OPC UA Integration Guide
Connect MaestroHub to industrial OPC UA servers for secure read, write, and browse operations across your production assets. This guide covers connection setup, function authoring, and pipeline integration.
Overview
The OPC UA connector gives you:
- Secure sessions with selectable security policies, message signing, and certificate trust
- Namespace-aware browsing to discover tags before wiring them into functions
- Low-latency read/write calls tuned for both cyclic polling and on-demand commands
- Centralized access control leveraging OPC UA user authentication and Maestro role-based access
Combine OPC UA reads with Modbus, MQTT, or REST nodes to blend shop-floor signals with enterprise data.
Connection Configuration
Creating an OPC UA Connection
From Connections → New Connection → OPC UA, configure the fields below:
OPC UA Connection Creation Fields
1. Profile Information
| Field | Default | Description |
|---|---|---|
| Profile Name | - | A descriptive name for this connection profile (required, max 100 characters) |
| Description | - | Optional description for this OPC UA connection |
2. OPC UA Server Configuration
| Field | Default | Description |
|---|---|---|
| Server Hostname | - | OPC UA server hostname or IP address (e.g., opcua.example.com) - required |
| Port | 4840 | OPC UA server port (1-65535) |
| Path | - | Optional server path (e.g., /opcua) |
Server URL Format
The full server URL is automatically constructed: opc.tcp://{hostname}:{port}{path}
Example: opc.tcp://opcua.example.com:4840/opcua
3. Security Configuration
3a. Security Policy and Mode
| Field | Default | Description |
|---|---|---|
| Security Policy | None | OPC UA security policy for message encryption - required |
| Security Mode | None | OPC UA security mode for message protection - required |
Security Policy Options
- None: No security
- Basic128Rsa15: Basic 128-bit RSA encryption
- Basic256: 256-bit encryption
- Basic256Sha256: 256-bit encryption with SHA-256 (recommended)
Security Mode Options
- None: No message protection
- Sign: Messages will be signed for integrity
- SignAndEncrypt: Messages will be signed and encrypted
Important Validation Rules
- When Security Policy is
None, Security Mode must also beNone. - When Security Policy is not
None, certificates are required.
3b. Certificates
(Only displayed when Security Policy is NOT None)
| Field | Default | Description |
|---|---|---|
| Client Certificate | - | Client certificate for server authentication (PEM format) |
| Client Private Key | - | Private key for client certificate (PEM format, required when certificate is provided) |
4. Authentication
| Field | Default | Description |
|---|---|---|
| Authentication Type | Anonymous | Authentication method for OPC UA server access - required |
| Username | - | OPC UA server username (required when Authentication Type is UsernamePassword) |
| Password | - | OPC UA server password (required when Authentication Type is UsernamePassword) |
Authentication Type Options
- Anonymous: No credentials required
- UsernamePassword: Requires both username and password
5. Connection Timeouts
| Field | Default | Description |
|---|---|---|
| Connection Timeout (seconds) | 30 | Maximum time to establish connection (1-300 seconds) |
| Request Timeout (seconds) | 5 | Maximum time to wait for server response (1-300 seconds) |
6. Session Configuration
| Field | Default | Description |
|---|---|---|
| Session Timeout (minutes) | 60 | OPC UA session timeout duration in minutes (0-1440, 0 = disabled, max 24 hours) |
| Reconnect Interval (seconds) | 1 | Interval for reconnection attempts in seconds (1-60, max 1 minute) |
7. Retry Configuration
| Field | Default | Description |
|---|---|---|
| Max Retries | 3 | Maximum number of retry attempts (0-10) |
| Retry Delay (milliseconds) | 500 | Delay between retry attempts in milliseconds (100-10000 ms, 100 ms - 10 s) |
8. Connection Labels
| Field | Default | Description |
|---|---|---|
| Labels | - | Key-value pairs to categorize and organize this OPC UA connection (max 10 labels) |
Example Labels
environment: production- Deployment environmentteam: automation- Responsible teamprotocol: opcua- Connection protocolregion: us-east-1- Geographical region
- Security Configuration: When Security Policy is set to anything other than
None, certificates become mandatory. - Certificate Validation: Private key is required when a client certificate is provided.
- Authentication: When Authentication Type is
UsernamePassword, both username and password fields become required. - Server URL: The system automatically constructs the full OPC UA server URL from hostname, port, and path.
