OPC

  • OPC originally stood for “OLE for Process Control”; today OPC is just a brand name, with the tagline “Open Productivity & Connectivity”.
  • Physically, OPC is just a standard, i.e. a document.
  • From the document, a DLL is usually produced that allows third-party applications to connect to the OPC server. Vendors typically publish their own DLL. It is most common to use the official OPC Foundation DLL, which can be downloaded from their website, but take note of some precautions:
    • Before attempting to download stuff from OPC Foundation, it is important to understand the following terminologies
      • In COM, a proxy/stub is the code used to marshal data across boundaries like process boundaries or apartment boundaries
      • A merge module is a special kind of Windows Installer database that contains the components needed to install a discrete software bundle
    • However, the OPC Foundation’s documentation is poor and it is very difficult to get answers from them
    • It is always best to use vendor DLLs, the best-known being the Matrikon Automation DLL. The file is called ‘OPCDAAuto.dll’
  • The key elements of OPC transmission are
    • Secure
    • Reliable
    • Vendor Neutral
  • History of OPC
    • The first standard, simply called “OPC Specification”, was developed in 1996 by a collaboration task force consisting of various automation vendors and Microsoft.
      • Uses Microsoft COM and DCOM
      • The idea arose because each hardware/DCS manufacturer needed to create its own driver to interface with Windows, and third-party software developers then had to write a different application interface for each separate driver
      • The OPC Specification was later named “OPC Data Access 1.0 Specification”, commonly known as “OPC DA”
    • The OPC AE (Alarms and Events) standard was first released in 1999.
    • The OPC DA 2.0 Specification (specifically OPC DA 2.05a) was released in 2002
      • Still uses COM and DCOM
    • The OPC DA 3.0 Specification was released in 2003
      • Still uses COM and DCOM
      • Technology-wise not much changed; it just added more software specifications
    • The most common OPC standard used worldwide is OPC DA 2.05. If someone says ‘I’m using OPC’, what he really means is that he is using OPC DA 2.05. OPC DA 3.00 just adds some new features and differs little from DA 2.05
  • Backwards compatibility of OPC is not guaranteed. In the following scenarios it may or may not work
    • An OPC DA 1.00 Client communicating with an OPC DA 3.0 Server
      • This should be okay in general, as long as the vendor of the OPC DA 3.0 Server implements handlers for OPC DA 1.00 clients
      • However, there is no guarantee that an OPC DA Server vendor will choose to do so.
    • An OPC DA 3.00 Client communicating with an OPC DA 1.0 Server
      • This may not work if the OPC DA 3.0 client uses special functions not implemented by the OPC DA 1.0 Server.
      • In this typical scenario, the client should state which OPC DA versions it supports
  • The purpose of OPC is to provide a standard mechanism for communicating with numerous data sources in the process industry
  • OPC is considerably fast. Tests have been done by the OPC Foundation
    • In a nutshell, the speed is
      • A server can serve up to 50,000 tags/s; with each tag being a floating point (8 bytes), this is 400 KB/s
      • Standard Ethernet can go up to 1.2 MB/s, so OPC would be no issue. However, nowadays people use Fast Ethernet (100Base-TX), which transfers at 12 MB/s
    • The test was done by the OPC Foundation
      • On Rockwell software using Pentium 266 computers (5 clients, 1 server) at ~500 MHz processing speed
      • Each client added 10,000 tags and requested the server to update each item every 250 ms. All data was changing, to simulate a worst-case scenario
      • The result was that the server was able to update 200,000 items per second
      • On average the update speed is
    • Note that even though OPC itself is fast, the underlying hardware system it communicates with may not be fast enough to deliver the actual updates. For example, the Yokogawa FCSs can only serve around 2000 items per second. If OPC requests more, some update cycles may drop out and the OPC server publishes the same items again and again.
  • OPC UA is the latest technology of the OPC Foundation
    • The key differences of OPC UA are
      • Based on SOA (Service Oriented Architecture); no longer based on DCOM
      • Platform Independence
    • Characteristics of OPC UA
      • Uses an Optimized TCP-based UA binary protocol.
      • A single port is sufficient
      • 3 Components (AE, DA,HDA) combined into 1 component
    • OPC UA Security
      • Based on WWW concepts
      • Encompasses
        • User authentication
        • Signing of messages
        • Data encryption
    • OPC UA Reliability
      • Automatic error detection
      • Communication can be monitored
      • Redundancy

WINDOWS FILE SHARING

  • Two computers on two different domains/workgroups can talk to each other if the same local user, with the same password, exists on each computer
  • To share files remember there are TWO (NOT ONE) PERMISSIONS THAT NEED TO BE GIVEN
    • File Sharing PERMISSION
    • Security ACCESS PERMISSION
  • Both are on two different tabs in the folder properties

COM (Component Object Model)

  • COM is used to create objects in Visual Studio
  • To use COM, the DLL must first be registered in the Windows registry from the command prompt
    • Regsvr32 [DLL File Name]
  • To unregister the DLL, simply
    • Regsvr32 [DLL File Name] /u
  • Once registered, one can invoke the COM object from VBScript using the CreateObject method
    • Set ObjVar = CreateObject("Matrikon.OPC.Automation")
  • Before that, if you don’t know the COM name, you can search for it in the Windows registry
    • Open RegEdit from Start > Run
    • Find/search the data for the DLL file name
    • If you find a key called ProgID, open it and the name of the COM object will be displayed there

Troubleshooting OPC DCOM

  • First do a network check
    • Check if the machines can ping each other
    • Check if the machines can telnet to each other on port 135
      • If telnet does not exist, use PuTTY
    • Check network status as well (using netstat -an)
  • Next do a user authentication check
    • Find what user the OPC Client is running as
      • This can easily be checked in Task Manager
    • Make sure this user exists on the OPC Server machine and the passwords match
      • It doesn’t matter if the user is in a different domain; as long as the username and password match, it works. E.g. Localhost\Administrator = DomainABC\Administrator
      • To check the password, use the Windows right-click ‘Run as’
    • Find what user the OPC Server is running as
      • This is harder to check as one needs to know the exact process the OPC server runs as
      • Yokogawa ExaOPC/HISOPC Servers run as ‘CTM_PROCESS’. This account needs to be created using the Create CTM Process tool
    • Make sure this user exists on the OPC Client machine and the passwords match
      • To check the password, use the Windows right-click ‘Run as’
  • Finally do a system-wide DCOM check (dcomcnfg) on both the OPC Client and the OPC Server
    • Under Default Properties
      • Check that DCOM is enabled
      • Check that Default Authentication is either ‘None’ or ‘Connect’
      • Check that the Default Impersonation level is ‘Identify’. ‘Impersonate’ and ‘Delegate’ are OK but not secure
    • Under Default Protocols
      • Check whether port ranges are set there. If any are set, make sure those ports are open.
      • If any ports are set, make sure ‘Internet Range’ is used
      • After setting a port, a computer restart is required.
    • Under COM Security
      • Under Access Permission > Edit Limits make sure Anonymous Logon is set (this is usually set; if not, your Windows won’t work!)
      • For Access Permission > Edit Default, Launch and Activation > Edit Limits and Launch and Activation > Edit Default ==> usually these should be left as is.
        • But if you want to open DCOM security wide, just add ‘Everyone’ and ‘Anonymous Logon’ as this covers everything (SYSTEM, GUEST, INTERACTIVE, NETWORK and SELF are included in EVERYONE)
        • Everyone includes GUEST, which is normally turned off anyway. But if you don’t want to include Guest, use AUTHENTICATED USERS, which is EVERYONE minus GUEST
    • After any changes on the server machine, make sure to restart the OPC Server service and OPCEnum. One does not need to restart the entire server.
      • Some OPC servers do not need to be restarted…  I HAVE YET TO VERIFY THIS.
  • Check OPC Components
    • Install the OPC Redistributables
  • Check OPCEnum
    • On the Server, the OPCEnum DCOM Authentication Level is ‘None’. Restart the OPCEnum service after changing this
    • On the Client, Anonymous access is set in Default Access Permission.
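The checks above, run from the OPC client in the same order (network, client account, OPCEnum, computer-wide DCOM defaults, port range, live sessions), as an added PowerShell example that is not part of the original page. The registry paths are the documented locations behind dcomcnfg’s Default Properties and Default Protocols tabs; the OPCEnum service name ‘OpcEnum’, the host name and the client process name are assumptions.

```powershell
# Added example (not from the original page): client-side first pass over the
# OPC/DCOM checks listed above. Assumptions: the OPCEnum service is registered
# as 'OpcEnum'; host and process names passed in are examples only.
function Test-OpcDcomPrereqs {
    param(
        [Parameter(Mandatory)][string]$Server,   # OPC server host name or IP
        [string]$ClientProcess = 'OPCClient'     # assumed OPC client executable (no .exe)
    )
    $r = [ordered]@{}

    # 1. Network: ICMP reachability, then the RPC endpoint mapper on TCP 135
    $r.Ping   = Test-Connection -ComputerName $Server -Count 1 -Quiet
    $r.Tcp135 = (Test-NetConnection -ComputerName $Server -Port 135 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded

    # 2. Which account the OPC client runs as (what Task Manager would show)
    $proc = Get-CimInstance Win32_Process -Filter "Name = '${ClientProcess}.exe'" |
            Select-Object -First 1
    $r.ClientUser = if ($proc) {
        $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        "$($o.Domain)\$($o.User)"
    } else { "${ClientProcess}.exe is not running" }

    # 3. OPCEnum service state (installed by the OPC Core Components)
    $svc = Get-Service -Name OpcEnum -ErrorAction SilentlyContinue
    $r.OpcEnum = if ($svc) { [string]$svc.Status } else { 'not installed' }

    # 4. Computer-wide defaults: dcomcnfg > My Computer > Default Properties
    $ole  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
    $auth = @{1='None';2='Connect';3='Call';4='Packet';5='Packet Integrity';6='Packet Privacy'}
    $imp  = @{1='Anonymous';2='Identify';3='Impersonate';4='Delegate'}
    $r.DcomEnabled = ($ole.EnableDCOM -eq 'Y')
    $r.DefaultAuthenticationLevel = if ($null -ne $ole.LegacyAuthenticationLevel) {
        $auth[[int]$ole.LegacyAuthenticationLevel] } else { 'not set (Connect)' }
    $r.DefaultImpersonationLevel = if ($null -ne $ole.LegacyImpersonationLevel) {
        $imp[[int]$ole.LegacyImpersonationLevel] } else { 'not set (Identify)' }

    # 5. Default Protocols: restricted DCOM port range, if one was configured
    $rpc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
    $r.DcomPortRange = if ($rpc -and $rpc.Ports) {
        "$($rpc.Ports -join ',') (UseInternetPorts=$($rpc.UseInternetPorts))"
    } else { 'not restricted: any ephemeral port may be used' }

    # 6. netstat -an equivalent: established sessions to the server beyond port 135
    $ip = [System.Net.Dns]::GetHostAddresses($Server) |
          Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1
    $r.DataPorts = if ($ip) {
        (Get-NetTCPConnection -RemoteAddress $ip.IPAddressToString -State Established `
            -ErrorAction SilentlyContinue | Where-Object RemotePort -ne 135 |
            Select-Object -ExpandProperty RemotePort -Unique) -join ','
    } else { 'name resolution failed' }

    [pscustomobject]$r
}

Test-OpcDcomPrereqs -Server 'opcserver01' -ClientProcess 'OPCClient'   # example names
```

Run it on the client first, then on the server with the roles swapped; a port listed under DcomPortRange that is not open on the firewall, or an OPCEnum service that is stopped, explains most browse failures before any COM Security edit is needed.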

OPC DCOM

  • MOST of the difficulties surrounding OPC are due to DCOM
  • DCOM stands for “Distributed Component Object Model”
  • How does OPC relate to DCOM?
    • OPC is based on Microsoft’s Component Object Model (COM) technology.
    • Remote connectivity is accomplished using Distributed COM (DCOM), which contains a Security Layer.
    • DCOM Security is used to determine which users have Access and Launching rights in DCOM-enabled applications on either the local PC or on PCs in the local network/domain.
    • DCOM depends on Remote Procedure Calls (RPC) for remote connections. Any connection made to applications running under different accounts on a local PC is treated as a remote procedure call. This is important to remember when configuring the security settings.
    • DCOM was intended for use in domains, in which it is much easier to configure and manage connectivity. When connecting between Workgroup PCs or Domain and Workgroup PCs, the process becomes much more difficult.
  • It is a proprietary Microsoft technology for communication among software components distributed across networked computers
  • For example, one can create a program that has certain subroutines that are processed not on the local server but on another server in the network. Using DCOM interfaces, the program (now acting as a client object) can forward a Remote Procedure Call (RPC) to the specialized server object, which performs the necessary processing and returns the result to the program.
  • DCOM in Windows Registry
    • In any system, every COM object is listed in
      • HKEY_CLASSES_ROOT\
        • The OPC address (ProgID) should be listed here.
        • In here a reference to the CLSID is given
    • Each COM object will have a CLSID, which is listed under:
      • HKEY_CLASSES_ROOT\CLSID\
        • In here one will see a list of all the COM object IDs. These IDs are in the form of a GUID (globally unique identifier).
        • A reference to the AppID will also be given here
        • The AppID is DCOM’s: apart from a CLSID, a DCOM object also has an AppID. The AppID represents the security settings one configures using the DCOMCNFG tool. One AppID can be shared by multiple CLSIDs
          • The AppIDs are all listed under HKEY_CLASSES_ROOT\AppID
            • In here all the AppID GUIDs will be listed
  • OPCEnum
    • is used to browse a particular machine.
      • OPCEnum is installed on the OPC Server. The remote client first connects to OPCEnum to browse all available OPC Servers.
      • NOTE: SOMETIMES IT IS NECESSARY FOR THE OPC CORE COMPONENTS REDISTRIBUTABLE TO BE INSTALLED ON THE CLIENT MACHINE AS WELL FOR OPC BROWSE TO WORK. This is probably because the client needs some of the OPC components to work.
    • OPCEnum can be downloaded from the OPC Foundation website. It is called ‘OPC Core Components Redistributable’. There are x86 and x64 versions.
    • OPCEnum runs as a service, hence uses the ‘Local System Account’
    • When OPCEnum initiates a callback, the callback request comes as ‘Anonymous’; therefore ‘ANONYMOUS LOGON’ needs to be allowed on the CLIENT MACHINE. OPCEnum needs to have its AUTHENTICATION LEVEL SET to ‘NONE’
  • For OPC DCOM, some clients do not use OPCEnum. In this case, the OPC server’s CLSID needs to be manually added on the client machine
    • Below is an example of a registry file (this needs to be copied into a .reg file)
        REGEDIT4
        [HKEY_CLASSES_ROOT\AppID\{F8582CF2-88FB-11D0-B850-00C0F0104305}]
        @="MatrikonOPC Server for Simulation and Testing"

        [HKEY_CLASSES_ROOT\CLSID\{F8582CF2-88FB-11D0-B850-00C0F0104305}]
        @="MatrikonOPC Server for Simulation and Testing"
        "AppID"="{F8582CF2-88FB-11D0-B850-00C0F0104305}"

        [HKEY_CLASSES_ROOT\CLSID\{F8582CF2-88FB-11D0-B850-00C0F0104305}\ProgID]
        @="Matrikon.OPC.Simulation.1"

        [HKEY_CLASSES_ROOT\Matrikon.OPC.Simulation.1]
        @="MatrikonOPC Server for Simulation and Testing"

        [HKEY_CLASSES_ROOT\Matrikon.OPC.Simulation.1\CLSID]
        @="{F8582CF2-88FB-11D0-B850-00C0F0104305}"
    • Below is another example, for connecting to the Yokogawa HIS OPC for Centum CS3000
        REGEDIT4
        [HKEY_CLASSES_ROOT\Yokogawa.CSHIS_AE.1]
        @="Yokogawa CSHIS OPC Alarms & Events Server"

        [HKEY_CLASSES_ROOT\Yokogawa.CSHIS_AE.1\CLSID]
        @="{21FF9972-DE40-11D1-B324-00A024770B10}"

        [HKEY_CLASSES_ROOT\CLSID\{21FF9972-DE40-11D1-B324-00A024770B10}]
        @="Yokogawa CSHIS OPC Alarms & Events Server"
        "AppID"="{21FF9972-DE40-11D1-B324-00A024770B10}"

        [HKEY_CLASSES_ROOT\CLSID\{21FF9972-DE40-11D1-B324-00A024770B10}\ProgID]
        @="Yokogawa.CSHIS_AE.1"

        [HKEY_CLASSES_ROOT\AppID\{21FF9972-DE40-11D1-B324-00A024770B10}]
        @="Yokogawa CSHIS OPC Alarms & Events Server"
        "RunAs"="CENTUM"
        "AuthenticationLevel"=dword:00000001

      • Tested to work ==> The RunAs and AuthenticationLevel may be omitted
  • The AppID configurations are stored in a registry key
    • [HKEY_CLASSES_ROOT\AppID\{<AppID>}]
  • Individual CLSIDs are mapped to their corresponding AppID in the Windows registry
    • [HKEY_CLASSES_ROOT\CLSID\{<clsid>}]
    • "AppID" = "{<appid>}"
  • OPC ERROR CODES
    • OPC will give error codes; these will be given out by the client (in client logs, popups, etc.). The common client codes are as follows:
      • 0xC0042329 : This means the OPC server’s maximum number of connections has been exceeded
  • DCOM Firewall Requirements
    • When a computer wishes to host a DCOM service, it needs to allow inbound TCP port 135
    • The computer will then dynamically allocate secondary inbound ports for communication. The client will connect to these inbound ports.
    • Due to this, for DCOM to work, TCP port 135 plus all the dynamically allocated ports need to be allowed through the firewall
    • This is typically done by either
      • Allowing only the OPCEnum and OPC Server programs to communicate with an unrestricted firewall port range
      • Limiting the dynamically allocated DCOM ports. This can be done in the Windows dcomcnfg window
        • From the Start menu, point to Programs, point to Administrative Tools, and then click Component Services to start Component Services.
        • Click to expand the Component Services and Computers nodes. Right-click My Computer, and then click Properties.
        • On the Default Protocols tab, click Connection-oriented TCP/IP in the DCOM Protocols list box, and then click Properties.
        • In the Properties for COM Internet Services dialog box, click Add.
        • In the Port range text box, add a port range (for example, type 5000-5020), and then click OK.
        • Leave the Port range assignment and the Default dynamic port allocation options set to Internet range.
        • Click OK three times, and then restart your computer.
    • TCPView of the OPC Server connections shows the following
      • Port 135 is only used for the initial connection. It is disconnected once the handshake is finished
    • TCPView when 2 machines are connected to the OPC Server shows the following
      • Note that for the OPC Server, DCOM has allocated only one inbound port (22008) for both connections. A second port (22007) is allocated for OPCEnum. We can conclude that the port allocation is specific to each process. Theoretically, it should work if only 2 ports are allowed in DCOMCNFG, hence reducing the hole in the firewall. However, it is best to set it to five ports (1 for OPCEnum and 4 for the OPC Server), because this is what most vendors recommend: even though the current OPC Server only needs 1 dynamically allocated port, we are not sure what will happen in future releases.
  • DCOM Configuration Basics
    • It is important to note that after any configuration change on a DCOM object, the DCOM application or service needs to be restarted before the change takes effect.
    • Every time you add a user to a group, you need to either:
      • Log in using that user so that the user profile gets registered in that group
      • Restart the machine
  • DCOM Configuration Steps for OPC
    • The ‘Enable Distributed COM’ check box allows one to completely disable DCOM on a machine.
    • Default Authentication Level
      • Generally, we want to set this at ‘NONE’ or ‘CONNECT’
      • Authentication is the process by which DCOM identifies the caller’s identity. Authentication is specified for each DCOM object. The authentication levels are:
        • None
          • No authentication is performed between client and server (DCOM). In this case, no credentials are required to access the DCOM object. For this to work though, ANONYMOUS LOGON must be specified in the Edit Limits (especially for Access Permission)
        • Connect
          • Authentication is done only during the initial connection
        • Call
          • Authentication is done for every DCOM call
        • Packet
          • Authentication is done for every packet. Packets are neither signed nor encrypted
        • Packet Integrity
          • Authentication is done for every packet. Packets are signed but not encrypted.
        • Packet Privacy
          • Authentication is done for every packet. Packets are signed and encrypted.
      • Note that when anything other than ‘NONE’ is selected, authentication must occur. This means that ‘ANONYMOUS LOGON’ will not work.
      • The ‘Default authentication level’ is used when a DCOM object specifies ‘Default’ in its settings. It can be considered a computer-wide security policy.
    • Default Impersonation Level
      • Generally, ‘Identify’ is used as it allows the DCOM object to verify the caller
      • The impersonation level is the amount of authority/credentials given to each DCOM object to impersonate a client. If too little authority is given, the DCOM server may refuse to run the call. If too much authority is given, this can be dangerous as the server may impersonate ‘malicious’ clients.
      • Impersonation levels
        • Anonymous
          • The client is anonymous to the server
          • In simpler words, the credentials of the caller are hidden/unknown.
        • Identify
          • The server knows the client’s identity and uses it for Access Control List checking
          • In simpler words, allows the server to query the credentials of the caller
        • Impersonate
          • The server acts as the client (the server becomes the client)
          • The server cannot make outgoing calls on behalf of the client
          • In simpler words, allows objects to use the credentials of the caller.
        • Delegate
          • The server acts as the client (the server becomes the client)
          • The server CAN make outgoing calls on behalf of the client
          • In simpler words, allows objects to use the credentials of the caller, and other objects called by the first object to use the caller’s credentials as well
      • The default impersonation level simply sets the computer-wide default. It applies if the DCOM object does not set its own impersonation level.
    • Here one sets the overall COM/DCOM security.
      • COM/DCOM security is about who can or cannot access COM/DCOM. This sets computer-wide COM/DCOM security
      • There are two types of security permissions
        • Access Permissions
          • Allow which users can connect to an instance of a COM class. In other words, this controls who can access an already running COM/DCOM object
        • Launch and Activation Permissions
          • Allow which users can start a new COM/DCOM object
      • There are two types of edits
        • Edit Limits
          • This modifies the computer-wide restriction policy. If an application specifies an access setting for a particular account that grants MORE than what is specified here, it will be limited to this. It is therefore generally recommended to set this as high as possible (i.e. allow many accounts)
            • One thing to note here is the ‘NONE’ authentication level: ‘ANONYMOUS LOGON’ needs to be allowed in here for the ‘NONE’ authentication level to work.
          • Programmatically, this applies to applications that call the ‘CoInitializeSecurity’ Win32 API. An application may opt not to set its security by not calling this function; in this case, the application uses the default COM security.
        • Edit Default
          • This modifies the computer-wide default setting. Whenever an application does not specify its access permissions, this default is used
          • Programmatically, this applies to applications that do NOT call the ‘CoInitializeSecurity’ Win32 API
      • The important thing here is that both need to be configured with ‘ANONYMOUS LOGON’ for OPCEnum to work
      • Sometimes the ‘NETWORK’ logon is also required. NETWORK logon is used for file/IIS authentication
    • The General Tab
      • In the General tab the Authentication Level is the key thing in allowing DCOM access
        • If Authentication is set to ‘NONE’,
          • DCOM will not perform any authentication of the caller.
          • ‘ANONYMOUS LOGON’ need not be allowed here; it still works without it.
            • However, ‘ANONYMOUS LOGON’ needs to be allowed in ACCESS PERMISSION and LAUNCH AND ACTIVATION PERMISSIONS ==> EDIT LIMITS. There, Anonymous Logon needs to be keyed in.
          • This is the least secure, but it works!
        • If Authentication is set to anything other than ‘NONE’, DCOM authentication will be performed. ‘ANONYMOUS LOGON’ will not work.
          • ‘CONNECT’ means authentication will be performed upon connection
          • ‘PACKET’ means authentication will be performed for each packet. This is more secure
          • ‘PACKET PRIVACY’ means authentication will be performed and all packets are encrypted. This is the most secure
        • If Authentication is set to ‘DEFAULT’, it will be based on the computer-wide setting mentioned above.
      • Generally, we set this to Connect, meaning DCOM will ask for authentication upon connection. FOR QUICK and EASY configuration set the AUTHENTICATION to NONE.
    • The Location Tab
      • Determines where the DCOM application will be run
      • Generally, should be set as ‘Run application on this computer’
    • The Security Tab
      • If default is selected, it uses the computer-wide default settings (set above)
    • The Identity Tab
      • Specifies what user account the application will run under when it is started. Descriptions of the options are as follows.
        • Interactive User:
          • A user running interactively on the desktop.
          • OR: the application runs under the identity of the user who is currently logged on to the computer. This user’s security credentials are used when the application is authenticated to access resources
        • Launching User:
          • The user that makes the initial connection request to an application that is not running, but is launched.
          • OR: the application runs using the security context of the user who started the application (the launching user) so that the application can be authenticated in the domain.
          • The launching user may be the same as the interactive user
        • Specified User:
          • A specified user account on the PC. If the server is running as a service on a Windows XP or 2003 Server OS, the account will not be able to be opened on the desktop.
          • OR: the application runs using the security context of the specified user account so that it can be authenticated in the domain
        • System Account:
          • The server application runs using the security context of the built-in System account (LOCAL SYSTEM)
          • This is the default for applications that are running as a service.
      • NOTE that not all OPC Servers are services. Some OPC Servers may be simple Windows applications that are launched, e.g. the Yokogawa HIS OPC Server.
      • Identity has nothing to do with impersonation. Identity is what the server runs as; impersonation is about how the DCOM calls are attributed by the server
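The ProgID → CLSID → AppID chain described in the registry section above, followed from the OPC server machine to report the per-application DCOM settings behind the General, Identity and Security tabs next to the computer-wide Edit Limits that cap them, as an added PowerShell example that is not part of the original page. The registry value names (AuthenticationLevel, RunAs, LocalService, AccessPermission, LaunchPermission, MachineAccessRestriction, MachineLaunchRestriction) are Microsoft’s documented AppID and Ole values; the ProgID in the call at the bottom is the page’s Matrikon simulation server.

```powershell
# Added example (not from the original page): audit one OPC server's DCOM
# settings by walking HKCR\<ProgID>\CLSID -> HKCR\CLSID\{clsid}\AppID ->
# HKCR\AppID\{appid}, then decoding the binary security descriptors.
function ConvertFrom-DcomSd {
    # Binary DCOM security descriptor -> "AceType account (0xmask)" lines
    param([byte[]]$Bytes)
    if (-not $Bytes) { return ,'(not set: computer-wide default applies)' }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        '{0} {1} (0x{2:X})' -f $ace.AceType, $who, $ace.AccessMask
    }
}

function Get-OpcDcomAppSettings {
    param([Parameter(Mandatory)][string]$ProgId)
    if (-not (Test-Path 'HKCR:\')) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    $clsid = (Get-ItemProperty "HKCR:\$ProgId\CLSID" -ErrorAction Stop).'(default)'
    $appid = (Get-ItemProperty "HKCR:\CLSID\$clsid" -ErrorAction Stop).AppID
    if (-not $appid) { throw "CLSID $clsid has no AppID, so no per-application DCOM settings" }
    $app = Get-ItemProperty "HKCR:\AppID\$appid" -ErrorAction Stop
    $ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'

    # General tab: 1=None ... 6=Packet Privacy; value absent means "Default"
    $auth  = @{1='None';2='Connect';3='Call';4='Packet';5='Packet Integrity';6='Packet Privacy'}
    $level = 'Default (computer-wide)'
    if ($null -ne $app.AuthenticationLevel) { $level = $auth[[int]$app.AuthenticationLevel] }

    # Identity tab: LocalService = service (system account); RunAs = 'Interactive User'
    # or a specific account; neither value present = launching user
    $identity = 'Launching User'
    if ($app.RunAs)        { $identity = $app.RunAs }
    if ($app.LocalService) { $identity = "service '$($app.LocalService)'" }

    [pscustomobject]@{
        ProgId              = $ProgId
        CLSID               = $clsid
        AppID               = $appid
        Name                = $app.'(default)'
        AuthenticationLevel = $level
        Identity            = $identity
        # Security tab: per-application ACLs (absent = Edit Default applies)
        AccessPermission    = ConvertFrom-DcomSd $app.AccessPermission
        LaunchPermission    = ConvertFrom-DcomSd $app.LaunchPermission
        # COM Security > Edit Limits: computer-wide cap on whatever the app grants
        MachineAccessLimits = ConvertFrom-DcomSd $ole.MachineAccessRestriction
        MachineLaunchLimits = ConvertFrom-DcomSd $ole.MachineLaunchRestriction
    }
}

Get-OpcDcomAppSettings -ProgId 'Matrikon.OPC.Simulation.1' | Format-List
```

An entry for NT AUTHORITY\ANONYMOUS LOGON in MachineAccessLimits is what the OPCEnum callback needs; an AuthenticationLevel of None together with Everyone in the per-application ACLs is the wide-open configuration the text warns is the least secure.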
OPEN-PLANT PTY LTD

Perth, Australia

EMAIL

info@open-plant.com