11:16, EEST
October 27, 2021
Hi,
I am trying to connect to OPC UA Server Simulator with an IoT OPCUA Agent from FIWARE which is a nodejs application.
I created an SSL certificate with these commands:
```
openssl req -x509 -days 365 -new -out client_certificate.pem -keyout client_private_key_encr.pem -config user-key.conf
openssl rsa -in client_private_key_encr.pem -out client_private_key.pem
```
Then I put the client_certificate.pem and client_private_key.pem inside the IoT Agent (the OPC UA Agent).
client_certificate.pem was also put into /home/trung/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs (the folder of CA certificates for the OPC UA Server).
The OPCUA Server was set to generate counter simulated value in Object tab
I selected SignAndEncrypt with Basic256Sha256.
Result:
From the debug log: I got “Executed expiring daemon”.
So how do I connect the OPCUA Simulation Server with another agent? Did I miss any important detail?
Thank you.
Sorry for the wrong post in the OPC topic. I cannot delete that one.
15:06, EEST
December 21, 2011
Are you referring to the debug log of Simulation Server or FIWARE? I don’t recognise the message “Executed expiring daemon”
Anyway, the OPC UA Certificates have some special rules, as defined in
https://reference.opcfoundation.org/Core/docs/Part4/7.3/
Here are some instructions on how to create a proper certificate with openssl:
https://stackoverflow.com/questions/50328537/generate-certificate-for-opc-client
PS. I can delete the other message – no problem.
12:30, EET
October 27, 2021
I got both .pem and .der files, so does it matter which file I use for PKI/CA/certs? Trying with both did not give me the connection.
In my setting, this is the Connection Address: opc.tcp://HP:5001/UA/CarServer
Can you suggest the correct config file, please? I got it like this:
```
basicConstraints=CA:TRUE
authorityKeyIdentifier=keyid,issuer
keyUsage=dataEncipherment,keyEncipherment,nonRepudiation,digitalSignature,keyCertSign,cRLSign
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=URI:urn:HP:UA:CarServer
```
I tried to connect to HP:5001 with this command `telnet HP 5001` but it failed.
With `telnet HP.local 5001` I can ping the port. Could this be the problem? I am not sure which IP:PORT address Prosys Simulation used to connect with other applications.
Thank you!
15:46, EET
December 21, 2011
16:12, EET
October 27, 2021
I tried with SecurityModes = SignAndEncrypt first and then None. Neither of them works for me.
`nslookup HP`, where `HP` is my hostname in OPCUA, gave me 192.168.50.167, which according to my search is related to my Wi-Fi network. Could this be the cause?
I found these IPs as the ones with port 5001 set for the OPCUA Server, but none of them matches 192.168.50.167 and it confuses me:
```
LISTEN 0 50 [::ffff:130.230.180.30]:5001 *:* users:(("java",pid=253129,fd=103))
LISTEN 0 50 [2001:708:310:176:88e6:4461:6f4a:79a8]:5001 [::]:* users:(("java",pid=253129,fd=102))
LISTEN 0 50 [2001:708:310:176:a95f:dc44:dc7e:5919]:5001 [::]:* users:(("java",pid=253129,fd=101))
LISTEN 0 50 [fe80::a26f:ad05:80c2:447d]%wlp2s0:5001 [::]:* users:(("java",pid=253129,fd=100))
LISTEN 0 50 [::ffff:127.0.0.1]:5001 *:* users:(("java",pid=253129,fd=99))
LISTEN 0 50 [::1]:5001 [::]:* users:(("java",pid=253129,fd=98))
LISTEN 0 50 [::ffff:172.17.0.1]:5001 *:* users:(("java",pid=253129,fd=94))
```
8:38, EET
Moderators
February 11, 2020
Hello,
I took a look at the user manual of IoTAgent and the default Endpoint seems to be opc.tcp://iotcarsrv:5001/UA/CarServer. The Endpoint you’re trying to use is opc.tcp://HP:5001/UA/CarServer which is not the default Endpoint for Simulation Server. Have you configured Simulation Server to use this Endpoint by editing Port and Server Name for UA TCP in the Endpoints tab? You will need to switch to Expert Mode in Options menu to see that tab.
Also, have you tried connecting to Simulation Server using other OPC UA Clients such as Prosys OPC UA Browser?
11:11, EET
October 27, 2021
Hi Matti,
It is nice that you had a look at the FIWARE component. Which file are you referring to, the docker-compose-external-server.yml or the AGECONF/config.properties file?
Here is mine
`docker-compose-external-server.yml file`
```
version: "3"
services:
  iotage:
    hostname: iotage
    image: iotagent4fiware/iotagent-opcua:1.3.4
    networks:
      - hostnet
      - iotnet
    ports:
      - "4001:4001"
      - "4081:8080"
    extra_hosts:
      - "HP:192.168.50.167"
      - "iotcarsrv:192.168.50.167"
    depends_on:
      - iotmongo
      - orion
    volumes:
      - ./AGECONF:/opt/iotagent-opcua/conf
      - ./certificates:/opt/iotagent-opcua/certificates
    environment:
      - IOTA_REGISTRY_TYPE=memory #Whether to hold IoT device info in memory or in a database
      - IOTA_LOG_LEVEL=DEBUG # The log level of the IoT Agent
      - IOTA_MONGO_HOST=iot_mongo # The host name of MongoDB
      - IOTA_MONGO_DB=iotagent_opcua # The name of the database used in mongoDB
      #comment if you mind using NGSI-ld
      #- IOTA_CB_NGSI_VERSION=ld
      #- IOTA_JSON_LD_CONTEXT=https://uri.etsi.org/ngsi-ld/v1/ngsi-ld-core-context-v1.3.jsonld #comment if you mind using NGSIv2
      - IOTA_FALLBACK_TENANT=opcua_car
      - IOTA_RELAX_TEMPLATE_VALIDATION=true
  iotmongo:
    hostname: iot_mongo
    image: mongo:4.2
    networks:
      - iotnet
    volumes:
      - iot_mongo_data:/data/db
      - iot_mongo_conf:/data/configdb
  ################ OCB ################
  orion:
    hostname: orion
    #replace fiware/orion:latest with fiware/orion-ld:0.7.0 if you mind using NGSI-ld
    image: fiware/orion:latest
    #image: fiware/orion-ld:0.7.0
    networks:
      - hostnet
      - ocbnet
    ports:
      - "1026:1026"
    depends_on:
      - orion_mongo
    # add -forwarding if using NGSI-ld
    #command: -statCounters -dbhost orion_mongo -logLevel INFO -forwarding
    command: -statCounters -dbhost orion_mongo -logLevel INFO
  orion_mongo:
    hostname: orion_mongo
    image: mongo:4.2
    networks:
      - ocbnet
    ports:
      - "27017:27017"
    volumes:
      - orion_mongo_data:/data/db
      - orion_mongo_conf:/data/configdb
    command: --nojournal
volumes:
  iot_mongo_data:
  iot_mongo_conf:
  orion_mongo_data:
  orion_mongo_conf:
networks:
  hostnet:
  iotnet:
  ocbnet:
```
and here is the content of `config.properties` in AGECONF
```
## SOUTHBOUND CONFIGURATION (OPC UA)
namespace-ignore=2,7
endpoint=opc.tcp://HP:5001/UA/CarServer
## NORTHBOUND CONFIGURATION (ORION CONTEXT BROKER)
context-broker-host=orion
context-broker-port=1026
fiware-service=opcua_car
fiware-service-path=/demo
## AGENT CONFIGURATION
server-base-root=/
server-port=4001
provider-url=http://iotage:4001
device-registration-duration=P1M
device-registry-type=memory
log-level=INFO
namespaceIndex=3
namespaceNumericIdentifier=1000
# MONGO-DB CONFIGURATION (required if device-registry-type=mongodb)
mongodb-host=iotmongo
mongodb-port=27017
mongodb-db=iotagent
mongodb-retries=5
mongodb-retry-time=5
## DATATYPE MAPPING OPCUA --> NGSI
OPC-datatype-Number=Number
OPC-datatype-Decimal128=Number
OPC-datatype-Double=Number
OPC-datatype-Float=Number
OPC-datatype-Integer=Integer
OPC-datatype-UInteger=Integer
OPC-datatype-String=Text
OPC-datatype-ByteString=Text
#END DATATYPE MAPPING OPCUA --> NGSI
## SESSION PARAMETERS
requestedPublishingInterval=10
requestedLifetimeCount=1000
requestedMaxKeepAliveCount=10
maxNotificationsPerPublish=100
publishingEnabled=true
priority=10
#SubscriptionsStrategy
uniqueSubscription=false
## MONITORING PARAMETERS
samplingInterval=1
queueSize=10000
discardOldest=false
## SERVER CERT E AUTH
securityMode=SignAndEncrypt
securityPolicy=Basic256Sha256
userName=charm
password=TAU2021
#securityMode=SIGNANDENCRYPT
#securityPolicy=1Basic256
#password=password1
#userName=user1
#api-ip=192.168.13.153
## ADMINISTRATION SERVICES
api-port=8080
## POLL COMMANDS SETTINGS
polling=false
polling-commands-timer=1000
pollingDaemonFrequency=20000
pollingExpiration=200000
## AGENT ID
#agent-id=age01_
#entity-id=age01_Car # used only during tests
## CONFIGURATION
#configuration=#api
## CHECK TIMER POLLING DEVICES
checkTimer=2000
```
The point is that I have set the Endpoint as `opc.tcp://HP:5001/UA/CarServer` -> what we have in the OPCUA Server.
I have tried with UA Expert and I can connect to the Server.
13:29, EET
Moderators
February 11, 2020
Hello,
I have simply seen these instructions: https://github.com/Engineering-Research-and-Development/iotagent-opcua/blob/master/docs/user_and_programmers_manual.md but I have not used the application. I just wanted to make sure that you have configured a correct address in Simulation Server.
Have you tried using Wireshark to capture packets sent between IoTAgent and Simulation Server? See https://www.prosysopc.com/blog/opc-ua-wireshark/ for instructions on how to capture OPC UA communication with Wireshark.
12:10, EET
October 27, 2021
Yes, I have tried with Wireshark and also implemented what was in the blog post above, so here is the result:
- No OPCUA connection or packet; the search field of Wireshark is red.
- When I focus on only `tcp.port==5001`, I initially got 1 packet to `192.168.50.167`, which was the IP of my local machine named HP from above. After that there are only [TCP Retransmission] packets until the timeout error.
For example, the first packet received from port 5001 is:
```
112 13.301053351 130.230.180.30 192.168.50.167 TCP 74 36778 → 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2375562019 TSecr=0 WS=128
```
Then it came with repeated packets like this:
```
115 14.304119390 130.230.180.30 192.168.50.167 TCP 74 [TCP Retransmission] 36778 → 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2375563022 TSecr=0 WS=128
```
12:42, EET
Moderators
February 11, 2020
Hello,
Please verify that 192.168.50.167 is the IP that Simulation Server has bound itself to. You can check its log for “Endpoint bound to:” message that lists the IPs and ports it has bound itself to. In general, you should try using IP addresses instead of hostnames in your Client configuration.
You can also try pinging the IP address Simulation Server has bound itself to.
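The bound-address check suggested in the post above, written out as an added example that is not part of the original thread: it parses the listener lines posted earlier and tests whether the address resolved for `HP` is one the server actually listens on. The function names are hypothetical, and the wildcard handling is a simplification that treats any wildcard listener as matching every address.

```python
import ipaddress

# The seven listener lines posted in the thread (typographic quotes normalised).
SS_OUTPUT = """\
LISTEN 0 50 [::ffff:130.230.180.30]:5001 *:* users:(("java",pid=253129,fd=103))
LISTEN 0 50 [2001:708:310:176:88e6:4461:6f4a:79a8]:5001 [::]:* users:(("java",pid=253129,fd=102))
LISTEN 0 50 [2001:708:310:176:a95f:dc44:dc7e:5919]:5001 [::]:* users:(("java",pid=253129,fd=101))
LISTEN 0 50 [fe80::a26f:ad05:80c2:447d]%wlp2s0:5001 [::]:* users:(("java",pid=253129,fd=100))
LISTEN 0 50 [::ffff:127.0.0.1]:5001 *:* users:(("java",pid=253129,fd=99))
LISTEN 0 50 [::1]:5001 [::]:* users:(("java",pid=253129,fd=98))
LISTEN 0 50 [::ffff:172.17.0.1]:5001 *:* users:(("java",pid=253129,fd=94))
"""

# Local-address values that mean "listening on every interface".
WILDCARDS = {"*", "0.0.0.0", "[::]"}


def normalise(host):
    """Strip brackets and zone id, unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(host.split("%", 1)[0].strip("[]"))
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def listeners(ss_text, port):
    """Return (set of bound addresses, wildcard flag) for LISTEN sockets on port."""
    addrs, wildcard = set(), False
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Fourth column is Local Address:Port; the port follows the last colon.
        host, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        if host in WILDCARDS:
            wildcard = True
        else:
            addrs.add(normalise(host))
    return addrs, wildcard


def is_bound(target, ss_text, port):
    """True if some listener on port would accept a connection to target."""
    addrs, wildcard = listeners(ss_text, port)
    return wildcard or normalise(target) in addrs


if __name__ == "__main__":
    for ip in ("192.168.50.167", "130.230.180.30"):
        print(ip, "bound" if is_bound(ip, SS_OUTPUT, 5001) else "NOT bound")
```

On the posted data, 192.168.50.167 is not among the listening addresses while 130.230.180.30 is, which is consistent with the unanswered SYN retransmissions in the capture.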