Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Simulation Server public key file
April 29, 2021
15:05, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

Hi,

I am creating a OPCUA client in C/C++ using the S2OPC library and testing it against Prosys OPCUA simulation server.

When I use security mode as none, I am able to subscribe to and get data change notifications from Prosys server. But when I configure security mode as “Sign” or “SignAndEncrypt”, I run into various issues. I am using PKI files from Prosys simulation server and Prosys UA browser settings from my home directory.

I basically need to configure following file paths in S2OPC connection config structure:

path_cert_auth – Zero-terminated path to the root certificate authority in the DER format
path_cert_srv – Zero-terminated path to the server certificate in the DER format, signed by the root certificate authority
path_cert_cli – Zero-terminated path to the client certificate in the DER format, signed by the root certificate authority
path_key_cli – Zero-terminated path to the client private key which is paired to the public key signed server certificate, in the DER format
path_crl – Zero-terminated path to the certificate revocation list in the DER format

I tried following values:

cfg_con.path_cert_auth = NULL;
cfg_con.path_cert_srv = QUOTE(/home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.der);
cfg_con.path_cert_cli = QUOTE(/home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs/2701EA950B90C37CDDEE5E2BE28870BE172EBCEE.der);
cfg_con.path_key_cli = QUOTE(/home/nerd039/.prosysopc/prosys-opc-ua-browser/PKI/CA/private/UaBrowser@nerd-vb_2048.der);
cfg_con.path_crl = NULL;
cfg_con.disable_certificate_verification = true;

Can someone please verify if these are the correct files to use? Particularly, I am not sure which one is the server public certificate file?

And also there is no CRL der file that I can use. And if I have to generate one that works with other PKI files, I probably need private key of the CA that signed the server certificate.

And if I generate all the 5 files needed above, I don’t know how to configure the server private key in “~/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/” folder.

Please provide your inputs.
1
Best,
Aman

April 29, 2021
16:51, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 877
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

The keys that the apps create themselves are self-signed.

You seem to use the .der files for them all – they are the certificates of the apps. Use the .pem for the private key, if you really need that.

I don’t quite understand though, why you want to use the keys of UaBrowser – your client should use keys of its own by default.

And in general, the private keys should not be used by anyone else, except the application itself. And for these apps, they are actually password protected, so you can’t read them just like that either.

So, I would expect that your client app creates its own private key and certificate and then you make it trust the server certificate and also make the server trust the certificate of your client.

April 29, 2021
18:16, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

Thanks for your reply.

I am not very familiar with PKI topic, so please excuse my ignorance.

As a first cut, I was actually trying to just replicate the existing PKI settings between Prosys server & browser to my client app also.

With your inputs, I was able to make some progress.

I converted client-side private key from pem to der format and used it in S2OPC client code. S2OPC C++ library interface only works with der files, so this conversion is required.

$ openssl pkey -inform pem outform der -in ./prosys-opc-ua-browser/PKI/CA/private/UaBrowser@nerd-vb_2048.pem -out ./prosys-opc-ua-browser/PKI/CA/private/UaBrowser@nerd-vb_2048_key.der

Now I am setting:

cfg_con.path_cert_auth = NULL;
cfg_con.path_cert_srv = QUOTE(/home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.der);
cfg_con.path_cert_cli = QUOTE(/home/nerd039/.prosysopc/prosys-opc-ua-browser/PKI/CA/private/UaBrowser@nerd-vb_2048.der);
cfg_con.path_key_cli = QUOTE(/home/nerd039/.prosysopc/prosys-opc-ua-browser/PKI/CA/private/UaBrowser@nerd-vb_2048_key.der);
cfg_con.path_crl = NULL;

There is some progress and I get following logs/error:

install4j_142h50w-UaSimulationServer.desktop[30247]: 04/29/2021 20:24:55.700 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-1] com.prosysopc.ua.stack.transport.tcp.nio.f [] – OpcTcpServer(opc.tcp(/fe80:0:0:0:84b6:6f71:5a40:8031%enp0s3:53530, (opc.tcp://nerd-vb:53530 [[http://opcfoundation.org/UA/SecurityPolicy#None,None]])(opc.tcp://nerd-vb:53530/OPCUA/SimulationServer [[http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Basic256,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#None,None], [http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss,Sign]]))opc.tcp(/0:0:0:0:0:0:0:1%lo:53530, (opc.tcp://nerd-vb:53530 [[http://opcfoundation.org/UA/SecurityPolicy#None,None]])(opc.tcp://nerd-vb:53530/OPCUA/SimulationServer [[http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Basic256,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#None,None], [http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss,Sign]]))opc.tcp(/127.0.0.1:53530, (opc.tcp://nerd-vb:53530 [[http://opcfoundation.org/UA/SecurityPolicy#None,None]])(opc.tcp://nerd-vb:53530/OPCUA/SimulationServer [[http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Basic256,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#None,None], [http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss,Sign]]))opc.tcp(/192.168.1.250:53530, (opc.tcp://nerd-vb:53530 [[http://opcfoundation.org/UA/SecurityPolicy#None,None]])(opc.tcp://nerd-vb:53530/OPCUA/SimulationServer [[http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Basic256,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign], [http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#None,None], [http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss,Sign]]))): /127.0.0.1:52456 connected

