OPC-UA client certificate connection problem - raspberry-pi

I'm running node-red OPC-UA Client on my Raspberry Pi 4 and OPC-UA server on Omron PLC NJ501-1400. Running without any security policy. But my client cannot connect to server, on debugbar it pops this message.
OPC UA connection error: The connection has been rejected by server,
Please check that client certificate is trusted by server.
Err = (connect ENETUNREACH 10.xxx.xxx.x:4840)
Any idea how to handle certificates? Or do I have something wrong with server settings?

I think you might need to add the Certificate of your OPC UA Client in the OPC UA Server's Trusted List of OPC UA Client.
In the NJ-series, it is necessary to register the client certificate in the CPU Unit by the Sysmac Studio
Source: Omron NJ Series Manual
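
A triage helper for the error text in the question, as an added example that is not part of the original posts: it separates Node.js socket errno codes such as ENETUNREACH, which are raised before any OPC UA handshake or certificate exchange takes place, from OPC UA certificate status codes. The function and table names are hypothetical, and the second sample message is constructed.

```javascript
// Classify an OPC UA client connection error by the layer that raised it.
// Added example; classifyOpcUaError and the tables below are hypothetical names.

// Node.js socket errno codes: the TCP connection was never established,
// so no client certificate was ever presented to the server.
const NETWORK_ERRNOS = {
  ENETUNREACH: 'no route to the server network (check IP, netmask, gateway)',
  EHOSTUNREACH: 'host not reachable (check cabling and the PLC IP address)',
  ECONNREFUSED: 'host reachable but nothing listens on the port',
  ETIMEDOUT: 'no answer (firewall dropping traffic or wrong address)',
  ENOTFOUND: 'hostname does not resolve (DNS or typo in endpoint URL)',
};

// OPC UA status codes that mean the server rejected the client certificate.
const CERT_STATUS = /\bBad(SecurityChecksFailed|Certificate[A-Za-z]+)\b/;

function classifyOpcUaError(message) {
  // Collect every errno-looking token and keep the first one we know.
  const errno = (message.match(/\bE[A-Z]{4,}\b/g) || [])
    .find((code) => code in NETWORK_ERRNOS);
  if (errno) {
    // "connect <ERRNO> <host>:<port>" is how Node.js reports the target.
    const ep = message.match(/connect\s+E[A-Z]+\s+(\S+?):(\d+)/);
    return { layer: 'network', code: errno,
             port: ep ? Number(ep[2]) : null, hint: NETWORK_ERRNOS[errno] };
  }
  const status = message.match(CERT_STATUS);
  if (status) {
    return { layer: 'certificate', code: status[0], port: null,
             hint: 'add the client certificate to the server trust list' };
  }
  return { layer: 'unknown', code: null, port: null,
           hint: 'inspect the server log' };
}

// Error text from the question (address masked as in the post).
const fromQuestion =
  'OPC UA connection error: The connection has been rejected by server, ' +
  'Please check that client certificate is trusted by server. ' +
  'Err = (connect ENETUNREACH 10.xxx.xxx.x:4840)';
// Constructed sample of a certificate rejection.
const constructed = 'Err = (BadCertificateUntrusted)';

console.log(classifyOpcUaError(fromQuestion));
console.log(classifyOpcUaError(constructed));
```

For the message in the question the result is `layer: 'network'`, so routing between the Raspberry Pi and the PLC subnet is the first thing to verify; registering the client certificate only becomes relevant once the TCP connection to port 4840 succeeds.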

Related

OPC UA-Certificate Based Login

How can I configure OPC UA Server to use Username & Password?
How can I configure OPC UA Server to use Certificate? I need some sample code to Login with certificate in C#.
Anonymous Login for OPC UA Server is working and able to create a session but can have alternative Login using certification authorization in C#.

Does every UA Server come with discovery services?

What's the difference between a regular OPC UA server and a Discovery Server such as LDS? I know that they are both UA Servers but what's the difference between them? What I could figure out from reading the specification is that all servers have a discovery URL where you discover the server with no security and an endpoint URL which is the "real" URL that you use to make a connection to the server. However, I have trouble understanding the registerServer() and findServers() for the UA server vs the discovery server. It seems like they both do the same thing?
Yes, every server supports part of the Discovery Services, such as FindServers (locates server addresses) and GetEndpoints (lists available endpoints = security modes, in practice). But the normal server only provides information about itself.
The Local Discovery Server (LDS) also supports RegisterServer and can provide information of several servers (in the same computer or local network).

How to replicate mandatory requirement of server certificate on the REST API client system?

I am developing a desktop client application for an https-protocol based REST API provided by a third party.
I want to test the programmatic communication with the API when the server's certificate is not installed on my local computer. For this, I need to know how to make it mandatory to have the server's computer installed on my computer. Note: the certificate is not self signed, rather it is issued by a CA.
I want to test what errors enterprise users will get when my client application will make the API call to the SSL server in a highly secure enterprise environment where the IT policy is configured to mandatorily require installation of server's certificate on the client's local computer.
Is there such a configuration in Windows which makes it mandatory for server certificates installed on local computer, for any API communication? If yes, can someone guide me on the steps for Windows 10 Professional?

OPC UA: Using same certificate and private key for both secure channel and session

OPC UA allows for using different certificates and private keys for establishing the secure channel and for creating the session, i.e. authenticating the client.
I'm creating a client to connect to an OPC UA server and I'm trying to keep things as simple as possible, therefore I'm considering allowing to set just a certificate and private key, and if certificate authentication is desired then re-use that very cert. and private key.
Is this a safe assumption or are there real world reasons not to couple the secure channel and the session to the same certificate?
That's how the applications usually do it, when using UA TCP transport protocol, so yes.
With HTTPS transport, you will need a separate certificate for transport and authentication. But HTTPS is optional.
In an Android client that I wrote, in the settings, the user can choose the common name of both certificates and they are automatically created.
That helps the server administrator to identify who the connection attempt corresponds to, although if the user puts the same name for both then the same cert is used for the secure channel and session.

Connect to ejabberd server using a certificate

I want to connect to my ejabberd server from another machine using a certificate instead of a login/password. I've looked for authentication client-to-server with a certificate for ejabberd, but I couldn't find something helpful.
If anyone has any ideas how it can be done, I'm taking..
As of version 16.02, ejabberd Community Server does not yet support client cert authentication.
However, if your question is about communication encryption, you can indeed configure ejabberd with STARTTLS support to use TLS between client and server. A service like Let's Encrypt can provide such certificates for free: https://letsencrypt.org/