Siemens SIMATIC S7-400, CP 443-1 OPC UA Operating Instructions Manual

Download

Page 1

___________________

SIMATIC NET

S7-400 - Industrial Ethernet CP 443-1 OPC UA

Operating Instructions

01/2017

C79000

Preface

Application and functions

LEDs and connectors

Installation, connecting up, commissioning

Configuration and operation

Programming the OPC UA client blocks

Diagnostics and maintenance

Technical specifications

Approvals

Documentation references

-G8976-C427-02

Page 2

Siemens AG Division Process Industries and Drives Postfach 48 48 90026 NÜRNBERG GERMANY

C79000-G8976-C427-02

Ⓟ

Legal information

Warning notice system

DANGER

indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING

indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION

indicates that minor personal injury can result if proper precautions are not taken.

NOTICE

indicates that property damage can result if proper precautions are not taken.

Qualified Personnel

personnel qualified

Proper use of Siemens products

WARNING

Siemens products may only be used for the applications described in the catalog and in the relevant technical

maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

Disclaimer of Liability

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

The product/system described in this documentation may be operated only by task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Note the following:

documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and

All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

for the specific

01/2017 Subject to change

Page 3

Preface

Validity of this manual

Legend:

①

X = placeholder for hardware product version

②

Firmware version

③

LEDs

④

Ethernet interface X1P1: 1 x 8-pin RJ-45 jack

⑤

Label with MAC address

This description contains information on the following product:

CP 443-1 OPC UA Article number 6GK7 443-1UX00-0XE0 Hardware product version 2 Firmware version V1.0.39

Communications processor for connection of the SIMATIC S7-400 to an OPC UA client and server

Figure 1 CP 443-1 OPC UA

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 4

Preface

Purpose of the manual

Required experience

Abbreviations/acronyms

New in this release

Replaced edition

Current manual release on the Internet

Cross references

This manual describes the properties of this device and shows application examples. The manual supports you when installing, connecting up and commissioning the device. The required configuration steps for the device are described. You will also find instructions for operation and information about the diagnostics options of the device.

To install, commission and operate the device, you require experience in the following areas:

● General electrical engineering

● Automation engineering / STEP 7

● OPC UA

This manual often uses the following abbreviations/acronyms:

●

The acronym is used instead of the full product name "CP 443-1 OPC UA".

●

Programming device (STEP 7 V5)

●

Engineering station (STEP 7 Professional)

● Configuration in STEP 7 Professional

● Setting the SYA bit when forwarding the time to the CPU

● Editorial revision

Release 07/2016

You will also find the current version of this manual on the Internet pages of Siemens Industry Online Support.

Link: (https://support.industry.siemens.com/cs/ww/en/view/21862/man)

In this manual there are often cross references to other sections.

To be able to return to the initial page after jumping to a cross reference, some PDF readers support the command <Alt>+<Left arrow>.

CP 443-1 OPC UA

4 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 5

Preface

Documentation and other literature

License conditions

Note Open source software

The product contains open source software. Read the license conditions for open source software carefully before using the product.

Firmware

Security information

The documentation for this device consists of these operating instructions.

You will find more information on configuring the CP here:

● Online help of STEP 7 V5.x

● Information system of STEP 7 Professional

● Manual /2/ (Page 133)

There among other things you will find information about the following topics:

– Initial addressing

– Downloading configuration data

– Web diagnostics

– STEP 7 special diagnostics

– Loading firmware

You will find an overview of further reading and references in the Appendix of this manual.

You will find license conditions in the following document on the supplied data medium:

● OSS_CP4431-OPCUA_86.pdf

The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device.

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.

In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept.

Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 6

Preface

Recycling and disposal

SIMATIC NET glossary

Training, Service & Support

Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit Link: (http://www.siemens.com/industrialsecurity)

Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase customer’s exposure to cyber threats.

To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under Link: (http://www.siemens.com/industrialsecurity).

The product is low in pollutants, can be recycled and meets the requirements of the WEEE directive 2012/19/EU "Waste Electrical and Electronic Equipment".

Do not dispose of the product at public disposal sites. For environmentally friendly recycling and the disposal of your old device contact a certified disposal company for electronic scrap or your Siemens contact.

Keep to the local regulations.

You will find information on returning the product on the Internet pages of Siemens Industry Online Support: Link: (https://support.industry.siemens.com/cs/ww/en/view/109479891)

Explanations of many of the specialist terms used in this documentation can be found in the SIMATIC NET glossary.

You will find the SIMATIC NET glossary here:

● SIMATIC NET Manual Collection or product DVD

The DVD ships with certain SIMATIC NET products.

● On the Internet under the following address:

Link: (https://support.industry.siemens.com/cs/ww/en/view/50305045)

You will find information on training, service and support in the multilanguage document "DC_support_99.pdf" on the Internet pages of Siemens Industry Online Support:

Link: (https://support.industry.siemens.com/cs/ww/en/view/38652101)

CP 443-1 OPC UA

6 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 7

Preface ................................................................................................................................................... 3

1 Application and functions ...................................................................................................................... 11

2 LEDs and connectors ............................................................................................................................ 25

3 Installation, connecting up, commissioning ............................................................................................ 29

4 Configuration and operation .................................................................................................................. 35

1.1 Application .............................................................................................................................. 11

1.2 Communication services ......................................................................................................... 11

1.3 Security functions .................................................................................................................... 12

1.4 Other services and properties ................................................................................................. 14

1.5 Operating the CP in an H system ........................................................................................... 14

1.6 Performance data ................................................................................................................... 15

1.6.1 Configuration limits - hardware ............................................................................................... 15

1.6.2 Configuration limits - communication ...................................................................................... 16

1.7 Requirements for use.............................................................................................................. 17

1.7.1 CPUs ....................................................................................................................................... 17

1.7.2 Configuration ........................................................................................................................... 19

1.7.3 Programming .......................................................................................................................... 20

1.7.4 Web browser for access using HTTPS ................................................................................... 21

1.8 Configuration examples .......................................................................................................... 21

2.1 LEDs ....................................................................................................................................... 25

2.2 Power supply .......................................................................................................................... 28

2.3 Ethernet interface X1P1 .......................................................................................................... 28

3.1 Important notes on using the device ....................................................................................... 29

3.1.1 Safety requirements for installation ........................................................................................ 29

3.1.2 Notes on use in hazardous areas ........................................................................................... 29

3.1.3 Notes on use in hazardous areas according to ATEX / IECEx .............................................. 31

3.1.4 Notes on use in hazardous areas according to UL HazLoc ................................................... 31

3.1.5 Notices on use in hazardous areas according to FM ............................................................. 32

3.2 Installing and connecting up the CP ....................................................................................... 32

3.3 Commissioning the CP ........................................................................................................... 33

4.1 Controlling the mode ............................................................................................................... 35

4.2 Security recommendations ..................................................................................................... 35

4.3 Overview of the configuration ................................................................................................. 39

4.4 Access to process data of the CPU ........................................................................................ 39

4.5 Data types ............................................................................................................................... 40

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 8

Table of contents

5 Programming the OPC UA client blocks ................................................................................................ 79

4.6 Interface configuration ........................................................................................................... 43

4.6.1 Network settings..................................................................................................................... 43

4.6.2 Restart after detection of a duplicate IP address in the network ........................................... 44

4.7 Configuration of the CP in STEP 7 V5 ................................................................................... 45

4.7.1 "Addresses" tab ...................................................................................................................... 45

4.7.2 "SNMP" Tab ........................................................................................................................... 45

4.7.3 "Security" Tab ........................................................................................................................ 47

4.7.4 "Diagnostics" Tab ................................................................................................................... 48

4.7.5 "Web" Tab .............................................................................................................................. 49

4.7.6 "Time-of-day synchronization" tab ......................................................................................... 50

4.7.7 "Options" tab: Effects of protection levels .............................................................................. 52

4.7.8 "OPC UA" tab ......................................................................................................................... 53

4.7.9 Configuration in the SCT ........................................................................................................ 55

4.7.10 Handling certificates ............................................................................................................... 59

4.8 Configuration of the CP in STEP 7 Professional ................................................................... 60

4.8.1 "Options " parameter group ................................................................................................... 60

4.8.2 "Ethernet interface“ parameter group .................................................................................... 61

4.8.3 "OPC UA" parameter group ................................................................................................... 62

4.8.4 Parameter group "SNMP" ...................................................................................................... 62

4.8.5 "I/O addresses" parameter group .......................................................................................... 63

4.8.6 Security“ parameter group ..................................................................................................... 63

4.8.7 Security > "Time-of-day synchronization" .............................................................................. 64

4.8.8 Security > "SNMP" ................................................................................................................. 65

4.8.9 Security > "Web server" ......................................................................................................... 66

4.8.10 Security > "OPC UA" .............................................................................................................. 67

4.8.11 Security > "S7 communication" .............................................................................................. 72

4.8.12 Security > "Certificate manager" ............................................................................................ 73

4.8.13 Handling certificates ............................................................................................................... 73

4.9 Properties of the OPC UA server ........................................................................................... 76

5.1 Program blocks for the OPC UA client .................................................................................. 79

5.2 Time monitoring of the blocks ................................................................................................ 82

5.3 FB230 UA_Connect ............................................................................................................... 83

5.3.1 Function and call interface - UA_Connect ............................................................................. 83

5.3.2 Parameter - UA_Connect ....................................................................................................... 84

5.3.3 UDT751 UASessionConnectInfo ........................................................................................... 85

5.3.4 UDT752 UAUserIdentityToken .............................................................................................. 87

5.4 FB231 UA_NamespaceGetIndex ........................................................................................... 87

5.4.1 Function and call interface - UA_NamespaceGetIndex ......................................................... 87

5.4.2 Parameter - UA_NamespaceGetIndex .................................................................................. 88

5.5 FB232 UA_NodeGetHandleList ............................................................................................. 89

5.5.1 Function and call interface - UA_NodeGetHandleList ........................................................... 89

5.5.2 Parameter - UA_NodeGetHandleList ..................................................................................... 90

5.5.3 UDT753 UANodeID ............................................................................................................... 92

5.6 FB233 UA_NodeReleaseHandleList ...................................................................................... 92

5.6.1 Function and call interface - UA_NodeReleaseHandleList .................................................... 92

5.6.2 Parameter - UA_NodeReleaseHandleList ............................................................................. 93

CP 443-1 OPC UA

8 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 9

Table of contents

6 Diagnostics and maintenance ............................................................................................................. 119

7 Technical specifications ...................................................................................................................... 127

A Approvals ............................................................................................................................................ 129

B Documentation references .................................................................................................................. 133

Index................................................................................................................................................... 135

5.7 FB234 UA_Disconnect ............................................................................................................ 94

5.7.1 Function and call interface - UA_Disconnect .......................................................................... 94

5.7.2 Parameter - UA_Disconnect ................................................................................................... 95

5.8 FB235 UA_ReadList ............................................................................................................... 95

5.8.1 Function and call interface - UA_ReadList.............................................................................. 95

5.8.2 Parameter - UA_ReadList ....................................................................................................... 96

5.8.3 UDT754 UANodeAdditionalInfo .............................................................................................. 98

5.8.4 UDT755 UAIndexRange ......................................................................................................... 98

5.8.5 UDT757 UAAnyPointer ........................................................................................................... 99

5.8.6 UDT756 UATimeStamp ........................................................................................................ 101

5.9 FB236 UA_WriteList .............................................................................................................. 101

5.9.1 Function and call interface - UA_WriteList ............................................................................ 101

5.9.2 Parameter - UA_WriteList ..................................................................................................... 102

5.9.3 UDT754 UANodeAdditionalInfo ............................................................................................ 104

5.9.4 UDT755 UAIndexRange ....................................................................................................... 104

5.9.5 UDT757 UAAnyPointer ......................................................................................................... 105

5.10 Error numbers ....................................................................................................................... 107

6.1 Diagnostics options ............................................................................................................... 119

6.2 SNMP .................................................................................................................................... 120

6.3 Upload from device (to PG / ES) .......................................................................................... 122

6.4 Loading new firmware ........................................................................................................... 122

6.5 Memory reset / reset to factory defaults ............................................................................... 124

6.6 Replacing a module without a programming device ............................................................. 125

7.1 Technical specifications of the CP ........................................................................................ 127

7.2 Pinout of the Ethernet interface ............................................................................................ 128

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 10

Table of contents

CP 443-1 OPC UA

10 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 11

1.1

Application

1.2

Communication services

OPC UA

OPC UA server

OPC UA client

The CP is intended for operation in a SIMATIC S7-400 automation system.

Via its Ethernet interface (1 x RJ45) the CP allows the S7-400 to function as an OPC UA client and an OPC UA server.

The CP supports the following communication services:

The CP supports OPC UA according to the specification 1.02 and uses the binary protocol (UA Binary).

The CP can adopt the role of an OPC UA server and an OPC UA client.

●

– Synchronous reading and writing of data

– Asynchronous reading and writing of data

– Makes data available using OPC UA Data Access

– Monitoring variables (MonitoredItems) with the aid of Subscriptions

– Up to 10 sessions with OPC UA clients at the same time

– Hierarchical address browsing

The server function can be enabled or disabled in the configuration.

●

– Asynchronous reading and writing of data

– Setup of up to 5 sessions with OPC UA servers at the same time.

– The connection establishment with the OPC UA servers and the data transfer is

implemented using program blocks.

See section Programming the OPC UA client blocks (Page 79) for information on this.

The client function can be enabled or disabled in the configuration.

You will find the detailed configuration limits for the server and client function in the section Configuration limits - communication (Page 16).

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 12

Application and functions

PG/OP communication

S7 routing

1.3

Security functions

Security

1.3 Security functions

For information on configuring the server and client function refer to the section Configuration of the CP in STEP 7 V5 (Page 45).

The CP supports the following specifications:

● IEC/TR 62541-1 (08-2012) OPC Unified Architecture - Part 1: Overview and Concepts

● IEC/TR 62541-2 (02-2009) OPC Unified Architecture - Part 2: Security Model

● IEC 62541-3 (08-2012) OPC Unified Architecture - Part 3: Address Space Model

● IEC 62541-4 (08-2012) OPC Unified Architecture - Part 4: Services

● IEC 62541-5 (08-2012) OPC Unified Architecture - Part 5: Information Model

● IEC 62541-6 (08-2012) OPC Unified Architecture - Part 6: Mappings

● IEC 62541-7 (09-2010) OPC Unified Architecture - Part 7: Profiles

● IEC 62541-8 (08-2012) OPC Unified Architecture - Part 8: Data Access

● PLCopen and OPC Foundation, OPC-UA Client Function Blocks for IEC 61131-3,

Release 1.0 (04-2014)

PG/OP communication (HMI connections) is released for the configuration of the CP.

As protection against unauthorized access, this type of communication can be blocked in the configuration.

S7 routing is supported by the CP.

As an option you can enable Security functions for the CP.

The Security functions listed below are integrated in STEP 7 Professional and are available when using STEP 7 V5 with the Security Configuration Tool (SCT). The SCT is called up in the STEP 7 configuration.

● NTP (secure)

For secure transfer during time-of-day synchronization

● SNMPv3

For secure transmission of network analysis information safe from eavesdropping

CP 443-1 OPC UA

12 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 13

Application and functions

1.3 Security functions

● Authentication using certificates

Authentication of the CP with OPC UA communications partners using certificates.

The check of the certificates of the communications partner that are exchanged during authentication can be set to different levels separately for the server and client function.

The CP supports the security profiles of the specification part 2, 4, 6, 7 und 12 of the OPC Foundation.

● Encryption and signing

The encryption of the OPC UA data can be configured for the following security profiles of the OPC UA specification:

– No security profile

– Basic128Rsa15

– Basic256

– Basic256Sha256

For the server the optional security procedures "Sign". "Encrypt" and "Sign and Encrypt" are available.

● Write protection

You can block write access to the data area of the CPU.

● Protection of the access to diagnostics data of the CP and blocking of S7 communication via the CP

You can block S7 connections via the CP and LAN access to the pages of the special diagnostics on the CP.

● Logging

To allow monitoring, events can be stored in log files that can be read out using the configuration tool or can be sent automatically to a Syslog server.

● User management

In user management you assign individual users a role. The individual roles provide specific rights for various services.

For further information, refer to section Security recommendations (Page 35).

You will find a description of the functions in the following sections:

● STEP 7 V5: Configuration in the SCT (Page 55)

● STEP 7 Professional: Security“ parameter group (Page 63)

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 14

Application and functions

1.4

Other services and properties

IP configuration

Time-of-day synchronization over Industrial Ethernet

Diagnostics

1.5

Operating the CP in an H system

Restrictions when operating CP in the H system

1.4 Other services and properties

●

The essential features of IP configuration for the CP:

– The CP supports IP addresses according to IPv4.

– Address assignment:

The IP address, the subnet mask and the address of the default router can be set in the configuration.

– DHCP: As an alternative, the IP address can be obtained from a DHCP server.

– DCP (Discovery and Configuration Protocol) is supported.

