Hi Dima_t,

If server is halted after UAServer_Initialise returned: 0, initialization of the server has been failed. it will have the error code. So, please change the line
printf("UAServer_Initialise returned: %u\n", (uint16_t)status); to printf("UAServer_Initialise returned: %x\n", (uint32_t)status); to get the actual error code and can be checked in opcua_status_codes.h file. or you can also debug and check the value of the status to find the actual error code. it looks like while server is initializing validation of the certificate is failed.

I am assuming that server certificate which has been created has all the necessary fields as per the specification (Part 4 and Part 6). To check if all the necessary fields are present, you can generate on self-signed certificate with openssl example project and compare the fields with the certificate which is generated using CA and Intermediate CA certificate.

could you please clarify us on chain file which has been converted to .der format?

Here is the PKI folder structure for you case:
../../Debug/pki/applications
../../Debug/pki/applications/issuers
../../Debug/pki/applications/issuers/certs/ (Here CA and Intermediate CA certificates has to be added (in .der format))
../../Debug/pki/applications/issuers/crl (if any)
../../Debug/pki/applications/issuers/private (if any for CA and intermediate CA)

../../Debug/pki/applications/trust
../../Debug/pki/applications/trust/certs
../../Debug/pki/applications/trust/certs/rejected (this will be empty)
../../Debug/pki/applications/trust/certs/server.der (server certificate which has been created using CA and Intermediate CA certificate)
../../Debug/pki/applications/trust/crl (this will be empty)
../../Debug/pki/applications/trust/private
../../Debug/pki/applications/trust/private/server_key.pem (private key)

Note: Server application will internally create the chain of certificates during validation of certificates. So we don't have to create the chain of certificate.

Regards,
Basavaraju B V

Edited by user Thursday, September 24, 2015 2:53:38 AM(UTC)  | Reason: Not specified

Hi Dima_t,

Link to find the specification is https://opcfoundation.or...ons-unified-architecture

In the PKI folder structure (where the certificates are stored), there is no need to create the chain of certificates. All it needs is, CA certificate, intermediate CA certificate inside the below path (no need to merge the CA and intermediate CA into single certificate):
../../Debug/pki/applications/issuers/certs/ (Here CA and Intermediate CA certificates has to be added (in .der format))

and application certificate(which is generated using intermediate CA certificate) has to be inside the below path:

../../Debug/pki/applications/trust/certs/ (and this application certificate should be named as server.der)

Make sure that private key of that application certificate is in the below path:
../../Debug/pki/applications/trust/private (this private key file should in .PEM format and with the name server_key.pem)

Yes, your understanding is right. Client and server need not be signed by same CA certificate. and yes move the client certificate from the rejected folder to trusted directory (to this path ../../Debug/pki/applications/trust/certs/). And yes, server certificate which is generate by application doesn't need a CA certificate(s). As it will be self signed certificate.

Note: If you have OPC UA Embedded Server SDK, then an please refer the following code file:

path: <path where SDK is installed>\SDK_Source\API\security_interfaces\
file name: ua_security_openssl.c

In that you can look at the implementation of UASecurity_Create_self_signed_certificate() function to understand what are the extension to be added/present in the application certificate.
UASecurity_Callback_certificate_validate() function to understand how a certificate(s) has been validated along with CA and intermediate CA certificates.

I hope this helps you to solve the problem you are facing and to understand how certificate is used in OPC UA Embedded Servers.

Please let us know if anything is not clear.

Thank you.
Regards,
Basavaraju B V

Hi Dima_t

It looks like the configuration is incorrect. Here I would like to explain the deference between User Token policy and Security policy.

Security Policy

OPC UA specification suggested security policies are:
+ None
+ Basic128RSA15
+ Basic256
+ Basic256RSA256

where as the OPC UA Embedded SDK supports,
+ None
+ Basic128RSA15
+ Basic256

This information can be found user manual under Specification and Supported Security Facet part.

For security policies, Basic128RSA15 and Basic256 there are 2 further types.
+ Sign - where data will not be encrypted but the communication will be signed to make sure that data is from authorized source
+ Sign and Encrypt - Where data will be encrypted and signed

So, there are total 5 endpoint security policies supported and 2 not supported
+ Endpoint Security Policy - None
+ Endpoint Security Policy - Sign - Basic128Rsa15
+ Endpoint Security Policy - Sign & Encrypt - Basic128Rsa15
+ Endpoint Security Policy - Sign - Basic256
+ Endpoint Security Policy - Sign & Encrypt - Basic256
+ Endpoint Security Policy - Sign - Basic256Sha256 /*Not supported yet. reserved for future*/
+ Endpoint Security Policy - Sign & Encrypt - Basic256Sha256 /*Not supported yet. reserved for future*/

User Token Policy:

OPC UA Embedded SDK supports,
+ Anonymous - Anybody can be connected to server.
+ Username and Password - Can be connected to server with valid Username and password.
+ X509v3 Certificate - Can be connected to server with valid X509v3 certificate.

