Configuring data acquisition using the OPC UA protocol

Kaspersky IoT Secure Gateway 100 receives data from equipment residing within the internal enterprise network over the OPC UA protocol, which is described by the OPC Unified Architecture specification. You can read about the OPC UA protocol specification on the developer's website. Kaspersky IoT Secure Gateway 100 supports OPC UA protocol version 1.04.

The None security profile in the Kaspersky IoT Secure Gateway 100 settings is the security profile that is most compatible with various types of industrial equipment for OPC UA connections.

When generating certificates for a connection between a client (Kaspersky IoT Secure Gateway 100) and the OPC UA server, make sure that the certificates comply with the following settings:

• The settings of keys and certificates are compliant with the selected security policy.
• DER or PEM format is used for certificates and client keys.
• For the client certificate, the Subject Alt Name field contains the value URI:urn:aprotech:KISG100:OpcUaClient.

Kaspersky IoT Secure Gateway 100 uses the following folders to store certificates and keys for a connection with an OPC UA server:

• /app/Core/pki/private/transfer/opc_ua/client/ – folder in the TGW-HW-IDS section of the SD card for storing OPC UA client keys.
• /app/Core/pki/certs/transfer/opc_ua/client/ – folder in the TGW-HW-IDS section of the SD card for storing certificates of the OPC UA client and OPC UA server.

You can configure the settings for receiving data from monitored objects over the OPC UA protocol in the OpcUaClientSettings-0.json configuration file.

To configure data acquisition using the OPC UA protocol:

1. Create an OpcUaClientSettings-0.json configuration file and put it in the folder /app/Core/config/transfer/opc_ua/client in the TGW-HW-IDS section of the SD card.

   All of the actions described next are performed within the OpcUaClientSettings-0.json file.

2. To correctly route data from industrial equipment to the MindSphere repository, specify the ID and name of the OPC UA client:
   1. In the mandatory id parameter, define the ID of the OPC UA client that will receive data from the OPC UA server (industrial facility). For example, "id": 0.
      

      The OPC UA client ID is assigned by the administrator when configuring data receipt. The value of this parameter must match the value of the receivingHubId parameter in the GuideSettings-0.json configuration file.

   2. In the mandatory name parameter, define the name of the OPC UA client that will receive data from the OPC UA server (industrial facility). For example, "name": "Kaspersky IoT Secure Gateway 100 OPC UA Client".
3. To make it easier to read the configuration, you can use the optional description parameter to enter a description of the OPC UA client that will receive data from the OPC UA server (industrial facility). For example, "description": "Collect data from CNC by Kaspersky IoT Secure Gateway 100".
4. To connect an OPC UA client to equipment, specify the OPC UA server address and port in the mandatory url parameter. For example, "url": "opc.tcp://192.168.177.7:4840".
5. Specify a time interval (in seconds) in the readingCycle parameter to define how frequently the gateway will read data. For example, "readingCycle": 1.
6. Configure the security settings in the mandatory security settings block:
   

   The OPC UA protocol provides the capability to establish a secure data transfer channel between the client and server by using encryption and authentication. Part 7 of the OPC UA standard provides a description of security profiles that can define the use of asymmetric and symmetric encryption algorithms, lengths of encryption keys, and data signature hash functions, for example. To transmit data over the OPC UA protocol in compliance with the required security specifications, you must complete the corresponding fields in the configuration file.

   1. In the mode parameter, indicate the security management mode for the connection of the client application that is being used on your OPC UA server. The following security management modes are available:
      • Sign means that the connection requires a digital signature for data.
      • SignAndEncrypt means that the connection requires both a digital signature and data encryption.
      • None means that the connection does not require a digital signature or data encryption. It is not recommended to use this mode because it does not ensure a secure connection between the OPC UA client and the OPC UA server.
      • Any means that the connection will use any of the listed modes that are supported by the server: Sign, SignAndEncrypt, None.
   2. In the policy field, specify the name of the security profile that is being used on your OPC UA server. The following security profile options are available:
      • Basic128Rsa15.
      • Basic256.
      • Basic256Sha256.
      • None.
      • Any means that any of the listed policies can be used (if supported by the server): Basic128Rsa15, Basic256, Basic256Sha256, None.
   3. For secure communication over OPC UA, you must create a private key and certificate and put them into the client and server configuration. To set up a secure connection over OPC UA, define the following settings in the clientPkiData settings block:
      • In the certificate field, specify the name of the certificate file for the OPC UA client. For example, "certificate": "client.crt".
      • In the privateKey field, specify the name of the private key file for the OPC UA client certificate. For example, "privateKey": "client.key".

