2:53, EEST
August 14, 2017
10:31, EEST
December 21, 2011
12:29, EEST
August 14, 2017
Hi, im using the internal OPC UA server of a Siemens S7-1500 plc Unit. I tested it with a sample Client in C# and it worked fine.
I use Eclipse and Java 8.
Here is the complete stack trace
Exception in thread “main” org.opcfoundation.ua.common.RuntimeServiceResultException: org.opcfoundation.ua.common.ServiceResultException: Bad_CertificateInvalid (code=0x80120000, description=”2148663296, java.io.IOException: Duplicate extensions not allowed”)
at org.opcfoundation.ua.transport.TransportChannelSettings.getServerCertificate(TransportChannelSettings.java:114)
at org.opcfoundation.ua.transport.tcp.io.TcpConnection.initialize(TcpConnection.java:376)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(SecureChannelTcp.java:273)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(SecureChannelTcp.java:246)
at org.opcfoundation.ua.application.Client.createSecureChannel(Client.java:640)
at org.opcfoundation.ua.application.Client.createSecureChannel(Client.java:555)
at org.opcfoundation.ua.application.Client.createSessionChannel(Client.java:370)
at org.opcfoundation.ua.application.Client.createSessionChannel(Client.java:345)
at org.opcfoundation.ua.examples.SampleClient.main(SampleClient.java:109)
Caused by: org.opcfoundation.ua.common.ServiceResultException: Bad_CertificateInvalid (code=0x80120000, description=”2148663296, java.io.IOException: Duplicate extensions not allowed”)
at org.opcfoundation.ua.transport.security.Cert.(Cert.java:143)
at org.opcfoundation.ua.transport.TransportChannelSettings.getServerCertificate(TransportChannelSettings.java:112)
… 8 more
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
at sun.security.x509.X509CertInfo.(X509CertInfo.java:169)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
at sun.security.x509.X509CertImpl.(X509CertImpl.java:195)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
at org.opcfoundation.ua.utils.CertificateUtils.decodeX509Certificate(CertificateUtils.java:193)
at org.opcfoundation.ua.transport.security.Cert.(Cert.java:136)
… 9 more
Caused by: java.io.IOException: Duplicate extensions not allowed
at sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:115)
at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:88)
at sun.security.x509.CertificateExtensions.(CertificateExtensions.java:78)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:702)
at sun.security.x509.X509CertInfo.(X509CertInfo.java:167)
… 15 more
17:13, EEST
December 21, 2011
18:13, EEST
August 14, 2017
18:51, EEST
December 21, 2011
This is a possible issue in JDK, which requires that there is only one extension of any type in the certificate. Also, for the same reason, I cannot generate such a certificate with Java to check it out.
And the reason for this is limitation is the RFC 3280 that specifies the usage of certificates:
https://www.ietf.org/rfc/rfc3280.txt
4.2 Certificate Extensions
…
A certificate MUST NOT include more than
one instance of a particular extension.
…
So, if you could find the certificate of the server from the trust store of the other client applications, please check it out yourself or send that by email, so that we can try to verify the issue. I don’t think that there is any way to overcome this, so you will need to contact the server manufacturer and tell them that they are using invalid certificates.
19:16, EEST
August 14, 2017
9:38, EEST
December 21, 2011
Yes, this is a very unfortunate interoperability issue. Apparently other development environments enable creation and usage of certificates that are invalid by the specification. And the Java environment seems to be very strict about this.
You should look for the certificate store of the client application, if you can locate the server certificate in there after accepting it. You will need to refer to the documentation of the client to locate it.
21:51, EEST
September 26, 2018
10:16, EEST
April 17, 2013
Hello,
We have an S7-1500 device for testing and demonstration purposes here at our offices. The above mentioned issue does not happen with our device, which reports
“ProductName=SIMATIC S7-1500 OPC UA, SoftwareVersion=V02.05.00” as its version. I tested this with our Java SDK version 3.1.6.
What Simatic firmware version and Prosys OPC UA Java SDK version are you using currently?
There’s no good way to attach pictures here to the forum. Please send any pictures or other large attachments by email to us at uajava-support prosysopc.com.
20:59, EET
September 26, 2018
Hello Heikki,
Sorry my reply is so late: I received an answer from Siemens and decided to wait for TIA Portal V15.1, which was now released.
Last week I installed V15.1, updated the firmware of my S7-1512 and also loaded a new certificate for OPCUA in the PLC. This helped: the I/O-error is gone.
Then, I updated my java SDK version to 1.8.0.172 (to fix the SSL handshake error) and installed the Siemens root certificate in my VM’s cacerts file. Now I can successfully connect!
Of course, now I run into novice problems. For instance, I have made a subscription to an UDT in an instance DB. I successfully get a notification when I change a bit in the UDT in the PLC, but: how do I get the values of all bits in the UDT? Is there an example of working with Structures and Arrays I can read?
Most Users Ever Online: 1919
Currently Online:
11 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Heikki Tahvanainen: 402
hbrackel: 144
rocket science: 88
pramanj: 86
Francesco Zambon: 83
Ibrahim: 78
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
Member Stats:
Guest Posters: 0
Members: 728
Moderators: 7
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1529
Posts: 6471
Newest Members:
ellis87832073466, zkxwilliemae, gabriellabachus, Deakin, KTP25Zof, Wojciech Kubala, efrennowell431, wilfredostuart, caitlynfajardo, jeromechubb7Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1032, Jimmy Ni: 26, Matti Siponen: 349, Lusetti: 0
Administrators: admin: 1