In TIA Portal, enable “Operate as OPC Server” in the Runtime Settings of your project. Download and restart the runtime; the OPC UA server then listens on opc.tcp://localhost:4890.
You also need a user whose role has the OPC UA read and write access permission.
When a client tries to connect, it sends its certificate to the server, and the server typically rejects it. To trust the certificate, move it from the “Rejected” folder to the “Trusted” folder:
C:\Program Files\Siemens\Automation\WinCCUnified\bin\PKI\Rejected\certs
C:\Program Files\Siemens\Automation\WinCCUnified\bin\PKI\Trusted\certs
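
The trust step above as a PowerShell script (an added example, not from the original post or from Siemens): it lists the certificates in the Rejected folder and moves one to Trusted only if its thumbprint matches a value you read from the client itself. The `-ExpectedThumbprint` parameter and the `Get-RejectedCertificate` helper are names made up for this example; the folder paths are the ones given above.

```powershell
# Added example (not Siemens code). Run from an elevated PowerShell,
# because the PKI folders are below Program Files.
param(
    # Thumbprint read from the client's own certificate (hypothetical parameter).
    # Omit it to only list what the server has rejected.
    [string]$ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

# Folder paths as given on this page
$pki      = 'C:\Program Files\Siemens\Automation\WinCCUnified\bin\PKI'
$rejected = Join-Path $pki 'Rejected\certs'
$trusted  = Join-Path $pki 'Trusted\certs'

# Hypothetical helper: parse every file in Rejected as an X.509 certificate
function Get-RejectedCertificate {
    Get-ChildItem -LiteralPath $rejected -File | ForEach-Object {
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName)
        } catch {
            Write-Warning "Skipping $($_.Name): not a readable X.509 certificate"
            return   # continue with the next file
        }
        [pscustomobject]@{
            File       = $_.FullName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint   # SHA-1, upper-case hex
        }
    }
}

$candidates = @(Get-RejectedCertificate)
$candidates | Format-List
if (-not $ExpectedThumbprint) { return }   # list-only mode

# Accept thumbprints pasted with spaces or colons
$wanted = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$match  = @($candidates | Where-Object { $_.Thumbprint -eq $wanted })
if ($match.Count -ne 1) {
    throw "Expected exactly one rejected certificate with thumbprint $wanted, found $($match.Count)."
}
if ($match[0].NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($match[0].NotAfter); not moving it."
}
Move-Item -LiteralPath $match[0].File -Destination $trusted
Write-Host "Moved to Trusted: $($match[0].Subject)"
```

Comparing the thumbprint against the one shown on the client keeps an unrelated certificate that happens to sit in the Rejected folder from being trusted along with yours.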