GEI-100621 WorkstationST OPC DA Server · 2019-12-16 · • Permits browsing for non-EGD variables. This protocol works for Mark* VI, UC2000, and Mark VIe controllers. • Provides

GEI-100621P

WorkstationST OPC DA ServerInstruction GuideThese instructions do not purport to cover all details or variations in equipment, nor to provide for every possiblecontingency to be met during installation, operation, and maintenance. The information is supplied for informationalpurposes only, and GE makes no warranty as to the accuracy of the information included herein. Changes, modifications,and/or improvements to equipment and specifications are made periodically and these changes may or may not be reflectedherein. It is understood that GE may make changes, modifications, or improvements to the equipment referenced herein or tothe document itself at any time. This document is intended for trained personnel familiar with the GE products referencedherein.

Public Information – This document contains non-sensitive information approved for public disclosure.

GE may have patents or pending patent applications covering subject matter in this document. The furnishing of thisdocument does not provide any license whatsoever to any of these patents.

GE provides the following document and the information included therein as is and without warranty of any kind,expressed or implied, including but not limited to any implied statutory warranty of merchantability or fitness forparticular purpose.

For further assistance or technical information, contact the nearest GE Sales or Service Office, or an authorized GE SalesRepresentative.

Revised: Dec 2019Issued: Feb 2006

© 2006 – 2019 General Electric Company.___________________________________* Indicates a trademark of General Electric Company and/or its subsidiaries.All other trademarks are the property of their respective owners.

We would appreciate your feedback about our documentation.Please send comments or suggestions to [email protected]

Public Information

mailto:[email protected]

Document UpdatesRevision Location Description

P OPC DA Client PrivilegesNew Chapter describing the Enable Client Security By User property,used to enable or restrict OPC DA or OPC UA user client privileges

N Live Data.csv File InterfaceAdded a new .csv file format column, updated the existing screenshot,and added a paragraph providing the variable name formats

Acronyms and AbbreviationsEGD Ethernet Global Data, a control network and communication protocol

CMP Command Message Protocol

Comm CoE Communication Center of Excellence

DA Data Access

DCOM Distributed Component Object Model

HMI Human-Machine Interface

HTTP HyperText Transfer Protocol

ICN Integrated Control Network

OOS Out-of-service

OPC A standard for data exchange in the industrial environment

PDH Plant Data Highway

SDB System Database

SDI System Data Interface

UDH Unit Data Highway

2 GEI-100621P GEI-100621 WorkstationST OPC DA ServerPublic Information

Contents1 Introduction.................................................................................................................................................42 Features ......................................................................................................................................................43 Variable Names ............................................................................................................................................53.1 Toolbox Variables through SDB.................................................................................................................53.2 ToolboxST Variables ...............................................................................................................................53.3 Data Update Rates ..................................................................................................................................63.4 Service Monitoring .................................................................................................................................73.5 OPC DA Server Variable Configuration ......................................................................................................8

4 ToolboxSTApplication ..................................................................................................................................95 Runtime Monitor Config Utility ......................................................................................................................96 OPC DA Client Privileges ............................................................................................................................ 137 Ethernet Global Data (EGD) ......................................................................................................................... 147.1 EGD Live Data..................................................................................................................................... 147.2 Produced Exchange Health ..................................................................................................................... 147.3 EGD Command Message Protocol ........................................................................................................... 157.4 Dynamic EGD Updates.......................................................................................................................... 157.5 Redundant EGD Produced Pages ............................................................................................................. 167.6 Produced Page Health ............................................................................................................................ 17

8 OPC Client Data Plug-in .............................................................................................................................. 219 SDI Data Plug-in ........................................................................................................................................ 2110 TCI Plug-in.............................................................................................................................................. 2111 Live Data.csv File Interface......................................................................................................................... 2212 Network Status Monitor ............................................................................................................................. 2413 Workstation Consumption by Proxy.............................................................................................................. 2513.1 Initial Variable List Add ....................................................................................................................... 2613.2 Switch from Primary to Secondary ......................................................................................................... 27

14 Alarm Attribute Plug-in.............................................................................................................................. 2815 Variable Mapping...................................................................................................................................... 2916 Configure DCOM ..................................................................................................................................... 2916.1 DCOM Default Properties..................................................................................................................... 3016.2 Default Access Permissions................................................................................................................... 3216.3 Windows Workgroups Example ............................................................................................................. 3516.4 Change OPC Server DCOM Settings ...................................................................................................... 4416.5 DCOM Security .................................................................................................................................. 45

17 EGD ICN Service with WorkstationST.......................................................................................................... 4717.1 Configure Network Connection with Multiple IPAddresses ........................................................................ 4817.2 Configure IPAddresses ........................................................................................................................ 51

18 Glossary of Terms ..................................................................................................................................... 53

Instruction Guide GEI-100621P 3Public Information

1 IntroductionOPC® is an industry standard for communication between vendors in an industrial environment. The non-profit OPCFoundation provides the specification for the standard, as well as programming proxy stubs for OPC. OPC Data Access (DA)is the standard for real time data. There are also standards for historical data, alarms, and events. The OPC server supportsOPC DA.

2 FeaturesThe OPC server is OPC DA 2.05 and 3, as well as Ethernet Global Data (EGD) 3.04 compliant. The OPC DA 2.05 and 3.0compliance is verified using the OPC Foundation Compliance Test Tool. It is a Class 4 EGD server, which means that it canrespond to EGD configuration HyperText Transfer Protocol (HTTP) requests, using all Communication Center of Excellence(CoE) .xml configuration formats (Class 3) and is able to adapt to EGD configuration changes to consumed EGD nodes(Class 4). It also:

• Supports Command Message Protocol (CMP) sending and receiving.• Produces EGD exchanges.• Consumes EGD exchanges from other EGD components.• Supports data plug-in features, including OPC DA client data plug-ins.

