Configuration settings
To configure the OPC UA extractor, you must edit the configuration file. The file is in YAML format, and the sample configuration file contains all valid options with default values.
You can leave many fields empty to let the extractor use the default values. The configuration file separates the settings by component, and you can remove an entire component to disable it or use the default values.
Sample configuration files
In the extractor installation folder, the /config
subfolder contains sample complete and minimal configuration files. The values wrapped in ${}
are replaced with environment variables with that name. For example ${COGNITE_PROJECT}
will be replaced with the value of the environment variable called COGNITE_PROJECT
.
The configuration file also contains the global parameter version
, which holds the version of the configuration schema used in the configuration file. This document describes version 1 of the configuration schema.
Not that it is not recommended to use the config.example.yml
as a basis for configuration files. This file contains all configuration options, which is both hard to read, and may cause issues. It is intended as a reference showing how each option is configured, not as a basis. Use config.minimal.yml
instead.
You can set up extraction pipelines to use versioned extractor configuration files stored in the cloud.
Minimal YAML configuration file
version: 1
source:
# The URL of the OPC-UA server to connect to
endpoint-url: 'opc.tcp://localhost:4840'
cognite:
# The project to connect to in the API, uses the environment variable COGNITE_PROJECT.
project: '${COGNITE_PROJECT}'
# Cognite authentication
# This is for Microsoft as IdP. To use a different provider,
# set implementation: Basic, and use token-url instead of tenant.
# See the example config for the full list of options.
idp-authentication:
# Directory tenant
tenant: ${COGNITE_TENANT_ID}
# Application Id
client-id: ${COGNITE_CLIENT_ID}
# Client secret
secret: ${COGNITE_CLIENT_SECRET}
# List of resource scopes, ex:
# scopes:
# - scopeA
# - scopeB
scopes:
- ${COGNITE_SCOPE}
extraction:
# Global prefix for externalId in destinations. Should be unique to prevent name conflicts.
id-prefix: 'gp:'
# Map OPC-UA namespaces to prefixes in CDF. If not mapped, the full namespace URI is used.
# Saves space compared to using the full URL. Using the ns index is not safe as the order can change on the server.
# It is recommended to set this before extracting the node hierarchy.
# For example:
# NamespaceMap:
# "urn:cognite:net:server": cns
# "urn:freeopcua:python:server": fps
# "http://examples.freeopcua.github.io": efg
ProtoNodeId
You can provide an OPC UA NodeId
in several places in the configuration file, these are YAML objects with the following structure:
node:
node-id: i=123
namespace-uri: opc.tcp://test.test
To find the node IDs we recommend using the UAExpert tool.
Locate the node you need the ID of in the hierarchy, the find the node ID on the right side under Attribute > NodeId. Find the Namespace Uri by matching the NamespaceIndex on the right to the dropdown on the left, in the node hierarchy view. The default value is No highlight.
Timestamps and intervals
In most places where time intervals are required, you can use a CDF-like syntax of [N][timeunit]
, for example 10m
for 10 minutes or 1h
for 1 hour. timeunit
is one of d
, h
, m
, s
, ms
. You can also use a cron expression in some places.
For history start and end times you can use a similar syntax. [N][timeunit]
and [N][timeunit]-ago
. 1d-ago
means 1 day in the past from the time history starts, and 1h
means 1 hour in the future. For instance, you can use this syntax to configure the extractor to read only recent history.
