Upgrade 7.9.12 -> 7.9.13 : Opc Connection faulted

y.pfister · December 23, 2019, 2:19pm

I’ve updated Ignition to version 7.9.13.
But I can no longer connect to Beckhoff UA OPC servers.
I have the following error:
nonce must be at least 32 bytes

UaException: status=Bad_NonceInvalid, message=nonce must be at least 32 bytes
	at org.eclipse.milo.opcua.stack.core.util.NonceUtil.validateNonce(NonceUtil.java:176)
	at org.eclipse.milo.opcua.stack.core.util.NonceUtil.validateNonce(NonceUtil.java:162)
	at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.activateSession(SessionFsmFactory.java:878)
	at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$configureActivatingState$17(SessionFsmFactory.java:345)
	at com.digitalpetri.strictmachine.dsl.ActionBuilder$PredicatedTransitionAction.execute(ActionBuilder.java:76)
	at com.digitalpetri.strictmachine.StrictMachine$PollAndEvaluate.lambda$run$0(StrictMachine.java:207)
	at java.util.ArrayList.forEach(Unknown Source)
	at com.digitalpetri.strictmachine.StrictMachine$PollAndEvaluate.run(StrictMachine.java:198)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

7.9.13 (b2019120915)
Oracle Corporation 1.8.0_191

Are there any ideas as to what the problem could be?

Kevin.Herron · December 23, 2019, 2:21pm

You’ll have to change the connection to use security for now.

An update to the OPC UA library included strict nonce validation and the Beckhoff server is sending an invalid nonce back according to the OPC UA spec.

I’m going to relax this check under certain circumstances in a subsequent update, but for now all you can do is switch to using security for the connection or go back to Ignition 7.9.12.

witman · December 23, 2019, 3:28pm

Alternatively, update the Beckhoff OPC UA servers (current versions don’t cause this issue; older ones do). But switching them to use security is a quick fix, and probably not a bad idea anyway. You just have to accept the certificates from Ignition in the Beckhoff OPC UA Configurator after switching to an encrypted endpoint (which is enabled by default on the Beckhoff OPC UA server).

y.pfister · December 24, 2019, 11:07pm

Thank you very much.
The problem is solved with the option:
SecurityPolicy: Basic128Rsa15, MessageSecurity: SignAndEncrypt

Merry Christmas

edm · January 8, 2020, 2:25pm

+1 on relaxing the check, I have a Beijer HMI panel which doesn’t support encryption with the same problem, have to downgrade to 7.9.12.

dstauft · January 8, 2020, 4:43pm

Yup, same issue here… We are using unsecure connections to a vendor supplied OPC server that we can’t configure security on.

Kevin.Herron · January 8, 2020, 4:51pm

I don’t think we’re doing nightly builds in 7.9 so I think staying on 7.9.12 is the only solution for now. 7.9.14 will include a relaxed nonce validation for these non compliant servers.

I’m hoping to get it into an 8.0.8 nightly build in the next day or so.

dstauft · January 8, 2020, 5:23pm

Kevin, we are on 8.0.6 in our dev environment with no OPC connection issues - will 8.0.7 break the connections or will 8.0.8? Not sure what you meant by “Hoping to get it into an 8.0.8 build” - get the security in or the relaxed nonce validation?

Kevin.Herron · January 8, 2020, 5:57pm

The stricter nonce validation that caused this issue is in 8.0.7 I believe, if not already in 8.0.6. The relaxed nonce validation will go into an 8.0.8 nightly build.

This is only an issue with certain 3rd party servers when no security is used.

Kevin.Herron · January 9, 2020, 9:31pm

The relaxed nonce validation should land in tomorrow’s 8.0.8 nightly build.

It will eventually be part of 7.9.14 as well.

jespinmartin1 · February 3, 2020, 10:25pm

I was on 8.0.6 and upgrade to .7. This made my OPC Connections Faulted

pturmel · February 3, 2020, 10:34pm

Go back to 8.0.6 or go forward to the nightly.

edvin · April 29, 2020, 6:06am

Resurrecting this thread, I can’t tell from the release notes, is this issue now fixed in 7.9.14?

Kevin.Herron · April 29, 2020, 12:46pm

Yes, not sure why it doesn’t have a change log entry.

Kleppe85 · September 4, 2020, 10:32am

Should it be possible to connect to a OPC UA -server with no encryption with Ignition 8.0.16?
Im getting the same error as mentioned above.

Kevin.Herron · September 4, 2020, 12:23pm

Yes, it should be under most circumstances. Are you trying to use a username and password with no security?

Kleppe85 · September 9, 2020, 6:10am

Correct, trying to connect to a Beijer iX Panel.

Kevin.Herron · September 9, 2020, 11:42am

This configuration won’t work unless you get an update that fixed the nonce bug in the server.

No security with anonymous identity should work, or using security should work.

Kevin.Herron · October 8, 2020, 11:53pm

A post was split to a new topic: Connecting to Beckhoff OPC UA

Kevin.Herron · October 8, 2020, 11:55pm

A post was merged into an existing topic: Connecting to Beckhoff OPC UA