This allows configuration of an internal OPC client to obtain variables at specified rates from another OPC DA server(s), andto make those variables available in the OPC DA server. The variables from this connection can be configured for anEGD-produced exchange.

Note Changes to configuration using the ToolboxST* application do not require a service restart, but are made through aWorkstationST* device download and requires the ToolboxST application to produce .xml files.

• Provides System Data Interface (SDI) for public, non-EGD variables.• Permits browsing for non-EGD variables. This protocol works for Mark* VI, UC2000, and Mark VIe controllers.• Provides configuration through system database (SDB).

A Runtime Monitor Config utility allows you to configure the OPC DA server, and to select EGD components from an SDB.The selected components are consumed by the OPC DA server.

Note The OPC DA server listens to EGD messages on the EGD port, which conflicts with older versions (prior to releaseV02.03.03C) of the EGD Integrated Control Network (ICN) service. Refer to the section EGD ICN Service withWorkstationST.


3 Variable NamesOPC clients connected to OPC DA servers can add groups, which are collections of variables with an associated update rate.A client can browse for the variable name using OPC DA 2.05 or 3.0. Once the client knows the variable name, the OPCclient adds the variable to a group. Variable names are defined by the EGD component and contained in that EGDcomponent’s produced data configuration file. The produced configuration file is an xml file published to the EGDConfiguration Server by the tool used to configure the EGD component. Tools that do not interact directly with the EGDConfiguration Server, but can interact with an SDB, can have their produced data configuration published to the EGDConfiguration Server by the Runtime Monitor Config utility included with the OPC DA server. Refer to the section RuntimeMonitor Config Utility.

3.1 Toolbox Variables through SDBThe variable names are determined by the user and the tool that produces the EGD configuration files. For the Control SystemSolutions (CSS toolbox) in a Mark VI or UC2000, typical variable names are Region1\Region2\Region3\variableName whereRegion2 and Region3 are optional. The SDB client used by the Runtime Monitor utility (and also used by ToolboxSTapplications for systems containing SDB-enabled external components) uses the SDB name but replace the backslash with adot. For example, G1\Variable would become G1.Variable when translated from an SDB.

3.2 ToolboxST VariablesVariable names in the ToolboxST application typically display in one of three ways:

• DeviceName.variable• DeviceName.program.variable• DeviceName.program.block.variable

Note With the release of the ToolboxST application version 4.0, a variable can be configured with an alias property (aliasname). This adds alias names to the OPC DA server browsable namespace.

The variable name in the OPC DA server is the same as the name used by the ToolboxST application.

Note When displaying public variables in a Mark VIe device, the device name at the start of the variable does not display.However, the device name displays when the variable is viewed from another component.


3.3 Data Update RatesWhen a client connects to the OPC DA server using an OPC DA 2.0 connection, the variable values in a group are updatedonce when the group goes active, and again when a variable changes. The update on change only contains the variables thatchanged since the last update. In addition, OPC DA 2.0 allows for a group deadband. When any variable changes by morethan that deadband, the variable is updated to the client. OPC DA 3.0 also allows a client to establish a deadband per variable.

The client requests an update rate when adding a group. The OPC DA server replies with the selected rate, which is theclosest multiple of the Maximum Client Rate configured in the WorkstationST OPC DA server tab, or in the Runtime MonitorConfig Options menu. For example, if the Maximum Client Rate is set to 100 ms and the client requests a rate of 80 ms, theclient is given a rate of 100. If the client requests 160 ms, the client is given a rate of 200 ms. The actual update rate of thevariables in a group depends on the rate that the variable is being updated to the OPC DA server. EGD variables are updatedat the EGD exchange rate. For SDI variables, the SDI live list is requested to the controller at the group rate.

In server performance testing:

• 5000 Boolean variables changed at 640 ms, and updated on one EGD exchange at 1000 ms• 10000 floating point variables changed at 32 ms, and updated on 40 EGD exchanges at 1000 ms• 100 floating point variables changed at 32 ms, and updated on one EGD exchange at 100 ms

The server maximum client connection rate was set to 10 ms and one client with one group was connected with a rate of 100ms. With the client connected, the OPC DA server used between 20 and 30 percent of a Pentium® 4 2.6 GHz CPU. Withoutthe client connected, the CPU utilization was around 10 percent.

3.3.1 EGD-consumed VariablesThe time stamp is the time from the component. The EGD protocol provides a time stamp in each produced exchange, whichis applied to all EGD-consumed variables.

3.3.2 SDI and OPC Client VariablesVariables that are read from SDI to a Mark VI, UC2000, or Mark VIe controller are marked with the time contained in theheader of the SDI live value update message.

Variables that are read from a remote OPC DA server using the OPC client live data plug-in are given the time stamp from theremote OPC DA server.


3.4 Service MonitoringThe WorkstationST component of the ToolboxST application provides configuration, monitoring, and control of the OPC DAserver. In addition, the OPC DA server Runtime Monitor application can be used to monitor and control the OPC DA server.The Runtime Monitor application can be used to configure the OPC DA server in applications without the ToolboxSTapplication.

➢➢ To open the GE OPC DA Server Monitor screen: from the Start menu, select Programs, GE ControlST, OPCDA Server, and GE OPC DA Server Monitor.


