BadSecurityPolicyRejected with No Security

bradymath
Jr. Member
Posts: 3
Joined: 04 Feb 2019, 20:43

Post by bradymath »

I am using the centos7.0-x86_64-gcc4.8.2v1.6.3-406 version of the CPP SDK bundle to build my server.
I have been able to connect UaExpert to my server using the following settings:

Security Settings
Security Policy: Basic256Sha256
Message Security Mode: Sign & Encrypt

Authentication Setting
Anonymous

When my ServerConfig.xml has the following lines added:

<UaEndpoint>

   <SecuritySettings>
      <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicy>
      <MessageSecurityMode>Sign</MessageSecurityMode>
      <MessageSecurityMode>SignAndEncrypt</MessageSecurityMode>
   </SecuritySettings>

   <AutomaticallyTrustAllClientCertificates>true</AutomaticallyTrustAllClientCertificates>

</UaEndpoint>

<UserIdentityTokens>
   <EnableAnonymous>true</EnableAnonymous>
</UserIdentityTokens>

Therefore, since I have been able to connect, I do know my server is working properly.
However, when I try and switch the UaExpert settings to the following:

Security Settings
Security Policy: None
Message Security Mode: None

Authentication Setting
Anonymous

And have the following lines in my ServerConfig.xml:

<UaEndpoint>
   <SecuritySettings>
      <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicy>
      <MessageSecurityMode>None</MessageSecurityMode>
   </SecuritySettings>
</UaEndpoint>

<UserIdentityTokens>
   <EnableAnonymous>true</EnableAnonymous>
</UserIdentityTokens>

I get the following debug lines from UaExpert:

Endpoint: 'opc.tcp://my-hostname:48010'
Security policy: 'http://opcfoundation.org/UA/SecurityPolicy#None'
ApplicationUri: 'urn:my-hostname:UnifiedAutomation:UaServerCpp'
Used UserTokenType: Anonymous
Error 'BadSecurityPolicyRejected' was returned during CreateSession
Connection status of server 'UaServerCpp@my-hostname' changed to 'Disconnected'.

Are there other settings in the configuration file that are causing this failure?
The line which looks the most suspicious to me is:

<UserIdentityTokens>
   <!--The security policy to use when encrypting or signing the UserIdentityToken when it is passed to the server.
       This security policy is only applied for None Endpoints. For other Endpoints we use the security policy of the Endpoint.-->
   <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicy>
</UserIdentityTokens>

I have tried changing this SecurityPolicy tag to use #None, but after restarting the server, it continues to produce the same error message in UaExpert. I also received the same result by putting in every other security option here, or by removing this line completely from the file.

There is also a large section in the UaEndpoint tag called SecurityCheckOverwrites where you can disable many checks. I have tried setting all these values to true, meaning all checking is basically turned off, and after restarting the server, my results within UaExpert remain the same.

Also, I would like to point out that if I remove the #None from the UaEndpoint SecuritySettings in the ServerConfig.xml and then try to connect UaExpert with the None, None settings, it will produce a pop-up saying:

Unsupported Security Policy
The connection cannot be established, because the server does not support the configured security policy.
Please try another configuration or press 'Ignore' to force trying to connect.

And the debug log produces the following:

ApplicationUri: "
The server does not support the configured security policy 'http://opcfoundation.org/UA/SecurityPolicy#None

This is a vastly different message from the one I am getting with the lines in the configuration file. Therefore it seems like it is initially supporting no security, but then something else is getting lost along the way, and I am very confused about what the issue is at this point.
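
The two ServerConfig.xml variants quoted in this post are a useful audit target: a SecurityPolicy#None endpoint combined with EnableAnonymous grants unauthenticated cleartext access, and AutomaticallyTrustAllClientCertificates=true switches off client certificate validation. The following is an added example (not code from the post or from the SDK) that flags those settings in a constructed fragment modelled on the quoted one and produces a hardened copy; the element names come from the post, while the enclosing OpcServerConfig root element is an assumption.

```python
import xml.etree.ElementTree as ET

NONE_POLICY = "http://opcfoundation.org/UA/SecurityPolicy#None"
# Constructed sample modelled on the fragments quoted above; the real SDK file has many more elements.
WEAK_CONFIG = """<OpcServerConfig>
  <UaEndpoint>
    <SecuritySettings>
      <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicy>
      <MessageSecurityMode>None</MessageSecurityMode>
    </SecuritySettings>
    <SecuritySettings>
      <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicy>
      <MessageSecurityMode>SignAndEncrypt</MessageSecurityMode>
    </SecuritySettings>
    <AutomaticallyTrustAllClientCertificates>true</AutomaticallyTrustAllClientCertificates>
  </UaEndpoint>
  <UserIdentityTokens><EnableAnonymous>true</EnableAnonymous></UserIdentityTokens>
</OpcServerConfig>"""

def is_none_endpoint(settings):
    """True when a <SecuritySettings> block offers SecurityPolicy#None or MessageSecurityMode None."""
    policy = (settings.findtext("SecurityPolicy") or "").strip()
    modes = [m.text.strip() for m in settings.findall("MessageSecurityMode") if m.text]
    return policy == NONE_POLICY or "None" in modes

def audit_server_config(xml_text):
    """Return a list of findings; an empty list means none of the checked weak settings is present."""
    root = ET.fromstring(xml_text)
    anonymous = (root.findtext("UserIdentityTokens/EnableAnonymous") or "").strip().lower() == "true"
    findings = []
    for endpoint in root.iter("UaEndpoint"):
        for settings in endpoint.findall("SecuritySettings"):
            if is_none_endpoint(settings):
                findings.append("endpoint offers SecurityPolicy#None / MessageSecurityMode None (no signing or encryption)")
                if anonymous:
                    findings.append("anonymous logon is enabled on an unsecured endpoint (unauthenticated cleartext access)")
        if (endpoint.findtext("AutomaticallyTrustAllClientCertificates") or "").strip().lower() == "true":
            findings.append("AutomaticallyTrustAllClientCertificates=true disables client certificate validation")
    return findings

def harden_server_config(xml_text):
    """Remove None endpoints and switch off automatic trust; returns the rewritten XML as a string."""
    root = ET.fromstring(xml_text)
    for endpoint in root.iter("UaEndpoint"):
        for settings in list(endpoint.findall("SecuritySettings")):
            if is_none_endpoint(settings):
                endpoint.remove(settings)
        for trust in endpoint.findall("AutomaticallyTrustAllClientCertificates"):
            trust.text = "false"
    return ET.tostring(root, encoding="unicode")
```

Running audit_server_config on the hardened output returns an empty list while the Basic256Sha256 endpoint survives, which is the state a production server should be in before a None endpoint is ever re-enabled for debugging.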

bradymath
Jr. Member
Posts: 3
Joined: 04 Feb 2019, 20:43

Re: BadSecurityPolicyRejected with No Security

Post by bradymath »

I found that in the configuration file, if I set UaStackTraceEnabled to true, UaStackTraceLevel to ERROR, UaAppTraceEnabled to true, and UaAppTraceLevel to Data, I get a UaServerCPP.log that produces the following:

18:57:23.969Z|3|545EF700* UaServer_EndpointCallback: SecureChannel 209444056 opened!
18:57:23.969Z|3|545EF700* UaServer_EndpointCallback/SecureChannelOpened: RequestedLifetime 300000
18:57:23.970Z|3|545EF700* UaServer_EndpointCallback/SecureChannelOpened: Security Mode 1 Security Policy http://opcfoundation.org/UA/SecurityPolicy#None
18:57:23.970Z|3|545EF700* UaServer_EndpointCallback/SecureChannelOpened - ClientCertificate: 
18:57:23.970Z|3|545EF700* UaServer_EndpointCallback/SecureChannelOpened - ClientCertificateThumbprint: 
18:57:23.970Z|6|545EF700* --> SessionManager::secureChannelCreated EndpointIndex = 0, SecureChannelId = 209444056
18:57:23.970Z|6|545EF700* <-- SessionManager::secureChannelCreated
18:57:23.970Z|4|548F2700* ==> UaServer::GetEndpoints [Request=1]
18:57:23.970Z|4|548F2700* CALL  Send Response [Request=1][ServiceResult=0x0]
18:57:23.970Z|4|548F2700* CLEAN Send Response
18:57:23.970Z|4|548F2700* DONE  Send Response
18:57:23.970Z|4|548F2700* <== UaServer::GetEndpoints
18:57:23.970Z|3|545EF700* UaServer_EndpointCallback: SecureChannel 209444056 closed! [status=0x0]
18:57:23.970Z|6|545EF700* --> SessionManager::secureChannelDeleted EndpointIndex = 0, SecureChannelId = 209444056
18:57:23.970Z|6|545EF700* <-- SessionManager::secureChannelDeleted - SecureChannel invalidated in Sessions
18:57:23.984Z|3|545EF700* UaServer_EndpointCallback: SecureChannel 209444057 opened!
18:57:23.984Z|3|545EF700* UaServer_EndpointCallback/SecureChannelOpened: RequestedLifetime 3600000
18:57:23.984Z|3|545EF700* UaServer_EndpointCallback/SecureChannelOpened: Security Mode 1 Security Policy http://opcfoundation.org/UA/SecurityPolicy#None
18:57:23.984Z|3|545EF700* UaServer_EndpointCallback/SecureChannelOpened - ClientCertificate: 
18:57:23.984Z|3|545EF700* UaServer_EndpointCallback/SecureChannelOpened - ClientCertificateThumbprint: 
18:57:23.984Z|6|545EF700* --> SessionManager::secureChannelCreated EndpointIndex = 0, SecureChannelId = 209444057
18:57:23.984Z|6|545EF700* <-- SessionManager::secureChannelCreated
18:57:23.984Z|4|546F0700* ==> UaServer::CreateSession [Request=1000016]
18:57:23.984Z|4|546F0700* [uastack] OpcUa_P_CryptoFactory_CreateCryptoProvider: SecurityPolicy Aes256Sha256RsaPss requires OpenSSL 1.0.2 or newer!
18:57:23.984Z|3|546F0700* Session/CreateSession - ClientUserId: System/ActivateSession
18:57:23.984Z|3|546F0700* Session/CreateSession - ClientCertificate: 
18:57:23.984Z|3|546F0700* Session/CreateSession - ClientCertificateThumbprint: 
18:57:23.984Z|3|546F0700* Session/CreateSession - RevisedSessionTimeout: 0.000000
18:57:23.984Z|4|546F0700* CALL  Send Response [Request=1000016][ServiceResult=0x80550000]
18:57:23.984Z|4|546F0700* CLEAN Send Response
18:57:23.984Z|4|546F0700* DONE  Send Response
18:57:23.984Z|4|546F0700* <== UaServer::CreateSession [ServiceResult=0x80550000]
18:57:23.985Z|3|545EF700* UaServer_EndpointCallback: SecureChannel 209444057 closed! [status=0x0]
18:57:23.985Z|6|545EF700* --> SessionManager::secureChannelDeleted EndpointIndex = 0, SecureChannelId = 209444057
18:57:23.985Z|6|545EF700* <-- SessionManager::secureChannelDeleted - SecureChannel invalidated in Sessions

Now the main line to focus on is:
OpcUa_P_CryptoFactory_CreateCryptoProvider: SecurityPolicy Aes256Sha256RsaPss requires OpenSSL 1.0.2 or newer!

If I look at my version of OpenSSL, I have version 1.0.2k-16 installed, which is the highest version I can get on my OS, which is based on CentOS 7, and this SDK version is supposed to be for CentOS 7. So I am still confused about what I am missing.
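
The trace above shows why the UaExpert error alone was not enough: the cause line is logged by the uastack inside the CreateSession call, on the same thread, a few lines before the failing ServiceResult. The following is an added example (not code from the post or from the SDK) that reads a UaServerCPP trace in the format quoted above and ties each service call that ended with a non-zero ServiceResult to the [uastack] messages logged by that thread while the call was in progress. The mapping of 0x80550000 to BadSecurityPolicyRejected is taken from this thread; the sample trace is a constructed excerpt of the quoted lines.

```python
import re

# 0x80550000 is the ServiceResult in the trace above; UaExpert reported it as BadSecurityPolicyRejected.
STATUS_NAMES = {0x80550000: "BadSecurityPolicyRejected"}

LINE_RE = re.compile(r"^(?P<time>[^|]+)\|(?P<level>\d+)\|(?P<thread>[0-9A-Fa-f]+)\*\s+(?P<msg>.*)$")
BEGIN_RE = re.compile(r"==> UaServer::(?P<service>\w+) \[Request=(?P<req>\d+)\]")
END_RE = re.compile(r"<== UaServer::(?P<service>\w+)(?: \[ServiceResult=(?P<code>0x[0-9A-Fa-f]+)\])?")

# Constructed excerpt built from the trace lines quoted above.
SAMPLE_LOG = """\
18:57:23.970Z|4|548F2700* ==> UaServer::GetEndpoints [Request=1]
18:57:23.970Z|4|548F2700* <== UaServer::GetEndpoints
18:57:23.984Z|3|545EF700* UaServer_EndpointCallback/SecureChannelOpened: Security Mode 1 Security Policy http://opcfoundation.org/UA/SecurityPolicy#None
18:57:23.984Z|4|546F0700* ==> UaServer::CreateSession [Request=1000016]
18:57:23.984Z|4|546F0700* [uastack] OpcUa_P_CryptoFactory_CreateCryptoProvider: SecurityPolicy Aes256Sha256RsaPss requires OpenSSL 1.0.2 or newer!
18:57:23.984Z|3|546F0700* Session/CreateSession - ClientUserId: System/ActivateSession
18:57:23.984Z|4|546F0700* <== UaServer::CreateSession [ServiceResult=0x80550000]
"""

def failed_calls(log_text):
    """Return one dict per service call that ended with a non-zero ServiceResult.

    Calls are matched on thread id between their ==> and <== markers; each result carries
    the service name, request id, status code and name, and any [uastack] messages logged
    by that thread while the call was in progress."""
    open_calls = {}  # thread id -> call currently in progress on that thread
    failures = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        begin = BEGIN_RE.search(msg)
        if begin:
            open_calls[thread] = {"service": begin.group("service"),
                                  "request": int(begin.group("req")), "stack_warnings": []}
            continue
        call = open_calls.get(thread)
        if call is None:
            continue
        if msg.startswith("[uastack]"):
            call["stack_warnings"].append(msg[len("[uastack]"):].strip())
        end = END_RE.search(msg)
        if end:
            code = int(end.group("code"), 16) if end.group("code") else 0
            if code != 0:
                call["code"] = code
                call["name"] = STATUS_NAMES.get(code, "unknown status")
                failures.append(call)
            del open_calls[thread]
    return failures
```

The same check rerun over the trace after a configuration or library change confirms whether the CreateSession failure and its OpenSSL cause line have actually gone away, rather than relying on the client-side message alone.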

bradymath
Jr. Member
Posts: 3
Joined: 04 Feb 2019, 20:43

Re: BadSecurityPolicyRejected with No Security

Post by bradymath »

I contacted support directly, and they suggested I recompile the libraries from the source in the SDK and install those instead of using the precompiled ones from the SDK, so that they link and work properly with my version of OpenSSL.

For those looking at this topic because they have the same issue, here is my little walkthrough:

In the terminal, navigate to the src/ directory inside the SDK.
I like to make a build directory in here and then navigate into it.
Then type "ccmake .." inside the build directory.
(I personally had to edit cmake/ConfigureCompiler.cmake to remove some line breaks before cmake would work on my machine.)
You're going to press "c" to configure until you get some variable options you can change.
Navigate down to "CMAKE_BUILD_TYPE" and type "Release".
Press "c" again to configure, and then you should be given a new option "g" to generate and exit.
This will have put a Makefile in your build directory, so now run make.
This is going to generate all new *.a files and a new libuastack.so.

Then I like to make a new build directory for debug inside the source directory. Follow the same steps as above until you get to the "CMAKE_BUILD_TYPE" variable, and put "Debug" instead. After you run make, you should have newly generated *d.a files and a new libuastackd.so.

Now install/use the new *.a and *.so files generated on your local machine, rebuild your project that links to these libraries, and your server should now work and connect to clients using No Security without throwing an OpenSSL error.