install4j_142h50w-UaSimulationServer.desktop[30247]: 04/29/2021 20:24:55.709 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-2] com.prosysopc.ua.stack.cert.d [] – Certificate ‘2701EA950B90C37CDDEE5E2BE28870BE172EBCEE’ added to trusted certificates.
install4j_142h50w-UaSimulationServer.desktop[30247]: 04/29/2021 20:24:55.739 INFO [OPC-UA-Stack-Blocking-Work-Executor-7] com.prosysopc.ua.stack.transport.tcp.nio.h [] – SecureChannel opened; SecurityToken(Id=1, secureChannelId=3, creationTime=29-Apr-2021, 8:24:55 PM, lifetime=3600000)
install4j_142h50w-UaSimulationServer.desktop[30247]: 04/29/2021 20:24:55.748 INFO [OPC-UA-Stack-Blocking-Work-Executor-8] com.prosysopc.ua.stack.cert.d [] – Certificate ‘2701EA950B90C37CDDEE5E2BE28870BE172EBCEE’ added to trusted certificates.
install4j_142h50w-UaSimulationServer.desktop[30247]: 04/29/2021 20:24:55.768 INFO [OPC-UA-Stack-Blocking-Work-Executor-8] com.prosysopc.ua.server.ab [] – Session created: ServerAssigned ns=1;g=54aaab0e-0adf-4979-98b1-801545b17813 (ID=ns=1;g=54aaab0e-0adf-4979-98b1-801545b17813 Token=b=wE7llOQ2oty6lPMRwYl/6Y76LFSemfNsRgzS8JYKL18= Channel=(SecureChannelId=3 State=Open URL=opc.tcp://localhost:53530/OPCUA/SimulationServer SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic256 RemoteAddress=/127.0.0.1:52456))
S2OPC s3[6379]: ERROR: Session activation failed with status code 0x80AF0000
install4j_142h50w-UaSimulationServer.desktop[30247]: 04/29/2021 20:24:55.830 INFO [OPC-UA-Stack-Async-Selector] com.prosysopc.ua.stack.utils.asyncsocket.e [] – AsyncSocketInputStream.close(): unexpected untriggered monitor
S2OPC s3[6379]: ERROR: Received unexpected message or event (1792) in state 2, switching to error state
install4j_142h50w-UaSimulationServer.desktop[30247]: 04/29/2021 20:24:55.832 INFO [OPC-UA-Stack-Async-Selector] com.prosysopc.ua.stack.transport.tcp.nio.h [] – Secure Channel closed, token=SecurityToken(Id=1, secureChannelId=3, creationTime=29-Apr-2021, 8:24:55 PM, lifetime=3600000)
install4j_142h50w-UaSimulationServer.desktop[30247]: 04/29/2021 20:24:55.832 INFO [OPC-UA-Stack-Async-Selector] com.prosysopc.ua.stack.transport.a.a [] – Channel closed: Id=3

This client’s certificate has already been trusted in OPCUA sim server’s certificate tab. Would you know what went wrong here?

Yes, next I plan to create client’s new certificate and key as you suggested.

Best,
Aman

April 30, 2021
12:13, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

I created new keys and certificates using https://gitlab.com/systerel/S2OPC/-/blob/master/samples/ClientServer/data/cert/generate_certs.sh script.

Then copied them into /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/ as follows:

cp cakey.pem /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServerCA.pem
cp cacert.der /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServerCA.der

cp server_2k_key.pem /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.pem
cp server_2k_cert.der /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.der

OPCUA simulation server fails to start and I am getting following logs:

———————————————–
Apr 30 14:10:47 nerd-vb install4j_142h50w-UaSimulationServer.desktop[12008]: 04/30/2021 14:10:47.217 INFO [e STARTING] com.prosysopc.ua.app.simserver.license.e [] – License manager started.
Apr 30 14:10:47 nerd-vb install4j_142h50w-UaSimulationServer.desktop[12008]: 04/30/2021 14:10:47.219 INFO [a STARTING] com.prosysopc.ua.f [] – Reading application certificate from /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.der
Apr 30 14:10:47 nerd-vb install4j_142h50w-UaSimulationServer.desktop[12008]: 04/30/2021 14:10:47.220 INFO [a STARTING] com.prosysopc.ua.f [] – Reading private key from keystore /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.pem
Apr 30 14:10:47 nerd-vb install4j_142h50w-UaSimulationServer.desktop[12008]: 04/30/2021 14:10:47.222 DEBUG [a STARTING] com.prosysopc.ua.stack.utils.h [] – CryptoUtil init
Apr 30 14:10:47 nerd-vb install4j_142h50w-UaSimulationServer.desktop[12008]: 04/30/2021 14:10:47.223 DEBUG [a STARTING] com.prosysopc.ua.stack.utils.h [] – CryptoUtil init: random=SecureRandom
Apr 30 14:10:47 nerd-vb install4j_142h50w-UaSimulationServer.desktop[12008]: 04/30/2021 14:10:47.254 DEBUG [a STARTING] com.prosysopc.ua.stack.utils.h [] – Providers=[SUN version 11, SunRsaSign version 11, SunEC version 11, SunJSSE version 11, SunJCE version 11, SunJGSS version 11, SunSASL version 11, XMLDSig version 11, SunPCSC version 11, JdkLDAP version 11, JdkSASL version 11, SunPKCS11 version 11]
Apr 30 14:10:47 nerd-vb snapd[804]: 2021/04/30 14:10:47 Unsolicited response received on idle HTTP channel starting with “HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

408 Request Time-out

Your browser didn’t send a complete request in time.
“; err=
Apr 30 14:10:47 nerd-vb install4j_142h50w-UaSimulationServer.desktop[12008]: 04/30/2021 14:10:47.489 DEBUG [a STARTING] com.prosysopc.ua.f [] – Failed to read PEM: class org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to class org.bouncycastle.openssl.PEMEncryptedKeyPair (org.bouncycastle.asn1.pkcs.PrivateKeyInfo and org.bouncycastle.openssl.PEMEncryptedKeyPair are in unnamed module of loader ‘app’)
Apr 30 14:10:47 nerd-vb install4j_142h50w-UaSimulationServer.desktop[12008]: java.lang.ClassCastException: class org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to class org.bouncycastle.openssl.PEMEncryptedKeyPair (org.bouncycastle.asn1.pkcs.PrivateKeyInfo and org.bouncycastle.openssl.PEMEncryptedKeyPair are in unnamed module of loader ‘app’)
———————————————–

From https://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/openssl/PEMEncryptedKeyPair.html, it seems it contains both private and public keys? So I need to do something special with openssl command-line to get such a pair in a single pem file?

