Java SDK - How to serve Certificate and Private Key
October 19, 2021, 17:54 EEST
francesco.sgaramella@rold.com (Member, Forum Posts: 6, Member Since: July 15, 2020)

Hello,
I am trying to create a simple client in Java to read data from an OPC UA server.
I am using version 4.3.0 of the java sdk.

I have both a Certificate (.der) and a Private Key (.pem) given by the OPC UA server installer. I have already tried to connect to the OPC UA server using the UaExpert client (supplying the .der and the .pem files for the connection) and it was successful.
Now I need to create a client in Java for reading the data from the OPC UA server. I have read the manual about the certificate, but I couldn’t understand what to do. Could I have some support, please?

October 20, 2021, 12:02 EEST
Matti Siponen (Moderator, Forum Posts: 321, Member Since: February 11, 2020)

Hello,

What exactly is it that you don’t understand? In general, this forum is for answering questions related to the Prosys OPC UA SDK for Java and not for general advice related to developing applications with the SDK.

October 20, 2021, 18:12 EEST
francesco.sgaramella@rold.com (Member, Forum Posts: 6, Member Since: July 15, 2020)

Hello,
my problem is that in the manual called “Prosys_OPC_UA_SDK_for_Java_Client_Tutorial.pdf” (which I found in the SDK I bought), in chapter “6.1.2. Application Instance Certificate” and chapter “6.1.3. Issuer Certificate”, it is explained how to create a self-signed certificate. Quoting: “On the first run, it creates the certificate and the private key and stores them in the files SampleConsoleClient@hostname_keysize.der and SampleConsoleClient@hostname_keysize.pem respectively”. And so on.

I don’t need to create my certificate and private key.

I have received a certificate (file .der) and a private key (file .pem) from the company that installed the manufacturing machine that uses the OPC UA server.
I need to use those two files to connect to the OPC UA server using Java in order to read the data of the manufacturing machine.
The procedure of connecting to an OPC UA server using an existing certificate and private key is not explained in the user manual (as far as I understood). Is there any other manual which explains this? Or is there any code sample?

October 21, 2021, 10:19 EEST
Bjarne Boström (Moderator, Forum Posts: 983, Member Since: April 3, 2012)

Hi,

I assume in this case those certs would be signed by a CA cert operated in whatever environment the server is. Then using those certs would cause the server app to trust it automatically. However, if not, then it is odd, as typically the private key should never be transmitted from the device that made it, though then the server has to trust them all (this has been the typical case, with sometimes CA certs being used). Though the Global Discovery Server thingy might change this.

Anyway, you have 2 options (or more maybe, but at least these):

One would be just to make the app as-is per the tutorial and then rename the .der + .pem you received as the same name that the app would create. Note that the private key password must match in this case (or you must make a way to enter that somehow).

Second is just to load the .der as com.prosysopc.ua.stack.transport.security.Cert and the .pem as com.prosysopc.ua.stack.transport.security.PrivKey with the static methods in those classes. Then you can just construct the ApplicationIdentity by one of its constructors taking in those. Note that you must set the ApplicationDescription via the setter in that case.

October 21, 2021, 18:35 EEST
francesco.sgaramella@rold.com (Member, Forum Posts: 6, Member Since: July 15, 2020)

Hello,
I’ve tried the second option you suggested.
Indeed, here is the code I wrote:

import java.io.File;
import java.util.EnumSet;
import com.prosysopc.ua.UserIdentity;
import com.prosysopc.ua.stack.cert.DefaultCertificateValidator;
import com.prosysopc.ua.stack.cert.DefaultCertificateValidatorListener;
import com.prosysopc.ua.stack.cert.PkiDirectoryCertificateStore;
import com.prosysopc.ua.stack.cert.ValidationResult;
import com.prosysopc.ua.stack.core.ApplicationDescription;
import com.prosysopc.ua.stack.transport.security.Cert;
import com.prosysopc.ua.stack.transport.security.PrivKey;

// Listener that accepts every certificate it is asked about (only reached if the
// validator's own checks pass)
private static DefaultCertificateValidatorListener validationListener = new DefaultCertificateValidatorListener() {
    @Override
    public ValidationResult onValidate(Cert certificate, ApplicationDescription applicationDescription, EnumSet passedChecks) {
        return ValidationResult.AcceptPermanently;
    }
};

// Load the certificate and the (unencrypted) private key received from the installer
File certFile = new File("bihlerOpcUaVC1Client [3FF47E159FB52B67FDD23EBA3145E83BA0FC1367].der");
File privKeyFile = new File("bihlerOpcUaVC1Client [3FF47E159FB52B67FDD23EBA3145E83BA0FC1367].pem");
Cert cert = Cert.load(certFile);
PrivKey privKey = PrivKey.load(privKeyFile, null);

// Validator backed by the default PKI directory store
final PkiDirectoryCertificateStore certStore = new PkiDirectoryCertificateStore();
final DefaultCertificateValidator validator = new DefaultCertificateValidator(certStore);
validator.setValidationListener(validationListener);
uaClient.setCertificateValidator(validator);

// The loaded pair is used as the user identity (X509 token) here
UserIdentity userIdentity = new UserIdentity(cert, privKey);
uaClient.setUserIdentity(userIdentity);

Once I call the function connect() of the uaClient, I get the following error:

[localhost-startStop-1] INFO com.prosysopc.ua.stack.cert.PkiDirectoryCertificateStore – Certificate ’89A703B8A5C0B69C67715453B13FFED5165B6E3F’ added to rejected certificates.
com.prosysopc.ua.ServiceException: Invalid server certificate ServiceResult=Bad_CertificateChainIncomplete (0x810D0000) “The certificate chain is incomplete.” Diagnostics=Diagnostic Info: Invalid server certificate

I’ve tried to execute the code in debug and I’ve noticed that it never passes through the function onValidate of the validationListener.
What is missing?

October 22, 2021, 8:39 EEST
Matti Siponen (Moderator, Forum Posts: 321, Member Since: February 11, 2020)

Hello,

In your code, you’re using the loaded certificates as the Client’s UserIdentity. I can’t see you setting the ApplicationIdentity, but if your code is based on the tutorial, then that should’ve been set properly elsewhere. If you wish to use the certificates provided to you in an X509IdentityToken, then this is the correct way to do it. However, if you wish to use them as your Client application’s Application Instance Certificate, then you would need to use ApplicationIdentity(Cert certificate, PrivKey privateKey) to create an ApplicationIdentity instance using your Cert and PrivKey. The difference between the two is that UserIdentity represents a user while ApplicationIdentity represents the application itself.

The Bad_CertificateChainIncomplete StatusCode implies that validating a certificate failed due to its issuer being either invalid or missing. If you’re using certificates that aren’t self-signed, you will need to include the whole certificate chain up to the self-signed CA certificate in either trusted certificates (PKI/CA/Certs). Note that this is just the path used in samples and your application might use a different path for the store.

If you’re using the DefaultCertificateValidator as your Client’s certificate validator, then it won’t call onValidate unless the certificate is valid. Since validating the certificate is failing with Bad_CertificateChainIncomplete, the onValidate method won’t be called.
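The two fixes discussed in this thread, wired together as an added example (my code, not the thread's or Prosys' own): the provided pair becomes the ApplicationIdentity with an explicit ApplicationDescription, and the server's issuer chain is placed in the trusted-certificates directory so the chain check can complete. File names, the server address, the application URI and the SDK 4.x class and constant names not quoted in the thread (UaClient, SecurityMode, LocalizedText, ApplicationType) are assumptions.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.Locale;
import com.prosysopc.ua.ApplicationIdentity;
import com.prosysopc.ua.SecurityMode;
import com.prosysopc.ua.client.UaClient;
import com.prosysopc.ua.stack.builtintypes.LocalizedText;
import com.prosysopc.ua.stack.cert.DefaultCertificateValidator;
import com.prosysopc.ua.stack.cert.PkiDirectoryCertificateStore;
import com.prosysopc.ua.stack.core.ApplicationDescription;
import com.prosysopc.ua.stack.core.ApplicationType;
import com.prosysopc.ua.stack.transport.security.Cert;
import com.prosysopc.ua.stack.transport.security.PrivKey;

public class ProvidedCertClient {
    public static void main(String[] args) throws Exception {
        // Placeholder file names and server address (assumed); replace with the real ones.
        File certFile = new File("client.der");
        File privKeyFile = new File("client.pem");
        File issuerCaFile = new File("issuer-ca.der");      // CA that signed the server's certificate
        String serverUrl = "opc.tcp://machine.example:4840";

        // 1. The provided pair is the Application Instance Certificate, not a user token.
        Cert cert = Cert.load(certFile);
        PrivKey privKey = PrivKey.load(privKeyFile, null);  // null: the key file is not encrypted
        ApplicationIdentity identity = new ApplicationIdentity(cert, privKey);

        // 2. This constructor does not fill in the ApplicationDescription, so set it explicitly.
        ApplicationDescription desc = new ApplicationDescription();
        desc.setApplicationName(new LocalizedText("ProvidedCertClient", Locale.ENGLISH));
        desc.setApplicationUri("urn:example:ProvidedCertClient");  // keep equal to the cert's SAN URI
        desc.setApplicationType(ApplicationType.Client);
        identity.setApplicationDescription(desc);

        // 3. Bad_CertificateChainIncomplete: the validator must find the server's issuer chain.
        //    The sample store layout from the thread keeps trusted certs under PKI/CA/certs.
        PkiDirectoryCertificateStore certStore = new PkiDirectoryCertificateStore();
        File trustedDir = new File("PKI/CA/certs");
        trustedDir.mkdirs();
        Files.copy(issuerCaFile.toPath(), new File(trustedDir, issuerCaFile.getName()).toPath(), StandardCopyOption.REPLACE_EXISTING);
        DefaultCertificateValidator validator = new DefaultCertificateValidator(certStore);

        // 4. Wire everything into the client and connect on a signed-and-encrypted channel.
        UaClient client = new UaClient(serverUrl);
        client.setCertificateValidator(validator);
        client.setApplicationIdentity(identity);
        client.setSecurityMode(SecurityMode.BASIC256SHA256_SIGN_ENCRYPT);
        client.connect();
        client.disconnect();
    }
}
```

With the chain in place the validator's own checks pass, so a DefaultCertificateValidatorListener registered on it will actually be called; an accept-everything listener is still only appropriate for a lab setup.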
