Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Accessing the certificates in PKI folder
May 31, 2016
22:05, EEST
Avatar
Gajasri
Member
Members
Forum Posts: 6
Member Since:
May 25, 2016
sp_UserOfflineSmall Offline

The given example uses the certificates in PKI folder structure and for a certificate to be trusted it has to be manually moved to the trusted folder “certs”.
Is the folder structure the only way to access and validate the certificates ?

June 1, 2016
9:54, EEST
Avatar
Heikki Tahvanainen
Member
Members
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hello,

The PKI folder structure is widely used by OPC UA applications at the moment. Default option in the Prosys OPC UA Java SDK is to use PkiFileBasedCertificateValidator class to validate certificates.

If you would like to define completely different truststore type, you could implement UaCertificateValidator interface and then use your own implementation in client and server applications by setting it with

UaServer/UaClient.setCertificateValidator(validator);

On the other hand, if you want to use the PKI folder structure but you want to define your own certificate trust logic, please see CertificateValidationListener and PkiFileBasedCertificateListener classes.

December 14, 2016
16:43, EET
Avatar
Gajasri
Member
Members
Forum Posts: 6
Member Since:
May 25, 2016
sp_UserOfflineSmall Offline

Thank you Heikki Tahvanainen !

Kindly clarify on the following queries.
Now I have tried implementing a new folder structure with new validator class by implementing the UaCertificateValidator interface.
The following methods are to be overridden,

1. public StatusCode validateCertificate(ApplicationIdentity ai)
2. public StatusCode validateCertificate(Cert cert)
3. public StatusCode validateCertificate(ApplicationDescription ad, Cert cert)

I have set the validator to UaClient also.

The 1st method is invoked only once and the certificate is validated
The 2nd method is invoked twice but certificate is not loaded so it returns null
The 3rd method is not invoked at all

My queries are,
If only the 1st method is invoked once then the certificate validation happens only once, the 2nd method is invoked twice it means it is invoked both during secure channel creation and the session creation. According to OPC UA specifications the certificate validation happens during both secure channel creation and session creation. How to access only the certificate using Cert class for the 2nd method ?
I am trying to understand the PKI for OPC UA based application and a beginner, kindly correct me for any mistakes.

Error seen in the client side as follows,

com.prosysopc.ua.client.ConnectException: Failed to retrieve endpoints. The server is not available: opc.tcp://kumara:52520/OPCUA/SampleConsoleServer_TEST ServiceResult=Bad_UnexpectedError (0x80010000) “An unexpected error occurred.”
Caused by: org.opcfoundation.ua.common.ServiceResultException: Bad_UnexpectedError (code=0x80010000, description=”Bad_UnexpectedError (0x80010000) “An unexpected error occurred.””)

Demo version used is Prosys-OPC-UA-Java-SDK-Client-Server-Evaluation-2.2.2-638

Thank you
Gajasri

December 15, 2016
16:57, EET
Avatar
Heikki Tahvanainen
Member
Members
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hi Gajasri,

The methods PkiFileBasedCertificateValidator.validateCertificate(ApplicationIdentity ai) and PkiFileBasedCertificateValidator.validateCertificate(Cert cert) are basically convenience methods that do little else than call PkiFileBasedCertificateValidator.validateCertificate(ApplicationDescription ad, Cert cert). However, I understand that you have now made your own implementation of the UaCertificateValidator interface so I cannot know what your implementation does.

You are correct that certificate validation happens both during secure channel establishment and during session creation.

I’m not completely sure what you meant with your question, but I can tell you what should happen when a client tries to connect to a server:
1) Client creates a SecureChannel and does GetEndpoints request. In this step the secure channel will be created with security mode none and the PkiFileBasedCertificateValidator.validateCertificate(Cert cert) will be called with parameter value null. After the GetEndpoints request, client closes the SecureChannel associated with GetEndpoints request. Alternatively, client may skip this step 1 completely if it already knows the endpoint descriptions of the server.

2) Client creates a SecureChannel with selected security mode. So, here the client will actually send the correct certificate and the server will validate the information. If SecurityMode is None, then the PkiFileBasedCertificateValidator.validateCertificate will be called with parameter value null as in previous step.

3) Client creates a Session. Here again, the client’s certificate will be validated by the server. If SecurityMode is None, then the PkiFileBasedCertificateValidator.validateCertificate methods will not be called.

This example considers only what happens from the server point of view, but I hope that this helps you.

One thing to note is that if method PkiFileBasedCertificateValidator.validateCertificate(Cert cert) is called with Cert as null, then StatusCode.GOOD should be returned.

December 15, 2016
18:46, EET
Avatar
Gajasri
Member
Members
Forum Posts: 6
Member Since:
May 25, 2016
sp_UserOfflineSmall Offline

Thank you for the clarification.

The explanatory points are more clear to me now to understand the examples for client certificate validation in the server side.

I have one more doubt , in the given examples is the client certificate validated twice in the server side ? I saw the following output in the server side
————————————————————————————————————————————————————————————————-
activateAlarm: severity=500
null, urn:kumara:OPCUA:SampleConsoleClient_TEST

12/15/2016 22:11:01.541 INFO Certificate ’26EF139D609AFF2117262606B33398D35BBEA978′ added to trusted certificates.//// Is it the result of secure channel validation?