Please advise if that is correct process and if that’s the right way to configure new keys/certificates on server side?

Thanks,
Aman

April 30, 2021
12:38, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 877
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

Well, at least you are still mixing the certificate and private key – or seem to use the same file for both.

April 30, 2021
12:58, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

Hi,

Thanks for your reply.

I think you said “.pem” files are private keys and “.der” are certificates.

cp cakey.pem /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServerCA.pem
cp cacert.der /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServerCA.der

cp server_2k_key.pem /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.pem
cp server_2k_cert.der /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.der

>> install4j_142h50w-UaSimulationServer.desktop[12008]: 04/30/2021 14:10:47.220 INFO [a STARTING] com.prosysopc.ua.f [] – Reading private key from keystore /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.pem

Can you please pinpoint which file is incorrect? File details appended below. Greatly appreciate your help/inputs.

Best,
Aman

$ cat /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.pem
—–BEGIN PRIVATE KEY—–
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQChgISo3yhE0uCS
g2dsqWDqfCdpYtkFuwKQGslAfJvLppn8aH4qL0Zb68Jj31EBMjQx/FOiFv7Q0jIB
9BEH+IQCxaAe8AVafvhoJ0DkDht0UY67FgTMcP14U8IOMLX4+wsTgbAuJ3UxCWTd

LkgQoAgojQf6fNKflXw/VVmJqpxKM/tG/RdAbqNP4EGAgySYmyQ18TXMkVFubrrq
4H9/sq4RbppV0qVDLfZc0dw=
—–END PRIVATE KEY—–

$ openssl x509 -inform der -text -noout -in /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.der
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, ST = France, O = Systerel, CN = S2OPC Demo Certificate Authority for Tests, emailAddress = s2opc-support@systerel.fr
Validity
Not Before: Apr 21 11:50:39 2021 GMT
Not After : Apr 21 11:50:39 2023 GMT
Subject: C = FR, ST = France, O = Systerel, CN = S2OPC Demo Certificate for Server Tests
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a1:80:84:a8:df:28:44:d2:e0:92:83:67:6c:a9:
60:ea:7c:27:69:62:d9:05:bb:02:90:1a:c9:40:7c:
9b:cb:a6:99:fc:68:7e:2a:2f:46:5b:eb:c2:63:df:
51:01:32:34:31:fc:53:a2:16:fe:d0:d2:32:01:f4:

af:ad:d6:d1:86:fd:40:67:79:87:96:62:21:92:bc:
5f:f1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B1:BF:15:83:58:F9:E9:49:74:85:99:6B:1F:7B:F8:A3:8E:27:FF:48
X509v3 Authority Key Identifier:
keyid:91:39:06:DB:DB:23:47:96:3C:21:C5:CF:44:BC:52:E2:A8:A9:92:1B

X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
URI:urn:S2OPC:nerd-vb, DNS:nerd-vb
Signature Algorithm: sha256WithRSAEncryption
a1:6e:f8:92:04:c6:e8:55:59:c7:66:54:7b:bd:ec:1e:64:18:
03:6d:93:69:5c:44:08:81:93:8a:1f:d6:89:78:bd:f9:69:ac:
25:66:cc:17:e6:3e:b0:64:72:1a:c5:7f:4e:37:01:eb:fe:4c:

b5:df:0e:8b:1d:ac:46:c0:a0:08:a7:40:c1:52:af:4a:1e:26:
79:99:a3:02:cc:7b:de:f0:18:04:92:65:0c:5a:f4:1e:10:e8:
6a:ad:25:5a:ae:b1:e0:12

$ cat /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServerCA.pem
—–BEGIN RSA PRIVATE KEY—–
MIIJKQIBAAKCAgEAqwtXzKhyLSgf9gBszsPAR2T6y44/dvL605F8c/CVHFxHGAPh
euLUNIAxsGy1eIlZMr02qs5wXwyrn/HXy57oh3twEq0QVaukQE6OSPEjGj+z7B0U
3ftjnQOnv1x2kQkCQpHz6Vgn9Q4cdShElwZf2ZfOqWSN+iO+A2DWewXUOgsG+C4d

By+HjLaNPn1qYofU3Mk2m8Xm0StTI1LE2BTQ07J81QKFCV1+DAkYUhtCuUhtFsS2
8NAe4C3CiNezwA4jj5v3kkbpg+qM8dFN6c9cMxe7+5zmHu/UQogRj0gTxxMu
—–END RSA PRIVATE KEY—–

$ openssl x509 -inform der -text -noout -in /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServerCA.der
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
76:d8:9c:c5:dc:7e:79:b8:1b:25:40:bb:c6:48:8f:f3:cd:c5:d5:9b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, ST = France, O = Systerel, CN = S2OPC Demo Certificate Authority for Tests, emailAddress = s2opc-support@systerel.fr
Validity
Not Before: Apr 21 11:50:25 2021 GMT
Not After : Apr 21 11:50:25 2023 GMT
Subject: C = FR, ST = France, O = Systerel, CN = S2OPC Demo Certificate Authority for Tests, emailAddress = s2opc-support@systerel.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:ab:0b:57:cc:a8:72:2d:28:1f:f6:00:6c:ce:c3:
c0:47:64:fa:cb:8e:3f:76:f2:fa:d3:91:7c:73:f0:
95:1c:5c:47:18:03:e1:7a:e2:d4:34:80:31:b0:6c:

