logo

Notification

Icon
Error

2 Pages12>
Options
Go to last post Go to first unread
Offline dima_t  
#1 Posted : Wednesday, September 23, 2015 12:06:59 PM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
Since manual provides scarce amount of information regarding to custom self signed certificates.
I need some information.
I have generated CA certificate, intermediate certificate and server certificate, I also have created chain file and all this has been converted to .der format. Server certificate signed using intermediate certificate which is signed by CA certificate.
The client certificate has been created and signed as well.

If I put all the files except client and chain, into pki/application/trust/certs server simply doesn't start, it freezes right after UAServer_Initialise returned: 0.
What is the right procedure which will make it work? I wish to use certificate based authorization procedure for clients, which(certificates) were signed by my intermediate authority.
Where should I put my chain file to make server read it?

Edited by user Wednesday, September 23, 2015 12:07:41 PM(UTC)  | Reason: Not specified

Offline Basavaraju B V  
#2 Posted : Wednesday, September 23, 2015 9:08:25 PM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t,

If server is halted after UAServer_Initialise returned: 0, initialization of the server has been failed. it will have the error code. So, please change the line
printf("UAServer_Initialise returned: %u\n", (uint16_t)status); to printf("UAServer_Initialise returned: %x\n", (uint32_t)status); to get the actual error code and can be checked in opcua_status_codes.h file. or you can also debug and check the value of the status to find the actual error code. it looks like while server is initializing validation of the certificate is failed.

I am assuming that server certificate which has been created has all the necessary fields as per the specification (Part 4 and Part 6). To check if all the necessary fields are present, you can generate on self-signed certificate with openssl example project and compare the fields with the certificate which is generated using CA and Intermediate CA certificate.

could you please clarify us on chain file which has been converted to .der format?

Here is the PKI folder structure for you case:
../../Debug/pki/applications
../../Debug/pki/applications/issuers
../../Debug/pki/applications/issuers/certs/ (Here CA and Intermediate CA certificates has to be added (in .der format))
../../Debug/pki/applications/issuers/crl (if any)
../../Debug/pki/applications/issuers/private (if any for CA and intermediate CA)

../../Debug/pki/applications/trust
../../Debug/pki/applications/trust/certs
../../Debug/pki/applications/trust/certs/rejected (this will be empty)
../../Debug/pki/applications/trust/certs/server.der (server certificate which has been created using CA and Intermediate CA certificate)
../../Debug/pki/applications/trust/crl (this will be empty)
../../Debug/pki/applications/trust/private
../../Debug/pki/applications/trust/private/server_key.pem (private key)

Note: Server application will internally create the chain of certificates during validation of certificates. So we don't have to create the chain of certificate.

Regards,
Basavaraju B V

Edited by user Thursday, September 24, 2015 2:53:38 AM(UTC)  | Reason: Not specified

Offline dima_t  
#3 Posted : Thursday, September 24, 2015 7:23:59 AM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
By reading source code and getting info from automatically SDK generated CA certificate I've noticed that it has some extra fields. I ran the server through gdb and yes the SDK doesn't like my certificate, it simply doesn't have those fields.
Can you help me to locate "specification (Part 4 and Part 6)" that specification? - Found the specification it is this one https://opcfoundation.or...ns-unified-architecture, right?

could you please clarify us on chain file which has been converted to .der format? - I have concatenated CA and intermediate CA pem files into a single file and converted that to DER using openssl.

Here is a new question. Reading that spec, it looks like I don't need to sign client and server certificates using the same CA for proper certificate authorization. All I need is to put move client certificate from rejected to trusted directory. The server certificate generated by application itself is a CA on it's own. Am I right?

Edited by user Thursday, September 24, 2015 10:25:38 AM(UTC)  | Reason: Some updates.

