Support for X509IdentityToken in discovery services|OPC Certification and Interoperability Testing|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Support for X509IdentityToken in discovery services
Avatar
Dipika Khera
Member
Members
Forum Posts: 52
Member Since:
11/15/2019
sp_UserOfflineSmall Offline
1
03/03/2020 - 22:59
sp_Permalink sp_Print sp_EditHistory

Hi Team,

 

I am trying to test OPC client for Discovery services. Where there is one test case which says –

TestCase: GetEndpoints: Response includes at least one endpoint where userIdentityTokens.tokenType is ISSUEDTOKEN_3 but userIdentityTokens.issuedtokenType is empty.

Expected: Client logs and/or displays an error to the end-user about misbehaving server and does not use the endpoint for a connection. The endpoint is not displayed or is displayed while being identified in error state.

Since we haven’t added support for IssuedIdentityToken, the above mentioned test case is not applicable for certification.

 

But, after reading the above test case, there is a question in my mind, since we have added support for securing our client by Certificates,

1. Is it necessary to implement X509IdentityToken feature ?

2. Will not implementing this feature impact security of an OPC client ?

3. Is it necessary to have support for all 4 types of UserIdentityTokens ?

 

FYI: We are using opc-stack-1.4.1.jar & simulation servers for testing our client.

Avatar
Randy Armstrong
Admin
Forum Posts: 1580
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
03/04/2020 - 11:03
sp_Permalink sp_Print

If the profile you are testing with requires it then it is mandatory.

Not implementing it would mean your client could not be used in some systems where they use certificates and smart cards for authentication instead of relying on user names and password.

Avatar
Dipika Khera
Member
Members
Forum Posts: 52
Member Since:
11/15/2019
sp_UserOfflineSmall Offline
3
03/16/2020 - 00:02
sp_Permalink sp_Print sp_EditHistory

Sorry for delayed reply & Thank you for quick response.

Can we say that X509IdentityToken is used for certificate & IssuedIdentityToken is for Smart Card authentication ? And since, we’re supporting certificate authentication, we must implement X509IdentityToken ?

Avatar
Randy Armstrong
Admin
Forum Posts: 1580
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
03/16/2020 - 00:54
sp_Permalink sp_Print sp_EditHistory

X509IdentityToken is for smart cards.

IssuedIdentityTokens are for JSON Web Tokens.

Avatar
Dipika Khera
Member
Members
Forum Posts: 52
Member Since:
11/15/2019
sp_UserOfflineSmall Offline
5
03/16/2020 - 13:30
sp_Permalink sp_Print sp_EditHistory

Thank you Randy. 

I understood about IssuedIdentityTokens. But, still didn’t understand about X509IdentityToken ? Isn’t this X509 in X509IdentityToken is related to X.509 Certificate

Currently, there is no way in our client to connect Smart Cards. Could you please elaborate this in more details ?

Avatar
Randy Armstrong
Admin
Forum Posts: 1580
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
6
03/17/2020 - 21:00
sp_Permalink sp_Print sp_EditHistory

Many organizations issue X509 certificates to their users. In some cases, the private key for the X509 is stored on a smart card but it is not a requirement. As a server developer you may not be in control how the factory owner manages user credentials. For that reason, supporting X509 user identity tokens are a good idea.

Avatar
Dipika Khera
Member
Members
Forum Posts: 52
Member Since:
11/15/2019
sp_UserOfflineSmall Offline
7
03/17/2020 - 22:40
sp_Permalink sp_Print

Got it. Thank you so much Randy for giving your time in explaining the things to me. 🙂

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 36
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1446
Posts: 4891