0e:e8:b9:c3:80:11:c2:0d:d3:ec:5f:8d:3c:90:fc:
bc:41:80:78:02:25:a0:b3:26:04:6b:e5:76:38:0d:
9a:da:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
91:39:06:DB:DB:23:47:96:3C:21:C5:CF:44:BC:52:E2:A8:A9:92:1B
X509v3 Authority Key Identifier:
keyid:91:39:06:DB:DB:23:47:96:3C:21:C5:CF:44:BC:52:E2:A8:A9:92:1B

X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
48:4e:a2:5a:f1:07:5b:a5:2b:7b:05:bc:a5:93:84:56:18:33:
93:94:7d:6d:bb:f4:05:c9:6a:5b:9f:a7:44:51:31:ce:bc:38:
3a:e8:f2:84:04:10:c4:b3:0c:bf:e9:92:ea:14:4a:52:5d:e6:
7f:46:0c:48:b0:2e:d7:12:dc:9a:82:26:9c:8f:0b:41:ed:fa:

61:69:0b:7f:77:7d:4d:ca:f0:ee:58:42:2b:85:cb:ee:74:62:
66:9b:c8:74:c6:be:df:86

April 30, 2021
13:53, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 877
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

Ah, sorry I was just misreading the configuration in the previous message.

Simulation Server stores the private key with a hard-coded password and you will have to use the same password, if you generate your own keys with it. Also the data in the certificate must match with the original, so that it will be valid.

These are the requirements: https://reference.opcfoundation.org/Core/docs/Part6/6.2.2/

April 30, 2021
14:47, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

Thanks for your reply.

Can I find that password somewhere in server config or you can share that password if it is fixed?

Yeah, I am checking the requirement. On first look, I seem to have followed these, but I’ll look more closely again.

Best,
Aman

April 30, 2021
17:03, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 877
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

It seems to be ‘privatepasswordopcua’

May 3, 2021
14:55, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

Hi,

I stopped trying to change server keys/certificates and just focus on client side if that can work. So I restored the “~/.prosysopc/prosys-opc-ua-simulation-server” folder, I deleted it and restarted server and it recreated default PKI files.

Then I created just the self signed CA & client side certificates and keys using using https://gitlab.com/systerel/S2OPC/-/blob/master/samples/ClientServer/data/cert/generate_certs.sh script using cassl.cnf and cli_req.cnf in same location https://gitlab.com/systerel/S2OPC/-/tree/master/samples/ClientServer/data/cert/.
This creates cacert.der, cakey.pem, cacrl.der, client_2k_cert.der & client_2k_key.der files.

In the client code, I set:

cfg_con.path_cert_auth = QUOTE(/home/nerd039/dev/S2OPC/samples/ClientServer/data/cert/aman3/cacert.der);
cfg_con.path_cert_srv = QUOTE(/home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/private/SimulationServer@nerd-vb_2048.der);
cfg_con.path_cert_cli = QUOTE(/home/nerd039/dev/S2OPC/samples/ClientServer/data/cert/aman3/client_2k_cert.der);
cfg_con.path_key_cli = QUOTE(/home/nerd039/dev/S2OPC/samples/ClientServer/data/cert/aman3/client_2k_key.der);
cfg_con.path_crl = QUOTE(/home/nerd039/dev/S2OPC/samples/ClientServer/data/cert/aman3/cacrl.der);

I start Prosys server and I get that client certificate is not trusted. I trust it and start the client again, then I get following logs from server indicating certificate chain is incomplete:

May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.221 WARN [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.transport.tcp.nio.g [] – Remote certificate not accepted: Bad_CertificateChainIncomplete (0x810D0000) “The certificate chain is incomplete.”
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.222 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.transport.tcp.nio.g [] – Error in handleChunk
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: com.prosysopc.ua.stack.c.h: Bad_SecurityChecksFailed (code=0x80130000, description=”An error occurred verifying security.”)

Do I need to do something special in server config so that it can recognize client’s self signed certificate? Do I have to copy self-signing CA files cacert.der & cakey.pem that I created above into server config somewhere?

Please guide.

Best,
Aman

May 3, 2021
18:35, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 877
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

If you use a CA signed certificate in the client, you will need to copy the CA certificate (caret.der) to the certs folder in the Simulation Server’s trust store. If you open the location of a certificate in the Certificates View, you should be taken to the store – just find the ‘certs’ folder in there. Or check the User Manual for the location.

You can also decide to use a self-signed certificate in the client (without any CA certificate). Then you can just trust the certificate in Simulation Server.

May 4, 2021
10:49, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

Hello Jouni,

Yes, I created self-signed certificate and trusted it in server’s certificate tab.

What does the error above indicate?

The warning “The certificate chain is incomplete.” is the reason or it is just a warning and ”An error occurred verifying security.” is the real error?

And why would I get “The certificate chain is incomplete.” if the certificate is self-signed?

I compared my client-side certificate with UaBrowser’s certificate. See the comparison here: https://ibb.co/v436Fhj. Left window is for UaBrowser’s certificate and right side is my self-signed certificate for client. Do you see any issues with my client side certificate?

