OPC UA to REST API: Kepware & Ignition Integration Guide 2025
by Nic Davidson • October 8, 2025
Looking to integrate industrial data with modern web applications? Here's the gist: Kepware collects OPC UA data from industrial devices, while Ignition processes and shares it as REST APIs. Together, they bridge industrial systems with web tools like dashboards, mobile apps, and cloud analytics.
Key Takeaways:
1. Kepware acts as an OPC UA server, gathering and converting data from industrial devices.
2. Ignition connects to Kepware, organizes data into tags, and enables REST API creation using its WebDev module.
Steps to Success:
1. Set up Kepware to collect OPC UA data.
2. Configure Ignition to connect to Kepware and manage data.
3. Use Ignition's scripting tools (e.g., system.net.httpPost) or tools like DreamFactory to expose data as REST APIs.
4. Secure connections with encryption, certificates, and role-based access.
The guide also covers optimizing performance, troubleshooting connection issues, and ensuring security for production environments.
Let’s dive into the details to help you create reliable, secure, and scalable data pipelines.
Understanding OPC UA, Kepware, and Ignition
To fully grasp the integration process, it's essential to understand how OPC UA, Kepware, and Ignition work together in an industrial setting. Here's an overview of each component and its role in streamlining communication and data management.
What is OPC UA?
OPC UA, or Open Platform Communications Unified Architecture, is a protocol designed for secure, reliable communication between industrial devices. Whether you're dealing with PLCs, sensors, or HMIs, OPC UA enables seamless exchange of real-time data.
What sets OPC UA apart is its ability to transmit both data and metadata. For instance, it doesn't just provide a temperature reading - it also includes details about the sensor, its location, and the quality of the data. This added layer of information is invaluable for monitoring and diagnostics.
At its core, OPC UA operates on a client-server model. Servers make data available, while clients retrieve and use it. The protocol supports a wide range of data types, from basic numbers to complex structured data.
Security is a key feature of OPC UA. Through certificate-based authentication and encryption, it ensures that sensitive operational data remains protected, addressing one of the primary concerns in industrial environments.
While OPC UA sets the standard for communication, Kepware plays a critical role in gathering and formatting the data.
Kepware Overview
Kepware acts as a bridge between field devices and higher-level applications, functioning as an industrial connectivity platform. Its primary role is to convert various industrial protocols into a standardized OPC UA format.
Running as a Windows service, Kepware can connect to a wide range of devices simultaneously - everything from older serial-based equipment to modern Ethernet-capable devices. Its extensive driver library, which supports over 150 communication protocols, is one of its standout features.
When configured as an OPC UA server, Kepware makes the collected data accessible through standardized endpoints. It handles complex tasks like protocol conversion, connection management, and data buffering, so you don't have to deal with the intricate details of device communication.
Kepware also offers data transformation tools, allowing you to process raw device data before it's sent to clients. For example, you can scale, offset, or apply mathematical functions to the data, reducing the workload for downstream systems.
Ignition Overview
Ignition, developed by Inductive Automation, is a web-based SCADA platform that brings data acquisition, visualization, and reporting into one cohesive solution. It simplifies industrial data management by providing universal access and streamlined processing.
One of Ignition's standout features is its dual role as both an OPC UA client and server. This means it can pull data from sources like Kepware while also sharing data with other applications. This versatility makes it an excellent hub for integrating industrial systems.
The platform's Gateway serves as the central processing unit, managing database connections, tag organization, and web services. Ignition uses a tag-based system, assigning unique identifiers to each data point, which makes it easier to manage and retrieve data from multiple sources.
For web integration, Ignition offers WebDev modules, enabling the creation of custom web services and handling HTTP requests. Additionally, its support for JSON and XML formats allows industrial data to be shared in formats that are easy to use in web-based applications.
Setting Up the Environment
Getting your system ready with the right hardware, software, and configurations is a crucial step for connecting OPC UA data to REST APIs effectively.
System Requirements and Setup
Both Kepware and Ignition have specific system requirements, so it's important to ensure compatibility before proceeding.
For Kepware (KEPServerEX), you'll need a Windows-based system. Supported versions include:
- Windows 11 (v6.12.325)
- Windows Server 2022 (v6.12.325)
- Windows Server 2019 (v6.7.1046)
- Windows 10 IoT Enterprise (v6.7.1046)
- Windows Server 2016 (v6.1.601)
- Windows 10 (v5.19.467)
- Windows Server 2012 (v5.11.250)
- Windows 8 (v5.11.250)
Keep in mind that Windows Server 2025 hasn’t been officially validated for KEPServerEX as of January 16, 2025, though no compatibility issues have been flagged yet. Additionally, if you’re using Hardware Key licensing, be aware of potential errors when running on Windows 11 or Windows Server 2022.
For Ignition, the platform offers more flexibility. Its latest version (v8.3.0, released September 16, 2025) supports:
- Windows Server 2016/2019/2022/2025
- Windows 10/11
- macOS (13+)
- Linux (e.g., Ubuntu 22.04 and 24.04)
Ignition requires at least a dual-core processor and supports databases like Microsoft SQL Server, Oracle, MySQL, MariaDB, PostgreSQL, and any database with a JDBC driver. Choose a database that aligns with your infrastructure and performance needs.
Network setup is another key factor. Ensure your firewall allows communication on required ports, especially port 49320, which is Kepware's default OPC UA server port. Plan your network layout to reduce latency between Kepware, Ignition, and connected devices.
Once the system is ready, you can move on to installing and configuring Kepware.
Installing and Configuring Kepware
Installing Kepware is a foundational step for enabling data communication. Follow the instructions in either the Kepware+ Installation Guide or the ThingWorx Kepware Server Install Guide. During installation, you’ll set up credentials, which are essential for configuration and testing. Local access to the Kepware Server is required for licensing and specific setup tasks.
To configure OPC UA settings, locate the KEPServerEX icon in your system tray or desktop, right-click, and select "OPC UA Configuration". You’ll need to log in using the credentials you created during installation.
In the OPC UA Configuration Manager, focus on these key areas:
Endpoint Configuration: The default local endpoint is opc.tcp://localhost:49320, while the network endpoint is opc.tcp://[YourIPAddress]:49320.
Security Settings: Implement certificate-based authentication for secure data exchange. Generate or import certificates to ensure both Kepware and Ignition can authenticate each other - this step is critical in production environments.
Channel and Device Setup: Create channels for the communication protocols you’re using and add devices to represent your field equipment. Once configured, these devices will be accessible through the OPC UA server.
Test your setup by browsing the OPC UA server locally. Verify that the devices and data points appear in the proper hierarchy.
With Kepware configured, you’re ready to set up Ignition to connect securely.
Installing and Configuring Ignition
Ignition simplifies configuration with its web-based interface, making it easier to connect to Kepware compared to traditional SCADA systems.
Start by downloading and installing Ignition for your operating system. The installation process sets up the Gateway, which acts as the central hub for data processing and communication.
Once installed, access the Gateway Configuration through your web browser at http://localhost:8088. Navigate to the OPC UA Connections section, and create a new connection pointing to your Kepware server. Use the endpoint URL, such as opc.tcp://[KepwareServerIP]:49320.
To ensure smooth authentication, match the certificates in Ignition with the security settings you configured in Kepware. This alignment is key for establishing a secure connection.
As your system grows, plan your tag organization carefully. Ignition uses a tag-based structure where each data point from Kepware is assigned a unique identifier. A well-thought-out naming convention will help maintain order as more devices are added.
If you intend to create custom web services for REST API functionality, enable the WebDev modules. These modules handle HTTP requests and support JSON and XML formats, which are essential for converting OPC UA data into REST endpoints.
Finally, test the connection by browsing the OPC UA server from within Ignition. The device hierarchy and data points should match what you configured in Kepware. Use the Gateway logs during testing to identify and resolve any issues before deploying the setup in a production environment.
Connecting Kepware and Ignition
Once both systems are set up, the next step is linking Kepware's OPC UA server with Ignition's OPC UA client. This connection acts as a bridge, enabling smooth data exchange between your industrial devices and modern applications.
Creating the OPC UA Connection
To start, open Ignition's Gateway Configuration interface. Head to OPC Connections > OPC UA and click Create new OPC UA Connection. Assign a clear, descriptive name like "Kepware_Production_Line" to make it easy to identify, especially in larger setups.
In the Endpoint URL field, input the address of your Kepware server. If both systems are on the same machine, use opc.tcp://localhost:49320. For networked setups, replace "localhost" with the Kepware server's IP address, such as opc.tcp://192.168.1.100:49320.
For security, choose Basic256Sha256 or Aes256_Sha256_RsaPss as the Security Policy for production environments. While you can use the None option for testing, avoid it when working with production data.
Certificate management plays a crucial role in secure OPC UA communication. When you first connect, Kepware and Ignition will exchange certificates, which may initially land in their respective Rejected folders. You'll need to manually move these certificates to the Trusted folders. In Kepware's OPC UA Configuration Manager, go to Trusted Clients and add Ignition's certificate. Similarly, in Ignition's Gateway, navigate to OPC UA > Security and trust Kepware's certificate.
If credentials are required, ensure they are entered correctly. For anonymous connections, leave these fields empty, but only use this approach in secure, isolated networks.
Once everything is configured, click Save and test the connection. A successful connection will show a green indicator and a status of Connected. If the connection fails, check the logs under Status > Logs for error details. For troubleshooting, refer to the next section.
Fixing Connection Problems
Connection issues between Kepware and Ignition often boil down to a few common problems:
Certificate Issues: Errors like "Bad_SecurityChecksFailed" or "Bad_CertificateUntrusted" in the logs suggest certificate trust problems. Double-check certificate placements and restart both Kepware and Ignition services to apply changes.
Network Problems: Timeout errors or messages like "Bad_ConnectionRejected" often point to network issues. Ensure port 49320 is open on your firewall and that no network devices are blocking OPC UA traffic.
Security Policy Mismatches: If Ignition's security settings don’t align with Kepware's, the connection will fail. Verify the enabled security policies in Kepware's OPC UA Configuration Manager under Server Settings and ensure they match Ignition's configuration.
Authentication Errors: "Bad_UserAccessDenied" errors indicate incorrect credentials. Double-check the username and password, including case sensitivity and any domain prefixes.
Resource Constraints: If multiple clients are connected, resource limitations could cause intermittent drops. Monitor system performance and adjust connection limits if necessary.
For deeper insights, enable verbose logging on both systems. Once issues are resolved, follow the security measures outlined below to maintain a secure connection.
Security Best Practices for Connections
After establishing a stable connection, securing it should be a top priority. Proper certificate handling, as described earlier, is a key step.
Consider isolating your Kepware and Ignition systems in a dedicated VLAN or DMZ to enhance security. This aligns with the Purdue Model (ANSI/ISA 95) guidelines.
OPC UA provides built-in security features like encryption, digital signatures, and user authentication to ensure data integrity and confidentiality. Always enforce the Principle of Least Privilege by granting only the minimum access necessary. Instead of using administrative accounts, create dedicated service accounts for Ignition's OPC UA connections. If possible, implement role-based access control to assign specific permissions to each client.
Encryption is essential for production environments. Configure the Ignition Gateway to use HTTPS for its web interface and ensure all OPC UA connections use encrypted security policies. Avoid using SecurityPolicy.None in systems handling sensitive data.
Enable detailed logging to monitor connection attempts, authentication events, and data access patterns. Regularly review these logs for unusual activity or repeated authentication failures.
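The log review described above, combined with the status codes from the troubleshooting list, as an added example (not code from the article, Kepware or Ignition). The log line format, the Kepware_Packaging connection name, the threshold and the time window are constructed assumptions; adapt the pattern to the format your Gateway actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Status codes named in the troubleshooting list, grouped by likely cause.
CAUSES = {
    "Bad_SecurityChecksFailed": "certificate",
    "Bad_CertificateUntrusted": "certificate",
    "Bad_ConnectionRejected": "network",
    "Bad_UserAccessDenied": "authentication",
}

# Constructed line format: "<date> <time> <LEVEL> [<connection>] <text with Bad_* code>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"\[(?P<conn>[^\]]+)\] .*?(?P<code>Bad_[A-Za-z]+)"
)

# Constructed sample log, not taken from a real system.
SAMPLE_LOG = """\
2025-10-08 09:14:02 WARN [Kepware_Production_Line] connect failed: Bad_CertificateUntrusted
2025-10-08 09:20:10 WARN [Kepware_Production_Line] session rejected: Bad_UserAccessDenied
2025-10-08 09:20:25 WARN [Kepware_Production_Line] session rejected: Bad_UserAccessDenied
2025-10-08 09:20:41 WARN [Kepware_Production_Line] session rejected: Bad_UserAccessDenied
2025-10-08 09:31:00 ERROR [Kepware_Packaging] connect failed: Bad_ConnectionRejected
2025-10-08 09:45:00 WARN [Kepware_Packaging] session rejected: Bad_UserAccessDenied
2025-10-08 09:50:00 INFO [Kepware_Packaging] status=Connected
"""


def triage(lines, threshold=3, window_seconds=60):
    """Count failures per connection and cause; flag bursts of auth failures.

    Returns (counts, alerts). An alert is (connection, timestamp) and is raised
    at the moment the number of Bad_UserAccessDenied events inside the sliding
    window reaches the threshold.
    """
    counts = defaultdict(lambda: defaultdict(int))
    recent = defaultdict(deque)  # connection -> timestamps of recent auth failures
    alerts = []
    window = timedelta(seconds=window_seconds)
    for line in lines:
        match = LINE.match(line)
        if match is None:
            continue  # no status code on this line
        conn = match.group("conn")
        cause = CAUSES.get(match.group("code"), "other")
        counts[conn][cause] += 1
        if cause != "authentication":
            continue
        ts = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S")
        queue = recent[conn]
        queue.append(ts)
        while ts - queue[0] > window:
            queue.popleft()  # drop failures that fell out of the window
        if len(queue) == threshold:
            alerts.append((conn, match.group("ts")))
    return {conn: dict(by_cause) for conn, by_cause in counts.items()}, alerts


if __name__ == "__main__":
    summary, bursts = triage(SAMPLE_LOG.splitlines())
    print(summary)
    print(bursts)
```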
Adopt a multi-layered defense strategy by combining network firewalls, secure application configurations, timely software updates, and staff training. Establish clear incident response protocols and periodically test your backup and recovery processes.
Schedule regular security reviews to identify vulnerabilities. Check certificate validity, user permissions, and network access controls. Keep Kepware and Ignition updated with the latest patches, and stay informed about potential threats by following vendor security bulletins.
With a secure connection in place, you can now leverage OPC UA data to create REST APIs that integrate effortlessly with modern web applications and cloud services.
Converting OPC UA Data to REST APIs
Once you've established the Kepware-Ignition connection, the next step is transforming OPC UA data into REST API endpoints. This process connects traditional OPC UA systems with modern web technologies, making it easier to integrate with cloud platforms, mobile apps, and analytics tools. Here's how to map the data and automate API generation for this purpose.
Mapping OPC UA Data to REST Endpoints
The success of converting OPC UA data into REST APIs hinges on effective data mapping. After connecting to Ignition, you'll have access to OPC UA tags. These tags represent real-time data from industrial devices, like temperature readings, pressure levels, motor speeds, or production counts.
Start by identifying the OPC UA tags that hold the most value - these are typically the ones that change frequently or represent critical process variables. For instance, in a manufacturing setup, tags like Line1.Temperature, Line1.Pressure, and Line1.ProductionCount might be essential for monitoring.
Plan your API structure around how the data will be consumed. Organize endpoints logically, such as by equipment or data type (e.g., /api/equipment/line1/temperature). A clear structure makes the APIs more user-friendly for developers.
Also, consider grouping related tags into single API calls. For example, instead of making multiple requests for temperature and pressure data, a single call could return both values. This reduces network traffic and improves efficiency.
Once your mapping is complete, you can use tools like DreamFactory to automate the creation of REST APIs.
Using DreamFactory for Automated REST API Generation
DreamFactory simplifies the process of creating REST APIs from OPC UA data by eliminating the need for manual coding. It automatically generates secure, well-documented RESTful endpoints from your data sources.
After connecting DreamFactory to your Ignition system, it can expose OPC UA data as REST APIs with full CRUD (Create, Read, Update, Delete) capabilities. This means you can interact with your data programmatically without building APIs from scratch.
Security is a key feature of DreamFactory. It uses role-based access controls, API key management, and OAuth integration to ensure only authorized users can access specific data points. Additionally, it enforces data integrity by securing connections and managing permissions.
Another advantage is the automatic generation of Swagger API documentation. This documentation includes parameter descriptions, response formats, and example requests, and it updates automatically whenever you modify your API structure.
Step-by-Step Example: Converting OPC UA Data
Here’s a practical example of how to expose Kepware OPC UA data as REST APIs using Ignition’s scripting tools. In this case, we'll send temperature data from a manufacturing line to an external system.
1. Create a Project Library:
In Ignition Designer, set up a project library called "RestAPI." This will house reusable functions for sending OPC UA data to REST endpoints.
2. Develop a Data-Sending Function:
Write a function using system.net.httpPost to send data. Attach this function as a tag change script for real-time updates. The function should include parameters such as the OPC UA tag value, equipment identifier, and timestamp. Additionally, configure the target REST API system with an API token for secure data transfer.
3. Map OPC UA Tags to API Parameters:
Assign OPC UA tags to API fields. For example, if the REST API expects parameters like machineId, attributeId, and value, extract the machine ID from the tag path, assign a predefined attribute ID for temperature, and pass the current tag value.
4. Configure Gateway Scripting:
In Ignition's Gateway Settings, set the Gateway Scripting Project property to point to your project. This ensures that tag change scripts can access your library functions seamlessly.
5. Test and Validate:
Check Ignition logs and the target REST API system to verify that temperature changes are reflected externally. Simulate network issues to ensure your scripts handle errors gracefully.
The system.net.httpPost method is crucial for REST API interactions within Ignition. Make sure your HTTP requests are properly formatted, with the correct headers, authentication tokens, and JSON payloads to match your target API's requirements.
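The tag-to-payload mapping and error handling from steps 2, 3 and 5, as an added example (not code from the article or from Ignition's own libraries). The tag layout [provider]Plant/<machineId>/<Attribute>, the attribute IDs, the REST_API_TOKEN variable, the bearer-token header and the URL are assumptions; in a Gateway script, http_post would be a thin wrapper around system.net.httpPost.

```python
import json
import os
import re

# Assumed tag layout (not from the article): [provider]Plant/<machineId>/<Attribute>
TAG_PATH = re.compile(
    r"^\[[\w ]+\]Plant/(?P<machine>[A-Za-z0-9_]{1,32})/(?P<attr>[A-Za-z]{1,32})$"
)

# Hypothetical attribute IDs the target API is assumed to expect.
ATTRIBUTE_IDS = {"Temperature": 101, "Pressure": 102, "ProductionCount": 103}


def build_payload(tag_path, value, quality_good, timestamp_iso):
    """Map one tag change to the API fields machineId, attributeId and value."""
    match = TAG_PATH.match(tag_path)
    if match is None:
        raise ValueError("tag path outside the expected layout: %r" % tag_path)
    attr = match.group("attr")
    if attr not in ATTRIBUTE_IDS:
        raise ValueError("no attributeId mapped for %r" % attr)
    if not quality_good:
        raise ValueError("refusing to forward a bad-quality value")
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("value must be numeric")
    if isinstance(value, float) and (value != value or abs(value) == float("inf")):
        raise ValueError("value must be finite")
    return {
        "machineId": match.group("machine"),
        "attributeId": ATTRIBUTE_IDS[attr],
        "value": value,
        "timestamp": timestamp_iso,
    }


def send_reading(http_post, url, payload, token=None, log=None):
    """POST one payload; return True on success, False on a transport error.

    http_post is any callable taking (url, content_type, body, headers).
    """
    log = log or (lambda message: None)
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send the API token over a non-TLS URL")
    # The token comes from the environment, never from the script source.
    token = token or os.environ.get("REST_API_TOKEN")
    if not token:
        raise ValueError("REST_API_TOKEN is not set")
    headers = {"Authorization": "Bearer " + token}  # assumed auth scheme
    body = json.dumps(payload, sort_keys=True)
    try:
        http_post(url, "application/json", body, headers)
    except Exception as exc:
        # Record the machine and the failure class only, never the token.
        log("POST failed for %s: %s" % (payload["machineId"], type(exc).__name__))
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values; the print-only poster stands in for the network.
    sample = build_payload("[default]Plant/Line1/Temperature", 72.5, True,
                           "2025-10-08T12:00:00Z")
    ok = send_reading(lambda u, c, b, h: print(u, c, b),
                      "https://api.example.invalid/readings", sample,
                      token="constructed-token")
    print(ok)
```

Returning False instead of raising keeps a network outage from turning every tag change into an unhandled script error, and the caller can decide whether to queue the reading for retry.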
Building Scalable and Secure Integration
After setting up RESTful API generation, the next step is to focus on creating an integration that can handle industrial-scale data while maintaining strong security. Manufacturing environments produce massive amounts of data, and ensuring this data is processed efficiently and securely is critical. Here's a breakdown of how to implement security measures, optimize performance, and maintain a reliable system.
Security Best Practices
Industrial systems are often exposed to unique cybersecurity risks, especially when connected to critical infrastructure. To mitigate these risks, consider the following:
Role-Based Access Control (RBAC) and API Keys: Use RBAC to assign precise permissions to users. For example, maintenance technicians might only need read-only access to monitor equipment, while process engineers may require broader access. DreamFactory's built-in RBAC system allows you to set up detailed permissions for each API endpoint, automatically enforcing these restrictions. Additionally, generate unique API keys for each application or user group and rotate them regularly. Store these keys securely using environment variables or dedicated key management tools instead of embedding them in your code.
Secure Communications: Enforce TLS 1.3 for all REST API traffic and use robust encryption for OPC UA protocols. This ensures data is protected during transmission.
Network Segmentation: Isolate industrial systems from corporate networks using VLANs and properly configured firewalls. This minimizes the risk of unauthorized access and makes it easier to monitor and control traffic between systems.
Optimizing Performance for IoT Workloads
Once security is in place, the focus shifts to performance. Industrial IoT systems often need to handle thousands of data points every minute, so efficiency is key.
Caching: Use in-memory caching to store frequently accessed data temporarily. This reduces the load on your database and speeds up response times.
Data Aggregation and Batching: Instead of sending individual REST API calls for every small data update, group multiple updates into a single request. This reduces network overhead and improves throughput.
Connection Pooling: Reuse database and API connections instead of creating new ones for each request. Adjust connection pool sizes based on your server's capacity and typical load patterns.
Query Optimization: Efficiently retrieve time-series data by using indexing and data partitioning strategies. This is especially helpful when analyzing large datasets for production trends.
Load Balancing: Distribute API requests across multiple servers using application load balancers. This prevents any single server from becoming overwhelmed and ensures traffic is managed based on server capacity and responsiveness.
Monitoring and Maintenance
To keep your integration running smoothly, continuous monitoring and proactive maintenance are essential.
Integrated Logging and Alerts: Use tools like DreamFactory with an ELK stack to monitor performance and detect issues. Set up automated alerts for critical metrics such as API response times, error rates, and server resource usage. Implement log retention policies that balance storage costs with compliance requirements.
Performance Baselines: Establish baselines for key metrics and regularly review them to identify and address performance issues before they escalate.
Regular Maintenance Tasks: Review system logs periodically to spot recurring problems. Update API documentation whenever endpoints or data structures change. For managing large time-series datasets, automate archiving strategies to move older data to cost-effective storage while keeping recent data accessible for real-time operations. Archiving intervals should align with your operational and compliance needs.
Security Audits: Conduct regular security evaluations to ensure your integration remains secure. This includes reviewing user permissions, rotating API keys, updating security certificates, and assessing network configurations for vulnerabilities. Document these audits to meet industry security standards.
Version Control: Use tools like Git to track configuration changes. This makes it easy to roll back to previous versions if issues arise, ensuring system stability. This is particularly useful for managing changes to Ignition projects, Kepware configurations, and API definitions.
Conclusion
Bringing OPC UA and REST APIs together using tools like Kepware and Ignition is reshaping how industrial data is managed and shared. This guide has outlined the key steps - from setting up your environment and securing connections to transforming OPC UA data into REST endpoints and creating scalable integrations. These practices lay the groundwork for a reliable and flexible industrial data framework.
By pairing Kepware’s OPC UA server capabilities with Ignition’s SCADA tools, and leveraging DreamFactory for automated API creation, the process of integrating industrial data becomes far more efficient, cutting down on manual coding and simplifying workflows.
However, success hinges on a few critical factors: implementing secure network segmentation, encrypted communications, and well-designed role-based access controls to safeguard your systems. To handle the high volume of manufacturing data, performance tweaks like caching, batching, and connection pooling are essential for smooth operations.
Ongoing monitoring and maintenance play a vital role in avoiding disruptions. Regular security checks, performance evaluations, and automated data archiving can help maintain system stability. For better oversight, integrating the ELK stack with DreamFactory offers robust logging and alerting features, ensuring you can address potential issues before they escalate.
With these steps outlined, this integration strategy supports both scalability and security, making it adaptable to the ever-changing demands of industrial automation. Whether you're working with a single production line or an entire facility, the combination of OPC UA and REST APIs bridges the gap between traditional manufacturing systems and modern industrial IoT solutions.
FAQs
How does integrating Kepware and Ignition simplify converting OPC UA data into REST APIs?
Integrating Kepware with Ignition simplifies the task of transforming OPC UA data into REST APIs by combining their respective capabilities. Kepware specializes in gathering and converting OPC UA data from a range of industrial devices, making it suitable for use in web-based applications. Ignition, with its built-in OPC UA server and client tools, takes this data and makes it accessible as RESTful APIs.
This collaboration enables smooth communication between industrial systems and web or IoT platforms, improving scalability, interoperability, and efficiency. Together, they offer a reliable solution tailored for today's industrial automation and IoT demands.
What are the best practices for securing the connection between Kepware and Ignition in a production setup?
To keep the connection between Kepware and Ignition secure in a production setting, it's important to rely on strong encryption protocols such as SignAndEncrypt or Basic256. These protocols help safeguard both the confidentiality and integrity of the data being transferred. Using trusted certificates signed by a reputable Certificate Authority (CA) is another key step. This ensures proper authentication and blocks unauthorized access.
On top of that, make it a habit to update software, apply security patches, and upgrade firmware regularly. Staying current with updates helps close security gaps and strengthens system defenses. Together, these measures create a more secure communication channel for industrial automation systems, reducing the chances of breaches or data loss.
How does DreamFactory simplify the process of creating REST APIs from OPC UA data, and what advantages does this offer for industrial IoT?
DreamFactory simplifies the process of creating REST APIs from OPC UA data by automatically transforming data structures into RESTful endpoints. This automation removes the need for manual coding, helping you save time and minimize errors.
With DreamFactory, industrial IoT systems gain advantages like quicker deployment, stronger data protection, and instant data access. These capabilities are crucial for maintaining smooth and reliable communication in complex industrial automation settings.

Nic, a former backend developer and Army intelligence NCO, brings a unique blend of technical and tactical expertise to DreamFactory. In his free time, Nic delves into home lab projects, explores the winding roads on his motorcycle, or hikes the hills of Montana, far from any command line.