
How to establish OPC-UA communication between Movicon PC (client) & iC9200 Controller (server)

Version Number | Description
1.0            | Basic description of steps to establish OPC UA communication between iC9200 Server and Movicon client by manually exchanging certificates.


1. Supported Components

Component Name | Version
iC9200 series  | ≥ 2024.3.1
iCube Engineer | ≥ 2024.3

2. Supported Libraries

All libraries

3. Introduction

This application note provides a step-by-step procedure to establish OPC UA communication between a Movicon PC and an iCube Controller. This can be done either by manually exchanging certificates between the client and the server, or by accepting the server certificate when connecting from the client. Both approaches are explained in later sections.

This document contains the following points:
  1. Create OPC-UA Server on iCube Controller
  2. Create a Movicon Project and import tags from the Server.
  3. Manual certificate exchange between OPC-UA Client and Server (in case the request to accept the server certificate does not appear on the client).

4. Create OPC-UA Server on iCube Controller

4.1 Set the server settings in the iCube controller project

  1. In iCube Engineer, go to the Project tree and click on OPC UA to open the OPC Server Settings.
    Image

  2. Under Basic Settings, set the visibility of variables to Marked (so that only variables with the OPC property selected in the variable declaration table are ported).
    Image

  3. Under Security, set the server settings as highlighted in the image below.
    1. Select IP address as the Type of Subject and provide the IP address of the controller.
    2. Set the security policies as the user desires.
    3. Uncheck the use of the trust store for client authentication; this allows UaExpert to connect to the server.

      Image
      Note: The option to use the trust store for client authentication, shown under Application in the server settings, can be kept checked. However, software like UaExpert will then not be able to connect to the server, because only clients whose certificate has been added to the controller will be allowed to connect.

  4. In the Variables tab, enable OPC for the variables that are required to be shared on the server. These variables can then be imported into the OPC-UA client.
    Image

4.2 Create a new user in iCube

New users should be created using the web-based manager of the iCube Controller. This is recommended for safety reasons, as the HMI should not have administrator rights to the controller.
  1. Log in to the iCube Controller WBM as admin.
    Image

  2. To create a new user, go to Security → User Authentication → Add User
    Image

  3. Edit the user with the following roles:
    • Certificate Manager
    • Service
    • Data Viewer
    • Data Changer
      Image

5. Create a Movicon Project and import tags from the Server.

This section will describe the steps to create a simple project and how to connect and import tags from the server.
  1. Open a new project in Movicon (HMI Editor 11.6)
    Image

  2. Click on OPC UA Client and Add New OPC UA Tag
    Image

  3. Click on Add Endpoint, and add the details of the Server Endpoint.

    Image

  4. After adding the new endpoint, there will be an automatic pop-up to accept the server certificate
    Image

    Note: If this pop-up does not appear or the OPC UA connection cannot be established, follow Section 6 of this FAQ to manually exchange the certificates.

  5. Click on the + symbol of the endpoint and the server variables can be found under the PLCnext tab.
    Image

  6. Double-click on the variables that need to be added to the Movicon project.
    Image



6. Manual certificate exchange between OPC-UA Client and Server.

Refer to this section if the client cannot accept the server's security certificate through the request described in Section 5. In that case, manual certificate exchange can be used.

6.1 Convert the Movicon self-signed certificate and upload it to iCube WBM

The certificate from the Movicon client (PC) is provided in 2 formats: '.der' and '.pem'. Neither can be uploaded directly to the iCube WBM, so we follow the simple steps below:

  1. First, we convert the '.der' format certificate to a '.cer' format certificate and save it on our PC.
  2. Then we open the '.cer' format certificate in a text editor and add it to the iCube Controller (Server) web-based manager.

Let's break the above-mentioned steps into smaller steps in detail below:

  1. We need to find the .der certificate for the Movicon client on the PC. The folder that stores the client authentication certificate is automatically created when Movicon is installed on the PC.
    The default location of the ‘.der’ certificate is: C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs
    Note: Please keep in mind that ProgramData is a hidden folder, so showing hidden items should be enabled on the PC.
    Image

  2. If the properties window was opened in step 1, close it.
  3. Open the security certificate and go to Details.
    Image

  4. This will open the Certificate Export Wizard. Click Next, and then select the file export format Base-64 encoded X.509 (.CER).
    Image

  5. Specify the name and location of the exported certificate, and then complete the certificate export.
    Image

  6. The '.der' certificate has now been exported in '.cer' format and must be opened in a text editor. After opening the certificate, copy the complete text; this will be required in the next steps to add the certificate to the iCube Controller web-based manager.
    Image

  7. Log in to the web-based manager of the controller. Go to Certificate Authentication → Trust Stores → OPC UA configurable tab.
    Image

  8. To add the certificate there are two main points to keep in mind:
    1. Change the Input Method to Text Content
    2. Paste the complete certificate copied in step 5.
      Image

  9. After uploading the certificate, it should be available in the OPC-UA configurable tab.
    Image

6.2 Convert the Server certificate and place it in the Movicon Client folder on the PC.

In the previous section, the OPC UA self-signed certificate from the Movicon client was placed into the iCube controller (OPC-UA server) in the correct format. In this section, the OPC-UA self-signed certificate from the iCube controller (OPC-UA server) will be placed into the Movicon PC (OPC-UA client) in the correct format.

Follow the steps below to change the certificate format and then place the certificate in the correct folder for the Movicon client to access it:
  1. Log in to the web-based manager of the controller and go to Client Authentication → Identity Stores → Download the OPC UA self-signed certificate.
    Image

  2. The downloaded certificate is in CRT format. To convert it to DER format, open the online SSL Converter (sslshopper.com) and upload the certificate that was downloaded in the previous step. The type of current certificate does not need to be changed; click on Convert Certificate. This step converts from CRT format to DER format and automatically downloads the newly converted DER certificate.
    Image

  3. The downloaded DER format security certificate will be moved to the UA Applications folder under OPC Foundation. This is where the Movicon software will access the server certificate.
    The default location for this certificate is: C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs
    Image
All the steps required for exchanging the self-signed certificate between the OPC-UA Server (iCube Controller) and the OPC-UA Client (Movicon PC) are complete.
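
The two format conversions in sections 6.1 and 6.2 (DER to Base-64 text and CRT to DER) can also be done and checked offline. The following Python sketch is an added example, not part of the original application note or of any Yaskawa or Movicon tooling; it assumes the controller's CRT download is PEM (Base-64) text, and the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder: a bare ASN.1 SEQUENCE of 256 bytes, NOT a real
# certificate. Replace with open(path, "rb").read() for an actual file.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def der_declared_length(der: bytes) -> int:
    """Total size (header + body) that the outer SEQUENCE header declares."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with an ASN.1 SEQUENCE")
    if der[1] < 0x80:                      # short form: length in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def load_cert_der(data: bytes) -> bytes:
    """Accept PEM text (.pem/.cer/.crt) or binary DER; return checked DER."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("more than one certificate in input")
    der = (base64.b64decode(b"".join(blocks[0].split()), validate=True)
           if blocks else data)
    if der_declared_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return der


def to_pem(der: bytes) -> str:
    """Base-64 text form, as pasted into a trust store via Text Content."""
    b64 = base64.b64encode(load_cert_der(der)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER bytes; identical for every encoding of one cert."""
    return hashlib.sha256(load_cert_der(data)).hexdigest()


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(pem, fingerprint(pem.encode()) == fingerprint(SAMPLE_DER))
```

Comparing `fingerprint()` of the original file with that of the converted or pasted copy confirms that both are the same certificate; a `ValueError` points to an incomplete copy-paste or a file that is not a single certificate.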

NOTE: The steps in the manual certificate handling section can also be used when running Movicon on an HMI. The only step that needs to be changed is the first step in section 6.1, because the location of the Movicon certificate is different on an HMI than on a PC. So, the user should pay attention to where the certificate can be found and to the UA Applications folder where the server certificate has to be saved.


 


This help information is valid for iCube Engineer Online Help 2025.6

Copyright © 2025 YASKAWA EUROPE GmbH and © 2025 YASKAWA America, Inc.