●

Time-of-day synchronization can be configured according to the following NTP method (Network Time Protocol):

– NTP

– NTP (secure)

If time-of-day synchronization via NTP is disabled. the CP can adopt the time from the station in SIMATIC mode.

For more information, refer to the section "Time-of-day synchronization" tab (Page 50).

●

With the following means and methods, you can obtain the diagnostics data of the CP or station:

– LEDs

– Web diagnostics ( only with HTTPS)

– STEP 7 (NCM S7 diagnostics / special diagnostics)

– SNMPv1 / SNMPv3

For SNMP see section SNMP (Page 120).

You will find more information on diagnostics in the section Diagnostics options (Page 119).

The CP 443-1 OPC UA can be operated in the H system.

CP 443-1 OPC UA

14 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 15

Application and functions

Operating the CP in an H system

CPs as servers in an H station

CPs as clients in an H station

1.6

Performance data

1.6.1

Configuration limits - hardware

Equipment of the S7 stations

Number of CPs per station

Number of supported CPUs per rack

1.6 Performance data

Note the following restrictions:

● The CP does not support H communication.

● The CP does not support redundancy mechanisms.

Each of the two redundant H CPUs has a CP plugged in which is assigned in each case to one of the two CPUs in the configuration ("General" tab).

Below the cases will be examined where the two CPs function as OPC UA server or as OPC UA client in the H station.

Each CP as OPC UA server only allows a client access to the data of its assigned CPU.

So that the client can handle the failure of one of the two H CPUs, the client must access the data of both CPs of the station (OPC UA server). A comparison of the redundant process data by the client must be made by the client application.

Both CPs as OPC UA clients access the data of a server.

Which data read from the currently active H CPU (redundancy master) is used must be implemented within the S7 user program via the UDT "UASessionConnectInfo".

In each S7-400 station, up to 14 CPs can be plugged in and configured, of which a maximum of one CP 443-1 OPC UA.

Depending on the system setup, several CPUs can be plugged in in the rack.

For OPC UA communication the CP 443-1 OPC UA can, however, only access the data areas of a single CPU. You assign the CPU to the CP in the configuration, see section "Addresses" tab (Page 45).

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 16

Application and functions

1.6.2

Configuration limits - communication

OPC functions - OPC UA server

Number of connections to OPC UA clients

Number of items in the CPU data area

Number of supported subscriptions

Number of items per subscription

Memory depth for MonitoredItems

1.6 Performance data

In server mode the CP supports the following configuration limits:

●

Maximum of 10 connections to OPC UA clients

●

For the variables in the data area of the CPU to be written or read as items, the following maximum values apply:

– Maximum number: 64000 Items (symbols / variables)

– Maximum memory requirements 64000 bytes

The maximum memory area is divided among the variables used for OPC UA. As a consequence the following maximum configuration limits apply to the different data types of the variables:

– 64000 variables of the data type BOOL

– 64000 variables of the data type BYTE

– 32000 variables of the data type WORD

– 16000 variables of the data type DWORD

or a combination of the maximum values listed, for example:

– 32000 variables of the data type BYTE

+ 8000 variables of the data type WORD + 4000 variables of the data type DWORD

●

– Maximum of 5 subscriptions per session

– In total maximum of 50 subscriptions at the same time

●

– Maximum of 900 items per subscription

– Maximum of 45000 items over all subscriptions

●

Queue size 2

CP 443-1 OPC UA

16 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 17

Application and functions

OPC functions - OPC UA client

Number of sessions with OPC UA servers

Number of items/node handles

Further connection resources

TCP connections for HTTPS

PG/OP connections

1.7

Requirements for use

1.7.1

CPUs

Required S7-400 CPUs and firmware versions

Standard CPUs with PROFIBUS interface

Standard CPUs with PROFINET interface

1.7 Requirements for use

In client mode the CP supports the following configuration limits:

●

Up to 5 sessions with OPC UA servers at the same time

Per server one or more sessions can be set up at the same time.

●

In client mode the CP supports the following number of items:

In total max. 10000, of which:

– Read access: Maximum 10000

– Write access: Maximum 10000

The number of items to be read and written is divided up among the connected servers.

●

For HTTPS access, up to 30 TCP connection resources are available.

When necessary, these TCP connections are used by one or more Web browsers to display data of the CP.

●

– 2 connection resources for PG connections

– 10 connection resources for OP connections

The CP 443-1 OPC UA is released for operation with the following CPUs:

●

CPU 400 as of firmware version V5.3

CPUs with a firmware version <V5.3 must be upgraded.

●

CPU 400 as of firmware version V6.0 / V7.0

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 18

Application and functions

Fault tolerant CPUs

SIMATIC PCS 7 CPUs

CPU

Article number

As of firmware version

Standard CPUs

CPU 412-2

6ES7412-2XJ05-0AB0

V5.3

CPU 414-2

6ES7414-2XK05-0AB0

V5.3

6AG1412-2EK06-2AB0

CPU 412-2 PN

6ES7412-2EK07-0AB0

V7.0

CPU 414-3

6ES7414-3XM05-0AB0

V5.3

CPU 414-3 PN/DP

6ES7414-3EM05-0AB0

V5.3

6AG1414-3EM06-7AB0

CPU 414-3 PN/DP

6ES7414-3EM07-0AB0

V7.0

CPU 414F-3 PN/DP *)

6ES7414-3FM06-0AB0

V6.0

CPU 414F-3 PN/DP *)

6ES7414-3FM07-0AB0

V7.0

CPU 416-2

6ES7416-2XN05-0AB0

V5.3

CPU 416F-2 *)

6ES7416-2FN05-0AB0

V5.3

CPU 416-3

6ES7416-3XR05-0AB0

V5.3

6AG1416-3ES06-7AB0

CPU 416F-3 PN/DP *)

6ES7416-3FS06-0AB0

V6.0

CPU 416-3 PN/DP

6ES7416-3ES07-0AB0

V7.0

CPU 416F-3 PN/DP *)

6ES7416-3FS07-0AB0

V7.0

6AG1417-4XT05-4AB0

H CPUs

6AG1412-5HK06-7AB0

6AG1414-5HM06-7AB0

6AG1416-5HS06-7AB0

1.7 Requirements for use

●

CPU 400H as of firmware version V6.0.5

H-CPUs with a firmware version <V6.0.5 must be upgraded where possible.

●

SIMATIC PCS 7 CPU 410-5H as of firmware version V8.1

CPUs with a firmware version <V8.1 must be upgraded where possible.

Table 1- 1 Compatible CPUs

CPU 412-1 6ES7412-1XJ05-0AB0 V5.3

CPU 412-2 PN 6ES7412-2EK06-0AB0

CPU 414-3 PN/DP 6ES7414-3EM06-0AB0

CPU 416-3 PN/DP 6ES7416-3ES06-0AB0

CPU 417-4 6ES7417-4XT05-0AB0

CPU 417-4 6ES7417-4XT07-0AB0 V7.0

V6.0

V5.3

CP 443-1 OPC UA

18 Operating Instructions, 01/2017, C79000-G8976-C427-02

CPU 412-5H

CPU 414-5H

CPU 416-5H

)

6ES7412-5HK06-0AB0

)

6ES7414-5HM06-0AB0

)

6ES7416-5HS06-0AB0

V6.0.5

Page 19

Application and functions

CPU

Article number

As of firmware version

6AG1417-5HT06-7AB0

PCS 7 CPUs ***)

PCS7 CPU 410 Single

6ES7654-5C...-....

V8.1

PCS7 CPU 410 Redundancy

6ES7656-5C...-....

V8.1

PCS7 CPU 410 Redundancy

6ES7656-6C...-....

V8.1

* ** ***) In PCS 7 the CP is only released as an OPC client.

1.7.2

Configuration

STEP 7 configuration software

Security Configuration Tool (SCT)

Finding the components to be installed for the CP

1.7 Requirements for use

CPU 417-5H

PCS7 CPU 410 Single 6ES7654-6C...-.... V8.1

)

Fail-safe communication is not supported by the CP.

)

H communication is not supported by the CP.

To configure the CP, you require one of following configuration tools (alternatives).

● STEP 7 V5.5 + Service Pack 4 + ≥ HF10 + HSP 1104

● STEP 7 Professional V14 + Update 2

)

6ES7417-5HT06-0AB0

V6.0.5

For information on the OPC UA client function of the CP, see section Programming (Page 20)

If you use the security functions for the OPC UA server or client, you require the Security Configuration Tool (SCT) in STEP 7 V5. For the version, see below.

SCT is called in the configuration directly from within STEP 7 V5.

You can find the components on the Siemens Industry Online Support website at the following addresses:

● Service Pack 4 for STEP 7 V5.5

Link: (https://support.industry.siemens.com/cs/ww/en/view/93842624)

● Hotfix 10 for STEP 7 V5.5 SP 4

Link: (https://support.industry.siemens.com/cs/ww/en/view/109738871)

Hot fixes > HF10 can be used where available.

● HSP 1104 for STEP 7 V5.5 + SP 4 + HF10

Link: (https://support.industry.siemens.com/cs/ww/en/view/23183356)

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 20

Application and functions

Installation of the HSP In STEP 7 V5

1.7.3

Programming

Program blocks

Note Using current block versions

We recommend that you always use the latest block versions for all module types. You will find information on the current block versions and the current blocks for on the Internet at the following address:

Link: (

1.7 Requirements for use

● Update 2 for STEP 7 Professional V14

Link: (https://support.industry.siemens.com/cs/ww/en/ps/14673/dl)

● SCT V4.2

Link: (https://support.industry.siemens.com/cs/ww/en/view/109738442)

You can find the the current version and additional information on the Siemens Industry Online Support website at the following address:

Link: (https://support.industry.siemens.com/cs/ww/en/ps/15326)

Install the HSP in STEP 7 / HW Config with the "Options" > "Install Hardware Updates" menu command.

You will find further information in the STEP 7 online help (under "HSP" or "Hardware update"). After installing the HSP, close STEP 7. After restarting STEP 7, the CP is in the catalog of HW Config.

For the OPC UA client function there are program blocks available as the interface in your STEP 7 user program. For this you require:

● In STEP 7 V5

Update the block library "SIMATIC_NET_CP"

Link: (https://support.industry.siemens.com/cs/ww/en/view/109738487)

downloading

https://support.industry.siemens.com/cs/ww/en/ps/21862/dl)

● In STEP 7 Professional

Program blocks (instructions) in the folder "Communication > OPC UA"

To display the block directories open the program editor of STEP 7 for example by double-clicking on OB1 of the S7-400 CPU.

For programming, see section Programming the OPC UA client blocks (Page 79).

CP 443-1 OPC UA

20 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 21

Application and functions

Configuration tool for programming

1.7.4

Web browser for access using HTTPS

1.8

Configuration examples

1.8 Configuration examples

You program the user program of the CPU and the program blocks for the OPC UA client function in STEP 7. Refer to the information on the required STEP 7 version in the section Configuration (Page 19).

For access to the HTML pages on the CP via HTTPS (not HTTP) you require one of the following Web browsers, at least in the specified version:

● Microsoft Internet Explorer Version 10

● Mozilla Firefox Version 38.0.2

● Google Chrome Version 43

Below you will find examples of possible configurations of an S7-400 with CP 443-1 OPC UA.

The communications partner of the CP must always support OPC UA functions that are compatible with those of the CP 443-1 OPC UA.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 22

Application and functions

Logging process data as OPC UA server

1.8 Configuration examples

In this configuration as the OPC UA server, the CP makes manufacturing or process data from S7 stations available to a higher-level system.

Higher level systems can, for example, be PC stations with an OPC UA application, database systems or HMI systems from third-party manufacturers. They must support the OPC UA client service "Read".

Figure 1-1 CP 443-1 OPC UA as OPC UA server

CP 443-1 OPC UA

22 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 23

Application and functions

Forwarding of data from the manufacturing planning as OPC UA server and client

1.8 Configuration examples

In this configuration as the OPC UA server, the CP adopts setting data for manufacturing from a higher-level production control system. When necessary the manufacturing data can be preprocessed on the CPU.

As the OPC UA client, the CP then distributes the manufacturing data using the "Write" service. The production systems can be S7-400 stations or programmable controllers from third-party manufacturers.

Figure 1-2 CP 443-1 OPC UA as OPC UA server and client

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 24

Application and functions

Horizontal data exchange as OPC UA client and server

The CP in H systems

1.8 Configuration examples

In this configuration as OPC UA server and client, the CP exchanges data with other process stations or PC stations. The process stations can also be programmable controllers from third-party manufacturers that support the required OPC UA functions.

Figure 1-3 CP 443-1 OPC UA as OPC UA client and server

The CP 443-1 OPC UA can be operated in H systems. Note the special features and restrictions in section Operating the CP in an H system (Page 14).

CP 443-1 OPC UA

24 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 25

2.1

LEDs

LED name

Meaning

INTF

Internal error

EXTF

External error

BUSF

Bus fault

TXD

Frame traffic (sending) over Ethernet

RXD

Frame traffic (receiving) over Ethernet

SERVER

OPC UA server

CLIENT

OPC UA client

STOP

STOP mode

X1P1

Connection status of Ethernet port 1

Symbol Meaning

OFF

Flashing

any

The display on the front panel consists of the following LEDs that indicate the operating mode and communications status.

Figure 2-1 LEDs of the CP

The LEDs have the following meaning:

RUN RUN mode

Table 2- 1 Legend for the following tables

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 26

LEDs and connectors

INTF (red)

EXTF

(red)

BUSF

(red)

SERVER

(green)

CLIENT

(green)

RUN

(green

)

STOP

(yellow)

Meaning

Operating status

on the CP remain possible.

Error/fault states

not obtainable.

OPC UA configuration

2.1 LEDs

Table 2- 2 Operating statuses, errors/faults, OPC configuration, firmware update

Loading the firmware after power ON

- -

- - - - Duplicate IP address detected during CP operation.

- - -

- -

Starting up (STOP->RUN)

Running (RUN)

Stopping (RUN->STOP)

Stopped (STOP) In STOP mode, configuring and performing diagnostics

STOP with internal error or memory reset. (for example IP duplicate addressing detected during

startup of the CP in network) If the CP has a valid IP address, the following applies in

this status:

• The CPU or intelligent modules in the rack remain accessible using PG functions (over MPI or the ISO protocol).

• Access using SNMP or HTTPS is not possible.

RUN with external error. One or more partner devices are

• A duplicate IP address was detected after the CP was in the RUN status.

- - -

- - - -

CP 443-1 OPC UA

26 Operating Instructions, 01/2017, C79000-G8976-C427-02

• Difference in the transmission medium or the network settings between the configuration and the actual system

Module fault / system error

- - - OPC server enabled in the configuration

- - - OPC server disabled in the configuration

- - OPC client enabled in the configuration

- - OPC client disabled in the configuration

Page 27

LEDs and connectors

INTF (red)

EXTF

(red)

BUSF

(red)

SERVER

(green)

CLIENT

(green)

RUN

(green

)

STOP

(yellow)

Meaning

Firmware update

Web diagnostics.

(STOP LED and RUN LED flash alternately)

Communication status of the CP (TXD, RXD, X1P1)

LED

Display

Meaning

TXD (green)

RXD (green)

X1P1

receiving.

Module identification with flashing LED

2.2 Power supply

Firmware activation during startup:

- -

(green / yellow)

CP sending over Ethernet.

CP is receiving over Ethernet.

Port has no connection over Ethernet.

Existing connection of the port to Ethernet

LED flashes yellow (constant light green): Port is sending /

Permanent data traffic at the port

Loading using the Firmware Loader is active. Note: Does not apply to loading via the update center in

The firmware download was aborted.

With the help of Web diagnostics or the online functions of STEP 7, you can search for and identify the module in the rack. The options for this are as follows:

● In Web diagnostics

You click the "Flash" button in the update center.

● In STEP 7

You click the "Flash" button in the "Browse network" dialog

When the "Identify" or "Flash" button is clicked, the port LED X1P1 flashes briefly.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 28

LEDs and connectors

2.2

Power supply

2.3

Ethernet interface X1P1

Ethernet interface

2.2 Power supply

The CM is supplied with power from the backplane bus. It does not require a separate power supply.

The CP has an Ethernet interface (RJ-45 jack) complying with the gigabit standard IEEE 802.3ab. This supports autocrossing, autonegotiation and autosensing.

For special situations, each port can be set to a fixed mode manually using STEP 7, for example 10 or 100 Mbps half duplex / full duplex.

The pin assignment and other data relating to the Ethernet interface can be found in the section Technical specifications (Page 127).

CP 443-1 OPC UA

28 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 29

3.1

Important notes on using the device

Safety notices on the use of the device

3.1.1

Safety requirements for installation

WARNING

Safety requirements for installation

3.1.2

Notes on use in hazardous areas

WARNING

Safety requirements for installation

Note the following safety notices when setting up and operating the device and during all associated work such as installation, connecting up or replacing the device.