ApplicationDescription: ApplicationDescription
ApplicationUri=urn:kumara:OPCUA:SampleConsoleClient_TEST
ProductUri=urn:prosysopc.com:OPCUA:SampleConsoleClient_TEST
ApplicationName=() SampleConsoleClient_TEST@kumara
ApplicationType=ApplicationType
name=Client
ordinal=1
GatewayServerUri=null
DiscoveryProfileUri=null
DiscoveryUrls=null
, urn:kumara:OPCUA:SampleConsoleClient_TEST

12/15/2016 22:11:01.978 INFO Certificate ’26EF139D609AFF2117262606B33398D35BBEA978′ added to trusted certificates. // Is this the result of session validation?

12/15/2016 22:11:01.978 INFO Session created: SampleConsoleClient_TEST Session1 (ID=ns=1;g=61905d3d-46af-49c8-a749-256b94fa5870 Token=i=56320307 Channel=(SecureChannelId=2 State=Open URL=opc.tcp://kumara:52520/OPCUA/SampleConsoleServer_TEST SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15 RemoteAddress=/192.168.42.175:53851))
onValidate: userIdentity=Type=Anonymous
12/15/2016 22:11:02.103 INFO Session activated: SampleConsoleClient_TEST Session1 (ID=ns=1;g=61905d3d-46af-49c8-a749-256b94fa5870 Token=i=56320307 Channel=(SecureChannelId=2 State=Open URL=opc.tcp://kumara:52520/OPCUA/SampleConsoleServer_TEST SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15 RemoteAddress=/192.168.42.175:53851))
inactivateAlarm
——————————————————————————————————————————————————————–
Client side output

* Connections will close after 120 minutes

Select the security mode to use.
(n=None,s=Sign,e=SignAndEncrypt)
s
Connecting to opc.tcp://kumara:52520/OPCUA/SampleConsoleServer_TEST
12/16/2016 00:49:34.088 INFO Reading application certificate from C:\Users\karthi\Documents\NetBeansProjects\OPCUA_Original\PKI\CA\private\SampleConsoleClient_TEST@kumara.der
12/16/2016 00:49:34.103 INFO Reading private key from keystore C:\Users\karthi\Documents\NetBeansProjects\OPCUA_Original\PKI\CA\private\SampleConsoleClient_TEST@kumara.pem
12/16/2016 00:49:35.182 INFO HTTPS certificate loaded from PKI\CA\private\SampleConsoleClient_TEST@kumara_https.der
12/16/2016 00:49:35.182 INFO HTTPS private key loaded from PKI\CA\private\SampleConsoleClient_TEST@kumara_https.pem
Using SecurityPolicy http://opcfoundation.org/UA/Se…..ic128Rsa15

*** The Server Certificate : // Is it the validation of server certificate received from GetEndpoints response or CreateSession Response ?

Subject : O=Sample Organisation, CN=SampleConsoleServer_TEST@kumara
Issued by : O=Sample Organisation, CN=SampleConsoleServer_TEST@kumara
Valid from: Wed Dec 14 23:49:57 IST 2016
to: Sun Dec 13 00:49:57 IST 2026

* The Certificate is self-signed.

Note: If the certificate is not OK,
you will be prompted again, even if you answer ‘Always’ here.

Do you want to accept this certificate?
(A=Always, Y=Yes, this time, N=No)
(D=Show Details of the Certificate)
Y
12/16/2016 00:51:10.044 INFO Certificate ‘0A1B2623DBA7FC5DC73DFB6E64AEB51BFAF2EFED’ added to rejected certificates.

ServerState changed from Unknown to Running

ServerStatus: ServerStatusDataType: ServerStatusDataType
StartTime=12/15/16 19:19:15.8960000 GMT
CurrentTime=12/15/16 19:21:10.0750000 GMT
State=ServerState
name=Running
ordinal=0
BuildInfo=BuildInfo
ProductUri=urn:prosysopc.com:OPCUA:SampleConsoleServer_TEST
ManufacturerName=Prosys PMS Ltd
ProductName=SampleConsoleServer_TEST
SoftwareVersion=1.1
BuildNumber=1
BuildDate=12/14/16 20:33:08.2510000 GMT
SecondsTillShutdown=0
ShutdownReason=null

*** Connected to: opc.tcp://kumara:52520/OPCUA/SampleConsoleServer_TEST

*** Current Node: Root: FolderType (ID: i=84)
——————————————————————————————————————————————————————–

Kindly clarify the questions seen in the above output and also brief when the server certificate is validated in the client side in the example programs ?
Why CA private key files are also loaded ?

Now I have implemented the validator correctly for two conditions, one for cert value (null) and one for cert value(not null), validator works fine for server side.

Thanks again !

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
10 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 737

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1524

Posts: 6450

Newest Members:

fannielima, kristiewinkle8, rust, christamcdowall, redaahern07571, nigelbdhmp, travistimmons, AnnelCib, dalenegettinger, howardkennerley

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1026, Jimmy Ni: 26, Matti Siponen: 346, Lusetti: 0

Administrators: admin: 1