OPC UA Server, how to add certificates and Encryption | OPC UA Implementation: Stacks, Tools, and Samples | Forum | OPC Foundation

OPC UA Server, how to add certificates and Encryption
Thanushka Gunaseakara (Member, Forum Posts: 3, Member Since: 06/06/2022)
Post #1, 06/06/2022 - 02:59

I'm new to the OPC UA Server and the OPC standards. I've gone through the OPC standards and downloaded the OPC UA Server sample application and executed it. I wanted to add a security certificate and encryption to the OPC UA Server. I can see that the

application.CheckApplicationInstanceCertificate method is called and the

config.CertificateValidator.CertificateValidation += CertificateValidator_CertificateValidation event is set. But still my client can connect to the OPC UA Server without any certificates.

How can I enforce that the server only accepts a connection when a valid certificate is available, and is there a possibility to encrypt the messages using the certificate?

Help and guidance on the above is highly appreciated. Thanks

Randy Armstrong (Admin, Forum Posts: 1451, Member Since: 05/30/2017)
Post #2, 06/06/2022 - 08:22

1) The GetEndpoints and FindServers calls always allow no-security. You need to explain what you mean by "connect".

2) You need to select the right EndpointDescription returned from GetEndpoints. If you select the No-Security Endpoint you will connect without security.

Thanushka Gunaseakara (Member, Forum Posts: 3, Member Since: 06/06/2022)
Post #3, 06/06/2022 - 22:24

Randy Armstrong said
1) The GetEndpoints and FindServers calls always allow no-security. You need to explain what you mean by "connect".

2) You need to select the right EndpointDescription returned from GetEndpoints. If you select the No-Security Endpoint you will connect without security.


01) Connect means the connection between the OPC UA Server and the client.

02) I'll check the mentioned methods.

Thanks, Randy Armstrong. I'll check and get back.

Thanushka Gunaseakara (Member, Forum Posts: 3, Member Since: 06/06/2022)
Post #4, 06/07/2022 - 03:12

Hi Randy Armstrong,

Thanks for the information provided. It is really helpful.

I got a list of endpoints with the same URL but different SecurityModes. Is there a way to remove the nodes with SecurityMode = None and keep only the nodes with SecurityMode = SignAndEncrypt?

I tried the code segment below, but I'm not sure it is the correct way of doing it.

    var endpoints = Mserver.GetEndpoints();

    if (endpoints.Any())
    {
        // Sets SecurityMode on every returned EndpointDescription (the local copies);
        // it does not remove the None entries from the list.
        endpoints.ForEach(c => c.SecurityMode = MessageSecurityMode.SignAndEncrypt);
    }

Basically, I wanted to allow the UA Server to communicate or connect only with approved clients that have a valid certificate, with encryption.

I'm using the UA Expert client browser and I have set the security policy = Aes256Sha256RsaPss; message security mode = sign & encrypt.

And getting an error saying "Could not connect to server: BadTcpInternalError"

Randy Armstrong (Admin, Forum Posts: 1451, Member Since: 05/30/2017)
Post #5, 06/08/2022 - 18:32

Clients are expected to loop through the endpoints and pick the one that they want.

If you have no other criteria pick the one with the highest SecurityLevel.

If your Client does not support some SecurityPolicies, you need to pick the highest SecurityLevel with a SecurityPolicyUri that the Client supports.
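A client-side version of the selection Randy describes, which is also the filtering the code in post #4 was reaching for: drop the None endpoints instead of rewriting their SecurityMode, keep only policies the client can actually negotiate, and take the highest SecurityLevel that is left. This is an added Python example, not code from the thread or from the OPC UA .NET stack; the EndpointDescription class is a hypothetical stand-in carrying only the fields the choice depends on, the endpoint list is constructed sample data, and the policy URIs are the standard OPC UA ones.

```python
from dataclasses import dataclass
from enum import IntEnum


class MessageSecurityMode(IntEnum):
    """Numeric values follow the OPC UA MessageSecurityMode enumeration."""
    INVALID = 0
    NONE = 1
    SIGN = 2
    SIGN_AND_ENCRYPT = 3


@dataclass(frozen=True)
class EndpointDescription:
    """Hypothetical stand-in for the EndpointDescription fields used when choosing an endpoint."""
    endpoint_url: str
    security_mode: MessageSecurityMode
    security_policy_uri: str
    security_level: int  # server-assigned ranking; higher means more secure


# Standard OPC UA security policy URIs.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
POLICY_AES256_SHA256_RSAPSS = "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss"

# Constructed sample of what GetEndpoints returns for a server that still offers a
# None endpoint next to secured ones: same URL, different SecurityMode/policy.
SAMPLE_URL = "opc.tcp://example-host:4840/UA/Sample"
SAMPLE_ENDPOINTS = [
    EndpointDescription(SAMPLE_URL, MessageSecurityMode.NONE, POLICY_NONE, 0),
    EndpointDescription(SAMPLE_URL, MessageSecurityMode.SIGN, POLICY_BASIC256SHA256, 2),
    EndpointDescription(SAMPLE_URL, MessageSecurityMode.SIGN_AND_ENCRYPT, POLICY_BASIC256SHA256, 3),
    EndpointDescription(SAMPLE_URL, MessageSecurityMode.SIGN_AND_ENCRYPT, POLICY_AES256_SHA256_RSAPSS, 4),
]


def secured_endpoints(endpoints, supported_policies):
    """Filter the list (do not rewrite it): drop SecurityMode None and unsupported policies."""
    return [
        ep for ep in endpoints
        if ep.security_mode in (MessageSecurityMode.SIGN, MessageSecurityMode.SIGN_AND_ENCRYPT)
        and ep.security_policy_uri in supported_policies
    ]


def select_endpoint(endpoints, supported_policies, require_encryption=True):
    """Pick the highest SecurityLevel among usable endpoints; fail closed when none qualifies."""
    candidates = secured_endpoints(endpoints, supported_policies)
    if require_encryption:
        candidates = [ep for ep in candidates
                      if ep.security_mode == MessageSecurityMode.SIGN_AND_ENCRYPT]
    if not candidates:
        # Raising here is deliberate: silently taking the None endpoint would be a downgrade.
        raise ValueError("no acceptable secured endpoint; refusing to fall back to SecurityMode None")
    return max(candidates, key=lambda ep: ep.security_level)


if __name__ == "__main__":
    chosen = select_endpoint(SAMPLE_ENDPOINTS, {POLICY_BASIC256SHA256, POLICY_AES256_SHA256_RSAPSS})
    print(chosen.security_policy_uri, chosen.security_mode.name, chosen.security_level)
```

If the client only implements Basic256Sha256, the same call with that single policy in the supported set returns the SignAndEncrypt/Basic256Sha256 endpoint (level 3) rather than the higher-ranked RsaPss one, which is the rule in Randy's last sentence; and a client that can only do None gets an exception instead of an unsecured session.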
