Hi
I followed guide: https://help.codesys.com/api-content/2/codesys/3.5.14.0/en/_cds_runtime_opc_ua_server/
I set up a user called "opcua" and gave it access rights to modify/write on the opcuaserver object under access rights.
Created a certificate.
Now I can connect from e.g. UaExpert with sign & encrypt, get the error, move the quarantined certificate to trusted, and all is fine: I can log in and change data.
But I can also choose to log in without any security options and only use username/password, and I can still change values.
This behaviour cannot be right? Where is the option to force the certificate to be trusted?
See pictures: the connected UaBrowser client is under quarantined certificates, but could still log in and change values with just username/password.
Try this from one of Edwin's old posts:
CODESYSControl_User.cfg
[CmpOPCUAServer]
SECURITY.CommunicationMode=SIGNED_AND_ENCRYPTED
Thank you, that works now and the server is forced to use only Basic256Sha256.
Additional help to others:
I had some trouble with a change of hostname that does not kick all the way through to /etc/hosts, and thus when pulling a new certificate it would get the old hostname. I commented out the old hostnames with # and rebooted the controller. OPCUAServer would then not start up, as plain text is not allowed and it was shut down according to the CODESYS IDE log, so I had to generate new certificates and reboot again for OPCUAServer to start up properly.
Hi All
I have had my controllers running with certificate and encryption; it worked fine.
Now I wanted to remove it again, as certificate renewal will be a huge workload with the number of PLCs we are looking into. We are looking into finding a setup with automatic certificate renewal from a security server before working with that again.
I have removed the following again:
**CODESYSControl_User.cfg
[CmpOPCUAServer]
SECURITY.CommunicationMode=SIGNED_AND_ENCRYPTED**
I have removed the certificates from the security package on the devices, but I still have a user with a password to access the OPCUAserver under users for the device. But now I can no longer get communication going with the OPC UA client :(
From UaExpert client:
15:03:45.430 | Server Node | OPCUAServer@ST006-KFC005-PF... | Endpoint: 'opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840'
15:03:45.430 | Server Node | OPCUAServer@ST006-KFC005-PF... | Security policy: 'http://opcfoundation.org/UA/SecurityPolicy#None'
15:03:45.430 | Server Node | OPCUAServer@ST006-KFC005-PF... | ApplicationUri: 'urn:ST006-KFC005-PFC200V3-47CD42:3S%20-%20Smart%20Software%20Solutions%20GmbH:CODESYS%20Control%20for%20PFC200%20SL:OPCUA:Server'
15:03:45.430 | Server Node | OPCUAServer@ST006-KFC005-PF... | Used UserTokenType: UserName
15:03:45.431 | Server Node | OPCUAServer@ST006-KFC005-PF... | The server returned no certificate, all certificate checks will be skipped.
15:03:45.482 | General | | Error: UaSessionPrivate::activateSession - can't find UserNameIdentityToken in endpoint description
15:03:45.533 | Server Node | OPCUAServer@ST006-KFC005-PF... | Error 'BadConfigurationError' was returned during ActivateSession
15:03:45.542 | Server Node | OPCUAServer@ST006-KFC005-PF... | Connection status of server 'OPCUAServer@ST006-KFC005-PFC200V3-47CD42' changed to 'Disconnected'.
From Codesys controller log:
CmpOPCUAStack: 08-01-2021 14:01:20" infoId="0">OpcUa_TcpListener_ReadEventHandler: Process Request returned an error (0x800B0000)!
CmpOPCUAStack: 08-01-2021 14:01:20" infoId="0">OpcUa_SecureListener_ProcessRequest: Closing channel due error 0x800B0000!
CmpOPCUAStack: 08-01-2021 14:01:20" infoId="0">OpcUa_Endpoint_BeginProcessRequest: Not able to create/send response. (0x800B0000)
CmpOPCUAProviderIecVarAccess: 08-01-2021 12:22:48" infoId="0">Valid license found for OPC UA IecVarAccess provider.
CmpOPCUAProviderIecVarAccess: 08-01-2021 12:22:48" infoId="0">Symbolconfiguration changed
CmpOPCUAProviderIecVarAccess: 08-01-2021 12:22:48" infoId="0">Symbolconfiguration changed
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Provider CmpOPCUAProviderIecVarAccess with Version 0x305100a registerd at the OPC UA server.
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Provider CODESYS_DefaultProvider with Version 0x3051000 registerd at the OPC UA server.
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">**********
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">All available networkadapters are used.
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Loopbackadapter activated.
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">URL: opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Hostname: ST006-KFC005-PFC200V3-47CD42, Port: 4840
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">OPC UA Server Started:
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">************
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Security policy allows plain text communication. Secure communication is deactivated.
CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">No certificate for the OPC UA server available.
I still need an answer on what needs to be changed to remove the certificate requirement on OPC-UA communication. As per my reply above, I have also tried the other possible OPC-UA settings such as "ONLY_PLAINTEXT" or "ALL", with the same result.
It seems to me that there is some setting, somewhere, besides CODESYSControl_User.cfg that is affected by forcing certificates on and that is NOT SET BACK if that setting is set to something else. Especially "15:03:45.482 | General | | Error: UaSessionPrivate::activateSession - can't find UserNameIdentityToken in endpoint description" tells me this...
Re-enabling "SIGNED_AND_ENCRYPTED" and all works again, once the certificate has been moved to trusted certificates on the CODESYS controller.
13:55:18.800 | DiscoveryWidget | | Adding Server OPCUAServer@ST006-KFC005-PFC200V3-47CD42 with URL opc.tcp://ST006-KFC005-PFC200V3-47CD42
13:55:20.489 | DiscoveryWidget | | DiscoveryUrl[0] of FindServers (opc.tcp://ST006-KFC005-PFC200V3-47CD42) differs from the one received in GetEndpoints (opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840)
13:55:20.489 | DiscoveryWidget | | Adding Url opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840
13:55:20.489 | DiscoveryWidget | | DiscoveryUrl[0] of FindServers (opc.tcp://ST006-KFC005-PFC200V3-47CD42) differs from the one received in GetEndpoints (opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840)
13:55:20.489 | DiscoveryWidget | | Adding Url opc.tcp://ST006-KFC005-PFC200V3-47CD42
13:55:43.589 | Server Node | OPCUAServer@ST006-KFC005-PF... | Endpoint: 'opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840'
13:55:43.589 | Server Node | OPCUAServer@ST006-KFC005-PF... | Security policy: 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
13:55:43.589 | Server Node | OPCUAServer@ST006-KFC005-PF... | ApplicationUri: 'urn:ST006-KFC005-PFC200V3-47CD42:3S%20-%20Smart%20Software%20Solutions%20GmbH:CODESYS%20Control%20for%20PFC200%20SL:OPCUA:Server'
13:55:43.589 | Server Node | OPCUAServer@ST006-KFC005-PF... | Used UserTokenType: UserName
13:55:49.385 | General | | [uastack] OpcUa_TcpConnection_ProcessResponse: Error Message!
13:55:49.385 | General | | [uastack] OpcUa_TcpConnection_ProcessResponse: Status 0x80130000!
13:55:49.385 | Server Node | OPCUAServer@ST006-KFC005-PF... | Error 'BadSecurityChecksFailed' was returned during OpenSecureChannel
13:55:49.385 | Server Node | OPCUAServer@ST006-KFC005-PF... | Connection status of server 'OPCUAServer@ST006-KFC005-PFC200V3-47CD42' changed to 'Disconnected'.
13:56:19.006 | Server Node | OPCUAServer@ST006-KFC005-PF... | Endpoint: 'opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840'
13:56:19.006 | Server Node | OPCUAServer@ST006-KFC005-PF... | Security policy: 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
13:56:19.006 | Server Node | OPCUAServer@ST006-KFC005-PF... | ApplicationUri: 'urn:ST006-KFC005-PFC200V3-47CD42:3S%20-%20Smart%20Software%20Solutions%20GmbH:CODESYS%20Control%20for%20PFC200%20SL:OPCUA:Server'
13:56:19.006 | Server Node | OPCUAServer@ST006-KFC005-PF... | Used UserTokenType: UserName
13:56:25.836 | AddressSpaceModel | OPCUAServer@ST006-KFC005-PF... | Registered for ModelChangeEvents
13:56:25.836 | Server Node | OPCUAServer@ST006-KFC005-PF... | Connection status of server 'OPCUAServer@ST006-KFC005-PFC200V3-47CD42' changed to 'Connected'.
13:56:25.838 | Server Node | OPCUAServer@ST006-KFC005-PF... | Revised values: SessionTimeout=1200000, SecureChannelLifetime=3600000
13:56:25.970 | AddressSpaceModel | OPCUAServer@ST006-KFC005-PF... | Browse on node 'i=84' succeeded.
13:56:26.031 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|35 succeeded
13:56:26.231 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|33 succeeded
13:56:26.433 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|31 succeeded
13:56:26.640 | AddressSpaceModel | OPCUAServer@ST006-KFC005-PF... | Browse on node 'i=85' succeeded.
13:56:26.799 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|2004 succeeded
13:56:26.910 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|58 succeeded
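Two offline checks a defender can run on the artifacts this thread quotes, as an added example that is not part of the thread or of CODESYS: one reads the `[CmpOPCUAServer]` / `SECURITY.CommunicationMode` setting from a `CODESYSControl_User.cfg`-style text, the other scans UaExpert-format log lines for the negotiated security policy and user token type and flags the two weak states shown above (a UserName session over `SecurityPolicy#None`, and a server presenting no certificate). Section and key names are taken from the thread; the sample config and log lines are constructed.

```python
import re
from typing import Dict, List, Optional

NONE_POLICY = "http://opcfoundation.org/UA/SecurityPolicy#None"

# Constructed sample: the fragment the thread adds to CODESYSControl_User.cfg.
SAMPLE_CFG = "[CmpOPCUAServer]\nSECURITY.CommunicationMode=SIGNED_AND_ENCRYPTED\n"

# Constructed sample in the UaExpert log format quoted in the thread (server name
# shortened); it mirrors the 'no security options, username/password' session.
SAMPLE_UAEXPERT_LOG = [
    "15:03:45.430 | Server Node | OPCUAServer@PLC | Security policy: "
    "'http://opcfoundation.org/UA/SecurityPolicy#None'",
    "15:03:45.430 | Server Node | OPCUAServer@PLC | Used UserTokenType: UserName",
    "15:03:45.431 | Server Node | OPCUAServer@PLC | The server returned no "
    "certificate, all certificate checks will be skipped.",
]


def parse_communication_mode(cfg_text: str) -> Optional[str]:
    """SECURITY.CommunicationMode from [CmpOPCUAServer], or None if absent/commented."""
    section = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if m := re.fullmatch(r"\[(.+)\]", line):
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and section == "CmpOPCUAServer" and key.strip() == "SECURITY.CommunicationMode":
            return value.strip()
    return None


def assess_uaexpert_log(lines: List[str]) -> Dict[str, object]:
    """Negotiated policy and token type, plus the weak combinations the thread shows."""
    policy = token = None
    no_cert = False
    for line in lines:
        if m := re.search(r"Security policy: '([^']+)'", line):
            policy = m.group(1)
        if m := re.search(r"Used UserTokenType: (\w+)", line):
            token = m.group(1)
        if "returned no certificate" in line:
            no_cert = True
    findings = []
    if policy == NONE_POLICY and token == "UserName":
        # Channel is neither signed nor encrypted: every read/write is visible and
        # forgeable on the wire, whatever token-level encryption the password gets.
        findings.append("UserName session on an unsigned, unencrypted channel")
    if no_cert:
        # No server certificate: nothing to verify the server with and no key to
        # encrypt the password token with (UaExpert then aborted ActivateSession).
        findings.append("server presented no certificate; checks skipped")
    return {"policy": policy, "token": token, "findings": findings}
```

Feeding the controller's actual cfg and a saved UaExpert log to these two functions gives a quick way to confirm that `SIGNED_AND_ENCRYPTED` is really in force on each PLC before the first session is trusted.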