devices visible in OPC".
Figure 2-10
3. In the area on the right you select the procedure for generating the OPC UA
index (in the example: "Use OPC system index").
Figure 2-11
Note: If you do not want to integrate all the devices into the higher-level HMI system, disable the option "Make monitored devices automatically visible in OPC". You can then select each device individually and add it to the list of devices visible in OPC.
2. Move the marked devices to the right column with the corresponding arrow
key.
Figure 2-13
2.5.1 Preparation
1. In the "Project tree" you navigate to the item "Connections" and double-click it.
In the top center window you create a new OPC UA connection with the
following parameters:
– Name: <freely selectable, in this example OPC_UA >
– Communication driver: OPC UA
Figure 2-16
2. In this example we have set the OPC UA security mode in the Operation
Monitor so that the connection has to be signed and encrypted. Create a
signed and encrypted OPC UA server connection with the following
parameters:
– UA server discovery URL:
opc.tcp://<Computer name OPC server>:4841
– Security policy: Basic128Rsa15
– Message security mode: "Sign and encrypt"
Figure 2-17
Note: For this example we have configured a signed and encrypted OPC UA connection, which requires a subsequent certificate exchange between the WinCC OPC UA client and the SINEC OPC UA server.
If you choose a non-secure connection type, there is no certificate exchange.
3. In this example, in the Operation Monitor we have selected the OPC UA server
authentication such that the user has to be authenticated. Disable the
"Anonymous" option and enter the user and password that you defined in the
Operation parameter profile (see section 2.3).
Figure 2-18
Note: For this example we have configured server authentication with user authentication, which requires a subsequent user login prompt.
If you have not chosen server authentication in the Operation Monitor, you can leave the "Anonymous" option enabled.
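As an added example (not part of the Siemens document), the following Python checker validates a set of WinCC connection parameters like the ones entered above before they are committed in TIA Portal. The dict keys and the host name are assumptions; the policy table follows OPC UA Part 7, which deprecates Basic128Rsa15 and Basic256 (SHA-1 based) in favour of Basic256Sha256 and newer policies.

```python
"""Added example, not from the Siemens document: check OPC UA client
connection parameters against what this setup needs.

Assumptions (not on the page): parameters arrive in a dict with the keys
used below; policy status follows OPC UA Part 7 (Basic128Rsa15 and
Basic256 are deprecated since spec version 1.04 because they use SHA-1).
"""
from urllib.parse import urlparse

# Security policies named in OPC UA Part 7 and whether they are still current.
POLICY_STATUS = {
    "None": "insecure",
    "Basic128Rsa15": "deprecated",
    "Basic256": "deprecated",
    "Basic256Sha256": "current",
    "Aes128_Sha256_RsaOaep": "current",
    "Aes256_Sha256_RsaPss": "current",
}


def check_connection(cfg: dict, server_requires_user: bool) -> list[str]:
    """Return findings; an empty list means the parameters are acceptable."""
    findings = []
    url = urlparse(cfg.get("discovery_url", ""))
    if url.scheme != "opc.tcp":
        findings.append(f"unexpected scheme {url.scheme!r}; SINEC NMS uses opc.tcp")
    if url.port is None:
        findings.append("no port given; the Operation Monitor default is 4841")
    if cfg.get("security_mode") != "SignAndEncrypt":
        findings.append("message security mode must be 'Sign and encrypt'")
    status = POLICY_STATUS.get(cfg.get("security_policy"), "unknown")
    if status != "current":
        findings.append(f"security policy {cfg.get('security_policy')!r} is {status}")
    if server_requires_user and cfg.get("anonymous", True):
        findings.append("server requires user authentication; disable 'Anonymous'")
    if server_requires_user and not cfg.get("user"):
        findings.append("no user name set (define it in the Operation parameter profile)")
    return findings


# Constructed sample: the parameters from section 2.5.1 with a placeholder host.
EXAMPLE_CFG = {
    "discovery_url": "opc.tcp://opc-server-host:4841",
    "security_policy": "Basic128Rsa15",
    "security_mode": "SignAndEncrypt",
    "anonymous": False,
    "user": "opcuser",
}

if __name__ == "__main__":
    for finding in check_connection(EXAMPLE_CFG, server_requires_user=True):
        print("finding:", finding)
```

Run against the document's own parameters, the only finding is the deprecated policy; selecting Basic256Sha256 in WinCC (if the SINEC OPC UA server offers it) clears it.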
1. In the Project tree you navigate to the item "HMI tags > Show all tags" and
select it with a double-click. In the top center window you create the first new
HMI tag by defining a tag name (here: "XB208 device name") in the first line of
the "Name" column.
Figure 2-19
2. In the "Connections" column you select the newly created OPC UA connection
"OPC_UA".
Figure 2-20
3. Then you define the data type "String" for the new tag.
Figure 2-21
4. Finally, in the "Address" field you double-click the drop-down menu icon so that
the error message "Connection failed" appears. Close this dialog by clicking
the green icon "OK".
Figure 2-22
Result:
When attempting to establish the connection, the WinCC OPC UA client has to authenticate itself to the server with a certificate.
Since the OPC UA server does not have the WinCC OPC UA client certificate in its trusted certificates store, it refuses the connection request of the WinCC OPC UA client.
The rejected WinCC OPC UA client certificate is stored in the "Rejected" folder.
Note: In order to be able to browse the OPC UA tags created in WinCC, you have to make the WinCC OPC UA client certificate known to the SINEC OPC UA server.
2. Move this certificate into the following folder of the standard installation directory:
"C:\Siemens\SINECNMS_MON\WinCC_OA\3.15\data\opcua\server\PKI\CA\certs".
3. Switch back to the TIA Portal and the last configuration step (see step 4 of the
previous section).
4. In the "Address" field you again double-click the drop-down menu icon.
Result:
Thanks to the certificate exchange, the OPC UA connection is established this time and a list of all the monitored network devices is displayed.
7. Repeat the previous section entitled "Creating OPC UA tags" (section 2.5.3) and create in the HMI tag table the tags you need for your visualization.
1. In the Project tree you navigate to the "Screens" item and create a new
visualization screen. For this you double-click the "Add new screen" item.
Figure 2-24
2. In the window that now opens you create your visualization interface with the name "Screen_1".
To have the value of the HMI tags displayed you define an output field for each
tag and link the output field to the corresponding HMI tag. The figure below
shows a possible visualization interface.
Figure 2-25
3 Operation
When you have completed all the procedures in chapter 2 you can proceed by
starting an encrypted OPC UA data exchange.
2. The started WinCC Client Runtime cannot yet display any values. You must
leave the visualization screen that appears open, even if it does not display the
correct data.
Figure 3-2
Note: When the Runtime starts, the OPC UA client initiates establishment of a connection to the OPC UA server. The OPC UA server sends its certificate, which is however not yet known to the OPC UA client.
This is why the OPC UA client rejects the server certificate and stores it in its internal "Rejected" folder.
Storing certificates
For encrypted OPC UA data exchange the certificates of the OPC UA client and
the OPC UA server must be made mutually known to each other.
Since each client has its own certificate, the certificates must be exchanged separately for each client.
Note: In this example the Engineering PC is also used for the WinCC Runtime. If this is not the case for you, execute the following steps on the device on which the WinCC Runtime is running.
Result:
Now the OPC UA server certificate is known to the OPC UA client. Because of the
bidirectional OPC UA communication, the OPC UA client certificate must then also
be made known to the OPC UA server.
3. For this you once again open the Windows Explorer (keyboard shortcut <Windows+E>). The second rejected WinCC OPC UA client certificate is located in the directory
"C:\Siemens\SINECNMS_MON\WinCC_OA\3.15\data\opcua\server\PKI\CA\rejected".
4. Also move this certificate into the following folder of the standard installation directory:
"C:\Siemens\SINECNMS_MON\WinCC_OA\3.15\data\opcua\server\PKI\CA\certs".
Result:
After these steps the two OPC UA client certificates are now known to the SINEC
OPC UA server and the OPC UA client knows the required OPC server certificate.
In this way the client can establish a signed and encrypted connection to the
server.
The visualization screen now displays the relevant data "correctly".
Figure 3-3
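The certificate steps in sections 2.5 and 3 both move a file from the server's "rejected" folder to its "certs" folder. As an added example (not part of the Siemens document), the Python helper below does the same move but only after the certificate's fingerprint matches a value the operator has read from the WinCC PC, so a foreign certificate that happens to sit in "rejected" is never trusted by accident. The store paths are the defaults quoted in the document; that the files are DER-encoded (so the fingerprint is the hash of the raw bytes) and the use of SHA-256 are assumptions.

```python
"""Added example, not from the Siemens document: trust a rejected OPC UA
client certificate in the SINEC OPC UA server store only after checking
its fingerprint.

Assumptions: store paths are the document's defaults; certificate files
are DER-encoded, so hashing the file bytes yields the fingerprint shown
by certificate tools; the expected value is obtained out of band.
"""
import hashlib
import shutil
from pathlib import Path

SERVER_PKI = Path(r"C:\Siemens\SINECNMS_MON\WinCC_OA\3.15\data\opcua\server\PKI\CA")
REJECTED_DIR = SERVER_PKI / "rejected"
TRUSTED_DIR = SERVER_PKI / "certs"


def fingerprint(cert_path: Path, algo: str = "sha256") -> str:
    """Fingerprint of a DER certificate file: the digest of its raw bytes.
    Use algo="sha1" to compare with the thumbprint Windows dialogs show."""
    return hashlib.new(algo, cert_path.read_bytes()).hexdigest()


def list_rejected(rejected_dir: Path = REJECTED_DIR) -> dict[str, str]:
    """Map each file in the rejected folder to its fingerprint so the
    operator can compare before trusting anything."""
    return {p.name: fingerprint(p) for p in sorted(rejected_dir.iterdir()) if p.is_file()}


def trust_certificate(name: str, expected_fp: str,
                      rejected_dir: Path = REJECTED_DIR,
                      trusted_dir: Path = TRUSTED_DIR) -> Path:
    """Move rejected/<name> to certs/ if and only if its fingerprint matches.
    Raises ValueError on mismatch and leaves the file where it is."""
    src = rejected_dir / name
    actual = fingerprint(src)
    # Accept the colon-separated upper-case form that certificate viewers print.
    if actual != expected_fp.replace(":", "").lower():
        raise ValueError(f"fingerprint mismatch for {name}: got {actual}")
    trusted_dir.mkdir(parents=True, exist_ok=True)
    return Path(shutil.move(str(src), str(trusted_dir / name)))


if __name__ == "__main__":
    # Show what is waiting in the rejected folder; nothing is moved here.
    for fname, fp in list_rejected().items():
        print(fname, fp)
```

Run without arguments the script only lists the rejected certificates with their fingerprints; the operator then calls trust_certificate with the file name and the fingerprint read from the client side.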
4 Information
4.1 Operation Monitor
Description
The Operation Monitor is an administrative component that you can use to
configure settings specifically for an Operation. The Operation Monitor runs on
each PC on which an Operation is installed and starts automatically after the
installation of the Operation and after each start of the PC.
There is a button in the taskbar to open the pop-up menu of the Operation Monitor.
The functions of the Operation Monitor are presented in this pop-up menu.
This icon can have different colors depending on the status of the Operation.
Note: You must have administrator rights in Microsoft Windows to edit the settings in the Operation Monitor.
monitoring > Settings > OPC" of the Operation are visible regardless of how the
devices are assigned to views.
The following options are available:
• With user authentication: Authentication with the configured user is required for
access to the OPC UA server.
• Without user authentication: Authentication with the configured user is not
required for access to the OPC UA server.
Table 4-1
Operating element: Make monitored devices automatically visible in OPC.
Function: If you enable this option, the data of all the devices monitored by the Operation is visible in OPC.
Operating element: Procedure for generating the OPC UA index.
Function: The Operation generates an OPC UA index for monitored devices that do not yet have an OPC UA index. You can select the following types:
• Use IPv4 address: The OPC UA index is made up of the four numbers of the IPv4 address of the device.
• Use PNIO name: The PNIO name of the device is used as the OPC UA index.
Operating element: Provide status overview via OPC UA.
Function: If you enable this option, the following information is provided via OPC:
• The number of devices per overall status.
• The worst overall status available.
• For each view, the name of the view together with:
– Name of the higher-level view if available.
– Worst overall status available.
– Number of accessible devices.
– Number of non-accessible devices.
– Number of non-connected devices.
The overall statuses are specified via the following values:
1: Not accessible
2: Error
3: Maintenance requested
4: Maintenance required
5: OK
6: Not connected
7: Not monitored
8: Passively monitored
settings, the settings made in this respect are not taken into account and the
associated control elements are disabled.
Figure 4-2
Although the assignment of columns in the data area is preset, you can change it at will. The necessary tool is available in the footer. You can choose all the device properties as they are available via the device window and device details.