- Session Management: Session timeout can be disabled by setting it to 0, but this is not recommended for production environments.
- Retry Behavior: The system will attempt reconnection based on the reconnect interval and will retry failed operations according to the retry configuration.
- Default Port: The standard OPC UA port is 4840.
- Timeout ranges: All timeout values must be within their specified ranges to ensure proper operation.
Function Builder
Creating OPC UA Functions
After saving the connection, author reusable OPC UA functions:
- Open Functions → New Function
- Choose OPC UA Read, Write, or Browse as the function type
- Select the OPC UA connection profile you configured
- Define target nodes, payload mappings, and execution options
Create reusable read, write, and browse operations for OPC UA assets
Read Function
Purpose: Read values from specific OPC UA nodes. Configure node identifiers, data types, and request timeouts with full OPC UA protocol support for real-time data collection.
Configuration Fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| Namespace Index | Number | Yes | - | OPC UA namespace index (0-65535) |
| Node Identifier | String | Yes | - | OPC UA node identifier with type prefix. Examples: i=123 (numeric), s=StringId (string), g=550e8400-e29b-41d4-a716-446655440000 (GUID), b=SGVsbG8gV29ybGQ= (byte string) |
| Request Timeout (seconds) | Number | No | 5 | Maximum time to wait for server response (1-60 seconds) |
Use Cases: Sensor data reading, process variable monitoring, device status checking, real-time data collection
Write Function
Purpose: Write values to specific OPC UA nodes. Configure node identifiers, value types, and write operations with full OPC UA protocol support for control operations.
Configuration Fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| Namespace Index | Number | Yes | - | OPC UA namespace index (0-65535) |
| Node Identifier | String | Yes | - | OPC UA node identifier with type prefix. Examples: i=123 (numeric), s=StringId (string), g=550e8400-e29b-41d4-a716-446655440000 (GUID), b=SGVsbG8gV29ybGQ= (byte string) |
| Value to Write | Object | Yes | - | Value to write to the OPC UA node (supports parameters). Example: {"temperature": ((value)), "timestamp": "((now))"} |
| Request Timeout (seconds) | Number | No | 5 | Maximum time to wait for server response (1-60 seconds) |
Use Cases: Setpoint configuration, control command sending, parameter updates, device control operations
Browse Function
Purpose: Browse the OPC UA node structure and discover references. Explore node hierarchies, find child nodes, and discover the complete node tree with configurable depth limits.
Configuration Fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| Namespace Index | Number | Yes | 0 | OPC UA namespace index (0-65535) |
| Node Identifier | String | Yes | - | OPC UA node identifier to browse. Examples: i=84 (Root folder - standard root node), i=85 (Server object), i=2253 (ServerStatus), s=MyCustomNode (string identifier) |
| Request Timeout (seconds) | Number | No | 10 | Maximum time to wait for server response (1-60 seconds) |
Use Cases: Node structure exploration, device capability discovery, server information browsing, hierarchical data navigation
Using Parameters
Parameters follow the ((parameterName)) syntax and appear in the function editor panel.
| Configuration | Description | Example |
|---|---|---|
| Type | Coerce runtime values into OPC UA data types | number, string, boolean, datetime, buffer |
| Required | Enforce presence of the parameter | Required / Optional |
| Default Value | Provide fallback values for unattended runs | 0, false, NOW() |
| Description | Help field to capture node purpose | "Target furnace temperature in °C" |
Configure parameter validation, defaults, and descriptions for OPC UA calls
Pipeline Integration
Use the OPC UA connection functions you create here as nodes inside the Pipeline Designer to coordinate machine data with the rest of your production flow. Drag in the read, write, or browse node, bind its parameters to upstream outputs or constants, and tune retries or error branches so operators get the right context at the right moment.
If you are planning broader orchestration, review the Connector Nodes page for guidance on where OPC UA nodes fit within multi-system automation patterns.
OPC UA node with function selection, connection, and parameter bindings
Common Use Cases
Real-Time Equipment Monitoring
Poll temperature, vibration, or energy tags cyclically and forward the results to MQTT, REST, or historian targets for central visibility.
Command and Control
Trigger setpoint updates, mode changes, or alarm acknowledgements based on business rules or operator actions, with MaestroHub logging command details, operators, and timestamps for complete audit trails.