UA Ansi C Server Professional
1.3.3.242
This lesson shows how to create an application instance certificate and how to sign and encrypt the server's communication with clients. The sources are based on Lesson 1: Setting up a Basic OPC UA Server Console Application and are extended with the necessary functionality.
To sign and/or encrypt a connection with a client, the server needs an X.509 application instance certificate and a PKI folder structure in which it looks up trusted certificates, certificate revocation lists (CRLs) and CA certificates.
In our example, the folders and certificates to use are set using defines:
Creating the application's certificate is handled in the function CreateCertificates, which uses helper functions from uaserver_p_filesystem.h and uaserver_p_pki.h. The first step is to check whether a certificate already exists or needs to be created. This is done by simply opening the file: if that succeeds, no new certificate is created. Note that this only tests for the file's presence; an expired certificate is not regenerated automatically, so delete the certificate and key files if you want the server to create a fresh pair.
If the file does not exist, we create the PKI folder structure given by the defines above.
After that, a key pair with a key length of 2048 bits is created, and the subject details and certificate info are filled with reasonable values. The validity period of the certificate is set to 5 years. Make sure the ApplicationUri written into the certificate is the same URI the server announces in its ApplicationDescription: OPC UA clients check that the URI in the certificate's subjectAltName matches it and may reject the certificate otherwise (BadCertificateUriInvalid).
With this information in the helper structs, we can create the self-signed certificate. The new certificate is stored as a file in DER format; the corresponding private key is stored in PEM format. The private key is what proves the server's identity, so keep that file readable only by the account the server runs under.
To make the SDK accept only secure connections, the endpoint configuration needs to be modified. This is done by retrieving the server's configuration structure with UaServer_GetConfiguration.
First, all preconfigured UserTokenPolicies are removed and a single anonymous UserTokenPolicy is created. With anonymous authentication, the trust decision on the client's application instance certificate is the only access control left on this endpoint, so be deliberate about which certificates you move into the trusted folder.
Next, all preconfigured security configurations of the endpoint are removed and replaced with a single configuration that requires signing and encryption and uses the SecurityPolicy Basic256. Note that Basic256 signs with SHA-1 and has been deprecated in newer versions of the OPC UA specification; where your clients support it, Basic256Sha256 or a newer policy is the better choice.
To test our configuration we simply try to connect to the server with a client.
Open UaExpert and click 'Add Server...'. In the new dialog double-click '< Double click to Add Server... >' and enter opc.tcp://localhost:4842 as URL.
Now you can expand the new entry and see that the server only offers the Basic256 security policy with signing and encryption. Select the Basic256 - Sign & Encrypt node and click 'OK'.
On connecting, UaExpert will show a dialog saying that the server's certificate is unknown and ask whether it should be accepted. Before trusting it permanently, verify that it really is the certificate the server just created, for example by comparing the SHA1 hash of the server's DER file with the certificate UaExpert presents; then set the dialog to accept it permanently and click 'OK'. The connection attempt will still fail with the status BadCertificateInvalid, as the server has not yet accepted the client's certificate.
To accept the client's certificate in the server, navigate to the folder defined by UASERVER_PKI_REJECTED. There you will find the client's certificate, with the certificate's SHA1 hash as its filename. Simply move it to the folder defined by UASERVER_PKI_CERTDIR, where all accepted certificates reside. Keep in mind that the server writes every unknown client's certificate into the rejected folder, and moving a file from there grants that client anonymous access to the endpoint, so compare the filename with the thumbprint the client's operator gives you before moving it. After moving it, you will be able to connect to the server successfully.
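The whole flow of this lesson, from creating the application instance certificate through trusting a client certificate that landed in the rejected folder, as an added, self-contained example that is not part of the original lesson or of the SDK. It uses Go's standard library instead of the SDK's uaserver_p_pki.h helpers so that it runs without the SDK; the folder names other than the trusted and rejected folders, the upper-case hex thumbprint with a .der suffix, the ApplicationUri urn:example:server, the host names and the subject fields are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// PKI is the folder layout the lesson's defines describe. Only the trusted folder (UASERVER_PKI_CERTDIR)
// and the rejected folder (UASERVER_PKI_REJECTED) are named on the page; the other names are assumptions.
type PKI struct{ Root string }

func (p PKI) Certs() string    { return filepath.Join(p.Root, "trusted", "certs") }
func (p PKI) Rejected() string { return filepath.Join(p.Root, "rejected") }

func (p PKI) Create() error {
	for _, d := range []string{p.Certs(), p.Rejected(), filepath.Join(p.Root, "trusted", "crl"),
		filepath.Join(p.Root, "issuers", "certs"), filepath.Join(p.Root, "issuers", "crl")} {
		if err := os.MkdirAll(d, 0o700); err != nil { return err }
	}
	return nil
}

// Thumbprint is the SHA-1 of the DER bytes, the file name the server gives a rejected
// certificate (upper-case hex and the ".der" suffix are assumptions).
func Thumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// CreateApplicationCertificate mirrors the lesson's CreateCertificates: reuse the certificate if
// the file opens, else make a 2048-bit RSA key and a self-signed certificate valid for 5 years,
// stored as DER (cert) and PEM (key). appURI becomes the URI subjectAltName that peers compare
// with the ApplicationUri; host and the subject fields are example values.
func CreateApplicationCertificate(certPath, keyPath, appURI, host string) ([]byte, error) {
	if der, err := os.ReadFile(certPath); err == nil { return der, nil }
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	uri, err := url.Parse(appURI)
	if err != nil { return nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host, Organization: []string{"Example Org"}},
		NotBefore:             time.Now().Add(-time.Hour), // small backdate tolerates clock skew
		NotAfter:              time.Now().AddDate(5, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		DNSNames:              []string{host},
		URIs:                  []*url.URL{uri},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	if err := os.WriteFile(certPath, der, 0o644); err != nil { return nil, err }
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return der, os.WriteFile(keyPath, keyPEM, 0o600) // key readable by the server account only
}

// TrustRejected is the lesson's final manual step, with the checks an operator should make
// first: the content must hash to the name it carries, and it must be a certificate whose
// self-signature verifies. Only then is the file moved into the trusted folder.
func (p PKI) TrustRejected(thumb string) error {
	src := filepath.Join(p.Rejected(), thumb+".der")
	der, err := os.ReadFile(src)
	if err != nil { return err }
	if got := Thumbprint(der); got != thumb {
		return fmt.Errorf("%s: content hashes to %s, refusing to trust it", src, got)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil { return err }
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return fmt.Errorf("%s: self-signature does not verify: %w", src, err)
	}
	return os.Rename(src, filepath.Join(p.Certs(), thumb+".der"))
}

// Demo runs the flow under root: own certificate, a simulated first contact from a client whose
// certificate the server drops into rejected/, then trusting it. Returns the client's thumbprint.
func Demo(root string) (string, error) {
	pki := PKI{Root: root}
	if err := pki.Create(); err != nil { return "", err }
	if _, err := CreateApplicationCertificate(filepath.Join(root, "server.der"), filepath.Join(root, "server.pem"), "urn:example:server", "localhost"); err != nil { return "", err }
	clientDER, err := CreateApplicationCertificate(filepath.Join(root, "client.der"), filepath.Join(root, "client.pem"), "urn:example:client", "client-host")
	if err != nil { return "", err }
	thumb := Thumbprint(clientDER)
	if err := os.WriteFile(filepath.Join(pki.Rejected(), thumb+".der"), clientDER, 0o644); err != nil { return "", err }
	return thumb, pki.TrustRejected(thumb)
}
```

Demo("pki") leaves server.der/server.pem and a PKI tree under ./pki with the client's certificate moved from rejected/ to trusted/certs/. The two checks in TrustRejected are the point of the example: a file in the rejected folder is written by the server for any unknown peer, so the operator should confirm that the file is the certificate they were told about (its content hashes to the name) and that it is a well-formed self-signed certificate before granting it access.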