Gates

A Gate represents a communication protocol or specific connectivity service, e.g. ADS, OPC UA, MQTT, AWS IoT or Microsoft Azure IoT Hub. Each Gate is configured with parameters that are specific for the corresponding Gate type.

A Beckhoff ADS device represents either a TwinCAT 2/3 or a Beckhoff BC device. ADS is the common Beckhoff communication protocol and can be used to access many parts of the TwinCAT system. The most common application scenarios for TC3 IoT Data Agent involve access to a TwinCAT 2/3 PLC, C++, TcCOM modules or the I/O process image, which is done via ADS.

When configuring an ADS gate, the following settings are required by the TC3 IoT Data Agent to access the underlying ADS device:

Setting	Description
AmsNetId	AmsNetId of the target device, e.g. 127.0.0.1.1.1 for the local device.
AdsPort	AdsPort of the target device, e.g. 801 (TwinCAT 2 PLC) or 851 (TwinCAT 3 PLC)
IoMode	Specifies how the TC3 IoT Data Agent should communicate with the ADS device. The following options can be set: Direct: accesses every symbol with a separate ADS command. Mandatory for BC controllers but increases ADS traffic Batched: accesses symbols batched into an ADS sum command, which optimizes ADS traffic and can be used for TwinCAT 2 and 3 PLC or C++ runtimes

Setting

Description

AmsNetId

AmsNetId of the target device, e.g. 127.0.0.1.1.1 for the local device.

AdsPort

AdsPort of the target device, e.g. 801 (TwinCAT 2 PLC) or 851 (TwinCAT 3 PLC)

IoMode

Specifies how the TC3 IoT Data Agent should communicate with the ADS device. The following options can be set:

Direct: accesses every symbol with a separate ADS command. Mandatory for BC controllers but increases ADS traffic
Batched: accesses symbols batched into an ADS sum command, which optimizes ADS traffic and can be used for TwinCAT 2 and 3 PLC or C++ runtimes

OPC UA

OPC UA is a standardized, industrial, client/server communication protocol and adopted by many vendors for different use cases. The TC3 IoT Data Agent can access OPC UA server devices to connect variables (so-called “nodes”) on those devices with IoT services.

When configuring an OPC UA gate, the following settings are required by the TC3 IoT Data Agent to access the underlying OPC UA device:

Setting	Description
Server URL	The OPC UA Server URL, e.g. opc.tcp://localhost:4840
Security policy	The OPC UA security policy that the TC3 IoT Data Agent should use during connection establishment with the OPC UA server
Security mode	The OPC UA message security mode that the TC3 IoT Data Agent should use during connection establishment with the OPC UA server
Authentication mode	The OPC UA authentication mode that the TC3 IoT Data Agent should use during connection establishment with the OPC UA server

MQTT

MQTT can be used for connecting to a generic message broker, e.g. Mosquitto, HiveMQ or similar broker types.

Setting	Description
Broker address	The IP address or hostname of the MQTT message broker
Port	MQTT specifies port 1883 for unencrypted communication and 8883 for encrypted communication
ClientId	A numeric or string-based value that identifies the client. Depending on the message broker type, this ID should be unique
Authentication mode	Specifies if the TC3 IoT Data Agent should authenticate to the broker by using a username/password combination
TLS mode	Specifies if TLS should be used to secure the communication channel to the message broker. Note that the message broker also needs to support TLS in order for this to work. Different options are available for TLS: CA certificate: Only uses the CA certificate for server authentication Client certificate: Uses a client certificate for mutual client/server authentication PSK: Used a common PSK-Identity and PSK-Key that is known to the message broker and the client

Microsoft Azure IoT Hub

With Azure IoT Hub the Microsoft Azure cloud platform offers a connectivity service in the cloud that provides bi-directional communication, device security and automatic scalability. In the TC3 IoT Data Agent, the IoT Hub can be configured as a special gate type.

Setting	Description
HostName	URL of the Azure IoT Hub instance
DeviceId	DeviceId of the device that has been created on the IoT Hub configuration website
SharedAccessKey	Either the primary or secondary device key that has been generated together with the device on the IoT Hub configuration website
CA file	CA file that is used for server authentication. At the time writing this article, three certificates are in play during the server authentication, which form part of the certificate chain and are linked together. Root CA: Baltimore CyberTrust Root Intermediate CA: Baltimore CyberTrust Wilcard certificate During the initial TLS handshake, only the first two are sent by the server to the client. The client will normally only validate the Root CA of the chain and will determine if it is trusted. In order to acquire the CA file for the Root CA, you can open the Windows certificate store (certmgr.msc), browse to the trusted root authorities and export the Baltimore CyberTrust Root certificate.

AWS IoT

With AWS IoT the Amazon Web Services cloud platform offers a message broker service in the cloud that provides bi-directional communication, device security and automatic scalability. In the TC3 IoT Data Agent, AWS IoT is configured as a regular MQTT gate. However, some special MQTT settings have to be configured to successfully connect to an AW IoT instance.

Setting	Description
Broker address	The URL of the AWS IoT instance
Port	Port 8883 for encrypted TLS communication is mandatory
ClientId	Can be set to anything but needs to be unique. Typically this could be the AWS IoT thing name.
Authentication mode	Set to “No authentication”. Authentication on AWS IoT is done via the TLS client certificate.
TLS mode	Automatically set to “Client certificate” by the configurator. Select path to CA file, client certificate file and client key file. These are the files that can be generated and downloaded on the AWS IoT configuration website.