Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
override GetEndPoints service
December 20, 2021
17:04, EET
Avatar
francescozambon
Member
Members
Forum Posts: 9
Member Since:
December 20, 2021
sp_UserOfflineSmall Offline

Hello,

I’m a newbie to the OPC UA / Prosys OPC UA Java SDK world and I’m having some problems configuring the server.

I understood that it is not possible to start the server without first setting the ApplicationIdentity.
The ApplicationIdentity requires a certificate as a mandatory parameter but I cannot use it:
https://forum.prosysopc.com/forum/opc-ua-java-sdk/server-without-certificates/

I am using the method:
ApplicationIdentity.loadOrCreateCertificate
to create an ApplicationIdentity, but when the OPC UA client tries to connect i get the BadCertificateUntrusted error because the server is using a self-signed certificate.

I cannot install the Self-Signed Certificate as a Trusted Root CA and i cannot change the client settings.

As a workaround i had thought to delete the ServerCertificate parameter from the GetEndPointsResponse payload in order to skip the certificate check performed by the client.

Is it possible to modify the GetEndPoints service response sent by the server?

I am using prosys-opc-ua-java-sdk-client-server-3.1.2-488.

Thanks,
Francesco

December 21, 2021
10:37, EET
Avatar
francescozambon
Member
Members
Forum Posts: 9
Member Since:
December 20, 2021
sp_UserOfflineSmall Offline

UPDATE

prosys-opc-ua-java-sdk-client-server depends on:
opc-ua-stack lib (https://github.com/OPCFoundation/UA-Java-Legacy)

I modified the class:
/opc-ua-stack/src/main/java/org/opcfoundation/ua/application/Server.java
row: 490

desc.setServerCertificate (ByteString.valueOf (keypair.getCertificate (). getEncoded ()));

EndpointDescription desc = new EndpointDescription();
desc.setEndpointUrl( ep.getEndpointUrl() );
desc.setSecurityMode( msm );
desc.setSecurityLevel( UnsignedByte.valueOf(securityLevel) );
desc.setSecurityPolicyUri( securityPolicyUri );
desc.setServer( ap );

// TEST ServerCerticate
// desc.setServerCertificate(ByteString.valueOf(keypair.getCertificate().getEncoded() ));

and now the client connects successfully

December 21, 2021
13:13, EET
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 726
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Hi,

As an SDK-level API user, you should basically not interact with the “stack” at all, expect when something from it was in the public APIs of the SDK (our mistake 10 years ago, but hard to fix without breaking half of the methods, so it has not been done). Also SDK 4.x does not depend on “the stack” anymore. Also doing anything in the old legacy “stack” would in general assume the user to know exactly what they are doing, effectively being an “OPC UA Expert”. Not something you should be doing if you have just started OPC UA.

Also, please note that the “Stack” is basically discontinued as reads on the README on (https://github.com/OPCFoundation/UA-Java-Legacy) :
“This repository is provided by OPC Foundation as legacy support for an Java version for OPC UA. It will not receive further features and updates.”

In general I would recommend updating to SDK 4.x due to the fixes we have made during the years, https://downloads.prosysopc.com/opcua/Prosys_OPC_UA_SDK_for_Java_4_Release_Notes.html. It has also received security fixes. Also any updates or fixes we would do for the SDK would be on top of the current 4.x version.

Please note that doing that edit in the stack 3.x dependend would be completely unsupported by us and basically then you are outside of our help. Like, great if it helps you, but a real fix would be to fix the client side to ignore the certificate. In OPC UA 1.01 Servers did always send a certificate and 1.01 Clients might not work if they do not. Later version Clients should ignore the cert if they see it (i.e. if they do not need it). Also, you will need the certificate even in NONE if you need to support any other userauth method than Anonymous (i.e. basically no auth/users), as it is used to transmit the secrects as encrypted.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 267

Currently Online:
17 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 113

pramanj: 86

ibrahim: 74

kapsl: 57

rocket science: 52

gjevremovic: 49

Xavier: 42

fred: 41

TimK: 41

Fransua33: 39

Member Stats:

Guest Posters: 0

Members: 1743

Moderators: 17

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1206

Posts: 5137

Newest Members:

LimaomoT, eulaallcot, brain7955241817, barbaravillalobo, widallet, erminovski, etsuko73u61420, donnyblaxland, DonaldHAp, kelvin6887

Moderators: Jouni Aro: 918, Otso Palonen: 32, Tuomas Hiltunen: 5, janimakela: 0, Pyry: 1, Terho: 0, Petri: 0, Bjarne Boström: 726, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 24, Teppo Uimonen: 21, Markus Johansson: 36, Niklas Nurminen: 0, Matti Siponen: 163, Lusetti: 0

Administrators: admin: 1