Skip to main content


Eclipse Community Forums

      Home
Home » Eclipse Projects » 4DIAC - Framework for Distributed Industrial Automation and Control » OPC UA Connection (Error: BadSecurityChecksFailed)
OPC UA Connection (Error: BadSecurityChecksFailed) [message #1854802] Mon, 12 September 2022 08:18 Go to next message
Eclipse UserFriend
Hello,

I have an issue (Error: BadSecurityChecksFailed) with a connection to a third party OPC UA server (Ignition OPC UA Server). I have compiled the forte with open62541 and mbedtls libraries according to manual and created a config file.
My question is: What can cause this error and how can i fix it? P.S. With forte's OPC UA it works, I can publish nodes and subscribe to them like it described in manual, so its probably not the problem of open62541.
All software is installed on one laptop (Win 10), 4DIAC IDE 2.0.1, Ignition 8. 1.19. I do not have much experience with security so i suppose that the problem could be in my certificates. Below in attachment are pictures i decided can be useful.

Error messsage:
INFO: T#834772112449: [CConfigFileParser]: Configuration file configSecurity.forte opened
[2022-09-12 12:51:26.513 (UTC+0200)] error/securitypolicy       Could not create securityContext: BadSecurityChecksFailed
ERROR: T#834772618949: [CUA_ClientConfigFileParser]: Error setting client configuration. Error: BadSecurityChecksFailed
INFO: T#834772670549: [CConfigFileParser]: Closing configuration file
INFO: T#834772737649: [OPC UA CLIENT]: Uninitializing client opc.tcp://localhost:62541


For generating of certificates i use OpenSSL by using this command:
req -new -x509  -config opcuaviewer.config -newkey rsa:2048 -keyout opcuaviewer.key -nodes -outform der -out opcuaviewer.der


my OpenSSL opcuaviewer.config file:
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment,  dataEncipherment, keyCertSign
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier=keyid:always,issuer:always

[ subject ]
countryName = AT
stateOrProvinceName = Wien
localityName = Yegor
organizationName = TU
commonName = ACIN


my forte configSecurity.forte config file:
endpoint=opc.tcp://localhost:62541
username=opcuauser
password=password
certificate=C:/4diac/forte/build/src/Release/opcuaclient.der
privateKey=C:/4diac/forte/build/src/Release/opcuaclient.pem
securityPolicy=http:/ /opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
securityMode=3
Re: OPC UA Connection (Error: BadSecurityChecksFailed) [message #1854818 is a reply to message #1854802] Tue, 13 September 2022 02:01 Go to previous messageGo to next message
Eclipse UserFriend
Hi,

I don't know much about certificates and keys, but you should get 1 certificate and 1 private key files, both in binary files.
In your case you should use opcuaviewer.key and opcuaviewer.der

According to https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file opcuaviewer.key is probably in PEM format, which should probably be converted to .der which probably will work with

openssl x509 -in opcuaviewer.key -out opcuaviewer_key.der -outform DER
Re: OPC UA Connection (Error: BadSecurityChecksFailed) [message #1854829 is a reply to message #1854818] Tue, 13 September 2022 11:58 Go to previous messageGo to next message
Eclipse UserFriend
Thank you for the link.
I have also checked the manual:
https://www.eclipse.org/4diac/en_help.php?helppage=html/communication/opc_ua_version1.html
and noticed that both certificate and the key have .der format. So I have used additional parameter "-keyform der" which i found in OpenSSL documentation, so now OpenSSL command look like this:
req -new -x509 -config opcuaconfig.config -newkey rsa:2048 -keyform der -keyout opcuaviewer_key.der -nodes -outform der -out opcuaviewer_cert.der

Unfortunately it didn't help, error is still there.

Also I have tried to change server's Security Policies - "None" instead of "Basic256Sha256". It also didn't help. I can easily connect with UaExpert or Ignition Client to Ignition OPC server(no matter what is Security Policies) or forte's OPC server. But in case of 4DIAC to Ignition OPC server it is always the same error.
Re: OPC UA Connection (Error: BadSecurityChecksFailed) [message #1854837 is a reply to message #1854829] Wed, 14 September 2022 01:04 Go to previous messageGo to next message
Eclipse UserFriend
Try using the the python script from open62541

https://github.com/open62541/open62541/blob/master/tools/certs/create_self-signed.py

I didn't check the details to see if it's different to what you're trying, but I used it in the past
Re: OPC UA Connection (Error: BadSecurityChecksFailed) [message #1854869 is a reply to message #1854837] Thu, 15 September 2022 16:02 Go to previous message
Eclipse UserFriend
Thank you for helping.
Unfortunately it didn't help. For now I turned on Anonymous Access on OPC server and set Security Policies to "None" to avoid this problem. I will keep searching for solution.
Previous Topic:Read and Write OPC UA variables on a remote server
Next Topic:OPC UA core server disconnnect
Goto Forum:
  


Current Time: Tue Jun 17 14:09:04 EDT 2025

Powered by FUDForum. Page generated in 0.03938 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly