In 'Node Settings', you can control whether to 'expand structure members' and 'expand array elements'.
When 'expand' is selected, each member of the structure or each element of the array is published as an independent node, which lets the client read and write individual members or elements. Choosing 'not expand' treats the entire node as a whole, with a smaller communication load.

Deep Analysis of Security Models
The core advantage of OPC UA lies in its security. The NJ/NX controller implements multiple layers of security mechanisms to ensure that only authorized clients and users can access data.
3.1 Application authentication: Handshake based on X.509 certificate
This is authentication between the server and the client.
Server certificate:
The CPU unit serves as a server and holds a self-signed certificate.
Automatic generation: After setting OPC UA to "use" for the first time and restarting, the system automatically generates a certificate using the IP address of the current built-in EtherNet/IP port. Its validity period is usually 20 years.
Manual regeneration: When a 'server certificate mismatch' or IP address change occurs, the certificate must be manually regenerated. Operation path: In online mode, right-click on OPC UA server settings -> server certificate -> regenerate certificate. DN information (organization, city, country, etc.) and validity period can be modified here.
Export: After generating a new certificate, it must be saved as a .der file using the "Export" button and installed on all OPC UA clients that allow connections.
Client certificate:
The client needs to prove its identity to the server.
Import: Administrators can add trusted client certificates (.der files) to the "Trusted Certificate List" of the controller.
Auto Reject: If an unregistered client attempts to connect, its certificate is automatically placed in the "Reject Certificate List" and the connection is rejected. The administrator can later move the certificate from this list to the trusted list to authorize the client.
3.2 User authentication: Control operation permissions
In addition to device authentication, operator authentication can also be performed.
Username/Password: Administrators can add up to 20 users in "Security Settings". Username (4-32 characters) and password (8-32 characters) are case sensitive.
Anonymous login: You can choose "disable" or "allow". For security reasons, it is recommended to prohibit anonymous login in actual production environments.
Role function (supported in higher versions):
Different users can be assigned roles (Observer, Operator, Maintainer, Designer, Administrator).
Role permissions are hierarchical. For example, Observer can only browse and read, not write, while Operator and above can execute methods and write variables.
Required roles can also be set for individual namespace nodes to achieve fine-grained permission control.
3.3 Message Security Strategy: Encryption and Signature
In the "Security Policy" section of the "Security Settings", you can define the communication encryption modes allowed by the server.
None: Not recommended for use in production environments.
Signature: Only signs the message to ensure data integrity (tamper-proofing), without encryption.
Signature and Encryption: Signs and encrypts the message to ensure both integrity and confidentiality (protection against eavesdropping).
Algorithm selection: Supports Basic128Rsa15, Basic256, Basic256Sha256, as well as newer Aes128Sha256RsaOaep and Aes256Sha256RsaPss.
Best practice: For security reasons, clear the "none" and weaker Basic128Rsa15 options, and choose "sign and encrypt" combined with strong algorithms.
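The following sketch is an added example, not Omron or Sysmac Studio code. It audits a list of OPC UA endpoint descriptions against the recommendations in 3.2 and 3.3: no "None" or Basic128Rsa15 policy, sign-and-encrypt mode, and no anonymous login. The `Endpoint` class, function names and sample endpoint list are assumptions constructed for illustration; in practice the list would come from a client's GetEndpoints query against the controller.

```python
# Added example (not Omron code): audit OPC UA endpoint descriptions against
# the recommendations above. Endpoint data below is constructed sample input.
from dataclasses import dataclass

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
# Policies the article advises clearing from the server's allowed list.
WEAK_POLICIES = {"None", "Basic128Rsa15"}


@dataclass
class Endpoint:  # hypothetical container mirroring an endpoint description
    url: str
    security_policy_uri: str
    security_mode: str          # "None", "Sign" or "SignAndEncrypt"
    user_token_types: tuple     # e.g. ("Anonymous", "UserName")


def audit_endpoint(ep):
    """Return a list of findings for one endpoint; empty means it passes."""
    findings = []
    policy = ep.security_policy_uri.rsplit("#", 1)[-1]
    if policy in WEAK_POLICIES:
        findings.append(f"weak security policy: {policy}")
    if ep.security_mode != "SignAndEncrypt":
        findings.append(f"message mode is {ep.security_mode}, not SignAndEncrypt")
    if "Anonymous" in ep.user_token_types:
        findings.append("anonymous login allowed")
    return findings


def audit_server(endpoints):
    """Map 'policy/mode' -> findings for every endpoint that fails a check."""
    report = {}
    for ep in endpoints:
        findings = audit_endpoint(ep)
        if findings:
            key = f"{ep.security_policy_uri.rsplit('#', 1)[-1]}/{ep.security_mode}"
            report[key] = findings
    return report


URL = "opc.tcp://192.168.250.1:4840/"  # example address from the article
SAMPLE_ENDPOINTS = [  # constructed sample data
    Endpoint(URL, POLICY_BASE + "None", "None", ("Anonymous", "UserName")),
    Endpoint(URL, POLICY_BASE + "Basic128Rsa15", "SignAndEncrypt", ("UserName",)),
    Endpoint(URL, POLICY_BASE + "Basic256Sha256", "Sign", ("UserName",)),
    Endpoint(URL, POLICY_BASE + "Aes256_Sha256_RsaPss", "SignAndEncrypt", ("UserName",)),
]

if __name__ == "__main__":
    for key, findings in audit_server(SAMPLE_ENDPOINTS).items():
        print(key, "->", "; ".join(findings))
```

An empty report means every endpoint the server offers already matches the recommended configuration.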
Client Connection and Data Interaction
After completing the server-side configuration, the OPC UA client can connect.
Connection URL: The client needs to use the URL defined in the "endpoint" for connection, such as opc.tcp://192.168.250.1:4840/ .
Security negotiation: The client must choose the security policies and modes allowed by the server.
User login: Depending on the server settings, provide a username/password or perform anonymous login.
Address space browsing: After a successful connection, the client can browse the address space. The typical structure is Objects -> DeviceSet -> [Controller Name] -> GlobalVars, where all published variables can be seen.
Read and write operations: The client can read or write to specific nodes. Write permission is subject to a combination of variable attributes (such as constants), user roles, and node security policies.

Operation, maintenance, and troubleshooting
5.1 Start and Stop
Startup: As mentioned earlier, it automatically starts after downloading the configuration and restarting the controller.
Manual stop: You can execute the OPCUA_Shutdown command or click "Server Shutdown" on the "Server Status" page of Sysmac Studio. After stopping, the controller needs to be restarted before it can run again.