3.5 OPC DA Server Variable ConfigurationThe following diagram shows the variable configuration.


4 ToolboxSTApplicationToolboxST V02.0 or higher is used to configure the OPC DA server, which is a feature of the WorkstationST component.OPC DA server-owned variables are defined here, and optionally placed onto EGD. An OPC client feature allows for multipleOPC DA server connections to obtain variables from an alternate OPC DA server.

The ToolboxST application allows you to select consumed components for a WorkstationST computer. The EGD for thesecomponents is then consumed by the OPC DA server. The components can be external or ones configured by the ToolboxSTapplication. Data can be obtained from a SDB for an external component.

5 Runtime Monitor Config UtilityThe Runtime Monitor Config utility allows you to

• Configure the server• Start and stop the server• Monitor server status

The utility allows you to select a SDB, as well as a next-generation SDB. EGD components in the SDB can be selected. Youcan also add a network component to your SDB to represent the OPC DA server’s produced EGD exchanges. Once theconsumed EGD components from SDB are selected, a configuration build gets all variable data for each selected componentfrom the SDB, and places it into the EGD Configuration Server. The data from the EGD Configuration Server is then placedin the configuration files needed by the OPC DA server.

The utility also provides an executable, OpcServerCfg.exe, which allows for a command line configuration update. TheOpcServerCfg has the following command line arguments:

Argument Definition

/help Display this help

/build Bind the EGD configuration from SDB and EGD Configuration Server, buildconfiguration files needed by OPC DA Server Service and request service to readconfiguration (if no errors on bind)

/useWithErrors Request service to read configuration even if there are errors on bind


➢➢ To modify the configuration: From the Tools menu on the GE OPC DA Server Monitor screen, selectModifyConfiguration. If the SDB is enabled under Settings in the Options menu, the following window displays.


If the SDB is disabled under Settings in the Options menu, the following screen displays:

Select components to be built into the configuration. All audible EGD variables are placed in the OPC DA server. Variablesare audible if the EGD exchange on which they reside is being sent to a destination (broadcast, directed, or multicast) that theserver can hear.

Note The address and subnet mask settings should match a network adapter used by the OPC DA server computer.

The Producer Device Name displays in the lower-left corner of the window. If the producer information cannot be obtainedfrom the EGD Configuration Server, click the Edit PC Network Settings icon to change the settings for this computer. Forexample, if you wanted to consume an EGD component that was broadcasting a page to 172.20.255.255 on the network UnitData Highway (UDH), you could add a network in the Edit PC Network Settings dialog box, then enter the address, subnetmask, and network name to hear this broadcast (for example, 172.20.100.10 mask, 255.255.0.0 network name UDH).


The Build Configuration icon allows you to refresh selected SDB components, then put them into the EGD ConfigurationServer. All selected EGD Configuration Server components are then built into a consumed data file and placed into the OPCDA server’s configuration directory. If one of the selected components matches this producer component name, thatcomponent becomes the produced data for the server. The OPC DA server must be restarted to read this changedconfiguration.

Note If the EGD Generic Device editor is installed, the Launch Generic EGD Editor button displays.

➢➢ To view .xml files

1. In the OPC Server Devices list box, right-click a device.

2. Click the desired option.

➢➢ To remove a component from the EGD Configuration Server

1. In the Devices In EGD Config Server list box, right-click a device.

2. Click the desired option.


6 OPC DA Client PrivilegesBeginning with ControlST V07.07, the Enable Client Security By User property on the ToolboxST WorkstationSTComponent Editor OPC DA server feature tab is used to enable or restrict OPC DA or OPC UA user client privileges. Whenthis property is set to True (enabled) and depending on Users and Roles configuration settings, the server allows OPC DAclients access to browse for, read, and write variables. The following flow diagram illustrates these access privileges. Usersand Roles are configured using the Users and Roles tree view item in the System Information Editor.

OPC DA Client Privilege Flow Diagram


7 Ethernet Global Data (EGD)The OPC DA server has its own EGD server running, which handles the following:

• Consumption of EGD exchanges• Production of configured EGD exchanges• CMP Write commands to other EGD components• Processing of CMP messages from other EGD components• Responding to EGD Class 3 HTTP requests for configuration information• Auto adapting to configuration changes in consumed Class 3 or higher devices

7.1 EGD Live DataEGD exchanges from other components, such as Mark VIe, Mark VI, or UC2000 are received by the OPC DA server’s EGDserver, then made available for use by OPC clients. The exchanges must be on the same subnet if broadcast or multicast, ordirected to the computer running the OPC DA server.

EGD exchanges configured with variables owned by the OPC DA server are produced. The variables become writable OPCDA server variables.

7.2 Produced Exchange HealthA health timeout multiplier is applied to all OPC DA server-produced EGD exchanges. This multiplier, if greater than 0,determines the timeout when at least one variable on an exchange must be written to by an external OPC client. The timeoutis calculated as the exchange period times this multiplier. Exchanges driven by the OPC client data plug-in are markedhealthy.


7.3 EGD Command Message ProtocolCMP messages are typically used by an Human-machine Interface (HMI) to write setpoint values, as well as to set and clearBooleans to a controller. The OPC’s EGD server issues a CMP message to a consumed EGD variable when an OPC clientwrites to the variable. Any other EGD node can also send a CMP write to the OPC server’s produced exchange variables. Inthis case, the Write command sets the OPC DA server variable. If the variable is owned by the OPC client data plug-in, theWrite command is sent to the connected OPC DA server. If the variable has been subscribed to by an exterior OPC client, theclient receives an update of the variable’s value through the OPC On Data Change.

