Configuring Kepware for OPC-UA

creating a read only opc ua user kepware uses user groups to control opc ua access rights open user manager right click on the kepware system tray icon → settings → user manager create a user group (e g , opcua readers ) and assign the following minimum privileges allow access to tags allow read deny all write or config permissions add a user (e g , factry collector ) to this group optionally, allow anonymous access open project properties → allow anonymous login → set to yes perform a runtime reinitialization (explained later) enable the opc ua server endpoint open the opc ua configuration right click the kepware tray icon → opc ua configuration verify or edit the endpoints for local installations, use opc tcp\ //127 0 0 1 49320 for remote installations, replace 127 0 0 1 with the server ip address or hostname set allowed security policies and modes each endpoint can allow multiple policies and security modes none no encryption or signing, insecure but easy to configure sign messages are signed for integrity sign & encrypt messages are signed and encrypted for full confidentiality policies include basic256sha256 (recommended for secure connections) basic128rsa15 , none , and others (for legacy compatibility) match these security settings with the client or collector you're connecting to if sign or sign & encrypt are used, you will need to manually trust the collector’s certificate go to trusted clients in the opc ua configuration tool accept the certificate after the first connection attempt opc ua project settings open project properties → opc tab recommended settings return data asap enabled shutdown wait period default or as per system requirement synchronous request timeout time kepware waits before failing a read request opc diagnostics enable this for easier debugging reinitialize kepware runtime many configuration changes (e g , users, security, namespaces) require reinitialization right click the kepware tray icon → reinitialize wait a few seconds for the runtime to restart save and restore kepware configuration saving and restoring configurations allows you to back up your setup or clone it across environments save export the current configuration as a project file restore load the configuration file to apply the setup on another instance troubleshooting here are common issues you may encounter when working with kepware missing drivers problem you cannot find the desired driver when creating a channel cause the driver was not installed solution re run the kepware installer → choose modify → add the missing driver historian status shows “bad” after renaming tags or devices problem tags show a bad status in historian after changes solution perform a reinitialize runtime in kepware to apply renaming good tag in kepware, but not in opc ua collector problem collector has never received data, even though the tag appears correct in kepware solution reinitialize kepware runtime to ensure all changes are loaded by the opc ua server tag read fails in monitored mode but works in polled mode problem namespace mismatch (e g ns=2 vs ns=3) the opc ua server may expose multiple namespaces cause the tag is being referenced with the wrong namespace, which can cause it to succeed in one mode (polled) but fail in another (monitored), or vice versa solution verify which namespace the tag actually resides in on the server adjust the configuration accordingly if issues persist, try switching between polled and monitored collection modes opc ua collector always reads same value problem value remains static in the collector, even though it changes in kepware possible fix reinitialize kepware runtime, opc ua may not be exposing the updated tag state correctly changing namespaces causes unstable data problem after a namespace change, you see incorrect or unstable data solution confirm correct namespace index and restart the runtime all measurements show statusbadconfigurationerror / statusbadnodeidunknown when reading from kepware problem all measurements on a collector fail with these statuses cause the kepware license has probably expired solution check the status of the kepware license renew or reactivate the license to restore normal operation statusbadtimeout (0x800a0000) problem the opc ua request sent to the opc ua server (and its underlying plc's) and back to the opc ua collector does not return in time (in a time period ≤ opc ua collector docid\ xqc3ckoljmoor 7pkpj2e ) cause more often than not, this is caused by one or more plc's responding slowly (or being turned off) , which slows down the opc ua request that also holds data of plc's that respond faster (more info opc ua time synchronization ) solution choose one or a combination of the solutions below 1 1 try increasing the opc ua collector docid\ xqc3ckoljmoor 7pkpj2e setting (it is recommended to keep it ≤ 30000 milliseconds) 2 2 make use of channels in kepware in which you can group devices or separate them from each other for devices in one channel kepware requests data from each device consecutively this means that the total time needed to answer the opc ua request of the collector increases with each device added, potentially surpassing the opc ua readtimeout configured and resulting in a badtimeout for devices in separate channels kepware requests data from each device in parallel this means that the total time needed to answer the opc ua request of the collector is similar to the slowest responding plc, which minimally slows downs the opc ua request it is recommended to maximally keep a few devices in a channel if the devices respond similarly fast the devices are generally turned off at the same time to maximally benefit from the channels, each device is configured in a separate channel 3 3 in kepware a plc can be ignored using auto demotion for a configured time period when it's slowly or not responding, to not slow down the entire opc ua request in kepware right click the device (in the pane on the left) > properties > auto demotion and set the following settings for each device depending on the type of driver configured for the device in kepware, the auto demotion settings may not be available to you if the auto demotion setting is not available for your device, put the device in a separate kepware channel and move the according measurements to a separate opc ua collector demote on failure enable timeouts to demote set the number of successive timeouts the device may encounter when kepware requests data from it before the device is indicated as demoted e g 3 demotion period the time period (in milliseconds) for kepware to not request data from the device when the device is demoted e g 10000 (= 10 seconds) discard requests when demoted disable in the figure below, the total time needed to respond to the opc ua request is decreased from 3800 milliseconds (for 3 devices in one channel without auto demotion ) to 800 milliseconds (for the same devices in one channel with auto demotion ) if by making use of channels and/or auto demotion in kepware, you still receive a statusbadtimeout on the collector (re)move the measurements on the collector to decrease the number of kepware devices that you're requestion data from in exceptional cases, that might bring you down to one slowly responding device that is isolated in a kepware channel and isolated on a opc ua collector minimum system requirements check kepware system requirements to ensure compatibility with your operating system and hardware this guide ensures a clean and professional setup of kepware as a single opc ua bridge for industrial devices if you're working in a factry environment, this setup will allow seamless collection of legacy or multi brand plc data through one standardized interface