Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Loading Certificate Properly using self made client

Start
Prev
1
Next
End

1

support
Offline
Moderator

More

09 Aug 2024 13:31 - 09 Aug 2024 14:21 #13009 by support

Replied by support on topic Loading Certificate Properly using self made client

You still fail to understand that there are two separate authentications:
- application authentication
- user authentication

Study the related OPC UA specifications if you want to learn more. In general, the idea is that one application can be used by multiple users. So for security reasons, one needs to verify that 1) it is is communicating with the right application, and not some spoofed one, AND 2) the user that is controlling the application is the right user.

You now have the application authenticated. But not the user.

You can either:
A ) Enable anonymous user in KEPServerEX: in KEPServerEX 6 Configuration, do Edit -> Properties. Then, under OPC UA, set "Allow anonymous login" to yes.
B ) Make use of user authentication. For this you will need to configure the user(s) in KEPServer EX, and then set the username/password in the UAEndpointDescriptor: use the .WithUserNameIdentity extension method.

I hope this helps
Best regards

Last edit: 09 Aug 2024 14:21 by support.

The following user(s) said Thank You: theder

Please Log in or Create an account to join the conversation.

theder
Topic Author
Offline
Senior Member

More

09 Aug 2024 13:03 #13008 by theder

Replied by theder on topic Loading Certificate Properly using self made client

So I did what you asked I removed the line of setting my own store path and I moved the certificate from the rejected path to UA applications. For me its still denying the connection. This is the error I receive, could this be an issue with not allowing for anonymous logins? I thought if you presented it with a certificate from the server it shouldn't matter or is that incorrect?

Also I tried this as well with my own cert store and I zipped that here along with the default with my changes.

The reason for all the questions is we are required to have a specific configuration on the server and I am trying to investigate all possible authentication routes so thank you for the help.

Please Log in or Create an account to join the conversation.

support
Offline
Moderator

More

09 Aug 2024 06:28 #13007 by support

Replied by support on topic Loading Certificate Properly using self made client

Hello.
You are making it much more complex than it needs to be.

Just do this:
1. Remove the line where you set your own store path.
2. Remove the .WithX509CertificatIdentity call
3. Under your project's output directory (OPCEncryptionTesting\OPCEncryptionTesting\bin\Debug\net8.0), copy the rejected server certificate "+KEPServerEX+UA Server+ [F690068F8490EC7AF468C83373149FF45147B5D3].der" from "OPC Foundation\CertificateStores\RejectedCertificates\certs" to "OPC Foundation\CertificateStores\UA Applications\certs".

And you are done.

It is true that the same can be made to work when you specify your own certificate store path (without Step 1). But since that points to a directory of which you have not provided a zipped contents, I could not diagnose it.

Also, pressing 'P' to trust the certificate permanently should have the same effect as copying.

WithX509CertificatIdentity deals with *user* authentication, not *application* authentication, and is thus a different beast, for a different purpose altogether, so you should not bring this in here. In addition, I think that KepServerEx does not support user authentication through certificates, it uses username/password.

Best regards

Please Log in or Create an account to join the conversation.

theder
Topic Author
Offline
Senior Member

More

08 Aug 2024 20:15 - 08 Aug 2024 20:18 #13006 by theder

Loading Certificate Properly using self made client was created by theder

Hello,

I have several questions on how certain parts of OPC Labs library works. First is the loading of a clients certificate to present to a kepware server. I thought previously that you only had to place a copy of the kepware's server certificate in the clients trusted store/file path which I have but I still fail authentication.

I have listed a picture of the error below. I also have labeled it as a trusted client and set the kepware server to not allow for anonymous connections. It seems to me it never properly loads the certificate or am I mistaken? Instead I tried authentication using x509 certificate identity like this

var attribute = client.Read(endpointDescriptor.WithX509CertificateIdentity("C:\\TestingMyOwnCertStore\\certs\\f690068f8490ec7af468c83373149ff45147b5d3.der", string.Empty), "nsu=KEPServerEX ;ns=2;s=Channel1.Device1.Tag1");

and this does not work either. I have attached my program below is there some kind of configuration I am missing? Is it possible to do it both ways one manually moving the certificate into the store file path or loading it via x509 method calls? If so can you explain both to me?