Getting Failed to create session channel | OPC UA SDK for JavaProsys Forum

Please consider registering
guest

Forum

OPC UA SDK for Java
sp_ArrowRight

Getting Failed to create session channel

Topic RSS

Getting Failed to create session channel

August 21, 2019
20:32, EEST

dipankar.invi@gmail.com

Member

Members

Forum Posts: 16

Member Since:
December 6, 2018

Offline

Below is the DEBUG log I got while the error happened.
Here the only difference I see is the slash(‘/’) at the end of the EndPointUrl . Can it be a reason for the error ???

** I have removed the IP address from EndPointURL rest is as it was.

2019-08-21 14:03:54,557 ERROR [org.o.u.a.Client ] – The endpoint received from GetEndpoints is not in the endpoints of CreateSessionResponse. Endpoint=EndpointDescription: EndpointDescription
EndpointUrl=opc.tcp://:48031
Server=null
ServerCertificate=null
SecurityMode=MessageSecurityMode
name=None
ordinal=1
SecurityPolicyUri=http://opcfoundation.org/UA/SecurityPolicy#None
UserIdentityTokens=class org.opcfoundation.ua.core.UserTokenPolicy[3]
[0]=UserTokenPolicy
PolicyId=0
TokenType=UserTokenType
name=Anonymous
ordinal=0
IssuedTokenType=null
IssuerEndpointUrl=null
SecurityPolicyUri=null
[1]=UserTokenPolicy
PolicyId=1
TokenType=UserTokenType
name=UserName
ordinal=1
IssuedTokenType=null
IssuerEndpointUrl=null
SecurityPolicyUri=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
[2]=UserTokenPolicy
PolicyId=2
TokenType=UserTokenType
name=Certificate
ordinal=2
IssuedTokenType=null
IssuerEndpointUrl=null
SecurityPolicyUri=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
TransportProfileUri=http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary
SecurityLevel=0

2019-08-21 14:03:54,559 ERROR [org.o.u.a.Client ] – GetEndpoints returned endpoints=[EndpointDescription: EndpointDescription
EndpointUrl=opc.tcp://:48031
Server=null
ServerCertificate=null
SecurityMode=MessageSecurityMode
name=None
ordinal=1
SecurityPolicyUri=http://opcfoundation.org/UA/SecurityPolicy#None
UserIdentityTokens=class org.opcfoundation.ua.core.UserTokenPolicy[3]
[0]=UserTokenPolicy
PolicyId=0
TokenType=UserTokenType
name=Anonymous
ordinal=0
IssuedTokenType=null
IssuerEndpointUrl=null
SecurityPolicyUri=null
[1]=UserTokenPolicy
PolicyId=1
TokenType=UserTokenType
name=UserName
ordinal=1
IssuedTokenType=null
IssuerEndpointUrl=null
SecurityPolicyUri=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
[2]=UserTokenPolicy
PolicyId=2
TokenType=UserTokenType
name=Certificate
ordinal=2
IssuedTokenType=null
IssuerEndpointUrl=null
SecurityPolicyUri=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
TransportProfileUri=http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary
SecurityLevel=0
]
2019-08-21 14:03:54,559 ERROR [org.o.u.a.Client ] – CreateSessionResponse endpoints=[EndpointDescription: EndpointDescription
EndpointUrl=opc.tcp://:48031/
Server=null
ServerCertificate=null
SecurityMode=MessageSecurityMode
name=None
ordinal=1
SecurityPolicyUri=http://opcfoundation.org/UA/SecurityPolicy#None
UserIdentityTokens=class org.opcfoundation.ua.core.UserTokenPolicy[3]
[0]=UserTokenPolicy
PolicyId=0
TokenType=UserTokenType
name=Anonymous
ordinal=0
IssuedTokenType=null
IssuerEndpointUrl=null
SecurityPolicyUri=null
[1]=UserTokenPolicy
PolicyId=1
TokenType=UserTokenType
name=UserName
ordinal=1
IssuedTokenType=null
IssuerEndpointUrl=null
SecurityPolicyUri=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
[2]=UserTokenPolicy
PolicyId=2
TokenType=UserTokenType
name=Certificate
ordinal=2
IssuedTokenType=null
IssuerEndpointUrl=null
SecurityPolicyUri=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
TransportProfileUri=http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary
SecurityLevel=0
]

August 22, 2019
10:05, EEST

Bjarne Boström

Moderator

Moderators

Forum Posts: 1026

Member Since:
April 3, 2012

Offline

Yes, that would cause it to fail as they must be exactly the same. The check was added in order to pass the compliance tests. If you trust the server, you could set UaClient.setValidateDiscoveredEndpoints(false) to disable the check.

The specification mentions 1.04 Part 4 section 5.6.2.1 for the CreateSession description:
“The Server returns its EndpointDescriptions in the response. Clients use this information to
determine whether the list of EndpointDescriptions returned from the DiscoveryEndpoint matches
the Endpoints that the Server has. If there is a difference then the Client shall close the Session
and report an error.”

This is a security-check, as the Discovery Service Set can be accessed without a Session thus it doesn’t use message security.

August 22, 2019
10:12, EEST

dipankar.invi@gmail.com

Member

Members

Forum Posts: 16

Member Since:
December 6, 2018

Offline

Hi Bjarne,

Thanks for the response.
I want to understand how a opc client connects to opc ua server step by step . Is there any documentation or pdf to which I can look into other than the docs which comes with OPC specification like you mentioned in the last comment ?

Thanks,
Dipankar

August 22, 2019
12:20, EEST

dipankar.invi@gmail.com

Member

Members

Forum Posts: 16

Member Since:
December 6, 2018

Offline

Hi Bjarne,

Does the exact match applicable to alphabetic cases as well ? For example : opc.tcp://test-pc-4:48031 and opc.tcp://TEST-pc-4:48031 , will this get passed ?

Thanks,
Dipankar

August 22, 2019
14:25, EEST

Bjarne Boström

Moderator

Moderators

Forum Posts: 1026

Member Since:
April 3, 2012

Offline

The client tutorial in the ‘tutorial’ folder of the SDK (downloaded) package maybe, however it is from the SDK’s point of view and the point of the SDK is to make it easy so it is not in that much details.

Generally I would say the specification is probably the best place to look, even if it seems daunting at first. Probably best to start with Part 1, then you could jump to Part 4 section 4&5 for the service sets, Discovery, SecureChannel and Session Service Sets. Basically all that is done when you call UaClient.connect().

Also that would not pass, as it is not the same. In practice any difference should be a server bug. Basically the purpose of the check is to make sure it actually was the endpoints the server sent, not some rogue actor manipulating messages on the network. But as a note if you see differences that some parameters might be null, per the serverEndpoints return parameter in the 5.6.2.2 (1.04 Part 4): “It is recommended that Servers only include the server.applicationUri, endpointUrl, securityMode, securityPolicyUri, userIdentityTokens, transportProfileUri and securityLevel with all other parameters set to null. Only the recommended parameters shall be verified by the client.”

August 23, 2019
10:02, EEST

dipankar.invi@gmail.com

Member

Members

Forum Posts: 16

Member Since:
December 6, 2018

Offline

Thanks for the detailed explanation. Smile

All RSS

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
12 Guest(s)

Currently Browsing this Page:
1 Guest(s)