Offline Basavaraju B V  
#4 Posted : Thursday, September 24, 2015 10:44:48 AM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t,

Link to find the specification is https://opcfoundation.or...ons-unified-architecture

In the PKI folder structure (where the certificates are stored), there is no need to create the chain of certificates. All it needs is, CA certificate, intermediate CA certificate inside the below path (no need to merge the CA and intermediate CA into single certificate):
../../Debug/pki/applications/issuers/certs/ (Here CA and Intermediate CA certificates has to be added (in .der format))

and application certificate(which is generated using intermediate CA certificate) has to be inside the below path:

../../Debug/pki/applications/trust/certs/ (and this application certificate should be named as server.der)

Make sure that private key of that application certificate is in the below path:
../../Debug/pki/applications/trust/private (this private key file should in .PEM format and with the name server_key.pem)

Yes, your understanding is right. Client and server need not be signed by same CA certificate. and yes move the client certificate from the rejected folder to trusted directory (to this path ../../Debug/pki/applications/trust/certs/). And yes, server certificate which is generate by application doesn't need a CA certificate(s). As it will be self signed certificate.

Note: If you have OPC UA Embedded Server SDK, then an please refer the following code file:

path: <path where SDK is installed>\SDK_Source\API\security_interfaces\
file name: ua_security_openssl.c

In that you can look at the implementation of UASecurity_Create_self_signed_certificate() function to understand what are the extension to be added/present in the application certificate.
UASecurity_Callback_certificate_validate() function to understand how a certificate(s) has been validated along with CA and intermediate CA certificates.

I hope this helps you to solve the problem you are facing and to understand how certificate is used in OPC UA Embedded Servers.

Please let us know if anything is not clear.

Thank you.
Regards,
Basavaraju B V
Offline dima_t  
#5 Posted : Thursday, September 24, 2015 3:42:56 PM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
So I removed all my certificates, allowed server to generate it's own. Took client certificate from client SDK example.
Adjusted URI's to make them pass server validation. Copied rejected file into app/trust directory.

Now client fails at uaSessionPtr->Activate(sessconnStatus);

status code is 0x80200000 which is OpcUa_BadIdentityTokenInvalid = The user identity token is not valid.

Here is my Endpoint configuration

/** Endpoint Security Policy - None */
0,
/** Endpoint Security Policy - Sign - Basic128Rsa15 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic128Rsa15 */
UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic256Sha256,
/** Endpoint Security Policy - Sign - Basic256 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic256 */
0,
/** Endpoint Security Policy - Sign - Basic256Sha256 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic256Sha256 */
0,

Which confusing me because manual says that there are only 5 endpoints. And it looks like manual is right because 2 last values do not change anything.
The only one option which requires certificate for authorization is /** Endpoint Security Policy - Sign & Encrypt - Basic128Rsa15 */

What have I missed?

UPDATE:
When it happens server log gives me this line Error: opcua_sdk_6339F1F0F70C68447460AB67C496545D6E9F43E9.cpp, Line: 1830

Edited by user Thursday, September 24, 2015 3:51:05 PM(UTC)  | Reason: Not specified

Offline Basavaraju B V  
#6 Posted : Friday, September 25, 2015 1:11:55 AM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t

It looks like the configuration is incorrect. Here I would like to explain the deference between User Token policy and Security policy.

Security Policy

OPC UA specification suggested security policies are:
+ None
+ Basic128RSA15
+ Basic256
+ Basic256RSA256

where as the OPC UA Embedded SDK supports,
+ None
+ Basic128RSA15
+ Basic256

This information can be found user manual under Specification and Supported Security Facet part.

For security policies, Basic128RSA15 and Basic256 there are 2 further types.
+ Sign - where data will not be encrypted but the communication will be signed to make sure that data is from authorized source
+ Sign and Encrypt - Where data will be encrypted and signed

So, there are total 5 endpoint security policies supported and 2 not supported
+ Endpoint Security Policy - None
+ Endpoint Security Policy - Sign - Basic128Rsa15
+ Endpoint Security Policy - Sign & Encrypt - Basic128Rsa15
+ Endpoint Security Policy - Sign - Basic256
+ Endpoint Security Policy - Sign & Encrypt - Basic256
+ Endpoint Security Policy - Sign - Basic256Sha256 /*Not supported yet. reserved for future*/
+ Endpoint Security Policy - Sign & Encrypt - Basic256Sha256 /*Not supported yet. reserved for future*/

User Token Policy:

OPC UA Embedded SDK supports,
+ Anonymous - Anybody can be connected to server.
+ Username and Password - Can be connected to server with valid Username and password.
+ X509v3 Certificate - Can be connected to server with valid X509v3 certificate.

This user Token policy is to represent what user can communicate with the OPC UA Embedded Server.

