Fundamentals
Open Platform Communications Unified Architecture (OPC UA) is a collection of specifications that standardize machine-to-machine (M2M) communication in industrial automation. OPC UA enables data exchange across operating systems and between products from different manufacturers, e.g. between a HEIDENHAIN control and third-party software. OPC UA has thus become the standard for secure, reliable, manufacturer- and platform-independent industrial communication in recent years.
In 2016, the German Federal Office for Information Security (BSI) published a security analysis of OPC UA; the analysis was updated in 2022. The BSI's analysis of the specification concluded that OPC UA provides a high level of security compared with most other industrial protocols.
HEIDENHAIN follows the BSI recommendations and supports only the SignAndEncrypt security mode together with current security policies. For this purpose, OPC UA-based industrial applications and the OPC UA NC Server exchange application instance certificates to authenticate each other. In addition, all transferred data is signed and encrypted, so messages between the communication partners can be neither read nor altered in transit.
Application
Both standard and custom software can be used with the OPC UA NC Server. Compared to other established interfaces, significantly less development effort is required for OPC UA connection, thanks to the uniform communication technology.
The OPC UA NC Server allows you to access the data and functions of the HEIDENHAIN NC information model exposed in the server address space.
Refer to the interface documentation of the OPC UA NC Server as well as the documentation of the client application.
Related topics
- Information Model interface documentation with the specification of the OPC UA NC Server in English
ID: 1309365-xx or OPC UA NC Server Interface Documentation
- Quickly and easily connecting the OPC UA client application to the control
The OPC UA connection assistant function (#56-61 / #3-02-1*)
Requirements
- OPC UA NC Server software options (#56-61 / #3-02-1*)
For OPC UA-based communication, the HEIDENHAIN control provides the OPC UA NC Server. For each OPC UA client to be connected, you need one of the six available software options (56 to 61).
If your control features a SIK2, you can order this software option multiple times and enable up to six connections.
- Firewall configured
- The OPC UA client supports the security policy and authentication method of the OPC UA NC Server:
- Security Mode: SignAndEncrypt
- Security Policy (algorithm suite):
- Basic256Sha256
- Aes128Sha256RsaOaep
- Aes256Sha256RsaPss
- User Authentication: X509 certificates
Description of function
The control supports the following OPC UA functions:
- Write and read variables
- Subscribe to value changes
- Run methods
- Subscribe to events
- Creation of service files
- Read and write tool data (the corresponding right is required)
- File system access to the TNC: drive
- File system access to the PLC: drive (the corresponding right is required)
- Validation of 3D models for tool carriers
- Validation of 3D models for tools (#140 / #5-03-2)
Machine parameters in conjunction with OPC UA
The OPC UA NC Server enables OPC UA client applications to query general machine information, such as the year of construction of the machine or its location.
The following machine parameters are available for the digital identification of your machine:
- For users: CfgMachineInfo (no. 131700)
- For the machine tool manufacturer: CfgOemInfo (no. 131600)
Access to directories
The OPC UA NC Server enables read and write access to the TNC: and PLC: drives.
The following actions are permitted:
- Creating and deleting folders
- Reading, editing, copying, moving, creating, and deleting files
While the NC software is running, the files referenced in the following machine parameters are locked against write access:
- Tables referenced by the machine manufacturer in the machine parameter CfgTablePath (no. 102500)
- Files referenced by the machine manufacturer in the machine parameter dataFiles (no. 106303, branch CfgConfigData no. 106300)
The OPC UA NC Server enables access to the control even if the NC software is switched off. As long as the operating system is active, you can create and transmit service files, for example.
- System-relevant files must be edited only by authorized specialists
Required certificates
The OPC UA NC Server uses three different types of certificates. Two of them, the application instance certificates of the server and of the client, are needed to establish a secure connection. The third, the user certificate, is required for authorization: it starts a session with the permissions of a specific user.
The control automatically generates a two-level certificate chain referred to as the Chain of Trust for the server. This certificate chain consists of a self-signed root certificate (including a revocation list) and a certificate for the server that is created on the basis of the root certificate.
The client certificate must be added on the Trusted tab of the PKI Admin function.
If the client certificate was issued by a certificate authority, add the issuing CA certificates on the Issuers tab of the PKI Admin function so that the entire certificate chain can be verified.
User certificate
The control uses the HEROS functions Current User or UserAdmin for administration of the user certificate. When you initiate a session, the rights of the associated internal user are active.
To assign a user certificate to a user:
- Open the Current User HEROS function
- Select SSH keys and certificates
- Press the Import certificate soft key
- The control opens a pop-up window.
- Select the certificate
- Select Open
- The control imports the certificate.
- Press the Use for OPC UA soft key
Self-generated certificates
You can also create and import all of the required certificates yourself.
Self-generated certificates must fulfill the following requirements:
- General requirements:
  - File format: *.der
  - Signature hash: SHA256
  - Validity period: at most 5 years recommended
- Client certificates:
  - Host name of the client
  - Application URI of the client
- Server certificates:
  - Host name of the control
  - Application URI of the server in the following form:
    urn:<hostname>/HEIDENHAIN/OpcUa/NC/Server
  - Validity period: 20 years maximum
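The following script is an added example, not HEIDENHAIN code and not part of the original documentation. It generates a client application instance certificate that meets the requirements above using the openssl command line, and then checks a *.der file against the same requirements (signature hash, host name, Application URI, validity period). It assumes an RSA 2048-bit key, the key usage and extended key usage extensions that OPC UA Part 6 prescribes for application instance certificates, and that the host name and Application URI are carried as DNS and URI entries of the subjectAltName; the page does not say where they go, but this is what OPC UA stacks check. The host name and URI in the demo are made-up values.

```shell
#!/bin/sh
# Added example (not HEIDENHAIN code): build an OPC UA client application
# instance certificate meeting the requirements listed above, then check it.
# Assumptions not stated on the page: RSA 2048-bit key, the OPC UA Part 6
# keyUsage/extendedKeyUsage extensions, host name and Application URI as
# DNS/URI subjectAltName entries (URI first). Requires the openssl CLI.

# make_client_cert DIR HOST URI
#   writes DIR/client.key (PEM private key), DIR/client.pem and DIR/client.der
make_client_cert() {
    dir=$1; host=$2; uri=$3
    cat > "$dir/client.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_opcua
prompt = no

[dn]
CN = $host
O = Example Machine Operator

[v3_opcua]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = URI:$uri, DNS:$host
subjectKeyIdentifier = hash
EOF
    # 1825 days = 5 years, the recommended maximum; SHA-256 signature as required.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -config "$dir/client.cnf" \
        -keyout "$dir/client.key" -out "$dir/client.pem" 2>/dev/null || return 1
    # The control imports *.der, so convert the PEM certificate.
    openssl x509 -in "$dir/client.pem" -outform DER -out "$dir/client.der"
}

# check_opcua_cert DER HOST URI [MAXDAYS]
#   returns 0 if the DER certificate satisfies the requirements; MAXDAYS
#   defaults to 1826 (5 years plus one day of slack), use 7306 for a server cert.
check_opcua_cert() {
    der=$1; host=$2; uri=$3; maxdays=${4:-1826}
    txt=$(openssl x509 -inform DER -in "$der" -noout -text 2>/dev/null) || {
        echo "not a DER-encoded X.509 certificate: $der"; return 1; }
    printf '%s\n' "$txt" | grep -Fq 'Signature Algorithm: sha256WithRSAEncryption' || {
        echo "signature hash is not SHA-256"; return 1; }
    printf '%s\n' "$txt" | grep -Fq "DNS:$host" || {
        echo "host name $host missing from subjectAltName"; return 1; }
    printf '%s\n' "$txt" | grep -Fq "URI:$uri" || {
        echo "application URI $uri missing from subjectAltName"; return 1; }
    # -checkend N exits 0 if the certificate is still valid N seconds from now,
    # so a certificate that survives MAXDAYS is longer than allowed.
    if openssl x509 -inform DER -in "$der" -noout -checkend $((maxdays * 86400)) >/dev/null 2>&1; then
        echo "validity period exceeds $maxdays days"; return 1
    fi
    return 0
}

# Demo with made-up host name and Application URI.
demo_dir=$(mktemp -d)
make_client_cert "$demo_dir" opcua-client01.example.net \
    urn:opcua-client01.example.net:Example:OpcUaClient
check_opcua_cert "$demo_dir/client.der" opcua-client01.example.net \
    urn:opcua-client01.example.net:Example:OpcUaClient \
    && echo "client.der is ready for the Trusted tab of PKI Admin"
```

The resulting client.der is the file added on the Trusted tab of PKI Admin; client.key stays on the client and is never imported into the control. The same check function can be run against a self-generated server certificate by passing the control's host name, its urn:<hostname>/HEIDENHAIN/OpcUa/NC/Server URI and 7306 as the day limit.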
Note
OPC UA is a manufacturer/platform-independent, open communication standard. For this reason, an OPC UA client SDK is not included in the OPC UA NC Server.