Cannot connect to the server with BASIC256 s&e security
April 29, 2016, 3:22 EEST
zhencai (Member, Forum Posts: 8, Member Since: August 11, 2015)

I’m trying to connect to a (custom) Unified Automation SDK-built server from my project using NONE, BASIC256 / BASIC128RSA15 sign & encrypt. While BASIC128RSA15 s&e (and #NONE) connections work easily, I can’t get the BASIC256 to work. I installed the “JCE Unlimited Strength Jurisdiction Policy Files” into the JRE. The error message below does not help much. Any idea what is missing in my code?

BTW, I can use “Prosys OPCUA Client” to the server with NONE, BASIC256 / BASIC128RSA15 sign & encrypt without any problem. Is it possible you can share the source code of Prosys OPCUA Client?

Caused by: com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://3.39.58.115:48010 [http://opcfoundation.org/UA/SecurityPolicy#Basic256,Sign] ServiceResult=BAD (0x80000000) ""
    at com.prosysopc.ua.client.UaClient.createSecureChannel(UaClient.java:4770)
    at com.prosysopc.ua.client.UaClient.connect(UaClient.java:808)
    at com.ge.dspmicro.machineadapter.opcua.impl.OPCUAClientImpl.connect(OPCUAClientImpl.java:228)
    ... 43 more
Caused by: org.opcfoundation.ua.common.ServiceResultException: BAD (0x80000000) ""
    at org.opcfoundation.ua.transport.tcp.io.TcpConnection$ReadThread.run(TcpConnection.java:763)

April 29, 2016, 10:18 EEST
Heikki Tahvanainen (Member, Forum Posts: 402, Member Since: April 17, 2013)

Hello Zhencai,

I’m sorry to hear that you are experiencing problems. You mentioned that the connection works with Prosys OPC UA Client. Have you tried connecting with the SampleConsoleClient, which is shipped together with the SDK? If the connection works with the SampleConsoleClient, then you can look at the source code easily.

Also, I would like to use this opportunity to promote new SDK versions. I assume that you are using the 2.1.2 version of the SDK because you mention the Jurisdiction Policy files. After the 2.1.2 version, there have been two releases of the SDK. Version 2.2.0 included security framework rework which means that the Jurisdiction Policy files are no longer used. For more details about release history, see: https://prosysopc.com/products/opc-ua-java-sdk/release-history/

Please let me know if you have more questions or comments.

April 30, 2016, 3:54 EEST
zhencai (Member, Forum Posts: 8, Member Since: August 11, 2015)

Thank you, Heikki.
Yes, we use the 2.1.2 SDK. The SampleConsoleClient can connect to the server with BASIC256 S&E without a problem. I checked the code of SampleConsoleClient. We have a different way of creating the ApplicationIdentity instance, as shown below. I appended the server-side log as well. Any idea what’s missing in the code below?

// Client pointing at the configured endpoint URL
UaClient client = new UaClient(this.adapterConfig.getServerUri());

// Load the application instance certificate and its private key from our own keystore
char[] keystorePassword = this.securityUtils.getDecryptedConfigProperty(this.servicePid, KEYSTORE_PASSWORD);
KeyStore keyStore = OPCUASecurityUtil.loadKeyStore(ROOT_FOLDER + this.config.keystorePath(),
        keystorePassword, this.config.keystoreType());
Certificate cert = keyStore.getCertificate(this.config.keyAlias());
char[] keyPassword = this.securityUtils.getDecryptedConfigProperty(this.servicePid, KEY_PASSWORD);
Key privateKey = keyStore.getKey(this.config.keyAlias(), keyPassword);

// Server certificates are validated against our own truststore
client.setCertificateValidator(new OPCUACertificateValidator(ROOT_FOLDER + this.config.truststorePath(),
        this.config.truststoreType(),
        this.securityUtils.getDecryptedConfigProperty(this.servicePid, TRUSTSTORE_PASSWORD),
        false));

// ApplicationDescription sent to the server; the ApplicationUri should match the SAN URI in the certificate
ApplicationDescription appDesc = new ApplicationDescription();
appDesc.setApplicationName(new LocalizedText(this.adapterConfig.getAppName()));
appDesc.setApplicationUri(this.adapterConfig.getAppUri());
appDesc.setProductUri(this.adapterConfig.getProductUri());
appDesc.setApplicationType(ApplicationType.Client);

// Build the identity from the loaded certificate and RSA private key instead of from a keystore file
ApplicationIdentity appId = new ApplicationIdentity(new Cert(cert), new PrivKey((RSAPrivateKey) privateKey));
appId.setApplicationDescription(appDesc);

client.setApplicationIdentity(appId);
client.setSecurityMode(this.securityMode);
client.setUserIdentity(new UserIdentity());

Below is the log on the server side:
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_OnNotify: Request
00:49:57.671Z|4|2288* [uastack] SecureStream - CheckInputHeaderType - OpenSecureChannel Service
00:49:57.671Z|4|2288* [uastack] ProcessOpenSecureChannelRequest: SID 0, SURI “http://opcfoundation.org/UA/SecurityPolicy#Basic256”
00:49:57.671Z|4|2288* [uastack] ProcessOpenSecureChannelRequest: Client certificate chain has 1 elements.
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelByTransportConnection: Searched securechannel found!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelByTransportConnection: Searched SecureChannel 0x046AE308 with id 0 refs 1!
00:49:57.671Z|4|2288* [uastack] SecureListener - PolicyManager_IsValidSecurityPolicy: Searched security policy found!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ValidateCertificate: success
00:49:57.671Z|4|2288* [uastack] ProcessOpenSecureChannelRequest: Client Certificate validated! (0x00000000)
00:49:57.671Z|4|2288* [uastack] OpcUa_Endpoint_OnSecureChannelEvent: SecureChannel open certificate verification request!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ChannelManager_AcquireChannel: SecureChannel 0x046AE308 with id 0 refs 2!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureStream_AppendInput: Appending buffer at index 0 with data 0x0470AFD0!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureStream_DecryptInputBuffer: Could not decrypt message!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureStream_DecryptInputBuffer: Decryption of message failed with 0x80000000!
00:49:57.671Z|4|2288* [uastack] OpcUa_Endpoint_OnSecureChannelEvent: unknown SecureChannel event!
00:49:57.671Z|3|2288* UaServer_EndpointCallback: Unknown Endpoint event!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ChannelManager_ReleaseChannel: Searched SecureChannel 0x046AE308 with id 0 refs 1!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ChannelManager_ReleaseChannel: Searched SecureChannel 0x046AE308 with id 0 refs 0!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelByTransportConnection: Searched securechannel found!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelByTransportConnection: Searched SecureChannel 0x046AE308 with id 0 refs 1!
00:49:57.671Z|4|2288* [uastack] OpcUa_Endpoint_OnSecureChannelEvent: SecureChannel closed!
00:49:57.671Z|3|2288* UaServer_EndpointCallback: SecureChannel 0 closed! [status=0x80000000]
00:49:57.671Z|6|2288* --> SessionManager::secureChannelDeleted EndpointIndex = 0, SecureChannelId = 0
00:49:57.671Z|6|2288* <-- SessionManager::secureChannelDeleted - did not find the SecureChannelId
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ProcessRequest: Closing channel due error 0x80000000!
00:49:57.671Z|4|2288* [uastack] OpcUa_SecureListener_ChannelManager_ReleaseChannel: Searched SecureChannel 0x046AE308 with id 0 refs 0!
00:49:57.671Z|4|2288* [uastack] OpcUa_TcpListener_ReadEventHandler: Process Request returned an error (0x80000000)!
00:49:57.671Z|4|2288* [uastack] OpcUa_TcpListener_SendErrorMessage: to 3.39.78.38:49362 (socket 44CB3E8) with StatusCode 0x80000000
00:49:57.671Z|4|2288* [uastack] OpcUa_TcpStream_Flush: Flush no. 1 with 5000 max flushes and final flag 1!
00:49:57.671Z|4|2288* [uastack] OpcUa_TcpStream_Flush: Messagelength is 16! Last Call!
00:49:57.671Z|4|2288* [uastack] OpcUa_TcpStream_Flush: Buffer emptied!
00:49:57.671Z|4|2288* [uastack] OpcUa_TcpListener_ReadEventHandler: Closing socket (0x00000000)!
00:49:57.671Z|4|2288* [uastack] OpcUa_TcpListener_CloseConnection: Connection 01150003 is being closed with status 0x00000000

May 2, 2016, 11:03 EEST
Heikki Tahvanainen (Member, Forum Posts: 402, Member Since: April 17, 2013)

Hello Zhencai,

Thanks for the information. Something in the certificate creation causes the certificates to work with other security policies but fail with BASIC256. Can you tell more about how the certificates are created?

It’s good to know that the connection works with SampleConsoleClient – that helps to narrow the problem to the client side application. To be sure: can you confirm that this error shows up also if you use SampleConsoleServer as the server application?

May 3, 2016, 1:37 EEST
zhencai (Member, Forum Posts: 8, Member Since: August 11, 2015)

Hi Heikki,

We use Java keytool to create the certificate in the startup script.

keytool -genkey \
    -keystore "$PREDIX_MACHINE_HOME/$OPCUA_KEYSTORE_PATH" \
    -alias dspmicro \
    -storepass "$KEYPASS" \
    -keypass "$KEYPASS" \
    -keyalg RSA \
    -sigalg SHA256withRSA \
    -keysize 2048 \
    -storetype JKS \
    -validity 3650 \
    -dname "CN=dspmicro, OU=Predix, O=GE, L=San Ramon, S=CA, C=US"

I did not try SampleConsoleServer since I tried two OPC UA servers, one from Prosys and another from another company. My program throws exactly the same exception. So it should be a client issue, not a server issue.

May 3, 2016, 10:59 EEST
Jouni Aro (Moderator, Forum Posts: 1026, Member Since: December 21, 2011)

Your certificate is at least missing the SubjectAlternativeNames field, which is compulsory for OPC UA certificates. Therefore, we recommend that you use the methods in org.opcfoundation.ua.utils.CertificateUtils to generate and store the certificate and keys: createApplicationInstanceCertificate, saveKeyPairToProtectedStore, loadKeyPairFromProtectedStore.

With keytool, you should be able to generate the Subject Alternative Names as well, using ‘-ext san=uri:’. Additionally, you may need to define all the DNS/IP addresses that the server is running at (if your application is a UA server). Use ‘-ext san=dns:’ or ‘-ext san=ip:’.

However, we haven’t used keytool much ourselves, so I am not 100% certain if that’s enough. Therefore, the utility methods in the UA stack are safer for this. The UA specification regarding the certificate details has been changing a bit regarding these alternative fields. See OPC UA Spec. Part 6, 6.2.2 for details.

https://opcfoundation.org/developer-tools/specifications-unified-architecture

May 3, 2016, 11:07 EEST
Jouni Aro (Moderator, Forum Posts: 1026, Member Since: December 21, 2011)

Since you can connect with Basic128, it does sound strange though that the server would not accept the same cert with Basic256.

May 7, 2016, 1:32 EEST
zhencai (Member, Forum Posts: 8, Member Since: August 11, 2015)

I generated the key with a SAN specifying the OPC UA server hostname and IP address, but I got the same exception. We cannot use org.opcfoundation.ua.utils.CertificateUtils to generate the certificate since we have all keys (including the OPC UA key) managed in one script. Any other suggestion? Is it possible that someone at Prosys looks into the issue? In a Java application it is very common to use keytool to generate the key. Thank you.

keytool -genkey \
    -keystore "$PREDIX_MACHINE_HOME/$OPCUA_KEYSTORE_PATH" \
    -alias dspmicro \
    -storepass "$KEYPASS" \
    -keypass "$KEYPASS" \
    -keyalg RSA \
    -sigalg SHA256withRSA \
    -keysize 2048 \
    -storetype JKS \
    -validity 3650 \
    -dname "CN=dspmicro, OU=Predix, O=GE, L=San Ramon, S=CA, C=US" \
    -ext san=dns:SFO1200021427B.logon.ds.ge.com,ip:3.39.58.115

May 11, 2016, 16:51 EEST
Heikki Tahvanainen (Member, Forum Posts: 402, Member Since: April 17, 2013)

Hello Zhencai,

As Jouni mentioned, we haven’t used keytool much ourselves. However, using the keytool to generate OPC UA certificates is something that is interesting to test. We will report the results as soon as we find something worth reporting.

May 19, 2016, 15:36 EEST
Heikki Tahvanainen (Member, Forum Posts: 402, Member Since: April 17, 2013)

Hello,

I have now tested this issue and at the moment I’m not able to reproduce the error. I generated the certificate with the following keytool command:

keytool -genkey -alias testalias -storepass storepass -keypass keypass \
    -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -storetype JKS -validity 3650 \
    -dname "CN=SampleConsoleClient, O=SampleOrganization"

Then I modified the SampleConsoleClient to retrieve the ApplicationIdentity from the keystore:

final ApplicationIdentity identity = new ApplicationIdentity(
        new File("C:\\Users\\Heikki\\.keystore"), "testalias", "keypass", "storepass", "JKS");

After this, I can connect normally to the SampleConsoleServer with all available security policies (BASIC128RSA15, BASIC256 and BASIC256SHA256).

So, it seems that this issue is probably not related to the usage of the keytool. I am using the latest version of the SDK.

I understand that you have already installed the JCE Unlimited Strength Jurisdiction Policy files. However, these files would still be the most obvious explanation. That would explain why the BASIC128RSA15 works and BASIC256 doesn’t work.

Could you test if this issue happens to you also with the latest SDK release? If it happens to you also with the latest release, then there must be something wrong with the SDK that we just cannot reproduce at the moment.

December 14, 2021, 10:41 EET
rocket science (Member, Forum Posts: 88, Member Since: March 16, 2017)

As many newer OPC UA servers reject the certificate when the ‘Key Usage’ and ‘Enhanced Key Usage’ extensions are missing, the command line should be extended with the parameters -ext KU and -ext EKU:

keytool -genkey -alias testalias -storepass storepass -keypass keypass \
    -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -storetype JKS -validity 3650 \
    -dname "CN=SampleConsoleClient, O=SampleOrganization" \
    -ext SAN=URI:"urn:<myhostname>:OPCUA:SampleConsoleClient",DNS:<myhostname> \
    -ext KU=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment \
    -ext EKU=serverAuth,clientAuth
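The requirements raised in this thread (a SubjectAltName URI that matches the ApplicationUri, DNS/IP entries for a server, the Key Usage and Extended Key Usage extensions) can be checked on a keytool-generated certificate before it is handed to the SDK, which is quicker than reading a BAD (0x80000000) from the server. The following is an added example using only standard JDK classes; it is not Prosys SDK code and was not posted by anyone in this thread. The keystore path, alias, store password and application URI are placeholders to be replaced with your own values, and the 2048-bit RSA minimum and SHA256withRSA check are assumptions chosen to match the keytool commands above rather than limits the thread states.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Pre-flight check for an OPC UA application instance certificate stored in a
 * JKS/PKCS12 keystore. Returns a list of problems; an empty list means the
 * certificate carries the extensions discussed in the thread.
 */
public class OpcUaCertCheck {

    // GeneralName tags as returned by X509Certificate.getSubjectAlternativeNames()
    private static final int GN_DNS = 2;
    private static final int GN_URI = 6;
    private static final int GN_IP = 7;

    // KeyUsage bit positions in the boolean[] from getKeyUsage() (RFC 5280 order)
    private static final int KU_DIGITAL_SIGNATURE = 0;
    private static final int KU_NON_REPUDIATION = 1;
    private static final int KU_KEY_ENCIPHERMENT = 2;
    private static final int KU_DATA_ENCIPHERMENT = 3;

    private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    public static List<String> check(X509Certificate cert, String applicationUri, boolean isServer)
            throws Exception {
        List<String> problems = new ArrayList<>();

        // 1. SubjectAltName: a URI entry must equal the ApplicationUri sent in the
        //    ApplicationDescription; a server additionally needs DNS or IP entries.
        boolean uriMatches = false;
        boolean hasHostName = false;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            problems.add("no SubjectAlternativeName extension");
        } else {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                String value = String.valueOf(san.get(1));
                if (type == GN_URI && value.equals(applicationUri)) uriMatches = true;
                if (type == GN_DNS || type == GN_IP) hasHostName = true;
            }
            if (!uriMatches) problems.add("SAN has no URI entry equal to ApplicationUri " + applicationUri);
            if (isServer && !hasHostName) problems.add("server certificate has no DNS/IP entry in SAN");
        }

        // 2. KeyUsage: the four bits the -ext KU parameter above sets
        boolean[] ku = cert.getKeyUsage();
        if (ku == null) {
            problems.add("no KeyUsage extension");
        } else {
            int[] required = {KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION, KU_KEY_ENCIPHERMENT, KU_DATA_ENCIPHERMENT};
            String[] names = {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment"};
            for (int i = 0; i < required.length; i++) {
                if (ku.length <= required[i] || !ku[required[i]]) problems.add("KeyUsage lacks " + names[i]);
            }
        }

        // 3. ExtendedKeyUsage: serverAuth and clientAuth, as set by -ext EKU above
        List<String> eku = cert.getExtendedKeyUsage();
        if (eku == null) {
            problems.add("no ExtendedKeyUsage extension");
        } else {
            if (!eku.contains(EKU_SERVER_AUTH)) problems.add("EKU lacks serverAuth");
            if (!eku.contains(EKU_CLIENT_AUTH)) problems.add("EKU lacks clientAuth");
        }

        // 4. Key and signature algorithm (assumed thresholds matching the keytool commands in the thread)
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            if (bits < 2048) problems.add("RSA key is only " + bits + " bits");
        } else {
            problems.add("public key is not RSA: " + cert.getPublicKey().getAlgorithm());
        }
        if (!"SHA256withRSA".equalsIgnoreCase(cert.getSigAlgName())) {
            problems.add("signature algorithm is " + cert.getSigAlgName() + ", expected SHA256withRSA");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; replace with your own keystore, alias and ApplicationUri
        String keystorePath = args.length > 0 ? args[0] : "client.jks";
        String alias = args.length > 1 ? args[1] : "testalias";
        String applicationUri = args.length > 2 ? args[2] : "urn:myhostname:OPCUA:SampleConsoleClient";

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, "storepass".toCharArray());
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        List<String> problems = check(cert, applicationUri, false);
        if (problems.isEmpty()) {
            System.out.println("certificate carries the OPC UA extensions checked here");
        } else {
            problems.forEach(p -> System.out.println("PROBLEM: " + p));
        }
    }
}
```

Run it against the keystore produced by the keytool command above; a certificate generated without -ext SAN/KU/EKU reports each missing extension by name, which is the information the server's BAD (0x80000000) does not give you. Pass true as the last argument to check() when the certificate belongs to a server, so the DNS/IP entries are also required.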