Using values from Azure Key Vault
The OPC UA extractor also supports loading values from Azure Key Vault. To load a configuration value from Azure Key Vault, use the !keyvault
tag followed by the name of the secret you want to load. For example, to load the value of the my-secret-name
secret in Key Vault into a password
parameter, configure your extractor like this:
password: !keyvault my-secret-name
To use Key Vault, you also need to include the key-vault
section in your configuration, with the following parameters:
Parameter | Description |
---|---|
keyvault-name | Name of Key Vault to load secrets from |
authentication-method | How to authenticate to Azure. Either default or client-secret . For default , the extractor will look at the user running the extractor, and look for pre-configured Azure logins from tools like the Azure CLI. For client-secret , the extractor will authenticate with a configured client ID/secret pair. |
client-id | Required for using the client-secret authentication method. The client ID to use when authenticating to Azure. |
secret | Required for using the client-secret authentication method. The client secret to use when authenticating to Azure. |
tenant-id | Required for using the client-secret authentication method. The tenant ID of the Key Vault in Azure. |
Example:
azure-keyvault:
keyvault-name: my-keyvault-name
authentication-method: client-secret
tenant-id: 6f3f324e-5bfc-4f12-9abe-22ac56e2e648
client-id: 6b4cc73e-ee58-4b61-ba43-83c4ba639be6
secret: 1234abcd
Configure the OPC UA extractor
OPC-UA extractor configuration
Parameter | Type | Description |
---|---|---|
version | integer | Version of the config file, the extractor specifies which config file versions are accepted in each version of the extractor. |
dry-run | boolean | Set this to true to prevent the extractor from writing anything to CDF. This is useful for debugging the extractor configuration. |
source | object | |
logger | object | Configure logging to console or file |
metrics | object | Configure logging to console or file |
cognite | object | Configuration for pushing data to Cognite Data Fusion (CDF) |
mqtt | object | Push data to CDF one-way over MQTT. This requires that the MQTT-CDF Bridge application is running somewhere with access to CDF. |
influx | object | Configuration for pushing to an InfluxDB database. Data points and events will be pushed, but no context or metadata. |
extraction | object | Configuration for general extraction options, such as data types, mapping, and filters. |
events | object | Configuration for extracting OPC UA events and alarams as CDF events or litedb time series |
failure-buffer | object | If the connection to CDF goes down, the OPC UA extractor supports buffering data points and events in a local file or InfluxDB. This is helpful if the connection is unstable, and the server does not provide its own historical data. |
history | object | Configuration for reading historical datapoints and events from the server |
state-storage | object | A local LiteDB database or a database in CDF RAW that store various persistent information between extractor runs. This is used to replace reading first/last data points from CDF, and also allows storing first/last times for events. Enabling this is highly recommended, and will be required in a future version of the extractor. |
subscriptions | object | A few options for subscriptions to events and data points. Subscriptions in OPC UA consist of Subscription objects on the server, which contain a list of MonitoredItems. By default, the extractor produces a maximum of four subscriptions: * DataChangeListener - handles data point subscriptions. * EventListener - handles event subscriptions. * AuditListener - which handles audit events. * NodeMetrics - which handles subscriptions for use as metrics. Each of these can contain a number of MonitoredItems. |
pub-sub | object | Configure the extractor to read from MQTT using OPC-UA pubsub. This requires the server pubsub configuration to be exposed through the Server object. You should consider setting subscriptions: data-points: false to avoid duplicate datapoints if this is enabled. |
high-availability | object | Configuration to allow you to run multiple redundant extractors. Each extractor needs a unique index. |
source
Global parameter.
Parameter | Type | Description |
---|---|---|
endpoint-url | string | The URL of the OPC UA server to connect to. In practice, this is the URL of the discovery server, where multiple levels of severity may be provided. The OPC UA extractor attempts to use the highest security possible based on the configuration. Example: opc.tcp://some-host:1883 |
alt-endpoint-urls | list | List of alternative endpoint URLs the extractor can attempt when connecting to the server. Use this for non-transparent redundancy. See the OPC UA standard part 4, section 6.6.2. We recommend setting force-restart to true . Otherwise, the extractor will reconnect to the same server each time. |
endpoint-details | object | Details used to override default endpoint behavior. This is used to make the client connect directly to an OPC UA endpoint, for example if the server is behind NAT (Network Address Translation), circumventing server discovery. |
redundancy | object | Additional configuration options related to redundant servers. The OPC UA extractor supports Cold redundancy, as described in the OPC UA standard part 4, section 6.6.2. |
reverse-connect-url | string | The local URL used for reverse connect, which means that the server is responsible for initiating connections, not the extractor. This lets the server be behind a firewall, forbidding incoming connections. You must also specify an endpoint-url , to indicate to the extractor where it should accept connections from. |
auto-accept | boolean | Set to true to automatically accept server certificates.If this is disabled, received server certificates will be placed in the rejected certificates folder (by default application_dir/certificates/pki/rejected ), and you can manually move them to te accepted certificates folder (application_dir/certificates/pki/accepted ). Setting this to true makes the extractor move certificates automatically.A simple solution would be to set this to true for the first connection, then change it to false .Warning: This should be disabled if the extractor is running on an untrusted network. Default value is True . |
username | string | OPC UA server username, leave empty to disable username/password authentication. |
