Hi there,
how can I get the Server SDK to automatically accept all clients and not reject them?
There is an option to set "AutomaticallyTrustAllClientCertificates" to "true" in the configuration files, but client certificates are not stored.
I want to store the certificate in the trust folder.
Are there any other ways?
Thanks in advance.
Automatically trust all certificates
Moderator: uasdkcpp
- Support Team
- Hero Member
- Posts: 3068
- Joined: 18 Mar 2011, 15:09
Re: Automatically trust all certificates
Hi,
regarding security there are only two ways to do it: do it correctly, or leave it.
If you want to trust all clients (in fact you ignore their certificates without even checking them), there is no need to store them, because they are not even looked at anyway. The "TrustAllClient" mode switches from the OPC UA double-sided trust check to a single-sided trust check (as in typical web applications). Your server will be "public" (available for every client) and should take user authentication into account instead. That said, "TrustAllClient" is a very special use case and should not be used for regular OPC UA application scenarios.
The SDK will call back the application whenever a certificate is quarantined in the "rejected" folder; your application can decide what to do next.
Best regards
Unified Automation Support Team
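The alternative to "TrustAllClient" that the reply above points at (certificates quarantined in the rejected folder, with the application or an operator deciding what happens next), as an added Python example that is not part of this thread or of the SDK: a quarantined certificate is moved into the trust folder only when its SHA-1 thumbprint is on a list approved out of band, so nothing is trusted unchecked. The folder layout, the `.der` file extension and the placeholder certificate bytes are assumptions; take the real paths from your server configuration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Folder layout is an assumption: take the real trusted/rejected paths from the
# server configuration. The SDK quarantines unknown client certificates in the
# rejected folder; an operator, not the server, promotes them.
REJECTED_DIR = "pki/rejected/certs"
TRUSTED_DIR = "pki/trusted/certs"

def thumbprint(der_bytes: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate (the identifier OPC UA tools show)."""
    return hashlib.sha1(der_bytes).hexdigest().upper()

def promote_approved(pki_root: Path, approved: set) -> dict:
    """Move quarantined certificates whose thumbprint was approved out of band into
    the trusted folder; everything else stays in rejected. Returns what happened."""
    rejected = pki_root / REJECTED_DIR
    trusted = pki_root / TRUSTED_DIR
    trusted.mkdir(parents=True, exist_ok=True)
    outcome = {"trusted": [], "kept_rejected": []}
    for cert_file in sorted(rejected.glob("*.der")):
        tp = thumbprint(cert_file.read_bytes())
        if tp in approved:
            # Rename to the thumbprint so the trust list is self-describing.
            shutil.move(str(cert_file), str(trusted / f"{tp}.der"))
            outcome["trusted"].append(tp)
        else:
            outcome["kept_rejected"].append(tp)
    return outcome

def run_demo() -> dict:
    """Constructed sample: two quarantined files (placeholder bytes standing in for
    real DER certificates); only client A's thumbprint is on the approved list."""
    root = Path(tempfile.mkdtemp())
    rejected = root / REJECTED_DIR
    rejected.mkdir(parents=True)
    (rejected / "clientA.der").write_bytes(b"constructed-der-client-A")
    (rejected / "clientB.der").write_bytes(b"constructed-der-client-B")
    outcome = promote_approved(root, {thumbprint(b"constructed-der-client-A")})
    outcome["trusted_files"] = sorted(p.name for p in (root / TRUSTED_DIR).iterdir())
    outcome["rejected_files"] = sorted(p.name for p in rejected.iterdir())
    shutil.rmtree(root)
    return outcome

if __name__ == "__main__":
    print(run_demo())
```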
- Jr. Member
- Posts: 2
- Joined: 15 May 2023, 06:19
Re: Automatically trust all certificates
Hi,
I just found this post.
> The SDK will call back the application whenever a certificate is quarantined in the "rejected" folder; your application can decide what to do next.
Where can I find this callback?
Thanks,
Bastian
- Support Team
- Hero Member
- Posts: 3068
- Joined: 18 Mar 2011, 15:09
Re: Automatically trust all certificates
Hello Bastian,
you can implement the Interface UaServer::secureChannelCertificateError() and then create an instance of your implementation via the Interface UaServerApplicationCallback::createUaServer().
Best regards
Unified Automation Support Team
- Jr. Member
- Posts: 2
- Joined: 15 May 2023, 06:19
Re: Automatically trust all certificates
Hi,
thanks for the reply.
UaServer::secureChannelCertificateError() is not virtual, so it cannot be overridden.
A UaServer* pointer from createUaServer() will always call UaServer::secureChannelCertificateError().
Or did I misunderstand the answer?
Thanks,
Bastian
- Support Team
- Hero Member
- Posts: 3068
- Joined: 18 Mar 2011, 15:09
Re: Automatically trust all certificates
Hello Bastian,
apologies, we did not catch that. There is no callback. Usually there is no use case for that in an environment with a proper PKI infrastructure.
Best regards
Unified Automation Support Team