Re: [milo-dev] Create java a opc client using milo with an OPC UA Server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [milo-dev] Create java a opc client using milo with an OPC UA Server with secure connection

From: Kevin Herron <kevinherron@xxxxxxxxx>
Date: Mon, 15 Jun 2020 07:16:33 -0700
Delivered-to: milo-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/milo-dev>
List-help: <mailto:milo-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/milo-dev>, <mailto:milo-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/milo-dev>, <mailto:milo-dev-request@eclipse.org?subject=unsubscribe>

Ok, I had accidentally imported the certificates to UaCPP server's keystore in ASCII encoding instead of DER encoded.

Now I'm getting much closer, the current error is:

14:14:26.841Z|4|2E04* [uastack] OpcUa_P_OpenSSL_CertificateStore_PopulateStore: Added certificate C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiuser\trusted\certs/kevin.der to store!

14:14:26.841Z|4|2E04* [uastack] OpcUa_P_OpenSSL_CertificateStore_PopulateStore: Added certificate C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiuser\issuers\certs/ca.der to store!

14:14:26.841Z|4|2E04* [uastack]

verify error:

num=24:invalid CA certificate

depth=0

/CN=Kevin Herron

So I just need to figure out what's wrong with the CA cert I generated.

On Mon, Jun 15, 2020 at 6:57 AM Kevin Herron <kevinherron@xxxxxxxxx> wrote:

There should not be any additional action needed on your end beyond configuring the X509IdentityProvider when building your OpcUaClientConfig.

When I try to reproduce this with the UaCPP Demo server with trace logging enabled I get some kind of problem with the certificates but I don't know exactly what it's complaining about.

I did notice there is a bug in the X509IdentityProvider when connecting *without* security but that doesn't apply to you (or this test I've set up).

