英文:
eclipse milo opcua client connection to prosys server problems
问题
我正在尝试使用milo(0.4.2)连接到Prosys opcua模拟服务器。
- 我使用openssl为用户生成了证书/密钥。
- 我使用milo sdk中提供的示例为应用程序生成了证书,并将它们导出为证书文件和未加密的pkcs 8 pem文件。
- 我将这两个证书都复制到了prosys文件夹中:
/home/user/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs
/home/user/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs
- 我在prosys界面中检查了这两个证书,它们都显示为受信任的。
- 最后,当我使用证书作为身份验证模式,传输安全性为Sign(使用在步骤1中生成的所有密钥和证书)进行连接时,我遇到了一个有趣的milo内部异常,如下所示:
Exception in thread "main" java.util.concurrent.ExecutionException: UaException: status=Bad_SecurityChecksFailed, message=unknown securityAlgorithmUri: null
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1999)
at de.api.snippets.derReader.main(derReader.java:68)
Caused by: UaException: status=Bad_SecurityChecksFailed, message=unknown securityAlgorithmUri: null
at org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm.fromUri(SecurityAlgorithm.java:143)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$createSession$49(SessionFsmFactory.java:852)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory$$Lambda$2643/0000000000000000.apply(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(CompletableFuture.java:1072)
实际上我注意到这些字段在prosys中是空的:
基本上我陷入了困境,正如您从图片中看到的,我请求了具有安全模式的端点,但在响应中收到了我不知道的内容。
我尝试了milo提供的所有可用SecurityPolicy,但在所有情况下都遇到了相同的情况。
因此,第一个问题是在securityAlgorithmUri中必须指定什么,是否有办法让prosys正确填充它?
英文:
I am trying to connect to Prosys opcua simulation server using milo (0.4.2)
- I generated certificates/keys for user using openssl
- I generated certificate for application using given example from milo sdk and exported them as certificate file and unencrypted pkcs 8 pem file.
- I copied both certificates to prosys folders
/home/user/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs
/home/user/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs
-
I checked that in prosys ui both certificates appeared & look trusted
-
finally when I am making connection with auth mode as certificate and transport security as Sign (using all generated on step 1 keys & cerificates) then I run into rather funny exception inside of milo like
Exception in thread "main" java.util.concurrent.ExecutionException: UaException: status=Bad_SecurityChecksFailed, message=unknown securityAlgorithmUri: null
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1999)
at de.api.snippets.derReader.main(derReader.java:68)
Caused by: UaException: status=Bad_SecurityChecksFailed, message=unknown securityAlgorithmUri: null
at org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm.fromUri(SecurityAlgorithm.java:143)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$createSession$49(SessionFsmFactory.java:852)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory$$Lambda$2643/0000000000000000.apply(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(CompletableFuture.java:1072)
And I actually see that these fields come from prosys empty
Basically here I am stuck, as you can see from picture that I requested endpoint with security mode and receive in response I dunno what.
I tried all available SecurityPolicy that milo provides but in all cases I ran into the same situation.
So first question is what must be specified in this securityAlgorithmUri and is anyway to point for prosys to fill it right ?
答案1
得分: 1
作为提醒:prosys的问题确实是由于使用opc通过https协议连接到服务器引起的。
所以在我切换到opc通过tcp后,我成功地发现了使用证书进行用户身份验证和消息级安全签名和加密的终端点。
顺便说一句,如果有人正在寻找使用opensssl生成用户证书的脚本,这里是一个示例配置文件:
openssl req -x509 -config openssl_cert.conf -extensions 'my server exts' -nodes \
-days 365 -newkey rsa:2048 -keyout user.key -out user.crt
以及文件内容:
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
# 最低要求可能是一个commonName
commonName = user
countryName = DE
localityName = DE
organizationName = comp
organizationalUnitName = comp Dept.
stateOrProvinceName = DE
emailAddress = user@example.com
name = user
surname = user
givenName = user
initials = uu
dnQualifier = some
[ my server exts ]
extendedKeyUsage = clientAuth, codeSigning
keyUsage = digitalSignature, keyAgreement, keyEncipherment, nonRepudiation, dataEncipherment, keyCertSign
英文:
As a reminder: the issue with prosys really was due to usage of opc over https protocol to connect to server.
So after I switched to opc over tcp I managed to discover endpoints that made use of certificate to authenticate user and message level security sign&encrypt.
btw: if somebody will be in search of script to generate user certificate using opensssl here is a sample conf file:
openssl req -x509 -config openssl_cert.conf -extensions 'my server exts' -nodes \
-days 365 -newkey rsa:2048 -keyout user.key -out user.crt
and file content:
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
# The bare minimum is probably a commonName
commonName = user
countryName = DE
localityName = DE
organizationName = comp
organizationalUnitName = comp Dept.
stateOrProvinceName = DE
emailAddress = user@example.com
name = user
surname = user
givenName = user
initials = uu
dnQualifier = some
[ my server exts ]
extendedKeyUsage = clientAuth, codeSigning
keyUsage = digitalSignature, keyAgreement, keyEncipherment, nonRepudiation, dataEncipherment, keyCertSign
答案2
得分: 0
据我所知,这似乎是Prosys堆栈或服务器中的一个错误。
在使用标准UA TCP传输时似乎不会出现这个问题,所以请尝试使用它来替代HTTPS。
英文:
Best I can tell this is a bug in the Prosys stack or server.
It doesn’t seem to occur when using the standard UA TCP transport, so give that a try instead of HTTPS.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论