Connect Kepware KEPServerEX through Azure IoT Edge to IoT Hub

TLDR: I’ve put together step-by-step instruction on how to leverage Kepware’s IoT Gateway as an MQTT-based “leaf IoT device” for IoT Edge.

I’ve gotten the request a few times from customers who leverage, or want to leverage Kepware for connectivity to their manufacturing equipment and then send that data to IoT Hub through Azure IoT Edge. 

Microsoft’s recommended solution is to leverage OPC-UA and our IoT Edge OPC-UA publisher.  OPC-UA is both a nice industrial protocol, but more importantly, offers a robust data format that plugs in nicely into other Azure services. 

However, in cases where customers either can’t, or don’t want to leverage OPC-UA, Kepware already published a nice technical note showing how to connect Kepware via MQTT directly to Azure IoT Hub via Kepware’s IoT Gateway and MQTT.  However, customers are interested in how to have the data flow through Azure IoT Edge to take advantage of the many nice edge-processing capabilities available.

So, based on the same principals as my “Connect MQTT client to Azure IoT Edge” post, I’ve put together step-by-step instruction on how to leverage Kepware’s IoT Gateway as an MQTT-based “leaf IoT device” for IoT Edge.

You can check out the instructions here.

Enjoy

S

4 thoughts on “Connect Kepware KEPServerEX through Azure IoT Edge to IoT Hub”

  1. Hi Steve,
    Thanks a lot for posting such valuable information and it’s really helpful . I have one query regarding connectivity from Kepware to IoT Edge in test environment. As per instruction, I have created “azure-iot-test-only.root.ca.cert.pem” using script provided by MSFT. But kepware is unable yto validate the certificates.

    1. I have already imported this “azure-iot-test-only.root.ca.cert.pem” cert in Kepware box through “mmc”.

    2. Do I need to store “azure-iot-test-only.root.ca.cert.pem” in Iot edge box as well ? Do i need to import this certificate in Iot edge box “mmc” as well ? Or do I need to provide the “azure-iot-test-only.root.ca.cert.pem” ‘s absolute path in IoT edge’s “config.yaml” file ?

    3. Also for test environment “Device CA certificate” and “Device CA private key” are required to be generated and configure in “config.yaml” file ?

    Thank you

    Regards
    DPNAIK

    1. Hi,

      Thanks for the comment. I’m sorry for the slow reply, but wordpress doesn’t alert me about comments :-(.

      to answer your questions:

      2) The azure-iot-test-only.root.ca.cert.pem does need to be stored on the IoT Edge box, on the file system, because as you note, you definitely need it for config.yaml. I don’t believe is has to be imported via the mmc, but it doesn’t hurt to try it. (I haven’t done a lot of IoT Edge on Windows, so I’m not quite as sure as I am with Linux)

      3) yes, the Device CA Certificate, and it’s Private Key (in PEM format) is required to be on the file system on the IoT Edge box and the paths to them specified in config.yaml

      One caveat/question that may help. One thing to note: whatever name you are using as the server name (i.e. the ssl://[iot edge box here]) in Kepware MUST match EXACTLY the ‘hostname’ parameter in config.yaml. Please double check that, as it’s a common issue.

      If you have a lot of trouble with it, drop me an email directly at steve.busby (at) microsoft.com and I can offer faster assistance (remove the spaces and replace the @.. just trying to beat the web bots..)

      –Steve

  2. Hi Steve,

    first of all, thank you for putting all that information together and in a very comprehensive way!

    We’re investigating what is the best and more secure way to connect KepServerEX (with IoT Gateway Plugin) to Azure IoT with KepServerEX running in a private factory network.

    According what is mentioned in the end of this link (https://medium.com/@cprosenjit/connecting-kepserverex-with-azure-iot-hub-5a1cd9df4bbf#:~:text=Connect%20KEPServerEX%20to%20Azure%20IoT%20Hub&text=input%20agent%20name%20%26%20type%20as,property%20bag%20(optional)%3E.) when KepServerEX is running in a isolated network we need to connect it to the IoT Hub through an IoT Edge (Edge will act as a transparent gateway). Is it correct? In that scenario could we just connect KepServerEX directly to Azure IoT Hub or we do need to have IoT Edge in the middle of the connection? What other considerations should I be aware of when deploying it?

    Thank you in advance!

    1. Hey Juan,

      I think the key to that question is how ‘private’ is ‘private’? :-). If that private network is not allowed any internet access at all, then yes, you will need to connect Kepware to IoT Hub *via* IoT Edge as a transparent gateway. If the private network is allowed internet access, and your company is willing to open the MQTTS port (8883) outbound from the KepServerEX box to the IoT Hub, then you can connect directly. IoT Hub can accept MQTTS traffic over WebSockets (port 443, which may already be open), but I don’t think KepServerEX can connect that way

      Generally, the three main considerations or reasons that you would want IoT Edge in between KepServerEX and IoT Hub are:
      – your KepServerEX is on a network that is not allowed Internet access (as you may be talking about here)
      – you want to do some edge ‘processing’ (such as filtering, aggregating, machine learning, etc) of the data before you send it to the cloud
      – you want to operate ‘offline’ when the internet is down. Plants are often located in places with unreliable internet. If Kepware is connected to IoT Edge, and the internet goes down, KepServerEX can continue to send messages to IoT Edge and it will “queue them up” to send up to IoT Hub when the Internet connection comes back up

      Hope this helps, and thanks again for the comment
      –Steve

Comments are closed.