High Performance OPC UA Server SDK  1.4.2.279
Authentication

Overview

When a session is activated, the server can authenticate users in different ways, such as username and password or an X509 certificate. The user's credentials are then verified with one of the available authentication backends. Only one backend can be active at a time. The following backends are currently available:

Null Backend: Disable authentication
Internal Backend: SDK internal username/password store, available on all OS

To activate a backend, select it with the cmake option UA_AUTHENTICATION_BACKEND. This may enable further backend-specific cmake options.

Null Backend

This backend disables authentication and allows everybody with network access to access your server and read/write values. Thus the null backend is generally not recommended and should only be used where public access is denied and the complete network infrastructure and devices are under full control of the administrator.

Internal Backend

The internal backend stores usernames and passwords and verifies new sessions against them. Passwords can be stored either as cleartext or as a SHA-256 hash with an additional salt.

Filesystem

When the server starts, users and passwords can be imported from a file if filesystem support is enabled. Each line of the file represents one user and has one of the following forms:

Cleartext:

<username>:cleartext:<password>
john:cleartext:password1

SHA-256:

<username>:sha256:<salt>:<hashed password>
john:sha256:wZa9AHGxXAZ6vjkL:8650866a3e667b247321ea479183e5cada8257112183b6fdd09c70e6da4b5c58

The username, salt and cleartext password may contain any printable characters except ':' and '#'. The hashed password is kept as a hexadecimal string, so the password itself may contain any characters.

To easily create and edit the password file, the SDK includes the uapasswd tool.
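The following Python check is an added example, not part of the SDK or its tools: it audits a password file in the format described above and reports cleartext entries, malformed lines, fields that break the character rule, digests that are not 64 hex digits, and repeated usernames. The function names and sample lines are constructed for illustration; rejecting empty fields is the example's own policy, and the duplicate check assumes file import has the same one-entry-per-user restriction as ua_authentication_add_user.

```python
import re

HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")

def field_ok(value):
    # Page rule for username, salt and cleartext password: printable, no ':' or '#'.
    # A ':' never reaches this point (the line is split on it; see "malformed entry").
    # Rejecting empty fields is this example's own policy, not a documented rule.
    return bool(value) and value.isprintable() and "#" not in value

def audit_password_file(text):
    """Return (line_number, username, finding) tuples for a password file."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split(":")
        user = parts[0]
        scheme = parts[1] if len(parts) > 1 else ""
        if scheme == "cleartext" and len(parts) == 3:
            findings.append((lineno, user, "cleartext password stored"))
        elif scheme == "sha256" and len(parts) == 4:
            if not HEX_SHA256.fullmatch(parts[3]):
                findings.append((lineno, user, "hash is not 64 hex digits"))
        else:
            # Also catches a cleartext password containing ':' (extra field).
            findings.append((lineno, user, "malformed entry"))
            continue
        if not (field_ok(user) and field_ok(parts[2])):
            findings.append((lineno, user, "empty field or forbidden character"))
        if user in seen:
            # Assumption: duplicates are rejected on import as in the API.
            findings.append((lineno, user, "duplicate username"))
        seen.add(user)
    return findings

# Constructed sample input; H is a placeholder digest, not a real hash.
H = "0123456789abcdef" * 4
SAMPLE = "\n".join([
    f"john:sha256:wZa9AHGxXAZ6vjkL:{H}",
    "alice:cleartext:password1",
    "bob:cleartext:pass:word",
    f"carol:sha256:sa#lt:{H}",
    "dave:sha256:abcd:1234",
    "john:cleartext:other",
])

if __name__ == "__main__":
    for lineno, user, finding in audit_password_file(SAMPLE):
        print(f"line {lineno}: {user}: {finding}")
```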

Code

If using a filesystem is not an appropriate solution, users can be added directly from within the code using ua_authentication_add_user.

#include <uaserver/session/authentication/internal/internal_authentication.h>
int ret;
/* add user with cleartext password */
ret = ua_authentication_add_user(UA_AUTH_HASH_NONE, "john", NULL, "password1");
if (ret != 0) goto error;
/* add user with hashed password (note: the same user cannot be added twice) */
ret = ua_authentication_add_user(UA_AUTH_HASH_SHA256, "john", "wZa9AHGxXAZ6vjkL", "8650866a3e667b247321ea479183e5cada8257112183b6fdd09c70e6da4b5c58");
if (ret != 0) goto error;

To generate a salt and to hash the password, the uapasswd tool with the -n option can be used.