In our earlier blog, we discussed how to connect a device to Azure IoT Hub using the Azure IoT SDK. In this blog we’ll connect a KEPServerEX instance, deployed at a factory, to the Azure IoT Hub.
KEPServerEX is the industry’s leading connectivity platform that provides a single source of industrial automation data to all of your applications. The platform design allows users to connect, manage, monitor, and control diverse automation devices and software applications through one intuitive user interface — source
We’ll also use the ThingWorx Manufacturing App in today’s discussion. It is not required to configure KEPServerEX; we’ll use it only to simulate devices and control a few device tag values.
PTC’s ThingWorx IIoT platform is designed for rapidly developing industrial IoT solutions, with the ability to scale securely from the cloud to the edge. — source
We’ll then connect the KEPServerEX (with the IoT Gateway plugin) directly to Azure IoT Hub, so we can capture the events at the Azure cloud end.
Install & configure KEPServerEx & ThingWorx Manufacturing App
We’ll go to the Kepware website and install the latest version of KEPServerEX. Similarly, we’ll install the ThingWorx Manufacturing App. The versions we’ll be using in this demo are — KEPServerEX-6.8.796.0 & ThingWorx-Manufacturing-Apps-8.4.0–00. We can refer to the detailed steps from here.
Now we’ll select the connection, click on the View Connection Information icon and will note down the details.
Next, we’ll go to KEPServerEX, select the Project and open the Property Editor. We’ll update the ThingWorx connection information as noted earlier.
Once connected, we’ll find the KEPServerEX connection status becomes green in the ThingWorx application interface.
We’ll now download the simulator data from here and import the demo factory configuration into the ThingWorx.
Load simulator data into KepServerEX
Import Factory Simulator Controls
We’ll import the Factory Simulator Controls to turn on/off various simulator data and then import the tag data for the simulator.
Now, from the factory simulator control console screen, we’ll turn on the Machine Offline alert of the Asset_1–3_CNCMill.
Now if we go to the production KPIs screen, we’ll find amber status against the 1–3_CNCMill asset.
We can now say that the ThingWorx application is properly configured with the KEPServerEX, and that the simulator data and controls are loaded into ThingWorx.
Azure IoT Hub
We’ll reuse the Azure IoT Hub created in our previous blog. We’ll create a new device id for the KEPServerEX. We’ll also generate the Symmetric keys while creating the device.
Install Azure IoT Explorer
Next, we’ll download Azure IoT Explorer from here and install it. We’ll copy the connection string from our IoT Hub.
We’ll open the Azure IoT Explorer tool, input the connection string and connect to the IoT Hub.
There are 3 authentication types we can follow to connect Azure IoT Hub: Symmetric key, X.509 Self-Signed & X.509 CA Signed certificate based authentication. In this blog, we’ll discuss connecting KEPServerEX with the first two options.
Symmetric key/SAS Token based connectivity
We’ll open the IoT Explorer, connect to the IoT Hub, select the device we’ve created earlier.
We will select the primary or secondary key as the Symmetric key, add expiration duration in minutes and press the ‘Generate’ button. We’ll copy the generated SAS token connection string.
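How such a token is put together and why it stops working once the expiration passes, as an added example that is not part of the original post and not IoT Explorer's own code. The hub and device names are this post's placeholders, the key is a constructed value, and `verify_sas_token` is a hypothetical local check that mirrors the construction rather than the service's implementation.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus


def _sign(key_b64, resource, expiry):
    """HMAC-SHA256 over '<url-encoded resource> LF <expiry>', keyed with the decoded device key."""
    msg = f"{quote_plus(resource)}\n{expiry}".encode()
    return base64.b64encode(hmac.new(base64.b64decode(key_b64), msg, hashlib.sha256).digest()).decode()


def generate_sas_token(hub_host, device_id, key_b64, ttl_minutes, now=None):
    """Build a device-scoped SAS token that expires ttl_minutes from now."""
    resource = f"{hub_host}/devices/{device_id}"
    expiry = int(time.time() if now is None else now) + ttl_minutes * 60
    sig = _sign(key_b64, resource, expiry)
    return f"SharedAccessSignature sr={quote_plus(resource)}&sig={quote_plus(sig)}&se={expiry}"


def seconds_left(token, now=None):
    """Remaining lifetime; <= 0 means the MQTT password must be regenerated."""
    expiry = int(parse_qs(token.split(" ", 1)[1])["se"][0])
    return expiry - int(time.time() if now is None else now)


def verify_sas_token(token, key_b64, now=None):
    """Hypothetical local check: recompute the signature with the shared key, then test expiry."""
    fields = parse_qs(token.split(" ", 1)[1])
    expected = _sign(key_b64, fields["sr"][0], fields["se"][0])
    return hmac.compare_digest(expected, fields["sig"][0]) and seconds_left(token, now) > 0


# Constructed demo key (not a real device key); names are the post's placeholders.
DEMO_KEY = base64.b64encode(b"constructed-demo-key-0123456789!").decode()

if __name__ == "__main__":
    tok = generate_sas_token("MyIoTHubName.azure-devices.net", "MyKEPServerEX", DEMO_KEY, 60)
    print(tok)
    print("valid:", verify_sas_token(tok, DEMO_KEY), "seconds left:", seconds_left(tok))
```

The token is bound to one device's resource URI and one expiry, so changing either invalidates the signature; the symmetric key itself never travels in the token.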
Connect KEPServerEX to Azure IoT Hub
Next, we’ll open KEPServerEX, go to IoT Gateway and add a new agent. We’ll select MQTT Client as agent type.
If port 8883 is blocked in the factory network, we can configure MQTT over WebSockets on port 443 instead; refer here.
Next, we’ll click on the newly created agent, go to the security option and add the following values:
Topic = devices/MyKEPServerEX/messages/events/deviceData
ClientId = MyKEPServerEX
User Name = MyIoTHubName.azure-devices.net/MyKEPServerEX/?api-version=2018-06-30
Password = The generated SAS token
For details, refer here.
Monitor the Events using Azure IoT Explorer
We’ll now go to the ThingWorx factory simulator control console screen. We’ll check if all of the alerts are set off.
We’ll right-click on the newly created agent, click on the New IoT Item or New IoT Items.
We’ll select the factory device, select the required tags, input other details as marked in the below screenshot and apply.
Once the above steps are done, we’ll go to the IoT Hub Explorer, select the device and then the Telemetry option. The events will start flowing as soon as we add the desired production line tags from KEPServerEX.
Now, we’ll again go to the ThingWorx factory simulator control console screen and set Machine Offline as On.
When we go back to the IoT Hub Explorer, we’ll find that the Online_Status tag value has changed to false.
X.509 Self-Signed certificate based authentication
Next, we’ll see how we can use X.509 Self-Signed certificate based authentication instead of SAS token based authentication.
We’ll download and install the OpenSSL tool for Windows 64 from here. We’ll run the openssl.exe as an Administrator and execute the following command:
OpenSSL> req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
This will generate our root certificate and a private key.
Now, we’ll open the KEPServerEX service from the Windows system tray.
We’ll import the certificate (.crt) and the private key (.key); it’ll then ask for a password. Once that is entered, we’ll find the successful certificate import message.
Once imported, we’ll copy the Thumbprint from the certificate.
We’ll go to the Azure IoT Hub, create a new IoT device with X.509 Self-Signed as authentication type and paste the Thumbprint copied from the previous step.
We’ll go back to the KEPServerEX, create a new agent under the IoT Gateway option.
Device Id = MyKEPServerEX509
Hostname = MyIoTHubName.azure-devices.net
URL = ssl://MyIoTHubName.azure-devices.net:8883
Topic = devices/MyKEPServerEX509/messages/events/deviceData
ClientId = MyKEPServerEX509
User Name = MyIoTHubName.azure-devices.net/MyKEPServerEX509/?api-version=2018-06-30
Password = HostName=MyIoTHubName.azure-devices.net;DeviceID=MyKEPServerEX509;x509=true
If we open the Property Editor, we need to ensure that the following two properties are set as:
TLS Version = v1.2
Client Certificate = Enable
Now, as soon as we select the tags for the factory devices in the KEPServerEX, we’ll find the events received in the IoT Hub Explorer!
Points to note
- SAS token based security is less secure than X.509 certificate based security, as the same token is stored at both the KEPServerEX (client) end and the IoT Hub end, so it needs to be secured in both places.
- For an enterprise scenario, we should use X.509 CA Signed certificate rather than X.509 Self-Signed certificate.
- In practical factory cases, we’ll be using Azure IoT Edge to extend IoT Hub facility.
- In most cases, we’ll find that the KEPServerEX instance is inside a factory private network along with the devices. KEPServerEX will connect to the IoT Hub through an IoT Edge (Edge will act as a transparent gateway).
In the next blog, we’ll discuss more on the Azure IoT Edge.