Security and encryption

Questions regarding the use of the Java SDK for Server or Client development or integration into customer products ...

Moderator: uasdkjava

akorol
Sr. Member
Posts: 10
Joined: 27 May 2011, 10:30

Security and encryption

Post by akorol »

Dear supporters,

I am not sure about security and encryption with the SDK. All of my approaches to establishing encryption by adding UserTokenPolicy.*Basic* and setting SecurityMode.Basic* failed with UaExpert's message "The Server does not support configured security policy". What am I missing?

And... I thought, communication would already run over an encrypted secure channel by default, am I wrong?

Thanks a lot and kind regards,
Andy
Last edited by akorol on 07 Feb 2013, 10:48, edited 1 time in total.

akorol
Sr. Member
Posts: 10
Joined: 27 May 2011, 10:30

Re:Security and encryption

Post by akorol »

Ok, how simple things can be...

... approaches establishing encryption by adding UserTokenPolicy.*Basic* and setting SecurityMode.Basic* failed with UaExpert's message "The Server does not support configured security policy". What am I missing?
Just put the client's cert into the server's folder PKI/CA/certs and 'sign and encrypt' works with 'Basic128Rsa15' and 'Basic256' - perfect!

I thought, communication would already run over an encrypted secure channel by default, am I wrong?
Encryption has to be activated explicitly. Makes sense, since if you did not need it, it would generate extra CPU power.

Kind regards,
Andy

ps: the quoting in the forum does not work...
Last edited by akorol on 07 Feb 2013, 10:48, edited 1 time in total.

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re:Security and encryption

Post by Support Team »

Hello Andy,

UA Security configuration requires one manual step. The Client can accept the server certificate during connection configuration since there is normally somebody sitting in front of a user interface when this is done. But the server normally has no user interface, and accepting the certificate for the server is the one manual step. But the server should store the rejected certificates in a special directory and should provide an administration GUI to accept client certificates.

The server decides which level of protection is required for the information it is providing. The client can choose one of the options configured in the server. The server provides this information through GetEndpoints. There are three main options to configure on the server:
  • SecurityPolicy - This is the set of algorithms used to secure the connection. Three options are defined at the moment - None, Basic128Rsa15 and Basic256. For the option None, no security is applied at all, no certificate check, no message signing, no encryption.
  • MessageSecurityMode - This is the protection level for the messages exchanged between client and server. Three options are defined - None, Sign, SignAndEncrypt. For None, only the certificates are checked if SecurityPolicy is not None. For Sign, the messages are only signed. This level of protection creates only a small performance impact if the exchanged information is not private. SignAndEncrypt also ensures that the messages cannot be read by anybody other than client and server.
  • UserIdentityToken - In addition to application authentication through application instance certificates, OPC UA provides user authentication through different types of user tokens like UserPassword, Certificate. Anonymous is also possible.

Best regards,
Unified Automation Support Team

PS: We will try to fix the quoting feature
Last edited by Support Team on 07 Feb 2013, 10:48, edited 1 time in total.
Best regards
Unified Automation Support Team
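
Added example, not part of the thread and not SDK code: a small SDK-independent Java model of the two checks described in the post above, the client choosing only from the combinations the server advertises through GetEndpoints, and the server accepting a client certificate only once it has been trusted manually. All class and method names, the endpoint list and the thumbprint string are hypothetical or constructed; it assumes Java 16 or later.

```java
import java.util.*;

// Added illustration: SDK-independent model of OPC UA endpoint selection and
// server-side certificate trust. Every name below is hypothetical.
public class EndpointSelection {
    enum Policy { None, Basic128Rsa15, Basic256 }
    enum Mode { None, Sign, SignAndEncrypt }
    record Endpoint(Policy policy, Mode mode) {}

    // Constructed sample of what a server might return from GetEndpoints.
    static final List<Endpoint> OFFERED = List.of(
        new Endpoint(Policy.None, Mode.None),
        new Endpoint(Policy.Basic128Rsa15, Mode.SignAndEncrypt),
        new Endpoint(Policy.Basic256, Mode.SignAndEncrypt));

    // The client can only choose a combination the server has configured.
    static Endpoint select(List<Endpoint> offered, Policy p, Mode m) {
        return offered.stream()
            .filter(e -> e.policy() == p && e.mode() == m)
            .findFirst()
            .orElseThrow(() -> new IllegalStateException(
                "server does not offer " + p + "/" + m));
    }

    // Server side: with a policy other than None the client certificate must
    // be in the trust list. Unknown certificates are recorded as rejected so
    // that an administrator can accept them later.
    static boolean serverAccepts(Endpoint ep, String thumbprint,
                                 Set<String> trusted, Set<String> rejected) {
        if (ep.policy() == Policy.None) return true; // no certificate check
        if (trusted.contains(thumbprint)) return true;
        rejected.add(thumbprint);
        return false;
    }

    public static void main(String[] args) {
        Set<String> trusted = new HashSet<>(), rejected = new HashSet<>();
        String clientCert = "CONSTRUCTED-THUMBPRINT-01"; // placeholder value
        Endpoint ep = select(OFFERED, Policy.Basic256, Mode.SignAndEncrypt);
        System.out.println(serverAccepts(ep, clientCert, trusted, rejected));
        trusted.add(clientCert); // the manual step: the certificate is trusted
        System.out.println(serverAccepts(ep, clientCert, trusted, rejected));
        try {
            select(OFFERED, Policy.Basic256, Mode.Sign); // not in OFFERED
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```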

akorol
Sr. Member
Posts: 10
Joined: 27 May 2011, 10:30

Re:Security and encryption

Post by akorol »

Thanks a lot, you brought it clearly to the point!

Kind regards,
Andy
Last edited by akorol on 07 Feb 2013, 10:48, edited 1 time in total.

edisonpinto
Jr. Member
Posts: 1
Joined: 24 May 2012, 10:15

Re:Security and encryption

Post by edisonpinto »

I am still not clear about the encryption algorithm. I think I have made a mistake somewhere.
