UAExpert, mappView: How to make a secure OPCUA connection to OPCUA server with communication partner validation

Introduction

  • The aim of this how-to is not to cover the theory of secured communication
  • It is a how-to example of a configuration in an Automation Studio project running in ArSim

Source of information:

1. OPCUA server side

  • configuration of a unique host name for your PLC (CPU – Ethernet Parameters – Hostname)

  • for a local connection without a DHCP server, the IP address must be entered manually

  • creation of a new OPCUA certificate for the OPCUA server

  • important fields that must be filled in (organization, common name, etc.)
  • some of them are taken from your configuration (IP address, DNS name, …)
  • the remaining ones are optional

  • SSL configuration creation
    → Select OPCUA SSL
    → Use certificate and key you have created before

  • Assign the SSL configuration to the OPCUA server; if you would like to prevent non-secure communication, just disable it.

2. OPCUA client side (UAExpert)

  • You have to validate the certificate of the OPCUA server (either import it manually or set it as trusted during the first connection attempt)
  • Check that it is really the certificate you created before (compare the fingerprint shown by UAExpert with the one of the certificate in your project)

  • Trusted certificates can be seen in the certificate manager of the UAExpert client

  • Test communication with security policy None: the connection is refused by the server

  • Test with a security policy enabled: the connection is established (Wireshark trace of the OPCUA communication)
  • be careful, only a security policy enabled on/supported by the OPCUA server can be used


From now on the OPCUA client can use secure communication to the OPCUA server using the certificate. The disadvantage is that any OPCUA client that trusts the server certificate can connect. If you would like to allow only certain OPCUA clients to establish a connection, you can activate communication partner validation on the OPCUA server side.

3. SSL communication partner validation (UAExpert client)

  • The client must have its own certificate
  • UAExpert creates one during the first start-up, or you can use the button to create a new one

  • This certificate must be added to the project, into the ThirdPartyCertificate package

  • In the SSLConfiguration

→ Enable SSL communication partner validation.
→ Add the imported certificate to the list of trusted certificates.

  • Download and restart.
  • From now on only UAExpert with this certificate can connect to the OPCUA server.

4. mappView server certificate

The client certificate must contain the property authorityKeyIdentifier and be in DER format.
For this reason, the client certificate must be created with an external tool, preferably OpenSSL for Windows.

  • You must install OpenSSL; if you have Git installed, OpenSSL is part of it
  • OpenSSL is used for certificate creation (in my case I used the one installed with my Git)

  • Example of a certificate configuration
    → connection to the OPC UA server is established over an IP address

NOTE: keyUsage must contain the keyCertSign parameter (the config in the AS online help is missing it, see the discussion below)

[ req ]
prompt = no
distinguished_name = dn
x509_extensions = x509v3

[ dn ]
commonName = mapp View Server

[ x509v3 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyCertSign
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = URI:Client_Cpp_SDK@myComputer,IP:127.0.0.1

→ connection to the OPC UA server is established over a hostname

[ req ]
prompt = no
distinguished_name = dn
x509_extensions = x509v3

[ dn ]
commonName = mapp View Server

[ x509v3 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyCertSign
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = URI:Client_Cpp_SDK@myComputer,DNS:hostname

  • Command for certificate creation (the folder and the config file name are arbitrary; adapt the paths accordingly)

openssl.exe req -x509 -config C:\temp\ca.conf -nodes -new -keyout C:\temp\ca.key -out C:\temp\ca.cer -sha256 -days 365 -outform DER


  • Output after successful creation (certificate and key)
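Added example (not part of the original post and not B&R's code): a POSIX shell script that runs the same openssl command as above against a constructed copy of the "over IP address" config, using Unix paths instead of C:\temp\, and then checks that the resulting DER certificate really carries the properties the text says mappView needs (authorityKeyIdentifier, keyCertSign, the subjectAltName entries). The check function returns non-zero for a PEM file or a certificate generated without keyCertSign, which is what you want to verify before downloading the certificate to the PLC.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify a mappView client certificate.
set -eu

WORK="${TMPDIR:-/tmp}/mappview_cert_demo"   # assumed scratch directory
mkdir -p "$WORK"

# Constructed copy of the page's "over IP address" config (ca.conf).
cat > "$WORK/ca.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = x509v3

[ dn ]
commonName = mapp View Server

[ x509v3 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyCertSign
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = URI:Client_Cpp_SDK@myComputer,IP:127.0.0.1
EOF

# Same command as on the page (openssl.exe req -x509 ... -outform DER), Unix paths.
make_cert() {
  openssl req -x509 -config "$WORK/ca.conf" -nodes -new \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cer" -sha256 -days 365 -outform DER >/dev/null 2>&1
}

# Returns 0 only if $1 is a DER certificate with every property the page lists as mandatory.
check_cert() {
  text=$(openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null) || return 1  # not DER
  printf '%s\n' "$text" | grep -q 'Authority Key Identifier' || return 1        # authorityKeyIdentifier
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1                # keyCertSign
  printf '%s\n' "$text" | grep -q 'IP Address:127.0.0.1' || return 1            # SAN for IP connection
  printf '%s\n' "$text" | grep -q 'URI:Client_Cpp_SDK@myComputer' || return 1   # SAN application URI
  return 0
}

make_cert
if check_cert "$WORK/ca.cer"; then echo "certificate OK"; else echo "certificate is missing a required property"; fi
```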

5. mappView server – SSL configuration

  • A new SSL configuration must be created
  • Import the certificate and key created in the previous step
  • "Validate SSL communication" can be left off; it is ignored anyway

  • Configuration of the mappView server OPC UA remote connection

  • If the mappView server tries to establish a connection to the OPCUA server now, it will be refused

6. SSL communication partner validation (mappView client)

  • The OPCUA server configuration must be adapted.
  • The mappView certificate must be added to SSL communication partner validation


CertificateSample.zip (107.1 KB)

21 Likes

Hello Jaroslav,
When I follow the above steps to the last step, I get the -1061091026 error in AR Simulation mode. I can’t solve this problem; can you give any advice? Thanks.

1 Like

Then try it without hostname, only as it is in AS Help

subjectAltName = URI:Client_Cpp_SDK@myComputer

I found that the difference in ca.conf between what you wrote and the AS Help is keyCertSign. So when I re-generated the ca.cer and ca.key files after re-editing the ca.conf file, the mapp View server was able to run successfully.


Yep, there is a bug in the AS online help. It is already reported. I thought that you used the config from my tutorial :slight_smile: Happy that besides that my description is working for you :slight_smile:

1 Like

Very detailed,
Thanks a lot!

1 Like

I love the detailed explanation Jarek! Thank you!

1 Like

Ahoj Jaro,
I can’t create a certificate, it says this:
(I have a temp folder created, I’m using win11)

And the configuration file name is ca.conf? The folder and configuration file can have any name. The command must be modified accordingly.

1 Like

Maybe try to put the config file and key / certificate in the current directory; maybe openssl from Git has difficulties parsing Windows paths :person_shrugging:

1 Like

Thank you, I had ca.conf.txt :smiley: then I renamed it correctly and it works now :slight_smile:

2 Likes