https://forge.codesys.com/u/alexschooneveld/2026-06-22T21:10:45ZRecent posts by alexschooneveld2026-06-22T21:10:45Z2026-06-22T21:10:45Zalexschooneveldhttps://forge.codesys.com/u/alexschooneveld/https://forge.codesys.comc2111d5b5d2ce267d1a68793fd986e4c31721bee

<div class="markdown_content"><p>I am currently investigating an OPC UA PubSub connection over UDP. When I don't use encryption, the publish and subscribe are working correctly. But with encryption it does not.</p> <p><strong>Environment</strong></p> <p>OPC UA PubSub SL 1.3.0.0 (namespace UADP)<br/> OPC UA PubSub Security 1.3.0.0 (namespace PSS)<br/> OPC UA PubSub Base 1.3.0.0 (namespace PSB, incl. PSS.SecurityGroup / PSS.CONFIG)<br/> Programmatic PubSub in a CFC: UADP.Configuration → UADP.Connection → UADP.writerGroup → UADP.writer → writerDataSet, plus a CyclicCall gated by xEnable.</p> <p><strong>Goal</strong>: publish secured UADP, SignAndEncrypt, policy PubSub-Aes256-CTR.</p> <p><strong>What I do (one-shot, before xEnable := TRUE):</strong><br/> fbSecurityGroup.SetInitialValue(<br/> 'http://opcfoundation.org/UA/SecurityPolicy#PubSub-Aes256-CTR',<br/> PSB.SECURITY.SIGNING_AND_ENCRYPTION);<br/> stSecurityCfg := fbSecurityGroup.GetConfig(eErrorID =&gt; eError); // eError=NO_ERROR, udiEncryptionKeySize=32<br/> eError := fbSecurityGroup.SetSecurityKeys(udiTokenId, ADR(abyKey), SIZEOF(abyKey), 24<em>3600</em>1000); // eError=NO_ERROR, SIZEOF=68<br/> // writerGroup.itfSecurityGroup := fbSecurityGroup -- set in the WriterGroup block's Parameters (a per-scan code write got overwritten)</p> <p><strong>What I verified</strong><br/> eError = NO_ERROR after both GetConfig and SetSecurityKeys; udiEncryptionKeySize = 32.<br/> Key length = 68 bytes (signing 32 ‖ encrypt 32 ‖ nonce 4).<br/> itfSecurityGroup is set via the WriterGroup's Parameters (so it isn't clobbered each scan).<br/> Init runs before xEnable (the writer doesn't run with xEnable=FALSE).<br/> The UADP.writerGroup FB exposes only itfSecurityGroup for security — no SecurityMode/MessageSecurityMode property.</p> <p><strong>Result</strong>: the published datagrams are still plaintext — ExtendedFlags1 = 0x01 (security bit 0x10 clear), no security header:<br/> b1 01 29 00 0f 16 00 … (PublisherId 41, WriterGroupId 22, RawData, no security)</p> <p><strong>Questions</strong></p> <p>With UADP.writerGroup, is assigning a configured + keyed PSS.SecurityGroup to itfSecurityGroup sufficient to enable message security, or is there an additional step/property/method to switch the WriterGroup to SignAndEncrypt?<br/> At what point in the WriterGroup lifecycle is itfSecurityGroup read? Must it be assigned/keyed before xActive, and does the group need a stop→start to pick it up?<br/> Is there a required call order, and does SetSecurityKeys need to be called once or repeatedly?<br/> Should security be configured on the Connection/Configuration level rather than (or in addition to) the WriterGroup?<br/> Is there a working example of secured (SignAndEncrypt) programmatic UADP publishing with this library, or a known limitation in 1.3?<br/> How can I read back at runtime whether security is actually active (via itfDiagnostics or similar)?</p> <p><strong>Additional information</strong><br/> I can confirm that the consumer side works — i.e. a standard subscriber decrypts the same keys fine — so the keys/profile aren't the issue.<br/> The Wireshark capture of the published message is:<br/> 0000 b1 01 29 00 0f 16 00 df 0d bb 25 01 00 0e 00 1b ..).......%.....<br/> 0010 0e 00 00 00 00 00 00 00 ........</p></div>

