How can I configure OPC UA Server to use Username & Password?
How can I configure OPC UA Server to use Certificate? I need some sample code to Login with certificate In C#
Anonymous Login for OPC UA Server is working and able to create a session but can have alternative Login using certification authorization In C#
Related
OPC UA allows for using different certificates and private keys for establishing the secure channel and for creating the session, i.e. authenticating the client.
I'm creating a client to connect to an OPC UA server and I'm trying to keep thins as simple as possible, therefore I'm considering allowing to set just a certificate and private key, and if certificate authentication is desired then re-use that very cert. and private key.
Is this a safe assumption or are there real world reasons not to couple the secure channel and the session to the same certificate?
That's how the applications usually do it, when using UA TCP transport protocol, so yes.
With HTTPS transport, you will need a separate certificate for transport and authentication. But HTTPS is optional.
In an Android client that I wrote, in the settings, the user can choose the common name of both certificates and they are automatically created
That helps the server administrator to identify who the connection attempt corresponds to, although if the user puts the same name for both then the same cert is used for the secure channel and session.
I’ve written an OPC UA Client and i’m using ProSys OPC UA Simulator Server to test it. Running in Anonymous mode my client connects and i can browse the server. however when I configure my client to use a Username and Password it fails with No Suitable UserTokenPolicy found for the possible endPoints. I’ve debugged it and it appears that http://opcfoundation.org/UA/Se…..olicy#None is not in the endpoints userIdentityTokens array, although in ProSys it states it is.
I’ve set up a user in The OPC UA Simulator Username & Passord box is ticked
Security Modes = None
Security Policies = None are ticked
The list of server EndPoints
Security Mode = None
Security Policy = None
So i would expect to see it in userIdentityTokens array.
My Client is written using the Open62541 libraries
Any help would be appreciated.
Thanks
I haven't used the Open62541 libraries, but it seems the standard allows the OPC server to require that the username and password are encrypted even when the rest of the transport is not signed or encrypted.
It appears that at some point in time (and maybe still), Open62541 doesn't handle encrypting the password. Here are a couple of related github issues:
https://github.com/open62541/open62541/issues/934
https://github.com/open62541/open62541/issues/1548
https://github.com/open62541/open62541/issues/2757
I am working on a node.js OPC UA client based on the node-opcua library, and I was able to verify that I can connect to the ProSys OPC-UA simulation server with the security mode set to none and user authentication set to username & password. I do not know what type of password encryption node-opcua is doing behind the scenes, but it works.
----- Additional info -------
I found another forum with some clarification: https://forum.prosysopc.com/forum/opc-ua/clarification-on-opensecurechannel-messages-and-x509identitytoken-specifications/
The key part:
If passwords are sent, they will be encrypted as defined by the
UserTokenPolicy (which is separate from SecurityPolicy, but similar).
The Application Instance Certificates will be used for the encryption
in this case – and therefore they are required to be exchanged even
when MessageSecurityMode=None.
Im running node-red OPC-UA Client on my Raspberry pi 4 and OPC-UA server on Omron PLC NJ501-1400. Running without any security policy. But my client cannot connect to server, on debugbar it pops this message.
OPC UA connection error: The connection has been rejected by server,
Please check that client certificate is trusted by server.
Err = (connect ENETUNREACH 10.xxx.xxx.x:4840)
Any idea how to handle certificates. Or do I have something wrong with server settings?
I think you might need to add the Certificate of your OPC UA Client in the OPC UA Server's Trusted List of OPC UA Client
In the NJ-series, it is necessary to register the client certificate in the CPU Unit by
the Sysmac Studio
Source: Omron NJ Series Manual
What is the User Token Type in OPC UA? Why is this important, how do I know the User Token Type from the server, and add this in client to connect to the server?
I will answer your question in two parts.
Part 1:
What is the User Token Type in OPC UA? Why is this important?
Part 2:
How do I know the User Token Type from the server, and add this in
client to connect to the server?
Part 1: This comes under the topic of user authentication, i.e. when a user is trying to connect from an OPC UA Client to an OPC UA Server, the OPC UA server needs to confirm the identity of the user before allowing the connection from the OPC UA client.
There are four ways in which user authentication is specified in OPC UA and ‘UserTokenType’ is an enumeration specified with the values 0, 1, 2 and 3 for those four ways:
Anonymous
Connect without any credentials – can be useful during developer test/debug sessions
Should not to be used for deployments in the field
UserIdentityToken used is ‘AnonymousIdentityToken’
UserName
Username and password
The password may be encrypted by the client depending on the UserTokenPolicy used
UserIdentityToken used is ‘UserNameIdentityToken’
Certificate
X.509 v3 certificate
The certificate can include a signature depending on the UserTokenPolicy used
UserIdentityToken used is ‘X509IdentityToken’
IssuedToken
Text or binary token issued by an external authorization service
The token data may be encrypted by the client depending on the UserTokenPolicy used
UserIdentityToken used is ‘IssuedIdentityToken’
Part 2:
This wireshark trace contains the sequence of GetEndpointsRequest/GetEndpointsResponse between an OPC UA client and an OPC UA server. As you can see, the getEndpointResponse packet provides information on userTokens supported by the server. Specifically in this image, you can see that 'Anonymous' and 'UserName' are supported in a sample implementation.
Here you can see a list of some open source OPC UA stacks that also provide related sample application code that you can try out:
open62541 – https://open62541.org/certified-sdk.html – C stack | Mozilla License | Embedded ready | TSN ready
NodeOPCUA – https://node-opcua.github.io/ – NodeJS | MIT License | Cloud ready
FreeOpcUa – https://github.com/FreeOpcUa/freeopcua – C++ | LGPL-3.0 License | Python bindings
UA .NET stack – https://github.com/OPCFoundation/UA-.NETStandard – RCL License for corporate members of OPC Foundation & GPL 2.0 for others | Standard profile | Web oriented implementation
If you are looking for more hands-on information, you can check out these resources
Free documentation: You can look at the open source documentation page: https://open62541.org/doc/current/
Paid online course: Practical introduction to OPC UA – code walk-through and examples in this course use the open62541 stack: https://opcfoundation.org/products/view/practical-introduction-to-opc-ua-part-i
UserTokenType enumerates various authentication mechanisms (anonymous, username/password, x509, etc...)
Each endpoint you get from a server contains an array of UserTokenPolicy describing an authentication mechanism supported by that endpoint.
I'm new to OPC UA and I want to create a server that requires username and password in order to authenticate user, how is that possible in Milo OPC ?
This is covered by the example server: https://github.com/eclipse/milo/blob/master/milo-examples/server-examples/src/main/java/org/eclipse/milo/examples/server/ExampleServer.java
Create a UsernameIdentityValidator and set it on the config builder.