7.4 Dynamic EGD UpdatesConsumed EGD components occasionally undergo configuration changes, which result in a signature change on theexchange. Some components are capable of dynamic configuration changes. The OPC DA server attempts to keep its currentconfiguration.

If a configuration signature mismatch occurs, the OPC DA server requests a new configuration for the component with themismatch.

Note For Class 3 devices, data retrieval is attempted from the device. If that fails, a retrieval is attempted from the EGDConfiguration Server.

Changes to a component’s configuration that do not effect the EGD exchange are still sometimes required by the OPC DAserver or some other feature of the WorkstationST application. For example, a configuration may be downloaded to a MarkVIe component with new alarm information or data logging information. Mark VIe components have the application minorrevision on the status page for the R, S, and T controllers. Mark VIe components also have the Dynamic Data Recorder(DDR) revision on the default EGD page for R, S, and T controllers. The OPC DA server monitors the EGD variable valuesfor MinorRevisionX (X = R, S, or T) and DDRRevisionX. When the OPC DA server’s revision (kept in the EGD symbol tablefor each component) does not match at least one of the R, S, or T revisions, the OPC DA server requests a configurationupdate for the EGD symbol table for that component.


7.5 Redundant EGD Produced PagesWorkstationST EGD Produced Pages can be configured with primary or secondary redundancy. A primary redundancy sendsthe Produced Page if the page’s data source is healthy. (Refer to the section Produced Page Health). A secondary ProducedPage is sent by another WorkstationST computer if the primary Produced Page is not heard for three periods. Typically aconsumer of an EGD Produced Page declares the page unhealthy if the page is not received after five periods. If thesecondary redundancy again detects the production of the primary page, data production is stopped. Like the primary, thesecondary producer sends the page if the page’s data source is healthy.

Note The period, which is user-configured as an exchange on a page, is the rate at which the exchange is sent.

➢➢ To show redundancy: From the WorkstationST Component Editor EGD tab, select the Produced Page tocheck.

From the Property Editor , the Redundancy level displays and can be changed from the drop-down list.


7.6 Produced Page HealthEach Produced Page contains WorkstationST variables. A data source for the variable values can be an OPC DA clientconnected to the WorkstationST OPC DA server, an OPC DA server connected to the WorkstationST OPC DA client, or a .csv file watched by the WorkstationST .csv file watcher.

Health Timeout Multiplier can be configured for each Produced Page. If the health timeout multiplier is greater than 0, andat least one page variable is written by a data source within the timeout multiplied by the page period, the page is sent by theprimary producer (or the secondary if the primary is not producing). A flag allows the first variable in the page (the one atoffset 0.0) to be the only variable monitored to determine the data source health.


OPC DA Client Page Health indicates the health of the Produced Page, which is sent if the OPC DA client is connected toits configured OPC DA server and the server’s status is healthy.


Primary produced page configuration is a page configured as primary in the WorkstationST component EGD page.

Secondary produced page configuration is a page configured as secondary in the WorkstationST component. Thesecondary must be configured with the same page name as the primary page.

The data source variables (typically OPC DA server client-driven variables) must be present in the secondary WorkstationSTcomponent, but it is not necessary to configure the EGD Produced Page layout in the secondary. At runtime, the secondaryadapts to certain primary configuration changes such as data type and offset changes to primary variables. When variables areadded or deleted from the primary, they must also be added to the secondary and downloaded, to allow the data source todrive them.


The following example displays variables defined in the OPC DA server tab to be written by an external OPC DA client.

With the release of ControlST software suite V04.05, the Client Driven Variables item was moved to the new Variables taband renamed WorkstationST Variables as displayed in the following figure.

The WorkstationST OPC DA server provides EGD and other data to OPC DA clients. If redundant data must be sent tomultiple OPC DA clients, multiple WorkstationST computers can be configured and each OPC DA client can connect to adifferent WorkstationST OPC DA server. The OPC DA client must determine page health and select the best source.


8 OPC Client Data Plug-inFor system configurations requiring data from a third-party OPC DA server, the OPC client data plug-in can be configured toconnect to, and obtain data from, the third-party OPC DA server. OPC clients connect to servers using Groups, which are listsof variables updated at a configured rate. The ToolboxST application allows a WorkstationST component to be configured forOPC client connections to external OPC DA servers. Groups can be added and variables added per group. Variables areselected by browsing the OPC DA server.

9 SDI Data Plug-inAn SDI data plug-in is provided for variables that are not needed for control, but might be needed for diagnostics or tuneup.All named variables are added to the EGD Configuration Server’s EGD symbol table. These variables are then added to theOPC DA server for OPC client browsing. When a client adds a variable that is not on EGD, but is available through SDI, anSDI connection is made to the controller and live data is updated until the OPC client disconnects or removes the OPC groupor variable. An SDI server provides access to any OPC DA server-owned variable through the SDI protocol.

10 TCI Plug-inIf the Mark V feature in a WorkstationST component is enabled, then it starts the GeCssTci System Service to communicatewith Mark V controllers. The OPC DA server uses the TCI data plug-in to communicate with the GeCssTci System Service toretrieve the list of variables in the Mark V controllers and to exchange real time data and commands. There are no additionalconfiguration steps required for this plug-in. The Mark V feature creates the required symbol table automatically from theMark V configuration files. This plug-in also makes Mark V communication status available in the Additional Informationsection of the OPC DA server in the WorkstationST Status Monitor.


11 Live Data.csv File InterfaceThe WorkstationST application allows you to read and save variable live values in a .csv file. The OPC DA server tabcontains a CSV To Live Data option in the Tree View that configures the OPC DA server to read and monitor one or more .csv files for live variable values.

