Endpoint configuration for local access (Java Server SDK)
February 3, 2021
19:20, EET
christopher_schmidt
Member
Forum Posts: 5
Member Since: May 19, 2020

Hi,

Since an endpoint with security policy set to None can’t be considered safe, we only support at least Sign for endpoints on our server application. On the other hand, if I want to use the OPC UA interface internally on the host device (localhost), there is no need for TLS features (they even hurt performance-wise and complicate things). Basically I was wondering if it is possible to support “None” but only on localhost and provide more secure endpoints for external connections. Do you think there are options with the Server SDK?

Regards,
Christopher

February 4, 2021
11:35, EET
Bjarne Boström
Moderator
Forum Posts: 1032
Member Since: April 3, 2012

Hi,

It is complicated to explain, so I’ll skip parts, but basically as far as I’m aware, not possible the way you would expect.

I would categorize it as workaround-grade, but you can prevent a session from being made from a non-local address if it has the None mode. You can do that by attaching a SessionManagerListener to the SessionManager of the UaServer and throwing (using StatusCodes.Bad_SecurityModeInsufficient for the StatusException) in onCreateSession if the Session is attempted using None from a non-localhost remote, via the given session parameter:

session.getChannel().getConnection().getRemoteAddress()

And check the MessageSecurityMode from the channel + Session, but do note that the Session and transport layer security modes may differ (e.g. on opc.https the session is made with None or Sign, with the TLS layer providing the encryption, and on Sign the app auth per ApplicationInstanceCertificates is done; on opc.tcp app auth and security for the transport layer are the same, so there they would match).

However, it might not be obvious to the client why it is failing.

P.S.
Generally the issue is that there has been a long-open issue, originally in the Stack, that would enable network-interface-bound GetEndpoints results. That would be the correct way to do this in my opinion. SDK 4.x doesn’t have a “stack” anymore per se (see https://downloads.prosysopc.com/opcua/Prosys_OPC_UA_SDK_for_Java_4_Release_Notes.html#version-4-0-0), but the underlying logic is the same. We can probably implement this in a future version, depending on how much it is asked for (since we in general try to prioritize those).
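The following is an added example (not code from the thread or from the Prosys SDK) of the workaround described above: a SessionManagerListener whose onCreateSession rejects MessageSecurityMode.None unless the remote address is a loopback address. The policy check itself uses only java.net types and the page's own session.getChannel().getConnection().getRemoteAddress(); the listener method signatures, the getSecurityMode() accessor on the channel, and the StatusException(String, UnsignedInteger) constructor are assumptions from memory and should be matched against the SDK version in use. The logic fails closed: an address that is not an InetSocketAddress, or one that cannot be resolved, is treated as non-local.

```java
import java.net.InetSocketAddress;
import java.net.SocketAddress;

import com.prosysopc.ua.StatusException;
import com.prosysopc.ua.server.ServiceContext;
import com.prosysopc.ua.server.Session;
import com.prosysopc.ua.server.SessionManagerListener;
import com.prosysopc.ua.server.UaServer;
import com.prosysopc.ua.stack.core.MessageSecurityMode;
import com.prosysopc.ua.stack.core.StatusCodes;

/**
 * Example listener (not SDK code): allows SecurityMode None only for sessions
 * created from a loopback address; Sign and SignAndEncrypt are always allowed.
 */
public class LocalOnlyNoneSessionListener implements SessionManagerListener {

    /**
     * Pure policy decision, kept free of SDK types so it can be unit-tested.
     * Returns true when the session may be created.
     */
    static boolean isAllowed(MessageSecurityMode mode, SocketAddress remote) {
        if (mode != MessageSecurityMode.None) {
            return true; // signed or encrypted channel: fine from anywhere
        }
        if (!(remote instanceof InetSocketAddress)) {
            return false; // unknown transport address type: fail closed
        }
        InetSocketAddress inet = (InetSocketAddress) remote;
        // getAddress() is null for an unresolved address; treat that as non-local.
        return inet.getAddress() != null && inet.getAddress().isLoopbackAddress();
    }

    // Assumed signature: void onCreateSession(ServiceContext, Session) throws StatusException
    @Override
    public void onCreateSession(ServiceContext serviceContext, Session session)
            throws StatusException {
        // Assumption: the secure channel exposes its negotiated mode via getSecurityMode().
        MessageSecurityMode mode = session.getChannel().getSecurityMode();
        // From the thread: the remote address of the underlying connection.
        SocketAddress remote = session.getChannel().getConnection().getRemoteAddress();
        if (!isAllowed(mode, remote)) {
            // Rejecting here makes the CreateSession service call fail for the client.
            throw new StatusException(
                    "SecurityMode None is only permitted from localhost (remote: " + remote + ")",
                    StatusCodes.Bad_SecurityModeInsufficient);
        }
    }

    // Assumed signature; nothing to enforce at activation time in this example.
    @Override
    public void onActivateSession(ServiceContext serviceContext, Session session)
            throws StatusException {
    }

    // Assumed signature; nothing to do when a session closes.
    @Override
    public void onCloseSession(ServiceContext serviceContext, Session session,
            boolean deleteSubscriptions) throws StatusException {
    }

    /** Wire the listener into a server (assumed accessor names, as used in SDK samples). */
    public static void install(UaServer server) {
        server.getSessionManager().addSessionManagerListener(new LocalOnlyNoneSessionListener());
    }
}
```

As the answer above notes, the session security mode and the transport security mode can differ on opc.https (a TLS-protected session may legitimately be None or Sign at the session layer), so if that transport is enabled the check should also look at how the channel was established rather than at the session mode alone; on opc.tcp the two match and the check above is sufficient. The client will only see Bad_SecurityModeInsufficient, so logging the rejected remote address and mode on the server side helps operators diagnose why a connection was refused.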
