Quickstart OPC UA server configuration

Tutorial video


Note: Tutorial videos are embedded from the Phoenix Contact Technical Support YouTube channel.  With playing an embedded YouTube video in this platform, you accept the YouTube Terms & Conditions.
Depending on your personal settings in the Cookie consent dialog you may have allowed cookies for marketing purposes which will remain on your device. The data gained through this will be used by YouTube to provide video suggestions and advertisements based on your browsing habits, and may be made available to other parties. 

How to 

If a controller features an integrated OPC UA server, it is displayed in the PLCnext Engineer software in the PLANT area → OPC UA. Here, you can configure the OPC UA server. The configuration is loaded to the controller as part of a PLCnext Engineer project and in form of a configuration file. It contains all parameters for setting the OPC UA server. All users of an OPC UA must authenticate themselves to the OPC UA server with a user name and a password. You can create a user via the WBM of the controller (see Web-based management (WBM)). In the course of this, you have to assign the necessary roles:

  • DataViewer
  • DataChanger
  • FileReader
  • FileWriter

It is highly recommended to make sophisticated use of the different user roles for access in different use cases, such as accessing the PLCnext device for programming, OPC UA access, PLCnext Engineer HMI etc. For further information on user roles, please refer to the User Authentication. In case an authentication fails, see Authentication failure handling.

With PLCnext Engineer, the following configurations are possible:

  • Defining the server endpoint URI:
    Define the name of the network node the eUA server is to use in the server URI and in the endpoint URL.
  • Defining which certificate the server should use:
    Download a dedicated certificate to the controller, use a self-signed certificate created by the controller or connect to a OPC UA Global Discovery server (GDS).
  • Visibility of variables and alarms for the OPC UA clients:
    Due to security reasons, the variables and ports of a program in PLCnext Engineer are set tonot visible by default.
    Visibility is set in your PLCnext Engineer project: In the PLANT area, open the OPC UA node and open the Basic settings. Via the  Visibility of variables drop-down list, you can set the visibility of variables for the OPC UA clients:
  • Privilege settings for data access:
    You can configure access of clients to the file system of the server. Read and write access for clients to selected folders and files in the file system of the server as well as creating additional directories and files are possible. Once this option is active, only PLCnext Technology users with a FileReader or FileWriter role can read or write files.
    The required roles are assigned to the user in the Web-based Management (WBM) of the controller (see User Authentication). 
    The OPC UA server always accesses the Linux file system as the plcnext_firmware Linux user. It makes no difference which firmware user you use to log in as the OPC UA client, or whether you have deactivated the user authentication. All the files and directories are created by theplcnext_firmware user.

For further information on configuring OPC UA in PLCnext Engineer, please refer to the help system embedded in the PLCnext Engineer user interface.


Accessing variables via OPC UA subscriptions

Values of PLC variables can be subscribed via OPC UA. For this, the OPC UA server uses the RSC service ISubscriptionService (see RSC GDS Services for details).

The OPC UA server can be configured to use different subscription kinds:

  • RealTime provides task-synchronous values but may increase the execution time of ESM tasks.
  • DirectRead collects the values by a separate task that also collects the values of global and component variables. So by configuring the subscription asDirectRead the collection of values does not increase the execution time of ESM tasks.

With RealTime setting, the subscription determines the related ESM task from the variable's instance path. The subscription instructs the related ESM task to collect the values of the variables. This ensures that all values which are calculated in the same task are collected in the same execution cycle of the ESM task, which means that the collected values are task synchronous. This is possible for all variables except global variables (IEC 61131-3), and for variables defined in a component instance. The values of global variables (IEC 61131-3) and component variables are not collected by an ESM task. The subscription creates a separate task which is executed cyclically with therevisedSamplingInterval (see OPC UA monitored item and subscription for details).

Note: Beware of the ESM task watchdog! While task-synchronous values offer some advantages for further processing in the OPC UA client, they can also have an effect on the execution time: The collection of the values requires CPU time which increases the execution time of the ESM task(s) involved. Normally this is irrelevant but if many variables are processed this may trigger the ESM task watchdog (especially if the ESM task watchdog is configured close to the task's regular execution time without an OPC UA client attached).

