Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Browse Data Nodes

More
03 Jan 2014 16:56 #1644 by support
Replied by support on topic Browse Data Nodes
The BadCertificateHostNameInvalid is not related to ApplicationUriString.

Can you please check the server certificate, and specifically, the domains it is supposed to be for? The domain may be simply a computer name (such as TEST-PC), or a fully-qualified host name (such as test-pc.mydomain.com). One of the domains has to match the host name in the URL of the endpoint used.

Please Log in or Create an account to join the conversation.

More
03 Jan 2014 15:18 #1643 by support
Replied by support on topic Browse Data Nodes
The OPC spec does not say much of ApplicationUri-s for the clients, but the logic says that similar approach as for servers should be used. For servers: "This identifier should be a fully qualified domain name; however, it may be a GUID or similar construct that ensures global uniqueness."

The bottom line is as I wrote earlier: Make sure it is something that would not conflict with another application, and you will be OK. I recommend to keep it conformant with the URI syntax.

Please Log in or Create an account to join the conversation.

More
30 Dec 2013 14:13 #1640 by support
Replied by support on topic Browse Data Nodes
I can only give you detailed answers after I am back in office - January 3.

Short ones:
- The value of ApplicationUriString isn't that important, as long as it conforms to URI syntax and is unique
- BadCertificateHostNameInvalid: you can turn it off by setting CheckEndpointDomain to false as indicated, OR make the server (or connection URI) use the proper host name.

More on this later

Please Log in or Create an account to join the conversation.

More
29 Dec 2013 10:36 #1639 by adid@contel.co.il
Replied by adid@contel.co.il on topic Browse Data Nodes
hello,

stil getting the error :

OPC-UA service result - BadCertificateHostNameInvalid. ---- SERVICE RESULT ---- StatusCode: {BadCertificateHostNameInvalid} = 0x80160000 (2148925440) ---- REMARKS ---- This error may be an indication of a spoofing attempt. A possible cause is that the effective host name in endpoint URL returned by the server does not match any of the domain names in the server certificate. Associated session-level setting: "CheckEndpointDomain

i think this is beacuse of the ApplicationUriString property.
how should i define this property ?

thank you,
Adi Damty

Please Log in or Create an account to join the conversation.

More
29 Dec 2013 10:26 #1638 by adid@contel.co.il
Replied by adid@contel.co.il on topic Browse Data Nodes
hello,

ignore my last comment - now it's all working, i needed to mark the client as trusted client in the Kepware Opc-UA Configuration.

i am not quite sure what to write in the ApplicationUriString property. i have just copt it from another certificate in the UA Configuration tool. can you examplain this property and provide example ?

thank you,
Adi Damty

Please Log in or Create an account to join the conversation.

More
29 Dec 2013 10:15 #1637 by adid@contel.co.il
Replied by adid@contel.co.il on topic Browse Data Nodes
hello,

i succeed created the certificate in both environment (my computer, and in client test server) using EasyUAClient.Install, see the code below, and succeed see it with UA Configuration tool in both environment. the code is :

EasyUAClient.SharedParameters.Engine.ApplicationCertificateSubject = "Contel-MES";
EasyUAClient.SharedParameters.Engine.ApplicationName = "Contel-MES";
EasyUAClient.SharedParameters.Engine.ApplicationUriString = "urn:adid-win7:mscorlib%252C%2520Version%253D2.0.0.0%252C%2520Culture%253Dneutral%252C%2520PublicKeyToken%253Db77a5c561934e089";
EasyUAClient.SharedParameters.Engine.ProductUriString = "Contel-MES";

EasyUAClient.Install();


when i try to use this defenitions for the asp.net application before the "new EasyUAClient" i get exception in the browseDataNodesCode :

An OPC-UA operation failure with error code -2138701824 (0x80860000) occurred, originating from 'Opc.Ua.Core'. The inner OPC-UA service exception with service result 'BadSecureChannelClosed' contains details about the problem.

and in the output window i saw :
An exception of type 'Opc.Ua.ServiceResultException' from source 'Opc.Ua.Core' has occurred in OPC-UA SDK action 'Session.Create'. The exception descend follows.
(1) {Opc.Ua.ServiceResultException} Opc.Ua.Core(End) -> BadSecureChannelClosed

also i am not sure what to put in the ApplicationUriString - i appriciate if you can provide example.

thank you,
Adi Damty

Please Log in or Create an account to join the conversation.

More
28 Dec 2013 11:47 - 28 Dec 2013 11:48 #1636 by support
Replied by support on topic Browse Data Nodes
Regarding the remainder of your questions:

Ad 1. There may be various reasons. For example, when you first run your application your development computer, you may use the development Web server built-in in Visual Studio. This one uses different accounts and permissions from IIS, and the certificate creates just fine.

Ad 2. Most likely this is due to permissions. IIS settings are VERY restrictive (for good reason), and the feaults won't allow the certification generation or storing it into the store.

Ad 3, ad 5. The default certificate store for OPC-UA applications is not one of the Windows stores, but instead, a file-system (directory) based store. It defaults to "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications", where %CommonApplicationData% is e.g. "C:\ProgramData". The best way to inspect the UA certificates is to run Start -> All Programs -> OPC Foundation -> UA SDK 1.01 -> UA COnfiguration Tool. Then, select the "Manage Certificates" tab, press the drop-down next to "Store Path", select the store I listed above, and press the "View Certificates" button.

