Trying to use Ignition to work with Rockwell’s Studio 5000 Emulate.

Also, I’m not at all sure about using Wireshark to monitor a secure connection.

Yes, there is a quarantine area. It never gets the cert.

By the way, I was able to get Ignition to see FT Gateway if I had created the endpoint with no security policy. I verified that data was coming through by using OPC Quick Client.

But if I add security, i.e. Basic256 Sign & Encrypt, I’ll get that message.

Generally it's not very useful, but the exchange I need to see happens before a secure connection is set up, calling the server's GetEndpoints service.

Yes, because no security policy means no certificate validation (unless you're using a username/password, in which case it can still come into play). As soon as you try to secure the connection all your certificate issues need to be fixed before it will work.

OK, I’ve started Wireshark. To reduce the traffic I need to set a filter. Should that be the IP of Ignition?

Try tcp.port==4840 or whatever port FactoryTalk is using for OPC UA.

If you don’t see any traffic you may need to make sure you’re selecting the right network adapter, or the loopback adapter if they are on the same machine and you’re connecting via localhost.

OK, looks like it is port 4990.

I set the filter to tcp.port==4990. There was no traffic.
I then recreated the connection in Ignition. Still no traffic observed.

OK, I checked and I did not have local loopback.
Changed to the Loop Back adapter and I see traffic on tcp.port==4990.

What would you like me to capture?

Start the capture and then do an edit/save on the connection in Ignition or just wait long enough that it has attempted to reconnect again. You should see among other things a GetEndpointsRequest and GetEndpointsResponse pair.

Edit: actually, you may not be able to see what they are if you don’t have Wireshark configured to interpret 4990 as OPC UA, but if you have a bunch of back-and-forth traffic you can send it my way and I’ll see if it’s what is needed.

OK I captured a block of data.
I’m emailing you the file.

Kevin, did the file I sent you contain any useful data?

I didn’t get an email from you yesterday. Maybe one of our mail filters gobbled it up?

Did the file make it through?

No, I PM’d you a dropbox link you can upload to instead.

Confirmed, the server is now legitimately sending a mismatched URI:

It would be great if you could contact Rockwell about this. They may actually fix it since you are presumably a customer.

Or modify the batch file to encode spaces in the subject alternate name as %20 instead of removing them. Since it is a batch file, you’ll probably have to double the percent signs to avoid environment substitution.

I don’t know if that will work, but it’s worth a shot.
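To make the failure mode above concrete, here is an added example (written for this page, not code from the thread, from Ignition, or from Rockwell's scripts) that shows the client-side rule the error is about: the ApplicationUri the server advertises in its EndpointDescription must appear verbatim as a URI entry in the server certificate's Subject Alternative Name. It also shows why a URI containing a raw space is not a URI at all, how percent-encoding the space as %20 keeps the two values comparable, and how the corresponding batch-file line has to double the percent signs as the post suggests. All names (the PLC and gateway URI, the variable name) are constructed for the example.

```python
"""
Added example: OPC UA ApplicationUri vs. certificate SAN URI check.
Not from the forum thread, Ignition, Milo or FactoryTalk; all values are constructed.
"""
import re
from urllib.parse import quote

# RFC 3986: scheme, then only unreserved / reserved / percent-escape characters.
_URI_SYNTAX = re.compile(
    r"^[A-Za-z][A-Za-z0-9+.\-]*:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$"
)
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def is_valid_uri(uri: str) -> bool:
    """True if the string is syntactically a URI: no raw spaces, no broken %-escapes."""
    return bool(_URI_SYNTAX.match(uri)) and _BAD_ESCAPE.search(uri) is None


def encode_application_uri(raw_uri: str) -> str:
    """Percent-encode a raw (not yet encoded) application URI so that spaces
    become %20 while scheme and delimiter characters are kept as they are."""
    return quote(raw_uri, safe=":/?#[]@!$&'()*+,;=")


def batch_line(raw_uri: str, var_name: str = "APP_URI") -> str:
    """Build a cmd.exe batch line that carries the encoded URI. In a .bat file
    '%2' is a positional parameter, so every literal percent sign must be
    doubled (assumption taken from the post above, not from Rockwell's file)."""
    encoded = encode_application_uri(raw_uri)
    return f"set {var_name}={encoded.replace('%', '%%')}"


def san_uri_matches(san_uris, application_uri: str):
    """Mimic the check an OPC UA client performs before trusting a server cert:
    the advertised ApplicationUri must equal one of the SAN URI entries exactly.
    Returns (ok, reason) so the caller can log why the connection was refused."""
    if not is_valid_uri(application_uri):
        return False, f"ApplicationUri {application_uri!r} is not a valid URI"
    if not san_uris:
        return False, "certificate carries no URI entry in SubjectAltName"
    if application_uri in san_uris:
        return True, "ApplicationUri matches a SAN URI"
    return False, f"ApplicationUri {application_uri!r} not found in SAN {list(san_uris)!r}"


def demo():
    """Walk through the three situations discussed in the thread (constructed data)."""
    raw = "urn:PLC01:Rockwell:FactoryTalk Linx Gateway"   # constructed, has spaces
    stripped = raw.replace(" ", "")                       # what a naive script writes
    encoded = encode_application_uri(raw)                 # the %20 variant
    return {
        "raw_is_uri": is_valid_uri(raw),                  # False: raw space
        "stripped_vs_encoded": san_uri_matches([stripped], encoded),  # mismatch
        "encoded_vs_encoded": san_uri_matches([encoded], encoded),    # match
        "batch": batch_line(raw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the outcome of each case. The comparison is deliberately an exact string match rather than a normalising one: the OPC UA specification requires the two values to be identical, so any script that rewrites the URI for the certificate (stripping, encoding, or otherwise) has to produce the same string the server later advertises in GetEndpoints.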

Ah, I needed a good laugh today. Thank you! :slight_smile:


FWIW, a near-future version is going to have the ability to suppress this check on a per-connection basis, as well as disable client-side certificate validation altogether on a per-connection basis, for connecting to those servers that just can’t get it together.

In the past we’ve always managed to get the server configured correctly somehow when this popped up, but there have been a couple of cases now where that isn’t true.