Missing ActivateSessionRequest in 1.6.3

Questions regarding the use of the UaExpert.

Moderator: uaexpert

ruderik
Jr. Member
Posts: 3
Joined: 04 Oct 2022, 08:31

Missing ActivateSessionRequest in 1.6.3

Post by ruderik »

We use security mode None/None with username/password to connect to our (PLC) OPCUA server.
With version 1.5.1 of UaExpert this was no problem, but since 1.6.1 (?) or at least 1.6.3 this does not work anymore.
After comparing the Wireshark traces of both connects, it looks like the 1.6.3 version does not send an ActivateSessionRequest after the CreateSession.
This results in BadSessionNotActivated and BadSessionIdInvalid during the browse.
Messages from version 1.6.3 in Wireshark:

Hello message
Acknowledge message
OpenSecureChannel message: OpenSecureChannelRequest
OpenSecureChannel message: OpenSecureChannelResponse	
UA Secure Conversation Message: CreateSessionRequest	
UA Secure Conversation Message: CreateSessionResponse	
UA Secure Conversation Message: BrowseRequest
UA Secure Conversation Message: ServiceFault

1.5.1 Wireshark

Hello message
Acknowledge message
OpenSecureChannel message: OpenSecureChannelRequest
OpenSecureChannel message: OpenSecureChannelResponse
UA Secure Conversation Message: CreateSessionRequest
UA Secure Conversation Message: CreateSessionResponse
UA Secure Conversation Message: ActivateSessionRequest
UA Secure Conversation Message: ActivateSessionResponse
UA Secure Conversation Message: ReadRequest
UA Secure Conversation Message: ReadResponse

Why is this? Is my security too low? Strange thing is that UaExpert still tries to browse, even though it gets an error immediately at the first ReadRequest.
Thanks

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Missing ActivateSessionRequest in 1.6.3

Post by Support Team »

Hi,

if you use none/none (have no certificate), AND you use the user/pwd authentication, which secret is used to encrypt the password?
Without having a certificate your server will force the Client to transmit the pwd in clear-text. This would be a massive security vulnerability: a rogue server provokes the client to show the pwd in a clear-text message.

A good client (like UaExpert) will warn the user before doing so, or even better reject operation with such rogue server completely.

Who is the manufacturer of that UA Server?
The goal of all OPC UA users is to identify and uninstall and delete such servers wherever we find them.
Best regards
Unified Automation Support Team
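
Which secret protects the password can be read from the endpoint descriptions a server returns: a UserName token is protected by the securityPolicyUri of its UserTokenPolicy, or by the endpoint's own policy when that field is empty. The check below is an added example, not part of the post above and not UaExpert code; the function names and the endpoint data are constructed for illustration.

```python
NONE_URI = "http://opcfoundation.org/UA/SecurityPolicy#None"
B256_URI = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

def password_protection(endpoint):
    """Map each UserName policyId to 'encrypted', 'channel-only' or 'plaintext'."""
    result = {}
    for tok in endpoint["userIdentityTokens"]:
        if tok["tokenType"] != "UserName":
            continue
        # An empty token securityPolicyUri means "use the endpoint's policy".
        effective = tok.get("securityPolicyUri") or endpoint["securityPolicyUri"]
        if effective != NONE_URI:
            level = "encrypted"       # secret is encrypted for the server certificate
        elif endpoint["securityMode"] == "SignAndEncrypt":
            level = "channel-only"    # only the SecureChannel hides the password
        else:
            level = "plaintext"       # password is readable in a capture
        result[tok["policyId"]] = level
    return result

def refuse_plaintext(endpoints):
    """Client-side gate: (endpointUrl, policyId) pairs that must not get a password."""
    return [(ep["endpointUrl"], pid)
            for ep in endpoints
            for pid, level in password_protection(ep).items()
            if level == "plaintext"]

# Constructed endpoint descriptions (hypothetical server, illustrative policy ids).
URL = "opc.tcp://plc.example:4840"
ENDPOINTS = [
    # None/None channel, token inherits None: the case discussed in this thread.
    {"endpointUrl": URL, "securityMode": "None", "securityPolicyUri": NONE_URI,
     "userIdentityTokens": [
         {"policyId": "anon", "tokenType": "Anonymous", "securityPolicyUri": ""},
         {"policyId": "user_plain", "tokenType": "UserName", "securityPolicyUri": ""}]},
    # None/None channel, but the token policy names a real security policy.
    {"endpointUrl": URL, "securityMode": "None", "securityPolicyUri": NONE_URI,
     "userIdentityTokens": [
         {"policyId": "user_b256", "tokenType": "UserName", "securityPolicyUri": B256_URI}]},
    # Encrypted channel, token policy explicitly None.
    {"endpointUrl": URL, "securityMode": "SignAndEncrypt", "securityPolicyUri": B256_URI,
     "userIdentityTokens": [
         {"policyId": "user_chan", "tokenType": "UserName", "securityPolicyUri": NONE_URI}]},
]
```
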

ruderik
Jr. Member
Posts: 3
Joined: 04 Oct 2022, 08:31

Re: Missing ActivateSessionRequest in 1.6.3

Post by ruderik »

Hi,

Thank you for the reply.
You are right, there is no secret to encrypt the password, it's a bad practice and stupid to work in this manner. But it is our choice to do so.
The setup is a client/server on a closed LAN inside a machine, so I know it is not an excuse, but chances of tapping the traffic are reasonably low.

It would be nice if there was a little more feedback in UaExpert that this is the failure-reason. Or do not make the option available to use username/password with none/none security settings.
Also I do not understand that UaExpert still tries to browse the nodes, even if the session is not activated, but that's a minor issue of course.

The server is made by Sigmatek (PLC manufacturer), but it can use certificates and enhanced security if configured properly, so I would not like to point the finger at them.

Thanks again,
Ruud

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Missing ActivateSessionRequest in 1.6.3

Post by Support Team »

Hi,

good to hear that the server product is implemented correctly, just mis-configured by the end user, or better said "he is taking the risk".

When UaExpert starts to browse then the "ActivateSession" obviously has succeeded. It seems that the Browse never returns, instead of BrowseResponse you are getting ServiceFault. This indicates that the Browse service never returned or has sent some invalid data.

To look into the details you can activate the trace in UaExpert.

Hint: The UaExpert is doing some heavy browsing on first connect, trying to obtain type dictionary information for complex/structured/unknown types. This may be "stressful" to the server. However, it should not end in ServiceFault. You can switch off the initial browse approach in the Settings->Configure UaExpert menu, look for TypeDictionaryMode.

Anyways you should find the reason, as the ServiceFault may hit you later during operation again.
Best regards
Unified Automation Support Team

ruderik
Jr. Member
Posts: 3
Joined: 04 Oct 2022, 08:31

Re: Missing ActivateSessionRequest in 1.6.3

Post by ruderik »

Hi,

I think I narrowed the strange behavior down.
As soon as I have nodes in the Data Access View present, the connection fails in 1.6.3.
It seems that BrowseRequests are being sent before an ActivateSessionRequest, which then causes the server to go into some error state which will also cause the ActivateSessionRequest (which comes later) to go wrong. I'm not an OPCUA expert, so I don't know if this server behavior is correct or not.
As soon as I remove all the nodes from the Data Access View, I can successfully connect.
This UaExpert behavior is definitely different from 1.5.1.

I tried several TypeDictionaryMode settings by the way, this makes no difference.

Partial trace logging below. The activateSession request is in progress, and then browsing is started (in a different thread?).

12:34:25.680Z|6|8BD4* <-- UaSessionPrivate::createSession [ret=0x0]
12:34:25.680Z|6|8BD4* --> UaSessionPrivate::activateSession [Session=3]
12:34:25.680Z|1|8BD4* The SecurityMode for encrypting the password is None, would send plain text password
12:34:25.703Z|6|1B70* --> UaSessionPrivate::readDatatypeAttribute for NodeId i=0 [Session=3]
12:34:25.703Z|5|1B70* Ctor UaSession as copy
12:34:25.703Z|6|1B70* --> UaSession::browse [Session=3] startingNode=i=0 direction=1 refType=i=31
12:34:25.703Z|4|1B70* CALL OpcUa_ClientApi_Browse [Session=3]
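
A check for the ordering problem reported in this thread (a service request on the wire before ActivateSessionResponse), run over the two Wireshark listings from the first post. This is an added example, not part of any post and not UaExpert or Unified Automation code; the function name, the single-session-per-capture assumption and the set of services treated as not needing an activated session are this example's own.

```python
import re

# Session setup/teardown and discovery services; every other service is
# expected on the wire only after ActivateSessionResponse.
NO_SESSION_NEEDED = {"CreateSession", "ActivateSession", "CloseSession",
                     "GetEndpoints", "FindServers"}

# Matches the Wireshark Info text quoted in the first post.
MSG = re.compile(r"UA Secure Conversation Message:\s*(\w+?)(Request|Response)\s*$")

def premature_requests(info_lines):
    """Return the service requests seen before the session was activated."""
    activated = False
    findings = []
    for line in info_lines:
        m = MSG.search(line)
        if not m:
            continue  # Hello, Acknowledge, OpenSecureChannel, ServiceFault
        service, kind = m.groups()
        if service == "CreateSession" and kind == "Response":
            activated = False          # a new session starts out not activated
        elif service == "ActivateSession" and kind == "Response":
            activated = True
        elif kind == "Request" and service not in NO_SESSION_NEEDED and not activated:
            findings.append(service + "Request")
    return findings

# The two listings from the first post (version 1.6.3 and version 1.5.1).
CAPTURE_163 = """Hello message
Acknowledge message
OpenSecureChannel message: OpenSecureChannelRequest
OpenSecureChannel message: OpenSecureChannelResponse
UA Secure Conversation Message: CreateSessionRequest
UA Secure Conversation Message: CreateSessionResponse
UA Secure Conversation Message: BrowseRequest
UA Secure Conversation Message: ServiceFault""".splitlines()

CAPTURE_151 = CAPTURE_163[:6] + [
    "UA Secure Conversation Message: ActivateSessionRequest",
    "UA Secure Conversation Message: ActivateSessionResponse",
    "UA Secure Conversation Message: ReadRequest",
    "UA Secure Conversation Message: ReadResponse",
]

if __name__ == "__main__":
    print("1.6.3:", premature_requests(CAPTURE_163))
    print("1.5.1:", premature_requests(CAPTURE_151))
```
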

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Missing ActivateSessionRequest in 1.6.3

Post by Support Team »

Hi,

we tried to reproduce but UaExpert runs just fine within our test setup (with and without already added tags in DA View). Maybe this server is unexpectedly delaying the request, however the client typically waits until the session is up/activated, before doing anything else.

For detailed in depth analysis we need a full trace of UaExpert (Configuration Settings) and we need the (matching) Wireshark recording for this error scenario (fresh connection startup phase). Make sure to isolate the issue, e.g. do not connect other clients, to make the trace readable.
Please contact support@ and send zipped files.

Thank you.
Best regards
Unified Automation Support Team
