---
title: "Creating an OPC-UA Device"
description: "Configure a connection to an OPC-UA server"
source_url: https://ai-ops.com/docs/devices/creating-opc-ua
---

# Creating an OPC-UA Device

After [creating a device](https://ai-ops.com/docs/devices/creating-getting-started.md) with the **OPC-UA** protocol, you'll land on its **Configuration** tab. This is where you provide the connection details Koios needs to communicate with your OPC-UA server.

## Configuration Fields

### Endpoint URL

The OPC-UA endpoint address of the server you want to connect to.

- **Required**
- Format: `opc.tcp://hostname:port` or `opc.tcp://hostname:port/path`
- Example: `opc.tcp://192.168.1.100:4840`

Instead of typing the endpoint manually, you can use the **Browse** button to discover OPC-UA servers on your network. The browser lists available servers and their endpoints, and you can select one to auto-populate this field along with the security settings. See [Server Discovery](#server-discovery) below.

### Security Mode

Controls whether messages between Koios and the OPC-UA server are signed, encrypted, or neither.

| Mode | Description |
|------|-------------|
| **None** | No signing or encryption — fastest, but no message protection |
| **Sign** | Messages are signed to detect tampering, but not encrypted |
| **Sign & Encrypt** | Messages are both signed and encrypted — most secure |

- **Default:** None
- When set to **None**, the Security Policy is automatically disabled and locked to None. Change the Security Mode first if you need a specific policy.

### Security Policy

The cryptographic algorithm used for signing and encryption. Only available when Security Mode is set to **Sign** or **Sign & Encrypt**.

| Policy | Description |
|--------|-------------|
| **None** | No cryptographic policy (only available with Security Mode: None) |
| **Basic128Rsa15** | Legacy policy — use only for older servers that don't support newer options |
| **Basic256** | Moderate security — widely supported |
| **Basic256Sha256** | Strongest option — recommended when available |

- **Default:** None

### Authentication Type

How Koios authenticates with the OPC-UA server.

| Type | Description |
|------|-------------|
| **Anonymous** | No credentials required — the server allows unauthenticated access |
| **Username/Password** | Authenticate with a username and password |

- **Default:** Anonymous

When set to **Username/Password**, two additional fields appear:

- **Username** — the account to authenticate as
- **Password** — the password for the account. Credentials are stored in the Koios database — ensure your Koios instance is properly secured.

### Timeout (seconds)

How long Koios waits for the OPC-UA server to respond before giving up.

- **Default:** 30 seconds
- **Minimum:** 1 second

A higher timeout is useful for servers on slow or unreliable networks. The default of 30 seconds is sufficient for most connections and leaves margin for servers with large address spaces.
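
The following Python check is an added example, not Koios code. It applies the rules from the fields above to a device configuration: the endpoint URL format, the coupling between Security Mode and Security Policy, and the timeout minimum, with warnings for the weaker settings. The dictionary keys are hypothetical names for the Configuration tab fields, and both sample configurations are constructed.

```python
from urllib.parse import urlsplit

SECURE_MODES = {"Sign", "Sign & Encrypt"}
POLICIES = {"Basic128Rsa15", "Basic256", "Basic256Sha256"}

def audit_device(cfg):
    """Check one device config against the rules on this page.

    Returns (errors, warnings). The dict keys are hypothetical names for
    the Configuration tab fields, not a documented Koios schema.
    """
    errors, warnings = [], []
    url = urlsplit(cfg.get("endpoint_url", ""))
    try:
        has_port = url.port is not None
    except ValueError:  # non-numeric or out-of-range port
        has_port = False
    if url.scheme != "opc.tcp" or not url.hostname or not has_port:
        errors.append("endpoint_url is not opc.tcp://hostname:port[/path]")

    mode, policy = cfg.get("security_mode", "None"), cfg.get("security_policy", "None")
    if mode == "None":
        if policy != "None":
            errors.append("policy must be None when security mode is None")
        warnings.append("security mode None: no message protection")
    elif mode in SECURE_MODES:
        if policy not in POLICIES:
            errors.append("mode %s needs a security policy other than None" % mode)
        elif policy == "Basic128Rsa15":
            warnings.append("Basic128Rsa15 is a legacy policy")
    else:
        errors.append("unknown security mode %r" % mode)

    if cfg.get("auth_type", "Anonymous") == "Username/Password":
        if not cfg.get("username") or not cfg.get("password"):
            errors.append("Username/Password needs both fields")
        if mode == "None":
            warnings.append("credentials used on a channel with no message protection")
    if cfg.get("timeout", 30) < 1:
        errors.append("timeout must be at least 1 second")
    return errors, warnings

# Constructed configs: the page's defaults, then a hardened variant.
DEFAULTS = {"endpoint_url": "opc.tcp://192.168.1.100:4840"}
HARDENED = {"endpoint_url": "opc.tcp://192.168.1.100:4840", "security_mode": "Sign & Encrypt",
            "security_policy": "Basic256Sha256", "auth_type": "Username/Password",
            "username": "koios", "password": "example-only", "timeout": 30}
```
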

## Server Discovery

The OPC-UA configuration includes a built-in **server browser** that helps you discover servers and endpoints on your network without typing URLs manually.

### How to Use the Browser

1. Click the **Browse** button on the Configuration tab
2. Enter the hostname and port (or a direct URL) of the OPC-UA server or Local Discovery Server (LDS)
3. Koios will discover all OPC-UA servers available at that address

### Step 1: Connect

Enter the connection details to start discovery:

- **Hostname + Port** — enter them separately and Koios builds the URL
- **Direct URL** — enter a full `opc.tcp://...` URL if you know it

The browser uses the device's configured timeout for discovery requests.

### Step 2: Select a Server

The browser lists all OPC-UA servers found at the address. Each server shows:

- **Application Name** — the human-readable name of the server application
- **Application URI** — the unique identifier for the server
- **Application Type** — the type of OPC-UA application (Server, Client, etc.)
- **Discovery URLs** — endpoints where the server can be reached
- **Product URI** — identifies the software product

Select the server you want to connect to.

### Step 3: Select an Endpoint

Each server exposes one or more endpoints with different security configurations. The browser shows:

- **Endpoint URL** — the connection address
- **Security Mode** — None, Sign, or Sign & Encrypt
- **Security Policy** — the cryptographic algorithm
- **Supported Authentication** — which token types the endpoint accepts (Anonymous, Username/Password)

You can filter the endpoint list by security mode or security policy to find the configuration you need.

When you select an endpoint, Koios automatically populates:

- Endpoint URL
- Security Mode
- Security Policy
- Authentication Type
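
The Step 3 choice can also be written as code. This added example is not part of Koios: it picks the strongest discovered endpoint that accepts the wanted authentication type, ranked as in the Security Mode and Security Policy tables. The dictionary keys and the host comparison are assumptions of this example, and the endpoint list is constructed.

```python
from urllib.parse import urlsplit

# Ranking follows the page's tables: Sign & Encrypt over Sign over None,
# Basic256Sha256 over Basic256 over Basic128Rsa15.
MODE_RANK = {"None": 0, "Sign": 1, "Sign & Encrypt": 2}
POLICY_RANK = {"None": 0, "Basic128Rsa15": 1, "Basic256": 2, "Basic256Sha256": 3}

def select_endpoint(endpoints, browsed_host, auth, min_mode="Sign"):
    """Pick the strongest endpoint that accepts `auth`.

    Returns (endpoint, notes); endpoint is None if nothing qualifies.
    Dict keys are hypothetical names for the columns shown in Step 3.
    """
    usable = [e for e in endpoints
              if auth in e["auth"] and MODE_RANK[e["mode"]] >= MODE_RANK[min_mode]]
    if not usable:
        return None, ["no endpoint offers %s with mode >= %s" % (auth, min_mode)]
    best = max(usable, key=lambda e: (MODE_RANK[e["mode"]], POLICY_RANK[e["policy"]]))
    notes = []
    if best["policy"] == "Basic128Rsa15":
        notes.append("strongest match still uses the legacy Basic128Rsa15 policy")
    # Servers report their own endpoint URLs, so the host that gets
    # auto-populated can differ from the one that was browsed.
    host = urlsplit(best["url"]).hostname
    if host != browsed_host.lower():
        notes.append("endpoint host %r differs from browsed host %r" % (host, browsed_host))
    return best, notes

# Constructed discovery result for illustration.
DISCOVERED = [
    {"url": "opc.tcp://192.168.1.100:4840", "mode": "None", "policy": "None",
     "auth": ["Anonymous", "Username/Password"]},
    {"url": "opc.tcp://192.168.1.100:4840", "mode": "Sign", "policy": "Basic256Sha256",
     "auth": ["Username/Password"]},
    {"url": "opc.tcp://plc-gateway:4840", "mode": "Sign & Encrypt", "policy": "Basic256",
     "auth": ["Username/Password"]},
    {"url": "opc.tcp://192.168.1.100:4840", "mode": "Sign & Encrypt",
     "policy": "Basic256Sha256", "auth": ["Username/Password"]},
]
```

A host-mismatch note is a prompt to confirm the address before saving, since the selected endpoint overwrites the Endpoint URL field.
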

## After Configuration

Once you've filled in the connection settings:

1. **Save** the configuration
2. **Enable the device** — flip the enable switch to start scanning. Koios will attempt to connect on its next scan cycle and report any errors on the device's detail page. You can also click **Test** to perform a one-time connection attempt without enabling.
3. **Add tags** — browse the server's node tree to find and add data points (see [Creating an OPC-UA Tag](https://ai-ops.com/docs/tags/creating-opc-ua.md))

If you're using a security mode other than **None**, the OPC-UA server must trust Koios's client certificate before it will accept a connection. The first connection attempt will fail until the certificate is trusted — see [OPC-UA Certificates](https://ai-ops.com/docs/protocols/opc-ua-certificates.md) for details on establishing trust.
