mikakaraila / node-red-contrib-opcua

A Node-RED node to communicate OPC UA. Uses node-opcua library.

Unable to securely connect to an Ignition OPC UA server #561

Open jfaigan opened 1 year ago

jfaigan commented 1 year ago

I am trying to use the OPC UA Client node to connect to an Ignition OPC UA server.

I see the Ignition certificate in the trusted folder of the contrib-opcua.

I accepted the node-red certificate in the Ignition server.

I am receiving the following error:

```
12:56:12.917Z :client_base_impl :502 Inner create secure channel has failed ClientTCP_transport4: socket has been disconnected by third party
2 Jun 08:56:12 - [warn] [OpcUa-Client:ee3e5f5ab7f8fe63] OpcUaClientNode: Case A: Endpoint does not contain, 1==None 2==Sign 3==Sign&Encrypt, using securityMode: [3]
2 Jun 08:56:12 - [warn] [OpcUa-Client:ee3e5f5ab7f8fe63] OpcUaClientNode: using securityPolicy: ["http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"]
2 Jun 08:56:12 - [warn] [OpcUa-Client:ee3e5f5ab7f8fe63] OpcUaClientNode: Case B: UserName & password does not match to server (needed by Sign), check username: opcuauser and password: XXX
2 Jun 08:56:12 - [warn] [OpcUa-Client:ee3e5f5ab7f8fe63] OpcUaClientNode: Invalid endpoint parameters:
2 Jun 08:56:12 - [error] [OpcUa-Client:ee3e5f5ab7f8fe63] Invalid endpoint
```

I am trying to connect with Basic256Sha256 and Sign&Encrypt.

Is there a known issue of connecting to an Ignition OPC UA server? I do not understand why this is not working.

I am using HighByte on the same machine where node-red is installed, and HighByte can connect to the Ignition server with the same configuration that is provided to contrb-opcua.

Any help would be appreciated!
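Added example, not code from the issue thread, node-red-contrib-opcua or node-opcua: a small check that models the "Case A" (securityMode/securityPolicy) and "Case B" (user identity token) tests named in the warning lines above, run against a constructed endpoint list shaped like the OPC UA EndpointDescription records a GetEndpoints call returns. The field names, the simplified string `tokenType`, and the placeholder host are assumptions.

```javascript
// Added example (not from node-red-contrib-opcua or node-opcua): locate the
// mismatch between what the client asks for and what the server advertises,
// which is what the "Case A" / "Case B" warnings above are hinting at.

// MessageSecurityMode numbering as printed in the log: 1==None 2==Sign 3==Sign&Encrypt
const MessageSecurityMode = { None: 1, Sign: 2, SignAndEncrypt: 3 };
const MODE_NAME = Object.fromEntries(
  Object.entries(MessageSecurityMode).map(([name, value]) => [value, name]));

const POLICY_BASE = 'http://opcfoundation.org/UA/SecurityPolicy#';

// endpoints: array shaped like OPC UA EndpointDescription (field names are an
// assumption; tokenType is simplified to a string instead of the UserTokenType enum).
function checkEndpoint(endpoints, wantedMode, wantedPolicy, wantedTokenType) {
  const wantedPolicyUri = POLICY_BASE + wantedPolicy;
  // Case A: does any endpoint offer exactly this mode + policy pair?
  const candidates = endpoints.filter(
    (e) => e.securityMode === wantedMode && e.securityPolicyUri === wantedPolicyUri);
  if (candidates.length === 0) {
    return {
      ok: false,
      caseA: `Endpoint does not contain securityMode ${wantedMode} (${MODE_NAME[wantedMode]}) with ${wantedPolicy}`,
      // What the server does offer, to compare against the server-side configuration
      offered: endpoints.map((e) => `${MODE_NAME[e.securityMode]}/${e.securityPolicyUri.slice(POLICY_BASE.length)}`),
    };
  }
  // Case B: does the matching endpoint accept the identity token the client will send?
  const tokenOk = candidates.some((e) => e.userIdentityTokens.some((t) => t.tokenType === wantedTokenType));
  if (!tokenOk) {
    const accepted = candidates.flatMap((e) => e.userIdentityTokens.map((t) => t.tokenType));
    return { ok: false, caseB: `Server endpoint does not accept ${wantedTokenType} tokens`, accepted };
  }
  return { ok: true, endpointUrl: candidates[0].endpointUrl };
}

// Constructed sample: a server that advertises None and Sign, but no Sign&Encrypt.
const sampleEndpoints = [
  { endpointUrl: 'opc.tcp://host-placeholder:4840', securityMode: 1,
    securityPolicyUri: POLICY_BASE + 'None', userIdentityTokens: [{ tokenType: 'Anonymous' }] },
  { endpointUrl: 'opc.tcp://host-placeholder:4840', securityMode: 2,
    securityPolicyUri: POLICY_BASE + 'Basic256Sha256', userIdentityTokens: [{ tokenType: 'UserName' }] },
];

// What the client in the log asked for: Sign&Encrypt + Basic256Sha256 + username/password.
const result = checkEndpoint(sampleEndpoints, MessageSecurityMode.SignAndEncrypt, 'Basic256Sha256', 'UserName');
console.log(JSON.stringify(result, null, 2));
```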

mikakaraila commented 1 year ago

Check firewall on both sides, port should be open in & out!

Or openssl is not available/installed, with Linux permissions & Windows search path.

jfaigan commented 1 year ago

Thank you for the quick reply.

I checked the firewall and the port was open for in and out.

I added the path to openssl into the Windows environment Path variable.

Unfortunately, this did not make any difference.

I turned off the firewall on both servers, and unfortunately, this also did not make any difference.

As a test, I adjusted the security policy in the Ignition OPC UA so that it was set to None; I allowed Anonymous access and then retested connecting the contrib-opcua to the Ignition OPC UA and this time it worked. So I know there is communication between the two servers; however, it is the secure communication that is the problem.

I am attaching a text file that has some more verbose debug info from node-red. Hopefully this will be of use to you. secureOutput.txt

I am also attaching screenshots of the various item configurations.

Thank you very much.

Screenshots attached: ignition opc ua server config, ignition trusted certs, node-red trusted certs, opc ua client config, opc ua client endpoint config.
![opc ua client endpoint config](https://github.com/mikakaraila/node-red-contrib-opcua/assets/14929031/da43d558-1255-4d7d-8ebd-25897ae6b4fa)

mikakaraila commented 1 year ago

1) Remove spaces from the endpoint hostname first.
2) Check trusted folder: `C:\Users\USERNAME\AppData\Roaming\node-red-opcua-nodejs\Config\PKI\trusted\certs` and rejected: `C:\Users\USERNAME\AppData\Roaming\node-red-opcua-nodejs\Config\PKI\rejected`
3) Check that you have accepted port in/out at Azure network setting and also on host machine firewall.

jfaigan commented 1 year ago

Ok, thank you for your feedback.

  1. There are no spaces. The images were redacted for privacy and security. The missing info is the name of the server.
  2. An image for the Trusted/Certs folder has been provided previously; certificates are present. The Rejected folder is empty (screenshot attached).
  3. As previously mentioned, this was not working even with the Firewall disabled. The inbound and outbound rules on the opc-ua server are set up in the firewall (screenshots attached). The Azure Inbound rule previously existed. I have added the Outbound rule (screenshots attached).

With all these, I am still getting the same error as previously provided.

Your assistance is greatly appreciated!

mikakaraila commented 1 year ago

Have you white listed node-opcua client at Ignition? If it needs similar white listing as KepServer...

jfaigan commented 1 year ago

I am not sure about the white listing.

I know that node-opcua works when I turn off the security in Ignition.

As a test, I adjusted the security policy in the Ignition OPC UA so that it was set to None; I allowed Anonymous access and then retested connecting the contrib-opcua to the Ignition OPC UA and this time it worked. So I know there is communication between the two servers; however, it is the secure communication that is the problem.

mikakaraila commented 1 year ago

Then the error is in the certificate verification; most probably, when node-opcua installs node-opcua-pki & node-opcua-crypto, it has failed to install openssl. Try to uninstall/install node-opcua to see if some error appears.

jfaigan commented 1 year ago

I removed all flows that use contrib-opcua. I disabled all nodes for contrib-opcua.

I ran npm uninstall -g node-red-contrib-opcua

I manually deleted the folder under Roaming. I removed the Trusted cert from Ignition.

I ran npm install -g node-red-contrib-opcua

I enabled the nodes in node-red

I created a new flow and configured the OPC Client connection.

I trusted the certificate in Ignition. I see the Ignition cert in the Roaming folder.

I am getting the same error.

I did not see any mention of installation of any sub-package when installing the contrib-opcua (screenshot attached).

mikakaraila commented 1 year ago

Hmm, I was expecting that you use installation from the palette manager. It makes it a bit different way... Uninstall and install again using node-red palette manager, please.

jfaigan commented 1 year ago

Here is what was written to the log. I removed it via npm and did the clean up. I reinstalled via the palette manager. (screenshot attached)

Unfortunately, I still have the same problem.

mikakaraila commented 1 year ago

Turn on debug log level from the settings.js to see more on console.

jfaigan commented 1 year ago

Ok. I turned on debug level logging.

Here is the result when executing (screenshot attached):

I've redacted the server names for security and privacy.

Do you want me to try uninstalling and reinstalling with the increased debug level?

Also, I noticed this in the console when node-red starts up. Not sure if it is pertinent. (screenshot attached)

mikakaraila commented 1 year ago

1) Have you tested with UaExpert different certificates? Just to ensure server will accept them. Socket is closed by server according to the debug output.
2) Node-red uses nodejs crypto, not openssl. Etienne has in the roadmap that node-opcua will use nodejs, not openssl anymore, in future.

New version is now available without openssl: https://github.com/node-opcua/node-opcua/releases

I have to test it and update into the package.json (you can of course test it immediately)

mikakaraila commented 1 year ago

Please retest with the latest version.

jfaigan commented 1 year ago

Hi Mika,

Sorry about the delay in responding.

Unfortunately, I am still receiving the same error.

Please let me know if you need any screenshots.

Regards, Joel

mikakaraila commented 1 year ago

REMOVE ME should be checked by @Etienne Rossignon

It is from node-opcua internal message.


jfaigan commented 1 year ago

Ok, thank you.

@erossignon Please let me know if you need any information.

Regards, Joel

erossignon commented 1 year ago

@jfaigan, this will require an investigation: one way would be to grant us access to the Ignition server, so we can test the connection with node-opcua. Alternatively, we could organize a video conf with a Sterfive expert: book a slot

jfaigan commented 1 year ago

Hi @erossignon, thanks for the reply. I think a video conf would probably be best; however, is there a 350 Euro cost to that? (screenshot attached)

erossignon commented 1 year ago

Maybe your company is already in business with Sterfive (the company behind node-opcua) and already benefits from the node-opcua support membership. In this case the fee would not apply.

This one-off cost is for a focused session with a Sterfive specialist, who will tackle your issue directly. This is not just support, but an in-depth, personalized service. The fee is essential for us to keep our open-source technology advancing and available to all.

jfaigan commented 1 year ago

Hi @erossignon, unfortunately we are currently only in proof of concept and there is no budget allocated for this at this point in time.

Thank you for all your assistance but I guess we will need to investigate an alternate solution.

Regards, Joel

mikakaraila commented 1 year ago

@erossignon did you check this console error message? (screenshot attached)

Could this be related to transport settings?

erossignon commented 1 year ago

@mikakaraila, sure I have. It could be anything, including transport settings; only deeper investigation with a live server will tell. I also have no time to investigate on my free time right now.