new doc:opcua server

directory.json

@@ -585,6 +585,16 @@
               "path": "configuration/north-apps/DataStorage/api"
             }
           ]
+        },
+        {
+          "title": "OPC UA Server",
+          "path": "configuration/north-apps/opcua-server/overview",
+          "children": [
+            {
+              "title": "UaExpert 连接示例",
+              "path": "configuration/north-apps/opcua-server/uaexpert"
+            }
+          ]
         }
       ]
     },
@@ -1311,6 +1321,16 @@
               "path": "configuration/north-apps/DataStorage/api"
             }
           ]
+        },
+        {
+          "title": "OPC UA Server",
+          "path": "configuration/north-apps/opcua-server/overview",
+          "children": [
+            {
+              "title": "Connect to OPC UA Server using UaExpert",
+              "path": "configuration/north-apps/opcua-server/uaexpert"
+            }
+          ]
         }
       ]
     },

en_US/configuration/north-apps/opcua-server/overview.md

@@ -0,0 +1,69 @@
+# OPC UA Server
+
+OPC UA (OPC Unified Architecture) is a platform-independent, vendor-neutral industrial communication standard designed for reliable and secure data exchange in automation systems. OPC UA supports data modeling, events, historical data access, and method invocation, making it suitable for distributed scenarios from edge devices to the cloud.
+
+Neuron supports using OPC UA Server as a northbound application, allowing southbound device data to be exposed to upper-level systems or third-party clients via OPC UA services. Through the OPC UA Server, external systems can subscribe to data changes, read real-time points, and send control commands.
+
+## Add Application
+
+In **Data Collection -> North Apps**, click **Add Application** and select **OPC UA Server** to create an OPC UA Server node.
+
+## Application Configuration
+
+When creating an OPC UA Server application, you can configure the following parameters:
+
+| Parameter                                | Description                                                                                                                   |
+| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
+| **Host**                                 | The computer running the OPC UA server, default is 127.0.0.1.                                                                 |
+| **Port**                                 | The port the server binds to, default is 4840.                                                                                |
+| **Security Policy**                      | Supported security policies, including None, Basic256Sha256, Basic256, Basic256Rsa15, Aes128_Sha256_RsaOaep. Default is None. |
+| **Username and Password Authentication** | Enable username and password authentication, supports adding users, updating passwords, and deleting users.                   |
+| **Server Certificate**                   | Certificate and key (PEM) used by the server.                                                                                 |
+| **Trusted Certificate Authority**        | Upload trusted CA certificates(PEM).                                                                                          |
+| **Trusted Client Certificate**           | Upload client-generated certificates(PEM).                                                                                    |
+
+### Security and Certificates
+
+OPC UA strongly recommends enabling security policies and message encryption to prevent man-in-the-middle attacks and eavesdropping. Key points:
+
+- Use strong security policies (such as Basic256Sha256) and enable SignAndEncrypt mode on the client.
+- Add client certificates to the **Trusted Client Certificates** list to enable mutual TLS.
+- Enable username/password authentication.
+
+When Neuron starts the OPC UA Server for the first time, a self-signed certificate is generated. External clients may need to manually trust this certificate (e.g., import it into the trusted list in the UA client). Uploaded client certificates are trusted by default. Unknown client connections will have their certificates added to the untrusted list and require manual trust in the UI.
+
+### Naming and Mapping Rules
+
+Neuron maps tags (points) from southbound devices to OPC UA nodes. Mapping rules:
+
+- Each southbound node (e.g., modbus1) corresponds to an OPC UA Object node.
+- Groups are organized as child objects under the southbound node.
+- Tags are mapped to Variable nodes, with DataType mapped from Neuron's type to OPC UA types (Double, Int32, Boolean, String, etc.).
+
+All southbound nodes are under the NeuronEX node. NodeId follows the format `ns=1;s=[device].[group].[tag]`, e.g., `ns=1;s=modbus-tcp-1.group-1.temperature`, where ns=1 is the NeuronEX namespace.
+
+## Data Type Mapping
+
+| NeuronEX     | OPC UA        |
+| ------------ | ------------- |
+| INT8/UINT8   | Sbyte/Byte    |
+| INT16/UINT   | Int16/UInt16  |
+| INT32/UINT32 | Int32/UInt32  |
+| INT64/UINT64 | Int64/UInt64  |
+| FLOAT        | Float         |
+| DOUBLE       | Double        |
+| BIT/BOOL     | Boolean       |
+| STRING       | String        |
+| BYTES        | ByteString    |
+| ARRAY_INT8   | Array Sbyte   |
+| ARRAY_UINT8  | Array Byte    |
+| ARRAY_INT16  | Array Int16   |
+| ARRAY_UINT16 | Array Uint16  |
+| ARRAY_INT32  | Array Int32   |
+| ARRAY_UINT32 | Array Uint32  |
+| ARRAY_INT64  | Array Int64   |
+| ARRAY_UINT64 | Array Uint64  |
+| ARRAY_FLOAT  | Array Float   |
+| ARRAY_DOUBLE | Array Double  |
+| ARRAY_BOOL   | Array Boolean |
+| Json         | String        |

