Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

How do I set the Security Policy when connecting to an OPC UA server?

More
11 Sep 2023 17:13 #12092 by micham
Thank you.

Issue solved.

Regards,

Michael

Please Log in or Create an account to join the conversation.

More
11 Sep 2023 15:08 #12091 by support
You have provided following code listing:
UaDataDialog1.EndpointDescriptor.EndpointSelectionPolicy.SecurityPolicyUriString = "opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
But it should be
UaDataDialog1.EndpointDescriptor.EndpointSelectionPolicy.SecurityPolicyUriString = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

The confusion might have come from the fact the forums display the URLs, even when entered with "http:", as clickable links without the "http:", unless explicitly quoted as code.

Regards

Please Log in or Create an account to join the conversation.

More
11 Sep 2023 14:55 #12090 by micham
Thank you for your answer. Now when I try to brose for OPC items, I get the following error.

The OPC Server supports "Badsic256Sha256", "Sign & Encrypt".

Exceptions

Type: OpcLabs.BaseLib.Browsing.BrowseException
Data:
HelpLink:
HResult: -2146233088 (0x80131500)
InnerException:
OpcLabs.EasyOpc.UA.Engine.UAEngineException: Cannot preselect the best (or any) endpoint for OPC-UA client session. No suitable endpoint has been found. The server returned 2 endpoint(s).
There are several configurable settings that influence which endpoints are eligible for selection, such as the endpoint selection policy, and also parameters that influence how thorough checks of the information returned by the server are made. You may need to change the endpoint selection policy, or the additional parameters, in order to be able to connect. If you are unsure about what is causing all endpoints to be rejected, analyze the log entries generated by the component.
Candidate selection report follows.
[0:NotEligible(SecurityPolicyUri("opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", NotAllowed(NoMatch(Uri)))), 1:NotEligible(SecurityPolicyUri("opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", NotAllowed(NoMatch(Uri))))].
+ Connection attempt #1; last connected at 1/1/0001 12:00:00 AM (local); unconnected for 00:00:00.0780000.
+ The client method called (or event/callback invoked) was 'BrowseMultiple[1]'.
Activity Trace:
Data:
ErrorId_{045406CD-8EEA-4F21-B3D6-DC9DB5A34E58}: OpcLabs.UAEngine=4403
OpcLabs.EasyOpc.UA.Implementation.ErrorEnhancingEasyUAClient.Processed: True
Error Code: 4403
HelpLink:
HResult: -2146232832 (0x80131600)
InnerException:
Message:
Cannot preselect the best (or any) endpoint for OPC-UA client session. No suitable endpoint has been found. The server returned 2 endpoint(s).
There are several configurable settings that influence which endpoints are eligible for selection, such as the endpoint selection policy, and also parameters that influence how thorough checks of the information returned by the server are made. You may need to change the endpoint selection policy, or the additional parameters, in order to be able to connect. If you are unsure about what is causing all endpoints to be rejected, analyze the log entries generated by the component.
Candidate selection report follows.
[0:NotEligible(SecurityPolicyUri("opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", NotAllowed(NoMatch(Uri)))), 1:NotEligible(SecurityPolicyUri("opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", NotAllowed(NoMatch(Uri))))].
+ Connection attempt #1; last connected at 1/1/0001 12:00:00 AM (local); unconnected for 00:00:00.0780000.
+ The client method called (or event/callback invoked) was 'BrowseMultiple[1]'.
Source:
Stack Trace:
TargetSite:
Message: Problem browsing OPC Unified Architecture nodes.
Source:
StackTrace:
TargetSite:


Please advise.

Thank you.
Michael

Please Log in or Create an account to join the conversation.

More
11 Sep 2023 14:49 #12089 by support
The type is in the OpcLabs.EasyOpc.UA.Engine namespace.

Please Log in or Create an account to join the conversation.

More
11 Sep 2023 14:46 #12088 by micham
Hi,

Thank you for your answer.

I am getting the following error:

Severity Code Description Project File Line Source Suppression State
Error BC30002 Type 'UAEndpointSelectionPolicy' is not defined.

EBO_Browse D:\MyBin\Proj-VS2017\EBO-OPC Client\Configuration(3,76)\Form1.vb 1 Build N/A


Please advise.

Thank you.

Michael

Please Log in or Create an account to join the conversation.

More
11 Sep 2023 14:35 #12087 by support
I see.

The exception happens because by default, the .EndpointSelectionPolicy in the UAEndpointDescriptor is null, which means that a "global" default endpoint selection policy (common for all servers) will be used (which is probably not what you want).

So, before accessing/manipulating properties of the .EndpointSelectionPolicy (e.g. on a line preceding it), create a new UAEndpointSelectionPolicy object and assign it. Something like
UaDataDialog1.EndpointDescriptor.EndpointSelectionPolicy = New UAEndpointSelectionPolicy()
Regards

Please Log in or Create an account to join the conversation.

More
11 Sep 2023 14:29 #12086 by micham
Hi,

See the attachment.

The exception line is:

UaDataDialog1.EndpointDescriptor.EndpointSelectionPolicy.SecurityPolicyUriString = "opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

Thank you.

Michael
Attachments:

Please Log in or Create an account to join the conversation.

More
11 Sep 2023 14:18 #12085 by support
Hello.

The exception is on line 277 in your Form1.vb.

What is on that line, and what is around it?

Regards

Please Log in or Create an account to join the conversation.

