Codesys OPC-UA access with only user/pass DESPITE certificate is quarantined

MadsKaizer
2020-11-17
6 days ago
  • MadsKaizer

    MadsKaizer - 2020-11-17

    Hi

    I followed guide: https://help.codesys.com/api-content/2/codesys/3.5.14.0/en/_cds_runtime_opc_ua_server/

    I set up a user called "opcua", gave it access rights to modify/write on the opcuaserver object under access rights.

    Created certificate.

    Now I can try to connect from f.ex. UaExpert with sign&encrypt, get the error, move quarentined certificate to trusted and all is fine, I can log in and change data.

    But I can also choose to login without any security options and only use username/password, and still I can changed values.

    This behaviour can not be right? Where is the option to force certificate to be trusted?

     
  • MadsKaizer

    MadsKaizer - 2020-11-17

    See pictures, the connecte UaBrowser client is under quarantined certificates, but could still login and change values with just username/password.

     
  • i-campbell

    i-campbell - 2020-11-17

    Try this from one of Edwin's old posts:
    CODESYSControl_User.cfg

    [CmpOPCUAServer]
    SECURITY.CommunicationMode=SIGNED_AND_ENCRYPTED

     
  • MadsKaizer

    MadsKaizer - 2020-11-25

    Thank you, that works now and is forced to only use Basic256Sha256.

    Additional help to others:
    I had some troubles with a change of hostname that does not kick all the way through to /etc/hosts and thus when pulling a new certificate, it would get the old hostname. I commented out the old hostnames with # and rebooted the controller. OPCUAServer would then not start up as plain text is not allowed and it was shutdown according to the codesys IDE log, so it required to generate new certificates and reboot again for OPCUAServer to start up properly.

     
  • MadsKaizer

    MadsKaizer - 2021-01-08

    Hi All

    I have had my controllers running with certificate and encryption, worked fine.

    Now I wanted to remove it again, as certificate renewel will be a huge work load with the number of PLC's we are looking into. We are looking into finding a setup with automatic certificate renewal from a security server before working with that again.

    I have removed the following again:
    **CODESYSControl_User.cfg

    [CmpOPCUAServer]
    SECURITY.CommunicationMode=SIGNED_AND_ENCRYPTED**

    I have removed the certificates from the security package on the devices, but I still have a user with password on, to access the OPCUAserver under users for the device. But now I can no longer get communication going with the OPCUA client :(

    From UaExpert client:
    15:03:45.430 | Server Node | OPCUAServer@ST006-KFC005-PF... | Endpoint: 'opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840'
    15:03:45.430 | Server Node | OPCUAServer@ST006-KFC005-PF... | Security policy: 'http://opcfoundation.org/UA/SecurityPolicy#None'
    15:03:45.430 | Server Node | OPCUAServer@ST006-KFC005-PF... | ApplicationUri: 'urn:ST006-KFC005-PFC200V3-47CD42:3S%20-%20Smart%20Software%20Solutions%20GmbH:CODESYS%20Control%20for%20PFC200%20SL:OPCUA:Server'
    15:03:45.430 | Server Node | OPCUAServer@ST006-KFC005-PF... | Used UserTokenType: UserName
    15:03:45.431 | Server Node | OPCUAServer@ST006-KFC005-PF... | The server returned no certificate, all certificate checks will be skipped.
    15:03:45.482 | General | | Error: UaSessionPrivate::activateSession - can't find UserNameIdentityToken in endpoint description
    15:03:45.533 | Server Node | OPCUAServer@ST006-KFC005-PF... | Error 'BadConfigurationError' was returned during ActivateSession
    15:03:45.542 | Server Node | OPCUAServer@ST006-KFC005-PF... | Connection status of server 'OPCUAServer@ST006-KFC005-PFC200V3-47CD42' changed to 'Disconnected'.

    From Codesys controller log:
    CmpOPCUAStack: 08-01-2021 14:01:20" infoId="0">OpcUa_TcpListener_ReadEventHandler: Process Request returned an error (0x800B0000)!
    CmpOPCUAStack: 08-01-2021 14:01:20" infoId="0">OpcUa_SecureListener_ProcessRequest: Closing channel due error 0x800B0000!
    CmpOPCUAStack: 08-01-2021 14:01:20" infoId="0">OpcUa_Endpoint_BeginProcessRequest: Not able to create/send response. (0x800B0000)
    CmpOPCUAProviderIecVarAccess: 08-01-2021 12:22:48" infoId="0">Valid license found for OPC UA IecVarAccess provider.
    CmpOPCUAProviderIecVarAccess: 08-01-2021 12:22:48" infoId="0">Symbolconfiguration changed
    CmpOPCUAProviderIecVarAccess: 08-01-2021 12:22:48" infoId="0">Symbolconfiguration changed
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Provider CmpOPCUAProviderIecVarAccess with Version 0x305100a registerd at the OPC UA server.
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Provider CODESYS_DefaultProvider with Version 0x3051000 registerd at the OPC UA server.
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">**********
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">All available networkadapters are used.
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Loopbackadapter activated.
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">URL: opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Hostname: ST006-KFC005-PFC200V3-47CD42, Port: 4840
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">OPC UA Server Started:
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">
    ************
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">Security policy allows plain text communication. Secure communication is deactivated.
    CmpOPCUAServer: 08-01-2021 12:22:46" infoId="0">No certificate for the OPC UA server available.