en_US/configuration/north-apps/opcua-server/uaexpert.md

@@ -0,0 +1,42 @@
+# Using UaExpert to Connect to Neuron OPC UA Server
+
+This section demonstrates how to use UaExpert (a popular OPC UA client) to connect, trust certificates, subscribe to variables, and write values, to verify the Neuron OPC UA Server configuration.
+
+## 1. Install UaExpert
+
+Download and install UaExpert from the [Unified Automation official website](https://www.unified-automation.com/downloads.html).
+
+## 2. Add Northbound OPC UA Server
+
+1. Add a northbound OPC UA Server application, keep the default configuration, and click Submit.
+2. Enter the application configuration page, switch to authentication management, and enable security policy and username/password authentication.
+
+    ![p1](./assets/p1.png)
+3. Subscribe to southbound driver data.
+
+## 3. UaExpert Connection
+
+1. Open UaExpert, click the **+** button on the toolbar, double-click **Custom Discovery** -> **< Double click to Add Server... >**, enter the OPC UA Server address in the dialog, and click **OK** to add the address to the end of the list.
+
+    ![p2](./assets/p2.png)
+
+2. Expand the subnodes under the address, select the appropriate connection policy, set the username and password, and click `OK` to add the connection to the **Project** view in UaExpert.
+
+    ![p3](./assets/p3.png)
+
+3. In the left **Project** view, right-click the target OPC UA Server under **Servers**, and select **Connect** from the context menu. A server certificate verification page will pop up, where you can check if the server certificate matches the one shown in the northbound application, then trust the server certificate and continue.
+    ![p4](./assets/p4.png)
+
+4. Since this is an unknown client connection, the northbound OPC UA Server application will return a `BadCertificateUntrusted` error. You need to manually trust the certificate in the northbound application authentication page, then reconnect.
+    ![p5](./assets/p5.png)
+
+5. Expand the subnodes in the left **Address Space** view. In the right **Attributes** panel, you can see the node's address information, where **NamespaceIndex** is the namespace index and **Identifier** is the node ID.
+
+    ![p6](./assets/p6.png)
+
+## 4. Monitoring and Writing
+
+1. Drag subnodes from the **Address Space** view to the **Data Access View** to see the node's data type.
+    ![p7](./assets/p7.png)
+2. Modify the corresponding data point value on the southbound device and observe whether the subscribed node data changes.
+3. Double-click the `Value` item to write data and observe whether the southbound device data changes.

zh_CN/configuration/north-apps/opcua-server/overview.md

@@ -0,0 +1,72 @@
+# OPC UA Server
+
+OPC UA（OPC Unified Architecture）是一种平台无关、与厂商无关的工业通信标准，用于在工业自动化系统中进行可靠、安全的数据交换。OPC UA 支持数据建模、事件、历史数据访问和方法调用等丰富功能，适用于从边缘设备到云端的分布式场景。
+
+Neuron 支持将 OPC UA Server 作为北向应用，以便将南向设备的数据通过 OPC UA 服务暴露给上层系统或第三方客户端。通过 OPC UA Server，外部系统可以订阅数据变化、读取实时点位，以及下发控制命令。
+
+## 添加应用
+
+在**数据采集 -> 北向应用**，点击 **添加应用**，选择 **OPC UA Server** 类型来创建一个 OPC UA Server 节点。
+
+## 应用配置
+
+创建 OPC UA Server 应用时，可配置以下字段：
+
+| 字段                         | 说明                                                                                                           |
+| ---------------------------- | -------------------------------------------------------------------------------------------------------------- |
+| **主机**                     | 指定运行 OPC UA 服务器的计算机，默认 127.0.0.1。                                                               |
+| **端口号**                   | 服务器绑定的端口号，默认 4840。                                                                                |
+| **安全策略**                 | 支持的安全策略列表，包括 None、Basic256Sha256、Basic256、Basic256Rsa15、Aes128_Sha256_RsaOaep。默认支持 None。 |
+| **用户名密码认证**           | 启用用户名和密码认证，支持新增用户，密码更新以及用户删除。                                                     |
+| **服务器端证书**             | Server 使用的证书和密钥（PEM）。                                                                               |
+| **受信任的证书颁发机构证书** | 支持上传受信任的证书颁发机构的证书（PEM）。                                                                    |
+| **受信任的客户端证书**       | 支持上传客户自己生成的证书（PEM）。                                                                            |
+
+### 安全与证书
+
+OPC UA 强烈推荐启用安全策略与消息加密来防止中间人攻击和窃听。配置要点：
+
+- 使用强加密的安全策略（如 Basic256Sha256），客户端启用 SignAndEncrypt 模式。
+- 将客户端证书加入 **受信任的客户端证书** 列表以启用双向 TLS。
+- 启用用户名密码认证。
+
+当 Neuron 首次启动 OPC UA Server 会生成自签名证书，外部客户端可能需要手动信任该证书（例如在 UA 客户端中将证书导入受信任列表）。
+主动上传的客户端证书默认受信任，陌生客户端连接，证书会加入非信任列表，需要在界面进行手动信任操作。
+
+### 命名与映射规则
+
+Neuron 会将南向设备中的点位（tag）映射为 OPC UA 的节点（Node）。映射规则如下：
+
+- 每个南向节点（例如 modbus1）对应一个 OPC UA 对象节点（Object）。
+- 组（group）作为子对象组织在南向节点下。
+- 点位（tag）映射为变量节点（Variable），变量的 DataType 根据 Neuron 中定义的数据类型映射到 OPC UA 类型（如 Double、Int32、Boolean、String 等）。
+
+所有南向节点都位于 NeuronEX 节点之下。NodeId 遵循 `ns=1;s=[南向设备名称].[组名称].[点位名称]` 规范，例如 `ns=1;s=modbus-tcp-1.group-1.temperature`，ns=1 代表 NeuronEX 的命名空间。
+
+## 数据类型映射
+
+
+| NeuronEX     | OPC UA        |
+| ------------ | ------------- |
+| INT8/UINT8   | Sbyte/Byte    |
+| INT16/UINT   | Int16/UInt16  |
+| INT32/UINT32 | Int32/UInt32  |
+| INT64/UINT64 | Int64/UInt64  |
+| FLOAT        | Float         |
+| DOUBLE       | Double        |
+| BIT/BOOL     | Boolean       |
+| STRING       | String        |
+| BYTES        | ByteString    |
+| ARRAY_INT8   | Array Sbyte   |
+| ARRAY_UINT8  | Array Byte    |
+| ARRAY_INT16  | Array Int16   |
+| ARRAY_UINT16 | Array Uint16  |
+| ARRAY_INT32  | Array Int32   |
+| ARRAY_UINT32 | Array Uint32  |
+| ARRAY_INT64  | Array Int64   |
+| ARRAY_UINT64 | Array Uint64  |
+| ARRAY_FLOAT  | Array Float   |
+| ARRAY_DOUBLE | Array Double  |
+| ARRAY_BOOL   | Array Boolean |
+| Json         | String        |
+

