OPC Server connection issue - The URI specified in the ApplicationDescription does not match the URI in the certificate | OPC UA SDK for JavaProsys Forum

Please consider registering
guest

Forum

OPC UA SDK for Java
sp_ArrowRight

OPC Server connection issue - The URI specified in the ApplicationDescription does not match the URI in the certificate

Topic RSS

OPC Server connection issue - The URI specified in the ApplicationDescription does not match the URI in the certificate

November 6, 2019
13:39, EET

Jeremy Morgan

Member

Members

Forum Posts: 15

Member Since:
November 6, 2019

Offline

Hi All,
I am trying to establish connection to a Kepware OPC server from a Linux server using the same code that has worked OK with other Kepware servers.

The connection type is a secure signed Basic 128-bit. Key files have been exchanged; trusted on the Kepware server, and moved from ‘rejected’ folder to ‘certs’ folder on the client.

I am using PkiDirectoryCertificateStore and DefaultCertificateValidator.

I get the exception below, which complains about the URI in the certificate:

com.prosysopc.ua.client.ConnectException: Failed to create session channel to server: : opc.tcp://130.24.216.132:49320 [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,Sign] ServiceResult=Bad_CertificateUriInvalid (0x80170000) “The URI specified in the ApplicationDescription does not match the URI in the certificate.”
at com.prosysopc.ua.client.UaClient.r(SourceFile:5178)
at com.prosysopc.ua.client.UaClient.connect(SourceFile:865)
at com.harfordcontrol.server.central.tags.opc.connection.OpcServerConnectionEngine$OpcServerConnectionEstablisher.run(OpcServerConnectionEngine.java:257)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: ServiceFault:ServiceFault
responseHeader=ResponseHeader
timestamp=DateTime
value=132174505369163158
requestHandle=UnsignedInteger
value=0
serviceResult=StatusCode
value=-2145976320
serviceDiagnostics=DiagnosticInfo
eF=null
eG=null
eH=null
eI=null
eJ=null
eK=null
eL=null
eM=null
eN=null
stringTable=class java.lang.String[0]
additionalHeader=null

at com.prosysopc.ua.stack.transport.impl.AsyncResultImpl.waitForResult(SourceFile:282)
at com.prosysopc.ua.stack.transport.tcp.io.SecureChannelTcp.serviceRequest(SourceFile:869)
at com.prosysopc.ua.stack.transport.tcp.io.SecureChannelTcp.serviceRequest(SourceFile:808)
at com.prosysopc.ua.stack.application.Client.createSession(SourceFile:576)
at com.prosysopc.ua.client.UaClient.r(SourceFile:5121)
… 9 more

It’s not clear which end of the connection has the issue. i.e whether the OPC server is rejecting my certifcate or whether my client is rejecting the server’s certificate.

One thing I did notice is that the applicationUri in the ApplicationDescription has not replaced the ‘localhost’ placeholder with the hostname of the machine, so if I log the contents of the ApplicationDescription I get the following:

780-r16141 [2019-11-05 18:02:11,195] INFO OpcServerConnectionEngine ApplicationDescription=ApplicationDescription:ApplicationDescription
applicationUri=urn:localhost:UA:CentralOpcClient
productUri=urn:.com:UA:CentralOpcClient
applicationName=LocalizedText
text=CentralOpcClient
ag=en
applicationType=ApplicationType
Client gatewayServerUri=null
discoveryProfileUri=null
discoveryUrls=null

I wondered if the ‘localhost’ in the applicationUri was causing the mismatch and certificate rejection?

Any thoughts?

November 8, 2019
13:00, EET

Bjarne Boström

Moderator

Moderators

Forum Posts: 983

Member Since:
April 3, 2012

Offline

Hi,

The ‘localhost’ most likely is the issue. One of the cert checks (defined in the OPC UA Specification) is that the ApplicationUri in the certificate must match the ApplicationUri of the ApplicationDescription. In this case it would seem the server is the one rejecting the cert. The server might have some override option for these cases.

In some cases the hostname resolution cannot get the hostname correctly, in which case it will currently default to ‘localhost’. However, assuming you use the methods of ApplicationIdentitity.loadOrCreateCertificate taking the ApplicationDescription, the same string should end up in both places, which makes this a bit weird. Still it is somewhat an error as the ApplicationUris should be globally unique (or at least within the network they communicate).

At least in some cases this has been resolved by making sure /etc/hosts line for the 127.0.0.1 looks something like:

127.0.0.1 localhost.localdomain localhost your_hostname_here

P.S.
Technically you could get the same error code also as part of the client validating the server’s certificate (for the same reason), assuming you rejected it in a DefaultCertificateValidationListener (or if none was added, as the uri check is one of the compulsory checks). However in that case you would see a ServiceException with message “Invalid server certificate” (which probably is not best option, but is what you would currently see).

November 11, 2019
17:32, EET

Jeremy Morgan

Member

Members

Forum Posts: 15

Member Since:
November 6, 2019

Offline

Hi,
Thanks for the info. This is a RHEL 6 server by the way.

I fixed the hostname in the ApplicationUri by setting the short and full hostnames names in /etc/hosts e.g.

XXX.XXX.XXX.XXX hostname.domain hostname

I removed the HOSTNAME entry from /etc/sysconfig/network.