Best,
Aman

More logs:
—————

May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.216 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – listAdd: cert=89F8DAE3C3D5EE59B36E53092D20F8FCB8E3B62E; dir=/home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.216 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – certificates.size()=2
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.216 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – Initialized cert from file: /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs/89F8DAE3C3D5EE59B36E53092D20F8FCB8E3B62E.der
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.216 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – listAdd: cert=4D4325BE0134048FEB2FA8EED036A2539923352F; dir=/home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.216 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – certificates.size()=2
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.216 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – Initialized cert from file: /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs/4D4325BE0134048FEB2FA8EED036A2539923352F.der
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.216 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.DefaultCertificateValidator [] – isRevoked=false
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – listAdd: cert=89F8DAE3C3D5EE59B36E53092D20F8FCB8E3B62E; dir=/home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – certificates.size()=2
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – Initialized cert from file: /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs/89F8DAE3C3D5EE59B36E53092D20F8FCB8E3B62E.der
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – listAdd: cert=4D4325BE0134048FEB2FA8EED036A2539923352F; dir=/home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – certificates.size()=2
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – Initialized cert from file: /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs/4D4325BE0134048FEB2FA8EED036A2539923352F.der
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.DefaultCertificateValidator [] – trusted=yes
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.DefaultCertificateValidator [] – trusted=true
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.DefaultCertificateValidator [] – valid=yes
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.217 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.DefaultCertificateValidator [] – valid=true
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.221 WARN [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.transport.tcp.nio.g [] – Remote certificate not accepted: Bad_CertificateChainIncomplete (0x810D0000) “The certificate chain is incomplete.”
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: 05/03/2021 16:58:54.222 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.transport.tcp.nio.g [] – Error in handleChunk
May 3 16:58:54 nerd-vb install4j_142h50w-UaSimulationServer.desktop[23061]: com.prosysopc.ua.stack.c.h: Bad_SecurityChecksFailed (code=0x80130000, description=”An error occurred verifying security.”)

May 4, 2021
20:10, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 877
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

Your cert is not self-signed. It is signed by your CA cert. And therefore you get the “certificate chain is incomplete” error until you copy the CA cert to the trusted keys (certs folder). You can see this if you compare the Issuer with Subject.

There is a mechanism in OPC UA to deliver the certificate chain between the applications at the handshake phase, but we don’t support that yet. So the only way to get the key to the server is to copy it manually.

We will also need to update the Simulation Server to keep the Issuer Certificates (=CA certs) separate from the Application Instance Certificates and it might happen with the next update. So beware of that when you update.

May 5, 2021
11:43, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

Hi Jouni,

Thanks for catching the fact that the generated client certificates were not self-signed.

I placed cacert.der and cacrl.der (renamed to cacrl.crl) in ~/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA and I was able to make some progress. I am not getting following logs when client connects to Prosys server:

“`
May 5 13:46:36 nerd-vb install4j_142h50w-UaSimulationServer.desktop[3741]: 05/05/2021 13:46:36.495 INFO [OPC-UA-Stack-Blocking-Work-Executor-11] com.prosysopc.ua.stack.cert.d [] – CRL initialized from /home/nerd039/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/crl/cacrl.crl: no revoked certificates
May 5 13:46:36 nerd-vb install4j_142h50w-UaSimulationServer.desktop[3741]: 05/05/2021 13:46:36.495 INFO [OPC-UA-Stack-Blocking-Work-Executor-11] com.prosysopc.ua.stack.cert.d [] – Certificate ‘4D4325BE0134048FEB2FA8EED036A2539923352F’ added to trusted certificates.
May 5 13:46:36 nerd-vb install4j_142h50w-UaSimulationServer.desktop[3741]: 05/05/2021 13:46:36.524 INFO [OPC-UA-Stack-Blocking-Work-Executor-11] com.prosysopc.ua.server.ab [] – Session created: ServerAssigned ns=1;g=9a363379-dd9b-4b4e-a470-6faf1af75267 (ID=ns=1;g=9a363379-dd9b-4b4e-a470-6faf1af75267 Token=b=vyaY6GnOc/0Irlvuyx5XuqC4fpZnL3Ro/ZZDt9gCtrg= Channel=(SecureChannelId=4 State=Open URL=opc.tcp://localhost:53530/OPCUA/SimulationServer SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic256 RemoteAddress=/127.0.0.1:46512))
May 5 13:46:36 nerd-vb Fledge s3[4377]: ERROR: Session activation failed with status code 0x80AF0000
May 5 13:46:36 nerd-vb Fledge s3[4377]: ERROR: Received unexpected message or event (1792) in state 2, switching to error state
May 5 13:46:36 nerd-vb install4j_142h50w-UaSimulationServer.desktop[3741]: 05/05/2021 13:46:36.582 INFO [OPC-UA-Stack-Async-Selector] com.prosysopc.ua.stack.utils.asyncsocket.e [] – AsyncSocketInputStream.close(): unexpected untriggered monitor
May 5 13:46:36 nerd-vb install4j_142h50w-UaSimulationServer.desktop[3741]: 05/05/2021 13:46:36.583 INFO [OPC-UA-Stack-Async-Selector] com.prosysopc.ua.stack.transport.tcp.nio.h [] – Secure Channel closed, token=SecurityToken(Id=1, secureChannelId=4, creationTime=05-May-2021, 1:46:36 PM, lifetime=3600000)
May 5 13:46:36 nerd-vb install4j_142h50w-UaSimulationServer.desktop[3741]: 05/05/2021 13:46:36.583 INFO [OPC-UA-Stack-Async-Selector] com.prosysopc.ua.stack.transport.a.a [] – Channel closed: Id=4
“`

Wireshark text logs are appended below. Also here is the pcapng file: https://easyupload.io/zv6twc

What seems to be the problem here?

Also please notie that second last message below is marked as “Malformed packet” by wireshark.

`266 3.654932193 127.0.0.1 127.0.0.1 OpcUa 16947 UA Secure Conversation Message[Malformed Packet]`

Thanks for all your help.

