Log In
Register
Forum
Topic RSS
13:23, EEST
July 17, 2023
Offline
I am currently involved in OPC development activities and have been utilizing the Prosys simulation server for testing purposes. I wanted to bring to your attention an issue that arose after upgrading our server from version 4.0.2-108 to 5.4.6-148
Specifically, we encountered a problem when attempting to connect with the OPC client using a user certificate. Unfortunately, this connection now fails, whereas it was functioning correctly before the server upgrade. As this use case was previously working without any issues, I am eager to gather more information about the latest server upgrade. Below is the MATLAB API we are using for connecting using the user certificate (https://ch.mathworks.com/help/icomm/ug/opc.ua.client.connect.html#d124e20465):
connect(UaClient,PublicKeyFilename,PrivateKeyFileName,PrivateKeyPassword)
I kindly request your assistance in providing additional details regarding the changes implemented in the recent server upgrade. Specifically, I would appreciate any insights into modifications or updates that may have affected the compatibility of user certificates with the OPC client connections. Understanding these changes will significantly aid in resolving the connection failure and ensuring the smooth functioning of our OPC development activities.
Thank you in advance for your attention to this matter. I look forward to receiving your response and any information you can provide. If you require any further clarification or additional details from my end, please do not hesitate to let me know.
13:40, EEST
April 3, 2012
Offline
Hi,
I think that old version was just very basic and thus just accepted all user-certs, if that user auth mode was on. Now it behaves similar to the normal connection/ApplicationInstanceCertificates and they must be trusted first. Though, the only way currently to do this is by via moving files on disk. User-authentication certs is a bit less used feature of OPC UA, but eventually we should build some UI for this (priority has been on the simulation features).
Ensure the user-certificate is in the directory (note the dot before ‘prosysopc’): (user.home)/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs/ and NOT in (user.home)/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/rejected (if it is in both, it is rejected). If you have tried to authenticate with it once, it should be in the rejected folder and you can simply move (not copy) the certificate to the ‘certs’ and it should then just work.
Alternatively it could be something else, but please check this first
15:52, EEST
July 17, 2023
Offline
Hi,
We have tried this. Even after having the user certificate in the folder: C:/Users//.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs/, we are facing the error in connection such as “The user identity token is valid but the server has rejected it.” in the MATLAB side.
16:12, EEST
April 3, 2012
Offline
Could you still doublecheck that you do not have the cert file also in the (user.home)/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/rejected folder?
Can you try using https://www.prosysopc.com/products/opc-ua-browser/ and the same user-cert? Does this work? If yes, cert is valid and the difference is most likely something in the client side. Is using https://www.prosysopc.com/blog/opc-ua-wireshark/ an option to see (you’ll need to use the NONE security mode) is there a difference?
If no, then most likely in the server side.
Is there an option to send a test certificate via email so we could try to check this locally?
Can you check does the log file show anything? it is in folder (user.home)/.prosysopc/prosys-opc-ua-simulation-server/log/
12:35, EEST
April 3, 2012
Offline
Adding this short note for future readers.
In this case the user-cert missed the ‘nonRepudiation’ bit that the current SDK does check (in the past it didn’t), if this error happens it is visible in the application log file.
SDK does contain a flag to disable this, but the simulation server application doesn’t yet have that. Anyway, this can at least be solved by making a new user-cert that contains the bit.
Most Users Ever Online: 518
Currently Online:
7 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
hbrackel: 135
pramanj: 86
Francesco Zambon: 81
rocket science: 77
Ibrahim: 76
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
TimK: 41
Member Stats:
Guest Posters: 0
Members: 682
Moderators: 16
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1467
Posts: 6261
Newest Members:
digitechroshni, LouieWreve, Kickbiche, karrimacvitie5, graciela2073, sagarchau, elviralangwell4, Donnavek, Eddiefauth, DonaldPoomaModerators: Jouni Aro: 1010, Otso Palonen: 32, Tuomas Hiltunen: 5, Pyry: 1, Petri: 0, Bjarne Boström: 983, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 26, Teppo Uimonen: 21, Markus Johansson: 42, Niklas Nurminen: 0, Matti Siponen: 321, Lusetti: 0, Ari-Pekka Soikkeli: 5
Administrators: admin: 1
