19:20, EET
May 19, 2020
Hi,
since an endpoint with security policy set to None can’t be considered safe, we only support at least Sign for endpoints on our server application. On the other hand, if I want to use the OPC UA interface internally on the host device (localhost), there is no need for TLS features (they even hurt performance-wise and complicate things). Basically I was wondering if it is possible to support “None” but only on localhost and provide more secure endpoints for external connections. Do you think there are options with the Server SDK?
Regards,
Christopher
11:35, EET
April 3, 2012
Hi,
It is complicated to explain, so I’ll skip parts, but basically as far as I’m aware, not possible the way you would expect.
I would categorize it as a workaround-grade, but you can prevent a session from being made from a non-local address if it has the None mode. You can do that by attaching a SessionManagerListener to the SessionManager of the UaServer and throwing (using StatusCodes.Bad_SecurityModeInsufficient for the StatusException) in onCreateSession if the Session is being created using None from a non-localhost remote, via the given session parameter:
session.getChannel().getConnection().getRemoteAddress()
And check the MessageSecurityMode from the channel + Session, but do note that the Session and transport layer security mode may differ (e.g. on opc.https the session is made with None or Sign, with the TLS layer providing the encryption, and on Sign the app auth per ApplicationInstanceCertificates is done; on opc.tcp app auth and security for the transport layer are the same, so there it would match).
However, it might not be obvious to the client why it is failing.
P.S.
Generally the issue is that there has been a long-open issue, originally in the Stack, that would enable network-interface-bound GetEndpoints results. That would be the correct way to do this in my opinion. SDK 4.x doesn’t have a “stack” anymore per se (see https://downloads.prosysopc.com/opcua/Prosys_OPC_UA_SDK_for_Java_4_Release_Notes.html#version-4-0-0), but the underlying logic is the same. We can implement this probably in a future version, depending how much it is asked for (since we in general try to prioritize those).
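The workaround described in the reply above, written out as an added example (it is not Prosys sample code and not part of the original posts). It uses only the names the reply gives (SessionManagerListener, SessionManager of the UaServer, onCreateSession, session.getChannel().getConnection().getRemoteAddress(), StatusCodes.Bad_SecurityModeInsufficient, StatusException); the SDK 4.x package names, the exact parameter list of onCreateSession, the getter for the channel's MessageSecurityMode and the addSessionManagerListener method name are assumptions and must be checked against the javadoc of the SDK version in use. The decision logic itself is kept in a plain static method with no SDK dependencies so it can be unit-tested on its own. The example assumes opc.tcp endpoints only; with opc.https the session mode can legitimately be None while TLS protects the transport, as the reply notes, so the endpoint URL would have to be consulted as well.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;

import com.prosysopc.ua.StatusException;                // ASSUMPTION: SDK 4.x package layout
import com.prosysopc.ua.server.Session;
import com.prosysopc.ua.server.SessionManagerListener;
import com.prosysopc.ua.server.UaServer;
import com.prosysopc.ua.stack.core.MessageSecurityMode; // ASSUMPTION: SDK 4.x package layout
import com.prosysopc.ua.stack.core.StatusCodes;         // ASSUMPTION: SDK 4.x package layout

/**
 * Rejects sessions that use MessageSecurityMode.None unless the peer is on a
 * loopback interface. Sign and SignAndEncrypt sessions are accepted from anywhere.
 *
 * NOTE: SessionManagerListener in your SDK version may declare further callbacks
 * (activate/close etc.); implement those as no-ops as required by its javadoc.
 */
public class LoopbackOnlyNoneListener implements SessionManagerListener {

  /**
   * Pure decision logic, free of server types. Returns true when the session may proceed.
   * Fails closed: an unknown/non-IP remote address with mode None is rejected.
   */
  static boolean isAllowed(MessageSecurityMode mode, SocketAddress remote) {
    if (mode != MessageSecurityMode.None) {
      return true; // Sign / SignAndEncrypt: fine from any address
    }
    if (!(remote instanceof InetSocketAddress)) {
      return false; // cannot establish locality, do not grant None
    }
    InetAddress addr = ((InetSocketAddress) remote).getAddress();
    if (addr == null) {
      return false; // unresolved address, fail closed
    }
    // Covers 127.0.0.0/8 and ::1. Java reports an IPv4-mapped IPv6 peer
    // (::ffff:127.0.0.1) as an Inet4Address, so it is handled here as well.
    return addr.isLoopbackAddress();
  }

  // ASSUMPTION: parameter list of onCreateSession; adjust to the SDK version's interface.
  @Override
  public void onCreateSession(Session session) throws StatusException {
    // Both getters on the channel are named in the forum reply.
    SocketAddress remote = session.getChannel().getConnection().getRemoteAddress();
    // ASSUMPTION: getter name for the secure channel's security mode.
    MessageSecurityMode mode = session.getChannel().getMessageSecurityMode();

    if (!isAllowed(mode, remote)) {
      // Log server-side: the client only sees Bad_SecurityModeInsufficient and,
      // as the reply points out, will not know why it was refused.
      System.err.println("Refusing MessageSecurityMode.None session from non-loopback peer " + remote);
      throw new StatusException(StatusCodes.Bad_SecurityModeInsufficient);
    }
  }

  /** Install on the server before start(). ASSUMPTION: registration method name. */
  public static void install(UaServer server) {
    server.getSessionManager().addSessionManagerListener(new LoopbackOnlyNoneListener());
  }
}
```

Two caveats a practitioner should keep in mind. First, this is a session-level gate only: the None endpoint is still advertised in GetEndpoints and a None secure channel is still opened before CreateSession is refused, which is why the reply calls it workaround-grade and prefers interface-bound endpoint lists. Second, the loopback test trusts the kernel's view of the peer; anything that terminates the TCP connection on the host (an SSH tunnel, a local reverse proxy, container or NAT port forwarding) makes a remote client appear as 127.0.0.1 and would pass the check, so such forwarders must not be pointed at the None endpoint.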