Ad 3. You should not use the same certificate for multiple applications. And, you should not use the same certificate even for multiple instances of the same application (such as when you deploy the application on multiple computers). Each instance of the application (typically, this means each application/computer combination, but can be even more) should have its own, unique certificate. This is how UA security is meant to work, because there needs to be a way for the server to authenticate each client connection separately and possibly deny the connection to unsecure or compromised clients. Technically, if you violate this and use the same certificate, things will probably work OK on the surface, but it is against the OPC-UA security specs. This is the reason why the certificate is generated anew on the computer - and the cause of some troubles.

Actually, while using the CertificateGenerator manually is possible, it would be probably too complicated to try to assemble the right set of parameters so that the generated certificate is then properly found by the client application. Instead, I suggest that you create a small Windows based (e.g. Windows Forms app, or a console app). In it, you set the 4 parameters in EasyUAClient.SharedParameters to meaningful values, and then call a static method EasyUAClient.Install(). You then run this application with administrator/elevated privileges, and it will create the certificate (verify it with the UA Configuration Tool described above). In your actual client app, set the parameters in precisely the same way before instantiating the EasyUAClient object, and doing so should assure that it will find and use the certificate (still, the Web app needs to have read access to the directory of the cert store - you may have to modify the permissions). The additional app you created may become part of your installation procedure.

Best regards
Last edit: 28 Dec 2013 11:48 by support.

Please Log in or Create an account to join the conversation.

More
23 Dec 2013 14:33 #1635 by support
Replied by support on topic Browse Data Nodes
To #4: Apparently, "/?" only works with the newer version I was accidentally using. Use "-?" instead with older versions.

Will answer the remainder of your points separately.

Best regards

Please Log in or Create an account to join the conversation.

More
23 Dec 2013 08:31 #1634 by adid@contel.co.il
Replied by adid@contel.co.il on topic Browse Data Nodes
Hello,

i have few questions :

1. Why this trial website i was created ( just to test the OPC-UA ) in asp.net 3.5 works in my computer, and doesn't work in the client test environment ? i will mention that in my computer both asp.net 4.0 and service using the OPC-UA and both working without any manually certificate creation ...

2. in the client test environment there is windows service ( .Net 4.0 ) i created using the OPC-UA and it's working, so why in the same computer the windows service is working and the asp.net 3.5 application doesn't working ? ( i will also mention that in my test client environment the kepware and my trial website and my service, are in the same computer )

3. if the service is working in the client test environment than from the certificate creation algorithem that you describe, certificate was created, so where it should be in the certificate store, and what sould be the certificate parameters ? can i use this certificate also for the asp.net 3.5 application ?

4. when i try to run the opc.ua.certificategenrator through the command line like this :
opc.ua.certificategenrator.exe /?
i get the error : -error Unrecognized Parameter: /?

5. In my computer, where the asp.net 4.0 is working, i search for the certificate in the certificate store but wasn't found it - in which folder it should be created, and what should be the certificate parameters ?

thank you,
Adi Damty

Please Log in or Create an account to join the conversation.

More
22 Dec 2013 19:47 - 23 Dec 2013 19:58 #1633 by support
Replied by support on topic Browse Data Nodes
Thank you very much for the information, it is really helpful.

It appears that there are two issues at play:
1) Problem creating the OPC-UA client application certificate. This may be working as designed (details below), but still you will need to take extra steps to resolve it.
2) Insufficient/incomplete error reporting. This is more or less a bug in QuickOPC. In case of the problem, you were supposed to receive an exception or a log message (or both) with details about the cause, and not just "engine not connected". Thankfully, you have noticed the original exception in the Debug Output.

We will work on improving the error reporting (2). This would not, however, resolve the actual problem (1). For it, however, I have a likely explanation, and instructions.

OPC-UA requires that both parties (client and server) mutually identify themselves using application certificates. The certificates are supposed to be unique for each application (instance), and therefore cannot be a constant part of the "toolkit" (such as QuickOPC), and need to be generated. In order to make this process invisible (in common cases) to the developer, QuickOPC
a) determines the parameters of the certificate automatically, using values such as the EXE name or the calling assembly name,
b) attempts to look up the certificate in the certificate store,
c) if not found, it attempts to create it, and save it into the certificate store.

The algorithm described above does not, however fit well wit hosted environments such as IIS, for two reasons:
- It is difficult to automatically determine reasonable and unique parameters for the certificate, because the hosting process is the IIS service, not "your" own application EXE.
- The page processing code in IIS typically runs with low privileges that do not allow it to call the necessary CertificateGenerator utility, and even less to save the new certificate to the store.

For usage in such environments, the recommendation is:
- Pre-generate the application certificate manually, and save it to the certificate store. This will remove the need for the application to create and save the certificate.
- In your application, set your own parameters of the certificate. The application will then use these parameters to look up the certificate.

Application certificate can be generated using Opc.Ua.CertificateGenerator.exe utility, typically located (after QuickOPC installation) at C:\Program Files (x86)\Common Files\OPC Foundation\UA\v1.0\Bin. Run it with "/?" to obtain usage instructions.

Setting the certificate parameters is done by modifying properties in EasyUAClient.SharedParameters.Engine (EasyUAClient.SharedParameteres is a static property, and you need to set the values before creating the first instance EasyUAClient, in order for it to have the desired effect). The properties of interest are:
- ApplicationCertificateSubject
- ApplicationName
- ApplicationUriString
- ProductUriString

The values should match those used when the certificate was generated, because they (or at least some of them) are used to look up the certificate in the store.

I understand that the above instructions may need further details or explanation; let me know which parts need more attention and I will try to help.

Best regards
Last edit: 23 Dec 2013 19:58 by support.

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.082 seconds