Connecting with an OPC UA Client with UaExpert
Connecting with an OPC UA Client Using UaExpert
An application like Unified Automation's UaExpert can be used to verify the flow of data from devices through Kepware Edge.
The UaExpert tool is designed to be a general-purpose OPC UA test client; it is not meant for production. Below is a walk-through of creating a secure user with specific data access rights to read and write tags.Default OPC UA Server Settings
• URL: opc.tcp://<hostname>:<port>
• Port: 49330
• Security Policies: Basic256Sha256
• Authentication: (Enabled by default)
• Server Interface Enabled: True
Creating a User Group and User with Read / Write / Browse Access
1. Install Kepware Edge with default settings.
2. Add a new user group with data access and browse permissions via the Config API:
Endpoint (POST):
https://<hostname>:<port>/config/v1/admin/server_usergroups
Body:
{"common.ALLTYPES_NAME": "Group1","libadminsettings.USERMANAGER_GROUP_ENABLED": true,"libadminsettings.USERMANAGER_IO_TAG_READ": true,"libadminsettings.USERMANAGER_IO_TAG_WRITE": true,"libadminsettings.USERMANAGER_BROWSE_BROWSENAMESPACE": true}
3. Add a new user with a password to the group created in above.
Endpoint (POST):
https://<hostname>:<port>/config/v1/admin/server_users
Body:
{"common.ALLTYPES_NAME": "User1","libadminsettings.USERMANAGER_USER_GROUPNAME": "Group1","libadminsettings.USERMANAGER_USER_ENABLED": true,"libadminsettings.USERMANAGER_USER_PASSWORD": "<insert_password>"}
Adding Server Connection to UaExpert
1. Download, install, and launch UaExpert from Unified Automation.
2. Select the Server | Add drop-down menu option.
3. In the Add Server configuration window, double-click the Add Server option located under Custom Discovery.
4. Enter the URL and port for the machine to connect. For example: “opc.tcp://<hostname>:49330”.
5. A new server connection is added in the Custom Discovery group.
6. Expand the new server connection for a list of valid endpoints. These are the available security options for the server. In this example, only one option is available.
7. Choose the Basic256Sha256 – Sign & Encrypt security option.
8. Set the user name and password using the settings used in the creation of the user above.
9. Check the Store checkbox to save the password or leave it unchecked and to be prompted for a password when connecting to the server.
10. Click OK to close the window.
11. Verify that "Kepware Edge/UA" appears under Servers.
12. Right-click on the server and select Connect.
13. A certificate validation window appears.
14. Click Trust Server Certificate for the client to trust the Kepware Edge/UA server.
15. Click Continue. There is an error until the server trusts the client certificate.
16. To trust the client certificate on the server, these instructions use the edge_admin tool (see the server help for other methods).
17. The client certificate’s thumbprint is required to trust it. To get the thumbprint, use the edge_admin tool to list the certificates in the UA Server trust store:
$ ./edge_admin manage-truststore --list uaserver
18. The output of the list shows a thumbprint, a status, and a common name of the certificate. 
The UaExpert certificate will be Rejected. Use the thumbprint to trust the certificate.
The UaExpert certificate will be Rejected. Use the thumbprint to trust the certificate.$ ./edge_admin manage-truststore --trust=<certificate_thumbprint> uaserver
19. List the certificates of the UA Server to verify that the certificate is now trusted.
20. In UaExpert, right-click on the server and click Connect. The connection should succeed and the Address Space window in the lower right pane should be populated, which enables browsing for and adding tags.
21. Add a tag in the data access view to verify that the user has read access.
22. Change the value of the tag to verify that the user has write access.