     
  • MadsKaizer

    MadsKaizer - 6 days ago

    I still need an answer on to what needs to be changed to remove certificate requirements on OPC-UA communication, as per above reply from myself, I have also tried with the other possible OPC-UA settings as "ONLY_PLAINTEXT" or "ALL" with same result.

    It seems to me there there is some settings, somewhere, besides CODESYSControl_User.cfg that is affected by forcing on certificates that is NOT SET BACK, if that setting is set to something else. Especially "15:03:45.482 | General | | Error: UaSessionPrivate::activateSession - can't find UserNameIdentityToken in endpoint description" tells me this...

    Re-enabling "SIGNED_AND_ENCRYPTED" and all works again, once the certificate has been moved to trusted certificates on the codesys controller.

    13:55:18.800 | DiscoveryWidget | | Adding Server OPCUAServer@ST006-KFC005-PFC200V3-47CD42 with URL opc.tcp://ST006-KFC005-PFC200V3-47CD42
    13:55:20.489 | DiscoveryWidget | | DiscoveryUrl[0] of FindServers (opc.tcp://ST006-KFC005-PFC200V3-47CD42) differs from the one received in GetEndpoints (opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840)
    13:55:20.489 | DiscoveryWidget | | Adding Url opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840
    13:55:20.489 | DiscoveryWidget | | DiscoveryUrl[0] of FindServers (opc.tcp://ST006-KFC005-PFC200V3-47CD42) differs from the one received in GetEndpoints (opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840)
    13:55:20.489 | DiscoveryWidget | | Adding Url opc.tcp://ST006-KFC005-PFC200V3-47CD42
    13:55:43.589 | Server Node | OPCUAServer@ST006-KFC005-PF... | Endpoint: 'opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840'
    13:55:43.589 | Server Node | OPCUAServer@ST006-KFC005-PF... | Security policy: 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
    13:55:43.589 | Server Node | OPCUAServer@ST006-KFC005-PF... | ApplicationUri: 'urn:ST006-KFC005-PFC200V3-47CD42:3S%20-%20Smart%20Software%20Solutions%20GmbH:CODESYS%20Control%20for%20PFC200%20SL:OPCUA:Server'
    13:55:43.589 | Server Node | OPCUAServer@ST006-KFC005-PF... | Used UserTokenType: UserName
    13:55:49.385 | General | | [uastack] OpcUa_TcpConnection_ProcessResponse: Error Message!
    13:55:49.385 | General | | [uastack] OpcUa_TcpConnection_ProcessResponse: Status 0x80130000!
    13:55:49.385 | Server Node | OPCUAServer@ST006-KFC005-PF... | Error 'BadSecurityChecksFailed' was returned during OpenSecureChannel
    13:55:49.385 | Server Node | OPCUAServer@ST006-KFC005-PF... | Connection status of server 'OPCUAServer@ST006-KFC005-PFC200V3-47CD42' changed to 'Disconnected'.
    13:56:19.006 | Server Node | OPCUAServer@ST006-KFC005-PF... | Endpoint: 'opc.tcp://ST006-KFC005-PFC200V3-47CD42:4840'
    13:56:19.006 | Server Node | OPCUAServer@ST006-KFC005-PF... | Security policy: 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
    13:56:19.006 | Server Node | OPCUAServer@ST006-KFC005-PF... | ApplicationUri: 'urn:ST006-KFC005-PFC200V3-47CD42:3S%20-%20Smart%20Software%20Solutions%20GmbH:CODESYS%20Control%20for%20PFC200%20SL:OPCUA:Server'
    13:56:19.006 | Server Node | OPCUAServer@ST006-KFC005-PF... | Used UserTokenType: UserName
    13:56:25.836 | AddressSpaceModel | OPCUAServer@ST006-KFC005-PF... | Registered for ModelChangeEvents
    13:56:25.836 | Server Node | OPCUAServer@ST006-KFC005-PF... | Connection status of server 'OPCUAServer@ST006-KFC005-PFC200V3-47CD42' changed to 'Connected'.
    13:56:25.838 | Server Node | OPCUAServer@ST006-KFC005-PF... | Revised values: SessionTimeout=1200000, SecureChannelLifetime=3600000
    13:56:25.970 | AddressSpaceModel | OPCUAServer@ST006-KFC005-PF... | Browse on node 'i=84' succeeded.
    13:56:26.031 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|35 succeeded
    13:56:26.231 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|33 succeeded
    13:56:26.433 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|31 succeeded
    13:56:26.640 | AddressSpaceModel | OPCUAServer@ST006-KFC005-PF... | Browse on node 'i=85' succeeded.
    13:56:26.799 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|2004 succeeded
    13:56:26.910 | TypeCache | OPCUAServer@ST006-KFC005-PF... | Reading type info of NodeId NS0|Numeric|58 succeeded

     

Log in to post a comment.