Connecting with certificate results in "bad connection" | OPC UA SDK for JavaProsys Forum

Please consider registering
guest

Forum

OPC UA SDK for Java
sp_ArrowRight

Connecting with certificate results in "bad connection"

Topic RSS

Connecting with certificate results in "bad connection"

January 24, 2022
15:46, EET

eidelmany

Member

Members

Forum Posts: 3

Member Since:
January 24, 2022

Offline

I’m trying to connect my Android application to a OPC server. I’m using a PKI file which I have verified that I can connect using that file through dataFEED OPC UA Client by Softing. I’m able to connect using anonymous and username/password but certificate is giving me issues.

Getting the following error:
com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://10.249.xx.xx:4840 [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign] ServiceResult=Bad_ConnectionClosed (0x80AE0000) “The network connection has been closed.”

Caused by: com.prosysopc.ua.stack.common.ServiceResultException: Bad_ConnectionClosed (code=0x80AE0000, description=”Connection closed (graceful)”)
Caused by: java.io.EOFException

0x80AE0000 = “BasConnectionClosed” which is just a generic error that doesn’t tell me what the problem is.

Any ideas on what could be causing this?

ApplicationDescription description = new ApplicationDescription();
description.setApplicationName(new LocalizedText(appName + “@localhost”));
description.setApplicationType(ApplicationType.Client);

File pfx = new File(“” + “dataFEEDOpcUaClient.pfx”);

ApplicationIdentity identity = ApplicationIdentity.loadOrCreateCertificate(description, “dataFEEDOpcUaClient”, “”, pfx, true);
identity.setApplicationDescription(description);
identity.setOrganisation(appName);
connect(address, identity, 60000, mode, objectNodeName, rtu, null, null)
.subscribe(emitter::onComplete, emitter::onError);

private Completable connect(String serverAddress, ApplicationIdentity identity, long timeout, SecurityMode mode, String objectNodeName, String rtu, String userName, String password) {
connected = true;
return Completable.create(emitter -> {
if (!clients.containsKey(objectNodeName) || clients.get(objectNodeName) == null) {
clients.put(objectNodeName, new RTUClient(updateInterval, objectNodeName, listener, nodeDao));
}
RTUClient client = clients.get(objectNodeName);
if (!client.getClient().isConnected()) {
client.getClient().setAddress(serverAddress);
client.getClient().setApplicationIdentity(identity);
client.getClient().setTimeout(timeout);
client.getClient().addServerStatusListener(new RTUServerStatusListener());
client.getClient().setSecurityMode(mode);
if (userName != null && password != null) {
client.getClient().setUserIdentity(new UserIdentity(userName, password));
}
try {
client.getClient().connect();
collectVariableNodes(objectNodeName, rtu, client).subscribe(emitter::onComplete);
} catch (Exception e) {
emitter.tryOnError(e);
}
}
}).subscribeOn(Schedulers.io())
.doOnComplete(() -> System.out.printf(LogMessages.CONNECTION_SUCCESS, TAG, rtu, objectNodeName))
.doOnError(error -> System.out.printf(LogMessages.CONNECTION_ERROR, TAG, rtu, objectNodeName, error.getLocalizedMessage()));
}

January 25, 2022
16:18, EET

Bjarne Boström

Moderator

Moderators

Forum Posts: 1026

Member Since:
April 3, 2012

Offline

Hi,

I cannot know what your “RTUClient” class does. Does it just hold the UaClient in a field or does it something special?

Please try first run the SampleConsoleClient pretty much “as is” and check differences to your code.

I believe there was some issues with private key passwords on Android, if you have one, please try without, if that is an option for you.

Also, normally we have used .der format for public keys and .pem for private keys, you could try converting. Though, in general you should not use the keys of another client, but create own keys per client (it looks a lot like you try to use the “dataFEED OPC UA Client by Softing” keys).

February 4, 2022
15:08, EET

eidelmany

Member

Members

Forum Posts: 3

Member Since:
January 24, 2022

Offline

“RTUClient” is just a helper class doing some over the overhead.

I have tried running SampleConsoleClient and at first I was getting the same error. I was able to make some adjustments and after adding the .der file to the OPC server so that the connection can be trusted I’m getting this error:

com.prosysopc.ua.SessionActivationException: Failed to initialize User Identity Token: Bad_IdentityTokenRejected (code=0x80210000, description=”Anonymous UserTokenType is not supported”) ServiceResult=Bad_IdentityTokenRejected (0x80210000) “The user identity token is valid but the server has rejected it.”
Caused by: com.prosysopc.ua.stack.common.ServiceResultException: Bad_IdentityTokenRejected (code=0x80210000, description=”Anonymous UserTokenType is not supported”)
The server supports the following user tokens:
Certificate

February 4, 2022
15:23, EET

Matti Siponen

Moderator

Members

Moderators

Forum Posts: 346

Member Since:
February 11, 2020

Offline

Hello,

Since the description for the ServiceResultException is “Anonymous UserTokenType is not supported”, it would imply that the Server doesn’t support connecting with anonymously. Were you attempting to connect with Anonymous UserTokenType?

To use a certificate as a UserIdentity, you will need to construct a UserIdentity instance using either new UserIdentity(Cert certificate, PrivKey privateKey) or new UserIdentity(File certificateFile, File privateKeyFile, String privateKeyPassword) and then have your UaClient to use it with UaClient.setUserIdentity(UserIdentity userIdentity). Note, that it is up to the Server whether or not it accepts the certificate.

March 26, 2022
13:59, EET

eidelmany

Member

Members

Forum Posts: 3

Member Since:
January 24, 2022

Offline

You’re correct, the problem was with the way I was using UserIdentity. I was able to get SampleConsoleClient .java to connect using a certificate. I then tried to migrate it into my Android application but I’m now getting the same error as before:

com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://10.249.xx.xx:4840 [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign] ServiceResult=Bad_ConnectionClosed (0x80AE0000) “The network connection has been closed.

I’m not sure why, the code base is exactly the same its just being compiled on Android. Other types of authentication (anonymous and username/password) still work.

I have attached my two SampleConsoleClient (renamed to be CertConnection) in this GitHub repo. The ‘Script’ directory is the SampleConsoleClient that I modified and it works fine. The other directory is the SampleConsoleClient that worked that I slightly modified to work in Android but I get the above error message.

https://github.com/yaron-e/opcUA

Thank you for helping!

March 29, 2022
11:04, EEST

Matti Siponen

Moderator

Members

Moderators

Forum Posts: 346

Member Since:
February 11, 2020

Offline

Hello,

We don’t debug code posted at this forum for errors.

If the code is working elsewhere but not on Android, it could be that BouncyCastle libraries are used on Android instead of the correct SpongyCastle libraries. In addition to the libraries in the “lib” folder of the SDK distribution, libraries in the “lib-android” folder of the SDK distribution must be used when working on Android. Let the libraries from “lib-android” folder overwrite the libraries from “lib” folder in your project.

If using the correct libraries doesn’t solve the issue, can you provide a full stack trace that lead to com.prosysopc.ua.client.ConnectException?

All RSS

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
19 Guest(s)

Currently Browsing this Page:
1 Guest(s)