Worked Example: Exposing a Blink Program over OPC-UA
This walkthrough takes a project that contains a simple blink program and exposes one variable to an OPC-UA client. The end result is a server an operator can connect to with UAExpert (or any other OPC-UA client) using a username and password over an encrypted channel.
The starting point is a project with a single BOOL variable named led mapped to %QX0.0 on the program main. The variable that blinks on and off. You can follow the same steps for any project; the variable names will differ.
Step 1: Add an OPC-UA Server
- In the project explorer click the + button.
- Choose Server.
- Type
plant_floor_opcuaas the Server name and pick OPC-UA from the Protocol dropdown. - Click Create.
The server appears under the Servers folder and the configuration view opens.
Step 2: Configure General Settings
Open the General Settings tab.
- Toggle Enable Server on. The helper text changes to "Server will start when PLC runs."
- Set Server Name to
Plant Floor PLC. - Leave Network Interface at
All Interfaces (0.0.0.0). - Leave Port at
4840. - Set Endpoint Path to
/openplc/opcua. - In the Application Identity section, set Application URI to
urn:plant_floor:opcua:serverand leave Product URI at the placeholder. - Leave Cycle Time (ms) at
100. - Leave Namespace URI at
urn:openplc:opcua:namespace.
The endpoint URL clients will use, once the project runs on a vPLC at 192.168.1.50, is:
codeopc.tcp://192.168.1.50:4840/openplc/opcua
Step 3: Replace the Default Security Profile
Open the Security Profiles tab. The profile named insecure is enabled by default; you will replace it with an encrypted one.
- Click + Add Security Profile.
- Profile Name:
secure_password. - Leave Enabled toggled on.
- Security Policy: select Basic256Sha256 (Recommended). Note that Security Mode auto-switches to Sign and Encrypt and the Anonymous checkbox is disabled.
- In Authentication Methods, leave Username / Password checked. Uncheck Anonymous (already disabled) and Certificate.
- Click Add Profile.
Now disable the original profile:
- In the
insecurerow, click the toggle to turn it off. Because there is now another enabled profile, the toggle is no longer locked.
The list now shows two profiles: insecure (disabled) and secure_password (enabled, Basic256Sha256 / Sign and Encrypt / Username / Password).
Step 4: Add an Operator User
Open the Users tab.
- Click + Add User.
- Leave Authentication Type at Password.
- Username:
operator1. - Password: type a password of at least 4 characters (for example
change-me-now). - Confirm Password: type the same password.
- Role: select Operator.
- Click Add User.
The user appears in the list with a 👤 icon, an amber Operator badge, and an Edit / Delete pair on the right.
Step 5: Use the Default Self-Signed Certificate
Open the Certificates tab.
The default Certificate Strategy is Auto-generate Self-Signed. Leave it as is. The helper text reads: "The runtime will automatically generate a self-signed certificate." The runtime creates the certificate the first time the server starts on the target.
You do not need to add anything to Trusted Client Certificates for this example, because the security profile uses Username / Password authentication rather than Certificate authentication.
Step 6: Expose the Blink Variable
Open the Address Space tab.
- Confirm Namespace URI is
urn:openplc:opcua:namespace. - In the Available PLC Variables panel, expand the
mainprogram node. - Click the
led (BOOL)row.
The Configure OPC-UA Node modal opens with these defaults:
- Node ID:
PLC.main.led - Browse Name:
led - Display Name:
Led - Description: empty
- Initial Value:
false - Access Permissions: Viewer = Read Only, Operator = Read Only, Engineer = Read/Write
Make two adjustments:
- Change Display Name to
Blink Output. - Change Operator in the Access Permissions panel to Read/Write so
operator1can both observe and force the blink output. - Click Add to Address Space.
The right-hand Selected for OPC-UA panel now shows Blink Output with the permission summary V:r O:rw E:rw. The header reads "1 variable configured."
Step 7: Deploy and Connect
- Save the project.
- Transfer the project to a Runtime v4 vPLC and start it.
- From a workstation that can reach the vPLC, open UAExpert (or your preferred OPC-UA client) and connect using:
- Endpoint URL:
opc.tcp://<vPLC_IP>:4840/openplc/opcua - Security Policy:
Basic256Sha256 - Security Mode:
SignAndEncrypt - Authentication:
Username - Username:
operator1 - Password: the password you set in Step 4
- Endpoint URL:
- The first time the client connects it will warn that the server certificate is self-signed. Accept it once and the warning will not appear again.
- Browse the server's address space until you find
Blink Outputunder theurn:openplc:opcua:namespacenamespace. Subscribe to it. The value alternates betweentrueandfalseat the rate dictated by the blink program. - Right-click the node and write
trueto it. Because the Operator role has Read/Write permission on this node, the write succeeds and the runtime applies the new value on the next scan cycle.
Optional: Add a Certificate-Authenticated Engineer
To allow an engineering workstation to connect with a certificate instead of a password:
- Export the engineer's client certificate from the OPC-UA client.
- On the Certificates tab, click + Add Trusted Certificate, give it a Certificate ID of
eng_workstation, paste the PEM, and click Add Certificate. - On the Security Profiles tab, edit
secure_password(or add a second profile) and check the Certificate authentication box. - On the Users tab, click + Add User, switch Authentication Type to Certificate, choose
eng_workstationfrom the Client Certificate dropdown, set the role to Engineer, and click Add User.
Re-deploy. The engineering workstation can now connect by presenting its certificate, and it will have read/write access to every exposed node.
What's Next?
- Troubleshooting: common errors and how to fix them.
- Address Space: expand the example by exposing more variables, structures, or arrays.
- Users: add Viewer accounts for monitoring-only clients.
On This Page