Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
How to add own certificates in Prosys opcua simulation server (in certificates tab)?
January 31, 2020
13:23, EEST
Avatar
shitaljadhav
Member
Members
Forum Posts: 4
Member Since:
January 31, 2020
sp_UserOfflineSmall Offline

Hi,
I am using ‘https://github.com/open62541/open62541/’ this opcua library. Created certificates using ‘tools/certs/create_self-signed.py’ file. After running this file it generates server_cert.der and server_key.der files. Now I want to add this certificate and key file in Prosys OPCUA Simulation Server(in Certificates tab). So that I can connect with my opcua cpp client.

Could you please tell me how I can add these certificates to Prosys Opcua Simulation Server (in Certificate tab)?

Thanks in advance.

January 31, 2020
15:00, EEST
Avatar
Markus Johansson
Moderator
Members

Moderators
Forum Posts: 11
Member Since:
August 6, 2019
sp_UserOfflineSmall Offline

Hi,

When you try to connect to the server with a secured connection the certificate should appear in the Certificates tab. Then you can right-click it to trust it.

February 17, 2020
8:40, EEST
Avatar
shitaljadhav
Member
Members
Forum Posts: 4
Member Since:
January 31, 2020
sp_UserOfflineSmall Offline

I have added certificate as trusted but still client is not getting connected to prosys opcua server. It gives following error :-

——————————–
INFO::OPCUA_SERVER_ADDRESS opc.tcp://host.docker.internal:53530/OPCUA/SimulationServer
[2020-02-17 11:11:00.196 (UTC+0550)] info/client Connecting to endpoint opc.tcp://host.docker.internal:53530/OPCUA/SimulationServer
[2020-02-17 11:11:00.196 (UTC+0550)] warn/client The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2020-02-17 11:11:00.197 (UTC+0550)] warn/client The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
[2020-02-17 11:11:00.202 (UTC+0550)] warn/client The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic256
[2020-02-17 11:11:00.205 (UTC+0550)] warn/client The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
[2020-02-17 11:11:00.206 (UTC+0550)] info/client SecurityPolicy not specified -> use default #None
[2020-02-17 11:11:00.248 (UTC+0550)] info/client TCP connection established
[2020-02-17 11:11:00.252 (UTC+0550)] info/channel Connection 528 | SecureChannel 6 | Opened SecureChannel with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2020-02-17 11:11:00.252 (UTC+0550)] info/client Endpoint and UserTokenPolicy unconfigured, perform GetEndpoints
…OK
[2020-02-17 11:11:00.259 (UTC+0550)] info/client Found 11 endpoints
[2020-02-17 11:11:00.259 (UTC+0550)] info/client Rejecting endpoint 0: security policy not available
[2020-02-17 11:11:00.259 (UTC+0550)] info/client Endpoint 1 has 5 user token policies
[2020-02-17 11:11:00.260 (UTC+0550)] info/client Selected Endpoint opc.tcp://host.docker.internal:53530/OPCUA/SimulationServer with SecurityMode Sign and SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
[2020-02-17 11:11:00.261 (UTC+0550)] info/client Selected UserTokenPolicy anonymous with UserTokenType Anonymous and SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
[2020-02-17 11:11:00.261 (UTC+0550)] info/client Disconnect to switch to a different SecurityPolicy
[2020-02-17 11:11:00.262 (UTC+0550)] info/client Connecting to endpoint opc.tcp://host.docker.internal:53530/OPCUA/SimulationServer
[2020-02-17 11:11:00.262 (UTC+0550)] warn/client The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2020-02-17 11:11:00.263 (UTC+0550)] warn/client The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
[2020-02-17 11:11:00.264 (UTC+0550)] warn/client The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic256
[2020-02-17 11:11:00.265 (UTC+0550)] warn/client The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
[2020-02-17 11:11:00.269 (UTC+0550)] info/client TCP connection established
[2020-02-17 11:11:00.375 (UTC+0550)] info/channel Connection 528 | SecureChannel 7 | Opened SecureChannel with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
[2020-02-17 11:11:00.379 (UTC+0550)] info/client Received a ServiceFault response with StatusCode BadServiceUnsupported
[2020-02-17 11:11:00.379 (UTC+0550)] error/client Could not open a Session with StatusCode BadServiceUnsupported

UA_Client_getState :: 0
————————————————————————————-
Suggest some solution.

