OPC UA connection fails when adding new PLC to shop floor control

We’re running FactoryTalk MES 10.0 and just added a new Allen-Bradley ControlLogix PLC to our assembly line. The OPC UA connection keeps failing with handshake timeout errors. I’ve verified the endpoint URL matches our standard format and the PLC is reachable on the network.

The error in MES logs shows:

OPC UA Handshake failed: SecurityPolicyUri mismatch
Endpoint: opc.tcp://192.168.10.45:4840
Timeout after 15000ms

I’ve added the device to the MES device list through the shop floor control module configuration, but I’m not sure if the certificate trust chain is properly configured between MES and the new PLC. Our existing PLCs work fine, so I must be missing something in the setup process for new devices. This is blocking production data collection from the new line.
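The "SecurityPolicyUri mismatch" line means the client's configured security policy and message security mode are not among the endpoints the PLC advertises in its GetEndpoints response, so the secure channel never opens and the handshake times out. The script below is an added example, not FactoryTalk or Rockwell code: it models that matching step against a constructed endpoint list for the address in the log. The policy URIs and MessageSecurityMode values are the standard ones from the OPC UA specification; the endpoint list, the security levels and the "deprecated" set are assumptions for the example.

```python
"""Model of OPC UA endpoint selection: the client's (policy, mode) pair must match
one of the server's advertised endpoints or the secure-channel open fails."""
from dataclasses import dataclass
from typing import List, Optional

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"

# MessageSecurityMode enum values from the OPC UA specification
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
MODE_NAMES = {MODE_NONE: "None", MODE_SIGN: "Sign", MODE_SIGN_AND_ENCRYPT: "SignAndEncrypt"}

# Policies that give no or weakened protection; treat as a downgrade, not a fix (assumption)
WEAK_POLICIES = {POLICY_BASE + "None", POLICY_BASE + "Basic128Rsa15", POLICY_BASE + "Basic256"}


@dataclass(frozen=True)
class Endpoint:
    url: str
    security_policy_uri: str
    security_mode: int
    security_level: int  # server-assigned ranking, higher means stronger


URL = "opc.tcp://192.168.10.45:4840"

# Constructed: what a GetEndpoints call to the new PLC might return
SERVER_ENDPOINTS = [
    Endpoint(URL, POLICY_BASE + "None", MODE_NONE, 0),
    Endpoint(URL, POLICY_BASE + "Basic256Sha256", MODE_SIGN, 1),
    Endpoint(URL, POLICY_BASE + "Basic256Sha256", MODE_SIGN_AND_ENCRYPT, 3),
]


def select_endpoint(endpoints: List[Endpoint], client_policy_uri: str,
                    client_mode: int) -> Optional[Endpoint]:
    """Return the best-ranked endpoint matching the client's policy and mode, else None."""
    matches = [e for e in endpoints
               if e.security_policy_uri == client_policy_uri and e.security_mode == client_mode]
    return max(matches, key=lambda e: e.security_level) if matches else None


def diagnose(endpoints: List[Endpoint], client_policy_uri: str, client_mode: int) -> dict:
    """Explain a mismatch: what the client asked for versus what the server offers,
    and which offered endpoints would be acceptable without weakening security."""
    selected = select_endpoint(endpoints, client_policy_uri, client_mode)
    acceptable = [e for e in endpoints
                  if e.security_policy_uri not in WEAK_POLICIES
                  and e.security_mode == MODE_SIGN_AND_ENCRYPT]
    return {
        "status": "ok" if selected else "mismatch",
        "client": (client_policy_uri, MODE_NAMES[client_mode]),
        "selected": selected,
        "offered": [(e.security_policy_uri, MODE_NAMES[e.security_mode]) for e in endpoints],
        "acceptable": acceptable,
    }


def describe(report: dict) -> str:
    """Human-readable summary of a diagnose() report."""
    lines = [f"client wants {report['client'][0]} / {report['client'][1]}: {report['status']}"]
    for uri, mode in report["offered"]:
        flag = "  (weak)" if uri in WEAK_POLICIES else ""
        lines.append(f"  server offers {uri} / {mode}{flag}")
    for e in report["acceptable"]:
        lines.append(f"  acceptable: {e.security_policy_uri} / {MODE_NAMES[e.security_mode]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Client configured for a policy the PLC does not advertise -> mismatch
    print(describe(diagnose(SERVER_ENDPOINTS, POLICY_BASE + "Aes128_Sha256_RsaOaep",
                            MODE_SIGN_AND_ENCRYPT)))
    # Client reconfigured to a policy the PLC does advertise -> ok
    print(describe(diagnose(SERVER_ENDPOINTS, POLICY_BASE + "Basic256Sha256",
                            MODE_SIGN_AND_ENCRYPT)))
```

The point of `acceptable` is that the fix for a mismatch is to align the client with an endpoint the server already offers at SignAndEncrypt, not to drop to the `None` endpoint because it happens to connect.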

Checked the certificate manager - you’re right, the PLC cert is sitting in the rejected folder. I can see it listed there with the thumbprint matching the PLC. Do I just move it to trusted, or is there a proper acceptance procedure I should follow?

Don’t just move it manually. Use the MES certificate management interface to properly accept it. Right-click the rejected certificate and select ‘Trust Certificate’. This ensures the certificate chain gets validated and the trust relationship is recorded in the MES configuration database. After accepting, you’ll need to restart the OPC UA connector service for the changes to take effect. I’ve seen manual moves cause issues with certificate revocation checks later.

Also worth mentioning - if you’re going to be adding more PLCs regularly, consider setting up certificate auto-trust for your internal network range. We configured a policy that auto-trusts certificates from 192.168.10.0/24 subnet where all our PLCs live. Saves time and reduces these trust issues. Just make sure your network security team is okay with it first, since it does reduce the security layer a bit.
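A middle ground between hand-moving files and auto-trusting a whole subnet is to accept a certificate only when its thumbprint equals the one read from the device itself, and to record who accepted it. The script below is an added example and not FactoryTalk's certificate manager: it assumes a conventional PKI layout with rejected/ and trusted/ directories, uses the OPC UA thumbprint definition (SHA-1 over the DER encoding), and stands in arbitrary constructed bytes for the DER files so it runs offline.

```python
"""Thumbprint-pinned acceptance of a rejected OPC UA certificate, with an audit record."""
import datetime
import hashlib
import json
import os
import shutil
import tempfile


def thumbprint(der_bytes: bytes) -> str:
    """OPC UA certificate thumbprint: SHA-1 over the DER-encoded certificate, upper-case hex."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def list_rejected(pki_dir: str) -> dict:
    """Map thumbprint -> file path for every .der file in the rejected store."""
    rejected = os.path.join(pki_dir, "rejected")
    result = {}
    for name in sorted(os.listdir(rejected)):
        if name.lower().endswith(".der"):
            path = os.path.join(rejected, name)
            with open(path, "rb") as f:
                result[thumbprint(f.read())] = path
    return result


def is_pending(pki_dir: str, expected_thumbprint: str) -> bool:
    """True if a rejected certificate with this thumbprint is waiting for a decision."""
    return normalize(expected_thumbprint) in list_rejected(pki_dir)


def normalize(tp: str) -> str:
    """Accept thumbprints as shown on device consoles: with or without ':' or spaces."""
    return tp.replace(":", "").replace(" ", "").upper()


def accept_certificate(pki_dir: str, expected_thumbprint: str, accepted_by: str) -> str:
    """Move the one rejected certificate whose thumbprint equals the value read from the
    PLC into trusted/, and append an audit line. Raises if nothing matches, so a
    look-alike certificate sitting in rejected/ is never trusted by accident."""
    expected = normalize(expected_thumbprint)
    candidates = list_rejected(pki_dir)
    if expected not in candidates:
        raise LookupError(f"no rejected certificate with thumbprint {expected}; "
                          f"rejected store holds {sorted(candidates)}")
    src = candidates[expected]
    dst = os.path.join(pki_dir, "trusted", os.path.basename(src))
    shutil.move(src, dst)
    record = {
        "thumbprint": expected,
        "file": os.path.basename(dst),
        "accepted_by": accepted_by,
        "accepted_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }
    with open(os.path.join(pki_dir, "trust-log.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")
    return dst


def build_demo_pki() -> tuple:
    """Constructed PKI directory: two 'certificates' (arbitrary bytes standing in for
    DER files) in rejected/. Returns (pki_dir, thumbprint of the genuine PLC cert)."""
    pki_dir = tempfile.mkdtemp(prefix="opcua-pki-")
    os.makedirs(os.path.join(pki_dir, "rejected"))
    os.makedirs(os.path.join(pki_dir, "trusted"))
    plc_der = b"CONSTRUCTED-DER-STAND-IN-PLC-192.168.10.45"
    other_der = b"CONSTRUCTED-DER-STAND-IN-UNKNOWN-DEVICE"
    with open(os.path.join(pki_dir, "rejected", "plc-line4.der"), "wb") as f:
        f.write(plc_der)
    with open(os.path.join(pki_dir, "rejected", "unknown.der"), "wb") as f:
        f.write(other_der)
    return pki_dir, thumbprint(plc_der)


if __name__ == "__main__":
    pki, plc_tp = build_demo_pki()   # plc_tp plays the role of the value read off the PLC
    print("accepted:", accept_certificate(pki, plc_tp, "ops-engineer"))
    print("still rejected:", list(list_rejected(pki).values()))
```

Because acceptance is keyed on the thumbprint rather than on the source address, a device that merely sits in the PLC subnet gets no trust from this path, and the audit line answers later questions about when and by whom a given certificate was accepted.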