The devices are "open equipment" according to the standard IEC 61010-2-201or UL 508 / CSA C22.2 No. 142. To fulfill requirements for safe operation with regard to mechanical stability, flame retardation, stability, and protection against contact, the following alternative types of installation are specified:

• Installation in a suitable cabinet.

• Installation in a suitable enclosure.

• Installation in a suitably equipped, enclosed control room.

The devices are "open equipment" according to the standard IEC 61010-2-201. To fulfill requirements for safe operation with regard to mechanical stability, flame retardation, stability, and shock-hazard protection, the following alternative types of installation are specified:

• Installation in a suitable cabinet.

• Installation in a suitable enclosure.

• Installation in a suitably equipped, enclosed control room.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 30

Installation, connecting up, commissioning

WARNING

EXPLOSION HAZARD

WARNING

Power supply

WARNING

EXPLOSION HAZARD

WARNING

EXPLOSION HAZARD

WARNING

3.1 Important notes on using the device

The device may only be operated in an environment with pollution degree 1 or 2 (see IEC 60664-1).

The device must not be opened.

The equipment is designed for operation with Safety Extra-Low Voltage (SELV) by a Limited Power Source (LPS).

This means that only SELV / LPS complying with IEC 60950-1 / EN 60950-1 / VDE 0805-1 must be connected to the power supply terminals. The power supply unit for the equipment power supply must comply with NEC Class 2, as described by the National Electrical Code (r) (ANSI / NFPA 70).

DO NOT CONNECT OR DISCONNECT EQUIPMENT WHEN A FLAMMABLE OR COMBUSTIBLE ATMOSPHERE IS PRESENT.

SUBSTITUTION OF COMPONENTS MAY IMPAIR SUITABILITY FOR CLASS I, DIVISION 2 OR ZONE 2.

When used in hazardous environments corresponding to Class I, Division 2 or Class I, Zone 2, the device must be installed in a cabinet or a suitable enclosure.

CP 443-1 OPC UA

30 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 31

Installation, connecting up, commissioning

3.1.3

Notes on use in hazardous areas according to ATEX / IECEx

WARNING

Requirements for the cabinet

WARNING

3.1.4

Notes on use in hazardous areas according to UL HazLoc

WARNING

EXPLOSION HAZARD

3.1 Important notes on using the device

To comply with EC Directive 94/9 (ATEX95) or the conditions of IECEx, this enclosure or cabinet must meet the requirements of at least IP54 in compliance with EN 60529.

If the cable or conduit entry point exceeds 70 °C or the branching point of conductors exceeds 80 °C, special precautions must be taken. If the equipment is operated in an air ambient in excess of 50 °C, only use cables with admitted maximum operating temperature of at least 80 °C.

Take measures to prevent transient voltage surges of more than 40% of the rated voltage. This is the case if you only operate devices with SELV (safety extra-low voltage).

DO NOT DISCONNECT WHILE CIRCUIT IS LIVE UNLESS AREA IS KNOWN TO BE NON-HAZARDOUS.

This equipment is suitable for use in Class I, Division 2, Groups A, B, C and D or nonhazardous locations only.

This equipment is suitable for use in Class I, Zone 2, Group IIC or non-hazardous locations only.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 32

Installation, connecting up, commissioning

3.1.5

Notices on use in hazardous areas according to FM

WARNING

EXPLOSION HAZARD

WARNING

EXPLOSION HAZARD

3.2

Installing and connecting up the CP

Rack / slots

Installing and connecting up the CP

Note Note the installation guidelines

When installing and connec

3.2 Installing and connecting up the CP

You may only connect or disconnect cables carrying electricity when the power supply is switched off or when the device is in an area without inflammable gas concentrations.

This equipment is suitable for use in Class I, Division 2, Groups A, B, C and D or nonhazardous locations only.

This equipment is suitable for use in Class I, Zone 2, Group IIC or non-hazardous locations only.

The equipment is intended to be installed within an ultimate enclosure. The inner service temperature of the enclosure corresponds to the ambient temperature of the module. Use installation wiring connections with admitted maximum operating temperature of at least 30 ºC higher than maximum ambient temperature.

The CP can be plugged into all racks with slots for P and K bus attachment.

With the exception of the slots reserved for the power supply, the CP can be operated in all slots with a P and K bus attachment.

When using the universal rack UR1 or UR2 as an expansion rack, a communication bus coupling is necessary!

Follow these steps:

1. Turn off the power supply to the station.

2. Fit in the CP onto the rack from the top and push in at the bottom.

ting up the CP note the instructions in the manual /3/ (Page 134).

CP 443-1 OPC UA

32 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 33

Installation, connecting up, commissioning

3.3

Commissioning the CP

Requirements

Commissioning

Initial addressing and downloading

3.3 Commissioning the CP

3. Secure the CP with screws.

4. Turn on the power supply.

5. Connect the CP to Industrial Ethernet via the RJ-45 jack.

For operation on the Ethernet network, not section Network settings (Page 43).

Result: The CP is installed in the rack and the interface has been networked.

Requirements for the full commissioning of the CP are as follows:

● Configuration

You have configured the CP in a STEP 7 project for the properties and services you want to use.

See section Configuration and operation (Page 35) for information on this.

● Programming

If you want to use the OPC client function of the CP, you need to have created and programmed the program blocks required for this on the CPU.

See section Programming the OPC UA client blocks (Page 79) for information on this.

Commissioning involves the following:

● The initial addressing of the CP via LAN (node initialization)

● Downloading configuration data via LAN

Use the diagnostic functions of the CP during commissioning and to analyze problems, see section Diagnostics options (Page 119).

To download, follow the steps outlined below:

Connect the CP to the PG for initial addressing and for downloading via the LAN.

The PG / PC requires a LAN attachment, for example via a CP 1613 or CP 1411 and must have the necessary software (for example the S7-1613 package or SOFTNET IE). The TCP/IP protocol must be installed. The protocol used must then be applied to the S7ONLINE access point.

You will find further details in the manual /2/ (Page 133).

If you assign the IP address to the CP via DHCP, note the information in the section "Options" tab: Effects of protection levels (Page 52).

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 34

Installation, connecting up, commissioning

3.3 Commissioning the CP

CP 443-1 OPC UA

34 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 35

4.1

Controlling the mode

Changing the mode

STOP → RUN

RUN → STOP

4.2

Security recommendations

General

You can change the mode of the CP between RUN and STOP using STEP 7 or using STEP 7 special diagnostics.

During startup, the CP adopts configured and/or downloaded data in the work memory and then changes to RUN mode.

The CP changes to STOP (transitional phase with LED display "Stopping").

The reaction is as follows in STOP:

● Established connections (OPC UA) are terminated

● The following the functions are disabled:

– Time-of-day synchronization

● The following functions remain enabled:

– The configuration and diagnostics of the CP (system connections for configuration,

diagnostics, and PG channel routing are retained);

– Web diagnostics

Keep to the following security recommendations to prevent unauthorized access to the system.

● You should make regular checks to make sure that the device meets these recommendations and other internal security guidelines if applicable.

● Evaluate your plant as a whole in terms of security. Use a cell protection concept with suitable products.

● Do not connect the device directly to the Internet. Operate the device within a protected network area.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 36

Configuration and operation

Physical access

Network attachment

Security functions of the product

4.2 Security recommendations

● Keep the firmware up to date. Check regularly for security updates of the firmware and use them.

● Check regularly for new features on the Siemens Internet pages.

– Here you will find information on network security:

Link: (http://www.siemens.com/industrialsecurity)

– Here you will find information on Industrial Ethernet security:

Link: (http://w3.siemens.com/mcms/industrial-communication/en/ie/industrial-ethernet-

security/Seiten/industrial-security.aspx)

– You will find an introduction to the topic of industrial security in the following

publication:

Link: (http://w3app.siemens.com/mcms/infocenter/dokumentencenter/sc/ic/InfocenterLangu

agePacks/Netzwerksicherheit/6ZB5530-1AP020BA4_BR_Network_Security_en_112015.pdf)

Restrict physical access to the device to qualified personnel.

Do not connect the PC directly to the Internet. If a connection from the CP to the Internet is required, arrange for suitable protection before the CP, for example a SCALANCE S with firewall.

Use the options for security settings in the configuration of the product. These includes among others:

● Protection levels

– Configure a protection level of the CPU.

– Configure the protection level "Status-dependent".

● Security function of the communication

– Enable the Security functions of the CP (HW Config).

– Enable secure OPC UA communication via a Security profile (SCT).

– Disable access to the Web server of the CPU (CPU configuration) and on the CP

(SCT).

CP 443-1 OPC UA

36 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 37

Configuration and operation

Know-how protection of blocks (STEP 7 V5)

Know-how protection of blocks (STEP 7 Professional)

Passwords

4.2 Security recommendations

● Protection of the passwords of the OPC UA client program blocks

Protect the passwords stored in data blocks for the client blocks from being viewed. The procedure is described below.

● Logging function

Enable the function in the Security configuration and check the logged events regularly for unauthorized access.

You can prevent the contents of data blocks (e.g. passwords) being read out by protecting the block with the "KNOW_HOW_PROTECT" option. Follow the steps outlined below in STEP 7:

1. Select the DB in the block folder.

2. Open the block in the editor.

3. Close the block in the editor.

4. Generate a source from the block in the editor.

5. Select the source of the DB in the sources folder.

6. Open the source.

7. Insert an empty line in the header of the source and write "KNOW_HOW_PROTECT" in

this line.

8. Compile the source.

Result: The block is protected. You can recognize this by the padlock symbol in the block folder.

If you want to change parameters, for example a password, in a DB later, remember the following; The contents of a DB with know-how protection are no longer visible and can only be changed via the source or by direct assignment of parameters.

You will find information on the procedure in the STEP 7 information system under the keyword "Know-how protection".

● Define rules for the use of devices and assignment of passwords.

● Regularly update the passwords to increase security.

● Only use passwords with a high password strength. Avoid weak passwords for example

"password1", "123456789" or similar.

● Make sure that all passwords are protected and inaccessible to unauthorized personnel.

See also the preceding section for information on this.

● Do not use one password for different users and systems.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 38

Configuration and operation

Protocols

Secure and non-secure protocols

Table: Meaning of the column titles and entries

Protocol / function

Port number (protocol)

Default of the port

Port status

Authentication

Protocol / function

Port number (protocol)

Default of the port

Port status

Authentication DHCP

67 (UDP)

Open

DCP

DCE server is enabled.

enabled.

OPC UA server port

4.2 Security recommendations

● Only activate protocols that you require to use the system.

● Use secure protocols when access to the device is not prevented by physical protection

measures.

The NTP protocol provides a secure alternative with NTP (secure).

The following table provides you with an overview of the open ports on this device.

●

Protocols that the device supports.

●

Port number assigned to the protocol.

●

– Open

The port is open at the start of the configuration.

– Closed

The port is closed at the start of the configuration.

●

– Open

The port is always open and cannot be closed.

– Open according to configuration

The port is open if it has been configured.

– Open (login, when configured)

As default the port is open. After configuring the port, the communications partner needs to log in.

●

Specifies whether or not the protocol authenticates the communications partner during access.

93 (UDP) Open Open No 135 (TCP) Open when the

CP 443-1 OPC UA

38 Operating Instructions, 01/2017, C79000-G8976-C427-02

4840 (or individually confgured) (TCP)

Open when the server is enabled.

Open after configuration (server) Yes, when security is

enabled.

Page 39

Configuration and operation

Protocol / function

Port number (protocol)

Default of the port

Port status

Authentication NTP

123 (TCP)

Closed

Open after configuration

HTTPS

SNMP

161 (UDP)

Open

Open after configuration

Yes (with SNMPv3)

4.3

Overview of the configuration

Configuration in STEP 7

Overview of configuration of the CP

4.4

Access to process data of the CPU

Process data in the memory areas of the CPU

Addressing the process values using symbols

4.3 Overview of the configuration

443 (TCP) Closed Open after configuration Yes

You configure the CP in STEP 7 V5 or STEP 7 Professional. You will find the required version in the section Configuration (Page 19).

1. Create a STEP 7 project.

2. Create the required S7-400 stations and networks.

3. Insert the suitable CPUs and the remaining required modules.

4. Insert the CPs in the relevant stations.

5. Configure the CPs.

The online help or the information system of STEP 7 supports you when doing this.

You will find special features of the configuration of the OPC UA functions and further specific properties of the CP described in the following sections.

The OPC UA client communication is handled using program blocks. See section Programming the OPC UA client blocks (Page 79) for information on this.

The process data that the CP makes available to the OPC UA services is located in the memory areas of the assigned CPU of the station in question.

The you will find the permitted memory areas of the CPU and the supported data types in the section Data types (Page 40).

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

The process data to be transferred via the OPC UA services, can be addressed as symbols. Process data for the OPC UA services must be created as symbols in the symbol table of the CPU.

Page 40

Configuration and operation

Syntax of the symbol names

Configuration of PLC tags / symbols for OPC UA applications

4.5

Data types

Data types and memory areas

Note I/O areas

I/O areas are only supported by the OPC UA server.

I/O areas are supported only when configuring with STEP 7 V5.

4.5 Data types

The symbol name is included in the NodeID of an item as part of the identifier, see section Properties of the OPC UA server (Page 76).

For the names of symbols to be used for OPC UA, the ASCII characters no. 32 .. 126 (0x20 .. 0x7e) are permitted.

ASCII characters are converted to the format UTF-8 in the server application of the CP.

To be able to use PLC tags / symbols for OPC UA these are indicated as being "visible" (STEP 7 V5) or "can be reached from HMI/OPC UA" (STEP 7 Professional)

Each PLC tag configured with this attribute is included in the maximum supported configuration limits of the CP. Remember this particularly when configuring entire arrays.

The CP 443-1 OPC UA supports the data types listed below for process data.

The corresponding symbols on the CPU are permitted for the operand areas listed. The memory areas have the following abbreviations. The short forms in brackets are abbreviations depending on the mnemonics set (German/English).

● I = Process input image (E/I)

● Q = Process output image (A/Q)

● PI = I/O area inputs (PE/PI)

● PQ = I/O area outputs (PA/PQ)

● M = Memory bit

● DB = Data block / system data block / instance data block

CP 443-1 OPC UA

40 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 41

Configuration and operation

Size [bit], type

Area

Data type

Remark

Operand area of the CPU

SIMATIC S7

IEC 61131-3

OPC UA

Numbers

32 .. 255

UINT

UDINT

2147483648 .. DB

±1.175 495e-38 ..

3.402823e+38

Time and date

help of STEP 7.

D#1990-1-1 ..

(0 .. 65378)

TOD#0:0:0.0 ..

(0 .. 86399999)

2147483647)

Complex data types

help of STEP 7.

254 * 8

STRING *

STRING

String

Max. 254 bytes user data

data types

groups

* For the coding see below.

4.5 Data types

Table 4- 1 Data types

1 0 .. 255 BOOL BOOL Boolean 0 = false

1 .. 255 = true

8, UInt8 0 .. 255 BYTE BYTE,

USINT

8, UInt8 0 .. 255 CHAR CHAR Byte ASCII characters

16, UInt16 0 .. 65535 WORD WORD,

16, Int16 -32768 .. 32767 INT INT Int16 I, Q, PI, PQ, M,

32, UInt32 0 .. 4294967295 DWORD DWORD,

32, Int32

2147483647

32, Float

16, UInt16 0 .. 999 S5TIME TIME UInt16 SIMATIC time

16, UInt16

D#2168-12-31

DINT DINT Int32 I, Q, PI, PQ, M,

REAL REAL Float DB

DATE DATE UInt16 IEC date [d] DB

Byte I, Q, PI, PQ, M,

UInt16 I, Q, PI, PQ, M,

UInt32 I, Q, PI, PQ, M,

For the coding see online

I, Q, PI, PQ, M, DB

DB I, Q, PI, PQ, M,

32, UInt32

ARRAY * Multidimensional field of

UDT * User-defined data type

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

TOD#23:59:59.999

-24D_20H_31M_ 23S_648MS .. T#24D_20H_31M_ 23S_647MS

(-2147483648 ..

1990-1-1-0:0:0.0 .. 2089-12-3123:59:59.999

TIME_OF_ DAY (TOD)

TIME TIME UInt32 IEC time [ms] DB

DATE_AND_ TIME

TIME_OF_ DAY

DT DATE_ AND_TIM E

UInt32 Time of day [ms] DB

UInt32+ UInt32

Date and time of day For the coding see online

elementary or complex

for specific parameter

Page 42

Configuration and operation

Special features of complex data types

STRING

Special features of the OPC UA server

Special features of the OPC UA client

ARRAY

Special features of the OPC UA client

Special features of the OPC UA server

UDT

4.5 Data types

You will find a general description of the coding of the data types in the STEP 7 online help.

With the complex data types used by the OPC UA function of the CP. the special coding rules apply that are described below.

A STRING can contain a maximum of 254 characters.

ASCII characters from the range 32 (0x20) .. 255 (0xFF) are permitted.