This user Token policy is to represent what user can communicate with the OPC UA Embedded Server.

Right ways to configure the server for endpoint security policy is as follows:

Ex:
/** Endpoint Security Policy - None */ - // under none security policy, what is the user token policy to be used
UA_USER_TOKEN_POLICY_ANONYMOUS_TOKEN_SECURITY_POLICY_NONE - Anyone can connect to server in None mode
UA_USER_TOKEN_POLICY_USERNAME_PASSWORD_TOKEN_SECURITY_POLICY_NONE - Only with valid Username and Password client can be connected to server
UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_NONE, - only with valid X509v3 certificate client can be connected to server.

Note: All 3 user tokens can be use for none mode with bitwise or operator so that client will be allowed to connect to server in all 3 forms like:
UA_USER_TOKEN_POLICY_ANONYMOUS_TOKEN_SECURITY_POLICY_NONE | UA_USER_TOKEN_POLICY_USERNAME_PASSWORD_TOKEN_SECURITY_POLICY_NONE | UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_NONE,

In your configuration server is giving the correct error code 0x80200000 - OpcUa_BadIdentityTokenInvalid, because "UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic256Sha256" is not the right UA Server Security Configuration bitmap for Endpoint Security Policy - Sign & Encrypt - Basic128Rsa15.

In your case the right way to configuration is:

/** Endpoint Security Policy - None */
0,
/** Endpoint Security Policy - Sign - Basic128Rsa15 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic128Rsa15 */

UA_USER_TOKEN_POLICY_ANONYMOUS_TOKEN_SECURITY_POLICY_NONE,
or
UA_USER_TOKEN_POLICY_USERNAME_PASSWORD_TOKEN_SECURITY_POLICY_Basic128Rsa15
or
UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic128Rsa15

or bitwise OR the necessary UA Server Security Configuration bitmaps.
/** Endpoint Security Policy - Sign - Basic256 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic256 */
0,
/** Endpoint Security Policy - Sign - Basic256Sha256 */
0,
/** Endpoint Security Policy - Sign & Encrypt - Basic256Sha256 */
0,

I hope this answered your question and cleared the confusion.

Please let us know if anything is not clear.

Thank you.
Regards,
Basavaraju B V

Hi Dima_t,

Now the configuration is correct. The reason why it is giving error is "when user token policy is used other than Anonymous, Server SDK will call the application callback function to validate the user". Those functions are:
+ UAServer_Callback_login_username_password() //This callback will be called when Username and Password User token policy is used
+ UAServer_Callback_login_x509_certificate() //This callback will be called when x509 certificate User token policy is used.

this feature is provided to give control for application layer to validate user.

In your case, as you have mentioned UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic128Rsa15 for endpoint url, while validating the login certificate (which is provided by client), SDK will call UAServer_Callback_login_x509_certificate() (which has to be implemented by the developer of the server to make sure the user who is trying to login is authorized user). This function description can be found in the ua_server.h file. Implementation can be found in opcua_server.c file which is returning FALSE.

My suggestion is, for a time being you can return TRUE from the UAServer_Callback_login_x509_certificate() function just make sure that with your configuration the client is able to connect to the server. Once it is connected, please modify the function UAServer_Callback_login_x509_certificate() with implementation of your choice to authenticate the client which is trying to connect with the server.

Note:
1. I am assuming that you have kept the rejected client certificate in the trusted folder as you are getting this error. i.e. you have moved the rejected certificate from
+ ../../Debug/pki/users/trust/certs/rejected to ../../Debug/pki/users/trust/certs/
+ ../../Debug/pki/applications/trust/certs/rejected to ../../Debug/pki/applications/trust/certs/

2. You can cross verify the above mention problem description by putting the break point in UAServer_Callback_login_x509_certificate() function in opcua_server.c file.

3. if you are using the openssl, you can also put the break point in ua_security_openssl.c file for funciton authenticate_user(). There you can find that UAServer_Callback_login_x509_certificate() function is called.

I hope this will help you to solve the problem.

Please let me know if anything is not clear.

Thank you.
Regards,
Basavaraju B V

Edited by user Saturday, September 26, 2015 6:48:08 AM(UTC)  | Reason: Not specified

Hi Dima_t,

In the previous conversation, it was mentioned that "Now I receive code 0x80210000 which is the user identity token is valid but the server has rejected it." That will happen if UAServer_Callback_login_x509_certificate() returning FALSE.

Could you please let me know whether it is a same project work space where we are getting these errors(0x80200000 and 0x80210000)

If 0x80200000 is reported means, OpcUa_BadIdentityTokenInvalid. Please check the configuration under endpoint security policies as discussed earlier.

If the error is happening in ua_security_openssl.c line 864, and certificate_chain data equals to 0 and certificate_chain length equals to -1. That means in the trust folder there were no certificate(s) to validate.

