I am new to this OPC-UA world and Eclipse Milo. I do not understand how the security works here, Discussing about client-example provided by eclipse-milo
I see few properties of security being used to connect to the OPCUA Server:
SecurityPolicy, MessageSecurityMode, clientCertificate, clientKeyPair, setIdentityProvider,
I was trying to run client-examples -> BrowseNodeExample.
This example internally runs the ExampleServer.
ExampleServer is configured to run with Anonymous and UsernamePassword Provider. It is also bound to accept SecurityPolicy.None
, Basic128Rsa15
, Basic256
, Basic256Sha256
with MessageSecurityMode
as SignandEncrypt
except for SecurityPolicy.None
where MessageSecurityMode
is None
too.
SecurtiyPolicy
and MessageSecurityMode
pair mentioned above (without client certificates provided).
But I could not do the same for UsernameProvider
, For UsernameProvider
only SecurityPolicy
MessageSecurityMode
pair with None
runs successfully.
All others pairs throw security checks failed exception (when certificate provided) else user access denied (when client certificate not provided). How to make this work?Lastly, It would be really nice if someone could point me to proper User documentation for Eclipse Milo. Since I could not see any documentation except examples codes, and they are not documented.
SecurityPolicy
and MessageSecurityMode
go hand-in-hand. The security policy dictates the set of algorithms that will be used for signatures and encryption, if any. The message security mode determines whether the messages will be signed, signed and encrypted, or neither in the case where no security is used.
clientCertificate
and clientKeyPair
must be configured if you plan to use security. You can't use encryption or signatures if you don't have a certificate and private key, after all.
IdentityProvider
used to provide the credentials that identify the user of the session, if any.
When the ExampleServer
starts up it logs that its using a temporary security directory, something like this: security temp dir: /var/folders/z5/n2r_tpbn5wd_2kf6jh5kn9_40000gn/T/security
. When a client connects using any kind of security its certificate is not initially trusted by the server, resulting in the Bad_SecurityChecksFailed
errors you're seeing. Inside this directory you'll find a folder rejected
where rejected client certificates are stored. If you move the certificate(s) to the trusted
folder the client should then be able to connect using security.