
How to authenticate with a Certificate with Twin? #385

Closed
Tracked by #2005
andr5362 opened this issue Apr 15, 2020 · 5 comments
Labels
feature request New feature or request Web-Api

Comments

@andr5362
andr5362 commented Apr 15, 2020

I am trying to read a node/value or write a node/value. I can get it to work without the certificate validation on both sides. But when I add the certificates I can't get it to work.

How do I add a certificate to be trusted/expected instead of rejected? And how do I set up a client certificate on the twin that should be trusted on the server side, in my case a PLC? (Not the auto-generated one, but if I would choose that, how can I access it through the X509 certificate store on Windows 10?)

{
    "endpoint": {
        "url": "opc.tcp://10.30.98.251:4840",
        "securityMode": "SignAndEncrypt",
        "certificate": "Thumbprint for server or client?"
    },
    "request": {
        "header": {
            "elevation" : {
                "type": "X509Certificate",
                "value": ".cert or .pfx for server or client?"
            }
        },
        "NodeId": "ns=3;s=\"OPC-UA_COMM\".\"Test\".\"Test\"" 
    }
}

One of the errors I get if I parse the .cer in the elevation is the following:

[DirectMethod] Invoking Direct Method [ValueRead_V2] to [********/opctwin] ...
[DirectMethod] Response from [*******/opctwin]:
{
  "status": 401,
  "payload": {
    "ClassName": "System.UnauthorizedAccessException",
    "Message": null,
    "Data": null,
    "InnerException": {},
    "HelpURL": null,
    "StackTraceString": "   at Microsoft.Azure.IIoT.Modules.OpcUa.Twin.Controllers.SupervisorMethodsController.ValueReadAsync(EndpointApiModel endpoint, ValueReadRequestApiModel request) in D:\\a\\1\\s\\modules\\src\\Microsoft.Azure.IIoT.Modules.OpcUa.Twin\\src\\Controllers\\SupervisorMethodsController.cs:line 141",
    "RemoteStackTraceString": null,
    "RemoteStackIndex": 0,
    "ExceptionMethod": null,
    "HResult": -2147024891,
    "Source": "System.Private.CoreLib",
    "WatsonBuckets": null,
    "Exception": "UnauthorizedAccessException",
    "CausedBy": {
      "Message": "Endpoint does not support the user identity type provided.",
      "Exception": "ServiceResultException"
    }
  }
}
@marcschier
Collaborator

This is not yet supported but is in our backlog. We will evaluate user certificates for a release later this year.

@marcschier marcschier added the feature request New feature or request label Apr 16, 2020
@andr5362
Author

Okay, what are the other options? Can it forward its own generated certificate to the OPC Server?

@marcschier
Collaborator

Hi @andr5362 - the certificate property is a thumbprint of a server certificate on the endpoint you want to trust. The certificate in the user elevation is a user authentication certificate. This is being deprecated in favor of tokens, but we are looking at providing both token and certificate user authentication at some point in the future potentially. Can you use username/password or anonymous authentication over an encrypted channel as an alternative?
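Added example, not code from the issue or from the Industrial IoT project: the reply above says the endpoint `certificate` property is the thumbprint of the server certificate to trust, while the X509 user elevation is not supported. The helper below derives that thumbprint from a `.cer` export (SHA-1 over the DER bytes, rendered as 40 upper-case hex characters, which is how the Windows certificate store and .NET's `X509Certificate2.Thumbprint` present it) and places it in the request shape from the issue, with an anonymous session over the `SignAndEncrypt` channel instead of a user certificate. The certificate bytes are a constructed placeholder, the function names are my own, and that the Twin accepts exactly this hex form is an assumption drawn from the .NET convention.

```python
import base64
import hashlib
import re

# Constructed sample input (NOT a real certificate): placeholder DER bytes wrapped in
# PEM armour so the helpers can be exercised offline. Replace with the bytes of the
# .cer exported from the PLC / OPC UA server.
SAMPLE_DER = bytes(range(0x30, 0x30 + 64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(data: bytes) -> bytes:
    """Return the DER encoding of the first certificate in `data`.

    Accepts PEM (base64 inside BEGIN/END CERTIFICATE armour) or raw DER
    (a .cer exported in binary form is passed through unchanged).
    """
    match = _PEM_BLOCK.search(data.decode("ascii", errors="ignore"))
    if match:
        return base64.b64decode("".join(match.group(1).split()))
    return data


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes as 40 upper-case hex characters.

    This is the "Thumbprint" value the Windows certificate store and .NET's
    X509Certificate2.Thumbprint report; assumed here to be what the endpoint
    "certificate" property expects.
    """
    return hashlib.sha1(der).hexdigest().upper()


def is_valid_thumbprint(value: str) -> bool:
    """True if `value` looks like a SHA-1 thumbprint: 40 hex chars, no separators."""
    return re.fullmatch(r"[0-9A-Fa-f]{40}", value) is not None


def build_value_read(url: str, server_cert: bytes, node_id: str) -> dict:
    """Assemble the ValueRead request from the issue, pinning the server certificate.

    No "elevation" is set, so the session is anonymous over the encrypted channel
    (one of the alternatives suggested in the thread). The only certificate involved
    is the server's; nothing here configures a user certificate.
    """
    tp = thumbprint(pem_to_der(server_cert))
    if not is_valid_thumbprint(tp):
        raise ValueError("could not derive a SHA-1 thumbprint from the certificate")
    return {
        "endpoint": {
            "url": url,
            "securityMode": "SignAndEncrypt",
            "certificate": tp,
        },
        "request": {
            "header": {},
            "NodeId": node_id,
        },
    }


if __name__ == "__main__":
    import json

    req = build_value_read(
        "opc.tcp://10.30.98.251:4840",  # endpoint URL from the issue
        SAMPLE_PEM.encode("ascii"),
        'ns=3;s="OPC-UA_COMM"."Test"."Test"',
    )
    print(json.dumps(req, indent=2))
```

Pinning by thumbprint means a renewed server certificate (new key or re-issued DER) changes the value and the endpoint will be rejected again until the configuration is updated, so the thumbprint belongs in the same change process as the PLC certificate itself.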

@marcschier marcschier added this to the 2.8 milestone May 4, 2020
@barnstee barnstee removed this from the 2.8 milestone Sep 17, 2020
@hansgschossmann
Contributor

@andr5362 for now the workaround would be to change the configuration for the OPC Twin module's layered deployment configuration to bind the certificate directory to a host directory. Please let me know if you still need to resolve this.

simonjaeger pushed a commit that referenced this issue Jun 22, 2021
Builds on top of !11 to test that alarm messages are sent in with the right order and payload as defined in the deterministic alarms json file.

Not yet implemented are:
- #390 The first messages received are not in the correct order. As a workaround for now, we are skipping the first 10 messages.
- #391 We have no assertions on the times of the events and payload time fields, this will be added subsequently.

Related work items: #377, #389, #385
@marcschier marcschier added this to the Future milestone Jan 17, 2023
@marcschier marcschier removed this from the Future milestone Jun 25, 2023
@marcschier
Collaborator

Will be tracked in #2005.
