Secure, Cross-Vendor Industrial Interoperability

Ignition OPC UA Setup: Industrial Communication Standard

Complete Ignition OPC UA setup guide for industrial communication. Configure the built-in OPC UA server and client, establish secure connections to PLCs and DCS systems, and enable cross-vendor data exchange with certificate-based security.

Overview

OPC UA (Unified Architecture) is the modern, platform-independent standard for secure industrial data exchange. Ignition OPC UA setup is straightforward thanks to the built-in OPC UA server and client that ship with every Ignition installation, enabling seamless communication with PLCs, DCS systems, and third-party OPC UA servers like Kepware or Unified Automation.

Whether you need to connect Siemens S7-1500 PLCs with native OPC UA, aggregate data from multiple Kepware servers, or expose Ignition tag data to MES platforms, the Ignition OPC UA setup covers every scenario. The built-in certificate management ensures encrypted, authenticated connections across your entire industrial network.

Key Benefits

  • Built-in OPC UA server and client in every Ignition installation
  • Certificate-based security with automatic trust management
  • Cross-vendor PLC connectivity without additional middleware
  • Historical Data Access (HDA) for time-series retrieval
  • Seamless tag browsing and automatic data type mapping

OPC UA Communication Architecture

Ignition acts as both an OPC UA client and server, enabling it to consume data from third-party OPC UA servers like Kepware while simultaneously exposing its own tag namespace to external systems.

┌───────────────┐     ┌────────────────┐     ┌──────────────┐
│  Siemens PLC  │────▶│   OPC UA       │     │   Ignition   │
│  (OPC UA)     │     │   Server       │────▶│   OPC UA     │
└───────────────┘     │  (Kepware)     │     │   Client     │
┌───────────────┐     └────────────────┘     └──────┬───────┘
│  AB PLC       │────▶       │                      │
│  (EtherNet/IP)│            │               ┌──────┴───────┐
└───────────────┘     ┌──────┴───────┐       │   Ignition   │
                      │   Ignition   │       │   Tag        │
                      │   OPC UA     │◀──────│   Provider   │
                      │   Server     │       └──────────────┘
                      └──────────────┘

Configuration Steps

Step 1: Enable and Configure the OPC UA Server

The first step in your Ignition OPC UA setup is enabling the built-in OPC UA server. Navigate to the Ignition Gateway configuration page, then to OPC UA > Server Settings. Configure the endpoint URL, bind address, and security policies. The server starts automatically and exposes all Ignition tags through the OPC UA address space.

# Ignition Gateway > Config > OPC UA > Server Settings
# ─────────────────────────────────────────────────────
# Endpoint URL:     opc.tcp://ignition-server:62541
# Bind Address:     0.0.0.0  (all interfaces; restrict to the control-network interface where possible)
# Security Policies:
#   - Basic256Sha256 (recommended)
#   - Aes128_Sha256_RsaOaep
#   - None (development only)
# Message Security:
#   - Sign
#   - SignAndEncrypt (recommended for production)

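# Verify the OPC UA server is reachable via scripting. getServerState() reports
# the state of the gateway's OPC connection named "Ignition OPC UA Server":
server_state = system.opc.getServerState("Ignition OPC UA Server")
print("OPC UA Server State: %s" % server_state)
# Expected output: CONNECTED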

Step 2: Add OPC UA Client Connections

Connect Ignition to external OPC UA servers such as Kepware, Siemens PLCs with built-in OPC UA, or other third-party servers. In the Gateway configuration, navigate to OPC Connections > Servers and add a new OPC UA connection. Specify the discovery URL, security mode, and authentication credentials.

# Ignition Gateway > Config > OPC Connections > Servers
# ─────────────────────────────────────────────────────
# Connection Name:    Kepware_Production
# Discovery URL:      opc.tcp://kepware-server:49320
# Security Policy:    Basic256Sha256
# Message Security:   SignAndEncrypt
# Authentication:     Certificate (or Username/Password)

# For Siemens S7-1500 native OPC UA:
# Discovery URL:      opc.tcp://192.168.1.10:4840
# Security Policy:    Basic256Sha256
# Username:           OpcUaClient
# Password:           ********

# Verify connection status via scripting:
servers = system.opc.getServers()
for server in servers:
    state = system.opc.getServerState(server)
    print("Server: %s | State: %s" % (server, state))

Step 3: Configure Certificate Security

OPC UA security relies on X.509 certificates for authentication and encryption. During your Ignition OPC UA setup, manage certificates through the Gateway configuration under OPC UA > Security. Trust incoming client certificates, export the Ignition server certificate for import into third-party systems, and configure certificate validation policies for production environments.

# Ignition Gateway > Config > OPC UA > Security
# ─────────────────────────────────────────────────────
# Certificate Management:
#   - Server Certificate:   Auto-generated on first start
#   - Trusted Clients:      Quarantined until approved
#   - Rejected Certificates: Moved to rejected folder

# Certificate file locations (Linux):
# /usr/local/bin/ignition/data/opcua/server/security/
#   ├── pki/
#   │   ├── trusted/certs/        # Trusted client certificates
#   │   ├── rejected/certs/       # Rejected certificates
#   │   └── issuers/certs/        # CA certificates
#   └── server.pfx                # Server certificate keystore

# Export server certificate for Kepware trust:
# Gateway > OPC UA > Security > Export Server Certificate

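# Check that the secured connection comes up once certificates are trusted on both sides
# (this reports connection state only, not the negotiated security policy):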
import system.opc
connection = "Kepware_Production"
state = system.opc.getServerState(connection)
print("Connection: %s | State: %s" % (connection, state))
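
Before approving a quarantined certificate (Step 3, and the Kepware trust procedure in the FAQ), compare its thumbprint with one obtained out-of-band from the peer's administrator. The following is an added example, not Ignition or Kepware code: a standalone Python 3 script (run on the host, outside Ignition's Jython scripting) whose function names, file names and certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprint(raw):
    """SHA-256 thumbprint (lowercase hex) of a PEM or DER certificate file."""
    m = PEM_RE.search(raw)
    der = base64.b64decode(m.group(1)) if m else raw
    return hashlib.sha256(der).hexdigest()

def normalize(fp):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as typed by an operator."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def review_quarantine(cert_dir, expected):
    """Map each certificate file in cert_dir to 'match' or 'MISMATCH'."""
    # expected: {file name: fingerprint obtained out-of-band from the peer}.
    # A file with no expected entry never matches.
    verdicts = {}
    for path in sorted(Path(cert_dir).iterdir()):
        if path.is_file():
            want = normalize(expected.get(path.name, ""))
            got = fingerprint(path.read_bytes())
            verdicts[path.name] = "match" if want == got else "MISMATCH"
    return verdicts

def demo():
    """Run the check on constructed stand-in bytes (not real certificates)."""
    der = b"\x30\x82\x01\x0a" + b"constructed stand-in for a DER certificate"
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    good = hashlib.sha256(der).hexdigest().upper()
    colons = ":".join(good[i:i + 2] for i in range(0, 64, 2))
    with tempfile.TemporaryDirectory() as d:
        Path(d, "kepware.der").write_bytes(der)
        Path(d, "kepware.pem").write_bytes(pem)
        Path(d, "mes-client.der").write_bytes(b"constructed, different bytes")
        return review_quarantine(d, {"kepware.der": colons,
                                     "kepware.pem": good,
                                     "mes-client.der": good})

if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-16s %s" % (name, verdict))
```

Point `review_quarantine` at the `pki/rejected/certs` directory shown above and approve a certificate in the Gateway only when its verdict is `match`.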

Step 4: Browse and Map OPC UA Tags

With the OPC UA connections established, browse the remote server address space to discover available nodes. In the Ignition Designer, use the OPC Browser panel to navigate the tag tree, then drag and drop nodes to create Ignition tags. Configure scan classes for optimal polling rates and enable tag history for time-series data collection.

# In Ignition Designer > OPC Browser Panel
# ─────────────────────────────────────────────────────
# 1. Select the OPC server connection (e.g., Kepware_Production)
# 2. Browse the address space tree:
#    └── Objects
#        └── Channel1
#            └── Device1
#                ├── Tag_Temperature    (Float)
#                ├── Tag_Pressure       (Double)
#                └── Tag_Status         (Boolean)
# 3. Drag tags to the Tag Browser to create OPC tags

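# Programmatic tag browsing (system.opc.browse walks the server recursively,
# so it can be slow on large address spaces):
server = "Kepware_Production"
results = system.opc.browse(opcServer=server)
for node in results:
    print("Node: %s | Type: %s" % (node.getDisplayName(), node.getType()))

# Read OPC UA values directly (item paths must match what the server exposes;
# copy them from the OPC Browser if these do not resolve):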
values = system.opc.readValues(server, [
    "[Kepware_Production]Channel1.Device1.Tag_Temperature",
    "[Kepware_Production]Channel1.Device1.Tag_Pressure"
])
for val in values:
    print("Value: %s | Quality: %s" % (val.getValue(), val.getQuality()))

# Configure scan class for optimized polling:
# Tag Editor > OPC Scan Class: Default (1000ms)
# For fast-changing values: 100ms or 250ms
# For slow-changing values: 5000ms or 10000ms

Key Features

Built-in OPC UA Server

Every Ignition installation includes a fully compliant OPC UA server that automatically exposes all gateway tags, enabling third-party systems such as MES platforms, historians, and other SCADA clients to read and write Ignition data without additional licensing.

Certificate-Based Security

The Ignition OPC UA setup supports X.509 certificate authentication with the Basic256Sha256 security policy, signed and encrypted message modes, and automatic certificate quarantine for untrusted clients. This provides production-grade security without an external PKI.

Historical Data Access (HDA)

Retrieve time-series historical data from OPC UA servers that support the Historical Access profile. Combine OPC HDA with Ignition Tag Historian to build a comprehensive historical data repository spanning multiple data sources and time ranges.

Cross-Vendor Compatibility

Connect to any OPC UA compliant device or server regardless of manufacturer. From Siemens S7-1500 with native OPC UA to Allen-Bradley through Kepware, Beckhoff TwinCAT, and Schneider Electric controllers, the Ignition OPC UA client handles vendor-specific implementations transparently.

Use Cases

Manufacturing

Multi-Vendor PLC Integration

A manufacturing plant running Siemens, Allen-Bradley, and Schneider PLCs uses Ignition OPC UA setup to unify all PLC data into a single tag namespace. Kepware serves as the OPC UA aggregation server for legacy PLCs, while newer Siemens S7-1500s connect directly via their native OPC UA server, eliminating protocol silos and reducing integration complexity.

Pharmaceutical

MES Data Exchange

A pharmaceutical company exposes production batch data from Ignition via its built-in OPC UA server to a third-party MES platform. The MES reads recipe parameters, production counts, and quality metrics in real time, while writing work order instructions and setpoints back to Ignition for operator display and PLC dispatch.

Water & Utilities

Brownfield System Modernization

An aging water treatment facility migrates from a legacy OPC DA/COM-based SCADA to Ignition while maintaining connectivity to existing Kepware and Matrikon OPC servers. The Ignition OPC UA setup leverages OPC UA wrappers around legacy DA servers, enabling a phased migration without production downtime or complete PLC reprogramming.

Technologies

OPC UA Server

Ignition's built-in OPC UA server exposes the entire tag namespace and supports DA (Data Access), HDA (Historical Data Access), and AC (Alarms & Conditions) profiles for comprehensive data sharing.

OPC UA Client

The Ignition OPC UA client connects to any compliant OPC UA server, supporting automatic endpoint discovery, session management, subscription-based data change notifications, and reconnection with data buffering.

Kepware

PTC Kepware KEPServerEX acts as an OPC UA aggregation server for legacy protocols such as Modbus, Allen-Bradley DF1, and Siemens S5. Ignition connects to Kepware via OPC UA for unified access to hundreds of device drivers.

Siemens OPC UA

Siemens S7-1500 and S7-1200 PLCs include a native OPC UA server, enabling direct connection from Ignition without intermediate gateway software. Configure the PLC OPC UA server in TIA Portal and connect Ignition as a client.

Unified Automation

Unified Automation provides OPC UA SDKs and servers used across the industry. Their UaExpert client is an essential diagnostic tool for testing and validating OPC UA server configurations before connecting Ignition.

Frequently Asked Questions

Find answers to common questions about this integration.

No. The OPC UA server and client are built into the Ignition platform and included with every standard license at no additional cost. You can connect to unlimited OPC UA servers and expose unlimited tags through the built-in server without any per-connection or per-tag fees.

When Ignition first connects to Kepware, both systems quarantine each other's certificates. In Ignition, go to Gateway > Config > OPC UA > Security > Quarantined Certificates and trust the Kepware certificate. In Kepware, navigate to OPC UA Configuration Manager > Trusted Clients and move the Ignition certificate from rejected to trusted. Restart both OPC UA services after trusting certificates.

Ignition can handle hundreds of thousands of OPC UA tags on properly sized hardware. Performance depends on scan rate configuration, network latency, and server resources. Best practices include using appropriate scan classes (1s for fast data, 5-10s for slow-changing values), enabling subscription-based updates instead of polling where supported, and distributing high tag counts across multiple OPC connections.

Yes. The recommended migration path is to first install an OPC UA wrapper on your existing OPC DA server (most vendors like Kepware and Matrikon offer built-in UA wrappers). Then add the new OPC UA connection in Ignition alongside the existing DA connection. Use Ignition's tag import/export feature to remap tag OPC paths from the DA server to the UA server. This approach allows parallel operation during migration and rollback capability if issues arise.
