Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Not able to connect using user certificate with newer OPC UA simulation server
July 17, 2023
13:23, EEST
Avatar
sukruttamhankar
New Member
Members
Forum Posts: 2
Member Since:
July 17, 2023
sp_UserOfflineSmall Offline

I am currently involved in OPC development activities and have been utilizing the Prosys simulation server for testing purposes. I wanted to bring to your attention an issue that arose after upgrading our server from version 4.0.2-108 to 5.4.6-148

Specifically, we encountered a problem when attempting to connect with the OPC client using a user certificate. Unfortunately, this connection now fails, whereas it was functioning correctly before the server upgrade. As this use case was previously working without any issues, I am eager to gather more information about the latest server upgrade. Below is the MATLAB API we are using for connecting using the user certificate (https://ch.mathworks.com/help/icomm/ug/opc.ua.client.connect.html#d124e20465):

connect(UaClient,PublicKeyFilename,PrivateKeyFileName,PrivateKeyPassword)

I kindly request your assistance in providing additional details regarding the changes implemented in the recent server upgrade. Specifically, I would appreciate any insights into modifications or updates that may have affected the compatibility of user certificates with the OPC client connections. Understanding these changes will significantly aid in resolving the connection failure and ensuring the smooth functioning of our OPC development activities.

Thank you in advance for your attention to this matter. I look forward to receiving your response and any information you can provide. If you require any further clarification or additional details from my end, please do not hesitate to let me know.

July 17, 2023
13:40, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1016
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Hi,

I think that old version was just very basic and thus just accepted all user-certs, if that user auth mode was on. Now it behaves similar to the normal connection/ApplicationInstanceCertificates and they must be trusted first. Though, the only way currently to do this is by via moving files on disk. User-authentication certs is a bit less used feature of OPC UA, but eventually we should build some UI for this (priority has been on the simulation features).

Ensure the user-certificate is in the directory (note the dot before ‘prosysopc’): (user.home)/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs/ and NOT in (user.home)/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/rejected (if it is in both, it is rejected). If you have tried to authenticate with it once, it should be in the rejected folder and you can simply move (not copy) the certificate to the ‘certs’ and it should then just work.

Alternatively it could be something else, but please check this first

July 17, 2023
15:52, EEST
Avatar
sukruttamhankar
New Member
Members
Forum Posts: 2
Member Since:
July 17, 2023
sp_UserOfflineSmall Offline

Hi,
We have tried this. Even after having the user certificate in the folder: C:/Users//.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs/, we are facing the error in connection such as “The user identity token is valid but the server has rejected it.” in the MATLAB side.

July 17, 2023
16:12, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1016
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Could you still doublecheck that you do not have the cert file also in the (user.home)/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/rejected folder?

Can you try using https://www.prosysopc.com/products/opc-ua-browser/ and the same user-cert? Does this work? If yes, cert is valid and the difference is most likely something in the client side. Is using https://www.prosysopc.com/blog/opc-ua-wireshark/ an option to see (you’ll need to use the NONE security mode) is there a difference?
If no, then most likely in the server side.

Is there an option to send a test certificate via email so we could try to check this locally?

Can you check does the log file show anything? it is in folder (user.home)/.prosysopc/prosys-opc-ua-simulation-server/log/

July 19, 2023
12:35, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1016
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Adding this short note for future readers.

In this case the user-cert missed the ‘nonRepudiation’ bit that the current SDK does check (in the past it didn’t), if this error happens it is visible in the application log file.

SDK does contain a flag to disable this, but the simulation server application doesn’t yet have that. Anyway, this can at least be solved by making a new user-cert that contains the bit.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
14 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 86

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 732

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1508

Posts: 6396

Newest Members:

elainesever, powhephenry, mamiecaldwell5, Lamasom, scsneed, berrybulcock, icerdraizomma, athenasummy5, vtaletbhcx, HaroldaDob

Moderators: Jouni Aro: 1019, Pyry: 1, Petri: 0, Bjarne Boström: 1016, Jimmy Ni: 26, Matti Siponen: 340, Lusetti: 0

Administrators: admin: 1