Siemens S7-1200 OPC-UA

Questions regarding the use of the UaExpert.

Moderator: uaexpert

SidewayZ
Jr. Member
Posts: 3
Joined: 18 Mar 2023, 12:46

Siemens S7-1200 OPC-UA

Post by SidewayZ »

Hello,

Me and some fellow colleagues have been trying to get an OPC UA server running on a Siemens S7-1200 PLC.

Connection works just fine while we connect as anonymous users and with no security policy.
We have tried every combination of policies with no luck.

We have tried configuring the server with the certificates locally on and with the global certificate manager in TIA.
We have tried trusted and untrusted client and server meaning presharing certs or not.

There are really not that many choices when setting up the service in TIA/PLC.
We need fresh eyes on what could cause this issue.

CPU outputs these fault explanations:
An OPC UA client tried to invoke a service. One or more nodes could not be found in the address space of the CPU or any of the used parameters is not correct. This can lead to high communication load.
Remedy:
- Remove missing items from client configuration
- Add missing items in server or generic interface
- Correct service call of the clients that sent services with invalid parameters


An OPC UA client invoked a service with invalid parameters or in a wrong sequence. The OPC UA Server sent a service fault to the client.
Remedy:
- Correct service call of the clients that sent services with invalid parameters or in a wrong sequence.


We are currently using UA Expert 1.6.2

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Siemens S7-1200 OPC-UA

Post by Support Team »

Hi,

in OPC UA there are certificates used on both sides (client and server). They must be "trusted" vice versa. The public keys are transferred between the two during connect attempt (GetEndpoints), which every client is supposed to call (and so is UaExpert). UA clients that have a GUI will typically display the received certificate and ask the user for trust, temporary trust, or decline. Servers very often represent a headless device (like a PLC), hence cannot display the certificate, and cannot ask the user. For that reason they put the requesting client side certificate into a quarantine folder, hoping for the engineering system to connect some day and trust/clean up the pending quarantined certificates. For S7-1200 the TIA Portal sounds like the correct choice.

Make sure the SecurityPolicy you select to be used in UaExpert is supported by the S7-1200. Check the S7-1200 manual for supported SecurityPolicies and required key length. You should check with the Siemens support team, in case you cannot operate/configure the serverside trust on the S7-1200.
Best regards
Unified Automation Support Team

SidewayZ
Jr. Member
Posts: 3
Joined: 18 Mar 2023, 12:46

Re: Siemens S7-1200 OPC-UA

Post by SidewayZ »

Hi and thanks for reply!

In the server settings I can choose to accept the connecting client's certificate automatically or via the certificate manager.
We have tested both of the methods.
The server certificate, however, is generated manually after setting up the server. When a client connects to the PLC it will push the certificate to the client. In UA Expert we accept the server as trusted. We have no extra settings other than user and password.
Additional settings or restrictions could be made in the global security manager of the PLC. But it's better to get connection working before making it harder to connect :)

The PLC we use can be set up with the following policies:
* No security
* Basic128Rsa15-Sign
* Basic128Rsa15-Sign&encrypt
* Basic256-sign
* Basic256-Sign&encrypt
* Basic256Sha-Sign
* Basic256Sha-Sign&encrypt

Whereas the manual states that the S7-1500 has more options for how the encryption and authentication can be set up.
Since we are running an S7-1200 we are a bit restricted.
We cannot use every combination of policies.

Something is definitely missed, question is what!
We will wait and see what Siemens support has to say :)

SidewayZ
Jr. Member
Posts: 3
Joined: 18 Mar 2023, 12:46

Re: Siemens S7-1200 OPC-UA

Post by SidewayZ »

Hello!

Just wanted to share the progress.

We have the problem solved but problems still remain :)

The main problem was the communication load which had to be increased.
After adjusting that we got the connection running locally p2p.

Second problem was the device is to be connected on a process network and the connection is routed or goes through a simple NAT,
so we had to include the router's IP in the certificate. Otherwise the client would reject the server certificate.

Third problem was timing in the process network which led to timeouts in the server.
We had to slow the PLC down to get it working over the connection provided.

Doesn't feel optimal at all but works.
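
Added example, not part of the thread and not Siemens or Unified Automation code: the NAT problem described in the last post can be spotted before connecting by checking whether the host in each endpoint URL a client will dial is listed in the server certificate's Subject Alternative Name. It assumes the SAN line was copied from `openssl x509 -noout -text` output; all names, addresses and the application URI below are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the SAN line as printed by `openssl x509 -noout -text`
# for a server certificate that only lists the PLC's own name and address.
SAN_ORIGINAL = "URI:urn:example:plc-1:opcua-server, DNS:plc-1, IP Address:192.168.0.10"
# Same certificate re-issued with the NAT router's address added (constructed).
SAN_WITH_ROUTER = SAN_ORIGINAL + ", IP Address:10.20.30.1"


def parse_san(san_line):
    """Split an openssl-style SAN line into sets of IPs, DNS names and URIs."""
    san = {"ip": set(), "dns": set(), "uri": set()}
    for entry in san_line.split(","):
        kind, _, value = entry.strip().partition(":")
        value = value.strip()
        if kind == "IP Address":
            san["ip"].add(ipaddress.ip_address(value))
        elif kind == "DNS":
            san["dns"].add(value.lower().rstrip("."))
        elif kind == "URI":
            san["uri"].add(value)
    return san


def endpoint_covered(endpoint_url, san):
    """True if the host the client dials is listed in the certificate's SAN."""
    host = urlsplit(endpoint_url).hostname  # lower-cased, port and brackets removed
    if not host:
        raise ValueError("no host in endpoint URL: %r" % endpoint_url)
    try:
        return ipaddress.ip_address(host) in san["ip"]
    except ValueError:  # not an IP literal, so compare as a DNS name
        return host.rstrip(".") in san["dns"]


def check(endpoints, san_line):
    """Return {endpoint_url: covered?} for every URL a client may dial."""
    san = parse_san(san_line)
    return {url: endpoint_covered(url, san) for url in endpoints}


if __name__ == "__main__":
    urls = ["opc.tcp://192.168.0.10:4840",  # direct, point to point
            "opc.tcp://10.20.30.1:4840"]    # through the NAT router (constructed)
    for label, line in (("original", SAN_ORIGINAL), ("re-issued", SAN_WITH_ROUTER)):
        for url, ok in check(urls, line).items():
            print(f"{label:10} {url:32} {'listed' if ok else 'NOT in SAN'}")
```

An address reported as not in the SAN is one for which a client that compares the endpoint host with the certificate can be expected to reject or warn about the server certificate.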
