Which certificate for Endpoint (security mode and user token policy)?

Posted: 26 Oct 2021, 11:01
by farka01_uaexpert
There is an example about two endpoints:

Endpoint 1
  • Endpoint Url: opc.tcp://MyServer:4840
  • Security Policy: Basic256
  • Message Security Mode: Sign, SignAndEncrypt
  • User Token Type: username, X.509

Endpoint 2
  • Endpoint Url: opc.tcp://MyServer:4840
  • Security Policy: Basic256Sha256
  • Message Security Mode: Sign, SignAndEncrypt
  • User Token Type: username

My question please: for Security Policy and Message Security Mode, which certificate is it, the application certificate or the user certificate?

And the user token type with X.509 in Endpoint 2: is it the application certificate or specially only for a user certificate?

Re: Which certificate for Endpoint (security mode and user token policy)?

Posted: 26 Oct 2021, 16:17
by Support Team
Hi,

Application certificate and user certificate are two different certificates, and you should not mix them up.

OPC UA has defined multiple levels of security, on application level but also on user (authentication) level. The Message Security Mode belongs to the application certificate, enforcing either sign only or sign&encrypt on the messages sent over the secure channel. In addition thereto, the user authentication is used to decide which user is allowed to access data of which individual nodeID. You can use either username/pwd or user certificate, depending on the token type allowed/configured for the particular endpoint.

Re: Which certificate for Endpoint (security mode and user token policy)?

Posted: 27 Oct 2021, 12:05
by farka01_uaexpert
Thank you for the reply and your passion, I have understood what I am looking for.
But when security mode is None None and user token is anonymous,
the OPC UA client needs a certificate from the server!

Re: Which certificate for Endpoint (security mode and user token policy)?

Posted: 27 Oct 2021, 13:13
by Support Team
Hi,

If you have "None" on the channel, the certificate (if any) should be ignored (because your SecurityMode is "None"). However, for the UserToken "username" you would need to encrypt the pwd (do not transmit clear text pwds). In order to do so you need an "encryption algorithm", which the server must have told you in the endpoint description. And because of that you probably must have it and derive the algorithm from there.

However, the combination of "no security" on the channel and "anonymous" user is valid (security is completely turned off), but when having "no security" on the channel in combination with "username", you must have a policy (you should not transmit clear text pwd).
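To make the two rules from this thread checkable, here is an added example (not code from the thread, UaExpert or any OPC UA SDK) that models an endpoint description with its user token policies, reports which client certificates a session needs, and flags username token policies whose password would travel in clear text. The dataclasses, function names and the third sample endpoint are constructed for illustration; the policy URIs are the standard OPC UA ones.

```python
from dataclasses import dataclass

# Constructed model of an OPC UA EndpointDescription with its UserTokenPolicies
# (hypothetical helper, not UaExpert or SDK code). Field names follow Part 4.
NONE_URI = "http://opcfoundation.org/UA/SecurityPolicy#None"
BASIC256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256"
BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

@dataclass
class UserTokenPolicy:
    token_type: str                # "anonymous", "username" or "certificate"
    security_policy_uri: str = ""  # "" = inherit the endpoint's own policy

@dataclass
class Endpoint:
    url: str
    security_policy_uri: str
    security_mode: str             # "None", "Sign" or "SignAndEncrypt"
    user_token_policies: list

def certificates_needed(ep, token_type):
    """Client certificates required to open a session with this token type."""
    needed = set()
    if ep.security_mode != "None":
        needed.add("application")  # secure channel must be signed/encrypted
    if token_type == "certificate":
        needed.add("user")         # X.509 identity token carries a user cert
    return needed

def password_policy(ep, policy):
    """Policy the client must use to encrypt a username/password token."""
    return policy.security_policy_uri or ep.security_policy_uri

def cleartext_password_risks(ep):
    """Username token policies on an unsecured channel with no encryption."""
    return [p for p in ep.user_token_policies
            if p.token_type == "username"
            and ep.security_mode == "None"
            and password_policy(ep, p) == NONE_URI]

# Constructed sample: Endpoint 1 from the thread, plus an insecure and a fixed
# "None" channel endpoint (the latter two are not from the thread).
ENDPOINT_1 = Endpoint("opc.tcp://MyServer:4840", BASIC256, "SignAndEncrypt",
                      [UserTokenPolicy("username"), UserTokenPolicy("certificate")])
ENDPOINT_NONE_BAD = Endpoint("opc.tcp://MyServer:4840", NONE_URI, "None",
                             [UserTokenPolicy("anonymous"), UserTokenPolicy("username")])
ENDPOINT_NONE_OK = Endpoint("opc.tcp://MyServer:4840", NONE_URI, "None",
                            [UserTokenPolicy("username", BASIC256SHA256)])
```

`ENDPOINT_NONE_OK` shows the combination the support reply describes: no security on the channel, but a username token policy that carries its own SecurityPolicyUri so the password is still encrypted.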