Fundamentals
Open Platform Communications Unified Architecture (OPC UA) describes a collection of specifications. These specifications standardize machine-to-machine communication (M2M) in the field of industrial automation. OPC UA enables data exchange across operating systems and between products from different manufacturers, e.g. between a HEIDENHAIN control and third-party software. Thus, OPC UA has become the standard for secure, reliable, manufacturer- and platform-independent industrial communication in recent years.
In 2016, the German Federal Office for Information Security (BSI) published a security analysis of OPC UA. The security analysis was updated in 2022. The specification analysis performed by the BSI determined that OPC UA provides a high level of security compared to most other industrial protocols.
HEIDENHAIN follows the BSI recommendations: the OPC UA NC Server exclusively offers the security mode SignAndEncrypt with up-to-date security profiles. For this purpose, OPC UA-based industrial applications and the OPC UA NC Server authenticate each other by exchanging application instance certificates, and all transferred data is signed and encrypted. This protects the messages exchanged between the communication partners from being read or tampered with.
Application
Both standard and custom software can be used with the OPC UA NC Server. Thanks to the uniform communication technology, connecting via OPC UA requires significantly less development effort than other established interfaces.
The OPC UA NC Server allows you to access the data and functions of the HEIDENHAIN NC information model exposed in the server address space.
Refer to the interface documentation of the OPC UA NC Server as well as the documentation of the client application.
Related topics
- Information Model interface documentation with the specification of the OPC UA NC Server in English
ID: 1309365-xx or OPC UA NC Server Interface Documentation
- Quickly and easily connecting the OPC UA client application to the control
The OPC UA connection assistant function (#56-61 / #3-02-1*)
- User roles and user rights for OPC UA
- Comparison of the transmission duration of different protocols
Example: Transmission duration of different transmission types
Requirements
- OPC UA NC Server (#56-61 / #3-02-1*) software options
For OPC UA-based communication, the HEIDENHAIN control provides the OPC UA NC Server. For each OPC UA client to be connected, you need one of the six available software options (56 to 61).
If your control features the SIK2, you can order this software option multiple times and enable up to ten connections.
- Firewall configured
- The OPC UA client supports the security mode, security policy, and user authentication method of the OPC UA NC Server:
- Security Mode: SignAndEncrypt
- Security policy (one of):
- Basic256Sha256
- Aes128Sha256RsaOaep
- Aes256Sha256RsaPss
- User authentication:
- X.509 user certificates
- User name and password
- For logon with user name and password:
- Permitted by the machine manufacturer
- User administration is active
- The user has the NC.OpcUaPwAuth or NC.OpcUaPwAuthOnlyMachineNet right
Description of function
The control supports the following OPC UA functions:
- Reading and writing variables
- Subscribing to value changes
- Running methods
- Subscribing to events
- Creating service files
- Reading and writing tool data (the corresponding right is required)
- Reading from and writing to the counter (the corresponding right is required)
- File system access to the TNC: drive
- File system access to the PLC: drive (the corresponding right is required)
- Validating 3D models for tool carriers
- Validating 3D models for tools (#140 / #5-03-2)
Machine parameters in conjunction with OPC UA
The OPC UA NC Server enables OPC UA client applications to query general machine information, such as the year of construction of the machine or its location.
The following machine parameters are available for the digital identification of your machine:
- For users: CfgMachineInfo (no. 131700)
- For the machine tool manufacturer: CfgOemInfo (no. 131600)
Access to directories
The OPC UA NC Server enables read and write access to the TNC: and PLC: drives.
The following actions are permitted:
- Creating and deleting folders
- Reading, editing, copying, moving, creating, and deleting files
While the NC software is running, the files referenced in the following machine parameters are locked against write access:
- Tables referenced by the machine manufacturer in the machine parameter CfgTablePath (no. 102500)
- Files referenced by the machine manufacturer in the machine parameter dataFiles (no. 106303, branch CfgConfigData no. 106300)
The OPC UA NC Server provides access to the control even while the NC software is switched off. As long as the operating system is running, you can, for example, create and transfer service files.
- System-relevant files must be edited only by authorized specialists.
Login options
The OPC UA NC Server works with three different types of certificates. The server and the client each need an application instance certificate (two of the three) in order to establish a secure connection. The third, the user certificate, is required for authorization, i.e. for starting a session with the permissions of a specific user. As an alternative to the user certificate, the OPC UA NC Server also permits login with a user name and password.
The control automatically generates a two-level certificate chain, referred to as the Chain of Trust, for the server. It consists of a self-signed root certificate with an associated revocation list and a server certificate issued under that root certificate.
The client's application instance certificate must be added on the Trusted tab of the PKI Admin function.
Any other certificates in the client's chain (issuing CA and root certificates) should be added on the Issuers tab of the PKI Admin function so that the control can verify the entire certificate chain.
User certificate
The control uses the HEROS functions Current User or UserAdmin for administration of the user certificate. When you initiate a session, the rights of the associated internal user are active.
To assign a user certificate to a user:
- Open the Settings application
- Select Operating System
- Double-tap or double-click Current User
- The control opens the Active user window.
- Select SSH keys and certificates
- Select Import certificate
- The control opens the Import certificate window.
- Select the certificate
- Select Open
- The control imports the certificate.
- Select Use for OPC UA
- The control uses the certificate for OPC UA.
Self-generated certificates
You can also create and import all of the required certificates yourself.
Self-generated certificates must fulfill the following requirements:
- General requirements
- File format: *.der
- Signature with SHA-256 hash
- Validity period of at most 5 years is recommended
- Client certificates
- Host name of the client (DNS entry in the Subject Alternative Name)
- Application URI of the client (URI entry in the Subject Alternative Name)
- Server certificates
- Host name of the control
- Application URI of the server according to the following structure:
urn:<hostname>/HEIDENHAIN/OpcUa/NC/Server
- Validity period of 20 years maximum
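The following shell script is an added example and not HEIDENHAIN's code. It uses the openssl command line to issue self-signed application instance certificates that satisfy the requirements above, for both the client and the server side, and then checks the generated DER files against them. The host names opcua-client.example and tnc7.example, the client Application URI urn:opcua-client.example:ExampleVendor:NcClient and the organization name ExampleVendor are assumed values; the server Application URI follows the structure given above. The Application URI is placed as a URI entry and the host name as a DNS entry in the Subject Alternative Name, which is where the OPC UA specification expects them in an application instance certificate.

```shell
#!/bin/sh
# Added example (not HEIDENHAIN code): issue self-signed OPC UA application
# instance certificates that meet the listed requirements, then verify them.
set -u

OUT_DIR="${OUT_DIR:-./opcua-certs}"
# Assumed values for the example; replace with your client's real host name and Application URI.
CLIENT_HOST="${CLIENT_HOST:-opcua-client.example}"
CLIENT_URI="${CLIENT_URI:-urn:opcua-client.example:ExampleVendor:NcClient}"
CONTROL_HOST="${CONTROL_HOST:-tnc7.example}"
# Server Application URI structure from the manual: urn:<hostname>/HEIDENHAIN/OpcUa/NC/Server
SERVER_URI="urn:${CONTROL_HOST}/HEIDENHAIN/OpcUa/NC/Server"

FIVE_YEARS=$((5 * 365 * 86400))
TWENTY_YEARS=$((20 * 365 * 86400))

# make_app_cert <name> <host> <application-uri> <days>
# Writes <name>_key.pem (keep it on the owning system) and <name>_cert.der (to be imported).
make_app_cert() {
    name="$1"; host="$2"; uri="$3"; days="$4"
    mkdir -p "$OUT_DIR" || return 1
    cat > "$OUT_DIR/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_app
prompt = no

[dn]
CN = $host
O = ExampleVendor

[v3_app]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
# Application URI as a URI entry, host name as a DNS entry in the SAN
subjectAltName = URI:$uri, DNS:$host
EOF
    # RSA-2048 key, SHA-256 signature, validity given in days; PEM is written first
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$OUT_DIR/$name.cnf" \
        -keyout "$OUT_DIR/${name}_key.pem" -out "$OUT_DIR/${name}_cert.pem" 2>/dev/null \
        || return 1
    # The control expects *.der, so convert the PEM certificate to DER
    openssl x509 -in "$OUT_DIR/${name}_cert.pem" -outform DER \
        -out "$OUT_DIR/${name}_cert.der" || return 1
}

# check_app_cert <der-file> <host> <application-uri> <max-validity-seconds>
# Returns 0 when the certificate satisfies the requirements, 1 (with a reason) otherwise.
check_app_cert() {
    der="$1"; host="$2"; uri="$3"; max_secs="$4"
    # -inform DER fails on a PEM file, so this also enforces the *.der format
    text=$(openssl x509 -in "$der" -inform DER -noout -text) \
        || { echo "$der: not a DER certificate"; return 1; }
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "$der: signature hash is not SHA-256"; return 1; }
    printf '%s\n' "$text" | grep -q "URI:$uri" \
        || { echo "$der: Application URI $uri missing from SAN"; return 1; }
    printf '%s\n' "$text" | grep -q "DNS:$host" \
        || { echo "$der: host name $host missing from SAN"; return 1; }
    # -checkend exits 1 when the certificate expires within the given window;
    # a minute of slack covers the time elapsed since issuing. If it does NOT
    # expire within max_secs, the validity period is too long.
    if openssl x509 -in "$der" -inform DER -noout -checkend $((max_secs + 60)) >/dev/null; then
        echo "$der: validity period exceeds the permitted maximum"; return 1
    fi
    return 0
}

# Stand-alone run: client certificate (<= 5 years) and server certificate (<= 20 years)
make_app_cert client "$CLIENT_HOST" "$CLIENT_URI" 1825 \
    && check_app_cert "$OUT_DIR/client_cert.der" "$CLIENT_HOST" "$CLIENT_URI" "$FIVE_YEARS" \
    && make_app_cert server "$CONTROL_HOST" "$SERVER_URI" 7300 \
    && check_app_cert "$OUT_DIR/server_cert.der" "$CONTROL_HOST" "$SERVER_URI" "$TWENTY_YEARS" \
    && echo "certificates written to $OUT_DIR"
```

Import client_cert.der on the Trusted tab of the PKI Admin function and keep client_key.pem on the client only. If you sign the certificates with your own CA instead of self-signing, the CA certificate belongs on the Issuers tab, and check_app_cert still applies to the DER leaf certificate.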
Login with user name and password
The machine manufacturer can permit login with a user name and password, for example for client applications that do not support login with a user certificate.
For this type of login, user administration must be active and a user with the NC.OpcUaPwAuth or NC.OpcUaPwAuthOnlyMachineNet right must exist.
In the OPC UA menu item of the Settings application, the control indicates the options available to the current user for logging in.
Notes
- OPC UA is a manufacturer/platform-independent, open communication standard. For this reason, an OPC UA client SDK is not included in the OPC UA NC Server.
- Refer to your machine manual.
The machine manufacturer can create additional function users (for example, so that client applications can access specific machine data when user administration is active).