OMRON NJ/NX OPC UA Configuration Guide

Au:FAN | DA:2026-05-07

OMRON NJ/NX Series Controller OPC UA Server Implementation and Security Configuration Complete Guide

In modern industrial automation systems, breaking down the data barriers between the control layer and IT systems (such as MES and SCADA) is key to achieving intelligent manufacturing. OPC UA (Open Platform Communications Unified Architecture), a platform-independent, secure and reliable communication protocol, has become the core standard of Industry 4.0. Omron has integrated OPC UA server functionality into its NJ/NX series Machine Automation Controllers, allowing upper-level systems to access variable data within the controller directly and securely over standard Ethernet, without intermediate conversion computers. This article aims to provide engineers with a detailed technical guide on configuring, optimizing, and maintaining OPC UA servers on NJ/NX series controllers.

System Overview and Applicable Hardware

The OPC UA server function enables NJ/NX series CPU units to act as OPC UA servers, accepting connection requests from SCADA or other OPC UA clients, and enabling read and write operations on global variables and function block instances within the controller. This feature is deeply integrated with the built-in EtherNet/IP port (specific port) of the controller.

Supported CPU models:

Not all CPUs support this feature. Confirm the hardware version before use:

NX701-1 □□□: Unit version 1.24 or higher.

NX502-1 □□□: Unit version 1.60 or higher.

NJ501-1 □□□: Unit version 1.17 or higher.

NX102- □□□□: Unit version 1.30 or higher.

Key specification limitations:

Connection port: limited to the built-in EtherNet/IP port of the CPU unit (specifically PORT 1 for NX701/NX502/NX102).

Maximum number of sessions: The server can support up to 5 OPC UA client sessions simultaneously.

Monitored items: The entire server supports up to 2000 monitored items (up to 20000 for specific models and higher versions).

Number of variables to be published: Up to 10000 network variables can be published (the higher version NX701 supports 100000).


Detailed configuration steps: from beginner to proficient

The configuration of the NJ/NX OPC UA server is mainly divided into four stages: network layer settings, security settings, variable publishing, and online operations, all of which are carried out in Omron's Sysmac Studio software environment.

2.1 Basic Network Settings: Determination of IP Address

OPC UA communication relies on a stable IP address.

Navigate to Configuration and Settings -> Controller Settings -> Built-in EtherNet/IP Port Settings.

In TCP/IP settings, select "Fixed settings" or "IP address obtained from BOOTP server".

Important warning: Using DHCP (Dynamic Host Configuration Protocol) is strongly discouraged. The server certificate is bound to the IP address in use when the certificate was generated. If the IP address changes afterwards, the server certificate no longer matches the IP address, client connections fail, and the 'Server Certificate Mismatch' event is triggered.

2.2 OPC UA Server Core Settings

Enable service:

In the Multiview Explorer of Sysmac Studio, find Configuration and Settings -> OPC UA Settings -> OPC UA Server Settings.

Change the 'Server Function Settings' from 'Do Not Use' to 'Use'.

Key step: After downloading this project to the controller, the controller must be power-cycled (powered off and on again) or a "controller reset" must be performed before the OPC UA server can start.

Endpoint and Port Configuration:

The 'Endpoint' field automatically displays the server's URL in the format opc.tcp://[IP address]:[port number]/. The default IP is 192.168.250.1 and the default port is 4840.

The 'port number' can be customized (range 1025 to 65535), but the chosen port must not already be in use by other services such as FTP or HTTP.

Execution log settings:

To trace the operational status, connection requests, and errors of OPC UA servers, it is strongly recommended to enable execution logs.

Set 'Record Execution Log' to 'Record'.

The number of files (2 to 100) and the number of records per file (100 to 65536) are configurable. The log files are saved on the SD memory card of the CPU unit.

2.3 Variable Publishing: Building the Address Space

OPC UA clients access controller data through the address space. Engineers need to specify which variables are visible to the outside world.

Global variable publishing:

In the global variable editor, find the variable that needs to be published.

Set its 'Network Publishing' attribute to 'Publish Only', 'Input', or 'Output'. System-defined variables cannot be published.

User-defined function block variable publishing (supported in higher versions):

You can select a specific namespace or function block instance for publishing in the "Network Publishing Settings" of the "OPC UA Server Settings".

This allows structured control logic (such as motor control blocks) to be directly exposed to the upper system.

Expansion control of structures and arrays:

In the 'Node Settings', you can control whether to 'expand structure members' and 'expand array elements'.

When 'expand' is selected, each member of the structure or each element of the array is published as an independent node, so the client can read and write individual members or elements. Choosing 'not expand' publishes the structure or array as a single node, which results in a smaller communication load.

Deep Analysis of Security Models

The core advantage of OPC UA lies in its security. The NJ/NX controller implements multiple layers of security mechanisms to ensure that only authorized clients and users can access data.

3.1 Application authentication: Handshake based on X.509 certificate

This is authentication between the server and the client.

Server certificate:

The CPU unit serves as a server and holds a self-signed certificate.

Automatic generation: After setting OPC UA to "use" for the first time and restarting, the system automatically generates a certificate using the IP address of the current built-in EtherNet/IP port. Its validity period is usually 20 years.

Manual regeneration: When a 'server certificate mismatch' or IP address change occurs, the certificate must be manually regenerated. Operation path: In online mode, right-click on OPC UA server settings -> server certificate -> regenerate certificate. DN information (organization, city, country, etc.) and validity period can be modified here.

Export: After generating a new certificate, it must be saved as a .der file using the "Export" button and installed on all OPC UA clients that are allowed to connect.
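The IP binding of the server certificate can be checked before clients start failing. The following is an added example, not Omron or Sysmac Studio code: it reads the IP addresses out of an exported .der file and compares them with the endpoint URL. It assumes the controller records its IP address as an iPAddress entry in the certificate's subjectAltName extension, which is the usual convention for OPC UA application certificates; the sample bytes are constructed, not taken from a controller.

```python
import ipaddress
from urllib.parse import urlsplit

SAN_OID = bytes.fromhex("551d11")  # OID 2.5.29.17, subjectAltName

def read_tlvs(buf):
    """Yield (tag, content) for each DER element at the top level of buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long form: next k bytes hold the length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n

def san_ip_addresses(der):
    """Collect iPAddress names from any subjectAltName extension inside der."""
    found = []
    for tag, body in read_tlvs(der):
        if not tag & 0x20:                 # primitive value, nothing nested
            continue
        kids = list(read_tlvs(body))
        if tag == 0x30 and kids and kids[0] == (0x06, SAN_OID):
            # Extension = SEQUENCE { extnID, [critical], extnValue OCTET STRING }
            ((_, names),) = read_tlvs(kids[-1][1])
            found += [ipaddress.ip_address(v) for t, v in read_tlvs(names) if t == 0x87]
        else:
            found += san_ip_addresses(body)
    return found

def endpoint_matches_certificate(endpoint_url, cert_der):
    """True if the endpoint's IP address is listed in the certificate's SAN."""
    parts = urlsplit(endpoint_url)
    if parts.scheme != "opc.tcp" or not parts.hostname:
        raise ValueError(f"not an opc.tcp endpoint: {endpoint_url!r}")
    return ipaddress.ip_address(parts.hostname) in san_ip_addresses(cert_der)

def tlv(tag, content):
    """Encode one short DER element; used only to build the sample below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

# Constructed sample: only the nesting that carries the extension in a
# certificate ([3] extensions -> SEQUENCE -> Extension), not a real certificate.
SAMPLE_SAN = tlv(0x30, tlv(0x86, b"urn:example:controller") +   # URI name
                       tlv(0x87, bytes([192, 168, 250, 1])))    # iPAddress
SAMPLE_DER = tlv(0x30, tlv(0xA3, tlv(0x30, tlv(0x30,
                 tlv(0x06, SAN_OID) + tlv(0x04, SAMPLE_SAN)))))

if __name__ == "__main__":
    for url in ("opc.tcp://192.168.250.1:4840/", "opc.tcp://192.168.250.20:4840/"):
        ok = endpoint_matches_certificate(url, SAMPLE_DER)
        print(url, "matches" if ok else "MISMATCH: regenerate and re-export")
```

For an exported certificate, pass the file's bytes as `cert_der` in place of the sample.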

Client certificate:

The client needs to prove its identity to the server.

Import: Administrators can add trusted client certificates (.der files) to the "Trusted Certificate List" of the controller.

Auto Reject: If an unregistered client attempts to connect, its certificate will be automatically placed in the "Reject Certificate List" and the connection will be rejected. The administrator can move the certificate from this list to the trusted list in the future to authorize the client.

3.2 User authentication: Control operation permissions

In addition to device authentication, operator authentication can also be performed.

Username/Password: Administrators can add up to 20 users in "Security Settings". Username (4-32 characters) and password (8-32 characters) are case sensitive.

Anonymous login: You can choose "disable" or "allow". For security reasons, it is recommended to prohibit anonymous login in actual production environments.

Role function (supported in higher versions):

Different users can be assigned roles (Observer, Operator, Maintainer, Designer, Administrator).

Role permissions are hierarchical. For example, Observer can only browse and read, not write, while Operator and above can execute methods and write variables.

Required roles can even be set for individual namespace nodes to achieve fine-grained permission control.

3.3 Message Security Strategy: Encryption and Signature

In the "Security Policy" section of the "Security Settings", you can define the communication encryption modes allowed by the server.

None: Not recommended for use in production environments.

Signature: Only signs the message to ensure data integrity (tamper protection), without encryption.

Signature and Encryption: Signs and encrypts the message to ensure both integrity and confidentiality (protection against eavesdropping).

Algorithm selection: Supports Basic128Rsa15, Basic256, Basic256Sha256, as well as newer Aes128Sha256RsaOaep and Aes256Sha256RsaPss.

Best practice: For security reasons, clear the "none" and weaker Basic128Rsa15 options, and choose "sign and encrypt" combined with strong algorithms.
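The best practice above, together with the anonymous-login recommendation in 3.2, can be verified from the client side by reviewing what the server advertises. The following is an added example, not Omron code: it audits a list of endpoint descriptions of the kind a client obtains from an OPC UA GetEndpoints call. The dictionary key names are hypothetical, the policy URIs and mode names follow the OPC UA specification, and the sample listing is constructed.

```python
# Assumed input shape: one dict per endpoint with the fields a client receives
# in a GetEndpoints response (the key names here are hypothetical).
# OPC UA mode names: "Sign" = 'Signature', "SignAndEncrypt" = 'Signature and Encryption'.
WEAK_POLICIES = {"None", "Basic128Rsa15"}  # the two options the text says to clear

def audit_endpoint(ep, weak_policies=WEAK_POLICIES):
    """Return the list of findings for one endpoint description."""
    policy = ep["security_policy_uri"].rsplit("#", 1)[-1]
    mode = ep["security_mode"]
    findings = []
    if policy in weak_policies:
        findings.append(f"policy {policy}: clear it in Security Settings, Security Policy")
    if mode != "SignAndEncrypt":
        findings.append(f"mode {mode}: messages are not encrypted")
    if "Anonymous" in ep["user_tokens"]:
        findings.append("anonymous login allowed: set it to disable")
    return findings

def audit_server(endpoints, weak_policies=WEAK_POLICIES):
    """Map endpoint index to its findings, keeping only endpoints that have any."""
    report = {}
    for index, ep in enumerate(endpoints):
        findings = audit_endpoint(ep, weak_policies)
        if findings:
            report[index] = findings
    return report

BASE = "http://opcfoundation.org/UA/SecurityPolicy#"

# Constructed sample listing, not captured from a controller.
SAMPLE_ENDPOINTS = [
    {"security_policy_uri": BASE + "None",
     "security_mode": "None",
     "user_tokens": ["Anonymous", "UserName"]},
    {"security_policy_uri": BASE + "Basic128Rsa15",
     "security_mode": "Sign",
     "user_tokens": ["UserName"]},
    {"security_policy_uri": BASE + "Aes256_Sha256_RsaPss",
     "security_mode": "SignAndEncrypt",
     "user_tokens": ["UserName"]},
]

if __name__ == "__main__":
    for index, findings in audit_server(SAMPLE_ENDPOINTS).items():
        for finding in findings:
            print(f"endpoint {index}: {finding}")
```

An empty report means every advertised endpoint uses an allowed policy with signing and encryption and requires a named user.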


Client Connection and Data Interaction

After completing the server-side configuration, the OPC UA client can connect.

Connection URL: The client needs to use the URL defined in the "endpoint" for connection, such as opc.tcp://192.168.250.1:4840/.

Security negotiation: The client must choose the security policies and modes allowed by the server.

User login: Depending on the server settings, provide a username/password or perform anonymous login.

Address space browsing: After a successful connection, the client can browse the address space. The typical structure is Objects -> DeviceSet -> [Controller Name] -> GlobalVars, where all published variables can be seen.

Read and write operations: The client can read or write to specific nodes. Write permission is subject to a combination of variable attributes (such as constants), user roles, and node security policies.

Operation, maintenance, and troubleshooting

5.1 Start and Stop

Startup: As mentioned earlier, it automatically starts after downloading the configuration and restarting the controller.

Manual stop: You can execute the OPCUA_Shutdown command or click "Server Shutdown" on the "Server Status" page of Sysmac Studio. After stopping, the controller needs to be restarted before it can run again.

5.2 Status Monitoring

Server Status: When Sysmac Studio is online, check the "Server Status" page to obtain the current status (running, error, closed), the number of connected clients, and the number of users.

Event log: The controller's event log will record OPC UA related errors (such as certificate mismatch, variable count exceeding limit, etc.).

Execution log: A detailed log file stored on the SD card, which records authentication success/failure, variable access details, etc. You can view it through the "Display Operation Log" window of Sysmac Studio or directly on the SD card (file path: /packages/OPCUA_Server/ExecutionLog/).

5.3 Common Errors and Countermeasures

Server certificate mismatch (event code 15020000 hex):

Reason: The IP address of the controller has changed, but the server certificate has not been regenerated.

Solution: Manually regenerate the server certificate and export the new certificate for installation on all clients.

Connection rejected (client in rejection list):

Reason: The client's certificate was not added to the controller's 'trusted certificate list'.

Solution: On the client authentication page, move the corresponding certificate from the "Rejected Certificate List" to the "Trusted Certificate List".

Variable cannot be read or written:

Reason: Variable size exceeds 60KB; array starting index is non-zero; structure nested more than 3 layers; total number of global variables exceeds the upper limit; insufficient user role permissions.

Check: Check the execution log for records related to SERVER-0100 or SERVER-0101, and adjust the variable structure or optimize the number of publications according to the prompts.

5.4 Hardware replacement and backup recovery

CPU replacement: Server certificates are hardware related information and are not included in regular backups. After replacing the CPU, even if the backup is imported, the server certificate must be regenerated on the new CPU and the new certificate must be exported and installed on the client.

Backup strategy: The controller backup function of Sysmac Studio can back up OPC UA server settings, client certificates, security policies, etc. When restoring, however, you can choose whether to restore the OPC UA security configuration file. Execution logs need to be managed separately as they are stored on an SD card.


Performance considerations and system design

Startup time: The startup time of the OPC UA server (from restart to running state) is related to the number of variables published and the proportion of task execution time. The more variables there are, the slower the startup.

System service execution time: The OPC UA server runs as a system service. If the CPU task cycle is too full, resulting in insufficient system service execution time (reference value below 20%), it will cause OPC UA response delay or timeout. Sufficient time should be reserved for system services when designing tasks.

Online editing: When the OPC UA server is running, it is allowed to add network publishing variables through online editing without restarting the server. The newly added variables will be dynamically added to the address space.