February 17, 2020
14:27, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 491
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Ask help on that projects’s github page.

Alternatively provide some kinds of examples + steps to reproduce this.

Check with wireshark (https://www.prosysopc.com/blog/opc-ua-wireshark/)? Is the client actually connecting to the correct address i.e. does the “Hello” Message contain the proper EndpointUrl with the “…/OPCUA/SimulationServer” part. Check what service call failed and returned that service fault. What were it’s parameters? Note that you have to use Sign (not Sign&Encrypt) in order to see the calls.

Check SimulationServer’s logs at /.prosysopc/prosys-opc-ua-simulation-server/log

Generally our server’s has been working with normal clients that have been participating in the OPC Foundation’s IOP workshops. If we have errors, we can fix them if we know what they are.

February 18, 2020
9:42, EEST
Avatar
shitaljadhav
Member
Members
Forum Posts: 4
Member Since:
January 31, 2020
sp_UserOfflineSmall Offline

Thanks for reply. I tried to capture packets using wireshark and it is giving following information –
76 Hello Message
72 Acknowledge Message
176 OpenSecureChannel message: OpenSecureChannelRequest
179 OpenSecureChannel message: OpenSecureChannelResponse
172 UA Secure Conversation Message: GetEndpointsRequest
1928 UA Secure Conversation Message: GetEndpointsResponse
101 CloseSecureChannel message: CloseSecureChannelRequest

Steps to reproduce this issue –
step 1: Use following code for connection with opcua server
UA_ByteString certificate = loadFile(cert_file_path.c_str());
UA_ByteString privateKey = loadFile(key_file_path.c_str());

/* Load the trustList. Load revocationList is not supported now */
size_t trustListSize = 0;
if (argc > MIN_ARGS)
trustListSize = (size_t)argc – MIN_ARGS;
UA_STACKARRAY(UA_ByteString, trustList, trustListSize);
for (size_t trustListCount = 0; trustListCount < trustListSize; trustListCount++){
trustList[trustListCount] = loadFile(argv[trustListCount + 4]);
std::cout << " Trustlist [trustListCount] " << (trustList[trustListCount]).data << ", i = " << trustListCount <securityMode = UA_MESSAGESECURITYMODE_SIGNANDENCRYPT;
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);

UA_ByteString_clear(&certificate);
UA_ByteString_clear(&privateKey);
for (size_t deleteCount = 0; deleteCount securityMode = UA_MESSAGESECURITYMODE_SIGNANDENCRYPT; /* require encryption */

/*UA_Client* client = UA_Client_new();
UA_ClientConfig* cc = UA_Client_getConfig(client);
UA_ClientConfig_setDefault(cc);
cc->timeout = msSleep;*/

UA_StatusCode retval = UA_Client_connect(client, endpointUrl.c_str()); /// ——- Getting error after this line as (Could not open a Session with StatusCode BadServiceUnsupported)
if (retval != UA_STATUSCODE_GOOD) {
UA_Client_delete(client);
return EXIT_FAILURE;
}
Step 2: Endpoint url is “opc.tcp://host.docker.internal:53530/OPCUA/SimulationServer”

February 18, 2020
12:06, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 491
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Check SimulationServer’s logs at (your home folder)/.prosysopc/prosys-opc-ua-simulation-server/log, if the client sent something we do not support (or client is not allowed to send), a line showing “Service {name} is not supported” should be visible on the INFO level (and this is the default logging level so it should show up). For example, if it so were to happen that the client would call FindServersOnNetwork, you would get that error, since that service call is only allowed to be called for DiscoveryServers (not normal servers, those can still however reply to FindServers).

