Azure / Industrial-IoT

Azure Industrial IoT Platform
MIT License

Unable to connect to an OPC endpoint using Base256 with OPC Publisher #1641

Closed dagefjestad closed 2 years ago

dagefjestad commented 2 years ago

Hi

I have some trouble connecting to an OPC endpoint which uses:
• Security policy: Basic256
• Message Security Mode: Sign & Encrypt

We have exchanged certificates and added them to trusted. I am using the latest version of OPC Publisher.

Error message:

2022-03-21 15:14:41.418 +00:00 [INF] Azure IIoT b37d9b2f8445a4382e96f1d18342b2a48c455343 took "00:00:00.2354173".
2022-03-21 15:14:41.429 +00:00 [WRN] Failed to create session 'b37d9b2f8445a4382e96f1d18342b2a48c455343' due to One or more errors occurred. (Endpoint does not support the user identity type provided.)

pn.json:

"EndpointUrl": "opc.tcp://someIPadr:62550/DataAccessServer",
"UseSecurity": true,
"OpcAuthenticationMode" : "Anonymous",

Is there any way to be more specific about which security policy to use? Is there something else that could be wrong?

Thanks, Dag Efjestad

hansgschossmann commented 2 years ago

@dagefjestad can it be that your server requires username/password authentication? The error message "Endpoint does not support the user identity type provided." sounds like this. Please verify.

dagefjestad commented 2 years ago

Hi, yes, it sounds like this, but I tested the endpoint with UAExpert (client tool) with anonymous, and that works.

Is it possible to specify explicitly that I want Basic256 and Sign&Encrypt for messages?

Thanks

hansgschossmann commented 2 years ago

@dagefjestad just to be sure: you are using OPC Publisher 2.8.2? cc: @cristipogacean

dagefjestad commented 2 years ago

Yes, I use the latest. I got somewhat further in the negotiation process by adding the certificate Subject as a UserName. The server side gave me a certificate to use for OPC Publisher. The key length of the certificate is 1024. Now I get this problem:

12:20:16 ERR Microsoft.Azure.IIoT.OpcUa.Protocol.Services.StackLogger] (Error) The key size (1024) in the certificate is less than the minimum provided (2048). Use certificate anyway?
[12:20:16 ERR Root] Error during module execution - restarting!

I tried to set the environment variable MinimumCertificateKeySize='1024' without any luck.

cristipogacean commented 2 years ago

Hello @dagefjestad,

Is it possible to specify explicit that I want Basic256 and Sign&Encrypt for messages?

Unfortunately, it is not possible to explicitly specify the security policy and security mode for an endpoint. The publisher automatically selects the highest available security policy & mode on the server side.

The MinimumCertificateKeySize refers to the peer certificates only. For the own application certificate the MinimumCertificateKeySize is hardcoded to 2048, therefore setting the environment variable is useless. Nevertheless, I think your problem has nothing to do with the publisher's autogenerated certificate. So trying to change it with an external cert will potentially make things even more difficult to debug, as you already see here:

12:20:16 ERR Microsoft.Azure.IIoT.OpcUa.Protocol.Services.StackLogger] (Error) The key size (1024) in the certificate is less than the minimum provided (2048). Use certificate anyway?
[12:20:16 ERR Root] Error during module execution - restarting!

I suggest you try the --aa argument on the publisher side, or AutoAcceptUntrustedCertificates=true as an environment variable. Next, on the server side, validate once more that the publisher certificate was not rejected.

Would it be possible to have a look in the server's logs and check if something bad is reported there?

I hope this helps to move you forward.

dagefjestad commented 2 years ago

Thanks for your feedback.

I have the following in pn.json:

"OpcAuthenticationMode": "UsernamePassword",
"OpcAuthenticationUsername": "Customer",
"OpcAuthenticationPassword": "",

I use --aa on my side. I accept everything :-)

The server side is used by many different clients, so they have limited possibilities for adjustments.

The situation now is that I get "BadSessionNotActivated" from them and they close the connection. According to them there is something wrong with my certificate because they get User=Anonymous.

hansgschossmann commented 2 years ago

The username/password and the application certificate are typically used for very different purposes:

At the beginning of the thread you stated you are using:

"EndpointUrl": "opc.tcp://someIPadr:62550/DataAccessServer",
"UseSecurity": true,
"OpcAuthenticationMode" : "Anonymous",

Now you have posted:

"OpcAuthenticationMode": "UsernamePassword",
"OpcAuthenticationUsername": "Customer",
"OpcAuthenticationPassword": "",

Is the latter what you need or the former? I think that if you are going for "UsernamePassword" you need to specify a value for the field OpcAuthenticationPassword.

dagefjestad commented 2 years ago

Thank you for the clarification about UserName.

When I don't have something in the UserName, the server responds with "Endpoint does not support the user identity type provided" very early in the negotiation. I asked the server guy about the password; they don't use it. They say that UserName should not be set, but they can't explain why I get the identity type error, and why, when I do have some value, I get further in the negotiation before it stops with "BadSessionNotActivated"?!

I manage to connect to the server with UAExpert, but the strange thing here is that I get an error, "BadCertificateHostnameInvalid", during the connection phase; I choose ignore to continue.

Is there any connection between fields in the certificate and the identity (user) or username? I have set Application Name equal to the Common Name in the certificate: "Customer".

The server is based on the Softing OPC/UA SDK.

hansgschossmann commented 2 years ago

The "BadCertificateHostnameInvalid" message is fine to ignore and not concerning. It has to do with the SubjectName in the certificate not matching the actual hostname in the endpoint URL you use to connect.

Do you use any username/password when connecting with UA Expert or do you use no authentication (means anonymous)?

dagefjestad commented 2 years ago

No, I don't use any username there. I just set:
• Security policy: Basic256
• Message Security Mode: Sign & Encrypt

hansgschossmann commented 2 years ago

Got it. With "UseSecurity": true, we choose the best security policy/security mode combination supported by OPC Publisher and the server. Basic256/Sign & Encrypt might not be the most secure one; there might be a more secure one. You should see all the combinations supported by the server in UA Expert. Can you try to connect to the most secure one using anonymous?
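A constructed illustration, added here and not OPC Publisher's own code, of the selection rule cristipogacean and hansgschossmann describe above, and of why the first post's "Endpoint does not support the user identity type provided" can appear even though UAExpert connects anonymously: the strongest endpoint wins, and only that winner is checked for the identity type. The Endpoint model, the auth-mode-to-token mapping and the sample endpoint list are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed, simplified model of an OPC UA EndpointDescription: only the
# fields that matter for the selection behaviour discussed in this thread.
@dataclass(frozen=True)
class Endpoint:
    url: str
    policy: str                   # short policy name, e.g. "Basic256"
    mode: str                     # "None", "Sign" or "SignAndEncrypt"
    security_level: int           # server-assigned ranking, higher = stronger
    token_types: Tuple[str, ...]  # UserTokenType names the endpoint accepts

MODE_RANK = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}
# pn.json OpcAuthenticationMode -> OPC UA UserTokenType name (assumed mapping)
TOKEN_FOR_AUTH_MODE = {"Anonymous": "Anonymous", "UsernamePassword": "UserName"}
NO_IDENTITY = "Endpoint does not support the user identity type provided."

def select_endpoint(endpoints, use_security: bool, auth_mode: str):
    """Return (chosen endpoint, error or None).

    Models the rule from the replies above: with UseSecurity the strongest
    endpoint wins (security_level, then mode rank) and the identity token
    type is only checked against that winner. An endpoint UAExpert happily
    used with Anonymous can thus be skipped for a stronger one that rejects it."""
    pool = [e for e in endpoints if (e.mode != "None") == use_security]
    if not pool:
        return None, "no endpoint matches UseSecurity=%s" % use_security
    best = max(pool, key=lambda e: (e.security_level, MODE_RANK[e.mode]))
    if TOKEN_FOR_AUTH_MODE[auth_mode] not in best.token_types:
        return best, NO_IDENTITY
    return best, None

def endpoints_accepting(endpoints, auth_mode: str):
    """Which secured endpoints would accept this identity type at all? Handy
    when the server owner says 'anonymous works' and the publisher says no."""
    token = TOKEN_FOR_AUTH_MODE[auth_mode]
    return [e for e in endpoints if e.mode != "None" and token in e.token_types]

# Constructed sample: what a GetEndpoints call on such a server might return.
SAMPLE_URL = "opc.tcp://someIPadr:62550/DataAccessServer"
SAMPLE_ENDPOINTS = (
    Endpoint(SAMPLE_URL, "None", "None", 0, ("Anonymous", "UserName")),
    Endpoint(SAMPLE_URL, "Basic256", "SignAndEncrypt", 3, ("Anonymous", "UserName")),
    Endpoint(SAMPLE_URL, "Basic256Sha256", "SignAndEncrypt", 5, ("UserName",)),
)
```

With the sample server, `select_endpoint(SAMPLE_ENDPOINTS, True, "Anonymous")` lands on the Basic256Sha256 endpoint and reports the identity error, while `endpoints_accepting` shows that only the Basic256 endpoint (the one UAExpert was pointed at) accepts Anonymous.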

dagefjestad commented 2 years ago

I think the problem is that the server is failing in the negotiation. It is a "home made" server based on the Softing SDK. I have sent a mail to the other party and asked them for a meeting with someone who knows the server software.

When I try to establish a connection, the server responds after the start of the negotiation with: "Endpoint does not support the user identity type provided". To get past this I changed OpcAuthenticationMode from Anonymous to UsernamePassword. When I do this the negotiation process goes OK, but in the end the server responds "BadSessionNotActivated".

hansgschossmann commented 2 years ago

Please let us know when you have more details.

hansgschossmann commented 2 years ago

Closing because of no activity.

@dagefjestad please reopen if more help is needed.