Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Error in Selecting security mode
March 16, 2017
12:57, EET
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

Hi,

I can able to connect to the simulation server via normal security mode i.e client.setSecurityMode(SecurityMode.NONE);
If I try to use the security function like(Sign &Encr, Sign) in client its shows NullPointerError.

Security function(Sign &Encr, Sign) works fine when I connect SampleConsole Client and the ConsoleServer.

Exception in thread “min” java.lang.NullPointerException: localApplicationInstanceCertificate is null
at org.opcfoundation.ua.transport.security.SecurityConfiguration.(Unknown Source)
at org.opcfoundation.ua.transport.tcp.io.TcpConnection.initialize(Unknown Source)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(Unknown Source)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(Unknown Source)
at org.opcfoundation.ua.application.Client.createSecureChannel(Unknown Source)
at com.prosysopc.ua.client.UaClient.o(Unknown Source)
at com.prosysopc.ua.client.UaClient.connect(Unknown Source)
at com.prosysopc.ua.samples.client.Historical_data.main(Historical_data.java:32)

But everything works fine with (SecurityMode.NONE). I am looking for some help in this!
Regards

March 17, 2017
11:51, EET
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

hi,

I even tried by connecting my SampleconsoleClient with prosys simulation server, It is connecting if I select the security mode as None, but if I choose the security mode to Sign or Sign&Encry it’s showing the following error.

Select the security mode to use.
(n=None,s=Sign,e=SignAndEncrypt)
s
Connecting to opc.tcp://peter:53530/OPCUA/SimulationServer
Using SecurityPolicy http://opcfoundation.org/UA/Se…..ic128Rsa15
com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://peter:53530/OPCUA/SimulationServer [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,Sign] ServiceResult=Bad_SecurityChecksFailed (0x80130000) “An error occurred verifying security.”
Caused by: org.opcfoundation.ua.common.ServiceResultException: Bad_SecurityChecksFailed (code=0x80130000, description=”Bad_SecurityChecksFailed (code=0x80130000, description=”An error occurred verifying security.”)”)

I don’t know where I am going wrong. looking for your help!!

Regrads

March 17, 2017
15:04, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1026
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

You have to make the server trust your client’s certificate. In SimulationServer you do this in the Certificates tab.

March 17, 2017
15:54, EET
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

Hi Jouni Aro,

Now I see what’s the problem, thanks for the help. I made my server to trust my Client and its working fine.

Thanks for the reply.

March 17, 2017
17:46, EET
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

hi, Jouni,

I still have the error which I posted first. what I did is I manually make the rejected certificates to trust in the server as you mentioned.
the console client is able to connect to the server but the program which I developed can’t able to connect.

Looking for your help!!

March 27, 2017
16:24, EEST
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

hi,

can anyone help me with this error!
i have the same error as i mentioned above.

Exception in thread “min” java.lang.NullPointerException: localApplicationInstanceCertificate is null
at org.opcfoundation.ua.transport.security.SecurityConfiguration.(Unknown Source)
at org.opcfoundation.ua.transport.tcp.io.TcpConnection.initialize(Unknown Source)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(Unknown Source)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(Unknown Source)
at org.opcfoundation.ua.application.Client.createSecureChannel(Unknown Source)
at com.prosysopc.ua.client.UaClient.o(Unknown Source)
at com.prosysopc.ua.client.UaClient.connect(Unknown Source)
at com.prosysopc.ua.samples.client.Historical_data.main(Historical_data.java:32)

looking for your help.
Regards

March 31, 2017
17:08, EEST
Avatar
Heikki Tahvanainen
Member
Members
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hello,

The error message states that “localApplicationInstanceCertificate is null”.

You mentioned in the first post that “Security function(Sign &Encr, Sign) works fine when I connect SampleConsole Client “.

So, it sounds like there’s something wrong with the application instance certificate of your client application. How are you creating the ApplicationIdentity in your client? You can look at the SampleConsoleClient.initialize method for example.

April 7, 2017
20:42, EEST
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

Hi Heikki,

I solved this problem (“localApplicationInstanceCertificate is null). Now I can create the certificate as my consoleClient creates, I manually trusted the certificates in the simulation server.For Https the code works. when I tried to connect with tcp it shows the following error!