password | string | OPC UA server password. |
x509-certificate | object | Specifies the configuration for using a signed x509 certificate to connect to the server. Note that this is highly server specific. The extractor uses the provided certificate to sign requests sent to the server. The server must have a mechanism to validate this signature. Typically the certificate must be provided by the server. |
secure | boolean | Set this to true to make the extractor try to connect to an endpoint with security above None . If this is enabled, the extractor will try to pick the most secure endpoint, meaning the endpoint with the longest of the most modern cipher types. |
ignore-certificate-issues | boolean | Ignore all suppressible certificate errors on the server certificate. You can use this setting if you receive errors such as Certificate use not allowed. CAUTION: This is potentially a security risk. Bad certificates can open the extractor to man-in-the-middle attacks or similar. If the server is secured in other ways (it is running locally, over a secure VPN, or similar), it is most likely fairly harmless. Some errors are not suppressible and must be remedied on the server. Note that enabling this is always a workaround for the server violating the OPC UA standard in some way. |
publishing-interval | integer | Sets the interval (in milliseconds) between publish requests to the server, which is when the extractor asks the server for updates to any active subscriptions. This limits the maximum frequency of points pushed to CDF, but not the maximum frequency of points on the server. In most cases, this can be set to the same as extraction.data-push-delay . If set to 0 the server chooses the interval to be as low as it supports. Be aware that some servers set this lower limit very low, which may create considerable load on the server. Default value is 500 . |
force-restart | boolean | If true , the extractor will not attempt to reconnect using the OPC UA reconnect protocol if connection is lost, but instead always create a new connection. Only enable this if reconnect is causing issues with the server. Even if this is disabled, the extractor will generally fall back on regular reconnects if the server produces unexpected errors on reconnect. |
exit-on-failure | boolean | If true , the OPC UA extractor will be restarted completely on reconnect. Enable this if the server is expected to change dramatically while running, and the extractor cannot keep using state from previous runs. |
keep-alive-interval | integer | Specifies the interval in milliseconds between each keep-alive request to the server. The connection times out if a keep-alive request fails twice (2 * interval + 100ms ). This typically happens if the server is down, or if it is hanging on a heavy operation and doesn't manage to respond to keep alive requests. Set this higher if keep alives often time out without the server being down. Default value is 5000 . |
restart-on-reconnect | boolean | If true , the OPC UA extractor will be restarted after reconnecting to the server. This may not be required if the server is the server is expected to not change much, and that it handles reconnects well. |
node-set-source | object | Read from NodeSet2 files instead of browsing the OPC UA node hierarchy. This is useful for certain smaller servers, where the full node hierarchy is known before-hand. In general, it can be used to lower the load on the server. |
alt-source-background-browse | boolean | If true , browses the OPC UA node hierarchy in the background when obtaining nodes from an alternative source, such as CDF Raw or NodeSet2 files. |
limit-to-server-config | boolean | Uses the Server/ServerCapabilities node in the OPC UA server to limit chunk sizes. Set this to false only if you know the server reports incorrect limits and you want to set them higher. If the real server limits are exceeded, the extractor will typically crash. Default value is True . |
browse-nodes-chunk | integer | Sets the maximum number of nodes per call to the Browse service. Large numbers are likely to exceed the server's tolerance. Lower numbers greatly increase startup time. Default value is 1000 . |
browse-chunk | integer | Sets the maximum requested results per node for each call to the Browse service. The server may decide to return fewer. Setting this lower increases startup times. Setting it to 0 leaves the decision up to the server. Default value is 1000 . |
attributes-chunk | integer | Specifies the maximum number of attributes to fetch per call to the Read service. If the server fails with TooManyOperations during attribute read, it may help to lower this value. This should be set as high as possible for large servers. Default value is 10000 . |
subscription-chunk | integer | Sets the maximum number of new MonitoredItems to create per operation. If the server fails with TooManyOperations when creating monitored items, try lowering this value. Default value is 1000 . |
browse-throttling | object | Settings for throttling browse operations. |
certificate-expiry | integer | Specifies the default application certificate expiration time in months. You can also replace the certificate manually by modifying the opc.ua.net.extractor.Config.xml configuration file. Note that the default values was changed as of version 2.5.3. Default value is 60 . |
retries | object | Specify the retry policy for requests to the OPC UA server. |
alt-endpoint-urls
Part of source
configuration.
List of alternative endpoint URLs the extractor can attempt when connecting to the server. Use this for non-transparent redundancy. See the OPC UA standard part 4, section 6.6.2.
We recommend setting force-restart
to true
. Otherwise, the extractor will reconnect to the same server each time.
Each element of this list should be a string.
endpoint-details
Part of source
configuration.
Details used to override default endpoint behavior. This is used to make the client connect directly to an OPC UA endpoint, for example if the server is behind NAT (Network Address Translation), circumventing server discovery.
Parameter | Type | Description |
---|---|---|
override-endpoint-url | string | Endpoint URL to override URLs returned from discovery. This can be used if the server is behind NAT, or similar URL rewrites. |
redundancy
Part of source
configuration.
Additional configuration options related to redundant servers. The OPC UA extractor supports Cold redundancy, as described in the OPC UA standard part 4, section 6.6.2.