When the OPC DA server is started, and whenever the specified .csv file is changed, the live values are read and set to thevariables specified in the .csv file. The variables can be any writable variables to which the WorkstationST has access. Forexample, a client-driven variable can be defined and put onto an EGD Produced Page. This variable’s value is then updatedfrom the .csv file values. Any errors display in the Component InfoView Status tab.

If CSV Uses New Format is True, the .csv file format is a variable name with a value on each line, for example:

Var1, 3.7

Var2, true

Var3, 4.5

If CSV Uses New Format is False, the .csv file format is one line of variable names and a second line of data values, forexample:

Var1,Var2,Var3

3.7,true,4.5

The utility LiveVarsToCsv.exe, which is in the GeCssOpcServer installation folder, is used to read a snapshot of live valuesand write them to an output .csv file. The command line utility’s syntax is as follows:

LiveVarsToCsv [options] <varCfgFileName |

var1,var2,var3...> <outputFileName>


Where options are:

/opcClient - use an OPC client to the WorkstationST live data core, otherwise an SDI connection is used by default.

/host="name" - an optional host name. If not specified, local host is used.

/Horiz - Without this option, the output format has one line of comma separated variables and a second line with commaseparated values. With this option the output format has one line per variable with name, value and optional extended data.

/Extended - Additional information is appended to the variable column or row.

/Header - Includes a column header line. This option is only used when the /Horiz option is used.

/SeparateDateTimeColumns - Creates two columns for the variable's time stamp rather than one combined date/time column.This is only valid when used with the /Horiz option /AdditionalColumns=col,val which allows the inclusion of a columnheader(s) col with value val. For example, if you use:

/AdditionalColumn=Area,Train1, another column with a header text of Area and column values of Train1, would be appendedto the output. Multiple columns/values can be specified (for example Area,Train1,Customer,GE). This is only valid whenused with the /Horiz option /ColumnOrder=list which allows the order of the columns to be specified. The list is a commaseparated list of column header names.

Valid header names are:

Name, Value, Type, Time Stamp,Units,Description, Second Language Description.

If the /SeparateDateTimeColumns options was specified, Date and Time are also valid column headers.

If the /AdditionalColumns option was used, the headers specified are also valid for the ColumnOrder list. This is only validwhen used with the /Horiz option.

If the argument following the options is a valid file path, the file is expected to contain a list of variables, one per line withoptional comma separated columns for scale, offset and a translated output name (see an example below). Otherwise, theargument following the options can be a list of comma-separated variable names.

Example varCfgFile format:

# Comments are allowed anywhere in the file if preceded by a ‘#’

var,scale,offset,translatedName

G1.Celcius,1.8,32,G1.Farenheit

Example using advanced options:

LiveVarsToCsv /Horiz /Extended /Header /SeparateDateTimeColumns /AdditionalColumns="Plant Area,Train1"

/ColumnOrder="Area,Name,Value,Date,Time,Description,Units,Second Language Description" var1,var2,var3 outputfile.csv

This utility can be used with the WorkstationST Task Scheduler to provide periodic writing of .csv data.


12 Network Status MonitorThe Network Status Monitor Client, when enabled in a WorkstationST configuration, provides live data values for the currentnetwork status through the OPC DA server. The following is the variable name form;

<workstationDeviceName>.NetMonitor.<otherDevice>.<networkName>.varname

The Booleans available include the following:

• Error• Warning• Online

In addition to the network monitor variables, each WorkstationST computer and MarkVIe controller provides a default_Status page on EGD. The WorkstationST computer monitors the variables on the _Status page and provides their live valuesto OPC DA clients.

The ToolboxST application uses an SDI live connection to obtain live values from the WorkstationST OPC DA server. A newlive updated status message provides the ToolboxST application access to the above network status. Using this list betweenthe ToolboxST application and a local WorkstationST computer does not create any additional network traffic. The OPC DAserver obtains the status information through EGD updates of _Status pages and from the Network Status Monitor Clientfeature.


13 Workstation Consumption by ProxyAworkstation can be configured to consume a device through another workstation which consumes the device locally throughthe TCI interface (Mark V), or through EGD. The following diagram shows the data flow for clients requesting variablesconsumed by proxy.


13.1 Initial Variable List Add


13.2 Switch from Primary to Secondary


14 Alarm Attribute Plug-inOPC DA clients can now subscribe to additional alarm attributes of a variable. This feature is enabled on the WorkstationSTComponent Editor OPC DA tab. When enabled, the following attributes are available:

Attribute DescriptionAlarmAckCmd If the variable is an alarm, write to this attribute to acknowledged the alarm.AlarmAckNeeded True if the variable is an alarm and the alarm needs to be acknowledged.AlarmActive True if the variable is an alarm and the alarm is active.AlarmConfigured True to indicate the variable is configured for an alarm.AlarmIsOutOfSvc True when an alarm is currently out-of-serviceAlarmIsShelved True when an alarm is currently shelved.AlarmLocked True if the variable is an alarm and the alarm is locked.AlarmOutOfSvcEnabled True if out-of-service has been enabled for this system using the ToolboxSTsystem overview.AlarmPriority The priority for the alarm. Analog alarm priority can be changed based on the alarm level.AlarmResetCmd If the variable is an alarm write to this attribute to reset the alarm.AlarmResetNeeded True if the variable is an alarm and the alarm can be reset.AlarmShelvingEnabled True if shelving is enabled for this alarm. Shelving is enabled for a ToolboxSTsystem in the

properties in the system overview and additionally each variable’s alarm shelving can beenabled.

