All posts by vogler

Allgemein, Frankenstein

Automation Gateway with Apache IoTDB…

The Frankenstein Automation Gateway can now write OPC UA tag values to the Apache IoTDB. Did some rough performance tests with 50 OPC UA servers and one IoTDB… the IoTDB is pretty impressive fast. Also the data model and terminology is interesting and it seems to fit good to a hirarchical structure in OPC UA.

In this lab I have connected 50 OPC UA servers (based on a .NET OPC UA server example) to Frankenstein. Each OPC UA server publishes 1000 tags of different type, so in summary we have 50000 tags connected to Frankenstein. The publish rate can be adjusted by setting an OPC UA tag. Sure, we do that via GraphQL over Frankenstein. On my commodity hardware I ended with writing about 250Khz to the IoTDB with an CPU load of ~200%. So, I assume the IoTDB is able to handle much more value changes per second.

Figured out that one DB Logger inside of Frankenstein roughly is able to handle 100000 events per second. We can spawn multiple DB Logger for scalabilty. Vert.X can then use multiple cores (Vert.X calls this pattern the Multi-Reactor Pattern to distinguish it from the single threaded reactor pattern).

Just to note: there is only a memory buffer implemented, so if the DB is down, then the values will be lost if the buffer runs out of space. But I think to handle such situations it would make sense to put Apache Kafka between the Gateway and the Database.

GraphQL Query to set the simulation interval:

query ($v: String) {
  Systems {
    opc1 { Demo { SimulationInterval { SetValue(Value: $v) } } }
    opc2 { Demo { SimulationInterval { SetValue(Value: $v) } } }
    opc3 { Demo { SimulationInterval { SetValue(Value: $v) } } }
    opc4 { Demo { SimulationInterval { SetValue(Value: $v) } } }
    opc5 { Demo { SimulationInterval { SetValue(Value: $v) } } }
    opc6 { Demo { SimulationInterval { SetValue(Value: $v) } } }
    opc7 { Demo { SimulationInterval { SetValue(Value: $v) } } }
    opc8 { Demo { SimulationInterval { SetValue(Value: $v) } } }
    opc9 { Demo { SimulationInterval { SetValue(Value: $v) } } }
    ...
  }
}
Query Variables: {"v": "250"}
Allgemein

Let’s Encrypt Certificate with WinCC OA on Windows

This is a manual way to get and use Certificates from Letsencrypt with the Webserver (ULC UX) in WinCC Open Architecture. You have to update the certificate manually before it expires.

  • Temporarily configure IIS (HTTP) to get a new certificate via WIN-ACME
  • Download Win-ACME, it is a Letsencrypt Client for Windows + IIS
  • Set “PrivateKeyExportable” to TRUE! in settings.json of Win-ACME!
  • Execute Win-ACME wacs.exe and follow the instructions for fist setup.
  • Execute wacs.exe --renew --baseuri https://acme-v02.api.letsencrypt.org/ to renew a certificate.

  • Export Root Certificate as PEM:
  • Save Root Cert as root-cert.pem to the WinCC OA project config directory.

  • Export the Host Certificate with “certlm”
  • Convert Certificate from PFX to Certificate and Private-Key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out keyfile-encrypted.key
openssl rsa -in keyfile-encrypted.key -out privkey.pem
=> Save to config/privkey.pem

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out certificate.pem
=> Save to config/certificate.pem
Allgemein

MQTT and GraphQL Gateway for OPC UA

Here is an OPC UA gateway with which you can access your OPC UA values via MQTT and GraphQL (HTTP). If you have an OPC UA server in your PLC, or a SCADA system with an OPC UA server, you can query data from there via MQTT and GraphQL (HTTP). In addition, the gateway can also log value changes from OPC UA nodes in an InfluxDB. The archived values can then also be queried via GraphQL.

Open-source

Runs anywhere: Linux, Windows, Mac, …

Example MQTT Client:

Example MQTT Topics:

opc/unified/node/1/16.687.1.0.0.0
opc/unified/node:Value/1/16.687.1.0.0.0
opc/unified/node:Pretty/1/16.687.1.0.0.0
opc/unified/path/Tags/HMI_Tag_3
opc/oa/node:Value/2/ExampleDP_Float.ExampleDP_Arg1
opc/oa/node:value/2/ExampleDP_Float.ExampleDP_Arg1
opc/oa/node:Json/2/ExampleDP_Float.ExampleDP_Arg1
opc/oa/node:json/2/ExampleDP_Float.ExampleDP_Arg1

Example GraphQL Queries:

Here are some Videos/Demos:

WinCC Unified

Enable OPC UA Server in WinCC Unified

In the TIA Portal you have to enable “Operate as OPC Server” in the Runtime Settings of your project. Download and restart the runtime, and then the OPC UA Server is listening on opc.tcp://localhost:4890.

You need to have a user which has a role with the OPC-UA read and write access permission.

When you try to connect with a client the client will send the certificate to the server and typically the certificate is rejected by the server. To trust the certificate you have to move the certificate from the “Rejected” folder to the “Trusted” folder.

C:\Program Files\Siemens\Automation\WinCCUnified\bin\PKI\Rejected\certs

C:\Program Files\Siemens\Automation\WinCCUnified\bin\PKI\Trusted\certs

WinCC Unified

How to disable security in WinCC Unified OPC UA Server…

Caution! Don’t do this in a productive environment!

Add a security police “None” to the OPC UA configuration file.

On Windows you can find the file here: “C:\Program Files\Siemens\Automation\WinCCUnified\bin\OpcUaServerRTIL.xml”

<SecurityProfileUris>
<SecurityProfile>
<ProfileUri>http://opcfoundation.org/UA/SecurityPolicy#None</ProfileUri>
<Enabled>true</Enabled>
</SecurityProfile>
...
</SecurityProfileUris>
Allgemein

Mount Disk Image on Linux

If you have created a backup of a disk with dd:

dd if=/dev/sdb of=image.img bs=4096

then you can create loop back devices with partitions:

losetup -f -P ./image.img 
losetup -a

then you can mount partition:

mount /dev/loop0p1 /mnt/disk

Another hint: Copy files with tar so that permissions and users are persevered:

tar cf - . | (cd /destination; tar xvf -)

tar cf - . | ssh root@server2 "tar xf - -C /destination/"

WinCC Unified

How to view remote traces with RTILtraceViewer from a SIMATIC HMI Unified Comfort Panel…

First you have to enable the Trace forwareder on the panel

Then you have to start a tool on the host where you have installed TIA with Unified (change IP to your Panel IP):

"c:\Program Files\Siemens\Automation\WinCCUnified\bin\RTILtraceTool.exe" -mode receiver -host 192.168.210.128 -tcp

Then you can start the trace viewer on the PC:

"C:\Program Files\Siemens\Automation\WinCCUnified\bin\RTILtraceViewer.exe"

Allgemein

How to enable remote docker API…

Create a file “override.conf” in /etc/systemd/system/docker.service.d

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376

Reload and restart the Docker daemon:

systemctl daemon-reload
systemctl restart docker.service

Now you can connect for example the Siemens Industrial Edge Publisher to the Docker engine and create a Industrial App from images on your Docker host.