04/07/2017 20:16:46.548 INFO Reading application certificate from C:\Users\peter\workspace\OPCua\PKI\CA\private\tk3.der
04/07/2017 20:16:46.554 INFO Reading private key from keystore C:\Users\peter\workspace\OPCua\PKI\CA\private\tk3.pem
04/07/2017 20:16:48.528 INFO HTTPS certificate loaded from PKI\CA\private\tk3_https.der
04/07/2017 20:16:48.539 INFO HTTPS private key loaded from PKI\CA\private\tk3_https.pem
04/07/2017 20:16:51.190 INFO Certificate ‘A1BB7AAB953B4B6C677451A3E14BE0B2679169D3’ added to rejected certificates.

Exception in thread “main” com.prosysopc.ua.ServiceException: Invalid server certificate ServiceResult=Bad_SecurityChecksFailed (0x80130000) “An error occurred verifying security.” Diagnostics=Diagnostic Info:
Invalid server certificate
at com.prosysopc.ua.client.UaClient.connect(Unknown Source)
at com.prosysopc.ua.samples.client.Uaclient.main(Uaclient.java:36)

I even copied the certificate from rejected folder to certs folder.As of now, I am using.BASIC128RSA15_SIGN for security mode. Looking for your help.

April 10, 2017
12:34, EEST
Avatar
Heikki Tahvanainen
Member
Members
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hello,

The line

04/07/2017 20:16:51.190 INFO Certificate ‘A1BB7AAB953B4B6C677451A3E14BE0B2679169D3’ added to rejected certificates.

tells that the client application does not trust the server certificate.

I think the problem is very simple: you mentioned that “I even copied the certificate from rejected folder to certs folder.”

When you copy the file, it will still reside in the rejected folder. You need to move the file, so that it will only reside in certs folder.

Also, please see the MyCertificateValidationListener example in the SDK package. This shows an example on how you can prompt the user for validation, if necessary.

April 12, 2017
13:33, EEST
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

Hi Heikki,

sorry being silly, i didn’t get this part.
I have moved the certificate from rejected folder to certs, but this time a new error came which is

Failed to create secure channel to server: : opc.tcp://Peter-PC.mshome.net:53530/OPCUA/SimulationServer [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,Sign] ServiceResult=Bad_SecurityChecksFailed (0x80130000) “An error occurred verifying security.”

I self-trusted the certificates in the server, and there is no certificate in rejected folder. I would like you to check my code, I might make some mistake

final PkiFileBasedCertificateValidator validator = new PkiFileBasedCertificateValidator();
client.setCertificateValidator(validator);
validator.setValidationListener(validationListener);

//*** Application Description is sent to the server
ApplicationDescription appDescription = new ApplicationDescription();
appDescription.setApplicationName(new LocalizedText(“tk3″+ “Peter-PC.mshome.net”));
appDescription.setApplicationUri(“urn:Peter-PC.mshome.net:UA:”+”tk3”);
appDescription.setProductUri(“urn:prosysopc.com:UA:”+”tk3”);
appDescription.setApplicationType(ApplicationType.Client);
//ApplicationIdentity
final ApplicationIdentity identity = ApplicationIdentity.loadOrCreateCertificate(appDescription,”Sample Organisation”, “opcua”,
privatePath,issuerCertificate,keySizes,true); // i kept the issuerCertificate and Keysize as null;

//Create the HTTPS certificate.
String hostName = InetAddress.getLocalHost().getHostName();
identity.setHttpsCertificate(ApplicationIdentity.loadOrCreateHttpsCertificate(appDescription, hostName, “opcua”,issuerCertificate,
privatePath, true));
client.setApplicationIdentity(identity);

What I think is the certificate is not validating correctly, my client cant able to get the certificate from PKI\CA\certs\ . I don’t know exactly it’s just a guess! looking for your suggestion ..

April 13, 2017
15:43, EEST
Avatar
Heikki Tahvanainen
Member
Members
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hi,

Based on the error message, there’s some issue with the client application certificate which makes the certificate validation fail in the Simulation Server application.

