Introduction

This topic describes tips you can use to better operate the BMENUA0100 module.

Impact of Using UaExpert as the OPC UA Client

If you are using UaExpert as the OPC UA client to read data values, note that UaExpert increments the CurrentSubscriptionCount by a value of 1 for each instance of UAExpert.

NOTE: The CurrentSubscriptionCount item is related to the server itself, and is not to be mistaken for the session-related item CurrentSubscriptionsCount.

Data Dictionary Acquisition Time and MAST Period

The time required to load the collection of variables in the data dictionary depends on the number of data dictionary items and the configured MAST period. For an application that requires the OPC UA server in the BMENUA0100 module to monitor a number approaching the maximum of 100000 items – in this case 990000 items – the following results were observed and may be instructive.

For a standard (non-safety) application:

MAST Period    Observed Data Dictionary Acquisition Time
20 ms          23 s
100 ms         46 s
200 ms         74 s

For a safety application:

MAST Period    Observed Data Dictionary Acquisition Time
25 ms          15 s
200 ms         72 s

Configuring Subscriptions with More Than 30,000 Monitored Items

If you intend to create one or more subscriptions that collectively include more than 30,000 monitored items, configure each subscription in the respective OPC UA client with a Life Time Count value of 300 seconds, which is the Maximum Subscription Lifetime value the OPC UA server in the BMENUA0100 module can support.

Using GPOs / LGPOs

Schneider Electric recommends that you manage certificates on a host PC by means of one of the following tools available from the Windows™ operating system:

  • Group Policy Objects (GPOs) to perform centralized management of user settings in a centralized Active Directory environment, or

  • Local Group Policy Objects (LGPOs) for distributed management of user settings for individual PCs.

In either case, using GPOs or LGPOs can help prevent unauthorized access to your PC and its applications, for example, by a hacker who seeks to inject their own certificate onto your PC so that it is included in the BMENUA0100 authorized user whitelist. Use of GPOs and LGPOs disables access to the Windows Microsoft Management Console (MMC) and supports implementation of only the whitelist configured by the software, thereby helping to prevent a hacker masquerading as a valid OPC UA client from adding a self-signed certificate to the OPC UA server.

Applying MMC Group Policy Management

Schneider Electric recommends that you manage certificates using the tools provided by Microsoft Windows™ to help prevent an intruder from adding unauthorized certificates to the PC, or modifying self-signed certificates of an OPC UA client. If left unmanaged, an intruder could add unauthorized certificates to the BMENUA0100 whitelist managed by the security administrator.

These tools include group policy management policies applied by the Group Policy Object (GPO), a plug-in of the Microsoft Management Console (MMC). Design your policies so that they disable access to the Windows MMC, and allow access only to entries in the Whitelist configuration that are properly added by the software.

OPC UA Client Lock-Out

When connecting an OPC UA client that has an assigned user name to the OPC UA server embedded in the BMENUA0100 module, the user account policy settings of the BMENUA0100 are applied. For example, if the number of Maximum login attempts is reached or exceeded, the OPC UA client cannot log in (BadInternalError) for the time set as the Account locking duration.

Activating Network Services Using Only an IPv6 Connection

The BMENUA0100 module supports the use of only IPv6 for IP addressing and communication. With only IPv6 activated, the CPU to CPU Data Flows and Control Expert Data Flows to Device Network network services are not available. These services are supported only by IPv4.

However, it is still possible to enable these features in the Settings > Network Services web page. If these services are enabled when only IPv6 is activated, these services (CPU to CPU and CE to Device Network) appear as ON in the Home page, but in fact they are not activated.

Only the Control Expert Data Flows to CPU only data flow filtering feature is supported by IPv6 communication. In this case, with only IPv6 communication activated, the Home page will correctly show CE to CPU only as being ON.

BOOLs Seen as BYTEs in CPU Data Structures

In the BMENUA0100 OPC UA server, each element of the ePAC DDT is assigned to a byte in the CPU, even if it is defined as a BOOL or an EBOOL in the BMENUA0100. Using the OPC UA protocol, a client can therefore read or write a BOOL or EBOOL member of a BMENUA0100 instance in the CPU DDT with any byte value, including values other than 0 or 1 (for example, 255). It is recommended to design your application to write and read BOOL or EBOOL values of only 0 or 1, as only these values are valid in the BMENUA0100.
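The following is an added client-side guard for the byte-backed BOOL/EBOOL members described above; it is example code, not Schneider Electric's, and the member names and byte image it scans are constructed for illustration. It rejects out-of-range writes before they are issued and flags non-canonical bytes on read instead of silently treating them as true.

```python
# Added example (not Schneider Electric code): client-side guard for BOOL/EBOOL
# members that the BMENUA0100 exposes as whole bytes in the CPU DDT.
# Member names and the sample byte image below are constructed for illustration.

VALID_BOOL_BYTES = {0, 1}


def encode_bool_for_write(value):
    """Convert a client-side boolean to the only byte values valid in the module.

    Anything other than True/False (or the integers 0/1) is rejected before the
    OPC UA write is issued, so a value such as 255 never reaches the CPU.
    """
    if isinstance(value, bool):
        return int(value)
    if isinstance(value, int) and value in VALID_BOOL_BYTES:
        return value
    raise ValueError(f"BOOL/EBOOL write must be 0 or 1, got {value!r}")


def decode_bool_from_byte(raw):
    """Interpret a byte read back from a BOOL/EBOOL member.

    Returns (value, valid). A non-canonical byte (e.g. 255 written by another
    client) is reported as invalid instead of being silently treated as true.
    """
    if not 0 <= raw <= 255:
        raise ValueError(f"byte out of range: {raw}")
    return bool(raw), raw in VALID_BOOL_BYTES


# Constructed DDT image: member name -> (declared type, raw byte read via OPC UA)
SAMPLE_DDT_IMAGE = {
    "Pump1_Run":   ("BOOL",  1),
    "Pump1_Fault": ("EBOOL", 0),
    "Valve2_Open": ("BOOL",  255),  # invalid: written by a client that ignored the rule
    "Cycle_Count": ("BYTE",  200),  # not a boolean member, left alone
}


def find_invalid_bool_members(ddt_image):
    """Return the names of BOOL/EBOOL members whose byte is neither 0 nor 1."""
    return sorted(
        name for name, (typ, raw) in ddt_image.items()
        if typ in ("BOOL", "EBOOL") and not decode_bool_from_byte(raw)[1]
    )


if __name__ == "__main__":
    print("invalid members:", find_invalid_bool_members(SAMPLE_DDT_IMAGE))
```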