Which certificate for Endpoint (security mode and user token policy)?

farka01_uaexpert
Jr. Member
Posts: 2
Joined: 26 Oct 2021, 10:37

Post by farka01_uaexpert »

There is an example with two endpoints:

Endpoint 1
  • Endpoint Url: opc.tcp://MyServer:4840
  • Security Policy: Basic256
  • Message Security Mode: Sign, SignAndEncrypt
  • User Token Type: username, X.509

Endpoint 2
  • Endpoint Url: opc.tcp://MyServer:4840
  • Security Policy: Basic256Sha256
  • Message Security Mode: Sign, SignAndEncrypt
  • User Token Type: username

My question, please: for the Security Policy and Message Security Mode, which certificate is used, the application certificate or the user certificate?

And is the user token type X.509 in Endpoint 2 the application certificate, or a special one only for the user certificate?

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Which certificate for Endpoint (security mode and user token policy)?

Post by Support Team »

Hi,

The application certificate and the user certificate are two different certificates, and you should not mix them up.

OPC UA has defined multiple levels of security, on application level but also on user (authentication) level. The Message Security Mode belongs to the application certificate enforcing either sign only, or sign&encrypt on the messages sent over the secure channel. In addition thereto the user authentication is used to decide which user is allowed to access data of which individual nodeID. You can use either username/pwd or user-certificate depending on the token type allowed/configured for the particular endpoint.
Best regards
Unified Automation Support Team

farka01_uaexpert
Jr. Member
Posts: 2
Joined: 26 Oct 2021, 10:37

Re: Which certificate for Endpoint (security mode and user token policy)?

Post by farka01_uaexpert »

Thanks for the reply and your passion; I have understood what I'm looking for.
But when the security mode is None/None and the user token is anonymous,
the OPC UA client needs a certificate from the server!

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Which certificate for Endpoint (security mode and user token policy)?

Post by Support Team »

Hi,

If you have "None" on the channel, the certificate (if any) should be ignored (because your SecurityMode is "None"). However, for the UserToken "username" you would need to encrypt the pwd (do not transmit clear-text pwds). In order to do so you need an "encryption algorithm", which the server must have told you in the endpoint description. And because of that you probably must have and derive the algorithm from there.

However, the combination of "no security" on the channel and "anonymous" user is valid (security is completely turned off), but when having "no security" on the channel in combination with "username", you must have a policy (you should not transmit clear-text pwds).
Best regards
Unified Automation Support Team
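As an added example (not code from this thread or from Unified Automation), the following Python models the endpoint descriptions discussed above and applies the two rules the Support Team gave: Sign/SignAndEncrypt is enforced with the application certificate, an X.509 user token refers to the user certificate, and a "username" token on an unsecured channel needs its own SecurityPolicyUri in the UserTokenPolicy or the password goes out in clear text. The endpoint objects are constructed to mirror the thread, not captured from a real server.

```python
from dataclasses import dataclass, field

# Security policy URIs defined by the OPC UA specification (Part 7).
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256"
POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

@dataclass
class UserTokenPolicy:
    token_type: str  # "Anonymous", "UserName" or "Certificate" (X.509 user token)
    # Policy used to protect the token; empty means "fall back to the endpoint's policy".
    security_policy_uri: str = ""

@dataclass
class Endpoint:
    url: str
    security_policy_uri: str
    security_mode: str  # "None", "Sign" or "SignAndEncrypt"
    user_token_policies: list = field(default_factory=list)

def assess_endpoint(ep: Endpoint) -> dict:
    """Return which certificates a client needs for this endpoint and any risky settings."""
    result = {"application_cert": False, "user_cert": False, "warnings": []}
    # Channel level: Sign and SignAndEncrypt are enforced with the *application* certificate.
    if ep.security_mode in ("Sign", "SignAndEncrypt"):
        result["application_cert"] = True
    for utp in ep.user_token_policies:
        if utp.token_type == "Certificate":
            # User level: an X.509 user token is the *user* certificate, not the application one.
            result["user_cert"] = True
        if utp.token_type == "UserName" and ep.security_mode == "None":
            # On an unsecured channel the password is protected only by the token policy's own
            # SecurityPolicyUri; if that resolves to None, the password travels in clear text.
            effective = utp.security_policy_uri or ep.security_policy_uri
            if effective == POLICY_NONE:
                result["warnings"].append(f"{utp.token_type} token on unsecured channel: clear-text password")
    return result

# Constructed endpoint descriptions mirroring the thread (not captured from a real server).
ENDPOINT_1 = Endpoint("opc.tcp://MyServer:4840", POLICY_BASIC256, "SignAndEncrypt",
                      [UserTokenPolicy("UserName"), UserTokenPolicy("Certificate")])
ENDPOINT_2 = Endpoint("opc.tcp://MyServer:4840", POLICY_BASIC256SHA256, "Sign",
                      [UserTokenPolicy("UserName")])
ENDPOINT_OPEN = Endpoint("opc.tcp://MyServer:4840", POLICY_NONE, "None",
                         [UserTokenPolicy("Anonymous")])
ENDPOINT_WEAK = Endpoint("opc.tcp://MyServer:4840", POLICY_NONE, "None",
                         [UserTokenPolicy("UserName")])
ENDPOINT_FIXED = Endpoint("opc.tcp://MyServer:4840", POLICY_NONE, "None",
                          [UserTokenPolicy("UserName", POLICY_BASIC256SHA256)])
```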
