Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The StandardOPCUAService controller service provides the possibility for security connection with the OPC server. In the option Security Policy, different security policies could be selected. If an option other than None is chosen, the user must also provide information regarding other security properties.

Property NameDescription
Endpoint URLThe endpoint of the OPC-UA server. Typically in the form of opc.tcp://<IP or hostname>:<port>. Notice that this endpoint is just for service discovery. The returned endpoint URL is used for the connection. That means, if the OPC-UA server returns its hostname, but you do not have the hostname in your OS, the connection may fail. You should manually add the hostname of the OPC-UA server to the OS.
Security PolicyDifferent algorithms for signing and encrypting messages. If this option is set to None, the following options will not be in effect.
Security ModeWhat measure is taken to secure data. Signed: data are signed to protect integrity; SignedAndEncrypt: Signed and encrypt data to protect privacy.
Client Keystore LocationThe location of the keystore file (JKS type). Notice that the keystore should have one keypair entry (private key + certificate). If multiple exist, then the first one will be used. Also notice that the the key password should be the same as the keystore password.
Client Keystore PasswordThe password of the keystore (the key password should also be the same)
Require Server AuthenticationWhether to verify server certificate against the trust store. It is recommended to disable this option for easier testing, but enable it for production usage.
Trust Store LocationThe location of the keystore file (JKS type). Multiple certificates inside the trust store is possible.
Trust Store PasswordThe password of the keystore.
Auth PolicyChoose between "Anonymous" or using username-password for authentication.
UsernameOnly valid when Auth Policy is set to Username. The username for authentication.
PasswordOnly valid when Auth Policy is set to Username. The password for authentication.

Setting up secure connection with OPC UA server

  1. Generate a client keystore containing a self-signed certificate:

    Code Block
    keytool -genkey -keyalg RSA -alias nifi-client -keystore client.jks -storepass SuperSecret -keypass SuperSecret -validity 360 -keysize 2048
  2. Download the server certificate from the OPC UA server (let's name it server.der);

  3. Import the certificate into a JKS trust store:

    Code Block
    keytool -importcert -file server.der -alias opc-ua-server -keystore trust.jks -storepass 


  1. SuperSecret
  2. Reference this two keystores from the


  1. StandardOPCUAService property fields.


The ListOPCNodes processor will show the available nodes and their hierarchy relationship in the specified OPC UA server. This processor could be check what nodes we could retrieve data from. Besides, it could also be used in Nifi runtime to dynamically generate a list of nodes and pass it to GetOPCData, so that GetOPCData could get data dynamically according to our need. It has the following parameters:

Property NameDescription
OPC UA Servicethe StandardOPCUAService instance used for connection
Starting Nodesthe root node from which we start the search
Recursive Depththe maximum depth from the starting node to read, default is 0
Print Indentationwhether the nodes should be printed with indentation
Max Reference Per Nodethe maximum reference number per node query
Print Non Leaf Nodeswhether to print non-leaf nodes


The GetOPCData processor gets data from the OPC UA server according to a list of nodes. The list could come from a file in file system, or from the content of a flowfile. 

Property NameDescription
OPC UA Servicethe StandardOPCUAService instance used for connection
Return Timestampwhether the source timestamp, server timestamp or both should be return
Tag List Sourcethe source of the tag list, which specifies what nodes to get data from. It could be from a flowfile, or from a file in local file system
Default Tag List NameThe location of the tag list file
Aggregate Recordwhether to aggregate record with the same time stamp into one line


The SubscribeOPCNodes processor subscribe to OPC nodes according to a list of nodes. The list must come from a file in file system. Currently, dynamically changing the list of subscription is not supported.

Property NameDescription
OPC UA Servicethe StandardOPCUAService instance used for connection
Tag List File LocationThe location of the tag list file in the file system
Aggregate recordwhether to aggregate records with same timestamp into a single line. Good for data which come in batch
Notified when Timestamp changedwhether the data should be collected when only the timestamp, but not the value changes.