BadSecurityPolicyRejected error when connecting to server

Utkrist
Hero Member
Posts: 22
Joined: 15 May 2023, 09:50

BadSecurityPolicyRejected error when connecting to server

Post by Utkrist »

Hi, I have developed an OpcUa server in a microcontroller by cross-compiling with uasdkcppbundle-src-linux-v1.8.2-624. I have also used openssl 1.1.1 to include security policy. When connecting to the server with no security policy, everything works as intended. However, when I connect with any other security policy, I get
Error 'BadSecurityPolicyRejected' was returned during OpenSecureChannel
in UaExpert. When I connect to the server for the first time, I get the prompt to trust the server certificate, which I accept. In UaExpert, when going to Settings->Manage Certificates, I can see that the server certificate is trusted.

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: BadSecurityPolicyRejected error when connecting to server

Post by Support Team »

Hi,

the error BadSecurityPolicyRejected is typically a configuration issue on the server side.

Background:
The server must provide a list of supported SecurityPolicies within its list of EndpointDescriptions. Before connecting with the server, the client asks for "GetEndpoints()" and will receive the list of endpoints and now must select one of the given endpoints. You can check the list of endpoints the server returns with UaExpert (connect with "none", and open ServerDiagnostics-View).

Hint: delete all the "recently used" entries in UaExpert's AddServer dialog, thereafter use the "Custom Discovery" entry in the tree (calling FindServers/GetEndpoints on the given discovery URI) to get the fresh list of Endpoints (and SecurityPolicies) as provided by the server. Only select what is supported by the server. If you cannot find the SecurityPolicy that you are looking for, there is a configuration issue of the EndpointDescription on the server side.

Best regards
Unified Automation Support Team
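
Added example (not part of the original thread and not Unified Automation SDK code): the check described in the post above, comparing the SecurityPolicy and mode a client wants to use (for instance from a stale "recently used" entry) against a fresh GetEndpoints result. The struct, function names, sample URL and endpoint list are constructed for illustration; only the SecurityPolicy URIs are the standard OPC UA ones.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for the EndpointDescription fields that matter here.
struct Endpoint {
    std::string url;
    std::string securityPolicyUri;
    std::string securityMode;  // "None", "Sign" or "SignAndEncrypt"
};

enum class Diagnosis {
    Offered,          // exact policy + mode is in the fresh endpoint list
    ModeNotOffered,   // policy is advertised, but not with the requested mode
    PolicyNotOffered  // policy missing: server-side EndpointDescription configuration
};

// Compare the client's intended selection against what the server advertises now.
Diagnosis checkSelection(const std::vector<Endpoint>& fresh,
                         const std::string& policyUri,
                         const std::string& mode) {
    bool policySeen = false;
    for (const Endpoint& ep : fresh) {
        if (ep.securityPolicyUri != policyUri) continue;
        policySeen = true;
        if (ep.securityMode == mode) return Diagnosis::Offered;
    }
    return policySeen ? Diagnosis::ModeNotOffered : Diagnosis::PolicyNotOffered;
}

const std::string kPolicyBase = "http://opcfoundation.org/UA/SecurityPolicy#";

// Constructed sample: a server advertising only None and Basic256Sha256.
std::vector<Endpoint> sampleEndpoints() {
    const std::string url = "opc.tcp://device.example:4840";  // placeholder URL
    return {
        {url, kPolicyBase + "None", "None"},
        {url, kPolicyBase + "Basic256Sha256", "SignAndEncrypt"},
    };
}

int main() {
    // A cached entry asks for a policy the server no longer (or never) advertised.
    Diagnosis d = checkSelection(sampleEndpoints(),
                                 kPolicyBase + "Aes128_Sha256_RsaOaep", "SignAndEncrypt");
    if (d == Diagnosis::PolicyNotOffered)
        std::cout << "Policy not in server endpoint list: fix server endpoint configuration\n";
    return 0;
}
```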


Re: BadSecurityPolicyRejected error when connecting to server

Post by Utkrist »

Hi, thank you for your quick response. I followed your instructions, but it did not solve the problem. Additionally, I compiled my project for linux-debian (instead of cross-compiling for my controller), and while connecting to the server with a security policy, I got this error:
Error 'BadSecurityChecksFailed' was returned during OpenSecureChannel
which was fixed by moving the certificate from rejected to trusted folder, and I was able to connect to the server. I tried the same for my controller, but the problem persists.


Re: BadSecurityPolicyRejected error when connecting to server

Post by Support Team »

Hi,

the error "BadSecurityChecksFailed" is totally different from your first reported issue, and shows a "generic" error code related to security validation.

Background: over the wire, OPC UA does not report specific security-relevant error codes, in order not to give the attacker any hint about what they are doing wrong or must repair.

For you that means: you can only investigate this error by looking into the server-side (and client-side) local log files, which may contain more detailed information (which is not allowed to be reported over the wire).

My educated guess: on one side (most probably server-side) your client certificate is not trusted anymore. Because of your "recompile" and running on a totally different machine, all your previous trust and the certificates are (of course) broken. You must (again) trust on both sides.

Best regards
Unified Automation Support Team