Right ways to configure the server for endpoint security policy is as follows:

Ex:
/** Endpoint Security Policy - None */ - // under none security policy, what is the user token policy to be used
UA_USER_TOKEN_POLICY_ANONYMOUS_TOKEN_SECURITY_POLICY_NONE - Anyone can connect to server in None mode
UA_USER_TOKEN_POLICY_USERNAME_PASSWORD_TOKEN_SECURITY_POLICY_NONE - Only with valid Username and Password client can be connected to server
UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_NONE, - only with valid X509v3 certificate client can be connected to server.

Note: All 3 user tokens can be use for none mode with bitwise or operator so that client will be allowed to connect to server in all 3 forms like:
UA_USER_TOKEN_POLICY_ANONYMOUS_TOKEN_SECURITY_POLICY_NONE | UA_USER_TOKEN_POLICY_USERNAME_PASSWORD_TOKEN_SECURITY_POLICY_NONE | UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_NONE,

In your configuration server is giving the correct error code 0x80200000 - OpcUa_BadIdentityTokenInvalid, because "UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic256Sha256" is not the right UA Server Security Configuration bitmap for Endpoint Security Policy - Sign & Encrypt - Basic128Rsa15.

In your case the right way to configuration is:

/** Endpoint Security Policy - None */
0,
/** Endpoint Security Policy - Sign - Basic128Rsa15 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic128Rsa15 */

UA_USER_TOKEN_POLICY_ANONYMOUS_TOKEN_SECURITY_POLICY_NONE,
or
UA_USER_TOKEN_POLICY_USERNAME_PASSWORD_TOKEN_SECURITY_POLICY_Basic128Rsa15
or
UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic128Rsa15

or bitwise OR the necessary UA Server Security Configuration bitmaps.

/** Endpoint Security Policy - Sign - Basic256 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic256 */
0,
/** Endpoint Security Policy - Sign - Basic256Sha256 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic256Sha256 */
0,

I hope this answered your question and cleared the confusion.

Please let us know if anything is not clear.

Thank you.
Regards,
Basavaraju B V
Offline dima_t  
#7 Posted : Friday, September 25, 2015 1:30:32 PM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
So I have changed endpoint settings. Now it looks like this.

/** Endpoint Security Policy - None */
0,
/** Endpoint Security Policy - Sign - Basic128Rsa15 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic128Rsa15 */
UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic128Rsa15,
/** Endpoint Security Policy - Sign - Basic256 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic256 */
0,
/** Endpoint Security Policy - Sign - Basic256Sha256 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic256Sha256 */
0,

As you suggested. Actually I tried it before. Now I receive code 0x80210000 which is the user identity token is valid but the server has rejected it.
And 2 errors this time:

2015-09-26 03:24:10.113 - Error: opcua_sdk_6339F1F0F70C68447460AB67C496545D6E9F43E9.cpp, Line: 1773
2015-09-26 03:24:10.113 - Error: opcua_sdk_6339F1F0F70C68447460AB67C496545D6E9F43E9.cpp, Line: 1830

My client and sample SDK client console does this. I'm using sample SDK client console certificate as client certificate.
Why it rejects it even if it is valid?

Thank you.




Offline Basavaraju B V  
#8 Posted : Saturday, September 26, 2015 6:44:08 AM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t,

Now the configuration is correct. The reason why it is giving error is "when user token policy is used other than Anonymous, Server SDK will call the application callback function to validate the user". Those functions are:
+ UAServer_Callback_login_username_password() //This callback will be called when Username and Password User token policy is used
+ UAServer_Callback_login_x509_certificate() //This callback will be called when x509 certificate User token policy is used.

this feature is provided to give control for application layer to validate user.

In your case, as you have mentioned UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic128Rsa15 for endpoint url, while validating the login certificate (which is provided by client), SDK will call UAServer_Callback_login_x509_certificate() (which has to be implemented by the developer of the server to make sure the user who is trying to login is authorized user). This function description can be found in the ua_server.h file. Implementation can be found in opcua_server.c file which is returning FALSE.

My suggestion is, for a time being you can return TRUE from the UAServer_Callback_login_x509_certificate() function just make sure that with your configuration the client is able to connect to the server. Once it is connected, please modify the function UAServer_Callback_login_x509_certificate() with implementation of your choice to authenticate the client which is trying to connect with the server.

