Professional OPC
Development Tools

logos

lupa

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

  1. Forum
  3. Discussions
  5. QuickOPC-UA in COM
  7. Discovery, Browsing, Browse Dialogs and Controls
  9. Browse Nodes OPC-UA in Delphi

Browse Nodes OPC-UA in Delphi

More
20 Oct 2016 11:15 #4487 by support
Replied by support on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
I made a test with setting the AllowedMessageSecurityModes, and it appears to work as designed. I therefore think that there was also something else at play with the server, which would require detailed analysis.

I would say, don't bother with it if you got it working now. But I would definitely inform Siemens that we think that returning an empty signature algorithm, is against the spec.

Best regards

Please Log in or Create an account to join the conversation.

More
14 Oct 2016 12:18 #4468 by RH
Replied by RH on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
Ok, I will follow this thread for new information on this topic.

Please Log in or Create an account to join the conversation.

More
14 Oct 2016 11:45 #4467 by support
Replied by support on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
Thank you for update. With the recommendations, I was trying to achieve the same from the client side, and it is still not clear to me why it had not worked. I will need to check whether the settings actually have the effect that they should have.

Please Log in or Create an account to join the conversation.

More
14 Oct 2016 10:57 #4466 by RH
Replied by RH on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
We checked the Siemens software again and it turned out, that there are 2 endpoints. One unsecured and one secured. There is a possibility to enable just one of them.
With the unsecured endpoint disabled, I couldn't manage to connect to the secured endpoint, not even with UaExpert. But if we enable the unsecured endpoint and disable the secured one, then it's working. This seems to be enough for us for now. Thanks again for your help!

Please Log in or Create an account to join the conversation.

More
14 Oct 2016 09:15 #4465 by RH
Replied by RH on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
I tried to get the inner exceptions, but there is no one when using the COM version in Delphi. It's just an OLE Exception with the message I wrote above.

Could you modify your browser window with my example url and the two new lines (isolated...) and provide it as a ready-to-use test program? I could then run it here and send you the exception output.

I also tried to find the two options in the properties of your browsedialog, but I didn't find them.

Please Log in or Create an account to join the conversation.

More
14 Oct 2016 08:57 #4464 by support
Replied by support on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
The code looks correct to me. Can you please send me the exception details (the .txt file as before) again, as it happens with this new code? I know it is in principle the same exception, but I want to check whether the details inside it had changed.

Thank you

Please Log in or Create an account to join the conversation.

More
14 Oct 2016 08:44 #4463 by RH
Replied by RH on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
I tried you suggestion, but I stll get an Exception "Unexpected signature algorithm". This is my code, which works fine with the other OPC server:
mOPCUAClient := TEasyUAClient.Create(nil);
mOPCUAClient.Isolated := true;
mOPCUAClient.IsolatedParameters.SessionParameters.EndpointSelectionPolicy.AllowedMessageSecurityModes := UAMessageSecurityModes_SecurityNone;
 
EndpointDescriptor := CoUAEndpointDescriptor.Create;
EndpointDescriptor.UrlString := 'opc.tcp://192.168.1.2:4870';
 
NodeDescriptor := CoUANodeDescriptor.Create;
NodeDescriptor.NodeId.StandardName := 'Objects';
 
BrowseParameters := CoUABrowseParameters.Create;
BrowseParameters.NodeClasses := UANodeClass_All;
 
lclNodes := mOPCUAClient.BrowseNodes(EndpointDescriptor, NodeDescriptor, BrowseParameters);

Am I still missing something?

Please Log in or Create an account to join the conversation.

More
12 Oct 2016 13:18 - 12 Oct 2016 13:22 #4453 by support
Replied by support on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
Please try to set our client to the same (as in UaExpert). In C# it would look like this:
client.Isolated = true;
client.IsolatedParameters.SessionParameters.EndpointSelectionPolicy.AllowedMessageSecurityModes = UAMessageSecurityModes.SecurityNone;
Best regards
Last edit: 12 Oct 2016 13:22 by support.

Please Log in or Create an account to join the conversation.

More
12 Oct 2016 13:11 #4451 by RH
Replied by RH on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
I'm out of office and therefore can't check at the moment. But I have a screenshot for you to check. Actually, I selected "None" as security policy, that seems to be the reason. I attached a screenshot that might help you to understand whats happening.

I think, there is no demo version of this server as it's included in a Siemens Touchpanel. So you can just test it if you have this piece of hardware.
Attachments:

Please Log in or Create an account to join the conversation.

More
11 Oct 2016 08:16 - 11 Oct 2016 08:18 #4442 by support
Replied by support on topic BadSecurityChecksFailed with Simatic Panel TP700 Comfort
As far as I can tell, after some checking, I think that the server is not compliant with OPC UA specs in this respect (I am not an expert in the details of the spec, though).

Related info: The problem appears to be in the response returned by the CreateSession call to the server. Spec Part 4, chapter 5.6.2, 5.6.2.2. The server returns serverSignature (SignatureData) that should be as follows:

This is a signature generated with the private key associated with the serverCertificate. This parameter is calculated by appending the clientNonce to the clientCertificate and signing the resulting sequence of bytes.
The SignatureAlgorithm shall be the AsymmetricSignatureAlgorithm specified in the SecurityPolicy for the Endpoint.
The SignatureData type is defined in 7.32.


Here the server returns an empty string for the SignatureAlgorithm. But for the Security of the Endpoint you are using (which is either Basic256 or Basic128Rsa15), the algorithm should be RsaSha1. This is specified in OPC UA spec Part 7 - Profiles, where (under 5.3 Transport and communication related features), it requires

AsymmetricSignatureAlgorithm – RsaSha1 – (www.w3.org/2000/09/xmldsig#rsa-sha1)

for these two security policies.

I am surprised that this works with UaExpert, but my guess is that with UaExpert, you are connecting to a different endpoint, possibly unsecured one. Can you please check precisely which endpoint you are connecting to with UaExpert?

In QuickOPC, you normally do not specify the endpoint so precisely - the selection of the endpoint is done using policies. Therefore you may end up with a different one, albeit on the same URL. If this proves to be the issue, I can later show you how to influence the selection of the endpoint in QuickOPC.

Is (a demo version of) this server available somewhere for download or test?

Best regards
Last edit: 11 Oct 2016 08:18 by support.

Please Log in or Create an account to join the conversation.

Moderators: support
  1. Forum
  3. Discussions
  5. QuickOPC-UA in COM
  7. Discovery, Browsing, Browse Dialogs and Controls
  9. Browse Nodes OPC-UA in Delphi
Time to create page: 0.064 seconds