One thing to note in the above code is that you don’t have to use hard-coded hostnames such as ‘Peter-PC.mshome.net’. Instead, you should use ‘localhost’ in ApplicationName and ApplicationURI. All lower case ‘localhost’ in the ApplicationName and ApplicationURI is converted to the actual host name of the computer in which the application is run.

appDescription.setApplicationName(new LocalizedText(APP_NAME + "@localhost"));
appDescription.setApplicationUri("urn:localhost:OPCUA:" + APP_NAME);

Also, after making this modification, you need to delete the previous certificate and private key from the PKI folder. Otherwise, the loadOrCreateCertificate will load the previous files.

Please try making these modifications and see if the connection works then.

April 19, 2017
13:06, EEST
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

Hi Heikki,

The above problem is solved. As I can able to get the output from the server, still the certificate uri is not matching, there is no error, but I would like to know the problem why the uri is not matching. and another problem is even if I trusted my certificate (always), because of the different uri I have to trust the certificate every time.

** The Server Certificate :
Subject : DC=DESKTOP-6FRQH0D, O=Prosys OPC, CN=SimulationServer, Issued by : DC=DESKTOP-6FRQH0D, O=Prosys OPC, CN=SimulationServer
Valid from: Sat Apr 01 14:29:22 CEST 2017, to: Tue Mar 30 15:29:22 CEST 2027

* The Certificate URI DOES NOT MATCH the ApplicationDescription URI!
ApplicationURI in ApplicationDescription = urn:Peter-PC.mshome.net:OPCUA:SimulationServer
ApplicationURI in Certificate = urn:DESKTOP-6FRQH0D:OPCUA:SimulationServer
* The Certificate is self-signed.

Note: If the certificate is not OK, you will be prompted again, even if you answer ‘Always’ here.

Do you want to accept this certificate? (A=Always, Y=Yes, this time, N=No) (D=Show Details of the Certificate)
A
04/19/2017 11:48:02.900 INFO Certificate ‘A1BB7AAB953B4B6C677451A3E14BE0B2679169D3’ added to trusted certificates.
328

My desktop name is Peter-PC I checked again, I am looking for your suggestion.

regards
peter

April 24, 2017
10:43, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1026
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

The URI is not matching if the hostname of the computer has changed after you have created the certificate for the server (i.e. started it for the first time). You should go to the PKI directory of the Simulation Server (see the User Manual) and remove the files from the ‘private’ directory. After restarting the server, it will recreate the certificates with the current hostname.

The client implementation, which decides whether the certificate is trusted or not and which affects the behaviour, when you press ‘Always’ is just a sample, and it may be possible to modify it to accept the invalid certificate in future. See the MyCertificateValidationListener class (in SDK samples) for the details.

April 28, 2017
13:43, EEST
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

I have done the correction, now i facing one more problem i can abe to run all the security configuration in my JAVA IDE.
If i convert the same program into a runnable jar file i can’t able to read the values. it generated a PKI folder where my jar file is located inside that: PKI\CA\private i have the certificates and i trusted certificate of the jar file in the server too.

But the runnable jar file is working when there is no security methods are choosen
Is it due to i cant able to trust my certificate? (A=Always, Y=Yes, this time, N=No) (D=Show Details of the Certificate) in my runnable jar file?

April 28, 2017
16:48, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1026
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

Yes, the application needs to be able to add files in the PKI folder that you define. So, you should define a location in the target computer, instead of inside the .jar.

April 28, 2017
19:14, EEST
Avatar
peterrob45
Member
Members
Forum Posts: 25
Member Since:
March 9, 2017
sp_UserOfflineSmall Offline

Yup, Its working fine. Thanks for your suggestion!

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
23 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 727

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1529

Posts: 6471

Newest Members:

ellis87832073466, zkxwilliemae, gabriellabachus, Deakin, KTP25Zof, Wojciech Kubala, efrennowell431, wilfredostuart, caitlynfajardo, jeromechubb7

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1032, Jimmy Ni: 26, Matti Siponen: 349, Lusetti: 0

Administrators: admin: 1