More
11 Sep 2023 13:21 #12084 by micham
Hi,

Thank you for your answer. I have tried it in two ways (see below) but in both ways I get an exception:

1)
Dim gdsEndpointDescriptor As UAEndpointDescriptor =
New UAEndpointDescriptor(MyServerURL) _
.WithUserNameIdentity(localUser, localPassword)

gdsEndpointDescriptor.EndpointSelectionPolicy.SecurityPolicyUriString = "opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

If UA_Security_Annonymous Then ' Jul-18-2021
UaDataDialog1.EndpointDescriptor = MyServerURL
Else
UaDataDialog1.EndpointDescriptor = gdsEndpointDescriptor
End If


2)
Dim gdsEndpointDescriptor As UAEndpointDescriptor =
New UAEndpointDescriptor(MyServerURL) _
.WithUserNameIdentity(localUser, localPassword)

UaDataDialog1.EndpointDescriptor.EndpointSelectionPolicy.SecurityPolicyUriString = "opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

If UA_Security_Annonymous Then ' Jul-18-2021
UaDataDialog1.EndpointDescriptor = MyServerURL
Else
UaDataDialog1.EndpointDescriptor = gdsEndpointDescriptor
End If

See the exception below:
System.NullReferenceException
HResult=0x80004003
Message=Object reference not set to an instance of an object.
Source=EBOOPCClientCFG
StackTrace:
at EBO_Browse.Form1.GlobalTagBrowse_UA(String MyServerURL, String MyServerName, String MyGroup) in D:\MyBin\Proj-VS2017\EBO-OPC Client\Configuration(3)\Form1.vb:line 277
at EBO_Browse.Form1.AddOPCItemsToolStripMenuItem_Click(Object sender, EventArgs e) in D:\MyBin\Proj-VS2017\EBO-OPC Client\Configuration(3)\Form1.vb:line 1020
at System.Windows.Forms.ToolStripItem.RaiseEvent(Object key, EventArgs e)
at System.Windows.Forms.ToolStripMenuItem.OnClick(EventArgs e)
at System.Windows.Forms.ToolStripItem.HandleClick(EventArgs e)
at System.Windows.Forms.ToolStripItem.HandleMouseUp(MouseEventArgs e)
at System.Windows.Forms.ToolStripItem.FireEventInteractive(EventArgs e, ToolStripItemEventType met)
at System.Windows.Forms.ToolStripItem.FireEvent(EventArgs e, ToolStripItemEventType met)
at System.Windows.Forms.ToolStrip.OnMouseUp(MouseEventArgs mea)
at System.Windows.Forms.ToolStripDropDown.OnMouseUp(MouseEventArgs mea)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
at System.Windows.Forms.ToolStrip.WndProc(Message& m)
at System.Windows.Forms.ToolStripDropDown.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr dwComponentID, Int32 reason, Int32 pvLoopData)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnRun()
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[] commandLine)
at EBO_Browse.My.MyApplication.Main(String[] Args) in :line 81




Am I doing something wrong?

Thank you.

Michael

Please Log in or Create an account to join the conversation.

More
10 Sep 2023 15:24 #12083 by support
Hello

Ad 1. From the code, in UAEndpointDescriptor object used in EasyXXClient operation, you can set the security policy using one of the following properties: UAEndpointDescriptor.EndpointSelectionPolicy.SecurityPolicyDisplayName, UAEndpointDescriptor.EndpointSelectionPolicy.SecurityPolicyUriString, or UAEndpointDescriptor.EndpointSelectionPolicy.SecurityPolicyDisplayName.SecurityPolicyUri. They all set the security policy, but they differ in the kind of information you pass in. I recommend the UAEndpointDescriptor.EndpointSelectionPolicy.SecurityPolicyUriString. You can pass to it one of the predefined security policy URI strings from the UASecurityPolicyUriStrings, for example, UASecurityPolicyUriStrings.Basic256Sha256 (which equals to ""opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"").

The message security mode, which you also have on the picture, is not directly part of setting the security policy. But it can be set in similar manner. The property for it is UAEndpointDescriptor.EndpointSelectionPolicy.AllowedMessageSecurityModes.

If you are showing our UI to the interactive user, some of the dialogs for OPC UA allow the user to set anything that's in the endpoint selection policy - and they return the UAEndpointDescriptor already configures with what the user had selected.

Ad 2. The server certificate, including its private key, is primarily stored on the server. For it to be accepted by the client, its copy - without a private key - is transferred via OPC UA to the client, and the client verifies that is an acceptable one. The "trusted" , rejected, etc. certificates are stored in various certificate stores. This is a lengthy topic and we have appropriate documentation for it which cannot be repeated here. See e.g. opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...html#Certificate%20Stores.html .

Ad 3. Most commonly, you do it by locating the rejected certificate in the "Rejected certificated store", and copying or moving it to the "Trusted peers certificate store".

Ad 4. Normally QuickOPC creates the client certificate for you automatically behind the scenes, so you do not have to do anything.

With QuickOPC, you can programatically do various operations with the certificate stores, see e.g. opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...r%20Application%20Service.html and opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...ml#OPC%20UA%20Application.html .

It is, however, more likely that you just want to give you interactive users some way to manage the certificate-related tasks themselves in a friendly way. Since QuickOPC 2023.1, you can give them "Administer OPC UA Application Dialog" (opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...ml#OPC%20UA%20Application.html ), and through it, the users can do practically anything that is needed, certificate-wise. Here is how it looks, and how to operate it: kb.opclabs.com/Dialog:_Administer_OPC_UA_Application .

Approving "rejected" certificates, creating new own client certificates etc. - all of this can be done from this dialog.

Best regards

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.069 seconds