13:54:18.469Z|4|28AC* ==> UaServer::ActivateSession [Request=1]
13:54:18.469Z|4|28AC* CALL OpcUa_Endpoint_GetMessageSecureChannelId
13:54:18.484Z|4|28AC* DONE OpcUa_Endpoint_GetMessageSecureChannelId [Result=0x0]
13:54:18.484Z|4|28AC* CALL OpcUa_Endpoint_GetMessageSecureChannelSecurityPolicy
13:54:18.484Z|4|28AC* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelBySecureChannelID: Searched SecureChannel 03B1FCF0 with id 1886548749 refs 3!
13:54:18.484Z|4|28AC* [uastack] OpcUa_SecureListener_ChannelManager_ReleaseChannel: Searched SecureChannel 03B1FCF0 with id 1886548749 refs 2!
13:54:18.484Z|4|28AC* DONE OpcUa_Endpoint_GetMessageSecureChannelSecurityPolicy [Result=0x0]
13:54:18.484Z|4|28AC* CALL OpcUa_CryptoProvider_Create
13:54:18.484Z|4|28AC* DONE OpcUa_CryptoProvider_Create [Result=0x0]
13:54:18.484Z|6|28AC* --> UaSession::startingServiceProcessing [ID=1885512568]
13:54:18.484Z|6|28AC* <-- UaSession::startingServiceProcessing - activeServiceCount = 1
13:54:18.484Z|6|28AC* ActivateSession passed X509IdentityToken
13:54:18.484Z|4|28AC* CALL OpcUa_CryptoProvider_Create for User
13:54:18.484Z|4|28AC* DONE OpcUa_CryptoProvider_Create for User [Result=0x0]
13:54:18.484Z|4|28AC* CALL cryptoProvider.GetPublicKeyFromCert
13:54:18.484Z|4|28AC* DONE cryptoProvider.GetPublicKeyFromCert [Result=0x0]
13:54:18.484Z|4|28AC* CALL cryptoProvider.GetPublicKeyFromCert
13:54:18.484Z|4|28AC* DONE cryptoProvider.GetPublicKeyFromCert [Result=0x0]
13:54:18.484Z|4|28AC* CALL cryptoProvider.AsymmetricVerify
13:54:18.484Z|4|28AC* DONE cryptoProvider.AsymmetricVerify [Result=0x0]
13:54:18.484Z|4|28AC* CALL cryptoProvider.GetPublicKeyFromCert
13:54:18.484Z|4|28AC* DONE cryptoProvider.GetPublicKeyFromCert [Result=0x0]
13:54:18.484Z|4|28AC* CALL cryptoProvider.GetPublicKeyFromCert
13:54:18.484Z|4|28AC* DONE cryptoProvider.GetPublicKeyFromCert [Result=0x0]
13:54:18.484Z|4|28AC* CALL cryptoProvider.AsymmetricVerify
13:54:18.484Z|4|28AC* DONE cryptoProvider.AsymmetricVerify [Result=0x0]
13:54:18.484Z|4|28AC* CALL cryptoProvider.GenerateKey
13:54:18.484Z|4|28AC* DONE cryptoProvider.GenerateKey [Result=0x0]
13:54:18.484Z|4|28AC* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelBySecureChannelID: Searched SecureChannel 03B1FCF0 with id 1886548749 refs 3!
13:54:18.484Z|4|28AC* [uastack] OpcUa_SecureListener_ChannelManager_ReleaseChannel: Searched SecureChannel 03B1FCF0 with id 1886548749 refs 2!
13:54:18.484Z|6|28AC* --> SessionManager::activateSession
13:54:18.484Z|6|28AC* --> UaSession::setSecureChannelMutex [ID=1885512568]
13:54:18.484Z|6|28AC* <-- UaSession::setSecureChannelMutex
13:54:18.484Z|7|28AC* Client information:
13:54:18.484Z|7|28AC* Client ApplicationUri = urn:eclipse:milo:examples:client
13:54:18.484Z|7|28AC* Session name = UaSession:eclipse milo opc-ua client:1592229258431
13:54:18.484Z|7|28AC* Network address = [::ffff:172.16.127.1]:62639
13:54:18.484Z|7|28AC* EndpointUrl = opc.tcp://DESKTOP-4KN5LL4:48010
13:54:18.484Z|7|28AC* SecurityPolicy = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
13:54:18.484Z|7|28AC* MessageSecurityMode = Sign
13:54:18.484Z|4|28AC* CALL ServerConfig::logonSessionUser
13:54:18.484Z|4|28AC* [uastack] OpcUa_P_OpenSSL_CertificateStore_PopulateStore: Could not add certificate C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiuser\issuers\certs/ca.der to store!
13:54:18.484Z|4|28AC* DONE ServerConfig::logonSessionUser [ret=0x80210000]
13:54:18.484Z|7|28AC* SessionManager::disconnectSessionFromSecureChannel - disconnected session 1885512568
13:54:18.484Z|6|28AC* <-- SessionManager::activateSession [ret=0x80210000]
13:54:18.484Z|3|28AC* Session/ActivateSession - SessionId: {a3a27ec5-f2a0-4c56-8e4d-681db67ab7e5}
13:54:18.484Z|3|28AC* Session/ActivateSession - ClientUserId:
13:54:18.484Z|3|28AC* Session/ActivateSession - UserTokenCertificate: Certificate Data: 308203253082020DA00302010202045EE77C1C300D06092A864886F70D01010B050030123110300E06035504030C0755736572204341301E170D3230303631353133343831325A170D3231303631353133343831325A30173115301306035504030C0C4B6576696E20486572726F6E30820122300D06092A864886F70D01010105000382010F003082010A0282010100E1D381FB2F28C17247081C4AEA7979DF0174798813A3FEF90851353274C652B8434652ADEA63D19ABADCD98E1F3FF8DA78AB532FC5134CCA58CF6C2BD68767821C0A3F0D6279C67E7CF051E9766716C27CCF225EC1B2D5ED71D881E6F50EF401D2A4B8159876337A820FFE8E7573C905513EF60A3C850A27C8C49FC4B372F0480EC8EC433FCD2FB90C12061D40F24364E3DE2E3513F6AC0B78E8AC08C8463C0F139BC1DE5844D8F5B80CEDA9F74F14FA7A0A518999738CF6952D3C3BF4D19DBDF0456BB0399BECBD4B812FE7A34F7CD78AA3ED0D0D240BC4CBD881337BC36378375E45FFEF675B24AC60CEBBF94718064306D96BE1F547B3E3B08D0B13A197350203010001A37E307C303D0603551D230436303480145BBCC422A09CBDAC8F5E5A8EFE7B92780544FE23A116A41430123110300E06035504030C075573657220434182045EE77B9D301D0603551D0E04160414E1E691218AFFCAB3EBDDAA2AB88076DCA46192B2300B0603551D0F0404030202FC300F0603551D25040830060604551D2500300D06092A864886F70D01010B0500038201010043B458B152697E2E7D9BEEB8A68963DCAD5061EDA84718B16CDC09AC67A515DA53265C75100A1CB13E1E2B098E49487120E0E4D322EDF20FDD221BB2B013033C530E6E6AA270DBC19062E17CBB3679A8A0426C9C563979CC72D74B835293F9047DA8FD47F45515E8F369FCD8DBC0ED1FD44A2219488C831CEAB741C4ED82D49B8E913131E5F02322CD293577869D8E10CD85C65E50BB421FF05170C4E1BEC59E353E92F3746AD0E0A1A1693D851BE0FB3AB3BFAD0D01AA31DF18B9B52930A603FDA8BEBAD330D58B1E036C9853A2EBC9F541D908E3281B82BC08E1F1B75A1EEBDA576F38B0CEBF22381D6A55204C22C25BF7EB1CCE91DE8BD1E47519AAA56FA5
13:54:18.484Z|6|28AC* --> UaSession::lockSendResponse [ID=1885512568]
13:54:18.484Z|6|28AC* <-- UaSession::lockSendResponse
13:54:18.484Z|6|28AC* --> UaSession::unlockSendResponse [ID=1885512568]
13:54:18.484Z|6|28AC* <-- UaSession::unlockSendResponse