AlarmState The alarm state text for an alarm variable.AlarmSymbolKey A string representing the alarm symbol to be used for this alarm. BQ = Bad quality or alarm

client not connected to alarm server. OO = out-of-service. AS = Shelved alarm.<alarmClass>AU = active unacknowledged for specified class. <alarmClass>AUB = activeunacknowledged for specified class (class configured to blink). <alarmClass>AA = activeacknowledged for specified class. <alarmClass>alarmClass>NA = returned to normal andacknowledged for specified class. <alarmClass>NU = returned to normal andunacknowledged for specified class.

AlarmText The alarm text for an alarm variable.AlarmTimeStamp The device time stamp for an alarm variable.


15 Variable MappingWhen configured on the WorkstationST Component Editor Variables tab, any variable in WorkstationST OPC DA or OPCUA server’s namespace can be cyclically moved to any other variable. There is a configuration setting for the rate at whichthe mapping occurs. The following rules apply:

• The destination variable must be writable. (Note, if the destination variable is a writable consumed EGD data point or apoint in an external OPC DA or OPC UA server, the consumed EGD device or external OPC UA/DA server may limitthe rate at which writes are allowed. If the rate is reached, you should see write errors in the OPC UA or OPC DA serverdetail logs.)

• This feature is implemented in the OPC UA server if the UA server has been enabled. Otherwise it is implemented in theOPC DA server.

• The data type must match between the source and the destination of each mapped variable.

16 Configure DCOMThe Distributed Component Object Model (DCOM) utility allows components to communicate across network boundariesbut is also involved with client to server interaction on the same computer. DCOM is configured for both the server and clientcomputers using dcomcnfg.exe.

Note The DCOM utility resides in the Windows System32 directory.

➢➢ To start the DCOM utility

1. From the Windows Start menu select All Programs, Accessories, and Run.

2. In the Run dialog box, type dcomcnfg.exe, and click OK. The Component Services window displays:


16.1 DCOM Default Properties

Note This does not apply to computers using Windows workgroups. Refer to the section Windows Workgroups Example.

DCOM must be configured to allow the client user access to the server computer, and the server user access to the clientcomputer. The server user is the system account on the server computer. Adding DOMAIN\ComputerName into the accesspermissions allows access by the server to the client.

➢➢ To configure default properties: from the Component Services screen, right-clickMy Computer and selectProperties.


From the My Compu ter Proper t ies dialog box Defau lt Proper t ies tab, click to select Enab le Dis tr ibu ted COM on th is compu ter.

Click OK .

This configuration is the default. The Default Authentication Level on the client computer should either match, or be morerestrictive than the authentication level on the server. When a DCOM connection is attempted, the higher of the two levels isused. If the server is configured for Connect level, and the client is configured for None, the client is rejected. Thisauthentication process occurs before any other DCOM security is checked.


16.2 Default Access PermissionsThe Default Access Permissions allow a remote client to communicate with the server. Communication between the clientand the server is required for connecting, adding OPC groups, and browsing variables. The client computer must allow accessby the server for live values to be updated.

Note Windows defaults the access permissions to allow access for both system and self. To allow any client to connect, youmust add Interactive with Allow Access permissions to the Default Access permissions.

The server is configured to run as a service and, by default, runs as a system. To receive live data updates, the client computermust allow the system account from the server computer remote access.

➢➢ To edit the Default Access Permissions

From the My Compu ter Proper t ies dialog box , click the COM Secu r i ty tab.

In the Access Permiss io nssection, click Ed it Defau lt to display the Access Permiss io n dialog box .


Click Add to display the Selec t Users , Comp u ters, Serv ice Accoun ts, o r Group s dialog box .

Click Ob jec t Types to display the Ob jec t Types dialog box .

Note: If the computers are in a domain, you can add Object Types of Computer. If the computers are in a workgroup, this feature is not available.


Click to select Compu ters.

Click OK .

Enter the computer name and click Check Names to verify the computer exists in the domain .

Enter your credentials if prompted.

Click OK .

In the above example, the computer named Corsair contains the OPC server. Corsair is added with access to this computer.

Add the same computer setting to the Limits for Access, Limits for Launch and Activation, and to Default for Launch andActivation. Repeat this procedure for both Client and Server computers.

If the logon was changed to a different user, add the user computer rather than the server computer. Refer to theWorkstationST OPC AE Server Instruction Guide (GEI-100624), the section Changing the OPC AE Server DCOM Settings.


16.3 Windows Workgroups ExampleThis section describes the settings required to connect a DCOM client running as the System account to a DCOM serverrunning as the system account on a remote computer. Services run as the system account.

Note The System user is not the same as the Administrator user.

When a client running as System tries to connect to another computer in a workgroup, that client has no network credentials.If the computers were in the same Windows domain, the client System user can be identified, but when using workgroups, theremote server computer cannot identify the client user. Under these conditions, the client is seen by the server as AnonymousLogon user.

Note Permissions must be applied to the server computer to allow the client to communicate to the server (connect, browse,read, write). For the server to respond with data change notifications, the settings must be applied to the client computer.

Ensure that the Authenticate Users as Themselves local security policy has been set correctly.

Both the computers must be in the same workgroup and have an identical account and password on each. This commonaccount is the account under which the OPC DA client runs. This account should be included in the Default Access andDefault Launch and Activation Privileges with Remote Access enabled.

The default properties of the computer are left as the Windows default. For information on running dcomcnfg.exe andchanging computer properties. Refer to the WorkstationST OPC AE Server Instruction Guide (GEI-100624), the sectionConfiguring DCOM.


16.3.1 Set Security Limits and Defaults

➢➢ To set security limits


2. In the Run dialog box enter dcomcnfg.exe and click OK. The Component Services window displays.

3. from the Component Services screen, right-clickMy Computer and select Properties.