Of these, the following characters are not permitted: 127 (0x7F), 129 (0x81), 141 (0x8D), 143 (0x8F), 144 (0x90), 157 (0x9D)

The characters are coded in the format UTF-8 in the OPC UA server of the CP.

With process data with the data type STRING that are referenced by the "UAAnyPointer", the data type "2" (BYTE) is specified.

As the repetition factor in the UAAnyPointer always select the maximum value of 256 (0x100); 254 for the user data + 2 for the header.

The client program blocks support only the transfer of one dimensional arrays from the memory area "DB".

The transfer of the data type "ARRAY of BOOL" is not supported by the client program blocks.

With a ARRAY of STRING, with the limits of the dimension of every string element the maximum length (256) must be specified "n" times, where "n" is the number of strings in the array.

The data type "ARRAY of BOOL" is readable in all cases.

The data type "ARRAY of BOOL" can only be written when the length is a multiple of 8.

You will find the structure of the UDTs required by the program blocks for the OPC UA client function in the description of the relevant block, see for example UDT757 UAAnyPointer (Page 99).

CP 443-1 OPC UA

42 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 43

Configuration and operation

Parameter types

4.6

Interface configuration

4.6.1

Network settings

Transmission speed

Automatic setting or individual network settings

Autocrossing mechanism

Note Manual configuration

If you have set the port to manual configuration and select the "Disable autonegotiation" option, the autocrossing mechanism is also dis an end device that does not have the autocrossing mechanism do not use a crossover cable.

STEP 7 special diagnostics and Web diagnostics display the network setting

4.6 Interface configuration

The parameter types "TIMER" and "COUNTER" are only supported for the OPC UA server of the CP.

If you want to use transmission speed 1 Gbps, leave the interface set to "Automatic setting".

The connection partner must also be configured with "1 Gbps full duplex" or with "Automatic setting". If the connection partner does not support gigabit Ethernet, the data will be transferred at the next lower speed (100 or 10 Mbps).

The port of the CP supports autosensing.

In normal situations, the basic setting ensures troublefree communication. You should only change this in exceptional situations.

If you create a manual configuration for the CP and disable the autonegotiation option, the automatic negotiation of the network settings (autonegotiation) is no longer effective. If, on the other hand, the communications partner works with autonegotiation, it is not certain that communication will be established.

With the integrated autocrossing mechanism of the interface, it is possible to use a standard cable for the connection between the CP and the PC/PG. A crossover cable is not necessary.

abled for the port. For this reason to connect

Diagnostics of the port settings for the CP described here is possible using the entries in the diagnostics buffer using SNMP, using special diagnostics, and the LED displays.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 44

Configuration and operation

Further notes:

4.6.2

Restart after detection of a duplicate IP address in the network

Behavior during operation (CP in RUN)

4.6 Interface configuration

You will find information on the currently used network settings here:

● In special diagnostics under the diagnostics object "Industrial Ethernet" in the "Network Connection" group box

● in STEP 7 with the menu command "PLC > Module Information"

● In Web diagnostics

● 10/100 Mbps network components without "autonegotiation"

If you use 10/100 Mbps network components that do not support "Autonegotiation", it is possible that you will have to set the mode manually.

● Fixed mode instead of "Automatic setting"

If for certain applications, you require fixed network settings instead of the automatic setting, you will need to match up the partner devices.

● No reaction to Autonegotiation query with manual configuration

Remember that if you configure the CP manually and the "Autonegotiation" option is disabled, it will not react to an autonegotiation query! As a result, a connected partner may not be able to set the required mode and communication will not be ideal.

● Recommendation: Load individual network settings only using MPI

If you modify the network settings in the properties dialog of the port ("Options" tab) using the "Transmission medium / Duplex" drop-down list, these changes will be adopted by the CP and activated when the configuration data is downloaded to the target system. In some situations, the device may then no longer be obtainable over Ethernet or the running load action is not completed due to configuration changes taking immediate effect and an inconsistent configuration is reported.

If you have set network properties manually we therefore recommend that you download configuration data to the S7 station over an MPI connection.

To save you timeconsuming troubleshooting in the network, the CP detects double addressing in the network.

If the CP detects double addressing on the network (new node with an IP address that has already been assigned), a message is generated in the diagnostics buffer and the bus fault LED lights up.

To acknowledge the bus fault LED in RUN mode, set the CP to STOP and then restart it.

After the device with the duplicate IP address has been removed from the network, the bus fault LED goes off automatically.

CP 443-1 OPC UA

44 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 45

Configuration and operation

Behavior when the CP starts up

4.7

Configuration of the CP in STEP 7 V5

4.7.1

"Addresses" tab

Assignment to the CPU

4.7.2

"SNMP" Tab

SNMP

SNMPv1

Type of access

Community string for authentication *)

Read access

public

*) Note the use of lowercase letters!

SNMPv3

4.7 Configuration of the CP in STEP 7 V5

If duplicate addressing is detected when the CP starts up, the CP remains in STOP. The bus fault LED is lit and a diagnostics buffer entry is generated. The CP only starts up after the duplicate addressing problem has been eliminated.

If you operate several CPUs in the station in which the CP 443-1 OPC UA is located, you need to assign the CP to a specific CPU.

To do this in the table "CPU assignment" select the CPU that the CP will be assigned to for OPC UA communication.

The CP supports the following SNMP versions:

●

Available with security functions disabled.

Note that with this read and write access to the module is possible. In this case, other settings are not possible.

In the presettings, the CP uses the following community strings to authenticate access to its SNMP agent via SNMPv1:

Read and write access private

Free configuration of the community strings is only possible if the security functions are enabled.

●

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Available only when security functions are enabled

The range of functions of the CP can be found in the section SNMP (Page 120).

Page 46

Configuration and operation

Configuration

"Enable SNMP"

"Start of SNMP configuration"

"Use SNMPv1"

"Use SNMPv3"

"Start of user administration"

4.7 Configuration of the CP in STEP 7 V5

Requirement for configuring the parameters described below is the activation of the security functions, see section "Security" Tab (Page 47).

If the security functions are enabled, you have the following selection and setting options.

If the option is enabled, communication via SNMPv1 is enabled on the device.

If the option is disabled, queries from SNMP clients are not replied to either via SNMPv1 or via SNMPv3.

To be able to make further settings, click the "Run" button under the following entry.

If you click the "Run" button, the SCT window for SNMP configuration opens.

●

Enables the use of SNMPv1 for the CP. The following community strings need to be sent along with access to the CP via SNMPv1.

– "Read community string"

The string is required for read access. Leave the preset string or configure a string.

– "Allow write access"

If the option is enabled write access to the CP is released and the corresponding community string can be edited.

– "Writing community string"

The string is required for write access and can also be used for read access. Leave the preset string or configure a string.

●

Enables the use of SNMPv3 for the CP. The following algorithms need to be configured for encrypted access to the CP via SNMPv3.

– "Authentication algorithm"

Select the authentication method to be used from the drop-down list.

– "Encryption algorithm"

Select the encryption method to be used from the drop-down list.

Note the information on security of the possible algorithms in the online help of the SCT.

If you click the "Run" button the SCT user management opens. There assign the role to the various users.

Below the properties of the roles you can see the rights list of the particular role, for example the various types of access using SNMP. For new roles, you can freely configure individual rights.

You will find information on users, roles and the password policy in the online help of the SCT.

CP 443-1 OPC UA

46 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 47

Configuration and operation

"Security" Tab

Enabling the Security functions

Requirement for configuring the Security functions

"Security configuration"

Enable security

Note Loss of the Security configuration

If you disable the "Activate security" check box again after saving a Security configuration, this has the

•

4.7 Configuration of the CP in STEP 7 V5

Configuration in the SCT (Page 55)

In this tab, you can enable the Security functions of the CP.

The enabling of the Security functions releases additional parameters in the following further tabs of the properties dialog.

● SNMP

● Web (The entire tab is blocked if the Security functions are siabled.)

● Time-of-day synchronization

● OPC UA

The Security Configuration Tool (SCT) is installed. You will find the required version in the section Configuration (Page 19).

If the option is disabled, the Security parameters in other tabs are disabled. As a result only non secure protocol variants (NTP, SNMPv1, HTTP) are supported.

To be able to make Security settings, select the "Enable security" check box. Result:

● The Security functions in the individual tabs become active.

● The "Edit" > "Security Configuration Tool" menu becomes active.

You configure further Security functions in the SCT.

following effects:

Alll theSecurity settings you have made are lost and you will need to make them again if

you enable the check box again.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

The CP is no longer displayed in the SCT. The settings for users and time-of-day synchronization that existed prior to enabling

Security are restored.

Page 48

Configuration and operation

Start of security configuration

Security settings in SCT

Relevant SCT tab

Time-of-day synchronization

Log settings

SNMP

OPC UA

Certificate validation

S7 communication

4.7.4

"Diagnostics" Tab

Requirement

4.7 Configuration of the CP in STEP 7 V5

If you click the "Run" button, the SCT opens.

Make the Security settings of the CP in the SCT in the flowing tabs:

●

Configuration of the server and parameters for NTP and NTP (secure).

●

Configuration of the parameters of SNMPv1 or SNMPv3

●

Configuration of

– Authentication of the OPC UA server

– Encryption of the data

– Write protection for the data areas of the CPU

●

Settings for checking the certificates

●

Settings for protecting access to diagnostics data and the backplane bus

For details, see section Configuration in the SCT (Page 55).

From the "Diagnostics" tab, you have the alternative of starting the following for the CP:

● Special diagnostics

● Web diagnostics

You will find more detailed information on the functions in the manual /2/ (Page 133).

Establish a physical connection between the programming device and the SIMATIC S7 station and set the PG/PC interface so that the CP is accessible. Further help is available in the "Set PG/PC Interface..." function (Start menu > Setting the PG-PC Interface).

CP 443-1 OPC UA

48 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 49

Configuration and operation

"Start of special diagnostics"

"Start of Web diagnostics"

"Access via"

Notes on Security configuration

4.7.5

"Web" Tab

Requirement

"Activate Web server"

4.7 Configuration of the CP in STEP 7 V5

When you click the "Run" button NCM Diagnostics is started as a separate program.

As an alternative to starting the program from the Properties dialog, open the program with:

Windows Start menu> Program group Siemens Automation > SIMATIC > STEP 7 > NCM S7 > Diagnostics

When you click the "Run" button the result of the module diagnostics is displayed in the Web browser. The content is supplied by the integrated HTTP server of the CP.

●

Select the interface via which the CP can be reached. The configured IP address of the CP is shown.

You can also enter an IP address.

● If the Security functions are disabled, the Web server of the CP is dsiabled.

If the Web server is enabled, the following applies:

● The data is transferred encrypted.

● The "Access to Web diagnostics" right must be activated for the user.

A requirement for the configuration and use of the Web functions of the CP is the activation of the Security functions.

The CP provides you with the functionality of a web server for access by means of a web browser. On these HTML pages you will find diagnostics information and service functions.

Enable this option in order to be granted access to these HTML pages. This enables port 443 (HTTPS) of the CP.

You will find more information on Web diagnostics in the manual /2/ (Page 133).

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 50

Configuration and operation

"Options of Web diagnostics"

"Download firmware via Web"

"Reload of language files for the diagnostics displays via Web"

"Automatic update"

"Enable"

"Update interval"

"Security configuration"

"Allow access only via HTTPS"

"Start of user administration"

4.7.6

"Time-of-day synchronization" tab

Synchronization method

Note Recommendation for setting the time

If the infrastructure of your project allows, synchronization with a external clock at intervals of approximately 10 seconds is recomm between the internal time and the absolute time.

4.7 Configuration of the CP in STEP 7 V5

●

By enabling the option, the function for downloading the firmware of the CP from the download center is enabled in the Web server.

●

Diagnostics displays of the CP are shown in plain language in the Web diagnostics buffer. These displays are language speecific.

Enable the option, to enable the function for reloading missing language files from the download center in the Web server.

●

If the option is enabled, the CP updates the displayed Web pages regularly.

●

If the option is enabled, enter the interval here at which the CP updates the displayed Web pages.

Range of values: 1..999 s

●

If the option is enabled Web data is only transferred encrypted vai HTTPS. The option is enabled as default and cannot be disabled.

●

If you click the "Run" button the SCT user administration opens. In the rights administration, specify which users with which roles have access to the module via HTTPS.

For details, see section Configuration in the SCT (Page 55).

ended. This achieves as small a deviation as possible

CP 443-1 OPC UA

50 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 51

Configuration and operation

NAT configuration: Unsynchronized NTP server

Setting the SYA bit when synchronizing via NTP

4.7 Configuration of the CP in STEP 7 V5

The CP supports the following methods of time-of-day synchronization:

● SIMATIC mode

The SIMATIC mode cannot be configured.

If you leave the time-of-day synchronization via NTP disabled, the SIMATIC mode is enabled automatically on the CP. In this case, the CP can only adopt the time of day from the station.

Note that with the CP as OPC UA server when using the SIMATIC mode the time is not displayed as UTC but as the local time of the station.

● NTP

If the option is enabled and the Security functions disabled, the CP synchronizes its time of day via NTP.

When NTP is enabled, the CP as OPC UA server displays the time of day in the UTC format.

You configure the synchronization method, the local time zone of the station, the synchronization interval and the addresses of the NTP servers.

● NTP (secure)

If the security functions are enabled, the time of day can be synchronized via NTP (secure).

The secure method NTP (secure) uses authentication with symmetrical keys according to the hash algorithms MD5 or SHA-1.

If the "Accept time of day from non-synchronized NTP servers" option is enabled, the CP also accepts the time from NTP servers that are not synchronized with a stratum 16.

If the option is disabled, the response is as follows:

If the CP receives a time of day frame from an unsynchronized NTP server with stratum 16, the time of day is not set according to the frame. In this case, none of the NTP servers is displayed as "NTP master" in the diagnostics; but rather only as being "reachable".

If the time is forwarded to the CPU, with each time frame the CP sets bit 0 of the time status word (SZL-ID 132, index 8). The status bit indicates on the CPU whether the time is synchronized with the external time master.

If you evaluate the time status using SFC 51 "RDSYSST", configure a synchronization cycle shorter than 3 minutes. This avoids the status bit being reset cyclically by the CPU after 3 minutes if NTP servers are unreachable or not synchronized.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 52

Configuration and operation

"Security configuration"

"Expanded NTP configuration"

"Run..."

4.7.7

"Options" tab: Effects of protection levels

Module access protection on the CP

Protection levels of the CPU

Initialization of the CP / assigning an IP address using a different method

No PST with IP configuration using DHCP

4.7 Configuration of the CP in STEP 7 V5

If the security functions are enabled, further settings are possible.

●

Enable this option to be able to configure the security functions for time-of-day synchronization.

●

If you click the button, the SCT opens with the dialog box for NTP configuration. In this dialog box, NTP servers already created in STEP 7 are displayed that can also be edited there. You can also create and configure NTP servers of the type NTP (secure).

For details, see section Configuration in the SCT (Page 55).

With this option, you can protect the CP from accidental or unauthorized access. The following options can be selected in the drop-down list:

● Not locked

● Status-dependent

In this setting read access for diagnostic purposes is possible.

The following actions are only possible when either the CPU or the CP is in the STOP state:

– Changing the operating status of the CP (RUN → STOP)

– Resetting / memory reset

Note the additional restriction if a protection level of the CPU is enabled.

– Loading firmware using the Firmware Loader.

Further restrictions on access to the CP result from configuring a protection level for the CPU.

If you configure a protection level ≥ 2 in the configuration of the CPU ("Options” tab), this has

the following effects on the operation of the CP:

●

Using the Primary Setup Tool (PST) you can only assign an IP address to the CP once.

●

If you have configured the setting of the IP addresses of the CP from a DHCP server, you cannot assign an IP address to the CP with the Primary Setup Tool (PST).

CP 443-1 OPC UA

52 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 53

Configuration and operation

Resetting / memory reset

4.7.8

"OPC UA" tab

"Enable OPC UA server"

"Enable OPC UA client"

"Application name"

"Server settings"

"URL"

"URI of the application"

4.7 Configuration of the CP in STEP 7 V5

●

It is not possible to reset or to reset the memory of the CP.

Remove the protection level of the CPU to take this action.

In this tab, you enable the OPC UA server or client function of the CP. You also configure the parameters of the server function.

Enable this option to enable the function of an OPC UA server on the CP.

Enable this option to enable the function of an OPC UA client on the CP.

You specify the remaining settings for the client function using the program blocks FB230 to FB236 of the library "SIMATIC_NET_CP" see section Programming the OPC UA client blocks (Page 79).

Name of the OPC UA application of the CP. The application name is required to identify the OPC UA name space of the station and must be unique within the project for every CP.

The default application name for the CP is:

Siemens:SIMATIC-S7-CP443-1:OPC-UA

Change the application name so that the name is unique for every CP in the STEP 7 project.

Here, you configure the parameters of the server application.