Best,
Aman

Wireshark logs:
—————

“`
252 3.516013341 127.0.0.1 127.0.0.1 OpcUa 148 Hello message
OpcUa Binary Protocol
Message Type: HEL
Chunk Type: F
Message Size: 80
Version: 0
ReceiveBufferSize: 65535
SendBufferSize: 65535
MaxMessageSize: 327675
MaxChunkCount: 5
EndPointUrl: opc.tcp://localhost:53530/OPCUA/SimulationServer
“`

“`
254 3.518495807 127.0.0.1 127.0.0.1 OpcUa 96 Acknowledge message
OpcUa Binary Protocol
Message Type: ACK
Chunk Type: F
Message Size: 28
Version: 0
ReceiveBufferSize: 8196
SendBufferSize: 8196
MaxMessageSize: 0
MaxChunkCount: 0
“`

“`
258 3.524093401 127.0.0.1 127.0.0.1 OpcUa 1966 OpenSecureChannel message: ServiceId 0
OpcUa Binary Protocol
Message Type: OPN
Chunk Type: F
Message Size: 1898
SecureChannelId: 0
SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256
SenderCertificate: 30820507308202efa003020102020100300d06092a864886…
ReceiverCertificateThumbprint: cc6f323c1d29778cde26df59fae0ae85feb5a823
SequenceNumber: 1080430510
RequestId: 3802155741
Message : Encodeable Object
TypeId : ExpandedNodeId
NodeId EncodingMask: Unknown (0xd3)
“`

“`
259 3.555275650 127.0.0.1 127.0.0.1 OpcUa 1660 OpenSecureChannel message: ServiceId 0
OpcUa Binary Protocol
Message Type: OPN
Chunk Type: F
Message Size: 1592
SecureChannelId: 4
SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256
SenderCertificate: 308203d5308202bda00302010202060179315dcd5c300d06…
ReceiverCertificateThumbprint: 4d4325be0134048feb2fa8eed036a2539923352f
SequenceNumber: 1126302010
RequestId: 3678338586
Message : Encodeable Object
TypeId : ExpandedNodeId
NodeId EncodingMask: Unknown (0x88)
“`

“`
262 3.562129619 127.0.0.1 127.0.0.1 OpcUa 1590 UA Secure Conversation Message (Message fragment 2)
OpcUa Binary Protocol
Message Type: MSG
Chunk Type: F
Message Size: 1522
SecureChannelId: 4
Security Token Id: 1
Security Sequence Number: 2
Security RequestId: 2
OpcUa Service : Encodeable Object
TypeId : ExpandedNodeId
NodeId EncodingMask: Four byte encoded Numeric (0x01)
NodeId Namespace Index: 0
NodeId Identifier Numeric: CreateSessionRequest (461)
CreateSessionRequest
RequestHeader: RequestHeader
AuthenticationToken: NodeId
…. 0000 = EncodingMask: Two byte encoded Numeric (0x0)
Identifier Numeric: 0
Timestamp: May 5, 2021 13:46:36.488325500 IST
RequestHandle: 1
Return Diagnostics: 0x00000000
…. …. …. …0 = ServiceLevel / SymbolicId: False
…. …. …. ..0. = ServiceLevel / LocalizedText: False
…. …. …. .0.. = ServiceLevel / AdditionalInfo: False
…. …. …. 0… = ServiceLevel / Inner StatusCode: False
…. …. …0 …. = ServiceLevel / Inner Diagnostics: False
…. …. ..0. …. = OperationLevel / SymbolicId: False
…. …. .0.. …. = OperationLevel / LocalizedText: False
…. …. 0… …. = OperationLevel / AdditionalInfo: False
…. …0 …. …. = OperationLevel / Inner StatusCode: False
…. ..0. …. …. = OperationLevel / Inner Diagnostics: False
AuditEntryId: [OpcUa Null String]
TimeoutHint: 5000
AdditionalHeader: ExtensionObject
TypeId: ExpandedNodeId
EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
…. 0000 = EncodingMask: Two byte encoded Numeric (0x0)
.0.. …. = has server index: False
0… …. = has namespace uri: False
Identifier Numeric: 0
EncodingMask: 0x00
…. …0 = has binary body: False
…. ..0. = has xml body: False
ClientDescription: ApplicationDescription
ApplicationUri: urn:S2OPC:nerd-vb
ProductUri: [OpcUa Null String]
ApplicationName: LocalizedText
EncodingMask: 0x00
…. …0 = has locale information: False
…. ..0. = has text: False
ApplicationType: Server (0x00000000)
GatewayServerUri: [OpcUa Null String]
DiscoveryProfileUri: [OpcUa Null String]
DiscoveryUrls: Array of String
ArraySize: 0
ServerUri: [OpcUa Null String]
EndpointUrl: opc.tcp://localhost:53530/OPCUA/SimulationServer
SessionName: [OpcUa Null String]
ClientNonce: 2672d6070dd3a2e85c640846f07a60e5b5d57873064ed63e…
ClientCertificate: 30820507308202efa003020102020100300d06092a864886…
RequestedSessionTimeout: 60000
MaxResponseMessageSize: 0
“`

“`
264 3.613156046 127.0.0.1 127.0.0.1 OpcUa 4208 UA Secure Conversation Message (Message fragment 620)
OpcUa Binary Protocol
Reassembled in: 266
Message Type: MSG
Chunk Type: C
Message Size: 4140
SecureChannelId: 4
Security Token Id: 1
Security Sequence Number: 620
Security RequestId: 2
“`