Parameter | Type | Description |
---|---|---|
service-level-threshold | integer | Servers above this threshold are considered live. If the server drops below this level, the extractor will switch, provided monitor-service-level is set to true . Default value is 200 . |
reconnect-interval | string | If using redundancy, the extractor will attempt to find a better server with this interval if service level is below threshold. Format is as given in Timestamps and intervals. Default value is 10m . |
monitor-service-level | boolean | If true , the extractor will subscribe to changes in ServiceLevel and attempt to change server once it drops below service-level-threshold .This also prevents the extractor from updating states while service level is below the threshold, letting servers inform the extractor that they are not receiving data from all sources, and history should not be trusted. Once the service level goes back above the threshold, history will be read to fill any gaps. |
x509-certificate
Part of source
configuration.
Specifies the configuration for using a signed x509 certificate to connect to the server. Note that this is highly server specific. The extractor uses the provided certificate to sign requests sent to the server. The server must have a mechanism to validate this signature. Typically the certificate must be provided by the server.
Parameter | Type | Description |
---|---|---|
file-name | string | Path to local x509-certificate |
password | string | Password for local x509-certificate file |
store | either None , Local or User | Local certificate store to use. One of None (to use a file), Local (for LocalMachine) or User for the User store. Default value is None . |
cert-name | string | Name of certificate in store. Required to use store Example: CN=MyCertificate |
node-set-source
Part of source
configuration.
Read from NodeSet2 files instead of browsing the OPC UA node hierarchy. This is useful for certain smaller servers, where the full node hierarchy is known before-hand. In general, it can be used to lower the load on the server.
Parameter | Type | Description |
---|---|---|
node-sets | list | Required. List of nodesets to read. Specified by URL, file name, or both. If no name is specified, the last segment of the URL is used as file name. File name is where downloaded files are saved, and where the extractor looks for existing files. Note that typically, you will need to define all schemas your server schema depends on. All servers should depend on the base OPC UA schema, so you should always include https://files.opcfoundation.org/schemas/UA/1.04/Opc.Ua.NodeSet2.xml Example: [{'file-name': 'Server.NodeSet2.xml'}, {'url': 'https://files.opcfoundation.org/schemas/UA/1.04/Opc.Ua.NodeSet2.xml'}] |
instance | boolean | If true , the instance hierarchy is not obtained from the server, but instead read from the NodeSet2 files. |
types | boolean | If true , event types, reference types, object types, and variable types are obtained from NodeSet2 files instead of the server. |
node-sets
Part of node-set-source
configuration.
List of nodesets to read. Specified by URL, file name, or both. If no name is specified, the last segment of the URL is used as file name. File name is where downloaded files are saved, and where the extractor looks for existing files.
Note that typically, you will need to define all schemas your server schema depends on. All servers should depend on the base OPC UA schema, so you should always include https://files.opcfoundation.org/schemas/UA/1.04/Opc.Ua.NodeSet2.xml
Each element of this list should be a configuration specifying a node set file.
Parameter | Type | Description |
---|---|---|
file-name | string | Path to nodeset file. This is either the place where the downloaded file is saved, or a previously downloaded file. |
url | string | URL of publicly available nodeset file. |
Example:
[{'file-name': 'Server.NodeSet2.xml'}, {'url': 'https://files.opcfoundation.org/schemas/UA/1.04/Opc.Ua.NodeSet2.xml'}]
browse-throttling
Part of source
configuration.
Settings for throttling browse operations.
Parameter | Type | Description |
---|---|---|
max-per-minute | integer | Maximum number of requests per minute, approximately. |
max-parallelism | integer | Maximum number of parallel requests. |
max-node-parallelism | integer | Maximum number of concurrent nodes accross all parallel requests. |
retries
Part of source
configuration.
Specify the retry policy for requests to the OPC UA server.
Parameter | Type | Description |
---|---|---|
timeout | either string or integer | Global timeout. After this much time has passed, new retries will not be created. Set this to zero for no timeout. Syntax is N[timeUnit] where timeUnit is d , h , m , s or ms . Default value is 0s . |
max-tries | integer | Maximum number of attempts. 1 means that only the initial attempt will be made, 0 or less retries forever. Default value is 5 . |
max-delay | either string or integer | Maximum delay between attempts, incremented using exponential backoff. Set this to 0 for no upper limit. Syntax is N[timeUnit] where timeUnit is d , h , m , s or ms . Default value is 0s . |
initial-delay | either string or integer | Initial delay used for exponential backoff. Time between each retry is calculated as min(max-delay, initial-delay * 2 ^ retry) , where 0 is treated as infinite for max-delay . The maximum delay is about 10 minutes (13 retries). Syntax is N[timeUnit] where timeUnit is d , h , m , s or ms . Default value is 500ms . |
retry-status-codes | list | List of additional OPC-UA status codes to retry on. In additional to defaults. Should be integer values from http://www.opcfoundation.org/UA/schemas/StatusCode.csv, or symbolic names as shown in the same .csv file. |