High Performance OPC UA Server SDK
1.7.1.383
|
This section shows how to establish a secure connection between server and client. For this purpose we use the HP SDK demo server and connect using UaExpert as a client.
This procedure describes how to connect using self-signed certificates which is good for testing. In production, you should not use self-signed certificates, because this is hard to maintain. Instead, you should create CA-signed certificates and install the CA certificate in all UA applications. This way there is no need to trust individual certificates.
Connecting without security can be a first and easy way to ensure that the network is working and the server can be reached.
If this does not work, read the section Troubleshooting.
To connect with security we choose a secure endpoint indicated with the green lock icon.
When connecting the first time to the server and the certificate is not trusted, UaExpert will show the "Certificate Validation" dialog. In this dialog you can inspect all certificate information of the server you are going to connect.
You will need to accept the server certificate to be able to proceed by clicking on the "Trust Server Certificate" button.
UaExpert stores this in the client's trust list when accepting the certificate. The next time you try to connect, the server certificate will be accepted automatically.
When clicking the "Continue" button, the client will connect to the server. This must fail the first time, because the server does not trust the client certificate yet.
You can see this in UaExpert "Log Window". The server simply returns the error "BadSecurityChecksFailed". The server does not give more information to minimize the attack surface. But we expected this error and know that the reason is the untrusted client certificate.
On server side you would see the reason when inspecting the log:
$> ./uaserverhp -d 255 -f 8192 -t0 Server is up and running. Listening on opc.tcp://ws-gergap.ascolab.com:4840 D|13|15:19:45.394180|23275| pki_cert_verify: cert 0x56391c1e02a0 will be tested G|13|15:19:45.394568|23275| pki_cert_ossl_verify_cb: verify ok at depth 0 I|13|15:19:45.394594|23275| pki_cert_verify: certificate is not trusted
The server automatically stores rejected certificates in the rejected
folder inside the PKI store. This makes it easy to trust a client certificate, because it is already there. You can simply trust rejected certificate by using the uacertmgr
tool.
First use the list
command to inspect the rejected certificates:
$> ./uacertmgr list rejected List all certificates: Idx SHA1 Certificate Id Common Name Application URI Key Type Key Size [0] 5F3035BB9E81410802926CB22A5D2A1F6DA0C42F HP SDK Demo Server urn:UnifiedAutomat....ServerHP:ws-demo RSA Public Key 4096
Then use the trust
command to trust the certificate:
$> ./uacertmgr trust 5F3035BB9E81410802926CB22A5D2A1F6DA0C42F The certificate '5F3035BB9E81410802926CB22A5D2A1F6DA0C42F' is now trusted.
After this client is trusted by the server and you are able to connect.
You can also inspect the certificate details before trusting it by using the uacertmgr command "show [ location ] <sha1> Show certificate details"
:
For more information on uacertmgr have look at UA Certificate Manager.
Problem: The server cannot be reached.
Solution: Try to ping the hostname of the server. If ping does not work, please check your network configuration
Problem: You can reach the server, but the server port is blocked by a firewall, or you are using the wrong port.
Solution: Use telnet <hostname> <port>
to test if your can connect to that port. If you cannot even connect the TCP port using telnet, check your firewall permissions and verify using netstat
if the server has opened the correct port.
Problem: DNS is not working. You can reach the server by IP, but not using the hostname. This can be a problem, because even if you configure a discovery URL with IP, the server may return an endpoint URL with hostname during the GetEndpoints service call. Then in the second step the client cannot connect anymore to this URL. UaExpert detects such situations und can replace the hostname with the IP that what used in the first step. But this cannot be expected by very client.
Solution1: Configure DNS to be able to resolve the hostname. Combined DHCP/DNS servers make this working automatically for each machine that gets an IP from the DHCP server.
Solution2: Change the server configuration to use IP addresses and the endpoint description. This way you don't need DNS.