OPC UA Client
This page documents the client route (
OPCUA)—the broker connects to a remote OPC UA server and reads or writes device data over MQTT. To expose MQTT topics to OPC UA clients instead (SCADA, UaExpert, PLCs connect to the broker), see OPC UA Server.OPCUA route enables communication with OPC UA servers, providing a standardized, cross-platform protocol for industrial automation. It supports multiple authentication modes, security policies, and both NodeId and BrowsePath addressing.
Basic Syntax
Connection Configuration
OPCUA_CONFIG Parameters
OPC UA server endpoint URL (e.g.,
opc.tcp://localhost:4840).Authentication mode:
0- Anonymous (no authentication)1- Username/Password2- Certificate
Username for authentication (required if AUTH_MODE is 1).
Password for authentication (required if AUTH_MODE is 1).
Enable security mode. Default: false.
Security policy level:
0- None1- Basic128Rsa152- Basic2563- Basic256Sha2564- Aes128_Sha256_RsaOaep5- Aes256_Sha256_RsaPss
Message security mode:
0- None1- Sign2- SignAndEncrypt
Root directory for the four-folder PKI store (
own, issuer, trusted, rejected). Defaults to the OPC Foundation layout under local application data. Set an explicit path—and mount it as a volume in Docker—so certificates persist across restarts. See Certificate Management.Path to a PKCS#12 (
.pfx) or PEM client certificate used when AUTH_MODE is 2. The broker loads it, adopts its application URI, and stores it under PKI_DIR/own. When omitted, a self-signed certificate is auto-generated on first connect.Path to the private key PEM file when
CLIENT_CERT_PATH points to a certificate-only PEM. Not needed for PKCS#12 bundles.Password for the PKCS#12 bundle or encrypted private key. Use
GET SECRET—never hard-code passwords in route definitions.Automatically accept untrusted server certificates. Default: false. For production, leave false and trust the server certificate explicitly—see Certificate Management.
Suppress nonce validation errors. Default: false.
Connection timeout in milliseconds. Default: 90000.
Security Configuration
- Anonymous (No Security)
- Username/Password
- Certificate Authentication
For development or trusted networks:
Certificate Management
A secured OPC UA client connection requires two certificates that trust each other: the broker’s application instance certificate (channel security and, withAUTH_MODE 2, user identity) and the server’s certificate (must be in your trusted store). For server-side trust workflows, see OPC UA Server.
PKI directory layout
Both client and server routes store certificates in four folders underPKI_DIR:
| Folder | Holds | File form |
|---|---|---|
own | This application’s certificate (own/certs) and private key (own/private) | *.der + *.pfx |
issuer | Trusted CA / issuer certificates for chain validation | *.der |
trusted | Trusted peer certificates—the server you accept goes here (trusted/certs) | *.der |
rejected | Certificates seen during a handshake but not yet trusted | *.der |
Where certificates live
WhenPKI_DIR is not set, it defaults to %LocalApplicationData%/OPC Foundation/pki:
| OS | Default path |
|---|---|
| macOS | ~/Library/Application Support/OPC Foundation/pki |
| Linux | $XDG_DATA_HOME/OPC Foundation/pki or ~/.local/share/OPC Foundation/pki |
| Windows | %LOCALAPPDATA%\OPC Foundation\pki |
Inspecting and exporting certificates
Certificates are plain files you can inspect withopenssl:
own/certs/*.der). The private key (own/private/*.pfx) never leaves the broker.
Auto-generated client certificate
WithAUTH_MODE 2 and no CLIENT_CERT_PATH, the broker auto-generates a self-signed certificate (CN=CorefluxBroker_OpcUaClient, O=Coreflux) in PKI_DIR/own on first connect:
An application instance certificate must carry an application URI in its Subject Alternative Name. The OPC UA stack matches certificates by that URI and rejects certificates without one.
Supply your own client certificate
Use a certificate from your PKI viaCLIENT_CERT_PATH. Generate it with a mandatory URI SAN:
- Generate certificate
- Reference in route (PKCS#12)
- Reference in route (PEM)
Trust the server’s certificate
Required whenUSE_SECURITY true and AUTO_ACCEPT_UNTRUSTED_CERTIFICATES false:
Deploy the route
The first handshake fails and the server’s certificate is written to
PKI_DIR/rejected/certs.WITH AUTO_ACCEPT_UNTRUSTED_CERTIFICATES true.
Get the broker trusted by the server
ForAUTH_MODE 2, the server must trust the broker’s client certificate:
Add to the server's trust list
Import
broker-client.pem (or the .der) into the server’s trusted certificate store—via its PKI trusted folder or vendor certificate manager.Rotation and renewal
- Auto-generated certificates — Delete files in
PKI_DIR/own/certsandPKI_DIR/own/private, then reconnect; the broker regenerates a new self-signed certificate. - Supplied certificates — Replace the
.pfx/PEM file, remove the old copy fromPKI_DIR/own, and redeploy. Re-distribute the new public certificate to the server’s trust list before the old one expires. - Plan rotation before expiry—an expired application instance certificate fails the handshake.
Verify the connection
After mutual trust is configured, confirm the route connects:$SYS/Coreflux/Command. A response with "success": true means the certificate-authenticated session is established.
NodeId Addressing
OPC UA uses NodeIds to identify variables. The format is:ns=<namespace>;s=<identifier> or ns=<namespace>;i=<numeric_id>
| Format | Example | Description |
|---|---|---|
| String identifier | ns=2;s=Channel1.Device1.Tag1 | Most common, human-readable |
| Numeric identifier | ns=2;i=1234 | More efficient, used by some servers |
| GUID identifier | ns=2;g=12345678-1234-1234-1234-123456789012 | Globally unique identifiers |
Finding NodeIds
Use an OPC UA browser tool (like UaExpert, Prosys OPC UA Browser, or similar) to explore the server’s address space and find the correct NodeIds.BrowsePath Mode
For servers that support it, you can use symbolic paths instead of NodeIds:Enable BrowsePath mode - treat all TAG addresses as browse paths instead of NodeIds.
