Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Errro in accessing OPC UA Simulation server with HTPPS
January 22, 2018
9:04, EEST
Avatar
shwetak
Member
Members
Forum Posts: 9
Member Since:
January 22, 2018
sp_UserOfflineSmall Offline

I am using OPC UA Simulation server to test OPC UA client. I am able to access the server using UA tcp, but facing an issue while connecting to server using HTTPS. It gives BadCertificate error with following description :
at Opc.Ua.WcfChannelBase`1.Initialize(ApplicationConfiguration configuration, EndpointDescription description, EndpointConfiguration endpointConfiguration, Binding binding, X509Certificate2 clientCertificate, String configurationName)
at Opc.Ua.SessionChannel.Create(ApplicationConfiguration configuration, EndpointDescription description, EndpointConfiguration endpointConfiguration, X509Certificate2 clientCertificate, ServiceMessageContext messageContext)
at CAS.OPC.UA.Viewer.Controls.SessionTreeCtrl.Connect(ConfiguredEndpoint endpoint)
at CAS.OPC.UA.Viewer.Controls.ClientForm.Connect(ConfiguredEndpoint endpoint)
at CAS.OPC.UA.Viewer.Controls.ClientForm.EndpointSelectorCTRL_ConnectEndpoint(Object sender, ConnectEndpointEventArgs e)

Can you please guide me on how to connect with HTTPS using SSL/TSL certificate. Also share information how to generate CA certificate(dummy certificate for testing) for ProSys simulation server ?

Thanks.

January 22, 2018
16:56, EEST
Avatar
Heikki Tahvanainen
Moderator
Members

Moderators
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hello,

The error is reported by the OPC UA client application that you’re using. We are not the makers of the mentioned client application so we cannot know right away why the validation fails. To even give you a hint, we would need to know the exact error code that you receive. As an example, you might receive error stating Bad_CertificateTimeInvalid or Bad_CertificateUntrusted. Mentioning “BadCertificate” does not give us any meaningful information.

Furthermore, what is the Client application that you’re using? Have you made sure it even supports the HTTPS communication? The binary TCP communication is much more widely used than the HTTPS communication. Only few OPC UA client applications actually support HTTPS.

January 23, 2018
6:45, EEST
Avatar
shwetak
Member
Members
Forum Posts: 9
Member Since:
January 22, 2018
sp_UserOfflineSmall Offline

Hi Heikki,

Thanks for reply!
I am using Generic client provided by OPC UA Quick start.
I have also tried to establish HTTPS communication between Prosys simulation server and Prosys Client.
In Prosys client,In user Authentication window, after adding certificate ..\.prosys\SimulationServer\PKI\CA\private\SimulationServer_https.der and key file SimulationServer_https.pem, a pop up appeared for password. In Prosys server there is no field provided to set password for HTTPS certificate. So I tried ‘opcua’ as a password, then error “Could not load private key: Given final block not properly padded” is displayed.
So, Can you please share the steps for generating password for certificate used in HTTPS communication?
or, please guide me to establish HTTPS communication between ProSys server and ProSys Client?

January 23, 2018
13:07, EEST
Avatar
Heikki Tahvanainen
Moderator
Members

Moderators
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hi Shwetak,

Allright, thank you for the information. If I understood correctly, we are now talking about the example client application supplied together with OPC Foundation’s .NET stack. These sample applications will indeed support HTTPS communication. The error probably happens because the client application does not trust the CA certificate of Simulation Server.

To answer your original question:
1) You need to obtain the SimulationServerCA.der file from the Prosys OPC UA Simulation Server installation. This file resides in “PKI\CA\private” folder. Simulation Server manual chapter “File locations” explains the exact locations.
2) You need to place this CA certificate into the trust store of the client application. For exact instructions, please see the client application documentation. I’m not an expert on OPC Foundation documentation, but this page seems to explain the concepts: https://opcfoundation.github.io/UA-.NET/help/https_connectivity.htm
3) Now the connection should work.

This manual trusting is necessary because the Prosys OPC UA Simulation Server application instance certificates are not signed by a “real” Certificate Authority, but instead they are self-signed.

