Authentication to Ignition OPC UA Server

I’m assuming there’s something really simple that I am missing here. A colleague of mine is attempting to connect to an Ignition OPC UA server using a third-party application (Embarcadero, using Kassl’s dOPC Toolkit). I believe we have everything set up on the Ignition side properly, but as you can see in the attached images we are getting a “no public certificate found” error.

We have the security mode in the third-party application set to Sign and Encrypt with the Basic256Sha256 security policy enabled, downloaded the certificate file from the Ignition gateway under the Client tab, and used that file in the Embarcadero application as the certificate file. We have also typed in the credentials for the OPC UA user that we configured under the Users tab. Could someone point me in the right direction to figure out what I am missing here? I am using version 8.013.


Doesn’t sound like you’ve got anything set up wrong. Your screenshot didn’t make it as an attachment.

If you made any changes to Ignition’s OPC UA server settings you do need to restart the module or gateway for them to take effect.

What endpoint URL are you configuring the client with?

Sorry, the original images have been added. We just tried restarting the PC a few minutes ago, but haven’t had any luck.

I think you might need to contact the vendor for this client.

Try using UaExpert to connect as a sanity check.

I can tell you that the endpoint at opc.tcp://localhost:62541/discovery does not have a certificate, and that’s intentional. The discovery endpoint is unsecured. The endpoints it returns will point to opc.tcp://localhost:62541, which do have a certificate, and if you have not enabled the “None” security policy, will only offer secured endpoints.

If the client you’re using can’t do discovery against one URL and then actually follow the URLs returned in the endpoints then it’s deficient and needs to be fixed by the vendor.

You might try pointing your client directly at opc.tcp://localhost:62541 and see if it works.
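To make the discovery-then-connect behaviour described above concrete, here is an added example in Python. It is not code from this thread, from Ignition, or from the dOPC Toolkit; it models a correct client that calls GetEndpoints once against the unsecured /discovery URL and then connects to one of the returned EndpointUrls whose security policy and mode match what it wants. The endpoint list, the placeholder certificate bytes, and the helper names (`Endpoint`, `usable`, `select_endpoint`, `diagnose`) are all constructed for the illustration; the policy URIs and MessageSecurityMode values are the ones defined by the OPC UA specification.

```python
"""Endpoint selection after OPC UA discovery (added example, not from the thread)."""
from dataclasses import dataclass

# SecurityPolicy URIs as defined in the OPC UA specification (Part 7).
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

# MessageSecurityMode enumeration values (Part 4): None=1, Sign=2, SignAndEncrypt=3.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3


@dataclass(frozen=True)
class Endpoint:
    """Subset of an OPC UA EndpointDescription (constructed for this example)."""
    url: str
    security_policy_uri: str
    security_mode: int
    server_certificate: bytes  # empty when the endpoint offers no security


# Constructed sample modelled on the thread: Ignition on its default port 62541
# with only Basic256Sha256 enabled, so /discovery is the only unsecured
# endpoint and it carries no server certificate.
FAKE_CERT = b"\x30\x82\x03\xa1"  # placeholder DER prefix, not a real certificate
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://localhost:62541/discovery", POLICY_NONE, MODE_NONE, b""),
    Endpoint("opc.tcp://localhost:62541", POLICY_BASIC256SHA256, MODE_SIGN, FAKE_CERT),
    Endpoint("opc.tcp://localhost:62541", POLICY_BASIC256SHA256, MODE_SIGN_AND_ENCRYPT, FAKE_CERT),
]


def usable(ep: Endpoint, policy_uri: str, mode: int) -> bool:
    """True if ep offers exactly the requested policy and mode.

    A secured mode additionally requires a server certificate: opening a
    Sign or SignAndEncrypt channel against an endpoint that has none is the
    "no public certificate found" failure described in the thread.
    """
    if ep.security_policy_uri != policy_uri or ep.security_mode != mode:
        return False
    if mode != MODE_NONE and not ep.server_certificate:
        return False
    return True


def select_endpoint(endpoints, policy_uri, mode, allow_unsecured=False):
    """Pick the endpoint a client should actually connect to after discovery.

    Falls back to the None policy only when allow_unsecured is set, which is
    what enabling "None" on the server side makes possible; such a session
    is neither signed nor encrypted, so treat the fallback as a conscious
    decision rather than a default.
    """
    for ep in endpoints:
        if usable(ep, policy_uri, mode):
            return ep
    if allow_unsecured:
        for ep in endpoints:
            if usable(ep, POLICY_NONE, MODE_NONE):
                return ep
    return None


def diagnose(endpoints, target_url, policy_uri, mode):
    """Explain why connecting to target_url with the given security would fail."""
    at_url = [ep for ep in endpoints if ep.url == target_url]
    if not at_url:
        return f"{target_url} is not among the discovered endpoints"
    if mode != MODE_NONE and all(not ep.server_certificate for ep in at_url):
        return f"{target_url} offers no certificate; use a secured endpoint URL instead"
    if not any(usable(ep, policy_uri, mode) for ep in at_url):
        return f"{target_url} does not offer the requested policy/mode"
    return "ok"


if __name__ == "__main__":
    want = (POLICY_BASIC256SHA256, MODE_SIGN_AND_ENCRYPT)
    print(diagnose(SAMPLE_ENDPOINTS, "opc.tcp://localhost:62541/discovery", *want))
    chosen = select_endpoint(SAMPLE_ENDPOINTS, *want)
    print("connect to:", chosen.url, "mode", chosen.security_mode)
```

Running it reports that the /discovery URL offers no certificate and that the client should connect to opc.tcp://localhost:62541 with SignAndEncrypt. A real client would obtain the endpoint list from a GetEndpoints call instead of the constructed `SAMPLE_ENDPOINTS`, but the selection rule is the same: never open a secured channel against an endpoint that advertises no certificate, and only take the None fallback deliberately.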

Make sure your OPC URL endpoint is set up correctly and that the server isn’t faulted in Config > OPC Client > OPC Connections.

Are you sure you need the colon before the port?

Thanks. I reached out to the vendor and made some progress, but I am still having issues. I attached an image of the security settings on the gateway and the error message that I am receiving when trying to validate the connection.


Can you click the “+” next to the UascServerAsymmetricHandler error and copy/paste everything here?

Is it possible for you to get a Wireshark capture of this also?

Your bind port in the screenshot of the gateway settings is 62541, yet you are trying to access it through 4840.

Working with my colleague to get a Wireshark capture. Will post when he is able to.

That is for discovery; it is auto-populated as soon as the window is opened. It is not the actual port that we are using to connect.

The discovery endpoint (when the URL ends with “/discovery”) does not offer security but your client is trying to connect with security.

Have you tried removing “/discovery” from the endpoint URL you use to connect? Did you ever modify the Ignition server configuration to allow unsecured connections or is it still security only?

Sorry, I’ve been in and out of the office, and was finally able to get a Wireshark capture from my coworker. Also, when I said discovery earlier in reference to port 4840, that section of the window is for searching for a list of available UA servers on the port that you type into that field. When you find a valid one and select it, it populates the fields at the bottom (Server).

In response to Kevin, we tried removing the /discovery, but received the same error message. Attached is a Wireshark capture (4.9 KB .pcapng file). Not sure if this is the file format you need; please let me know how you would like it formatted.

This client is still trying to open a secure channel against the discovery endpoint (opc.tcp:// for some reason. Did you get in touch with the vendor of this client yet?

If anyone is curious, I ended up finding the solution to the security token issue that I was having in this post.

I suspect if anyone is curious, they’ll also be curious about how you solved it. Details, please?


Changing the config of the server to allow ‘None,Basic256Sha256’ for the security policy got rid of my issue.
