As part of the Edge Xpert distribution, IOTech provides an Open Platform Communications - Unified Architecture (OPC-UA) Device Service. This allows Edge Xpert to read data from OPC-UA devices and to issue commands.

The OPC-UA Device Service provides a means of integrating OPC-UA device services with Edge Xpert. For more information about OPC-UA, refer to the OPC Foundation’s website.

The Edge Xpert OPC-UA Device Service is based on open62541, a well-used open source implementation of the IEC-62541 OPC-UA standard.

The OPC-UA Device Service supports the following key features:

  • Support for encrypted connections. For further information, see Encrypted Connections
  • Support for a private key and certificate pair when using the Basic128Rsa15 or Basic256Sha256 encryption levels. For further information, see Key/Certificate Pair
  • Multiple secure connections, each using a different certificate by defining the certificate file and private key to be used during device provisioning
  • Reading data from OPC-UA nodes
  • Writing data to nodes on an OPC-UA server

The OPC-UA Device Service supports the following data types:

  • Boolean
  • String
  • UInt8, UInt16, UInt32, UInt64
  • Int8, Int16, Int64
  • Float32
  • Float64
  • DateTime


The OPC-UA Device Service can be embedded with Edge XRT. For further information on implementing Edge XRT with a Device Service, see Edge XRT.

Encrypted Connections

The OPC-UA Device Service also supports signed and encrypted connections with the following security levels:

Key/Certificate Pair

You can provide the key / certificate pair, as .der files, in the /keys directory within the container. To generate a private key and certificate, enter the following commands:

openssl req -subj "/C=UK/ST=Newcastle/L=Newcastle/O=IoTech/OU=edgex-device-opcua/CN=www.iotechsys.com" -x509 -days 365 -nodes -newkey rsa:1024 -keyout private_key.pem -out certificate.pem
openssl x509 -inform PEM -outform DER -in certificate.pem -out certificate.der
openssl rsa -inform PEM -outform DER -in private_key.pem -out private_key.der

If several key/certificate pairs are provided, the specific certificate and key to use can be specified during device provisioning, allowing different devices to use different key/certificate pairs. If not specified during device provisioning, the certificate defaults to certificate.der and the private key defaults to private_key.der.

The key/certificate pair persisists for the life of the container.

Any server that you connect to must set the certificate used by the Device Service as trusted.

The docker-compose.yml file contains an example bind mount. To use this, you must uncomment the example code.

OPC-UA Attributes

The device profile defines what resources are available on a particular device. The following profile attributes can be defined in the YAML file:

Required Profile Attributes
Attribute Description
nodeID The identifier of the node in the OPC-UA server
nsIndex The index of the node in the OPC-UA server
browsePath The name of a child node qualified with a namespace URI
IDType The data type used for the nodeID attribute
startNode The starting node for the translation. If set, this overrides the RootNode specified for the device in the TOML file
monitored Allows the monitoring of defined nodes within a remote server using OPC-UA subscriptions. Set to True to enable monitoring. For further information, see Subscriptions

For further information on the use of the nodeID, nsIndex, browsePath, IDType and startNode attributes when specifying the node for a deviceResource, see Discovering the nodeID of a Node.


OPC-UA subscriptions allow the monitoring of nodes within a remote server.

Subscriptions are set up when a new connection is made to the remote OPC-UA server. This generally occurs when the first GET or PUT command is issued to the Device Service.

Each connection sets up a distinct Subscription Item, which can contain one or more Monitored Items. When a Monitored item changes on the server, the server is responsible for notifying subscribed Device Services of the change. When the OPC-UA Device Service is notified of a change, it returns the new value for the Monitored Item in a POST command to Edge Xpert.

To set a deviceResource as a Monitored Item, set the monitored atribute to True in the device profile, as shown in the following extract:

- name: Counter1
  description: "A Simulated Counter"
    { nodeID: "Counter1" , nsIndex: "5", IDType: "STRING", monitored: "True" }
          { type: "Uint32", readWrite: "R" }
          { type: "String", readWrite: "R", defaultValue: "String" }

OPC-UA Examples

The Browse Service can be used to browse the namespace of an OPC-UA server and find notes that might be of interest. The following example shows how to enable this service:

The TranslateBrowsePathsToNodeIds service can be used to discover the nodeID when you know the position of the Node in the Server Node tree. The following example shows how to use this service:

The following examples illustrate how the OPC-UA Device Service can be used:

The following example shows how to test the setup for any of the methods:

These examples use the Prosys OPC-UA Simulation Server, which can be downloaded from https://www.prosysopc.com/products/opc-ua-simulation-server and assume that the Prosys Simulation Server is running with the default configuration, as illustrated below:

Prosys Simulation Server

These examples assume that the Edge Xpert services are running with at least the --xpert-manager and --device-opc-ua parameters. A suitable command would be as follows:

edgexpert up --xpert-manager --device-opc-ua