●

Display of the URL with the following parts: <Protocol part>://<IP address>:<Port number>

If obtaining the IP address via DHCP was enabled for the interface of the CP, the IP address displayed in the URL is replaced by <

dynamic

●

Display of the server URI of the CP with the following parts: <Protocol part>:<Application name of the server>:<Globally Unique Identifier (GUID)>

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 54

Configuration and operation

"Default port"

"Minimum sampling interval"

"Minimum supported publishing interval"

"Use symbols"

"All symbols"

"Configured symbols"

"Configure ..."

4.7 Configuration of the CP in STEP 7 V5

●

Here, you can change the port number of the application. As default port number 4840 is used, the standard TCP port for the OPC UA binary protocol.

Permitted port numbers are as follows:

– 2000 .. 4499

– 4501 .. 34963

– 34965 .. 49151

●

Here you set the minimum sampling interval at which the CP scans the process data of the configured CPU symbols. The sampling interval is limited to a minimum value of 100 milliseconds to reserve adequate time for other processes that access the CPU via the backplane bus of the station.

Range of values: 100 .. 65535 ms

Default setting: 500 ms

●

Here you set the minimum publishing interval that the server application of the CP should support. Lower values set by an OPC UA client are not taken into account.

Range of values: 100 .. 65535 ms

Default setting: 500 ms

Here, you specify the symbols of the CPU that the server application may access.

●

If you select this option, all symbols are available to the server application.

●

If you enable this option, only the configured CPU symbols are available to the server application. If the option is enabled, the "Configure" button becomes operable.

●

With this button you open the dialog for specifying the OPC-specific properties of the symbols to be used by the OPC UA server.

Here you can configure the following among other things for the individual symbols (variables):

– Visibility

Symbols without visibility are excluded from OPC applicationa.

– Access rights (read/write)

With the consistency check of STEP 7, you can recognize whether or not you have reached the maximum permitted number of sysmbols.

CP 443-1 OPC UA

54 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 55

Configuration and operation

"Security configuration"

"Start of the OPC UA security settings"

4.7.9

Configuration in the SCT

Setting security functions

Opening SCT fro STEP 7

"Time-of-day synchronization"

"Log settings"

4.7 Configuration of the CP in STEP 7 V5

●

With the "Run" button, you open the SCT dialog for configuring the Security functions of the server application.

For details, see section Configuration in the SCT (Page 55).

In the tabs of the SCT described below configure the Security functions of the CP.

The signing and encryption of the data frames are set differently for the server and client function of the CP:

● For the OPC UA server

In the "OPC UA" tab

● For the OPC UA client

In the connection information (UDT "UASessionConnectInfo") for the client program block "UA_Connect"

You should also note the special features of certificate validation, see below.

You open the SCT tabs described below using buttons in the various tabs of the STEP 7 properties dialog of the CP.

You also reach the SCT tabs if you open the SCT from HW Config:

1. "Edit" menu > "Security Configuration Tool"

2. Select the required CP in the offline view under the folder "All modules".

3. Select "Properties..." in the shortcut menu (right mouse button).

Here, NTP servers already created in STEP 7 are displayed that can also be edited there.

You can also create and configure NTP servers of the type NTP (secure).

The "Log settings" tab is displayed only if you have enabled the SCT option "Advanced mode".

Here you configure the logging functions for the Security properties of the CP.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 56

Configuration and operation

"SNMP"

"OPC UA"

Security profile

Security procedure of the server

4.7 Configuration of the CP in STEP 7 V5

The settings made here are downloaded to the station with the configuration data and take effect when the station starts up.

For information on authentication with a logging server, refer to the section Handling certificates (Page 59).

You can select whether you release the protocol version SNMPv1 or SNMPv3 for the CP.

For SNMPv1 you can assign the community strings and enable write access to the CP using SNMPv1.

For SNMPv3 specify the authentication and the encryption algorithm.

The tab is only available for CPs on which the OPC UA server function was enabled.

Here you specify the Security profiles and access options for the UA server of the CP.

●

– No security profile

The CP uses no procedure.

– Basic128Rsa15

This corresponds to the Security profile "Basic128Rsa15" of the OPC UA specification.

The CP uses signing and, if configured, 128-bit encryption.

– Basic256

This corresponds to the Security profile "Basic256" of the OPC UA specification.

The CP uses signing and, if configured, 256-bit encryption.

– Basic256Sha256

This corresponds to the Security profile "Basic256Sha256" of the OPC UA specification.

The CP uses signing and, if configured, 256-bit encryption using the hash algorithm SHA-256.

If you enable several options, then depending on the settings on the communications partner (client), the CP selects the profile with the the highest possible security.

●

– Sign

The CP only allows communication with signed frames.

– Sign and encrypt

The CP only allows communication with signed and encrypted frames.

CP 443-1 OPC UA

56 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 57

Configuration and operation

Anonymous access

Note No connection with disabled options

When the Security functions are enabled and read nor write access is enabled, with an anonymous login, no connection is established. It is also not possible to browse the address space.

In this case, a connection can only be established with a user name and

"Certificate validation"

Checking the certificate

No strict certificate validation

4.7 Configuration of the CP in STEP 7 V5

– Best possible procedure

Depending on the settings on the communications partner (client), the CP selects the procedure with the the highest possible security. This may be:

- Sign or

- Sign and encrypt

●

– Allow read access

– Allow write access

In this tab you set the options for checking the certificates of the communications partner. You can set the options for the UA client and UA server function of the CP separately.

●

The CP always checks the certificate of the communications partner.

The CP allows read access to the data of its OPC UA server.

The CP allows write access to the data of its OPC UA server.

for the option "Anonymous access" neither

password.

If the partner certificate is invalid or is not trustworthy, communication is aborted.

●

If the option is enabled, the CP allows communication in the following situations:

– The IP address of the communications partner is not identical to the IP address in its

certificate.

Note: The OPC UA server does not check the IP address of the communications partner (client).

– The use stored in the certificate (OPC UA client/server) differs from the function (OPC

UA client/server) of the communications partner.

– The current time on the CP is outside the period of validity of the partner certificate.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 58

Configuration and operation

Do not check period of validity

Special features for the client application

"S7 communication"

Disable S7 communication

Disable online diagnostics via LAN

"User management"

4.7 Configuration of the CP in STEP 7 V5

Regardless of these exceptions, to establish a connection, at least the following requirements must be met:

– The application URI sent by the requesting client must match the URI of the server

application of the CP.

– If the partner certificate is not trustworthy, the CP must at least have stored a self-

signed certificate of the partner.

– If the partner certificate was issued by several CAs, all CAs must be saved in the

certificate store of the CP.

●

If the option is enabled, the CP checks the certificate of the communications partner. The CP also allows communication in the following situation:

– The current time on the CP is outside the period of validity of the partner certificate.

If none of the options is enabled, no certificates are checked.

Note the information in the section Handling certificates (Page 59) on the establishment of communication.

If you use the client function of the CP, note the following:

The value of the parameter "CheckServerCertificate" that you programmed in the connection information (UASessionConnectInfo) for the client program block "UA_Connect" is overwritten by the settings for the certificate check in the SCT. If the client is to check the certificates of the communications partner (server), you can ignore the parameter in the UDT "UASessionConnectInfo". For the certificate check only the settings in the SCT tab "Certificate validation" are relevant.

In this tab you make the settings for S7 communication via the CP and for protecting LAN access to the pages of the S7 special diagnostics.

●

If the option is enabled, S7 communication via the CP is blocked.

If the option is enabled, access via LAN to the diagnostics pages of the S7 special diagnostics is blocked.

Apart from access via the STEP 7 tabs "SNMP" and "Web", you can access user management in the open SCT with the menu command "Options" > "User management...".

In user management you assign individual users a role. The individual roles provide specific rights for various services.

You will find information on individual parameters in the online help of the SCT.

CP 443-1 OPC UA

58 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 59

Configuration and operation

4.7.10

Handling certificates

Certificate for authentication

Opening SCT

Importing certificates of communications partners into STEP 7 / SCT

Exporting certificates for communications partners from SCT

4.7 Configuration of the CP in STEP 7 V5

If you have configured secure OPC UA communication with authentication for the CP in the "Security" tab, own certificates and certificates of the communications partner will be required for communication to take place.

All nodes of a STEP 7 project with enabled security functions are supplied with certificates. The Security Configuration Tool (SCT) is the certification authority of the STEP 7 project.

For the server and client application of the CP a common certificate is created. It is displayed in the SCT as "OPC UA client / server certificate of the module <CP name>". You see the use of the certificate when you display the certificate in the SCT and select "Enhanced key usage" in the "Details" tab of the certificate dialog.

If the CP communicates with non-Siemens partners when the security functions are enabled, the relevant certificates must be exchanged. You do this with the SCT.

Open the SCT in one of the following alternative ways:

● From the Windows Start menu: Siemens Automation > SIMATIC > Security > Security

Configuration Tool

● From STEP 7 / HW Config "Edit > Security Configuration Tool".

Open the certificate manager in the SCT with the menu "Options > Certificate manager".

Import the certificates of the communications partners from third-party vendors using the certificate manager of the SCT. Follow the steps outlined below:

1. Save the certificate in the file system of the connected PG/PC.

2. Open the SCT as described above.

3. Open the certificate manager of the SCT with "options" >"Certificate mananger".

4. Import the certificate from the file system of the PC with "Import".

You export the certificate of an S7 module for communications partners from third-party vendors using the certificate manager of the SCT. Follow the steps outlined below:

1. Open the certificate manager of the SCT with "options" >"Certificate mananger".

2. Export the certificate into the file system of the PC with "Export".

3. Transfer the certificate to the system of the third-part vendor.

If you use a logging server in your system, export the SSL certificate for the authentication of the CP from the SCT.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 60

Configuration and operation

No certificate when the Security functions are disabled.

Client: Communications partner (server) without turning off the certificate blocking list

Change certificate: Alternative applicant name

4.8

Configuration of the CP in STEP 7 Professional

4.8.1

"Options " parameter group

Module access protection

Protection level

4.8 Configuration of the CP in STEP 7 Professional

If the Security functions of the CP are disabled in the STEP 7 project, no certificate will be generated for the CP.

If you use the CP as an OPC UA server, check whether the UA clients you are using necessarily demand a certificate. In this case, you need to enable the Security functions of the CP in STEP 7.

If you configure the CP as OPC UA client without security functions the CP does not receive a certificate. If the CP as client is to to communicate with a server, on which the certificate blocking list cannot be turned off, no connection will be established. In this case you need to generate a self-signed certificate in the SCT.

The Security Configuration Tool (SCT) applies the properties "DNS name", "IP address", and "URI" from the parameter "Alternative applicant name" in the STEP 7 configuration data.

You can modify this parameter for an OPC UA certificate in the SCT certificate manager. To do this, select the corresponding certificate and call the shortcut menu "Renew certificate".

Properties modified in SCT for the "Alternative applicant name" are not applied to the STEP 7 project.

If you delete all of the "Alternative applicant name" properties in SCT, SCT then applies the corresponding data from the STEP 7 project.

With this option, you can protect the CP from accidental or unauthorized access. The following options can be selected in the drop-down list:

● Not locked

● Status-dependent

In this setting read access for diagnostic purposes is possible.

CP 443-1 OPC UA

60 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 61

Configuration and operation

Protection levels of the CPU

Initialization of the CP / assigning an IP address using a different method

No PST with IP configuration using DHCP

Resetting / memory reset

4.8.2

"Ethernet interface“ parameter group

Advanced options

Use IEC V2.2 LLDP mode

Keepalive connection monitoring

4.8 Configuration of the CP in STEP 7 Professional

The following actions are only possible when either the CPU or the CP is in the STOP state:

– Changing the operating status of the CP (RUN → STOP)

– Resetting / memory reset

Note the additional restriction if a protection level of the CPU is enabled.

– Loading firmware using the Firmware Loader.

Further restrictions on access to the CP result from configuring a protection level for the CPU.

If you configure write or read protection for the CPU ("Protection" parameter group) , this has the following effects on the operation of the CP:

●

Using the Primary Setup Tool (PST) you can only assign an IP address to the CP once.

●

If you have configured the setting of the IP addresses of the CP from a DHCP server, you cannot assign an IP address to the CP with the Primary Setup Tool (PST).

●

It is not possible to reset or to reset the memory of the CP.

Remove the protection level of the CPU to take this action.

Configure the Ethernet interface as usual.

●

If the option is enabled, the device uses LLDP in the IEC version V2.2 (PROFINET V2.2). Although the device supports a higher version of the protocol, you can make this setting for reasons of compatibility with other parts of the plant.

●

With this option, you monitor the connection to the communications partner.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 62

Configuration and operation

Time synchronization

4.8.3

"OPC UA" parameter group

OPC UA

4.8.4

Parameter group "SNMP"

SNMP

SNMPv1

Access to the SNMP agent in the CP

Community string for authentication in SNMPv1

Read access

public

*) Note the use of lowercase letters!

4.8 Configuration of the CP in STEP 7 Professional

● Security disabled

If the security functions are disabled, configure time-of-day synchronization of the CP at this point. If the CP cannot be synchronized with NTP, the SIMATIC method is used automatically.

● Security enabled

If security functions are enabled, you will find the parameter group under "Security". In this case in addition to NTP and the SIMATIC method, the secure method NTP (secure) can be configured.

For information on the configuration, refer to the section Security > "Time-of-day synchronization" (Page 64).

In this parameter group you configure the OPC UA server or client function of the CP.

If security functions are enabled, you will find the parameter group under "Security".

For information on the configuration, refer to the section Security > "OPC UA" (Page 67).

The CP supports the following SNMP versions:

●

Available with security functions disabled.

Note that with this read and write access to the module is possible. In this case, other settings are not possible.

The configuration of the community strings is only possible if the security functions are enabled.

The CP uses the following community strings to authenticate access to its SNMP agent via SNMPv1:

Read and write access private

CP 443-1 OPC UA

62 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 63

Configuration and operation

SNMPv3

Configuration

"Enable SNMP"

"I/O addresses" parameter group

Start address

4.8.6

Security“ parameter group

Security functions

Time-of-day synchronization

Log settings

SNMP

Web server

OPC UA

4.8 Configuration of the CP in STEP 7 Professional

●

Available only when security functions are enabled

For information on the configuring SNMPv3, refer to the section Security > "SNMP" (Page 65).

●

If the option is enabled, communication via SNMPv1 is enabled on the CP.

If the option is disabled, queries from SNMP clients are not replied to by the CP either via SNMPv1 or via SNMPv3.

SNMP (Page 120)

Here when necessary you can change the automatically assigned diagnostics address of the CP.

After enabling the security functions, the following parameter groups are available. The configuration is described in the following sections or in the information system of STEP 7.

●

Here you configure the logging functions for the security properties of the CP.

The settings made here are downloaded to the station with the configuration data and take effect when the station starts up.

For information on authentication with a logging server, refer to the section Handling certificates (Page 73).

●

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 64

Configuration and operation

S7 communication

Certificate manager

4.8.7

Security > "Time-of-day synchronization"

Synchronization method

Note Recommendation for setting the time

If the infrastructure of your project allows, synchronization with a external clock at intervals of approximately 10 seconds is recommended. This achieves as small a deviation as possible between the internal time and the absolute time.

4.8 Configuration of the CP in STEP 7 Professional

●

Via the local certificate manager, you can import and export certificates for the CP.

You will find help on the certificate manager in the STEP 7 information system ate following location: "Editing devices and networks >Configuring devices and networks >Configure networks > Industrial Ethernet Security > Configuring security > General > Managing certificates"

if the security functions are enabled, the CP supports the following methods of time-of-day synchronization:

● SIMATIC mode

The SIMATIC mode cannot be configured.

If you leave the time-of-day synchronization via NTP disabled, the SIMATIC mode is enabled automatically on the CP. In this case, the CP can only adopt the time of day from the station.

Note that with the CP as OPC UA server when using the SIMATIC mode the time is not displayed as UTC but as the local time of the station.

● NTP

If the option is enabled and the Security functions disabled, the CP synchronizes its time of day via NTP.

When NTP is enabled, the CP as OPC UA server displays the time of day in the UTC format.

You configure the synchronization method, the local time zone of the station, the synchronization interval and the addresses of the NTP servers.

● NTP (secure)

If the Security functions are enabled, the time of day can be synchronized using NTP (secure),

The secure method NTP (secure) uses authentication with symmetrical keys according to the hash algorithms MD5 or SHA-1.

CP 443-1 OPC UA

64 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 65

Configuration and operation

NTP configuration

Setting the SYA bit when synchronizing via NTP

4.8.8

Security > "SNMP"

SNMP

"Enable SNMP"

"Use SNMPv1"

"Use SNMPv3"

4.8 Configuration of the CP in STEP 7 Professional

You will find help on the parameters in the STEP 7 information system.

● NTP server

You configure the NTP servers in the table of NTP servers.

If you use "NTP (secure)", the servers of the type NTP (secure) that you configured in the global security settings are also displayed here.

● Accept time from non-synchronized NTP servers

If the option is enabled, the CP also accepts the time-of-day from non-synchronized NTP servers with stratum 16.

