Ewon Technical Forum

OPC UA server certificate problem Flexy 205 (client) <-> S7-1200 (server)
Hi,

I'm trying to set up OPC UA communication with a Flexy 205 connecting as client to a Simatic S7-1211 acting as server.

If I set the "Security policy" to "None" and "Authentication settings" to "Anonymous" it works flawlessly and I can browse and add the PLC published tags as expected.

Problem arises when I change the "Security policy" to "Basic256Sha256" and "Security mode" to "Sign and encrypt".
I have exported/downloaded the Flexy's "Own" certificate and installed it in my TIA project.

Certificates before connecting LAN to PLC:
[attachment=1363]

Certificates after connecting LAN to PLC:
[attachment=1364]

Certificates after successfully trusting the server certificate:
[attachment=1365]

Certificates after refreshing OPCUA IO server web-page; new rejected server certificate! (why?):
[attachment=1366]

The configured tags don't work in this state (red symbol with exclamation mark) and if I try to browse server tags the dialog says OPCUA Server not ready:
[attachment=1369]

Realtime Logs says "client 0: connect error CertificateValidation":
[attachment=1370]

I'm probably/obviously doing something wrong here but have gone over the documentation and vimeo video over and over several times but can't seem to find the solution...

Hopefully someone here on the forum can shed some light into this.

Setup:
Flexy 205 FW14.5s0
S7-1211 FW4.5 (also tried FW4.4)
Steps to setup working OPC UA comm Flexy<->S7-1200 (TIA V17) without security (no certificates, no encryption, no user authentication):

  1. S7-1200: Enable OPC UA server [attachment=1373]
  2. S7-1200: Select No security (default setting) [attachment=1374]
  3. S7-1200: Select Runtime license for OPC UA [attachment=1375]
  4. S7-1200: Create global DB and enable access for OPC UA client [attachment=1376]
  5. S7-1200: Create server interface to expose selected tags to OPC UA clients [attachment=1378]
  6. Flexy: Enable OPCUA IO Server [attachment=1377]
  7. Flexy: Add tags by browsing the OPC UA server [attachment=1379]
  8. Flexy: Reading/writing tags working [attachment=1380]
Enabling security "Basic256Sha256 - Sign and Encrypt" in S7-1200 and Flexy using self signed certificate in S7-1200 ("Use global security settings for certificate manager" NOT selected):
[attachment=1389]
The Flexy receives a new server certificate from the S7-1200 which must be trusted:
[attachment=1390]
After trusting the server certificate, I would expect the communication to work again but it fails:
[attachment=1391]
In the Event log the traces of the successive steps of activating the security can be seen, and the final entries are "opcuaiosrv-Connect fail (BadTimeout)" followed by "opcuaiosrv-Connect fail (OpenSecureChannel)" which I assume might be caused by the S7-1200 not accepting the Flexy certificate?
[attachment=1392]
Hi,

First of all, thanks for your great explanations!

Regarding the problem with OPCUA encrypted, that is weird.
I remember getting this kind of communication working.
Have you trusted the certificate of the Ewon in the Siemens PLC?
If you are still facing issues, we can organize a meeting to check that together.

Simon
(17-05-2022, 12:19 PM) simon Wrote:
Hi,

First of all, thanks for your great explanations!

Regarding the problem with OPCUA encrypted, that is weird.
I remember getting this kind of communication working.
Have you trusted the certificate of the Ewon in the Siemens PLC?
If you are still facing issues, we can organize a meeting to check that together.

Simon

Hi,

Thanks, I tried to document the necessary steps here to be able to come back for upcoming projects and also hopefully make it useful to someone else, but haven't really reached that point yet...

Unfortunately I have still not had any success with the encrypted communication.
I'm a total newbie on certificate handling and have searched the net and various PDFs, just to find out that in most cases "No security" is used and comments like "security is important and encryption should be used", but no detailed description on how this is done.

There are, as far as I know, no tools available in TIA portal nor online in the S7-1200 CPU (in current FW4.4.1) to diagnose the OPC UA connection process or the certificate exchange handling.
So the only "debug information" available, I think, are the event log entries in the Flexy.

I have imported the Flexy certificate in TIA and added it to the CPU trusted clients and also enabled the setting "Automatically accept client certificates...":
[attachment=1395]
I thought that either one of these actions should suffice but I still get "opcuaiosrv-Connect fail (BadTimeout)" followed by "opcuaiosrv-Connect fail (OpenSecureChannel)" in the event log.

I have tried using self signed certificates, CA certificates from the TIA global certificate manager, replaced the Flexy Own certificate with TIA generated client certificate and so on but all ending up with Flexy event log entries "opcuaiosrv-Connect fail (BadCertificateChainIncomplete)" or "opcuaiosrv-Connect fail (BadTimeout)".

I'm really happy if you would like to help me out on this!
I have now successfully connected to the S7-1200 using another OPC UA client running on my laptop with the encryption activated.

I found an informative video that compares three PC based OPC UA clients (https://www.youtube.com/watch?v=w7eM3osLxsE); UaExpert, OPC Expert and Siemens application note that uses .NET.

I downloaded the Siemens application note 109737901, (verified the file SHA256) unpacked .zip and browsed to the application folder, see image below:
[attachment=1396]
As the image shows; after accepting the S7-1200 certificate, I can connect and browse the node and read/write the values using this client.

The Flexy is connected to the LAN at the same time but cannot connect; eventlog shows "opcuaiosrv-Connect fail (BadTimeout)" followed by "opcuaiosrv-Connect fail (OpenSecureChannel)".
Settings in the Flexy OPCUA IO Server are the same as in the Siemens client, and the S7-1200 certificate is trusted:
[attachment=1397]

I noticed during my previous tests that the Flexy certificate, when imported into TIA Portal global certificate manager, displays as a CA certificate.
Shouldn't that be type endpoint or client or something?

Perhaps I'm missing something here or there might be some issue with the Flexy client certificate?
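One thing that can be checked offline is whether the client certificate itself has the shape an OPC UA server expects from an application instance certificate: an end-entity certificate (basicConstraints CA:FALSE rather than CA:TRUE, which is what makes a certificate manager file it under CA certificates), keyUsage with digitalSignature/keyEncipherment/dataEncipherment, extendedKeyUsage clientAuth, a subjectAltName URI equal to the client's ApplicationUri, and an RSA key of 2048 to 4096 bits with a SHA-256 signature for Basic256Sha256. The script below is an added example, not code from this thread, from Ewon or from Siemens. It uses the Python `cryptography` package, builds two constructed self-signed test certificates (one conforming, one of the "looks like a CA" kind) and runs the same check over both; the application URI `urn:flexy205:opcua:client` and the hostname are constructed values. A real exported certificate can be loaded with `x509.load_der_x509_certificate()` and passed to `check_client_cert()` in the same way.

```python
"""Check an OPC UA client (application instance) certificate for the properties a
Basic256Sha256 / Sign and Encrypt endpoint expects. Added example using the
'cryptography' package; URIs and names below are constructed test values."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID


def make_cert(common_name, application_uri=None, ca=False, client_auth=True):
    """Build a self-signed test certificate. The defaults follow the OPC UA
    application-instance profile; ca=True, application_uri=None and
    client_auth=False reproduce a certificate a manager would list as 'CA'."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=True,
                key_encipherment=True, data_encipherment=True,
                key_agreement=False, key_cert_sign=ca, crl_sign=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    )
    if client_auth:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    if application_uri:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([
                x509.UniformResourceIdentifier(application_uri),  # ApplicationUri first
                x509.DNSName("flexy205.example.local"),            # constructed hostname
            ]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def check_client_cert(cert, expected_uri):
    """Return a list of findings; an empty list means nothing to complain about."""
    findings = []
    exts = cert.extensions

    # Basic256Sha256: RSA key of 2048..4096 bits, SHA-256 signature.
    key_size = cert.public_key().key_size
    if not 2048 <= key_size <= 4096:
        findings.append(f"key size {key_size} not in 2048..4096")
    if cert.signature_hash_algorithm.name != "sha256":
        findings.append(f"signature hash {cert.signature_hash_algorithm.name}, expected sha256")

    # Validity window (certificate times are naive UTC in this API).
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        findings.append("certificate not currently valid (check clocks on both devices)")

    try:
        if exts.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca:
            findings.append("basicConstraints CA:TRUE (filed as a CA certificate, not a client certificate)")
    except x509.ExtensionNotFound:
        findings.append("basicConstraints missing")

    try:
        ku = exts.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
        for label, present in (("digitalSignature", ku.digital_signature),
                               ("keyEncipherment", ku.key_encipherment),
                               ("dataEncipherment", ku.data_encipherment)):
            if not present:
                findings.append(f"keyUsage lacks {label}")
    except x509.ExtensionNotFound:
        findings.append("keyUsage missing")

    try:
        eku = exts.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            findings.append("extendedKeyUsage lacks clientAuth")
    except x509.ExtensionNotFound:
        findings.append("extendedKeyUsage missing (needs clientAuth)")

    try:
        san = exts.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        if expected_uri not in san.get_values_for_type(x509.UniformResourceIdentifier):
            findings.append(f"subjectAltName has no URI entry equal to ApplicationUri {expected_uri}")
    except x509.ExtensionNotFound:
        findings.append("subjectAltName missing (needs URI = ApplicationUri)")
    return findings


if __name__ == "__main__":
    uri = "urn:flexy205:opcua:client"  # constructed ApplicationUri
    for label, cert in (("conforming", make_cert("flexy-opcua-client", application_uri=uri)),
                        ("CA-style", make_cert("flexy-opcua-client", ca=True, client_auth=False))):
        print(label, check_client_cert(cert, uri) or ["ok"])
```

The ApplicationUri passed to `check_client_cert()` has to be the one the client actually announces in its OpenSecureChannel/CreateSession request; a mismatch between that value and the certificate's URI entry is one of the reasons a server rejects an otherwise trusted certificate.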
After testing with NRO, I realized that the problem was probably the timeout parameter of the Ewon that is too short.
Since we cannot configure this timeout, this must be processed by the R&D.
Hope to get it increased or configurable in a next firmware version
Thanks for your effort in this, Simon!

I couldn't stop thinking about the timeout issue during the weekend...
Just did some further testing and found a workaround :-)

If the S7-1200 CPU is set to STOP mode the Flexy OPC UA IO server manages to establish a connection, with the encryption activated!
The connection continues to work when the S7-1200 is set to RUN mode.

I verified the behaviour a couple of times by the following sequence:
  1. First disabling the Flexy OPC UA IO server and deleting the trusted server certificate.
  2. Enabling the IO server again + trusting new server certificate (no connection established and also causing disturbance on S73&400 IO server connection!?).
  3. Switching S7-1200 to STOP-mode => connection establishes (and also disturbance on S73&400 disappears).

[attachment=1399]
That is super interesting indeed!!
Well done!!!
(23-05-2022, 01:42 PM) simon Wrote:
That is super interesting indeed!!
Well done!!!

Thanks!

Unfortunately after rebooting the Flexy, it is necessary to repeat the sequence of changing operating mode on the S7-1200 from RUN -> STOP (approx a minute) -> RUN to get the Flexy OPC UA client connected again.

Also, I find it odd that the S73&400 IO server is affected/disturbed by the status of the OPC UA IO server.
My idea is that the OPCUA connection attempt is taking all the PLC comm resources and therefore it no longer answers the S7 protocol requests...
Your tests and feedback will be for sure useful for our R&D team!
Yeah, you're probably right about the PLC comm resources.

I did some further testing using UaExpert with the Flexy OPCUA IO server disabled.

Every time UaExpert establishes a connection to the PLC, the tags managed by the S73&400 IO server in the Flexy error out for a while (status = 2) and then some seconds later go back to normal polling (state = 1).
At the same time the IsoTcpCReadErr increases by two:
[attachment=1408]

If the Flexy OPCUA IO server is enabled in the Flexy, IsoTcpCReadErr increases by two every 40 seconds, so I guess the IO server tries to establish a connection at this interval.
This of course also disturbs the UaExpert communication to the PLC rendering messages "ConnectionWarningWatchdogTimeout":
[attachment=1409]
(20-05-2022, 03:00 PM) simon Wrote:
After testing with NRO, I realized that the problem was probably the timeout parameter of the Ewon that is too short.
Since we cannot configure this timeout, this must be processed by the R&D.
Hope to get it increased or configurable in a next firmware version

Hi,

Any news on this matter?

I have an upcoming project this autumn where certificate based encrypted OPC UA communication to S7-1200 PLCs is a requirement.
Some of the machines will be shipped worldwide at the end of the year so it's important to be able to develop and evaluate this setup, the sooner the better...
It has not been planned yet but I have added your comment in my report.
Hope it will increase the priority of this topic.
I will keep you updated.
(04-07-2022, 08:55 AM) simon Wrote:
It has not been planned yet but I have added your comment in my report.
Hope it will increase the priority of this topic.
I will keep you updated.

Are there any updates on this issue?
I currently have the same problem and have tried all the steps as suggested here.