Please find the PKI directory structure below, if sign / sign & encrypt with security policy Basic128RSA15 and with user token policy x509v3 certificate. (UA_USER_TOKEN_POLICY_X509v3_CERTIFICATE_TOKEN_SECURITY_POLICY_Basic128Rsa15)

../../Debug/pki/applications
../../Debug/pki/applications/issuers
../../Debug/pki/applications/issuers/certs (This will be empty)
../../Debug/pki/applications/issuers/crl (This will be empty)
../../Debug/pki/applications/issuers/private (This will be empty)

../../Debug/pki/applications/trust
../../Debug/pki/applications/trust/certs/rejected (this will be empty)
../../Debug/pki/applications/trust/certs/ (under this server.der server certificate should be present. And client certificate if it was rejected and copied to this folder)
../../Debug/pki/applications/trust/crl (this will be empty)
../../Debug/pki/applications/trust/private/ (Under this private key for server certificate should present with name server_key.pem)

../../Debug/pki/users
../../Debug/pki/users/issuers
../../Debug/pki/users/issuers/certs (this will be empty)
../../Debug/pki/users/issuers/crl (this will be empty)
../../Debug/pki/users/issuers/private (this will be empty)

../../Debug/pki/users/trust
../../Debug/pki/users/trust/certs
../../Debug/pki/users/trust/certs/rejected (this will be empty)
../../Debug/pki/users/trust/certs/ (Under this a server certificate which is used for authentication has to be placed with the name server.der)
../../Debug/pki/users/trust/crl (this will be empty)
../../Debug/pki/users/trust/private/ (Under this a private key server certificate which is used for authentication has to be placed with the name server_key.pem)

If this is the directory structure then, While connecting to server, we have to provide the certificate and it's private key. If this is not provided, server will respond saying BadTokenIdInvalid 0x80200000. If proper certificate is provided at the client side while connecting to server, first time when it tries to connect it will put the certificate to rejected folder ../../Debug/pki/users/trust/certs/rejected. we have to move this rejected certificate to ../../Debug/pki/users/trust/certs/.

I hope this will help you to solve the problem. Please let me know if anything is not clear.

Thank you.
Regards,
Basavaraju B V

Edited by user Wednesday, September 30, 2015 10:10:12 PM(UTC)  | Reason: Not specified

Hi Dima_t,

No problem. I am glad that you are able to successfully reached a phase where SDK is calling a callback function to verify the login x509 certificate.

The only time server returns this error code (0x80570000) is, while verifying the signature (UASecurity_Callback_asymmetric_verify()).

This usually happens when the signature algorithm and/or signature hash algorithm used in the client certificate doesn't match with server's signature algorithm and/or signature hash algorithm. Can you please open the client's certificate(s) and server certificate(s) in view mode and check whether the signature algorithm and/or signature hash algorithm are matching. By default Server certificate will use sha1RSA as signature algorithm and sha1 as signature hash algorithm. In the client certificate also same algorithm should be used.

Also, can you Please debug the function UASecurity_Callback_asymmetric_verify() in ua_security_openssl.c file and let us know where it is returning non zero value from. If UASecurity_Callback_asymmetric_verify() doesn't return 0 then SDK will return 0x80570000 error code.

Note: If you have UA Expert, can you please try to use certificates of UA Expert client's certificate for user authentication and communication as well and check whether client is able connect successfully?

Thank you.
Regards,
Basavaraju B V

Edited by user Thursday, October 1, 2015 11:39:30 AM(UTC)  | Reason: Not specified

Hi Dima_t,

Good to hear that with UA Expert certificate, client is able to connect with server. Difference in algorithm is one such case where verification of signature fails. As we can clearly see from UASecurity_Callback_asymmetric_verify() implementation that, if the signature is verified successfully then function returns 0. If non 0 value is returned from function then 0x80570000 (OpcUa_BadApplicationSignatureInvalid) error code will be returned.

Actually there is no hard set rule for the size of a serial number, Hashed(digested) value of the serial number should not be more than 20 bytes.

Without seeing the client certificate which was leading to 0x80570000 error it is difficult to tell the exact reason. Could you please tell me which version of client SDK is being used. I will try to generate the client certificate and check what might be the reason for the same?

Thank you.
Regards,
Basavaraju B V

Hi Dima_t,

Thank you for providing the version. It is mentioned int he release notes that, "The X509v3 Certificate and WS-SecurityToken User Token Types are not supported". You can find the release notes (MatrikonOPC UA Client SDK Release Notes.txt) under Documents section of the UA client SDK installed folder.

That is the reason when UA Expert certificate(which worked with UA Expert client) used with the console client example it gives 0x80570000 error.

I hope this answered your question.

Note: Recently version 1.2 released. In that also release notes says User token types is not supported.

Thank you.
Regards,
Basavaraju B V

Hi Dima_t,

No Problem.

small correction. X509v3 Certificate User token policy is supported in V 1.2.0.

Regards,
Basavaraju B V

Hi Dima_t,

Sorry for the delayed response.
Correction to my previous response, release date of version V.1.2.0 is not confirmed yet. As soon as I get the information about the same, I will update on it. I hope that is fine.

Thank you.
Regards,
Basavaraju B V