To answer your second question “please guide me to establish HTTPS communication between ProSys server and ProSys Client”:

You only need to place the connection url to the client applications’s address bar at the top of the window. On the right hand side of the address bar, there is a button for connecting and disconnecting with the server. With Prosys OPC UA Client and Prosys OPC UA Simulation Server, the https connection will work without trusting any certificates manually.

January 23, 2018
13:43, EEST
Avatar
shwetak
Member
Members
Forum Posts: 9
Member Since:
January 22, 2018
sp_UserOfflineSmall Offline

Hi Heikki

Right now I am tiring to establish HTTPS connection between Prosys Server and Prosys client with User authentication mode set to “Certificate”.
I have configured Prosys server and Client with User authentication mode “Anonymous”, I am able to establish HTTPS connection between Prosys Server and Prosys client .
I have also tried with setting User authentication mode to “Username & password” for both Prosys server and client, I am able to establish HTTPS connection between Prosys Server and Prosys client .
Now, when I tried with setting User authentication mode to “Certificate and private key” for both Prosys server and client, I am facing an issue while establishing connection.
When I am adding certificate and private key from folder PKI\CA\private to User authentication window present in Prosys client, a pop up window appeared for password to access private key file. I am not aware of “which” password. So I entered “opcua”, then private key field set to “Could not load private key: Given final block not properly padded”. If I ignored the password and tried to connecting the server, It gives User identification error window with message: “Server rejected selected identification ( wrong username or password, certificate or private key ” on Prosys Client (I am not able to add snapshot here).
So can you please guide me how to connect HTTPS mode when User authentication mode to “Certificate and private key”, also provide information of password for private key file. Is it possible to you to share your email id so I can share the error snapshot with you.

January 23, 2018
17:33, EEST
Avatar
Heikki Tahvanainen
Moderator
Members

Moderators
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hi Shwetak,

Thank you for a good explanation. As you already mentioned yourself, the error message “Could not load private key” happens because the password is wrong. If I understood correctly, you tried to use Prosys OPC UA Simulation Server application instance certificate as the user authentication certificate. The reason why this failed is that the password for the private key is not “opcua”.

At this point it’s good to note that the application instance certificates are not meant to be used as user certificates. The correct way would be to provide some separate user-level certificates which are unique to each user. As an example, you could create X509 certificates with OpenSSL and use them to authenticate.

However, you can technically use the application instance certificate also for the user level authentication. For Prosys OPC UA Client, these are the files “ProsysOpcUaClient.der” and “ProsysOpcUaClient.pem”. Password for the pem file is “opcua”.

The error message “Server rejected selected identification” means that the server does not trust the selected user certificate. In other words, you can find the user certificate at “SimulationServer\USERS_PKI\CA
ejected” folder. Then you need to manually move this certificate to the “SimulationServer\USERS_PKI\CA\certs” folder. After this, the Simulation Server trusts this user certificate and the connection is succesful.

January 24, 2018
10:40, EEST
Avatar
shwetak
Member
Members
Forum Posts: 9
Member Since:
January 22, 2018
sp_UserOfflineSmall Offline

Thanks Heikki,

Finally…I am able to establish HTTPS connection between Prosys server and client, with User authentication mode to “Certificate and private key”.
I have been using the certificate from wrong folder i.e. server’s own certificate present in Private folder instead of client certificate present in cert folder!!!!

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 267

Currently Online:
14 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 100

pramanj: 86

ibrahim: 70

kapsl: 57

gjevremovic: 49

TimK: 41

Fransua33: 39

fred: 37

Rainer Versteeg: 32

Thomas Reuther: 26

Member Stats:

Guest Posters: 0

Members: 1058

Moderators: 14

Admins: 1

Forum Stats:

Groups: 3

Forums: 14

Topics: 981

Posts: 4145

Newest Members:

mats989, Sebastien Petitrenaud, sting2005, Ron Hoppe, Seb, p.devito, g.ilengo, MohamedLazrek, brittr83165991, martintinsley9

Moderators: Jouni Aro: 846, Otso Palonen: 32, Tuomas Hiltunen: 5, janimakela: 0, Pyry: 1, Terho: 0, Petri: 0, Bjarne Boström: 523, Heikki Tahvanainen: 402, Jukka Asikainen: 1, Teppo Uimonen: 20, Markus Johansson: 18, Matti Siponen: 31, Lusetti: 0

Administrators: admin: 0