I removed the local OPC certificates and re-created them; and then trusted the certificate on the Kepware server. However, I am still getting the same error as before.

It doesn’t really make sense; and, as you say, it is the same method (ApplicationIdentity.loadOrCreateIssuerCertificate) that creates and loads the certificate.

Is there any way I can tell what the hostname is that has been used in the local public certificate that Prosys has created? There doesn’t seem to be anything readable in the .der or .pem files that have been generated.

Any other ideas gratefully accepted!

November 12, 2019
13:42, EET

Bjarne Boström

Moderator

Moderators

Forum Posts: 983

Member Since:
April 3, 2012

Offline

Hmm… strange

If you first run the following test to ensure we actually get it:

  @Test
  public void outputHostname() throws Exception {
    System.out.println("hostname(+domain if here is):" + ApplicationIdentity.getActualHostName());
    System.out.println("hostname only:" + ApplicationIdentity.getActualHostNameWithoutDomain());
  }

(‘localhost’ and/or ‘domainname’ in ApplicationUri + ApplicationName would be replaces with the first one, ‘hostname’ would replace with the second one)

The Cert is a standard X509 cert, the “Subject Alternative Name” URL field would be the one to match ApplicationURI. Operating systems usually should have some way to show this, e.g. on windows, you should be just able to doubleclick it open and see a Certificate window to show the details. Something like the following should work in terminal, assuming openssl is available (usually should):

openssl x509 -inform der -in <path_to_the_.der_file> -text -noout

then find line “X509v3 Subject Alternative Name:”

P.S.
If that fails for some reason, just as a test can you just enter the hostname directly to the ApplicationURI and see if it works that way.

November 12, 2019
18:51, EET

Jeremy Morgan

Member

Members

Forum Posts: 15

Member Since:
November 6, 2019

Offline

Thanks Bjarne.

I deployed the test code you gave on the server in question, and it gives the expected output for the ApplicationIdentity methods, so there is no issue there.

I downloaded the generated .der file onto a Windows PC and opened it with double-click (Certificate window). There is no ‘Subject Alternative Name’ entry in the certificate (showing ‘ALL’ option), so maybe this is the cause of the problem?

November 13, 2019
10:50, EET

Bjarne Boström

Moderator

Moderators

Forum Posts: 983

Member Since:
April 3, 2012

Offline

Probably yes. However, could you doublecheck that it was the equivalent .der file vs. the cases that worked (or was this the same one for those as well?). This is getting really weird..

One theoretical case would be if you selected incorrect .der file (e.g. in SimulationServer’s PKI/CA/private there would have been also the CA (which we use for the https cert), this would not contain the Subject Alternative Name part (here Key Usage would include e.g. Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)).

Assuming the above was not the case, next I would just try with connecting with SampleConsoleClient instead. If it works directly, then some part of your code is different. If it fails then at least we could check if the cert generation did work correctly or not.

P.S.
Additionally I need to ask what is the SDK version you are using? Also that you are using the BouncyCastle (if SDK is 4.x, then this would be the case, previously there was a fallback option which used the private sun api of the jre) + Java version and vendor? And BouncyCastle version if different than came with the SDK?

November 14, 2019
15:09, EET

Jeremy Morgan

Member

Members

Forum Posts: 15

Member Since:
November 6, 2019

Offline

On the server with the problem, the certificate would have been trusted directly from the Kepware config (the certificate appears automatically) i.e. there is no need to copy it over manually, so less/no chance of an error.

We are using Prosys 4.0.0-774, and one thing that is worth mentioning is that we are using BouncyCastle 1.56 instead of 1.60. This is because the application is deployed in Wildfly and there was a clash with Wildfly’s own internal version of Bouncy Castle. The system is running on Oracle JRE 8.

The Kepware server with the connection problem is V6.5 Build 829. The one that works is V5.18 Build 662.

I checked the certificate on an local system that is connecting securely to our own local Kepware server without any issues (the V5.18), and that doesn’t have a ‘Subject Alternative Name’ entry either. It is using exactly the same software and JRE.

For the time being I have made the connection using Username/Password and SecurityMode set to NONE.

I did try to test with the Prosys Client on a local Windows PC but wasn’t sure how to generate the Certificates.

November 14, 2019
16:59, EET

Bjarne Boström

Moderator

Moderators

Forum Posts: 983

Member Since:
April 3, 2012

Offline

Then I would guess the check wasn’t as part of the V5.18 and has been added later to be more compliant. However it seems the issue with the ‘Subject Alternative Name’ has been around then longer, just that the server hasn’t being complaining about it.

For the sampleconsoleclient example, assuming you have javac+java in PATH, it would start from the .bat/sh (it would compile it first and then start), it will create the certificates automatically when first needed in connecting, they will appear in the PKI folder (which is then created) next to the scripts. This is the simplest way, otherwise you might need to create a project e.g. in Eclipse (see the getting started tutorial) and export it e.g. as runnable jar etc.

For https://www.prosysopc.com/products/opc-ua-browser/ the certs will be in ‘user.home’\.prosysopc\prosys-opc-ua-browser\PKI instead (after you have started the application for the first time).

All RSS

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
28 Guest(s)

Currently Browsing this Page:
1 Guest(s)