Certificate not trusted
Thanks for the hint. The certificate will be accepted now. But there is still an issue:
I get an exception: "Error establishing a connection. = BadSecurityChecksFailed."
Regards,
The EasyUAEngineParameters object you have created is just a "free-standing", in-memory object, and modifying its parameters has no effect whatsoever. You need to modify the parameters that are actually used by the EasyUAClient object.
In .NET, that would mean accessing the static EasyUAClient.SharedParameters parameters property (and then, .EngineParameters inside it).
As there are no static members in COM, you need to instantiate the EasyUAClientConfiguration object instead, and then access its .SharedParameters.EngineParameters.
I hope this helps
Best regards
I tried AcceptAnyCertificate = $True in my PowerShell script, but I still have to acknowledge the dialog box. I assume I did something wrong ...
$oEngine = new-object -com OpcLabs.EasyOpc.UA.Engine.EasyUAEngineParameters
$oEngine.CertificateAcceptancePolicy.AcceptAnyCertificate = $True
$oClient = new-object -com OpcLabs.EasyOpc.UA.EasyUAClient
$oClient.Isolated = $True
$oClient.IsolatedParameters.SessionParameters.EndpointSelectionPolicy.AllowedMessageSecurityModes = 7
$oClient.IsolatedParameters.SessionParameters.EndpointSelectionPolicy.MessageSecurityPreference = -1
$oClient.IsolatedParameters.SessionParameters.UserIdentity.UserNameTokenInfo.UserName="User"
$oClient.IsolatedParameters.SessionParameters.UserIdentity.UserNameTokenInfo.Password="Pass"
$sEndPoint = "opc.tcp://172.22.254.241:4840"
$sNode = 'nsu=http://www.siemens.com/simatic-s7-opcua;ns=3;s="DataBase"."DataB_Stringlaenge"'
$nValue = $oClient.ReadValue($sEndPoint, $sNode)
write-host "Value:" $nValue
exit
R.,
The AllowCertificatePrompt setting is for a different purpose. It is for the client (application) certificate, which gets created (if it doesn’t exist) when an application made with QuickOPC-UA starts.
For checking the server certificates on the client side, you currently (with version 1.00) have to use the standard SDK methods, i.e. the server certificate must be placed (by you, or the installer…) in “trusted peers” certificate store, which (by default) is a directory-based store, "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications". You can use “UA Configuration Tool” (but also Windows tools etc.) to manipulate certificates in the stores. It is possible to choose a different store in QuickOPC-UA e.g. by changing EasyUAClient.EngineParameters.TrustedPeersCertificateStore.
The whole process looks roughly like this:
1. When a session to the server is being created, the UA SDK method for verifying the server certificate is used; the SDK is instructed to use the store given by EasyUAClient.EngineParameters.TrustedPeersCertificateStore.
2. If the above fails, but EasyUAClient.EngineParameters.CertificateAcceptancePolicy.AcceptAnyCertificate is true, the certificate is accepted (i.e. ignored – not checked at all).
3. If the server’s URL is in EasyUAClient.EngineParameters.CertificateAcceptancePolicy.TrustedEndpointUrlStrings, the certificate is accepted (i.e. ignored – not checked at all).
4. Otherwise, the certificate is rejected.
In the future, I expect that we will enhance this process by allowing the developer to hook into it and provide their own validation.
Best regards,
Zbynek
From: R.
Sent: Friday, February 10, 2012 8:29 PM
To: Zbynek Zahradnik
Subject: RE: Ua Browsing
Ah ok. That makes sense. I have that working now.
I still don’t quite understand how the AllowCertificatePrompt is supposed to work, now if I actually want to add security. I have that set to true (on the EasyUAClient object) but I don’t receive any type of dialog prompting to accept the cert and I still get a certificate error when trying to browse the server.
How do I make sure the client accepts the server’s certificate?
Thanks again,
R.
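Added example (not part of the original thread and not OPC Labs code): rather than enabling AcceptAnyCertificate, this PowerShell function places one verified server certificate into the trusted peers directory store named in the reply above, so that step 1 of the process succeeds. The function and parameter names are hypothetical, and the `certs` subfolder and file-naming pattern are assumptions about the directory-store layout.

```powershell
function Add-TrustedUaServerCertificate {
    [CmdletBinding()]
    param(
        # Certificate file exported from the server (DER or PEM).
        [Parameter(Mandatory)] [string] $CertificatePath,
        # SHA-1 thumbprint confirmed with the server administrator out of band.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        # Default directory store, as given in the reply above.
        [string] $StorePath = (Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'OPC Foundation\CertificateStores\UA Applications')
    )

    $file = (Resolve-Path -LiteralPath $CertificatePath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Trust only the certificate that was confirmed, not whatever the file contains.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }

    # Reject certificates that are outside their validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # Assumption: the directory store keeps public certificates as DER files
    # in a 'certs' subfolder, named "<common name> [<thumbprint>].der".
    $certsDir = Join-Path $StorePath 'certs'
    New-Item -ItemType Directory -Path $certsDir -Force | Out-Null

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $safeName = $cert.GetNameInfo($nameType, $false) -replace '[\\/:*?"<>|]', '_'
    $target   = Join-Path $certsDir "$safeName [$($cert.Thumbprint)].der"

    # RawData is the DER encoding, whatever format the input file used.
    [System.IO.File]::WriteAllBytes($target, $cert.RawData)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        StoredAs   = $target
    }
}

# Constructed usage (placeholder values); writing under the common
# application data folder normally needs an elevated prompt:
# Add-TrustedUaServerCertificate -CertificatePath .\server.der -ExpectedThumbprint '<thumbprint from server admin>'
```

With the certificate in the store, AcceptAnyCertificate and TrustedEndpointUrlStrings can stay at values that do not bypass the check.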
In your code, you are changing the AcceptAnyCertificate on a new UACertificateAcceptancePolicy object that is just “yours”, floating around. It is not the one that the component uses.
So, I think you should either (I have not checked the code below, but the ideas should be clear):
a) Assign your object into the component, such as: EasyUAClient.EngineParameters.CertificateAcceptancePolicy = UACert;
or
b) Do not create your own object at all, but simply change the property inside the existing object, such as: EasyUAClient.EngineParameters.CertificateAcceptancePolicy.AcceptAnyCertificate = True;
I suggest using (b), not only because it is simpler, but also because the component might be changing some defaults upon startup in these objects – and if you go the route (a), the newly created object will have the hard-coded initial values, which may not always be ideal.
Best regards,
Z.
From: R.
Sent: Friday, February 10, 2012 3:27 PM
To: Zbynek Zahradnik
Subject: Ua Browsing
Zbynek,
I am trying to test some examples for UA. I am getting an exception that the certificate is not trusted when trying to run the code below. I have the accept any policy set to true. Also my TOP server UA endpoint is set up to have no security requirements. What am I missing?
Dim UACert As New OpcLabs.EasyOpc.UA.UACertificateAcceptancePolicy
UACert.AcceptAnyCertificate = True
Dim nodeElementCollection As UANodeElementCollection = EasyUAClient1.BrowseDataNodes( _
"opc.tcp://192.168.111.52:49380")
For Each nodeElement As UANodeElement In nodeElementCollection
ListBox1.Items.Add(String.Format("nodeElement.NodeId: {0}, nodeElement.DisplayName: {1}", _
nodeElement.NodeId, nodeElement.DisplayName))
Next nodeElement
R.