If the option is disabled, the response is as follows: If the CP receives a time-of-day frame from an unsynchronized NTP server with stratum 16, the time of day is not set according to the frame. In this case, none of the NTP servers is displayed as "NTP master" in the diagnostics; but rather only as being "reachable".

The range of functions of the CP for SNMP can be found in the section SNMP (Page 120).

If the security functions are enabled, you have the following selection and setting options.

●

If the option is enabled, communication via SNMP is released on the device. As default, SNMPv1 is enabled.

If the option is disabled, queries from SNMP clients are not replied to either via SNMPv1 or via SNMPv3.

●

Enables the use of SNMPv1 for the CP. For information on the configuration of the required community strings see below (SNMPv1).

●

Enables the use of SNMPv3 for the CP. For information on the configuration of the required algorithms see below (SNMPv3).

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 66

Configuration and operation

SNMPv1

"Reading community string"

"Allow write access"

"Writing community string"

SNMPv3

"Authentication algorithm"

"Encryption algorithm"

User management

4.8.9

Security > "Web server"

"Web server"

Enable Web server on this module

4.8 Configuration of the CP in STEP 7 Professional

The community strings need to be sent along with queries to the CP via SNMPv1.

●

The string is required for read access.

Leave the preset string "public" or configure a string.

●

If the option is enabled write access to the CP is released and the corresponding community string can be edited.

●

The string is required for write access and can also be used for read access.

Leave the preset string "private" or configure a string.

Note the use of lowercase letters with the preset community strings!

The algorithms need to be configured for encrypted access to the CP via SNMPv3.

●

Select the authentication method to be used from the drop-down list.

●

Select the encryption method to be used from the drop-down list.

Note the information on security of the possible algorithms in the online help of the SCT.

In the user management that you will find in the global security settings, assign the various users their role.

Below the properties of the roles you can see the rights list of the particular role, for example the various types of access using SNMP. For new roles, you can freely configure individual rights.

You will find information on users, roles and the password policy in the information system of STEP 7.

The CP provides you with the functionality of a web server for access by means of a web browser. On these HTML pages you will find diagnostics information and service functions.

●

Enable this option in order to be granted access to these HTML pages. This enables port 443 (HTTPS) of the CP.

CP 443-1 OPC UA

66 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 67

Configuration and operation

"Settings for Web diagnostics"

Download firmware via web server

Download language file for diagnostic view via web server

"Automatic update"

Enable automatic updates

Update interval

4.8.10

Security > "OPC UA"

Application name

4.8 Configuration of the CP in STEP 7 Professional

You will find more information on Web diagnostics in the manual /2/ (Page 133).

●

By enabling the option, the function for downloading the firmware of the CP from the download center is enabled in the Web server.

●

Diagnostics displays of the CP are shown in plain language in the Web diagnostics buffer. These displays are language speecific.

Enable the option, to enable the function for reloading missing language files from the download center in the Web server.

●

If the option is enabled, the CP updates the displayed Web pages regularly.

●

If the option is enabled, enter the interval here at which the CP updates the displayed Web pages.

Range of values: 1..999 s

Here you configure the OPC UA server or client function of the CP.

Name of the OPC UA application of the CP. The application name is required to identify the OPC UA name space of the station and must be unique within the project for every CP.

The default application name for the CP is:

Siemens:SIMATIC-S7-CP443-1:OPC-UA

Change the application name so that the name is unique for every CP in the STEP 7 project.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 68

Configuration and operation

OPC UA server

General

Activate OPC UA server

Server URL

URI of the application

Load PLC tags of the CPU

All PLC tags

Only configured PLC tags

Server settings

Port

4.8 Configuration of the CP in STEP 7 Professional

●

Enable this option to enable the function of an OPC UA server on the CP.

The following parameters are displayed:

–

URL with the following parts: <Protocol part>://<IP address>:<Port number>

If obtaining the IP address via DHCP was enabled for the interface of the CP, the IP address displayed in the URL is replaced by <

–

Server URI of the CP with the following parts: <Protocol part>:<Application name of the server>:<Globally Unique Identifier (GUID)>

Here, you specify the PLC tags (symbols) of the CPU that the server application may access.

dynamic

●

If you select this option, all CPU tags are available to the server application.

●

If you enable this option, only the configured CPU tags are available to the server application.

You configure the PLC tags under the CPU: STEP 7 project navigation > Station > PLC tags

For the PLC tags enable the options "Accessible from HMI/OPC" and "Writable from HMI/OPC" to be able to use them for the OPC applications.

●

Here, you can change the port number of the application. As default port number 4840 is used, the standard TCP port for the OPC UA binary protocol.

Permitted port numbers are as follows:

– 2000 .. 4499

– 4501 .. 34963

– 34965 .. 49151

CP 443-1 OPC UA

68 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 69

Configuration and operation

Minimum sampling interval

Minimum publishing interval

Export

Security policy

Enable

Security profile

4.8 Configuration of the CP in STEP 7 Professional

●

Range of values: 100 .. 65535 ms

Default setting: 500 ms

●

Here you set the minimum publishing interval that the server application of the CP should support. Lower values set by an OPC UA client are not taken into account.

Range of values: 100 .. 65535 ms

Default setting: 500 ms

Here you can export the PLC tags configured for OPC UA as an XML file, for example to make them available to an OPC UA client.

●

Saves the PLC tags configured for OPC UA as an XML file in the file system of the ES.

Depending on the option enabled in "OPC UA server > Load PLC tags of the CPU" all or only the configured PLC tags are exported.

In the table you specify the Security profiles and access options for the UA server of the CP.

●

Select the required check box in the "Enable" column whose security policy the CP will use.

●

Here, select one or more options of the security procedure:

– No access

The CP does not use any security procedure.

– BasicXXX...

Required security procedure.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 70

Configuration and operation

Security profile

Security procedure

Anonymous access

Note No connection with the "No access" option

When the Securityfunctions are enabled and the option "No access" is enabled with an anonymous login, no connection is established. It is also not address space.

In this case, a connection can only be established with a user name and password.

4.8 Configuration of the CP in STEP 7 Professional

The security policy is a combination of one of the following security profiles and a security procedure.

●

– No security profile

– Basic128Rsa15

This corresponds to the Security profile "Basic128Rsa15" of the OPC UA specification.

The CP uses signing and, if configured, 128-bit encryption.

– Basic256

This corresponds to the Security profile "Basic256" of the OPC UA specification.

The CP uses signing and, if configured, 256-bit encryption.

– Basic256Sha256

This corresponds to the Security profile "Basic256Sha256" of the OPC UA specification.

The CP uses signing and, if configured, 256-bit encryption using the hash algorithm SHA-256.

If you enable several options, then depending on the settings on the communications partner (client), the CP selects the profile with the the highest possible security.

●

– Sign

The CP only allows communication with signed frames.

– Sign and encrypt

The CP only allows communication with signed and encrypted frames.

●

– No access

The CP allows no access to the data of its OPC UA server.

– Read-only

The CP allows read access to the data of its OPC UA server.

– Read and write

The CP allows write access to the data of its OPC UA server.

CP 443-1 OPC UA

70 Operating Instructions, 01/2017, C79000-G8976-C427-02

possible to browse the

Page 71

Configuration and operation

Certificate validation

Check certificates

No strict certificate validation

Do not check period of validity

OPC UA client

4.8 Configuration of the CP in STEP 7 Professional

Here you set the options for checking the certificates of the communications partners for the UA server function of the CP.

●

The CP always checks the certificate of the communications partner.

If the partner certificate is invalid or is not trustworthy, communication is aborted.

●

If the option is enabled, the CP allows communication in the following situations:

– The IP address of the communications partner is not identical to the IP address in its

certificate.

Note: The OPC UA server does not check the IP address of the communications partner (client).

– The use stored in the certificate (OPC UA client/server) differs from the function (OPC

UA client/server) of the communications partner.

– The current time on the CP is outside the period of validity of the partner certificate.

Regardless of these exceptions, to establish a connection, at least the following requirements must be met:

– The application URI sent by the requesting client must match the URI of the server

application of the CP.

– If the partner certificate is not trustworthy, the CP must at least have stored a self-

signed certificate of the partner.

– If the partner certificate was issued by several CAs, all CAs must be saved in the

certificate store of the CP.

●

If the option is enabled, the CP checks the certificate of the communications partner. The CP also allows communication in the following situation:

– The current time on the CP is outside the period of validity of the partner certificate.

If none of the options is enabled, no certificates are checked.

Note the information in the section Handling certificates (Page 73) on the establishment of communication.

●

Enable this option to enable the function of an OPC UA client on the CP.

You specify the remaining settings for the client function using the program blocks FB230 to FB236 of the library "SIMATIC_NET_CP" see section Programming the OPC UA client blocks (Page 79).

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 72

Configuration and operation

Certificate validation

Note Special features for the client application

If ignore the parameter in the UDT "UASessionConnectInfo". For the certificate check only the settings made here are relevant.

"Use symbols"

4.8.11

Security > "S7 communication"

S7 communication

Disable S7 communication

Note No loading if S7 communication is disabled

If S7 communication is disabled, you can no longer l

Disable diagnostics via LAN

4.8 Configuration of the CP in STEP 7 Professional

For information on the certificate validation, refer to the relevant table of the OPC UA server above.

the client is to check the certificates of the communications partner (server), you can

With the consistency check of STEP 7, you can recognize whether or not you have reached the maximum permitted number of symbols.

Here you make the settings for S7 communication via the CP and for protecting LAN access to the pages of the S7 special diagnostics.

●

If the option is enabled, S7 communication via the CP is blocked.

oad the station via the CP.

If the option is enabled, access via LAN to the diagnostics pages of the S7 special diagnostics is blocked.

CP 443-1 OPC UA

72 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 73

Configuration and operation

4.8.12

Security > "Certificate manager"

Assignment of certificates

4.8.13

Handling certificates

Certificate for authentication

Note No certificate with security functions disabled.

If the security functions of the CP ar generated for the CP.

4.8 Configuration of the CP in STEP 7 Professional

If you use OPC UA communication with authentication for the CP, you need to import certificates of the communications partner into the STEP 7 project and download them to the CP with the configuration data:

1. If applicable import the third-party certificates of all communications partners using the

certificate manager in the global security settings.

2. Then assign the certificates of all its communications partners to the CP using the table

below the local security settings of the CP.

In this table also include the certificates of communications partners whose certificates were generated in the same STEP 7 project.

For a description of the procedure, refer to the section Handling certificates (Page 73).

If you have configured secure OPC UA communication with authentication for the CP, own certificates and certificates of the communications partner will be required for communication to take place.

All nodes of a STEP 7 project with enabled security functions are supplied with certificates. The STEP 7 project is the certification authority.

e disabled in the STEP 7 project, no certificate will be

For the server and client application of the CP a common certificate is created. It is displayed as follows (alternatives) in STEP 7 in "Global security settings > Certificate manager > Device certificates".

● OPC UA client certificate of the module <CP name>

● OPC UA server certificate of the module <CP name>

● OPC UA client- / server certificate of the module <CP name>

The issuer, validity, use of the certificate (service/application) and the use of a key are shown in the tale. You can call up further information about the certificate by selecting the certificate in the table and selecting the shortcut menu "Show".

The "Device certificates" table also shows all other certificates generated by STEP 7 and all imported certificates.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 74

Configuration and operation

Import third-party certificates from communications partners

Assign certificates locally

Exporting certificates for applications of third-party vendors (e.g. logging server)

4.8 Configuration of the CP in STEP 7 Professional

If the CP communicates with non-Siemens partners when the security functions are enabled, the relevant certificates of the communications partners must be exchanged. To do this, follow the steps below:

1. Import third-party certificates from communications partners

⇒ Global security settings of the project (certificate manager)

2. Assign certificates locally

⇒ Local security settings of the CP ("Certificate manager" table)

These two steps are described in the next two sections.

Import the certificates of the communications partners of third-party vendors using the certificate manager in the global security settings. Follow the steps outlined below:

1. Save the third-party certificate in the file system of the PC of the connected ES.

2. In the STEP 7 project open the global certificate manager:

Global security settings > Certificate manager

3. Open the "Trusted certificates and root certification authorities" tab.

4. Click in a row of the table can select the shortcut menu "Import".

5. In the dialog that opens, import the certificate from the file system of the ES into the STEP 7 project.

To be able to use an imported certificate for the CP, you need to specify it in the "Security" parameter group of the CP. Follow the steps outlined below:

1. In the STEP 7 project select the CP.

2. Navigate to the parameter group "Security > Certificate manager".

3. In the table, double-click on the cell with the entry "<Add new>".

The "Certificate manager" table of the Global security settings is displayed.

4. In the table. select the required third-party certificate and to adopt it click the green check mark below the table.

The selected certificate is displayed in the local table of the CP.

Only now will the third-party certificate be used for the CP.

For communication with applications of third-party vendors, the third-party application generally also requires the certificate of the CP.

CP 443-1 OPC UA

74 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 75

Configuration and operation

Certificate for logging server

CP as UA server: The communications partner (client) requires a certificate

CP as UA client: Communications partner (server) without turning off the certificate blocking list

Change certificate: Subject Alternative Name

4.8 Configuration of the CP in STEP 7 Professional

You export the certificate of the CP for communications partners from third-party vendors in much the same way as when importing (see above). Follow the steps outlined below:

1. In the STEP 7 project open the global certificate manager:

Global security settings > Certificate manager

2. Open the "Device certificates" tab.

3. In the table select the row with the required certificate (here the OPC UA certificate) and

select the shortcut menu "Export".

4. Save the certificate in the file system of the PC of the connected ES.

Now you can transfer the exported certificate of the CP to the system of the third-party vendor.

If you use a logging server in your system, export the SSL certificate for the authentication of the CP on the server.

If you use the CP as an OPC UA server and leave the security functions disable, check whether the UA clients you are using demand a certificate. If the communications partner (client) demands a certificate, you will need to enable the security functions of the CP in STEP 7.

STEP 7 adopts the properties "DNS name", "IP address", and "URI" from the parameter "Subject Alternative Name" (Windows: "Alternative applicant name") from the STEP 7 configuration data.

You can change this parameter of an OPC UA certificate in the certificate manager of the global security settings. To do this, select the OPC UA certificate in the table of device certificates and call the shortcut menu "Renew". Properties of the parameter "Subject Alternative Namer" changed in STEP 7 are not adopted by the STEP 7 project.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 76

Configuration and operation

4.9

Properties of the OPC UA server

Identification characteristics of the server.

NodeID - Identifier

Subscriptions

4.9 Properties of the OPC UA server

Below you will find the most important identification characteristics of the OPC UA server of the CP.

● Namespace index

The CP as UA server makes the namespace index 3 available.

● Namespace

Example of the name space of the CPU symbols in the S7-400 with CP 443-1 OPC UA:

http://www.siemens.com/simatic-classic-s7-opcua

● Application name

The name of the server application preset by STEP 7 is:

Siemens:SIMATIC-S7-CP443-1:OPC-UA

The name must must e adapted for every CP in the STEP 7 project individually (unique).

● Server URL

The URL consists of the following parts:

● URI of the application

The server URL of the CP consists of the following parts:

Example: urn:Siemens:SIMATIC-S7-CP443-1:OPC-UA:<GUID>

● Port number of the application

Default port number: 4840

For configuring the parameters refer to the section "OPC UA" tab (Page 53).

The identifier of the NodeIDs is formed by the server application from the name of the CPU and the symbol name:

CPU name

>.<

Symbol name

For the number of subscriptions supported by the CP as OPC UA server, see section Configuration limits - communication (Page 16).

The data management of the subscriptions is stored in the RAM of the CP. This means that failures of the data network do not have any further consequences.

CP 443-1 OPC UA

76 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 77

Configuration and operation

Connection abort

Deadband

Speed of the data transfer

Note Speed of the data transfer

Where possible read and write tags in in data blocks block by block per DB to achieve a higher speed.

4.9 Properties of the OPC UA server

If there is power down, all data and connection information of subscriptions is lost. After restarting the server, the client needs to re-establish the connection and set up the subscriptions again.

If a connection between the CP as UA server and an OPC UA client aborts, the session is retained according to the OPC specification.

When monitoring items for the "DataChangeFilter" the OPC UA server of the CP uses the parameter type "AbsoluteDeadband".

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 78

Configuration and operation

4.9 Properties of the OPC UA server

CP 443-1 OPC UA

78 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 79

5.1

Program blocks for the OPC UA client

Overview of the program blocks for the OPC UA client function

FB230 UA_Connect

FB231 UA_NamespaceGetIndex

FB232 UA_NodeGetHandleList

FB233 UA_NodeReleaseHandleList

The program blocks (FBs) listed below are available in the following block library for the OPC UA client function of the CP.

● STEP 7 V5 : SIMATIC_NET_CP

Use the blocks on the CPU.

