Establishing Secure Connections

Table of Contents

• Connect without Security
• Connect with Security
• Troubleshooting

This section shows how to establish a secure connection between server and client. For this purpose we use the HP SDK demo server and connect using UaExpert as a client.

This procedure describes how to connect using self-signed certificates which is good for testing. In production, you should not use self-signed certificates, because this is hard to maintain. Instead, you should create CA-signed certificates and install the CA certificate in all UA applications. This way there is no need to trust individual certificates.

Connect without Security

Connecting without security can be a first and easy way to ensure that the network is working and the server can be reached.

Add Server

If this does not work, read the section Troubleshooting.

Connect with Security

To connect with security we choose a secure endpoint indicated with the green lock icon.

Accept Secure Server

When connecting the first time to the server and the certificate is not trusted, UaExpert will show the "Certificate Validation" dialog. In this dialog you can inspect all certificate information of the server you are going to connect.

You will need to accept the server certificate to be able to proceed by clicking on the "Trust Server Certificate" button.

Accept Certificate

UaExpert stores this in the client's trust list when accepting the certificate. The next time you try to connect, the server certificate will be accepted automatically.

Certificate Trusted

When clicking the "Continue" button, the client will connect to the server. This must fail the first time, because the server does not trust the client certificate yet.

You can see this in UaExpert "Log Window". The server simply returns the error "BadSecurityChecksFailed". The server does not give more information to minimize the attack surface. But we expected this error and know that the reason is the untrusted client certificate.

BadSecurityChecksFailed

On server side you would see the reason when inspecting the log:

$> ./uaserverhp -d 255 -f 8192 -t0
Server is up and running.
Listening on opc.tcp://ws-gergap.ascolab.com:4840
D|13|15:19:45.394180|23275|  pki_cert_verify: cert 0x56391c1e02a0 will be tested
G|13|15:19:45.394568|23275|  pki_cert_ossl_verify_cb: verify ok at depth 0
I|13|15:19:45.394594|23275|  pki_cert_verify: certificate is not trusted

The server automatically stores rejected certificates in the rejected folder inside the PKI store. This makes it easy to trust a client certificate, because it is already there. You can simply trust rejected certificate by using the uacertmgr tool.

First use the list command to inspect the rejected certificates:

$> ./uacertmgr list rejected
List all certificates:
Idx SHA1 Certificate Id                      Common Name        Application URI                          Key Type       Key Size
[0] 5F3035BB9E81410802926CB22A5D2A1F6DA0C42F HP SDK Demo Server urn:UnifiedAutomat....ServerHP:ws-demo   RSA Public Key 4096

Then use the trust command to trust the certificate:

$> ./uacertmgr trust 5F3035BB9E81410802926CB22A5D2A1F6DA0C42F
The certificate '5F3035BB9E81410802926CB22A5D2A1F6DA0C42F' is now trusted.

After this client is trusted by the server and you are able to connect.

You can also inspect the certificate details before trusting it by using the uacertmgr command "show [ location ] <sha1> Show certificate details":

./uacertmgr show rejected 5F3035BB9E81410802926CB22A5D2A1F6DA0C42F
Certificate details of 5F3035BB9E81410802926CB22A5D2A1F6DA0C42F:
 Application URI:        urn:UnifiedAutomation:UaServerHP:ws-demo
 IP Address:
 DNS:                    ws-demo.ascolab.com
 E-Mail:                 email@ascolab.com
 Valid From:             2020-12-02T18:18:27
 Valid Till:             2024-11-19T18:18:27
 Serial:                 5FC7DA73
Key Usage:
 Key Usage Flags:        0x2f
 Key Usage String:       DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment, KeyCertSign
Ext Key Usage:
 Ext Key Usage Flags:    0x200
 Ext Key Usage String:   ExtServerAuth
Subject:
 Common Name:            HP SDK Demo Server
 Organization:           Unified Automation GmbH
 Organization Unit:      HPSDK
 Locality:               Kalchreuth
 State:                  Bayern
 Country:                DE
Issuer:
 Common Name:            HP SDK Demo Server
 Organization:           Unified Automation GmbH
 Organization Unit:      HPSDK
 Locality:               Kalchreuth
 State:                  Bayern
 Country:                DE
Public Key:
 Key Type:               RSA Public Key
 Key Length:             4096

For more information on uacertmgr have look at UA Certificate Manager.

Troubleshooting

Problem: The server cannot be reached.

Solution: Try to ping the hostname of the server. If ping does not work, please check your network configuration

Problem: You can reach the server, but the server port is blocked by a firewall, or you are using the wrong port.

Solution: Use telnet <hostname> <port> to test if your can connect to that port. If you cannot even connect the TCP port using telnet, check your firewall permissions and verify using netstat if the server has opened the correct port.

Problem: DNS is not working. You can reach the server by IP, but not using the hostname. This can be a problem, because even if you configure a discovery URL with IP, the server may return an endpoint URL with hostname during the GetEndpoints service call. Then in the second step the client cannot connect anymore to this URL. UaExpert detects such situations und can replace the hostname with the IP that what used in the first step. But this cannot be expected by very client.

Solution1: Configure DNS to be able to resolve the hostname. Combined DHCP/DNS servers make this working automatically for each machine that gets an IP from the DHCP server.

Solution2: Change the server configuration to use IP addresses and the endpoint description. This way you don't need DNS.