9:56, EET
February 23, 2012
I am evaluating your Prosys-OPC-UA-Java-SDK-Client-Server-Evaluation-1.3.0-3321 archive.
I tried to open a secure session from a simple OPC client to your java OPC UA server like this:
client part:
I generated a certificate and keys like this:
* Generate private key:
> openssl genrsa -des3 -out privkey.pem 2048
* Generate self-signed PEM encoded certificate:
> openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
* Convert private key to PKCS#12 format:
> openssl pkcs12 -export -in cacert.pem -inkey privkey.pem -out privkey.pfx
And here after the java OPC UA client part:
// Load the application instance certificate and its private key (PKCS#12 keystore, password "xxx")
Cert myClientCertificate = Cert.load(Test01.class.getResource("cacert.pem"));
PrivKey myClientPrivateKey = PrivKey.loadFromKeyStore(Test01.class.getResource("privkey.pfx"), "xxx");
KeyPair myClientApplicationInstanceCertificate = new KeyPair(myClientCertificate, myClientPrivateKey);
Client myClient = new Client(myClientApplicationInstanceCertificate);
// Discover the server endpoints and keep only opc.tcp + SignAndEncrypt + Basic128Rsa15
EndpointDescription[] endpoints = myClient.discoverEndpoints("opc.tcp://remote_address_to_server_side:52520/OPCUA/SampleConsoleServer");
endpoints = EndpointUtil.selectByProtocol(endpoints, "opc.tcp");
endpoints = EndpointUtil.selectByMessageSecurityMode(endpoints, MessageSecurityMode.SignAndEncrypt);
endpoints = EndpointUtil.selectBySecurityPolicy(endpoints, SecurityPolicy.BASIC128RSA15);
endpoints = EndpointUtil.sortBySecurityLevel(endpoints);
// Take the endpoint with the highest security level
EndpointDescription endpoint = endpoints[endpoints.length - 1];
// Open the secure channel and create/activate the session
SessionChannel mySession = myClient.createSessionChannel(endpoint);
mySession.activate();
Like this, I cannot connect. I get an “Asymmetric Signature Verification fails” from server side without more explanations (even in DEBUG log level).
I can add that the client runs under GNU/Linux Ubuntu 11.04 platform and the server runs under Windows XP SP3 platform.
Would you be able to help me?
10:04, EET
December 21, 2011
poubelle2012 said
I am evaluating your Prosys-OPC-UA-Java-SDK-Client-Server-Evaluation-1.3.0-3321 archive.
I tried to open a secure session from a simple OPC client to your java OPC UA server like this:
client part:
I generated a certificate and keys like this:
* Generate private key:
> openssl genrsa -des3 -out privkey.pem 2048
The stack does not currently work with other than 1024 bit private keys.
Also, the OPCUA certificates require some additional fields, so you should use the methods of ApplicationIdentity to create a valid certificate for your Java application.
10:49, EET
February 23, 2012
I thank you for your very fast reply.
I have just tried to use your com.prosysopc.ua.ApplicationIdentity class in your com.prosysopc.ua.samples.SampleConsoleClient class.
It generates two files:
the PEM encoded private key in pem format: SampleConsoleClient.pem
the DER encoded certificate: SampleConsoleClient.der
Then, to use it, I convert these files like this:
* DER certificate to PEM certificate
> openssl x509 -in SampleConsoleClient.der -inform DER -out SampleConsoleClient.cert.pem -outform PEM
* PEM certificate + PEM private key to PKCS#12 PRIVKEY format:
> openssl pkcs12 -export -inkey SampleConsoleClient.pem -in SampleConsoleClient.cert.pem -out SampleConsoleClient.pfx
Then, my java code becomes:
// Load the certificate generated by ApplicationIdentity and the private key converted to PKCS#12 (password "opcua")
Cert myClientCertificate = Cert.load(Test01.class.getResource("SampleConsoleClient.cert.pem"));
PrivKey myClientPrivateKey = PrivKey.loadFromKeyStore(Test01.class.getResource("SampleConsoleClient.pfx"), "opcua");
KeyPair myClientApplicationInstanceCertificate = new KeyPair(myClientCertificate, myClientPrivateKey);
Client myClient = new Client(myClientApplicationInstanceCertificate);
// Discover the server endpoints and keep only opc.tcp + SignAndEncrypt + Basic128Rsa15
EndpointDescription[] endpoints = myClient.discoverEndpoints("opc.tcp://remote_address_to_server_side:52520/OPCUA/SampleConsoleServer");
endpoints = EndpointUtil.selectByProtocol(endpoints, "opc.tcp");
endpoints = EndpointUtil.selectByMessageSecurityMode(endpoints, MessageSecurityMode.SignAndEncrypt);
endpoints = EndpointUtil.selectBySecurityPolicy(endpoints, SecurityPolicy.BASIC128RSA15);
endpoints = EndpointUtil.sortBySecurityLevel(endpoints);
// Take the endpoint with the highest security level
EndpointDescription endpoint = endpoints[endpoints.length - 1];
SessionChannel mySession = myClient.createSessionChannel(endpoint); // line 113
mySession.activate();
// etc...
I get the following message in client side:
2857 INFO [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - /131.1.30.58:52520 Connecting
3033 INFO [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - /131.1.30.58:52520 Connected
3033 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp - tokenLifetime: 3600000
3033 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - 0 Sending Request (rid=1)OpenSecureChannelRequest
3033 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - token=null
3033 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - SecureChannelId=0 SequenceNumber=1, RequestId=1
3123 DEBUG [main] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmEncryptSigner - Asym ecryption: Total decrypted bytes: 128
3123 DEBUG [main] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmEncryptSigner - Asym encryption: Offsets: 117 outputOffset: 1030 and index : 902
3123 DEBUG [main] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmEncryptSigner - Asym ecryption: Total decrypted bytes: 128
3123 DEBUG [main] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmEncryptSigner - Asym encryption: Offsets: 234 outputOffset: 1158 and index : 1019
3198 DEBUG [TcpConnection/Read] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmDecryptVerifier - SecurityPolicy in use: http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
3198 DEBUG [TcpConnection/Read] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmDecryptVerifier - SecurityMode in use: SignAndEncrypt
3205 DEBUG [TcpConnection/Read] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmDecryptVerifier - Asym Signature Verify : OK
3222 DEBUG [TcpConnection/Read] org.opcfoundation.ua.transport.tcp.io.TcpConnection - new token=SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)
3222 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp - 9 Secure channel opened, SecureChannelId=9, TokenId=1
3222 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp - RevisedLifetime: 3600000
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp - serviceRequest: requests.size=1
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - 9 Sending Request (rid=2)CreateSessionRequest
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - pruneInvalidTokens: tokens(1)=[SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)]
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - tokens=[SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)]
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - getSecurityTokenToUse#1=SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - getSecurityTokenToUse#2=SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection - token=SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)
3232 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp - Message sent, requestId=2, secureChannelId=9
3319 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp - Response: CreateSessionResponse
3320 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp - BAD response: Bad_CertificateUntrusted (0x801A0000) "The Certificate is not trusted."
3320 INFO [Blocking-Work-Executor-1] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp - 9 Closed
Exception in thread "main" ServiceFault: Bad_CertificateUntrusted (0x801A0000) "The Certificate is not trusted."
Diagnostic Info:
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(SecureChannelTcp.java:371)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(SecureChannelTcp.java:311)
at org.opcfoundation.ua.application.Client.createSession(Client.java:162)
at org.opcfoundation.ua.application.Client.createSession(Client.java:105)
at org.opcfoundation.ua.application.Client.createSessionChannel(Client.java:275)
at myopcuatest.Test01.main(Test01.java:113)
line 113 of Test01.main is the following one:
SessionChannel mySession = myClient.createSessionChannel(endpoint);
11:29, EET
December 21, 2011
Jouni Aro said
Yes, this is expected: you must accept the certificate in the server. In the Java SDK SampleConsoleServer, you do this by moving the certificate from the PKI/CA/rejected folder to PKI/CA/certs.
You can use the certificate in DER format as well for Cert.load().
13:47, EET
February 23, 2012
poubelle2012 said
Ok, it works well now!
It’s very kind of you to give as much attention to my questions. It has really helped me.
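The two points settled in this thread (an OPC UA application instance certificate needs fields that a plain openssl self-signed certificate lacks, and the server trusts a certificate only after its file is moved from PKI/CA/rejected to PKI/CA/certs) can be checked before connecting. The following pre-flight check is an added example and not code from the Prosys SDK or the OPC Foundation stack: the class name UaCertCheck is my own, it reads the certificate file in DER or PEM form (e.g. SampleConsoleClient.der), prints the SHA-1 thumbprint so the file in the rejected folder can be compared against the client's own certificate before it is trusted, and flags a missing application URI, missing key usage bits, or an RSA key size other than the one expected; the 1024-bit figure is the one stated in this thread for SDK 1.3.0 and is passed in as a parameter.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;

/** Pre-flight check of an OPC UA application instance certificate (added helper, not part of the SDK). */
public class UaCertCheck {
    static final int SAN_URI = 6; // GeneralName tag for uniformResourceIdentifier inside subjectAltName

    /** Returns the problems found; an empty list means the certificate looks usable for a secure endpoint. */
    static List<String> check(X509Certificate cert, int requiredKeyBits) throws Exception {
        List<String> problems = new ArrayList<>();
        // Key type and size: the thread reports that this SDK version only accepted 1024-bit RSA keys.
        RSAPublicKey rsa = cert.getPublicKey() instanceof RSAPublicKey ? (RSAPublicKey) cert.getPublicKey() : null;
        if (rsa == null) problems.add("public key is not RSA");
        else if (rsa.getModulus().bitLength() != requiredKeyBits)
            problems.add("RSA key is " + rsa.getModulus().bitLength() + " bits, expected " + requiredKeyBits);
        // Application URI: OPC UA requires a URI entry in subjectAltName, which a plain "openssl req" omits.
        boolean hasUri = false;
        if (cert.getSubjectAlternativeNames() != null)
            for (List<?> san : cert.getSubjectAlternativeNames()) hasUri |= (Integer) san.get(0) == SAN_URI;
        if (!hasUri) problems.add("subjectAltName has no URI entry (application URI)");
        // Key usage: digitalSignature (bit 0) and keyEncipherment (bit 2) are needed for Sign / SignAndEncrypt.
        boolean[] ku = cert.getKeyUsage();
        if (ku == null || !ku[0] || !ku[2]) problems.add("keyUsage lacks digitalSignature and/or keyEncipherment");
        return problems;
    }

    /** SHA-1 thumbprint of the DER encoding, to compare with the file found under PKI/CA/rejected before trusting it. */
    static String thumbprint(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(cert.getEncoded())) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java UaCertCheck SampleConsoleClient.der   (DER or PEM input; CertificateFactory reads both)
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println("Subject:    " + cert.getSubjectX500Principal());
            System.out.println("Thumbprint: " + thumbprint(cert));
            List<String> problems = check(cert, 1024);
            System.out.println(problems.isEmpty() ? "OK" : "Problems: " + problems);
        }
    }
}
```

Running it against the certificate from the first post (the plain openssl self-signed one) reports the missing URI and the 2048-bit key, which are the two causes Jouni names; run against SampleConsoleClient.der it should report OK, leaving only the trust step on the server side.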