Root path for browsing when USE_BROWSE_PATH is enabled. Default: Objects.
BrowsePath Example
Data Types
| Data Type | OPC UA Type | Description |
|---|---|---|
BOOLEAN / BOOL | Boolean | True/False value |
SBYTE / SINT | SByte | Signed 8-bit integer |
BYTE / USINT | Byte | Unsigned 8-bit integer |
INT16 / INT / WORD | Int16 | 16-bit integer |
UINT16 / UINT | UInt16 | Unsigned 16-bit integer |
INT32 / DINT | Int32 | Signed 32-bit integer |
UINT32 / UDINT / DWORD | UInt32 | Unsigned 32-bit integer |
INT64 / LINT | Int64 | Signed 64-bit integer |
UINT64 / ULINT / LWORD | UInt64 | Unsigned 64-bit integer |
FLOAT / FLOAT32 / REAL | Float | 32-bit floating point |
DOUBLE / FLOAT64 / LREAL | Double | 64-bit floating point |
CHAR | Char | Single character |
WCHAR | WChar | Wide character |
TIME | Time | Time duration |
DATE | Date | Date value |
TOD | TimeOfDay | Time of day |
STRING | String | Unicode string (configurable STRING_SIZE) |
TAG Configuration
Complete TAG Example
TAG Parameters
Address Configuration
Address Configuration
OPC UA NodeId (e.g.,
ns=2;s=MyVariable or ns=2;i=1234) or BrowsePath if USE_BROWSE_PATH is enabled.OPC UA data type:
BOOLEAN, BYTE, INT16, UINT16, INT32, UINT32, INT64, UINT64, FLOAT, DOUBLE, STRING.Indicates if the value is an array. Default: false.
Value Transformation
Value Transformation
Filtering
Filtering
Publishing
Publishing
Event-Based Operations
For on-demand OPC UA operations (not polling), use the EVENT syntax. Publish a message to SOURCE_TOPIC to trigger the operation; the route executes it and publishes the result to DESTINATION_TOPIC.Supported Operations
| Operation | Description | Query Parameters |
|---|---|---|
READ | Read a node value on demand | node_id, data_type |
WRITE | Write a value to a node | node_id, data_type, value |
Query Parameters
| Parameter | Description | Example |
|---|---|---|
operation | Operation type: READ or WRITE | READ |
node_id | OPC UA NodeId (string or numeric) | ns=2;i=2, ns=2;s=Process.Temp |
data_type | OPC UA data type | INT32, FLOAT, DOUBLE, STRING |
value | Value to write (WRITE only) | 42, 23.5, "hello" |
Read Example
Read a node value on demand:Write Example
Write a FLOAT value to a node on demand:Complete Examples
- Basic Connection
- Secure Connection
- BrowsePath Mode
- Array Values
- Kepware Connection
- Combined (Cyclic + On-Demand)
Simple OPC UA connection with anonymous access:
Security Best Practices
Use Encryption in Production
Use Encryption in Production
Always enable security for production deployments:
Don't Auto-Accept Certificates
Don't Auto-Accept Certificates
In production, properly configure certificate trust:Move server certificates from
PKI_DIR/rejected/certs to PKI_DIR/trusted/certs during commissioning. See Certificate Management.Use Strong Authentication
Use Strong Authentication
Prefer username/password or certificate authentication over anonymous:
Troubleshooting
Connection Timeout
Connection Timeout
- Verify endpoint URL is correct
- Check firewall allows TCP port (usually 4840)
- Ensure server is running and accessible
- Try increasing TIMEOUT value
Security Rejection
Security Rejection
- Verify security policy matches server configuration
- Server certificate not trusted — Move it from
PKI_DIR/rejected/certstoPKI_DIR/trusted/certs, or setAUTO_ACCEPT_UNTRUSTED_CERTIFICATES truefor testing only - Supplied certificate ignored — Reissue with a
subjectAltName=URI:...SAN; certificates without an application URI are rejected - Server rejects client certificate — Export the broker’s public cert from
PKI_DIR/own/certsand add it to the server’s trust list - Certificate regenerates every restart — Set
PKI_DIRto a persistent volume (especially in Docker) BadCertificateUriInvalid— Regenerate the certificate or set a stable application URI in the SAN
Route with CLIENT_CERT_PATH fails to start
Route with CLIENT_CERT_PATH fails to start
- Verify the file path is correct and readable by the broker
- Check
CLIENT_CERT_PASSWORDmatches the PKCS#12 bundle or encrypted key - For a split PEM (certificate and key in separate files), set
CLIENT_KEY_PATH - The broker log names the failing file—check it for the exact cause
NodeId Not Found
NodeId Not Found
- Use OPC UA browser to verify correct NodeId
- Check namespace index (ns=) is correct
- Verify node exists in server’s address space
- Try BrowsePath mode if NodeId is unclear
Authentication Failed
Authentication Failed
- Verify username and password
- Check user has appropriate permissions
- Ensure AUTH_MODE matches server requirements
Incorrect Values
Incorrect Values
- Verify DATA_TYPE matches server variable type
- Check IS_ARRAY setting for array values
- Verify SCALING and OFFSET calculations
Next Steps
OPC UA Server Route
Expose MQTT topics as OPC UA nodes for SCADA and OT clients.
ADS (Beckhoff)
Connect to TwinCAT systems.