Note:
1. I am assuming that you have kept the rejected client certificate in the trusted folder as you are getting this error. i.e. you have moved the rejected certificate from
+ ../../Debug/pki/users/trust/certs/rejected to ../../Debug/pki/users/trust/certs/
+ ../../Debug/pki/applications/trust/certs/rejected to ../../Debug/pki/applications/trust/certs/

2. You can cross verify the above mention problem description by putting the break point in UAServer_Callback_login_x509_certificate() function in opcua_server.c file.

3. if you are using the openssl, you can also put the break point in ua_security_openssl.c file for funciton authenticate_user(). There you can find that UAServer_Callback_login_x509_certificate() function is called.

I hope this will help you to solve the problem.

Please let me know if anything is not clear.

Thank you.
Regards,
Basavaraju B V

Edited by user Saturday, September 26, 2015 6:48:08 AM(UTC)  | Reason: Not specified

Offline dima_t  
#9 Posted : Monday, September 28, 2015 7:27:19 AM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
I am assuming that you have kept the rejected client certificate in the trusted folder as you are getting this error. i.e. you have moved the rejected certificate from. - Yes.
The certifiacate has been moved from rejected folder .../pki/application/trust/certs/rejected to .../pki/application/trust/certs, my rejected folder is empty now.
Regarding to .../pki/users/trust/certs/rejected that directory was always empty.

This function UAServer_Callback_login_x509_certificate() is not being called in my case. I have printf there since I have started to test.

Another thing I have tried, I did copy user certificate to /pki/users/trust/certs/ from /pki/application/trust/certs but that didn't change anything.

So I stuck with 0x80210000 error code and UAServer_Callback_login_x509_certificate() not being called.

Any suggestions?

UPDATE:

I set breakpoint to ua_security_openssl.c authenticate_user(), the function is not being called as well.

UPDATE 1:

This line ua_security_openssl.c line 864 generates error. 2 conditions aren't valid there it is certificate_chain data equals to 0 and certificate_chain length equals to -1. And it is being passed as parameter.

Edited by user Thursday, October 1, 2015 7:35:25 AM(UTC)  | Reason: Changed 0x8020 to 0x8021

Offline Basavaraju B V  
#10 Posted : Wednesday, September 30, 2015 10:07:34 PM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t,

In the previous conversation, it was mentioned that "Now I receive code 0x80210000 which is the user identity token is valid but the server has rejected it." That will happen if UAServer_Callback_login_x509_certificate() returning FALSE.

Could you please let me know whether it is a same project work space where we are getting these errors(0x80200000 and 0x80210000)

If 0x80200000 is reported means, OpcUa_BadIdentityTokenInvalid. Please check the configuration under endpoint security policies as discussed earlier.

If the error is happening in ua_security_openssl.c line 864, and certificate_chain data equals to 0 and certificate_chain length equals to -1. That means in the trust folder there were no certificate(s) to validate.

Please find the PKI directory structure below, if sign / sign & encrypt with security policy Basic128RSA15 and with user token policy x509v3 certificate. (UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic128Rsa15)

../../Debug/pki/applications
../../Debug/pki/applications/issuers
../../Debug/pki/applications/issuers/certs (This will be empty)
../../Debug/pki/applications/issuers/crl (This will be empty)
../../Debug/pki/applications/issuers/private (This will be empty)

../../Debug/pki/applications/trust
../../Debug/pki/applications/trust/certs/rejected (this will be empty)
../../Debug/pki/applications/trust/certs/ (under this server.der server certificate should be present. And client certificate if it was rejected and copied to this folder)
../../Debug/pki/applications/trust/crl (this will be empty)
../../Debug/pki/applications/trust/private/ (Under this private key for server certificate should present with name server_key.pem)

../../Debug/pki/users
../../Debug/pki/users/issuers
../../Debug/pki/users/issuers/certs (this will be empty)
../../Debug/pki/users/issuers/crl (this will be empty)
../../Debug/pki/users/issuers/private (this will be empty)

../../Debug/pki/users/trust
../../Debug/pki/users/trust/certs
../../Debug/pki/users/trust/certs/rejected (this will be empty)
../../Debug/pki/users/trust/certs/ (Under this a server certificate which is used for authentication has to be placed with the name server.der)
../../Debug/pki/users/trust/crl (this will be empty)
../../Debug/pki/users/trust/private/ (Under this a private key server certificate which is used for authentication has to be placed with the name server_key.pem)

If this is the directory structure then, While connecting to server, we have to provide the certificate and it's private key. If this is not provided, server will respond saying BadTokenIdInvalid 0x80200000. If proper certificate is provided at the client side while connecting to server, first time when it tries to connect it will put the certificate to rejected folder ../../Debug/pki/users/trust/certs/rejected. we have to move this rejected certificate to ../../Debug/pki/users/trust/certs/.

