alexschooneveld - 9 hours ago

I am currently investigating an OPC UA PubSub connection over UDP. When I don't use encryption, the publish and subscribe are working correctly. But with encryption it does not.

Environment

OPC UA PubSub SL 1.3.0.0 (namespace UADP)
OPC UA PubSub Security 1.3.0.0 (namespace PSS)
OPC UA PubSub Base 1.3.0.0 (namespace PSB, incl. PSS.SecurityGroup / PSS.CONFIG)
Programmatic PubSub in a CFC: UADP.Configuration → UADP.Connection → UADP.writerGroup → UADP.writer → writerDataSet, plus a CyclicCall gated by xEnable.

Goal: publish secured UADP, SignAndEncrypt, policy PubSub-Aes256-CTR.

What I do (one-shot, before xEnable := TRUE):
fbSecurityGroup.SetInitialValue(
    'http://opcfoundation.org/UA/SecurityPolicy#PubSub-Aes256-CTR',
    PSB.SECURITY.SIGNING_AND_ENCRYPTION);
stSecurityCfg := fbSecurityGroup.GetConfig(eErrorID => eError); // eError=NO_ERROR, udiEncryptionKeySize=32
eError := fbSecurityGroup.SetSecurityKeys(udiTokenId, ADR(abyKey), SIZEOF(abyKey), 2436001000); // eError=NO_ERROR, SIZEOF=68
// writerGroup.itfSecurityGroup := fbSecurityGroup -- set in the WriterGroup block's Parameters (a per-scan code write got overwritten)

What I verified
eError = NO_ERROR after both GetConfig and SetSecurityKeys; udiEncryptionKeySize = 32.
Key length = 68 bytes (signing 32 ‖ encrypt 32 ‖ nonce 4).
itfSecurityGroup is set via the WriterGroup's Parameters (so it isn't clobbered each scan).
Init runs before xEnable (the writer doesn't run with xEnable=FALSE).
The UADP.writerGroup FB exposes only itfSecurityGroup for security — no SecurityMode/MessageSecurityMode property.

Result: the published datagrams are still plaintext — ExtendedFlags1 = 0x01 (security bit 0x10 clear), no security header:
b1 01 29 00 0f 16 00 … (PublisherId 41, WriterGroupId 22, RawData, no security)

Questions

With UADP.writerGroup, is assigning a configured + keyed PSS.SecurityGroup to itfSecurityGroup sufficient to enable message security, or is there an additional step/property/method to switch the WriterGroup to SignAndEncrypt?
At what point in the WriterGroup lifecycle is itfSecurityGroup read? Must it be assigned/keyed before xActive, and does the group need a stop→start to pick it up?
Is there a required call order, and does SetSecurityKeys need to be called once or repeatedly?
Should security be configured on the Connection/Configuration level rather than (or in addition to) the WriterGroup?
Is there a working example of secured (SignAndEncrypt) programmatic UADP publishing with this library, or a known limitation in 1.3?
How can I read back at runtime whether security is actually active (via itfDiagnostics or similar)?

Additional information
I can confirm that the consumer side works — i.e. a standard subscriber decrypts the same keys fine — so the keys/profile aren't the issue.
The Wireshark capture of the published message is:
0000 b1 01 29 00 0f 16 00 df 0d bb 25 01 00 0e 00 1b ..).......%.....
0010 0e 00 00 00 00 00 00 00 ........
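A wire-level check for the last question, added here as an example that is not from the post or from the CODESYS PubSub library: it decodes the UADP NetworkMessage header of the datagram quoted above (flags, ExtendedFlags1, PublisherId, GroupHeader, per OPC UA Part 14) and reports whether the security bit is set, so a capture can be judged independently of itfDiagnostics. SAMPLE is the captured bytes from the post; parse_uadp_header is a hypothetical helper name, and String-typed PublisherIds are not handled.

```python
import struct

# Constructed sample: the 24-byte datagram quoted in the post above.
SAMPLE = bytes.fromhex(
    "b1 01 29 00 0f 16 00 df 0d bb 25 01 00 0e 00 1b 0e 00 00 00 00 00 00 00"
)

# PublisherId type (ExtendedFlags1 bits 0-2) -> encoded size; type 4 (String) is variable length.
PUBLISHER_ID_SIZES = {0: 1, 1: 2, 2: 4, 3: 8}


def parse_uadp_header(msg: bytes) -> dict:
    """Decode the UADP NetworkMessage header up to the group header and report
    whether ExtendedFlags1 announces a security header (bit 0x10)."""
    if not msg:
        raise ValueError("empty message")
    flags = msg[0]
    info = {
        "version": flags & 0x0F,
        "publisher_id_enabled": bool(flags & 0x10),
        "group_header_enabled": bool(flags & 0x20),
        "payload_header_enabled": bool(flags & 0x40),
    }
    pos = 1
    ext1 = 0  # absent ExtendedFlags1 means PublisherId type Byte and no security
    if flags & 0x80:
        ext1, pos = msg[pos], pos + 1
    if ext1 & 0x80:  # ExtendedFlags2 present, skip it
        pos += 1
    info["extended_flags1"] = ext1
    info["security_enabled"] = bool(ext1 & 0x10)
    if info["publisher_id_enabled"]:
        size = PUBLISHER_ID_SIZES.get(ext1 & 0x07)
        if size is None:
            raise ValueError("String PublisherId not handled by this check")
        info["publisher_id"] = int.from_bytes(msg[pos:pos + size], "little")
        pos += size
    if ext1 & 0x08:  # DataSetClassId is a 16-byte GUID
        pos += 16
    if info["group_header_enabled"]:
        gflags, pos = msg[pos], pos + 1
        # GroupFlags: 0x01 WriterGroupId, 0x02 GroupVersion, 0x04 NetworkMessageNumber, 0x08 SequenceNumber
        for bit, name, fmt in ((0x01, "writer_group_id", "<H"), (0x02, "group_version", "<I"),
                               (0x04, "network_message_number", "<H"), (0x08, "sequence_number", "<H")):
            if gflags & bit:
                info[name] = struct.unpack_from(fmt, msg, pos)[0]
                pos += struct.calcsize(fmt)
    info["header_end"] = pos  # payload header and security header (if any) would follow here
    return info
```

For the captured frame it reports security_enabled False with PublisherId 41 and WriterGroupId 22; a datagram secured as intended would carry ExtendedFlags1 with bit 0x10 set.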