“`
266 3.654932193 127.0.0.1 127.0.0.1 OpcUa 16947 UA Secure Conversation Message[Malformed Packet]
OpcUa Binary Protocol
[6 Message fragments (20875 bytes): #264(4116), #266(4116), #266(4116), #266(4116), #266(4116), #266(295)]
[Frame: 264, payload: 0-4115 (4116 bytes)]
[Frame: 266, payload: 4116-8231 (4116 bytes)]
[Frame: 266, payload: 8232-12347 (4116 bytes)]
[Frame: 266, payload: 12348-16463 (4116 bytes)]
[Frame: 266, payload: 16464-20579 (4116 bytes)]
[Frame: 266, payload: 20580-20874 (295 bytes)]
[Message fragment count: 6]
[Reassembled length: 20875]
Message Type: MSG
Chunk Type: C
Message Size: 4140
SecureChannelId: 4
Security Token Id: 1
Security Sequence Number: 621
Security RequestId: 2
OpcUa Service : Encodeable Object
TypeId : ExpandedNodeId
NodeId EncodingMask: Four byte encoded Numeric (0x01)
NodeId Namespace Index: 0
NodeId Identifier Numeric: CreateSessionResponse (464)
CreateSessionResponse
ResponseHeader: ResponseHeader
Timestamp: May 5, 2021 13:46:36.538000000 IST
RequestHandle: 1
ServiceResult: 0x00000000 [Good]
ServiceDiagnostics: DiagnosticInfo
EncodingMask: 0x00
…. …0 = has symbolic id: False
…. ..0. = has namespace: False
…. .0.. = has localizedtext: False
…. 0… = has locale: False
…0 …. = has additional info: False
..0. …. = has inner statuscode: False
.0.. …. = has inner diagnostic info: False
StringTable: Array of String
ArraySize: -1
AdditionalHeader: ExtensionObject
TypeId: ExpandedNodeId
EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
…. 0000 = EncodingMask: Two byte encoded Numeric (0x0)
.0.. …. = has server index: False
0… …. = has namespace uri: False
Identifier Numeric: 0
EncodingMask: 0x00
…. …0 = has binary body: False
…. ..0. = has xml body: False
SessionId: NodeId
…. 0100 = EncodingMask: GUID (0x4)
Namespace Index: 1
Identifier Guid: 7933369a-9bdd-4e4b-a470-6faf1af75267
AuthenticationToken: NodeId
…. 0101 = EncodingMask: Opaque (0x5)
Namespace Index: 0
Identifier ByteString: bf2698e869ce73fd08ae5beecb1e57baa0b87e96672f7468…
RevisedSessionTimeout: 60000
ServerNonce: 5fad800db7bbae7822abee4ae7aee9317950dfe51043cd56…
ServerCertificate: 308203d5308202bda00302010202060179315dcd5c300d06…
ServerEndpoints: Array of EndpointDescription
ArraySize: 11
[0]: EndpointDescription
EndpointUrl: opc.tcp://nerd-vb:53530/OPCUA/SimulationServer
Server: ApplicationDescription
ApplicationUri: urn:nerd-vb:OPCUA:SimulationServer
ProductUri: urn:prosysopc.com:OPCUA:SimulationServer
ApplicationName: LocalizedText
EncodingMask: 0x03, has locale information, has text
…. …1 = has locale information: True
…. ..1. = has text: True
Locale: [OpcUa Empty String]
Text: SimulationServer@nerd-vb
ApplicationType: Server (0x00000000)
GatewayServerUri: [OpcUa Null String]
DiscoveryProfileUri: [OpcUa Null String]
DiscoveryUrls: Array of String
ArraySize: 1
[0]: DiscoveryUrls: opc.tcp://nerd-vb:53530/OPCUA/SimulationServer
ServerCertificate: 308203d5308202bda00302010202060179315dcd5c300d06…
MessageSecurityMode: SignAndEncrypt (0x00000003)
SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
UserIdentityTokens: Array of UserTokenPolicy
ArraySize: 5
[0]: UserTokenPolicy
PolicyId: certificate_basic256
UserTokenType: Certificate (0x00000002)
IssuedTokenType: [OpcUa Null String]
IssuerEndpointUrl: [OpcUa Null String]
SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256
[1]: UserTokenPolicy
PolicyId: username_basic256
UserTokenType: UserName (0x00000001)
IssuedTokenType: [OpcUa Null String]
IssuerEndpointUrl: [OpcUa Null String]
SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256
[2]: UserTokenPolicy
PolicyId: username_basic128
UserTokenType: UserName (0x00000001)
IssuedTokenType: [OpcUa Null String]
IssuerEndpointUrl: [OpcUa Null String]
SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
[3]: UserTokenPolicy
PolicyId: certificate_basic128
UserTokenType: Certificate (0x00000002)
IssuedTokenType: [OpcUa Null String]
IssuerEndpointUrl: [OpcUa Null String]
SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
[4]: UserTokenPolicy
PolicyId: anonymous
UserTokenType: Anonymous (0x00000000)
IssuedTokenType: [OpcUa Null String]
IssuerEndpointUrl: [OpcUa Null String]
SecurityPolicyUri: [OpcUa Null String]
TransportProfileUri: http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary
SecurityLevel: 2
[1]: EndpointDescription
EndpointUrl: opc.tcp://nerd-vb:53530/OPCUA/SimulationServer
Server: ApplicationDescription
ApplicationUri: urn:nerd-vb:OPCUA:SimulationServer
ProductUri: urn:prosysopc.com:OPCUA:SimulationServer
ApplicationName: LocalizedText
EncodingMask: 0x03, has locale information, has text
…. …1 = has locale information: True
…. ..1. = has text: True
Locale: [OpcUa Empty String]
Text: SimulationServer@nerd-vb
ApplicationType: Server (0x00000000)
GatewayServerUri: [OpcUa Null String]
DiscoveryProfileUri: [OpcUa Null String]
DiscoveryUrls: Array of String
ArraySize: 1
[0]: DiscoveryUrls: opc.tcp://nerd-vb:53530/OPCUA/SimulationServer
ServerCertificate: 308203d5308202bda00302010202060179315dcd5c300d06…
MessageSecurityMode: Unknown (0x0a6d30ab)
SecurityPolicyUri: [Invalid String] Invalid length: -830187183
UserIdentityTokens: Array of UserTokenPolicy
ArraySize: -327456589
“`