I hope this will help you to solve the problem. Please let me know if anything is not clear.

Thank you.
Regards,
Basavaraju B V

Edited by user Wednesday, September 30, 2015 10:10:12 PM(UTC)  | Reason: Not specified

Offline dima_t  
#11 Posted : Thursday, October 1, 2015 10:06:38 AM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
It was confusing. It creates copy of certificate in pki/application/trust/certs/rejected after I logged in first time, then I should move certificate from pki/application/trust/certs/rejected to pki/application/trust/certs/, then I should try to log in again and this time it will create a copy in /pki/users/trust/certs/rejected I didn't notice this behaviour before, I should move it to /pki/users/trust/certs/ this time.
And finaly it called UAServer_Callback_login_x509_certificate() instead of giving me 0x80210000 error. I made a mistake and updated previous post from 0x80200000 to 0x80210000.

This one is solved, but I have new error, UAServer_Callback_login_x509_certificate() is being called and I return TRUE there. It still can't activate session and the error code is 0x80570000 which is OpcUa_BadUserSignatureInvalid. What kind of signature it complains about? Which certificate should I use to sign it if signature is required? Just to remind you the client certificate is the default certificate generated by Matrikon OPCUA client example console.

Edited by user Thursday, October 1, 2015 10:11:07 AM(UTC)  | Reason: Not specified

Offline Basavaraju B V  
#12 Posted : Thursday, October 1, 2015 11:37:20 AM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t,

No problem. I am glad that you are able to successfully reached a phase where SDK is calling a callback function to verify the login x509 certificate.

The only time server returns this error code (0x80570000) is, while verifying the signature (UASecurity_Callback_asymmetric_verify()).

This usually happens when the signature algorithm and/or signature hash algorithm used in the client certificate doesn't match with server's signature algorithm and/or signature hash algorithm. Can you please open the client's certificate(s) and server certificate(s) in view mode and check whether the signature algorithm and/or signature hash algorithm are matching. By default Server certificate will use sha1RSA as signature algorithm and sha1 as signature hash algorithm. In the client certificate also same algorithm should be used.

Also, can you Please debug the function UASecurity_Callback_asymmetric_verify() in ua_security_openssl.c file and let us know where it is returning non zero value from. If UASecurity_Callback_asymmetric_verify() doesn't return 0 then SDK will return 0x80570000 error code.

Note: If you have UA Expert, can you please try to use certificates of UA Expert client's certificate for user authentication and communication as well and check whether client is able connect successfully?

Thank you.
Regards,
Basavaraju B V

Edited by user Thursday, October 1, 2015 11:39:30 AM(UTC)  | Reason: Not specified

Offline dima_t  
#13 Posted : Thursday, October 1, 2015 2:03:36 PM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
Yes they do match.

Client:
Signature algorithm - sha1RSA
Signature hash algorith - sha1

Server:
Signature algorithm - sha1RSA
Signature hash algorith - sha1

The reason for that error lays here (signature->data == 0) || (signature->length <= 0) ua_security_openssl.c line 2371

(gdb) p signature->data
$1 = (uint8_t *) 0x0


(gdb) p signature->length
$2 = -1


No, I don't have UA Expert, but I can get it, if it is free. I can generate certificates using openSSL if you want to test something, I already have created openSSL configuration file to generate OPC UA valid certificates, but for testing I'm using SDK generated client and server certificates.