● STEP 7 Professional : Communication > OPC UA

Display of the block directories after opening the program editor (double-click on OB1 of the S7-400 CPU)

Some blocks require special user data types (UDTs) that you will find in the following below the relevant program block. The UDTs are available as pre-assembled data types in the block library “SIMATIC_NET_CP“. Copy the UDTs from the block library to the block folder of the CPU of the station that uses the CP as an OPC UA client.

●

Establishes a connection for a session with an OPC UA server.

– UDT751 UASessionConnectInfo

Contains connection information for the block parameter "SessionConnectInfo".

– UDT752 UAUserIdentityToken

Contains the data of the user authentication for the block parameter "UserIdentityToken".

For its function, UA_Connect also requires an SFC51.

●

Fetches the name space index of a name space URI.

●

Registers nodeIDs on the connected server and fetches the node handles in the form of a list.

– UDT753 UANodeID

Contains the parameters for identifying the target node for the block parameter "NodeID".

●

Releases the node handles of the used list on the server.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 80

Programming the OPC UA client blocks

FB234 UA_Disconnect

FB235 UA_ReadList

FB236 UA_WriteList

Additionally required system functions SFC

Creating the SFCs in STEP 7 V5

5.1 Program blocks for the OPC UA client

●

Terminates the connection of a current session with an OPC UA server.

●

Using the list of node handles, reads the data from nodes of the connected server.

– UDT754 UANodeAdditionalInfo

Specifies the item attribute and the index range for the block parameter "NodeAddInfos".

– UDT755 UAIndexRange

Specifies the start and end index for the block parameter "IndexRange”.

– UDT756 UATimeStamps

Contains the time stamps of the elements of the data area of the block parameter “Variables”.

– UDT757 UAAnyPointer

References the memory area of the CPU in which the process data for the block

parameter “Variables” will be stored.

●

Using the list of node handles, writes data to nodes of the connected server.

– UDT754 UANodeAdditionalInfo

Specifies the item attribute and the index range for the block parameter "NodeAddInfos".

– UDT755 UAIndexRange

Specifies the start and end index for the block parameter "IndexRange”.

– UDT757 UAAnyPointer

References the memory area of the CPU in which the process data for the block parameter “Variables” is stored.

For the full functionality of the program blocks for the OPC UA client the following system functions are required:

● BLKMOV / SFC20

● TIME_TCK / SFC64

For its function, UA_Connect also requires:

● LGC_GADR / SFC49

● RDSYSST / SFC51

In addition to the required program block copy the SFCs from the standard block library to the block container of the CPU and supply the parameters of the SFCs.

CP 443-1 OPC UA

80 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 81

Programming the OPC UA client blocks

Creating the SFCs in STEP 7 Professional

Calling the program blocks and their interaction

Note General notes on the program blocks and instance DBs

Each program block must be called cyclically until the status parameter “Done” or "Error"

changes to 1.

Within a session only a single block can be called at any one time. Different blocks can only be processed one after a

In the properties of the instance DBs of the FBs listed above, always enable the option "Non Retain" so that the data of the instance DBs is correctly initialized after STOP > START (SIMATIC Manager > select block > shortcut menu "Obje tab).

5.1 Program blocks for the OPC UA client

1. Create the system functions by opening an organization block in the block directory of the

CPU, for example OB1.

2. In the block catalog that is displayed by opening OB1, expand the corresponding block

group.

You will find the SFCs in the following block folders:

– BLKMOV (SFC20): "Simple instructions" group > "Move" folder

– TIME_TCK (SFC64): "Extended instructions" group > "Date and time" folder

– LGC_GADR (SFC 49): "Extended instructions" > "Addressing" folder

– RDSYSST (SFC 51): "Extended instructions" group > "Diagnostics" folder

3. Drag the SFCs to the network of the organization block and supply the parameters of the

SFCs.

nother in a session.

ct properties" > "General -Part 2"

With UA_Connect you establish a connection from the CP as OPC UA client to a UA server and open a session. The block must be called for every connection to a UA server. When necessary for more than one connection to a UA server, the block can be called more than once with different Instance DBs. You can use this, for example, to read via one connection and to write via another connection or to read or write different data via multiple connections.

For connections to more than one UA server, the UA_Connect block must be called several times with different input parameters. As a UA client, the CP can establish connections to up to five UA servers.

To query the name space index of a name space URI of the UA server, call a UA_NamespaceGetIndex within a session. To query multiple name space URIs you can call the block more than once with different input parameters.

UA_NodeGetHandleList. The block is called separately with suitable information at the “NodeIDs” input parameter for each target node.

Following this you can use the blocks UA_ReadList und UA_WriteList to read and write the data of the items. You can call these two blocks as often as necessary within a session.

To create a handle list as preparation for the read and write services call up

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 82

Programming the OPC UA client blocks

5.2

Time monitoring of the blocks

Parameters for the time response of the blocks

Timeout

SessionTimeout

5.2 Time monitoring of the blocks

Figure 5-1 Calling the client program blocks and their interaction

If the connection is no longer required, release the handles on the server again using the block UA_NodeReleaseHandleList. This deletes the handles on the server.

The connection is terminated with UA_Disconnect and the session is ended.

To control and monitor the time response of the program blocks, the the following three parameters are available:

● Timeout

Input parameter in all blocks for the OPC UA client

● SessionTimeout

Input parameter in the block UA_Connect

● MonitorConnection

Input parameter in the block UA_Connect

Since the parameters influence the running of the OPC UA communication as a whole, below notes on these parameters precede the block description.

With this input parameter you monitor every block call. If a block call cannot be completed within the configured maximum permissible time, the status parameter "Error" is set to 1 and processing aborted.

With this input parameter you monitor the duration of a session without data traffic without the block "UA_Disconnect" being called to terminate a connection.

CP 443-1 OPC UA

82 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 83

Programming the OPC UA client blocks

MonitorConnection

5.3

FB230 UA_Connect

5.3.1

Function and call interface - UA_Connect

Function of the block

5.3 FB230 UA_Connect

The minimum value of SessionTimeout" is 30 seconds. If the value is exceeded, the connection is terminated.

The parameter allows a server to to reduce bound resources if the client does not use the session for a longer period of time.

An adequate time, however, ensures that the session is not terminated immediately if, for example, data cannot be transferred immediately due to network disruptions.

The value of "SessionTimeout" should generally be higher than the values of "Timeout" for the "UA_Connect" blocks used.

With this input parameter the status of a connection without data traffic is checked. When this connection monitoring time elapses, a frame is sent to check the status of the connection to the server.

So that when there is no data traffic and the reaction of the connection monitoring time does not terminate the session immediately using the "SessionTimeout" parameter it is recommended that you select a value for "MonitorConnection" that is ´lower than half of "SessionTimeout".

With the block you establish a connection from the CP as OPC UA client to a UA server and open a session.

As the target address, you specify the URL of the UA server at the "ServerEndpointUrl”

parameter.

You store the connection information at the "SessionConnectInfo” parameter in a data block.

For its function, UA_Connect also requires SFC49 and SFC51. Copy the SFCs from the standard block library to the UA_Connect in the block container of the CPU and supply the parameters of the SFCs.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 84

Programming the OPC UA client blocks

Call interface

5.3.2

Parameter - UA_Connect

Block parameters

Parameter

Declaration

S7 data type

Range of values

Meaning

processing of the block.

ters

er). Only IPv4 addresses are permitted.

sionConnectInfo (Page 85).

is used.

rameter.

5.3 FB230 UA_Connect

Figure 5-2 Call interface in FBD representation

The following table explains the formal parameters of the program block.

Table 5- 1 Parameters of the block UA_Connect

Execute IN BOOL 0, 1 A rising edge 0 → 1 at the parameter starts

ServerEndpointUrl IN STRING Max. 254 charac-

SessionConnectInfo IN UDT See “Meaning” Connection information, see UDT751 UASes-

Timeout IN TIME 5000 .. 120000 Maximum time for establishing the connection

ConnectionHdl OUT DWORD 1 .. 5 Unique identifier of an established connection

Done OUT BOOL 0, 1 Status parameter for block processing

Busy OUT BOOL 0, 1 Status parameter for block processing

Address (URL) of the connection partner (serv-

in milliseconds. If the value is exceeded, processing of the block is aborted with error number B0007001.

If a value is entered outside the permitted range, the default value of 60000 (60 seconds)

It is required by other blocks as an input pa-

• 0: Block execution aborted, not yet complet- ed or not yet started

• 1: Block processing completed without er- rors

• 0: Block not being processed

• 1: Block currently executing

CP 443-1 OPC UA

84 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 85

Programming the OPC UA client blocks

Parameter

Declaration

S7 data type

Range of values

Meaning

block again.

5.3.3

UDT751 UASessionConnectInfo

UASessionConnectInfo

Parameter

S7 data type

Range of values

Meaning tionHdl">

Config by STEP 7.

The parameter is inserted by STEP 7.

5.3 FB230 UA_Connect

Error OUT BOOL 0, 1 Error code

• 0: No error

• 1: An error has occurred. See "" parameter

"ErrorID".

ErrorID OUT DWORD See “Meaning” Output of the error number when "Error" = 1.

For the significance of the numbers, refer to the section Error numbers (Page 107).

Note: If the error code B000F002 is output, the OPC UA session is not yet established. Call the

The following table shows the meaning of the connection information for the parameter "SessionConnectInfo" of the UA_Connect block.

Table 5- 2 Parameters of UA_ConnectUDT UASessionConnectInfo

SessionName STRING 0 .. 254 char-

acters

ApplicationName STRING 0 .. 254 char-

acters

SecurityMsgMode WORD 0 .. 3 Security process

SecurityPolicy WORD 0 .. 4 Securityprofile

CertificateStore STRING 0 .. 254 char-

acters

Name of the session If the string remains empty, the following is

entered by the system as the session name: <Connection>+<decimal value of "Connec-

The parameter is given the application name of the CP (OPC UA client) configured In HW

• 0 = Best possible procedure

• 1 = No security process

• 2 = Authenticate

• 3 = Authenticate and encrypt

• 0 = Best possible security profile

• 1 = No security profile

• 2 = Basic128Rsa15

• 3 = Basic256

• 4 = Basic256Sha256

Certificate store of the CP (OPC UA client)

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 86

Programming the OPC UA client blocks

Parameter

S7 data type

Range of values

Meaning The parameter is inserted by STEP 7.

The parameter must not be left empty.

Note

are enabled by the configuration of the CP.

this transport profile is supported.

UAUserIdentityToken (Page 87).

"Addresses" tab.

value 1200000 (20 minutes) is used.

5.3 FB230 UA_Connect

ClientCertificateName

ServerUri STRING 0 .. 254 char-

CheckServerCertificate

TransportProfile WORD 1 1 = UATP_UATcp

STRING 0 .. 254 char-

acters

BOOL 0, 1 Comparison (check) of the certificate sent by

Name of the client certificate

Server address (URI) that is also stored in the server certificate.

Example: urn:<ApplicationName>:GUID

the server with the server certificate stored in the certificate store of the client CP:

• 0 = No check

• 1 = Check

The settings of this parameter are overwritten by the security settings in the configuration. If you enable the check (1) but the security functions are disabled in the configuration of the CP, connection establishment is aborted with an error message. Recommendation: Leave the parameter at the default setting (0) since the security functions

According to the PLCopen specification, only

UserIdentityToken UDT See “Meaning” Data of the user authentication, see UDT752

VendorSpecificParameter

SessionTimeout TIME 30000 ..

WORD See “Meaning” Entry of the logical address of the CP 443-1

OPC UA. You will find this in STEP 7 properties dialog of the CP as an input address in the

Maximum time that a session remains estab-

86 400 000

lished when there is no data traffic (milliseconds).

If the value is exceeded, the session (connection) is aborted. In this case, you will need to re-establish the connection by calling UA_Connect.

If you program values outside the permitted range of values (30 seconds ... 1 day) the

CP 443-1 OPC UA

86 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 87

Programming the OPC UA client blocks

Parameter

S7 data type

Range of values

Meaning Default setting: 15000 (15 seconds)

0 = no or unknown LocaleID.

5.3.4

UDT752 UAUserIdentityToken

UAUserIdentityToken

Parameter

S7 data type

Range of values

Meaning server.

acters

5.4

FB231 UA_NamespaceGetIndex

5.4.1

Function and call interface - UA_NamespaceGetIndex

Function of the block

5.4 FB231 UA_NamespaceGetIndex

MonitorConnection TIME 5000 ..

LocaleIDs ARRAY[1..5]

The following table shows the meaning of the user authentication data that supplies the UserIdentityToken parameter of the UDT "UASessionConnectInfo".

Table 5- 3 Parameters of UDT UAUserIdentityToken

UserIdentity TokenType

Connection monitoring time (milliseconds)

86 400 000

Examples:

of String[6]

WORD 0, 1 0 = No authentication

en-US, de-DE, zh-CHS ...

Time without data traffic after which the client checks the connection to the server by sending a frame.

Optional language and regional identifier acc. to RFC 3066.

1 = Authentication When the communications partner (server)

demands authentication with a user name and password, set this parameter to 1 and the two following according to the requirements of the

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

TokenParam1 STRING 1 .. 254 char-

TokenParam2 STRING 1 .. 254 char-

User name

Password

With the block you fetch the name space index of the name space URI of the connected UA server.

Page 88

Programming the OPC UA client blocks

Call interface

5.4.2

Parameter - UA_NamespaceGetIndex

Block parameters

Parameter

Declaration

S7 data type

Range of values

Meaning

changed.

ConnectionHdl

DWORD

1 .. 5

Connection identifier supplied by UA_Connect

opcua

is used.

and specified by the OPC Foundation.

5.4 FB231 UA_NamespaceGetIndex

Figure 5-3 Call interface in FBD representation

The following table explains the formal parameters of the program block.

Table 5- 4 Parameters of the block UA_NamespaceGetIndex

Execute IN BOOL 0, 1 A rising edge 0 → 1 at the parameter starts

processing of the block. As long as Execute = 1, the other input parameters cannot be

NamespaceUri IN STRING Max. 254 charac-

ters

Timeout IN TIME 5000 .. 120000 Maximum time for establishing the connection

NamespaceIndex OUT WORD 0 .. 65535 Output of the name space index of the name

Specifies the address (name space URI) of the target server

Example of the name space of the CPU symbols in the S7-400 with CP 443-1 OPC UA: http://www.siemens.com/simatic-classic-s7-

in milliseconds. If the value is exceeded, processing of the block is aborted with error number B0007001.

If a value is entered outside the permitted range, the default value of 60000 (60 seconds)

space specified by the "NamespaceUri" parameter.

The namespace indexes 0 and 1 are reserved

CP 443-1 OPC UA

88 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 89

Programming the OPC UA client blocks

Parameter

Declaration

S7 data type

Range of values

Meaning

section Error numbers (Page 107).

5.5

FB232 UA_NodeGetHandleList

5.5.1

Function and call interface - UA_NodeGetHandleList

Function of the block

5.5 FB232 UA_NodeGetHandleList

Done OUT BOOL 0, 1 Status parameter for block processing

• 0: Block execution aborted, not yet complet-

ed or not yet started

• 1: Block processing completed without er-

rors

Busy OUT BOOL 0, 1 Status parameter for block processing

• 0: Block not being processed

• 1: Block currently executing

Error OUT BOOL 0, 1 Error code

• 0: No error

• 1: An error has occurred. See "" parameter

"ErrorID".

ErrorID OUT DWORD See “Meaning” Output of the error number when "Error" = 1.

For the significance of the numbers, refer to the

With the block, you register nodeIDs on the connected UA server.

The UA server returns the handles. These are output by the block with the "NodeHdls" parameter. You access the items of the node handles with the blocks "UA_ReadList" and "UA_WriteList" at their input parameter "NodeHdls".

The nodeIDs of the target server that you specify in the "NodeIDs" input parameter must be known to you. You store these in a UDT "UANodeIDs".

The number of target nodes at the input parameter "NodeIDCount" is always 1 so you need to call the block separately for each nodeID

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 90

Programming the OPC UA client blocks

Call interface

5.5.2

Parameter - UA_NodeGetHandleList

Block parameters

Parameter

Declaration

S7 data type

Range of values

Meaning

processing of the block.

ConnectionHdl

DWORD

1 .. 5

Connection identifier supplied by UA_Connect

deIDs". The number of must be 1.

refer to section UDT753 UANodeID (Page 92).

is used.

5.5 FB232 UA_NodeGetHandleList

Figure 5-4 Call interface in FBD representation

The following table explains the formal parameters of the program block.

Table 5- 5 Parameters of the block UA_NodeGetHandleList

Execute IN BOOL 0, 1 A rising edge 0 → 1 at the parameter starts

NodeIDCount IN WORD 1 Number of elements in the data area von "No-

NodeIDs IN ARRAY of

UDT

Timeout IN TIME 5000 .. 120000 Maximum time for establishing the connection

See “Meaning” Structure of the parameters of the target node

of the OPC server. The number of nodeIDs (1) must be identical to

the number at the output parameter "NodeHdls".

For information on the structure of the UDT,

in milliseconds. If the value is exceeded, processing of the block is aborted with error number B0007001.