On Sun, Jun 14, 2020 at 11:44 PM Javier Chamorro <javierchamorro666666@xxxxxxxxx> wrote:
I am trying to create a opc ua client with java using milo library. I need to connect with an OPC Server which uses http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 Security Policy in addition i need to authenticate the user with certificates.
I am having the following error in the client "The user identity token is valid but the server has rejected it" which corresponds with the opc ua error "UA_SCBADIDENTITYTOKENREJECTED 0x80210000". I can look for the server information and i have the following log information "Verification of UserTokenSignature failed".
I have investigate the topic and it seems that the UserTokenSignature has not been created properly, I think that it could be because of the nonce, but i am not sure, i have had a look to the wireshark information and in the startup of the communication the client does not include any nonce. In my tests using Ua Expert (which create the secure connection and authenticates the user) the first message from the client includes the nonce.
I do not know if it is necessary to configure any property in the client to include the nonce, i think that it should be included automatically.
Maybe the "Verification of UserTokenSignature failed" error is caused because of an error in the certificates, i do not know, but i have tested the connection with UA Expert and it works properly.
_______________________________________________
milo-dev mailing list
milo-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/milo-dev

Follow-Ups:
- Re: [milo-dev] Create java a opc client using milo with an OPC UA Server with secure connection
  - From: Kevin Herron

References:
- [milo-dev] Create java a opc client using milo with an OPC UA Server with secure connection
  - From: Javier Chamorro
- Re: [milo-dev] Create java a opc client using milo with an OPC UA Server with secure connection
  - From: Kevin Herron

Prev by Date: Re: [milo-dev] Create java a opc client using milo with an OPC UA Server with secure connection
Next by Date: Re: [milo-dev] Create java a opc client using milo with an OPC UA Server with secure connection
Previous by thread: Re: [milo-dev] Create java a opc client using milo with an OPC UA Server with secure connection
Next by thread: Re: [milo-dev] Create java a opc client using milo with an OPC UA Server with secure connection
Index(es):
- Date
- Thread

Breadcrumbs