2026-06-22T21:10:39Z2026-06-22T21:10:39Zalexschooneveldhttps://forge.codesys.com/u/alexschooneveld/https://forge.codesys.comee11b867b7d8be29d00513d0f2bf42bf26ad05f2

<div class="markdown_content"><p>I am currently investigating an OPC UA PubSub connection over UDP. When I don't use encryption, the publish and subscribe are working correctly. But with encryption it does not.</p> <p><strong>Environment</strong></p> <p>OPC UA PubSub SL 1.3.0.0 (namespace UADP)<br/> OPC UA PubSub Security 1.3.0.0 (namespace PSS)<br/> OPC UA PubSub Base 1.3.0.0 (namespace PSB, incl. PSS.SecurityGroup / PSS.CONFIG)<br/> Programmatic PubSub in a CFC: UADP.Configuration → UADP.Connection → UADP.writerGroup → UADP.writer → writerDataSet, plus a CyclicCall gated by xEnable.</p> <p><strong>Goal</strong>: publish secured UADP, SignAndEncrypt, policy PubSub-Aes256-CTR.</p> <p><strong>What I do (one-shot, before xEnable := TRUE):</strong><br/> fbSecurityGroup.SetInitialValue(<br/> 'http://opcfoundation.org/UA/SecurityPolicy#PubSub-Aes256-CTR',<br/> PSB.SECURITY.SIGNING_AND_ENCRYPTION);<br/> stSecurityCfg := fbSecurityGroup.GetConfig(eErrorID =&gt; eError); // eError=NO_ERROR, udiEncryptionKeySize=32<br/> eError := fbSecurityGroup.SetSecurityKeys(udiTokenId, ADR(abyKey), SIZEOF(abyKey), 24<em>3600</em>1000); // eError=NO_ERROR, SIZEOF=68<br/> // writerGroup.itfSecurityGroup := fbSecurityGroup -- set in the WriterGroup block's Parameters (a per-scan code write got overwritten)</p> <p><strong>What I verified</strong><br/> eError = NO_ERROR after both GetConfig and SetSecurityKeys; udiEncryptionKeySize = 32.<br/> Key length = 68 bytes (signing 32 ‖ encrypt 32 ‖ nonce 4).<br/> itfSecurityGroup is set via the WriterGroup's Parameters (so it isn't clobbered each scan).<br/> Init runs before xEnable (the writer doesn't run with xEnable=FALSE).<br/> The UADP.writerGroup FB exposes only itfSecurityGroup for security — no SecurityMode/MessageSecurityMode property.</p> <p><strong>Result</strong>: the published datagrams are still plaintext — ExtendedFlags1 = 0x01 (security bit 0x10 clear), no security header:<br/> b1 01 29 00 0f 16 00 … (PublisherId 41, WriterGroupId 22, RawData, no security)</p> <p><strong>Questions</strong></p> <p>With UADP.writerGroup, is assigning a configured + keyed PSS.SecurityGroup to itfSecurityGroup sufficient to enable message security, or is there an additional step/property/method to switch the WriterGroup to SignAndEncrypt?<br/> At what point in the WriterGroup lifecycle is itfSecurityGroup read? Must it be assigned/keyed before xActive, and does the group need a stop→start to pick it up?<br/> Is there a required call order, and does SetSecurityKeys need to be called once or repeatedly?<br/> Should security be configured on the Connection/Configuration level rather than (or in addition to) the WriterGroup?<br/> Is there a working example of secured (SignAndEncrypt) programmatic UADP publishing with this library, or a known limitation in 1.3?<br/> How can I read back at runtime whether security is actually active (via itfDiagnostics or similar)?</p> <p><strong>Additional information</strong><br/> I can confirm that the consumer side works — i.e. a standard subscriber decrypts the same keys fine — so the keys/profile aren't the issue.<br/> The Wireshark capture of the published message is:<br/> 0000 b1 01 29 00 0f 16 00 df 0d bb 25 01 00 0e 00 1b ..).......%.....<br/> 0010 0e 00 00 00 00 00 00 00 ........</p></div>