From the COM Secu r ity tab , in the Access Permiss ionssection, click Ed it L imits to display the Access Permiss ion dialog box .


Verify the Allow check boxes for both L ocal and Remote Access are selected for each user or group.

Note If ANONYMOUS LOGON is not on the list of Group or user names, refer to the section Add an Anonymous User toadd it.

Repeat these steps for Edit Default in Access Permissions, Edit Limits and Edit Default in Launch and ActivationPermissions, verifying that all Allow check boxes are selected for each user or group.


16.3.2 Add Anonymous UserThe OPCEnum service provided by the OPC Foundation does not include the ANONYMOUS LOGON, so it must be addedto the Launch and Access permissions in the OPCEnum Properties dialog box. This change does not require a restart. Thesettings take effect the next time the OPCEnum service is started. For information on changing an individual DCOM server’ssettings, refer to the WorkstationST OPC AE Server Instruction Guide (GEI-100624), the section Changing the OPC ServerDCOM Settings.

➢➢ To add users and permissions


2. In the Run dialog box enter dcomcnfg.exe and click OK. The Component Services window displays.

3. From the Component Services window, expand the DCOM Config folder.

O pc Enu m disp lays a f t er t he W orksta t ionST app l ica t ion is inst a l led.

Right -cl i ck O pc Enum and select Pr ope r t i es t o d isp lay t he O pc Enum Pr ope r t i es dia log box.


From the Secu r ity tab, the default setting for Launch and Act ivat ion Permiss ions is Customize.

Click Ed it to display theLaunch and Act ivat ionpermission dialog box.


Click Add to display the Selec t Users, Compu ters, Serv ice Accoun ts, o r Groupsdialog box .

In the text box, enter anonymous logon and click OK .

The Launch and Act ivat ion Permiss ion dialog box changes to display ANONYMOUS LOGON in the Group o r u ser names tex t box.


Select ANONYMOUS LOGON .

Select the Allow checkboxes for Local and Remo te L aunchand Lo cal and Remo te Ac t ivat ion .

Click OK .


To set Access Permiss ions and Con f igu rat ion Permiss ions, return to the OpcEnum Proper t ies dialog box Secu r ity tab and repeat the previous three steps for each section.


16.4 Change OPC Server DCOM SettingsThe default settings for the OPC DA server process are normally adequate. However, if you want the OPC DA server to runas a user other than system, select the Control Panel, Administrative Tools, and Services tool to modify the Logon As (user).This setting is made during installation and installing a new version runs the service as the default system account again.

Note If you change the Logon As setting, you must also change the DCOM identity setting to match.

➢➢ To change the GeCssOpcServer identity

1. From the Component Services screen Tree View, expand Console Root, Component Services, Computers,and DCOM Config.

2. Right-click the GeCssOpcServer item and select Properties to display the GeCssOpcServer Properties dialogbox.

3. Click the Identity tab, verify that the option The system account (services only) is selected and click OK.


16.5 DCOM SecurityThe information in the following sections is an excerpt from www.opcfoundation.org.

16.5.1 AbstractOPC server vendors have two approaches to networking:

• The client can connect to a local server to use the existing proprietary network scheme. This approach will commonly beused by vendors who are adding OPC capability to an existing distributed product.

• The client can connect to the desired server on a target machine, then use DCOM for networking. This approach may beused in conjunction with the above approach.

Using DCOM for remote OPC client/server communications is necessary for cross-vendor interoperability. Consequently,there are several issues that surface in the design, development, implementation, and deployment of distributed(DCOM-enabled) OPC components.

DCOM can make distributed applications secure without any security-specific coding or design in either the client or thecomponent. Just as the DCOM programming model hides a component's location, it also hides the security requirements of acomponent. The same (existing or off-the-shelf) binary code that works in a single-machine environment, where security maybe of no concern, can be used in a distributed environment in a secure fashion.

DCOM achieves this security transparency by letting developers and administrators configure the security settings for eachcomponent. Just as the Windows NT File System lets administrators set access control lists (ACLs) for files and directories,DCOM stores Access Control Lists for components. These lists simply indicate which users or groups of users have the rightto access a component of a certain class. These lists can easily be configured using the DCOM configuration tool(DCOMCNFG) or programmatically using the Windows NT registry and Win32® security functions.

Whenever a client calls a method or creates an instance of a component, DCOM obtains the client's current usernameassociated with the current process (actually the current thread of execution). Windows NT guarantees that this usercredential is authentic. DCOM then passes the username to the machine or process where the component is running. DCOMon the component's machine then validates the username again using whatever authentication mechanism is configured andchecks the access control list for the component (actually for the first component run in the process containing thecomponent).

If the client's username is not included in this list (either directly or indirectly as a member of a group of users), DCOMrejects the call before the component is ever involved. This default security mechanism is completely transparent to both theclient and the component and is highly optimized. It is based on the Windows NT security framework, which is probably one ofthe most heavily used (and optimized!) parts of the Windows NT operating system: on each and every access to a file or evento a thread-synchronization primitive like an event or semaphore, Windows NT performs an identical access check. The factthat Windows NT can still compete with and beat the performance of competing operating systems and network operatingsystems shows how efficient this security mechanism is.

There are three main issues: authentication, launch (activation) permission, and access (call) permissions, which all operatemore or less independently of each other.

