using a self-signed to authenticate
June 13, 2023, 16:31 EEST
Lacroix (New Member, Members; Forum Posts: 2; Member Since: May 31, 2023)

Hi,

I’m trying to use a self-signed certificate to authenticate towards the Simulation Server, but can’t get it to work. When using anonymous authentication it is working.

The steps I’ve used to create the self-signed certificate:

set OPENSSL_CONF=openssl.cfg
openssl req -x509 -newkey rsa:4096 -keyout "test10.key.pem" -outform der -out "test10.crt.der" -days 3650 -extensions v3_req

This gives me a .der file which I use as the 'certificate' and a .pem file which I use as the private key file.

Where the contents of openssl.cfg look like this:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth

Full config:
https://pastebin.com/WEqfBmtc

My simulation server (version 5.4.6) has security mode ‘sign & encrypt’ enabled and security policy ‘basic256Sha256’.
I’ve tried connecting in two ways: a UaExpert OPC UA client and a custom .NET client written using https://github.com/convertersystems/opc-ua-client
Both methods fail, and result in the same error in the simulationserver.log

First time connecting, I get this:

06/13/2023 15:26:55.344 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-2] com.prosysopc.ua.stack.transport.tcp.nio.f [] – OpcTcpServer(opc.tcp(/[0:0:0:0:0:0:0:0]:53530, (opc.tcp://:53530/OPCUA/SimulationServer [[http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#None,None], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign]])(opc.tcp://:53530 [[http://opcfoundation.org/UA/SecurityPolicy#None,None]]))): /[fe80:0:0:0:e6f0:b03c:7456:86e5%10]:64428 connected
06/13/2023 15:26:55.543 INFO [OPC-UA-Stack-Blocking-Work-Executor-1] com.prosysopc.ua.stack.transport.tcp.nio.h [] – SecureChannel opened; SecurityToken(Id=1, secureChannelId=1, creationTime=13 Jun 2023, 15:26:55, lifetime=3600000)
06/13/2023 15:26:55.584 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-12] com.prosysopc.ua.stack.transport.tcp.nio.h [] – Secure Channel closed, token=SecurityToken(Id=1, secureChannelId=1, creationTime=13 Jun 2023, 15:26:55, lifetime=3600000)
06/13/2023 15:26:55.585 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-12] com.prosysopc.ua.stack.transport.a.a [] – Channel closed: Id=1
06/13/2023 15:26:55.609 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.transport.tcp.nio.f [] – OpcTcpServer(opc.tcp(/[0:0:0:0:0:0:0:0]:53530, (opc.tcp://:53530/OPCUA/SimulationServer [[http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#None,None], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign]])(opc.tcp://:53530 [[http://opcfoundation.org/UA/SecurityPolicy#None,None]]))): /[fe80:0:0:0:e6f0:b03c:7456:86e5%10]:64430 connected
06/13/2023 15:26:55.793 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.cert.d [] – Certificate ‘B34D113DA73B9CD1CD9773E5CAB7AC1FD48F4C7F’ added to rejected certificates.
06/13/2023 15:26:55.796 WARN [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.transport.tcp.nio.g [] – Remote certificate not accepted: Bad_SecurityChecksFailed (0x80130000) “An error occurred verifying security.”
06/13/2023 15:26:55.796 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.transport.tcp.nio.g [] – Error in handleChunk
com.prosysopc.ua.stack.b.h: Bad_SecurityChecksFailed (code=0x80130000, description=”An error occurred verifying security.”)
at com.prosysopc.ua.stack.transport.tcp.nio.g.p(SourceFile:600) ~[app-5.4.6-148.jar:5.4.6-148]
at com.prosysopc.ua.stack.transport.tcp.nio.g.q(SourceFile:642) ~[app-5.4.6-148.jar:5.4.6-148]
at com.prosysopc.ua.stack.transport.tcp.nio.g$2.a(SourceFile:224) [app-5.4.6-148.jar:5.4.6-148]
at com.prosysopc.ua.stack.transport.tcp.nio.g$2.a(SourceFile:174) [app-5.4.6-148.jar:5.4.6-148]
at com.prosysopc.ua.stack.utils.a$1.run(SourceFile:345) [app-5.4.6-148.jar:5.4.6-148]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
at java.lang.Thread.run(Thread.java:833) [?:?]

Makes sense it doesn’t work, my certificate is not trusted yet.
By trying to authenticate with it, it is added in the ‘Certificates’ tab in the Simulation Server where I click ‘Trust’.
A new attempt has a different result then, but still doesn’t work:

Error:
Bad_IdentityTokenRejected (0x80210000) “The user identity token is valid but the server has rejected it.” StatusCode=Bad_IdentityTokenRejected (0x80210000) “The user identity token is valid but the server has rejected it.”

Full log:
06/13/2023 15:27:20.157 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-10] com.prosysopc.ua.stack.transport.tcp.nio.f [] – OpcTcpServer(opc.tcp(/[0:0:0:0:0:0:0:0]:53530, (opc.tcp://:53530/OPCUA/SimulationServer [[http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#None,None], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign]])(opc.tcp://:53530 [[http://opcfoundation.org/UA/SecurityPolicy#None,None]]))): /[fe80:0:0:0:e6f0:b03c:7456:86e5%10]:64443 connected
06/13/2023 15:27:20.305 INFO [OPC-UA-Stack-Blocking-Work-Executor-4] com.prosysopc.ua.stack.transport.tcp.nio.h [] – SecureChannel opened; SecurityToken(Id=1, secureChannelId=2, creationTime=13 Jun 2023, 15:27:20, lifetime=3600000)
06/13/2023 15:27:20.354 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.transport.tcp.nio.h [] – Secure Channel closed, token=SecurityToken(Id=1, secureChannelId=2, creationTime=13 Jun 2023, 15:27:20, lifetime=3600000)
06/13/2023 15:27:20.354 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-6] com.prosysopc.ua.stack.transport.a.a [] – Channel closed: Id=2
06/13/2023 15:27:20.388 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-1] com.prosysopc.ua.stack.transport.tcp.nio.f [] – OpcTcpServer(opc.tcp(/[0:0:0:0:0:0:0:0]:53530, (opc.tcp://:53530/OPCUA/SimulationServer [[http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt], [http://opcfoundation.org/UA/SecurityPolicy#None,None], [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,Sign]])(opc.tcp://:53530 [[http://opcfoundation.org/UA/SecurityPolicy#None,None]]))): /[fe80:0:0:0:e6f0:b03c:7456:86e5%10]:64444 connected
06/13/2023 15:27:20.479 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-12] com.prosysopc.ua.stack.cert.d [] – Certificate ‘B34D113DA73B9CD1CD9773E5CAB7AC1FD48F4C7F’ added to trusted certificates.
06/13/2023 15:27:20.495 INFO [OPC-UA-Stack-Blocking-Work-Executor-7] com.prosysopc.ua.stack.transport.tcp.nio.h [] – SecureChannel opened; SecurityToken(Id=1, secureChannelId=3, creationTime=13 Jun 2023, 15:27:20, lifetime=3600000)
06/13/2023 15:27:20.543 INFO [OPC-UA-Stack-Blocking-Work-Executor-8] com.prosysopc.ua.stack.cert.d [] – Certificate ‘B34D113DA73B9CD1CD9773E5CAB7AC1FD48F4C7F’ added to trusted certificates.
06/13/2023 15:27:20.581 INFO [OPC-UA-Stack-Blocking-Work-Executor-8] com.prosysopc.ua.server.ab [] – Session created: Workstation.UaClient.FeatureTests (ID=ns=1;g=065e9171-d85a-4442-9957-bfd0991b1bec Token=b=2sO5YXs86tjqwt8EebuPW5qABv9hnPiqHOPqOakplKA= Channel=(SecureChannelId=3 State=Open URL=opc.tcp://:53530/OPCUA/SimulationServer SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 RemoteAddress=/[fe80:0:0:0:e6f0:b03c:7456:86e5%10]:64444))
06/13/2023 15:27:20.750 INFO [OPC-UA-Stack-Blocking-Work-Executor-10] com.prosysopc.ua.stack.cert.d [] – Certificate ‘F284879A81C9F33075C7A572C47690E575E6FC75’ added to rejected certificates.
06/13/2023 15:27:20.751 INFO [OPC-UA-Stack-Blocking-Work-Executor-10] com.prosysopc.ua.server.ab [] – Session NOT activated: Workstation.UaClient.FeatureTests – com.prosysopc.ua.Q: Bad_IdentityTokenRejected (0x80210000) “The user identity token is valid but the server has rejected it.” StatusCode=Bad_IdentityTokenRejected (0x80210000) “The user identity token is valid but the server has rejected it.”
06/13/2023 15:27:24.161 INFO [OPC-UA-Stack-Async-Selector] com.prosysopc.ua.stack.transport.tcp.nio.h [] – Secure Channel closed, token=SecurityToken(Id=1, secureChannelId=3, creationTime=13 Jun 2023, 15:27:20, lifetime=3600000)
06/13/2023 15:27:24.162 INFO [OPC-UA-Stack-Async-Selector] com.prosysopc.ua.stack.transport.a.a [] – Channel closed: Id=3
06/13/2023 15:27:30.737 INFO [SessionMonitor-pool-1-thread-1] com.prosysopc.ua.server.ab [] – Session closed: Workstation.UaClient.FeatureTests (ID=ns=1;g=065e9171-d85a-4442-9957-bfd0991b1bec Token=b=2sO5YXs86tjqwt8EebuPW5qABv9hnPiqHOPqOakplKA= Channel=(SecureChannelId=3 State=Closed URL=opc.tcp://:53530/OPCUA/SimulationServer SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 RemoteAddress=/[fe80:0:0:0:e6f0:b03c:7456:86e5%10]:64444))

Can anyone point me in the right direction here?
I’m not sure whether there’s an issue with how my certificate is made, or with how I’m including it in my client side authentication, or maybe how my simulation server is configured.

June 14, 2023, 8:52 EEST
Matti Siponen (Moderator, Members, Moderators; Forum Posts: 321; Member Since: February 11, 2020)

Hello,

It seems that you are attempting to use the self-signed certificate as the UserIdentityToken of a Session. At the moment, Simulation Server does not have a user interface for configuring User Certificates. The certificates in its Certificates tab are all Application Instance Certificates.

To trust the User Certificate, you must go to <user.home>\.prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA where <user.home> is the user home, e.g. C:\Users\<username> on Windows where <username> is your username, and put the certificate in the "certs" folder and make sure it is not in the "rejected" folder.

I was able to connect with UaExpert after configuring Simulation Server to trust the User Certificate so the certificate should be working.

June 14, 2023, 11:41 EEST
Lacroix (New Member, Members; Forum Posts: 2; Member Since: May 31, 2023)

Thanks for the quick reply and solution Matti.

It indeed works; I managed to connect using both UaExpert and the SDK after putting the cert in the USERS_PKI subfolder.
It only works, however, if I also approve the certificate in the Simulation Server UI itself, it seems, so both actions are required?

When are Application Instance Certificates used? I understand each time a new client connects to the server, the simulation server will automatically generate a certificate and reject it (to be manually trusted). But that doesn’t occur when connecting anonymously?

June 14, 2023, 12:03 EEST
Matti Siponen (Moderator, Members, Moderators; Forum Posts: 321; Member Since: February 11, 2020)

Hello,

Perhaps your Client application is using the same certificate as both the Application Instance Certificate and the User Certificate? That would explain why trusting the certificate in Simulation Server’s UI is required.

Application Instance Certificates are certificates that identify OPC UA applications, so they’re used by both Clients and Servers. The Client and the Server exchange their Application Instance Certificates when connecting with security, e.g. when Message Security Mode and Security Policy are not both None, or when a password is encrypted using the Client’s certificate. The Client and the Server must trust each other's Application Instance Certificates to be able to connect with security.

Simulation Server generates its Application Instance Certificate when it is started for the first time and that certificate will always be used to identify that installation of Simulation Server. The certificate is located in “user.home”\.prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA\private and it can be replaced with a custom certificate or simply deleted to force Simulation Server to generate a new Application Instance Certificate when it is started for the next time.

For more information on the use of Application Instance Certificates, see https://reference.opcfoundation.org/Core/Part4/v104/docs/6.1.4

User Certificates on the other hand are used in User Identity Tokens in ActivateSession Requests. For more information, see https://reference.opcfoundation.org/Core/Part4/v104/docs/6.1.5
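A small diagnostic for the two trust problems discussed in this thread, added here as an example; it is not part of the thread and not Prosys's or the OPC UA stack's own code. It computes the OPC UA certificate thumbprint (SHA-1 over the DER encoding, the 40-hex-character value the simulationserver.log lines above print) from either a PEM or a DER file, looks that thumbprint up in the "certs" (trusted) and "rejected" folders of a PKI directory laid out like the USERS_PKI\CA one named above, and checks whether the file used as the Application Instance Certificate and the file used as the User Certificate are in fact the same certificate, which is the situation suspected in the reply above. The PKI tree built by demo() is constructed in a temporary directory and its "certificates" are placeholder bytes rather than real X.509 data; the thumbprint only hashes file contents, so real .der or .pem files work the same way.

```python
"""OPC UA certificate trust diagnostics: thumbprint and PKI-folder lookup (added example)."""
import base64
import hashlib
import os
import re
import tempfile

# A PEM certificate is base64 DER between these markers; anything else is treated as raw DER.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either PEM or DER input."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def thumbprint(data: bytes) -> str:
    """OPC UA thumbprint: SHA-1 of the DER encoding, upper-case hex as the Prosys log prints it."""
    return hashlib.sha1(to_der(data)).hexdigest().upper()


def thumbprint_file(path: str) -> str:
    """Thumbprint of a certificate file (.der or .pem)."""
    with open(path, "rb") as f:
        return thumbprint(f.read())


def trust_status(pki_dir: str, tp: str) -> str:
    """Report 'trusted', 'rejected' or 'unknown' for a thumbprint under <pki_dir>/certs and /rejected."""
    for folder, status in (("certs", "trusted"), ("rejected", "rejected")):
        directory = os.path.join(pki_dir, folder)
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            if os.path.isfile(path) and thumbprint_file(path) == tp:
                return status
    return "unknown"


def same_certificate(app_cert: bytes, user_cert: bytes) -> bool:
    """True when the Application Instance and User certificate files carry the same certificate."""
    return thumbprint(app_cert) == thumbprint(user_cert)


def demo() -> dict:
    """Build a constructed USERS_PKI/CA tree in a temp directory and run every check against it."""
    # Constructed placeholder bytes standing in for DER certificates (not real X.509 data).
    user_der = b"CONSTRUCTED-NOT-A-REAL-CERT-user"
    app_der = b"CONSTRUCTED-NOT-A-REAL-CERT-app"
    user_pem = (b"-----BEGIN CERTIFICATE-----\n"
                + base64.encodebytes(user_der)
                + b"-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as root:
        users_pki = os.path.join(root, "USERS_PKI", "CA")
        os.makedirs(os.path.join(users_pki, "certs"))
        os.makedirs(os.path.join(users_pki, "rejected"))
        # The user certificate has been placed in certs/, the other one sits in rejected/.
        with open(os.path.join(users_pki, "certs", "user.der"), "wb") as f:
            f.write(user_der)
        with open(os.path.join(users_pki, "rejected", "app.der"), "wb") as f:
            f.write(app_der)
        return {
            "pem_equals_der": thumbprint(user_pem) == thumbprint(user_der),
            "user_status": trust_status(users_pki, thumbprint(user_der)),
            "app_status": trust_status(users_pki, thumbprint(app_der)),
            "other_status": trust_status(users_pki, thumbprint(b"CONSTRUCTED-third")),
            "same_cert": same_certificate(app_der, user_pem),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use it against a real installation, point trust_status() at the USERS_PKI\CA directory and pass thumbprint_file() of the .der you configured as the user identity; if same_certificate() on your application certificate and user certificate returns True, that matches the explanation above for why the certificate must also be trusted in the Certificates tab.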

Forum Timezone: Europe/Helsinki