zh_CN/configuration/north-apps/opcua-server/uaexpert.md

@@ -0,0 +1,49 @@
+
+# 使用 UaExpert 连接 Neuron OPC UA Server
+
+本节演示如何使用 UAExpert（一个常用的 OPC UA 客户端）连接、信任证书、订阅变量和写入值，以验证 Neuron 中的 OPC UA Server 配置正确。
+
+## 1. 安装 UaExpert
+
+在 [Unified Automation 官方网站](https://www.unified-automation.com/downloads.html)，下载并安装 UaExpert。
+
+## 2. 新增北向 OPC UA Server
+
+1. 新增北向 OPC UA Server 应用，保持默认配置，点击提交。
+2. 进入应用配置页面，切换到认证管理，开启安全策略和用户名密码认证。
+
+     ![p1](./assets/p1.png)
+3. 订阅南向驱动数据。
+
+
+## 3. UaExpert 连接
+
+1. 打开 UaExpert 软件，点击工具栏 **+** 按钮， 双击 **Custom Discovery** -> **< Double click to Add Server... >**， 在弹出的对话框中填写 OPC UA Server 的访问地址，点击 **OK** 后地址会被添加到列表末尾。
+
+    ![p2](./assets/p2.png)
+
+2. 完全展开访问地址下的子节点，选择合适的连接策略和设置用户名密码，点击 `OK` 提交，连接会被添加到 UaExpert 的 **Project** 视图中。
+
+    ![p3](./assets/p3.png)
+
+3. 在左侧 **Project** 视图中右键点击 **Servers** 下的目标 OPC UA Server，在弹出菜单中选择 **Connect** 连接目标服务器。此时会弹出服务器证书验证页面，可以查看服务器证书是否和北向应用显示一致，然后进行信任服务器证书操作以及继续。
+    ![p4](./assets/p4.png)
+
+
+4. 此时因为是陌生客户端连接，北向 OPC UA Server 应用会返回 `BadCertificateUntrusted` 错误，需要去北向应用认证操作页面进行手动信任操作，然后再连接即可正常连接。
+    ![p5](./assets/p5.png)
+
+5. 展开左侧 **Address Space** 视图中的子节点，可在右侧 **Attributes** 中看到对应的节点的地址信息，其中 **NamespaceIndex** 为 **名字空间索引**，**Identifier** 为 **节点 ID**。
+
+    ![p6](./assets/p6.png)。
+
+## 4. 监控与写入
+
+1. 拖动 **Address Space** 视图中的子节点到 **Data Access View** 视图，可以看到该节点的数据类型。
+    ![p7](./assets/p7.png)。
+2. 修改南向对应数据点位数据，观察订阅节点数据是否变化。
+3. 在 `Value` 项双击，写入数据，观察南向设备数据是否变化。
+
+
+
+