eclipse milo opcua client connection to prosys server problems
Question
I am trying to connect to Prosys opcua simulation server using milo (0.4.2)
- I generated certificates/keys for user using openssl
- I generated certificate for application using given example from milo sdk and exported them as certificate file and unencrypted pkcs 8 pem file.
- I copied both certificates to prosys folders
/home/user/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs
/home/user/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs
I checked that in prosys ui both certificates appeared & look trusted
finally when I am making connection with auth mode as certificate and transport security as Sign (using all generated on step 1 keys & cerificates) then I run into rather funny exception inside of milo like
Exception in thread "main" java.util.concurrent.ExecutionException: UaException: status=Bad_SecurityChecksFailed, message=unknown securityAlgorithmUri: null
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1999)
at de.api.snippets.derReader.main(derReader.java:68)
Caused by: UaException: status=Bad_SecurityChecksFailed, message=unknown securityAlgorithmUri: null
at org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm.fromUri(SecurityAlgorithm.java:143)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$createSession$49(SessionFsmFactory.java:852)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory$$Lambda$2643/0000000000000000.apply(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(CompletableFuture.java:1072)
And I actually see that these fields come from prosys empty
Basically here I am stuck, as you can see from picture that I requested endpoint with security mode and receive in response I dunno what. I tried all available SecurityPolicy that milo provides but in all cases I ran into the same situation.
So first question is what must be specified in this securityAlgorithmUri and is anyway to point for prosys to fill it right ?
2 answers
solution1
0 2020-09-29 03:45:16
Best I can tell this is a bug in the Prosys stack or server.
It doesn't seem to occur when using the standard UA TCP transport, so give that a try instead of HTTPS.
solution2
0 2020-10-28 20:48:10
As a reminder: the issue with prosys really was due to usage of opc over https protocol to connect to server.
So after I switched to opc over tcp I managed to discover endpoints that made use of certificate to authenticate user and message level security sign&encrypt.
btw: if somebody will be in search of script to generate user certificate using opensssl here is a sample conf file:
openssl req -x509 -config openssl_cert.conf -extensions 'my server exts' -nodes \
-days 365 -newkey rsa:2048 -keyout user.key -out user.crt
and file content:
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
# The bare minimum is probably a commonName
commonName = user
countryName = DE
localityName = DE
organizationName = comp
organizationalUnitName = comp Dept.
stateOrProvinceName = DE
emailAddress = user@example.com
name = user
surname = user
givenName = user
initials = uu
dnQualifier = some
[ my server exts ]
extendedKeyUsage = clientAuth, codeSigning
keyUsage = digitalSignature, keyAgreement, keyEncipherment, nonRepudiation, dataEncipherment, keyCertSign
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.