SAP Digital Manufacturing (SAP DM) has automation capabilities that streamline manufacturing processes to increase productivity. It ensures seamless data and process connectivity between your shop floor and business applications. This enables end-to-end manufacturing processes from planning to execution involving physical devices.
In this blog, we will guide you step by step through the process of setting up shop floor connectivity to enable communication between your own tag-based OPC UA server and SAP DM using the Production Connector and the Cloud Connector. By the end, you’ll be able to use a production process in SAP DM to read tags from a device you created on your OPC UA server.
Demo Video: Read Tags with Production Process
Introduction
Using the Production Connectivity Model, you can connect your physical devices with various systems, such as SAP systems, shop floor systems, and 3rd party systems. Together, the Production Connector and the Cloud Connector enable the connection between shop floor systems and SAP DM through a safe, stable, and traceable data communication channel using Transport Layer Security (TLS). When issues occur, detailed logs are available for review. This way, your data and processes can support your business needs without unauthorized access to critical information or unwanted loss of production time.
Physical devices – machines, facilities, transportation, or other physical means that enable shop floor processes – are represented as assets with static properties (attributes) and changing properties (indicators) in SAP DM. This way, you can work with assets in SAP DM the same way you would handle physical devices in the real world. And with shop floor connectivity established, you can use production processes to integrate and fully automate manufacturing operations.
For example, an asset represents an oven in the physical world. It has attributes representing the physical properties of the oven and indicators representing the constantly changing temperature and pressure inside the oven. If you want to know the temperature of the oven, you can run a function to retrieve the indicator that represents the temperature from the asset. If you want to change the temperature, you can enter the target temperature as a set point for the indicator.
In this blog, you’ll create such an oven device on your OPC UA server and use a production process from SAP DM to read its temperature.
Prerequisites
Before you can connect your shop floor to SAP DM, you’ve got to ensure that ....
Note: We use KEPServerEX in this blog to set up an OPC UA server as an example. We don’t recommend it for production usage.
Process Overview: You can complete this guide in six steps. Steps 1 to 5 show how to connect the shop floor to SAP DM. Step 6 shows how to use this connectivity to retrieve information from the shop floor.
Step 1 – Configuration of the Production Connector
To begin, configure the Production Connector – the central on-premise middleware enabling communication between the shop floor and SAP DM.
Run the Control Center app of the Production Connector as administrator. In the app, complete the following steps:
- Add an administrator user.
- Choose Cloud Integration.
- On the User Configuration tab, choose the Authorized Users tab.
- Choose Add Local User to create a new user.
- Enter your name and ID. Your ID is provided by your identity provider. Typically, this is your e-mail address on your subaccount.
- In the Assigned Production Connector Roles section, select at least the roles Administrator, CertificateAdministrator, and PCoConfigurator to enable connection to SAP DM.
- Choose Save Changes in the top-left corner to save your configurations. For more information, refer to Adding an Administrator User.
- Generate a server certificate.
- On the Server Security Settings tab, choose Generate Server Certificate.
- In the popup dialog, leave the default values unchanged and choose OK to generate a self-signed server certificate for test purposes. By default, the Common Name (CN) is the name of your device. Note: We don’t recommend using self-signed certificates for production scenarios. For more information on certificates, refer to Server Certificate.
- Configure JWT validation.
- Retrieve the URL of the User Account and Authentication service (UAA Service) from your subaccount.
- In the SAP BTP Cockpit, go to the subaccount in which you’ve subscribed to SAP DM.
- Go to the Instances and Subscriptions section.
- On the Instances tab, select the service instance for your SAP DM system to open its detailed view.
- Navigate to the Service Keys section and choose a service key to open the Credentials dialog.
- Choose the Form view.
- In the uaa section, copy the URL value in the url field to your clipboard. Typically, the URL ends with “ondemand.com”.
- In the Control Center app, go to the JWT Validation tab.
- Paste the URL that you copied into the URL of UAA Service field.
- Choose Validate UAA Service URL. This automatically fills the Key ID and Public Key field.
For more information, such as retrieving the URL of UAA Service without access to the SAP BTP cockpit, refer to Settings for JWT Validation.
The steps above describe the necessary configuration for our example. For extra details, refer to Settings in the Control Center of the Production Connector.
Step 2 – Assisted Configuration of the Cloud Connector
To use the Production Connector with SAP DM, you must configure the Cloud Connector. In this blog, we’ll configure the Cloud Connector using the Assisted Configuration in the Control Center of the Production Connector.
- In the Control Center app of the Production Connector, go to the Server Security Settings tab.
- Choose Assisted Configuration to start the dialog and follow its instructions. The following steps describe a basic first-time setup for a new Cloud Connector.
- Log on to the Cloud Connector with the initial user data.
- Choose Trust.
- Select Set Up Integration with the Cloud Connector to fully set up a new Cloud Connector.
- Add the subaccount on which SAP DM is running. You can find the Region and Subaccount ID in the SAP BTP Cockpit. You can name your own Location ID and Display Name.
- Use the default suggested values for mapping of virtual system to internal system and continue.
- Create the Cloud Connector System Certificate. For this test scenario, create a self-signed certificate.
- In the Cloud Connector Certificate section and the Production Connector Certificate section, choose Trust Certificate.
- Choose Save Summary as File to save your configuration. You’ll need the Location ID, Internal Host, and Virtual Host for subsequent configurations in SAP DM.
For more information, refer to Assisted Configuration of the Cloud Connector.
Step 3 – Configuration of your OPC UA Server
After installing KEPServerEX, run the KEPServerEX 6 Configuration app and complete the initial setup guide following its instructions. Make sure to configure the Administrative Credentials to access the OPC UA Configuration app later.
After the initial setup, a runtime is created and started as a service by default. It contains an example project with example channels. In this runtime, complete the following steps:
- Create your channel, device, and tags.
- On the left side, select Connectivity and choose New Channel to create a new channel. In this blog, we’ll create a channel of Simulator type and call it “My Channel”. Keep everything else as default.
- Select your channel and choose New Device to create a new device. In this blog, we’ll call it “Oven”. Keep everything else as default.
- Select your device and choose New Tag to create a new tag. In this blog, we’ll create these two tags:
Name | Description | Address | Data Type | Client Access | Scan rate |
uom | Unit of measure | S0001 | String | Read/Write | 100 |
temperature | Temperature of the oven | K0001 | Float | Read/Write | 100 |
- Complete the OPC UA configuration.
- On the left side, select Project and choose Properties to open the Property Editor.
- Select OPC UA, set Server Interface > Enable to Yes.
- In this blog, we’ll use the anonymous user authentication method to later connect the OPC UA server. Therefore, it’s necessary to set Client Sessions > Allow anonymous login to Yes.
- Choose OK.
- Run the OPC UA Configuration app as administrator. Enter “Administrator” as the username and the password you configured for Administrative Credentials.
- On the Server Endpoints tab, select the URL containing your computer device name and check Enabled. Note down this server endpoint URL as you will need it later.
- Choose Edit. In the TCP Connection section, select Default in the Network Adapter field. In the Security Policies section, select Basic256Sha256.
- Choose OK.
- In the Instance Certificates tab, export the server certificate for later use.
- Go back to the KEPServerEX Configuration app, choose Runtime > Reinitialize in the top-left corner to utilize the configurations you just made.
- Create a new inbound rule to enable remote OPC UA client access. Note: This is required for a Windows device to allow incoming connections from the intranet.
- Run the Windows Defender Firewall with Advanced Security app and select Inbound Rules on the left side.
- On the right side, choose New Rule to create a new rule in a guided dialog.
- Change the following settings while keeping everything else as default:
Field | Value |
Rule Type | Port |
Protocol and Ports > Specific local ports | <The series of numbers at the end of your endpoint URL after the colon> In this blog’s example, the port is 49320. |
Profile | Check Domain and Private; uncheck Public |
Name | <Name of your choice> In this blog, we’ll name it “OPC UA Server Interface (Kepware)” |
- Choose Finish. In the list of inbound rules, you should find your newly created rule.
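The same inbound rule can be created and checked from an elevated PowerShell prompt. This is an added example, not part of the original guide; it uses this blog's rule name and port, and assumes TCP (the dialog default for a port rule).

```powershell
#Requires -RunAsAdministrator
# Values from this blog's example; change the port to match your endpoint URL.
$ruleName = 'OPC UA Server Interface (Kepware)'
$port     = 49320

# Create the rule only if it does not exist yet (same settings as the guided dialog).
# Assumption: protocol TCP, which is the dialog default for a port rule.
$rules = @(Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
if ($rules.Count -eq 0) {
    $rules = @(New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Action Allow -Protocol TCP -LocalPort $port -Profile Domain, Private)
}

# Report the effective scope of every rule with this name and flag any
# rule that would also apply on the Public profile.
foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    $profiles   = $rule.Profile.ToString()
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Protocol      = $portFilter.Protocol
        LocalPort     = $portFilter.LocalPort -join ','
        Profiles      = $profiles
        RemoteAddress = $addrFilter.RemoteAddress -join ','
        PublicExposed = $profiles -match 'Public|Any'
    }
}
```

A `PublicExposed` value of `True` means the rule is wider than the Domain and Private scope chosen in the dialog above.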
Step 4 – Onboard Systems in the Configure Production Connectivity app in Digital Manufacturing
After you’ve configured the Production Connector, the Cloud Connector, and your OPC UA server, you can onboard them in SAP DM to establish shop floor connectivity.
Log on to SAP DM with your user (the e-mail address you used when adding the administrator user in the Production Connector in step 1). Open the Configure Production Connectivity app and complete the following steps:
- Add the Cloud Connector.
- In the Cloud Connector tab, choose Create.
- Enter a name of your choice and the location ID that you saved at the end of step 2.
- Choose Create.
- Add the Production Connector.
- In the Production Connector tab, choose Create.
- Enter the following values:
Field | Value |
Name | <A name of your choice> |
Internal Host | <The internal host that you saved at the end of step 2> |
Cloud Connector | <The cloud connector you just created> |
Production Connector Virtual Host URL | <The virtual host that you saved at the end of step 2> |
- Choose Test Connection to verify if the connection has been established.
- Choose Create. The Production Connector instance is created in SAP DM and linked to the Cloud Connector. If the Cloud Connector is running, the status should display Connected.
- On the Certificates tab, generate a certificate for Cloud to Production Connector Certificate, Production Connector to Cloud Certificate (X.509 OAuth), and Internal Production Connector Certificate.
- Choose Refresh in the top right corner.
- Add your OPC UA Server.
- In the Shop Floor Systems tab, choose Create > OPC UA Server > Create OPC UA Server.
- Enter the following values:
Field | Value |
Name | <A name of your choice> |
Linked Production Connector | <The cloud connector you just created> |
OPC Server Endpoint URL | <The endpoint URL you noted down in step 3-2> |
Security Policy | Basic256Sha256 |
Security Mode | SignAndEncrypt |
Binary Encoding | YES |
Certificate Type | Generate Certificate |
Identify Certificate By | Subject |
Send Certificate Chain | NO |
Authentication Method | Anonymous |
- Choose Create and Submit.
- Create a new deployment group and choose Save. The status displays Awaiting Deployment.
- Choose your deployment group in the Deployment Group field to open the Deploy Shop Floor Elements app.
- Choose Deploy > Deploy and Activate. The deployment should be successful, but the activation fails because trust is not established. The agent instance Default Operations displays status Stopped.
- Establish trust between server and client.
- In the OPC UA Configuration app’s Trusted Clients tab, you can see a new untrusted client certificate. It was sent by the SAP system and rejected by KEPServerEX. Select the client certificate and choose Trust.
- Go back to the KEPServerEX Configuration app and choose Runtime > Reinitialize to apply the change you just made.
- In the Control Center app, choose Certificate Overview > Trusted Certificates.
- Select any Store Path to open a folder for trusted certificates.
- Navigate to the ProdCon\CertificateStores\UA Applications\certs folder and check if it contains the server certificate you exported in step 3-2-i. It should have a name like “+KEPServerEX+UA Server+ [2199482A8A57F7889A03B54FB9342284C8C76E49].der”. If not, paste in the exported server certificate.
- Check in the ProdCon\CertificateStores\RejectedCertificates folder that it doesn’t contain a version of this certificate.
- Restart agent instance.
- Go back to the Configure Production Connectivity app in SAP DM and select your OPC UA Server.
- In the Agent Instances section, select the Default Operations instance and choose Start. If it fails, refer to Connectivity Issues.
For more information, refer to Configure Production Connectivity.
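The folder checks in the trust step above can be scripted. The following PowerShell is an added example, not SAP or Kepware tooling; it matches certificates by thumbprint instead of by file name, and `$StoreRoot` and `$ExportedCert` are placeholders for paths on your machine.

```powershell
param(
    # Placeholder: folder that contains ProdCon\CertificateStores on your machine
    [string]$StoreRoot = '<folder-containing-ProdCon>',
    # Placeholder: server certificate exported from the OPC UA Configuration app
    [string]$ExportedCert = '<exported-server-certificate>.der'
)

function Get-CertThumbprint([string]$Path) {
    # Returns the SHA-1 thumbprint, or $null if the file is not a certificate.
    try {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path).Thumbprint
    } catch { $null }
}

function Find-CertInStore([string]$Folder, [string]$Thumbprint) {
    # Lists every file under $Folder whose certificate has the given thumbprint.
    if (-not (Test-Path -LiteralPath $Folder)) { return }
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        Where-Object { (Get-CertThumbprint $_.FullName) -eq $Thumbprint }
}

$thumb = Get-CertThumbprint $ExportedCert
if (-not $thumb) { throw "Cannot read a certificate from $ExportedCert" }

# Store folders as named in the steps above
$stores   = Join-Path $StoreRoot 'ProdCon\CertificateStores'
$trusted  = @(Find-CertInStore (Join-Path $stores 'UA Applications\certs') $thumb)
$rejected = @(Find-CertInStore (Join-Path $stores 'RejectedCertificates') $thumb)

# Trust is consistent only if the certificate is trusted and not also rejected.
[pscustomobject]@{
    Thumbprint      = $thumb
    TrustedFiles    = $trusted.Name -join '; '
    RejectedFiles   = $rejected.Name -join '; '
    TrustConsistent = ($trusted.Count -gt 0) -and ($rejected.Count -eq 0)
}
```

If `TrustConsistent` is `False`, revisit the certificate folders before you start the agent instance again.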
Step 5 – Creating and Connecting an Asset
You’ve set up the connection between your OPC UA server and SAP DM. Now you can create an asset in SAP DM that stands for the “Oven” you’ve created in step 3. The asset’s indicators will connect to the tags “uom” and “temperature”.
- Create an asset and its indicators.
- Open the Manage Assets app and choose Create. In this blog, we’ll name the asset “Oven”.
- Select Equipment in the Node Type field.
- Choose Save.
- Choose Edit. You can add indicators in the Attributes and Indicators tab.
- Type in the Asset Type field to create a new type. We’ll create the type “oven_data”.
- Choose Create > Structure to create a structure “inside” that groups the indicators.
- Select the square in front of “inside” and choose Create > Indicator to create an indicator. Create the two indicators “uom” of type String and “temperature” of type Numeric.
- Choose Save.
- Connect the indicators to the tags on your OPC UA server.
- Open the Manage Asset Connectivity app and select the asset “Oven” to open its details.
- In the Shop Floor System tab, choose Add.
- Select your OPC UA server and choose OK to add it.
- In the Structures tab, expand the “inside” node by choosing the > icon to display the indicators.
- Choose Connect at the end of an indicator to link a tag.
- Choose your OPC UA server in the Shop Floor System field. A list of channels on your server is displayed in the Items section.
- Navigate to the corresponding tag and select it. In this blog, for the indicator “uom”, navigate to “My Channel” > “Oven” > “uom”. For the indicator “temperature”, navigate to “My Channel” > “Oven” > “temperature”.
For more information, refer to Asset Model.
Step 6 – Read Asset Indicators Using a Production Process
Your “Oven” on your OPC UA server now has a digital twin on SAP DM. You can read its tags using the built-in service “Read Indicators” provided by SAP DM services.
- Create a production process to read indicators.
- Open the Design Production Processes app and choose Create to create a production process design that groups your production processes.
- Open your design and choose Create to create a production process. Name it “ProdConCheck” and choose Cloud as the Runtime Type. Check Visible to Production Connector / Plant Connectivity Runtime.
- Choose Editor to open the Editor tab.
- Drag a Start, a Read Indicators, and an End element to the canvas. You can find “Read Indicators” by searching under Services and Processes. “Read Indicators” is located under the DMC_Cloud > Built-in Services node.
- Use the arrow icon to connect the elements in the following order: Start → Read Indicators → End.
- Choose the Read Indicators element. The configuration panel appears on the right side.
- Under the Output tab, choose Add. Choose the asset “Oven” and your OPC UA server. Check the “uom” and “temperature” indicators and choose Select.
- Choose Save All.
- Choose Quick Deploy > Deploy and Activate.
For more information, refer to Design Production Processes.
- Change tag values and run the production process to read tags.
- In the KEPServerEX Configuration app, choose Tools > Launch OPC Quick Client.
- In the OPC Quick Client dialog, choose My Channel.Oven.
- Select My Channel.Oven.uom and choose Tools > Item > Synchronous Write. In the Write Value field, enter “Celsius” and choose OK.
- Select My Channel.Oven.temperature and choose Tools > Item > Synchronous Write. In the Write Value field, enter “98” and choose OK.
- In your production process in SAP DM, choose Run.
- Open the Monitor Production Processes app and select the process instance you just ran, ProdConCheck#1, to see its details.
- Select the second step Read Indicators and choose Process Parameters View.
- The tag values are displayed under Output Parameters - Read Indicators.
🎊You did it! You’ve set up the Production Connector, Cloud Connector, and your OPC UA server and onboarded them in SAP DM, enabling connection to devices on the shop floor using the asset model. Shop floor connectivity is the basis for many automation processes. By completing this process, you've successfully taken the first crucial step toward transforming your manufacturing operations.
Next Steps
In the following blogs in our series, we’ll showcase how to use the connectivity to automate manufacturing processes.
For more information, refer to the user assistance for SAP Digital Manufacturing on the SAP Help Portal.