For more details on theSubscriptionKind parameter, see RSC ISubscriptionService .

DefaultSubscriptionKind settings

  • Up to firmware and PLCnext Engineer  releases 2020.0 LTS, the OPC UA configuration does not include the <SubscriptionKind> tag at all, so no configuration is possible. These versions use the <SubscriptionKind>RealTime
  • With firmware and PLCnext Engineer releases 2020.3 and 2020.6, the OPC UA server provides values that are synchronous to the ESM tasks, done by having the<SubscriptionKind> set toRealTime by default. Changes to the configuration can be done manually.
  • From firmware and PLCnext Engineer release 2021.0 LTS, the <SubscriptionKind> is set toDirectRead by default.  PLCnext Engineer provides a configuration option.
Firmware release OPC UA subscription configuration SubscriptionKind default value
up to 2020.0 LTS no configuration possible RealTime
2020.3 and 2020.6 manual configuration only RealTime
from 2021.0 LTS configuration by PLCnext Engineer 
or manually
(if the 2021.0 LTS project template is used)

Configuration by  PLCnext Engineer

Available only from firmware 2021.0 LTS or newer used with PLCnext Engineer 2021.0 LTS or newer on AXC F x152 controllers

Manual configuration

The configuration is done by editing the PCWE.opcua.config configuration file in the /opt/plcnext/Projects/PCWE/Services/OpcUa/ directory on the controller.

Note: This has to be repeated after each project download by PLCnext Engineer because manual changes will be overwritten with each download. To activate the configuration, perform a warm or cold start, or restart the firmware.
  • Add the<SubscriptionSettings> tag in the XML file, e. g. right before the<SecuritySettings> tag.
  • Insert (or change, if already present) the<SubscriptionKind> tag with the valueDirectRead orRealTime.

Example withDirectRead:


Recommendations for a better performance

Every monitored item will create a single request and firmware-internal a separate GDS subscription. Structuring those variables makes sense, but also structs are more or less transferred as single variable from the server, which means that there is one subscription for every element. Apart from this, most clients do not support struct elements.
A possible and performant alternative could be arrays. Every array is transferred as one item and will create also only one subscription.


//Same like single Variables
    MyUA_Struct : STRUCT
        Element1 : INT;
        Element2 : WORD;
        Element3 : REAL;
//Best OPC UA Performance
    arrElement1 : ARRAY[0..500] OF INT;
    arrElement2 : ARRAY[0..500] OF WORD;
    arrElement3 : ARRAY[0..500] OF REAL;

Be aware of the XML entities when editing XML configuration files: 
There are symbols in the XML code that cannot be represented as attribute values because they have a syntactical function.

For example, the characters < and > are used for opening and closing XML tags. To be able to use these characters as attribute values in their genuine meaning "less than" or "greater than", entities are required.

The following entities are predefined in the XML specification. Make sure to use these entities in attribute values to avoid XML parsing errors.

Character Entity
Ampersand (& &amp;
Single quote (') &apos;
Double quote (") &quot;
Less than (<) &lt;
Greater than (>) &gt;
Note: Strings are a very inefficient way to transfer messages (status or diagnostics). As the strings are often hard-coded, in most cases the use is not very beneficial for the overall application. Subsequent changes to messages and translations are very difficult and time consuming.
We recommend the use of identifiers (e.g. an int) which are resolved from the SCADA to a text string (most SCADA systems support this). This makes the communication more efficient, and makes changes and translations easier.

Summary of recommendations

  • Use arrays instead of single variables or structs.
  • Use the option DirectRead 
  • Use the slowest acceptable sample rate
  • Try to substitute strings with text identifiers.
  • Try to prevent single bool variables, combine bit information into word variables.



•  Web browser recommendation: Chrome/Edge 88 or newer, Firefox ESR 90 or neweror Safari • 
• Published/reviewed: 2022-09-14 • Revision 046 •