logo

Notification

Icon
Error

Options
Go to last post Go to first unread
Offline Roberto Dias  
#1 Posted : Wednesday, July 1, 2015 6:31:55 AM(UTC)
Roberto Dias

Rank: Member

Joined: 4/15/2015(UTC)
Posts: 12
Location: Florianópolis

Was thanked: 5 time(s) in 5 post(s)
Dear colleagues,

I try to use the embedded_profile_with_openssl example provided by Embedded SDK with security profile (basic RSA 128 Sign and basic RSA 128 Sign and Encripty) but my client return a message error: "BadSecurityChecksFailed". Without security run fine!

All server folders bellow PKI (../../Debug/pki) are empty!!!

I need install certificates in server or client side?

The example uses a self signed certificate. Correct? Where it is stored em the server?

Best Regards
Offline Basavaraju B V  
#2 Posted : Wednesday, July 1, 2015 11:11:39 PM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Roberto,

Yes. It is self signed certificate.

First time when server runs, pki folder structure will be created inside Debug folder. when we run the server below mentioned files and folders should be created inside ../../Debug/pki. Can you please verify if below mentioned files and folders are present?

../../Debug/pki/applications
../../Debug/pki/applications/issuers
../../Debug/pki/applications/issuers/certs (This will be empty)
../../Debug/pki/applications/issuers/crl (This will be empty)
../../Debug/pki/applications/issuers/private (This will be empty)

../../Debug/pki/applications/trust
../../Debug/pki/applications/trust/certs
../../Debug/pki/applications/trust/certs/rejected (this will be empty)
../../Debug/pki/applications/trust/certs/server.der (This is the server certificate)
../../Debug/pki/applications/trust/crl (this will be empty)
../../Debug/pki/applications/trust/private
../../Debug/pki/applications/trust/private/server_key.pen (private key)

../../Debug/pki/users
../../Debug/pki/users/issuers
../../Debug/pki/users/issuers/certs (this will be empty)
../../Debug/pki/users/issuers/crl (this will be empty)
../../Debug/pki/users/issuers/private (this will be empty)

../../Debug/pki/users/trust
../../Debug/pki/users/trust/certs
../../Debug/pki/users/trust/certs/rejected (this will be empty)
../../Debug/pki/users/trust/crl (this will be empty)
../../Debug/pki/users/trust/private (this will be empty)

If server.der is present inside the ../../Debug/pki/applications/trust/certs/ path and server_key.pen inside ../../Debug/pki/applications/trust/private/, we can connect to the server from UA client.
When we first time try to connect to the server with security(basic RSA 128 Sign and basic RSA 128 Sign and Encripty), it will ask asks for accepting the certificate. Once you accept the first time it will fail with error "BadSecurityChecksFailed". This will create a file(client certificate) inside the ../../Debug/pki/applications/trust/certs/rejected folder. Copy the file which is created inside the rejected folder to outside the rejected folder(location ../../Debug/pki/applications/trust/certs). Then if we try to connect with security we should be able to connect without any problem.

I hope this solves your problem.

Regards,
Basavaraju B V
Offline Roberto Dias  
#3 Posted : Thursday, July 2, 2015 5:56:36 AM(UTC)
Roberto Dias

Rank: Member

Joined: 4/15/2015(UTC)
Posts: 12
Location: Florianópolis

Was thanked: 5 time(s) in 5 post(s)
Hi Basavaraju,

Very thanks!!!

The solution proposed run fine!!!

Best Regards!
Offline Basavaraju B V  
#4 Posted : Thursday, July 2, 2015 8:09:05 PM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Roberto,

You are welcome.

Regards,
Basavaraju B V
Offline Roberto Dias  
#5 Posted : Tuesday, July 7, 2015 7:32:42 AM(UTC)
Roberto Dias

Rank: Member

Joined: 4/15/2015(UTC)
Posts: 12
Location: Florianópolis

Was thanked: 5 time(s) in 5 post(s)
Hi Basavaraju,

In the last post (reply) I use the UAExpert Client of Unified Automation to test my server and its run fine.
Now i try to use the SampleUaConsole example provided in the Matrikon UA SDK Clien, but with RSA security the application return a error
Do you try make a security client with MatrikoOPC SDK?

I was develop a client application based on SampleUaConsole example and need to use secure communication.

Do you help me?

Best Regards.
Offline Basavaraju B V  
#6 Posted : Tuesday, July 7, 2015 11:34:35 PM(UTC)
Basavaraju B V

Rank: Advanced Member

Joined: 6/10/2015(UTC)
Posts: 34
Location: Bengaluru

Was thanked: 1 time(s) in 1 post(s)
Hi Roberto,

I tried to understand your problem by using the SampleUaConsole. I too faced some problems, and I was able to solve the problem and was able to connect to the server with security. I will mention the steps which solved the problem. I hope that will solve the problem for you as well.

+ SampleUaConsole.exe will look for the servers in the local machine. So we have to change the code in UaClient.cpp file.

+ open the project SampleUAConsole.sln inside folder <path_where_MatrikonOpc_SDK_is_installed>/MatrikonOPC/UA_SDK/Samples/Sample_Client_SourceCode/

+ change the server url path in the function bool UaClient::DiscoverServer()
ex:
ldsUrl = L"opc.tcp://";
ldsUrl += L"199.63.214.53"; //IP address of the server
ldsUrl += L":4840"; //port number of the server

+ rebuild the solution, and run newly generated SampleUAConsole.exe file inside the Debug folder.

+ Now you should be able to connect to server with out security.

+ But, With security there it will fail first time.

+ Copy the client certificate from the rejected folder to outside the rejected folder in the machine where server is running. just like our previous conversation. copy from ../../Debug/pki/applications/trust/certs/rejected to ../../Debug/pki/applications/trust/certs

+ Now client will be able to connect to server with certificate. But it will fail to browse nodes.

+ to fix the browsing nodes problem, UaClient.cpp code has to be modified again.

+ Reason for failing to browse for nodes in server is, the URI in the client certificate, is not matching with the uaSessionConfig->ClientApplicationDescription().ApplicationUri() and uaSessionConfig->ClientApplicationDescription().ProductUri(). It can be verified by opening the client certificate, and check the Subject alternate name under details tab of the client certificate and uaSessionConfig->ClientApplicationDescription().ApplicationUri() and uaSessionConfig->ClientApplicationDescription().ProductUri() in uaClient.cpp file

+ Now copy the URL value present inside the Subject alternate name, and replace the string L"http://HoneywellOpc.com/UA Client Toolkit"; in UaClient.cpp.

+ build the UaClient.cpp and run the newly generated SampleUAConsole.exe file inside the Debug folder.

+ Now client will be able to connect to server and browse nodes with security.

Basically, URL value in Subject Alternate Name of the client certificate should match with the uaSessionConfig->ClientApplicationDescription().ApplicationUri() and uaSessionConfig->ClientApplicationDescription().ProductUri(). I hope this helped you to solve the problem.

Regards,
Basavaraju B V

Edited by user Wednesday, July 8, 2015 12:26:31 AM(UTC)  | Reason: Not specified

Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Matrikon Subscribe  |   Matrikon Unsubscribe  |   Global Unsubscribe  |   Privacy Statement  |   Do Not Sell My Personal Information   |   Cookie Notice