The first thing Windows NT does is to authenticate the user (as in the figure above). Whether or not this is done depends onthe authentication level defined in DCOMCNFG. This level is specified by both the client and server machines: the serverspecifies the minimum required authentication level for incoming calls (any call that comes in below this is automaticallyrejected via E_ACCESSDENIED), and the client specifies it’s required authentication level for each interface call. COMautomatically uses the higher of the two settings. More information on these settings can be found in the HELP file forDCOMCNFG.

Once the user has been authenticated, two additional types of security are defined in DCOM: activation security(permissions) and call security (permissions).

Activation security controls which classes a client is allowed to launch and retrieve objects from, and is automatically appliedby the Service Control Manager of a particular machine. Upon receipt of a request from a remote client to activate an object,the Service Control Manager of the machine checks the request against activation setting information stored within it’sregistry.


The HKEY_LOCAL_MACHINE\Software\Microsoft\OLE key’s DefaultLaunchPermission named value sets the machine-widedefault access control list (ACL) to specify who has access to classes on the system. For class-specific activation settings(which take precedence over the default setting), the HKEY_CLASSES_ROOT\APPID\{…} key’s LaunchPermission namedvalue contains data describing the class’s ACL. These keys are set initially when NT is installed, and can be modified bydcomcnfg.exe.

Call security provides the security mechanism on a per-call basis that validates inter-object communication after aconnection between a client and server has been established. Call security services are divided into three categories:

16.5.2 General Functions Called by Both Clients and Servers

• New interfaces on client proxies• Server-side functions and call-context interfaces

The HKEY_LOCAL_MACHINE\Software\Microsoft\OLE key’s DefaultAccessPermission named value sets the machine-widedefault access control list (ACL) to specify who has access to classes on the system. For class-specific activation settings(which take precedence over the default setting), the HKEY_CLASSES_ROOT\APPID\{…} key’s AccessPermission namedvalue contains data describing the class’ ACL. These keys are set initially when NT is installed and can be modified bydcomcnfg.exe.

DCOM Overview


17 EGD ICN Service with WorkstationSTThe ICN service prior to V02.03.01 opened the EGD receiving port and the CMP receiving port by binding a socket to theport for IPADDRESS.ANY without setting the reuse socket address flag. This meant that once the ICN service started, noother process could bind a socket and receive EGD messages. Likewise, ICN service could not bind its sockets if anotherprocess bound a socket to them first.

To allow multiple EGD processes to co-exist, version V02.03.01 and later of the ICN service bind the EGD sockets using anunique address. The WorkstationST application, and the controller simulator products use this same technique for binding theEGD sockets.

Note For new applications, when assigning IP addresses, the computer network connection's primary IP address should beassigned to the WorkstationST computer. Other processes can use secondary addresses. It is important for the WorkstationSTcomputer to have the first address if it has been configured to produce EGD containing read/writable variables. If theWorkstationST computer is not producing EGD, or is not producing any read/writable variables, this note does not apply.


17.1 Configure Network Connection with Multiple IPAddressesWindows allows multiple IP addresses to be assigned to a network adapter. Each EGD process must have its own uniqueaddress or addresses. To configure a network connection with multiple addresses, use the advanced settings in the IPconfiguration for a network.

Note In order for the EGD Command messages to be correctly routed, it is necessary for the primary (first) networkconnection address to be the WorkstationST computer address.

➢➢ To configure a network connection with multiple addresses




17.2 Configure IPAddressesThe addresses entered in the CSS toolbox Turbine HMI component for the PDH and UDH networks become bind addressesin the icn.ini file used by the ICN service. ICN Service attempts to bind a socket to each address. Any addresses that failcreate an error entry in the Windows event log. If all addresses fail, the service stops.


➢➢ To configure addresses for a WorkstationST component

1. From the ToolboxST System Editor, open aWorkstationST component.

2. From the General tab, add one or more Network Adapters.

When a download occurs, the EGD server portion of WorkstationST computer attempts to bind to the specified addresses.


18 Glossary of TermsBind - To establish the correspondence between the data in an exchange and variables in a component.

Bind/Build - To bind the configuration for each consumed exchange and create/update the configuration for any producedexchange.

Collection - More formally, an EGD Collection. Is a group of components that constitutes a formal subset of the componentsparticipating in a particular EGD installation. This arbitrary grouping allows users to subdivide the system to make some taskseasier.

Consume - To receive an EGD data message (exchange).

Consumer - An EGD node configured to receive an EGD data message.

EGD - A mechanism that provides access to global data between nodes supporting the EGD protocol.

Exchange - An EGD data message consisting of a header and a body of data. The header contains the producer ID and theexchange ID that uniquely identifies the message. The body of data is a block of bytes in a format agreed upon by theproducer and all consumers.

Feature - An element of the WorkstationST runtime system, which can be optionally enabled through ToolboxST. Examplesinclude OPC Server, Recorder, and Alarm Viewer.

Global Data - A concept in which multiple controllers on a network can share information by exchanging portions of theirlocal memory with peer controllers.

OPC - A standard for data exchange in the industrial environment. The OPC foundation provides specifications for variousOPC standards such as OPC DA (Data Access) and OPC AE (Alarm and Event).

Produce - To send an EGD data message (exchange).

Producer - The EGD node configured to send data messages. The source of the data samples for an exchange.

Refresh - To bind the configuration for each consumed exchange for a particular consumed component.

Runtime - Software stored in the controller’s Flash memory that converts application code (pcode) to executable code.

Unbound Variables - Variables required by a consumer that were not found in the producer configuration during the bind.

Public Information

Documents

GEI-100621 WorkstationST OPC DA Server · 2019-12-16 · • Permits browsing for non-EGD variables. This protocol works for Mark* VI, UC2000, and Mark VIe controllers. • Provides