        The clientPkiData settings block must be completed even if the None value is set for the mode and policy fields.

   4. In the trustList field, specify the array that contains the names of trusted certificate files. For example, "trustList": ["server.crt"]. If the OPC UA server configuration prescribes the use of a custom trusted list, add the client certificate to the list of trusted certificates of the server. If certificate verification is not required, indicate the AllowAll value for this parameter.

   If you do not need to complete the mode, policy and clientPkiData settings blocks, define the null value for the security settings block. The security mode will be set to None in this case.

7. For OPC UA client authentication on the OPC UA server, provide the user account credentials for the connection in the mandatory userCredentials settings block:
   1. In the username field, enter the name of the user account for authorization on the OPC UA server.
   2. In the password field, enter the password of the user account for authorization on the OPC UA server.

   If you want to allow anonymous connection of the OPC UA client to the OPC UA server, define the null value in the userCredentials block. In this case, you do not need to fill in the username and password fields.

8. If you want to configure periodic forwarding of the health signal (heartbeat) of Kaspersky IoT Secure Gateway 100 to the Siemens MindSphere cloud platform, do the following:
   

   The architecture of Kaspersky IoT Secure Gateway 100 does not allow the use of standard tools for determining the operating status of a gateway in Siemens MindSphere. Whenever Kaspersky IoT Secure Gateway 100 is enabled but is not transmitting data from equipment to the Siemens MindSphere cloud platform, the cloud platform may assume that Kaspersky IoT Secure Gateway 100 is disabled. To support the capability to receive information about the current state of the connection to Kaspersky IoT Secure Gateway 100, there is a mechanism for sending a gateway health signal (heartbeat) to Siemens MindSphere at specific time intervals. This signal is generated by the OPC UA client. The delivery of this signal to the cloud notifies the cloud platform that the gateway is operational and that data is being correctly transmitted.

   1. Make sure that the Siemens MindSphere cloud platform has a data point configured for implementing the heartbeat transmission function.
   2. In the optional heartbeat settings block, define the following settings:
      • Enter the data node ID in the id field. For example, "id": 0.
      • Specify the data node name in the name field. For example, "name": "Heartbeat".
      • In the timeout field, specify the time period (in seconds) between the generation of heartbeat signals. For example, "timeout": 60. This field is optional. The default value for the time period between generated signals is 30 seconds.

   If you skip configuration of periodic heartbeat signal transmission or define "heartbeat": null, no heartbeat signals will be transmitted.

9. In the mandatory nodes settings block, specify the following parameters for each data node:
   1. Enter the data node ID in the id field.
   2. Specify the data node name in the name field.
      

      The ID and name of data nodes are required for building routes and transmitting data from industrial equipment to the MindSphere repository. In OPC UA, a data node is an element of the OPC UA data model identified by a unique id. An OPC UA client uses a node data update subscription to receive and relay this data according to the described routes.

   3. In the nodeId settings block, provide the following data:
      1. ID of the OPC UA server namespace in the ns (namespace index) field
      2. ID of the data node in the OPC UA server namespace The following options are available:
         • s (string identifier) – string value for the data node ID. For example, "nodeId": "ns=1;s=Variable temperature".
         • i (numeric) – numerical value for the data node ID. For example, "nodeId": "ns=2;i=2045".
10. Save the changes in the OpcUaClientSettings-0.json file.

The settings defined in the OpcUaClientSettings-0.json file will be applied the next time Kaspersky IoT Secure Gateway 100 is started.

Kaspersky IoT Secure Gateway 100 will receive data from industrial facilities within the internal enterprise network via the protocol that is described by the OPC Unified Architecture specification.

Page top