Connecting UaExpert to UaAnsiCServer with cert based auth

Questions regarding the use of the UaExpert.

jannpoppinga
Jr. Member
Posts: 3
Joined: 27 Oct 2014, 09:39

Connecting UaExpert to UaAnsiCServer with cert based auth

Post by jannpoppinga »

Hi all,

I'm trying to connect UaExpert to the UaAnsiCServer with certificate based authentication. However, I get a BadIdentityTokenRejected error in UaExpert.

Please find the details below. My questions:
1. How do I get the server to log more? I have trouble really analysing the problem.
2. How can I double-check whether .der and .pem file match?
3. And of course: How do I make it work?
Edit: 4. How do I generate a matching key-pair that works with UaExpert and the UaAnsiCServer?

Server properties/settings in UaExpert
Security Policy: None
Message Security Mode: None
Authentication Settings: Certificate/Private key with a .der/.pem key-pair the certificate of which is also in {ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/trusted/certs

UaExpert's log of trying to connect
(I edited the endpoint's URI)

Found endpoint 'opc.tcp://XYZ:48020'
Found security policy 'http://opcfoundation.org/UA/SecurityPolicy#None'
ApplicationUri: 'urn:bremlapjpoppi.matone.materialise:UnifiedAutomation:UaServerC'
The server returned no certificate, all certificate checks will be skipped.
Connecting failed with error 'BadIdentityTokenRejected'

Server's settings.ini
# ANSI C Demo Server Configuration File

[General]
# Maximum number of nodes per provider supported by the server.
MaxProviderNodes = 3000
# Maximum number of references to return in a Browse/BrowseNext response.
MaxReferencesToReturn = 10000
# Maximum number of sessions (0 -> unlimited).
MaxSessions = 50
# Maximum number of subscriptions per session.
MaxSubscriptionsPerSession = 20
# Maximum number of publish requests per session.
MaxPublishPerSession = 10
# Maximum number of continuation points per session.
MaxContinuationPointsPerSession = 5
# Maximum number of continuation points per session for Query services.
MaxQueryContinuationPointsPerSession = 5
# Maximum number of continuation points per session for ReadHistory services.
MaxHistoryContinuationPointsPerSession = 5
# The minimum supported publishing interval.
MinPublishingInterval = 50
# The maximum supported publishing interval.
MaxPublishingInterval = 3600000
# The minimum supported KeepAliveInterval for subscriptions.
MinKeepAliveInterval = 500
# The maximum supported KeepAliveInterval for subscriptions.
MaxKeepAliveInterval = 30000
# The minimum supported Lifetime for subscriptions.
MinLifetimeInterval = 1500
# The maximum supported Lifetime for subscriptions.
MaxLifetimeInterval = 90000
# Maximum number of monitored items per subscription.
MaxMonitoredItemsPerSubscription = 1000
# Maximum queue size for monitored items.
MaxMonitoredItemsQueueSize = 10000
# Maximum number of monitored items for the subscription containing the data logger nodes.
MaxDataLoggerSubscriptionItems = 1000
# Publishing interval of the subscription containing the data logger nodes.
DataLoggerSubscriptionPublishingInterval = 500

[Endpoints]
Endpoints/size = 1
# Endpoint URL to listen on; [gethostname] gets replaced with the local hostname
Endpoints/0/EndpointURL = opc.tcp://[gethostname]:48020
# Optional URL that allows defining a specific address the stack should use to bind to.
# Can be used to bind the endpoint to a specific network card or to localhost only.
# [gethostname] gets replaced with the local hostname
Endpoints/0/BindURL = opc.tcp://[gethostname]:48020
# SecurityPolicies the endpoint shall offer (comma separated list of sections)
Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic128Rsa15, SecurityPolicy_Basic256
# UserTokenPolicies the endpoint shall offer (comma separated list of sections)
Endpoints/0/UserTokenPolicies = Anonymous, UserName_128, Certificate_128
# The PKI store section this endpoint shall use
# This example settings file provides two stores, PKIStore_OpenSSL and PKIStore_None
#Endpoints/0/PKIStore = PKIStore_OpenSSL
Endpoints/0/PKIStore = PKIStore_None
# This option can be activated if certificates are used only for message security but not for application authentication.
# If set to true, all client certificates will be accepted automatically and they are not stored.
# It is strongly recommended to use this option only together with user authentication.
Endpoints/0/TrustAllClientCertificates = true

# Uncomment the next settings (Endpoints/1/...) and set Endpoints/size to 2 to enable the HTTPS based profiles.
# This profile works but is not officially supported in this version of the SDK.
# This is the HTTP based protocol that will be supported by embedded devices.
# The HTTPS profile is not completely tested, so you use it at your own risk.
# Additionally, you have to recompile the SDK with the following options set to 'ON':
# TLS : UASTACK_WITH_TLS
# HTTPS : UASTACK_WITH_HTTPS

#Endpoints/1/EndpointURL = https://[gethostname]:48021
#Endpoints/1/BindURL = https://[gethostname]:48021
#Endpoints/1/SecurityPolicies = SecurityPolicy_None
#Endpoints/1/UserTokenPolicies = Anonymous
#Endpoints/1/PKIStore = PKIStore_OpenSSL
#Endpoints/1/TrustAllClientCertificates = false

[SecurityPolicy_None]
Url = http://opcfoundation.org/UA/SecurityPolicy#None
MessageSecurity = None

[SecurityPolicy_Basic128Rsa15]
Url = http://opcfoundation.org/UA/SecurityPol ... ic128Rsa15
MessageSecurity = Sign, SignAndEncrypt

[SecurityPolicy_Basic256]
Url = http://opcfoundation.org/UA/SecurityPolicy#Basic256
MessageSecurity = Sign, SignAndEncrypt

[Anonymous]
PolicyId = Anonymous_Token
TokenType = Anonymous

[UserName_128]
PolicyId = UserName_128_Token
TokenType = UserName
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPol ... ic128Rsa15

[Certificate_128]
PolicyId = Certificate_128_Token
TokenType = Certificate
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPol ... ic128Rsa15

[PKIStore_OpenSSL]
# The PKI provider to use. OpenSSL is available on all platforms
PkiType = OpenSSL
# Server Certificate: Path to a PEM or DER encoded certificate file.
CertificateFile = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/own/uaservercert.der
# Server Private Key: Path to a PEM encoded private key file. This should not be password protected
# so that the server can start unattended. With a password protected file the server will need to prompt the user to
# input the password to unlock the file, which is not possible when running as a service.
CertificateKeyFile = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/own/uaserverkey.nopass.pem
# Path to trusted certificates. This includes trusted CA certificates as well as self-signed certificates.
TrustListPath = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/trusted/certs
# This is the directory where the server stores certificate revocation lists.
# By default this directory contains no CRLs.
CRLPath = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/trusted/crl
# Path to untrusted CA certificates. These certificates are only used to build a complete certificate chain.
IssuerTrustListPath = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/issuers/certs
# Path to certificate revocation lists for the untrusted CA certificates in IssuerTrustListPath.
IssuerCRLPath = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/issuers/crl
# Optional comma separated list of PKI store specific flags, depending on the PkiType following values are possible:
# PkiType = OpenSSL: OPENSSL_CHECK_REVOCATION_STATUS, OPENSSL_SET_DEFAULT_PATHS
#Flags =

# Enable server certificate creation if certificate is not available
GenerateCertificate = true
# Name of the application - [ApplicationName] is the default value to use the configured ApplicationName
CommonName = [ApplicationName]
# Name of the organization using the OPC UA server
Organization = Unified Automation GmbH
# Name of the organization unit using the OPC UA server
OrganizationUnit =
# Name of the location where the OPC UA server is running
Locality = Nuremberg
# State where the OPC UA server is running
State = Bavaria
# Two letter code for country where the OPC UA server is running e.g. DE or US
Country = DE
# The number of years the certificate is valid for. The maximum accepted number is 20
# but it is strongly recommended to use a shorter time.
YearsValidFor = 5
# Key length of the certificate to create. Valid values are 1024 and 2048 bits
KeyLength = 2048

[PKIStore_None]
# Example PKI provider for disabled security
PkiType = None

[PKI]
# RejectedPath: Path where rejected certificates will be stored.
RejectedPath = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/rejected
# Maximum number of rejected certificates. This prevents malicious programs from filling up available disk space by
# calling OpenSecureChannel with different certificates.
MaxRejectedCertificates = 50
# All groups containing PKI store settings (comma separated list of groups)
PKIStores = PKIStore_OpenSSL

[Discovery]
# Enables registration at the local discovery server: true (=default), false
Register = false
DiscoveryURL = opc.tcp://localhost:4840/UADiscovery/discovery
DiscoveryInterval = 30000

[Authentication]
# file path to passwd file
PasswdFilePath = passwd
# file path to group file
GroupFilePath = group
# The folder containing accepted user certificates for X509 authentication tokens.
UserCertsDir = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/trusted/certs
#UserCertsDir = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/auth_pki/certs
# The folder containing certificate revocation lists for X509 authentication tokens.
UserCrlDir = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/auth_pki/crl
# The folder containing issuer certificates for X509 authentication tokens.
#UserIssuerCertsDir = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/auth_pki/cacerts
UserIssuerCertsDir = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/pki/trusted/certs
# The folder containing issuer revocation lists for X509 authentication tokens.
UserIssuerCrlDir = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/auth_pki/cacrl

[DemoProvider]
# Start logging on startup
StartLogging = true
# Folder to contain the logged data
DataLoggerPath = $ENV{ALLUSERSPROFILE}/UnifiedAutomation/UaAnsiCServer/historian

jannpoppinga
Jr. Member
Posts: 3
Joined: 27 Oct 2014, 09:39

Update: Connecting UaExpert to UaAnsiCServer w/ cert based a

Post by jannpoppinga »

I think I found the answer to two of my above questions:
re 1: start the server from the command line, use parameter -ddd (for log level INFO)
re 2/4: UaExpert has a certificate manager. You can view UaExpert's own certificates and generate a new one.

So with these powers combined, I retried. And it failed again. This is the log of one connection attempt, with the part I think is crucial in bold:

|00000000| 2014-10-28T08:36:17.271Z OpcUa_TcpListener_ProcessHelloMessage: Transport connection from [::ffff:192.168.244.1]:54012 accepted on socket 1009F570!
|00000000| 2014-10-28T08:36:17.272Z OpcUa_TcpSecureChannel_GenerateSecurityToken: TOKEN ID is 89251994-1
|00000000| 2014-10-28T08:36:17.272Z ProcessOpenSecureChannelRequest: Open: Revised Lifetime of Channel 89251994 from 300000 to 600000 ms!
|00000000| 2014-10-28T08:36:17.272Z UaServer_EndpointEvent_Callback: SecureChannel 89251994 opened (a_uStatus=00000000)!
|00000000| 2014-10-28T08:36:17.272Z OpcUa_Endpoint_BeginProcessRequest: Service with RequestTypeId 426 called! (Request: GetEndpointsRequest)
|00000000| 2014-10-28T08:36:17.273Z UaServer_EndpointEvent_Callback: SecureChannel 89251994 closed!
|00000000| 2014-10-28T08:36:17.273Z OpcUa_TcpListener_ReadEventHandler: Closing network connection!
|00000000| 2014-10-28T08:36:17.273Z OpcUa_TcpListener_CloseConnection: Connection 00010000 is being closed with status 0x00000000
|00000000| 2014-10-28T08:36:17.285Z OpcUa_TcpListener_ProcessHelloMessage: Transport connection from [::ffff:192.168.244.1]:54013 accepted on socket 1009F570!
|00000000| 2014-10-28T08:36:17.286Z OpcUa_TcpSecureChannel_GenerateSecurityToken: TOKEN ID is 89251995-1
|00000000| 2014-10-28T08:36:17.286Z ProcessOpenSecureChannelRequest: Open: Revised Lifetime of Channel 89251995 from 3600000 to 3600000 ms!
|00000000| 2014-10-28T08:36:17.286Z UaServer_EndpointEvent_Callback: SecureChannel 89251995 opened (a_uStatus=00000000)!
|00000000| 2014-10-28T08:36:17.286Z OpcUa_Endpoint_BeginProcessRequest: Service with RequestTypeId 459 called! (Request: CreateSessionRequest)
|00000000| 2014-10-28T08:36:17.286Z OpcUa_Endpoint_BeginProcessRequest: Service with RequestTypeId 465 called! (Request: ActivateSessionRequest)
|00000000| 2014-10-28T08:36:17.286Z UaServer_SessionManager_BeginActivateSession: Wrong SignatureAlgorithm used in UserTokenSignature
|00000000| 2014-10-28T08:36:17.287Z OpcUa_Endpoint_BeginProcessRequest: Service with RequestTypeId 471 called! (Request: CloseSessionRequest)
|00000000| 2014-10-28T08:36:17.287Z UaServer_EndpointEvent_Callback: SecureChannel 89251995 closed!
|00000000| 2014-10-28T08:36:17.287Z OpcUa_TcpListener_ReadEventHandler: Closing network connection!
|00000000| 2014-10-28T08:36:17.287Z OpcUa_TcpListener_CloseConnection: Connection 00020000 is being closed with status 0x00000000

What can I do about that? The only option for key generation I can choose in UaExpert is the key length (1024/2048). I tried both options unsuccessfully.

Support Team
Hero Member
Posts: 3068
Joined: 18 Mar 2011, 15:09

Re: Connecting UaExpert to UaAnsiCServer with cert based aut

Post by Support Team »

Hello,

1. If the AnsiC DemoServer is used, start it with -d as command line argument, this increases the trace level. Each added 'd' increases the trace level (-ddd -> level INFO). The trace is being displayed on the console.

2. Use OpenSSL for checking your cert against the key; you will find many useful hints on Google.

3. - "The server returned no certificate, all certificate checks will be skipped."
Without the server sending a certificate the authorization won't work. This is because the line Endpoints/0/PKIStore = PKIStore_None disables security in the server. Set this to PKIStore_OpenSSL again; then the server will send a certificate to the client, which is needed for X509 tokens to work.

- The PKI store [PKIStore_OpenSSL] used by the server is NOT the one used for X509 token authorization
The settings in [Authentication] are used for that; set User*Dir accordingly in this section of the settings file. It is possible to set these folders to the same folders as in [PKIStore_OpenSSL], but then you are mixing application instance certificates and user certificates.

For more general information, please see http://documentation.unified-automation ... l_sec_X509

4. Simply use any X509 certificate and its key for authentication.


Best regards
Support Team
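The OpenSSL check referred to in point 2 (whether the .der certificate and the .pem key given to UaExpert belong together), written out as an added example that is not part of the thread or the UA SDK. It assumes an `openssl` binary on PATH; the file names are placeholders, and the comparison is of the SHA-256 digest of the public key carried in each file.

```shell
#!/bin/sh
# Added example: verify that a certificate (.der or .pem) and a PEM private key
# share the same public key, which is what UaExpert's X509 user token needs.
# Assumes 'openssl' on PATH; file names are placeholders chosen by the caller.
set -eu

# Digest of the SubjectPublicKeyInfo carried in the certificate.
# UaExpert stores certificates as .der, so the encoding is detected by content.
cert_pubkey_digest() {
    cert="$1"
    inform=PEM
    if ! grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null; then inform=DER; fi
    openssl x509 -inform "$inform" -in "$cert" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Digest of the public key derived from the private key (PKCS#1 or PKCS#8 PEM).
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Usage: cert_key_match CERT KEY ; returns 0 on match, 1 on mismatch.
cert_key_match() {
    c=$(cert_pubkey_digest "$1")
    k=$(key_pubkey_digest "$2")
    if [ "$c" = "$k" ]; then
        echo "MATCH: $1 and $2 carry the same public key ($c)"
        return 0
    fi
    echo "MISMATCH: certificate public key $c != key public key $k" >&2
    return 1
}
```

A mismatch here means the pair itself is wrong; a match with the server still reporting a rejected token points at the server-side settings (PKIStore, UserCertsDir) rather than at the key material.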

jannpoppinga
Jr. Member
Posts: 3
Joined: 27 Oct 2014, 09:39

Re: Connecting UaExpert to UaAnsiCServer with cert based aut

Post by jannpoppinga »

Hello,

thanks for the reply.

I changed the PKIStore, but I still get 'Wrong SignatureAlgorithm used in UserTokenSignature' in the server and 'BadIdentityTokenRequested' in the client.

mattfield
Jr. Member
Posts: 1
Joined: 09 Jun 2017, 09:31

Re: Connecting UaExpert to UaAnsiCServer with cert based aut

Post by mattfield »

I am having the same problem with UaExpert connecting to UaAnsiCServer Demo.

You say:
"Simply use any certificate and its key..."

I generated my certificate authority and signed a certificate using openssl (on linux).

When I try to load a PEM encoded certificate into UaExpert, I get "Could not load certificate for X509 user token from file".

So I try to load a .der encoded certificate. This loads ok, but when I try to load the key, the only files I can load are .pem files (my .key files do not appear in the file selection tool).

I have been trying for 3 days to get UaExpert to connect with UaAnsiCServer Demo; it works OK with anonymous or user, but I would love a simple step-by-step guide to connecting with X509 certificates.

Support Team
Hero Member
Posts: 3068
Joined: 18 Mar 2011, 15:09

Re: Connecting UaExpert to UaAnsiCServer with cert based aut

Post by Support Team »

Hello jannpoppinga,

with an unmodified installation of UaExpert 1.4.4 and AnsiC DemoServer 1.7.0, you need the following steps to connect with an X509 user token. For simplicity we use UaExpert's application instance certificate as authentication token, but every other X509 certificate could be used instead.
  • Create the folder C:\ProgramData\UnifiedAutomation\UaAnsiCServer\auth_pki\trusted\certs, this is the default UserIssuerCertsDir
  • Put UaExpert's certificate (C:\Users\<username>\AppData\Roaming\unifiedautomation\uaexpert\PKI\own\certs\uaexpert.der) into that folder
  • The AnsiC DemoServer has the authorization module enabled by default, so we need to have entries in the passwd and group files matching the certificate. For simplicity, we just replace every occurrence of 'sue' with the common name of the certificate in those two files (e.g. 'UaExpert@my-host-name')
  • Start the DemoServer
  • Start UaExpert and set UaExpert's certificate as user certificate in the 'Authentication Settings' box
You can also build the server without UASERVER_SUPPORT_AUTHORIZATION or set custom GetUserId/GetGroupId/GetUserGroups functions with UaServer_SetUserAuthenticationTypeEx, then you don't need the entries in the passwd and group files.

For more information, see http://documentation.unified-automation ... ation.html and http://documentation.unified-automation ... ation.html
Best regards
Unified Automation Support Team