Additional info, here is my PKI structure.

pki/
├── application
│   ├── issuers
│   │   ├── certs
│   │   ├── crl
│   │   └── private
│   └── trust
│   ├── certs
│   │   ├── 0EFF295248FF3CFFFFFF5F5421FF2EFF50FFFFFF.der
│   │   ├── rejected
│   │   └── server.der
│   ├── crl
│   └── private
│   └── server_key.pem
└── users
├── issuers
│   ├── certs
│   ├── crl
│   └── private
└── trust
├── certs
│   ├── 0EFF295248FF3CFFFFFF5F5421FF2EFF50FFFFFF.der
│   ├── rejected
│   └── server.der
├── crl
└── private
└── server_key.pem

server.der and server_key.pem are the same for users and application directories.

UPDATE:

UA Expert certificate works.
Can 64 bit certificate serial number be the reason?

Edited by user Thursday, October 1, 2015 4:20:20 PM(UTC)  | Reason: Not specified

Offline Basavaraju B V  
#14 Posted : Saturday, October 3, 2015 8:09:32 AM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t,

Good to hear that with UA Expert certificate, client is able to connect with server. Difference in algorithm is one such case where verification of signature fails. As we can clearly see from UASecurity_Callback_asymmetric_verify() implementation that, if the signature is verified successfully then function returns 0. If non 0 value is returned from function then 0x80570000 (OpcUa_BadApplicationSignatureInvalid) error code will be returned.

Actually there is no hard set rule for the size of a serial number, Hashed(digested) value of the serial number should not be more than 20 bytes.

Without seeing the client certificate which was leading to 0x80570000 error it is difficult to tell the exact reason. Could you please tell me which version of client SDK is being used. I will try to generate the client certificate and check what might be the reason for the same?

Thank you.
Regards,
Basavaraju B V
Offline dima_t  
#15 Posted : Monday, October 5, 2015 8:17:47 AM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
I'm using this one.
Matrikon_OPC_UA_SDK_Win_x86_v1.1.1.25595

I have also tried to generate similar certificate on linux machine using openSSL got the same 0x80570000 error, I didn't have time to play more with it.
But I will let you know if I will find something else.

UPDATE:

I have used UA Expert to connect when it was successful.
It looks like there is problem with client. Because when I take original UA Expert certificate and try to use it in console client example it gives me the same 0x80570000 error.

Edited by user Monday, October 5, 2015 1:41:27 PM(UTC)  | Reason: Not specified

Offline Basavaraju B V  
#16 Posted : Monday, October 5, 2015 10:06:26 PM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t,

Thank you for providing the version. It is mentioned int he release notes that, "The X509v3 Certificate and WS-SecurityToken User Token Types are not supported". You can find the release notes (MatrikonOPC UA Client SDK Release Notes.txt) under Documents section of the UA client SDK installed folder.

That is the reason when UA Expert certificate(which worked with UA Expert client) used with the console client example it gives 0x80570000 error.

I hope this answered your question.

Note: Recently version 1.2 released. In that also release notes says User token types is not supported.

Thank you.
Regards,
Basavaraju B V
Offline dima_t  
#17 Posted : Tuesday, October 6, 2015 7:12:21 AM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
Unfortunately it does. Even though client example has implemented certificate based connection which doesn't work and that totally confused me.
Offline Basavaraju B V  
#18 Posted : Wednesday, October 7, 2015 7:48:14 PM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t,

No Problem.

small correction. X509v3 Certificate User token policy is supported in V 1.2.0.

Regards,
Basavaraju B V
Offline dima_t  
#19 Posted : Tuesday, October 13, 2015 8:12:22 AM(UTC)
dima_t

Rank: Member

Joined: 9/23/2015(UTC)
Posts: 29

Was thanked: 6 time(s) in 5 post(s)
Can you help me to find download link for ver 1.2?
All I can get is Matrikon_OPC_UA_SDK_Win_x86_v1.1.1.25595 from here http://www.matrikonopc.c.../downloads.aspx?dID=1265

Edited by user Tuesday, October 13, 2015 2:48:59 PM(UTC)  | Reason: Not specified

Offline Basavaraju B V  
#20 Posted : Wednesday, October 14, 2015 10:11:24 PM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Dima_t,

Sorry for the delayed response.
Correction to my previous response, release date of version V.1.2.0 is not confirmed yet. As soon as I get the information about the same, I will update on it. I hope that is fine.

Thank you.
Regards,
Basavaraju B V
2 Pages12>
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Matrikon Subscribe  |   Matrikon Unsubscribe  |   Global Unsubscribe  |   Privacy Statement  |   Do Not Sell My Personal Information   |   Cookie Notice