If a value is entered outside the permitted range, the default value of 60000 (60 seconds)

CP 443-1 OPC UA

90 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 91

Programming the OPC UA client blocks

Parameter

Declaration

S7 data type

Range of values

Meaning

"UA_WriteList" blocks.

section Error numbers (Page 107).

5.5 FB232 UA_NodeGetHandleList

NodeHdls OUT ARRAY of

DWORD

Done OUT BOOL 0, 1 Status parameter for block processing

Busy OUT BOOL 0, 1 Status parameter for block processing

Error OUT BOOL 0, 1 Error code

ErrorID OUT DWORD See “Meaning” Output of the error number when "Error" = 1.

0 .. 4 294 967 295 Array of the handles that the OPC UA server

assigns as the reply to the client's query. The handles serve to uniquely identify the item on the server.

The handles remain valid until they are released by calling the UA_NodeReleaseHandleList block, in other words become invalid.

When a session is terminated, the CP cancels all registered node handles of this session.

The parameter is used for the input parameter "NodeHdls" of the "UA_ReadList" and

• 0: Block execution aborted, not yet complet-

ed or not yet started

• 1: Block processing completed without er-

rors

• 0: Block not being processed

• 1: Block currently executing

• 0: No error

• 1: An error has occurred. See "" parameter

"ErrorID".

For the significance of the numbers, refer to the

NodeErrorIDs OUT ARRAY of

DWORD

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

See “Meaning” Contains the error numbers for all elements of

the data area of "NodeIDs". For the significance of the numbers, refer to the

Page 92

Programming the OPC UA client blocks

5.5.3

UDT753 UANodeID

UANodeID

Parameter

S7 data type

Range of values

Meaning NamespaceIndex

WORD

0 .. 65535

Index of the name space of the server

5.6

FB233 UA_NodeReleaseHandleList

5.6.1

Function and call interface - UA_NodeReleaseHandleList

Function of the block

5.6 FB233 UA_NodeReleaseHandleList

The following table shows the meaning of the parameters of UANodeID to identify the target node on the OPC UA server. UANodeID supplies the parameter "NodeIDs" of the UA_NodeGetHandleList" block.

Table 5- 6 Parameters of UDT UANodeID

Identifier STRING Max. 254 Specifies the nodeID in the name space index. IdentifierType WORD 1 .. 2 Specifies the format and the area of application

(generally the server) of the node ID. Supported types:

• 1: UAIdentifierType_String String identifiers distinguish upper and lower case.

• 2: UAIdentifierType_Numeric Numeric identifier

With the block you release the node handles of the current session on the connected UA server. This deletes the list.

The input parameter "NodeHdls" references the data block to which the handles of the output parameter "NodeHdls" of the "UA_NodeGetHandleList" block are written.

The number of handles at the input parameter "NodeHdlCount" is always 1 so you need to call the block separately for each handle.

CP 443-1 OPC UA

92 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 93

Programming the OPC UA client blocks

Call interface

5.6.2

Parameter - UA_NodeReleaseHandleList

Block parameters

Parameter

Declaration

S7 data type

Range of values

Meaning / remarks

processing of the block.

ConnectionHdl

DWORD

1 .. 5

Connection identifier supplied by UA_Connect

"NodeHdls". The number of must be 1.

is used.

5.6 FB233 UA_NodeReleaseHandleList

Figure 5-5 Call interface in FBD representation

The following table explains the formal parameters of the program block.

Table 5- 7 Parameters of the block UA_NodeReleaseHandleList

Execute IN BOOL 0, 1 A rising edge 0 → 1 at the parameter starts

NodeHdlCount IN WORD 1 Number of elements in the data area von

NodeHdls IN ARRAY of

DWORD

Timeout IN TIME 5000 .. 120000 Maximum time for establishing the connection

Done OUT BOOL 0, 1 Status parameter for block processing

Busy OUT BOOL 0, 1 Status parameter for block processing

0 .. 4 294 967 295 Array of the IDs of the handles to be canceled.

If execution of the block is successful, the handles are canceled on the server and therefore become invalid.

in milliseconds. If the value is exceeded, processing of the block is aborted with error number B0007001.

If a value is entered outside the permitted range, the default value of 60000 (60 seconds)

• 0: Block execution aborted, not yet complet- ed or not yet started

• 1: Block processing completed without er- rors

• 0: Block not being processed

• 1: Block currently executing

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 94

Programming the OPC UA client blocks

Parameter

Declaration

S7 data type

Range of values

Meaning / remarks

DWORD

data area of "NodeHdls".

5.7

FB234 UA_Disconnect

5.7.1

Function and call interface - UA_Disconnect

Function of the block

Call interface

5.7 FB234 UA_Disconnect

Error OUT BOOL 0, 1 Error code

• 0: No error

• 1: An error has occurred. See "" parameter

"ErrorID".

ErrorID OUT DWORD See “Meaning” Output of the error number when "Error" = 1.

For the significance of the numbers, refer to the section Error numbers (Page 107).

NodeErrorIDs OUT ARRAY of

See “Meaning” Contains error codes for all elements of the

With the block you terminate an existing connection between the CP as OPC UA client and a UA server. This ends the existing session.

Figure 5-6 Call interface in FBD representation

CP 443-1 OPC UA

94 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 95

Programming the OPC UA client blocks

5.7.2

Parameter - UA_Disconnect

Block parameters

Parameter

Declaration

S7 data type

Range of values

Meaning

processing of the block.

ConnectionHdl

DWORD

1 .. 5

Connection identifier supplied by UA_Connect

is used.

section Error numbers (Page 107).

5.8

FB235 UA_ReadList

5.8.1

Function and call interface - UA_ReadList

Function of the block

5.8 FB235 UA_ReadList

The following table explains the formal parameters of the program block.

Table 5- 8 Parameters of the block UA_Disconnect

Execute IN BOOL 0, 1 A rising edge 0 → 1 at the parameter starts

Timeout IN TIME 5000 .. 120000 Maximum time for establishing the connection

in milliseconds. If the value is exceeded, processing of the block is aborted with error number B0007001.

If a value is entered outside the permitted range, the default value of 60000 (60 seconds)

Done OUT BOOL 0, 1 Status parameter for block processing

• 0: Block execution aborted, not yet complet- ed or not yet started

• 1: Block processing completed without er- rors

Busy OUT BOOL 0, 1 Status parameter for block processing

• 0: Block not being processed

• 1: Block currently executing

Error OUT BOOL 0, 1 Error code

• 0: No error

• 1: An error has occurred. See "" parameter

"ErrorID".

ErrorID OUT DWORD See “Meaning” Output of the error number when "Error" = 1.

For the significance of the numbers, refer to the

With the block you read data from the connected UA server.

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 96

Programming the OPC UA client blocks

Call interface

5.8.2

Parameter - UA_ReadList

Block parameters

Parameter

Declaration

S7 data type

Range of values

Meaning

processing of the block.

ConnectionHdl

DWORD

1 .. 5

Connection identifier supplied by UA_Connect

read. The number of must be 1.

of the "UA_NodeGetHandleList" block.

UANodeAdditionalInfo (Page 98).

5.8 FB235 UA_ReadList

You program the attributes to be read in a UDT "UANodeAdditionalInfo" that is referenced by the input parameter "NodeAddInfos".

The handles required at the input parameter "NodeHdls" are read from array of the output parameter "NodeHdls" of the "UA_NodeGetHandleList" block.

The number of nodeIDs at the input parameter "NodeIDCount" is always 1 so you need to call the block separately for each target node.

Figure 5-7 Call interface in FBD representation

The following table explains the formal parameters of the program block.

Table 5- 9 Parameters of the block UA_ReadList

Execute IN BOOL 0, 1 A rising edge 0 → 1 at the parameter starts

NodeHdlCount IN WORD 1 Number of elements in the target area to be

NodeHdls IN ARRAY of

DWORD

1 Array of the handles of the target nodes (items)

of the OPC UA server. The handles are read from array of the output parameter "NodeHdls"

NodeAddInfos IN ARRAY of

CP 443-1 OPC UA

96 Operating Instructions, 01/2017, C79000-G8976-C427-02

UDT

See “Meaning” Specifies the attribute of the items to be read

and the index range. For information on the structure of the UDT, see UDT754

Page 97

Programming the OPC UA client blocks

Parameter

Declaration

S7 data type

Range of values

Meaning

is used.

data, refer to the section Data types (Page 40).

section Error numbers (Page 107).

UATimeStamp (Page 101).

5.8 FB235 UA_ReadList

Timeout IN TIME 5000 .. 120000 Maximum time for establishing the connection

in milliseconds. If the value is exceeded, processing of the block is aborted with error number B0007001.

If a value is entered outside the permitted range, the default value of 60000 (60 seconds)

Variables IN_OUT ARRAY

[1..1] of UDT

Done OUT BOOL 0, 1 Status parameter for block processing

Busy OUT BOOL 0, 1 Status parameter for block processing

Error OUT BOOL 0, 1 Error code

ErrorID OUT DWORD See “Meaning” Output of the error number when "Error" = 1.

NodeErrorIDs OUT ARRAY of

DWORD

See “Meaning” Reference to the data to be read. For infor-

mation on the structure of the UDT, see UDT757 UAAnyPointer (Page 99).

For the supported data types of the process

• 0: Block execution aborted, not yet complet- ed or not yet started

• 1: Block processing completed without er- rors

• 0: Block not being processed

• 1: Block currently executing

• 0: No error

• 1: An error has occurred. See "ErrorID"

parameter.

For the significance of the numbers, refer to the

See “Meaning” Contains error numbers for all elements of the

data area of "Variables". For the significance of the numbers, refer to the

TimeStamps OUT ARRAY

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

[1..1] of UDT

See “Meaning” Contains time stamps for all elements of the

data area of "Variables". For information on the structure of the UDT, see UDT756

Page 98

Programming the OPC UA client blocks

5.8.3

UDT754 UANodeAdditionalInfo

UANodeAdditionalInfo

Parameter

S7 data type

Range of values

Meaning

supported.

UAIndexRange (Page 98).

5.8.4

UDT755 UAIndexRange

UAIndexRange

Parameter

Data type

Range of values

Meaning StartIndex

WORD

0 .. 65535

Index as of which reading will take place.

EndIndex

WORD

0 .. 65535

Index up to which reading will take place.

5.8 FB235 UA_ReadList

Specifies the attribute of the item and the index range for the block parameter "NodeAddInfos".

Table 5- 10 Parameters of UDT UANodeAdditionalInfo

AttributeID WORD 13 Attribute of the items Only attribute 13

(UAAI_Value) for the value of the item is

IndexRangeCount WORD 0 .. 1 Number of index ranges

The value is unimportant with elementary data types.

For items data type ARRAY the following applies:

• 0: A single index The entire array is read/written

• 1: A subsection of an array defined by "IndexRange".

IndexRange UDT See “Meaning” Area of the array for the parameter In-

dexRangeCount. For information on the structure of the UDT, see UDT755

Specifies the start and end index for the block parameter "IndexRange”.

Table 5- 11 Parameters of UDT UAIndexRange

CP 443-1 OPC UA

98 Operating Instructions, 01/2017, C79000-G8976-C427-02

Page 99

Programming the OPC UA client blocks

Rules:

Example of assigning "StartIndex" and EndIndex" with arrays.

5.8.5

UDT757 UAAnyPointer

UAAnyPointer

Parameter

S7 data type

Range of values

Meaning

SyntaxID

WORD

The value for the syntax ID is always 10.

online help.

zero in "memArea".

5.8 FB235 UA_ReadList

If IndexRangeCount = 1 is used, the following rules apply to programming the index range:

● StartinIndex and EndIndex must be assigned.

● For access to more than one element the StartIndex must be lower than the EndIndex.

If this is not the case, this causes an error with the number 80360000.

● If you want to read a single element of an array, enter the same value for the StartIndex and EndIndex.

● To be able to access all elements of the array, the StartIndex and EndIndex must be assigned based on the total number of elements of the array.

If values are specified outside the size of the array, this causes an error with the number

80370000.

From an array with a size of 10 elements (no. 1 .. 10) the elements 3 to 5 need to be read. The two indexes are programmed as follows:

● StartIndex = 2 (element no. 3)

● EndIndex = 4 (element no. 5)

The UDT "UAAnyPointer" is referenced by the "Variables" parameter of the program block.

The UDT references the memory area of the process data in the CPU. To do this process data in the operand areas "inputs" or "outputs" must be copied to a data block.

Store the UDT in a data block.

Table 5- 12 Parameters of UDT UAAnyPointer

DataType WORD See “Meaning” Data type of the target node For the range

of values see below, table "Coding of the data type".

RepetitionFactor WORD 0 .. 65535 Repetition factor

For further information, refer to the STEP 7

DB_Number WORD 0 .. 65535 Number of the data block (DB)

CP 443-1 OPC UA Operating Instructions, 01/2017, C79000-G8976-C427-02

Enter either the number of a DB or a memory area. If you specify a DB, enter a

Page 100

Programming the OPC UA client blocks

Parameter

S7 data type

Range of values

Meaning

area".

"Meaning"

BitOffset

WORD

0 .. 7

Bit offset in the specified memory area

Data type

Hexadecimal code

S7 data type

Description

b#16#01

BOOL

Bit

b#16#02

BYTE

Byte (8 bits)

b#16#03

CHAR

Character (8 bits)

b#16#04

WORD

Word (16 bits)

b#16#05

INT

Integer (16 bits)

b#16#06

DWORD

Word (32 bits)

b#16#07

DINT

Integer (32 bits)

b#16#08

REAL

Floating-point number (32 bits)

b#16#09

DATE

Date

b#16#0B

TIME

Time

b#16#0C

S5TIME

Data type S5TIME

(DT)

b#16#02 *

STRING

Character string

Memory area

5.8 FB235 UA_ReadList

MemArea WORD See “Meaning” Memory area

Enter either the number of a DB or a memory area. If you specify a memory area, enter a zero in "DB_Number".

For the range of values of the memory area see below, table "Coding of the memory

ByteOffset WORD Depends on the

memory area, see

Byte offset in the specified memory area, as of which the data is accessed.

The following table explains the coding of the data type in the "DataType" parameter of the UDT UAAnyPointer.

Table 5- 13 Coding of the data type

b#16#0A TIME_OF_DAY (TOD) Time of day

b#16#0E DATE_AND_TIME

The string uses the lower-level data type BYTE. Refer to the special features in the section

Data types (Page 40).

The following table explains the coding of the memory area in the "MemArea" parameter of the UDT UAAnyPointer.

CP 443-1 OPC UA

100 Operating Instructions, 01/2017, C79000-G8976-C427-02

Date and time (64 bits)

Siemens SIMATIC S7-400, CP 443-1 OPC UA Operating Instructions Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Legal information

Preface

Table of contents

Application

Communication services

1.3 Security functions

Operating the CP in an H system

1.4 Other services and properties

Configuration limits - hardware

1.6 Performance data

Configuration limits - communication

CPUs

1.7 Requirements for use

Configuration

Programming

Web browser for access using HTTPS

1.8 Configuration examples

LEDs

Ethernet interface X1P1

2.2 Power supply

Important notes on using the device

Safety requirements for installation

Notes on use in hazardous areas

Notes on use in hazardous areas according to ATEX / IECEx

Notes on use in hazardous areas according to UL HazLoc

Notices on use in hazardous areas according to FM

3.2 Installing and connecting up the CP

3.3 Commissioning the CP

Controlling the mode

Security recommendations

Access to process data of the CPU

4.3 Overview of the configuration

4.5 Data types

Network settings

4.6 Interface configuration

Restart after detection of a duplicate IP address in the network

"Addresses" tab

"SNMP" Tab

4.7 Configuration of the CP in STEP 7 V5

"Security" Tab

"Diagnostics" Tab

"Web" Tab

"Time-of-day synchronization" tab

"Options" tab: Effects of protection levels

"OPC UA" tab

Configuration in the SCT

Handling certificates

"Options " parameter group

4.8 Configuration of the CP in STEP 7 Professional

"Ethernet interface“ parameter group

"OPC UA" parameter group

Parameter group "SNMP"

"I/O addresses" parameter group

Security“ parameter group

Security > "Time-of-day synchronization"

Security > "SNMP"

Security > "Web server"

Security > "OPC UA"

Security > "S7 communication"

Security > "Certificate manager"

Handling certificates

4.9 Properties of the OPC UA server

Program blocks for the OPC UA client

5.2 Time monitoring of the blocks

Function and call interface - UA_Connect

5.3 FB230 UA_Connect

Parameter - UA_Connect

UDT751 UASessionConnectInfo

UDT752 UAUserIdentityToken

Function and call interface - UA_NamespaceGetIndex

5.4 FB231 UA_NamespaceGetIndex

Parameter - UA_NamespaceGetIndex

Function and call interface - UA_NodeGetHandleList

5.5 FB232 UA_NodeGetHandleList

Parameter - UA_NodeGetHandleList

UDT753 UANodeID