If it were that FindServersOnNetwork then you will need to report a bug to that projects github page (and somehow connect without calling that as a workaround where possible).

If not, let us know what it was.

If the log does not show anything, check more with wireshark. NOTE!! As I said, you need to use Sign (NOT Sign&Encrypt) if you wish to see anything useful if wireshark. Your log only shows the first part, nothing wrong there (as far as I can see). Typically client will make 2 connections, first one without security that can call GetEndpoints (since these are needed for other calls later and that can/must be called without security). Then that is closed and a separate is opened with the selected security mode. Somewhere there one of these calls fails. That would be the one to look for (and all other calls before it as well).

Normally the wireshark should look something like this (need None or Sign, as otherwise on Sign&Encrypt after the secure channel is formed (the second time) the messages are encrypted thus not something wireshark would understand):
Hello
Acknowledge
OpenSecureChannelRequest
OpenSecureChannelResponse
GetEndpointsRequest
GetEndpointsResponse
CloseSecureChannelRequest
probably wont see CloseSecureChannelResponse, client usually terminates the socket after the request
Hello
Acknowledge
OpenSecureChannelRequest
OpenSecureChannelResponse
CreateSessionRequest
CreateSessionResponse
ActivateSessionRequest
ActivateSessionResponse
(your calls then)

There might be some small variations, but mostly like that.

P.S.
Please note, we wont generally debug your code for you, not even if you were our SDK customer, our normal technical support _only_ covers fixing bugs, but it would even then be upto you to show differences to the specification (i.e. tell what we do wrong). _Everything else_ is just goodwill from our part. Though if you were to use our SDKs it would be a lot easier to help.. Out of interop interest we have tried to use the lib now a short while ourselves, but that seems to be non-trivial (outside of simple None security mode connection, that does work).

February 21, 2020
6:50, EEST
Avatar
shitaljadhav
Member
Members
Forum Posts: 4
Member Since:
January 31, 2020
sp_UserOfflineSmall Offline

Hi,
I tried to connect opcua client to Top Server with encryption and the connection was successful. Then I did same settings and used same certificates in Prosys OPCUA Server but getting the same error as follows :-

[2020-02-21 10:17:13.902 (UTC+0550)] info/client TCP connection established
[2020-02-21 10:17:14.093 (UTC+0550)] info/channel Connection 440 | SecureChannel 2 | Opened SecureChannel with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
[2020-02-21 10:17:14.101 (UTC+0550)] info/client Received a ServiceFault response with StatusCode BadServiceUnsupported
[2020-02-21 10:17:14.101 (UTC+0550)] error/client Could not open a Session with StatusCode BadServiceUnsupported

Does this mean the client has requested for some service ans server does not support that service?
Am I correct?

February 21, 2020
9:37, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 491
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Please read the previous post of mine above yours and check the log files as I instructed.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 267

Currently Online:
11 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 93

pramanj: 86

ibrahim: 69

kapsl: 57

gjevremovic: 49

TimK: 41

Fransua33: 39

fred: 36

Rainer Versteeg: 32

Thomas Reuther: 26

Member Stats:

Guest Posters: 0

Members: 990

Moderators: 13

Admins: 1

Forum Stats:

Groups: 3

Forums: 14

Topics: 945

Posts: 3987

Newest Members:

jerrodharness1, chandrahollis, kandimilano0008, deonbracewell, swati kulha, muoipoupinel64, lannybroadway, 12315544121666, Joel Mariadasan, alfonsobarringto

Moderators: Jouni Aro: 837, Otso Palonen: 32, Tuomas Hiltunen: 5, janimakela: 0, Pyry: 1, Terho: 0, Petri: 0, Bjarne Boström: 491, Heikki Tahvanainen: 402, Jukka Asikainen: 1, Teppo Uimonen: 18, Markus Johansson: 11, Matti Siponen: 8

Administrators: admin: 0