“`
271 3.655561293 127.0.0.1 127.0.0.1 OpcUa 145 CloseSecureChannel message: CloseSecureChannelRequest
OpcUa Binary Protocol
Message Type: CLO
Chunk Type: F
Message Size: 77
SecureChannelId: 4
Security Token Id: 1
Security Sequence Number: 3
Security RequestId: 3
Message : Encodeable Object
TypeId : ExpandedNodeId
NodeId EncodingMask: Four byte encoded Numeric (0x01)
NodeId Namespace Index: 0
NodeId Identifier Numeric: CloseSecureChannelRequest (452)
CloseSecureChannelRequest
RequestHeader: RequestHeader
AuthenticationToken: NodeId
…. 0000 = EncodingMask: Two byte encoded Numeric (0x0)
Identifier Numeric: 0
Timestamp: May 5, 2021 13:46:36.582144500 IST
RequestHandle: 1
Return Diagnostics: 0x00000000
…. …. …. …0 = ServiceLevel / SymbolicId: False
…. …. …. ..0. = ServiceLevel / LocalizedText: False
…. …. …. .0.. = ServiceLevel / AdditionalInfo: False
…. …. …. 0… = ServiceLevel / Inner StatusCode: False
…. …. …0 …. = ServiceLevel / Inner Diagnostics: False
…. …. ..0. …. = OperationLevel / SymbolicId: False
…. …. .0.. …. = OperationLevel / LocalizedText: False
…. …. 0… …. = OperationLevel / AdditionalInfo: False
…. …0 …. …. = OperationLevel / Inner StatusCode: False
…. ..0. …. …. = OperationLevel / Inner Diagnostics: False
AuditEntryId: [OpcUa Null String]
TimeoutHint: 0
AdditionalHeader: ExtensionObject
TypeId: ExpandedNodeId
EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
…. 0000 = EncodingMask: Two byte encoded Numeric (0x0)
.0.. …. = has server index: False
0… …. = has namespace uri: False
Identifier Numeric: 0
EncodingMask: 0x00
…. …0 = has binary body: False
…. ..0. = has xml body: False

“`

May 5, 2021
14:39, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

Hello Jouni,

Some changes were required in S2OPC library configuration and after that I am able to proceed further.

Current status:

1. When I use Basic256 security policy and “anonymous” policy ID, the communication is working between server and client. I see periodic PublishRequest and PublishResponse and node value updates.

2. When I use Basic256Sha256 security policy, “SignAndEncrypt” security mode and “anonymous” policy ID, the communication is working between server and client. I see periodic “UA Secure Conversation Message” and node value updates. The data is encrypted.

3. When I use Basic256 security policy, “Sign” security mode and “username” policy ID, I get an error in ActivateSessionResponse message with “ServiceResult: 0x80200000 [BadIdentityTokenInvalid]”.

Logs and more details are attached here:
https://gitlab.com/systerel/S2OPC/-/issues/854#note_567828868

Thanks,
Aman

May 5, 2021
15:43, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 877
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

Great!

There are several things that can go wrong with the user name password verification that result into this error and I am afraid we don’t have the option to debug this so much without a commercial project. I don’t have good ideas either how to simply check it out, but you can try to enable DEBUG or TRACE level logging for Simulation Server in the log4j settings file, to see if it reveals more details where the token is rejected.

May 5, 2021
17:59, EEST
Avatar
aman79
Member
Members
Forum Posts: 10
Member Since:
April 29, 2021
sp_UserOfflineSmall Offline

Hi,

S2OPC library uses the policyID string “username” when trying to indicate username/password based authentication to Prosys server, which is rejected by the server. Can you please mention which string should be used instead?

In logs, I see:

05/05/2021 18:38:39.211 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-4] com.prosysopc.ua.server.af [] – handleServiceResultException:
com.prosysopc.ua.M: UserTokenPolicy unknown: username

And from wireshark logs, ActivateSessionRequest has:
UserNameIdentityToken: UserNameIdentityToken
PolicyId: username
UserName: username
Password: 70617373776f7264
EncryptionAlgorithm: [OpcUa Null String]

Best,
Aman

May 6, 2021
12:18, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 877
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

As you can see from the endpoint information, Simulation Server expects ‘username_basic128’ or ‘username_basic256’

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 267

Currently Online:
8 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 109

pramanj: 86

ibrahim: 71

kapsl: 57

gjevremovic: 49

TimK: 41

fred: 41

Fransua33: 39

Xavier: 34

rocket science: 33

Member Stats:

Guest Posters: 0

Members: 1302

Moderators: 15

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1106

Posts: 4680

Newest Members:

keremcoban, hypnos97, ekosunen40, janellbusby73, huey6201719746, hildanott654389, laurenemay, aman79, dawnpreciado138, daltondoughty96

Moderators: Jouni Aro: 877, Otso Palonen: 32, Tuomas Hiltunen: 5, janimakela: 0, Pyry: 1, Terho: 0, Petri: 0, Bjarne Boström: 642, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Teppo Uimonen: 21, Markus Johansson: 30, Matti Siponen: 100, Lusetti: 0

Administrators: admin: 1