I’m assuming there’s something really simple that I am missing here. A colleague of mine is attempting to connect to an Ignition OPC UA server using a third-party application (Embarcadero, using Kassl’s dOPC Toolkit). I believe we have everything set up properly on the Ignition side, but as you can see in the attached images, we are getting a “no public certificate found” error.
We have the security mode in the third-party application set to Sign and Encrypt with the Basic256Sha256 security policy enabled, downloaded the certificate file from the Ignition gateway under the client tab, and used that file in the Embarcadero application as the certificate file. We have also typed in the credentials for the OPC UA user that we configured under the user tab. Could someone point me in the right direction to figure out what I am missing here? I am using version 8.013.
I think you might need to contact the vendor for this client.
Try using UaExpert to connect as a sanity check.
I can tell you that the endpoint at opc.tcp://localhost:62541/discovery does not have a certificate, and that’s intentional. The discovery endpoint is unsecured. The endpoints it returns will point to opc.tcp://localhost:62541, which do have a certificate, and if you have not enabled the “None” security policy, will only offer secured endpoints.
If the client you’re using can’t do discovery against one URL and then actually follow the URLs returned in the endpoints, then it’s deficient and needs to be fixed by the vendor.
You might try pointing your client directly at opc.tcp://localhost:62541 and see if it works.
Thanks. I reached out to the vendor and made some progress, but I’m still having issues. I attached an image of the security settings on the gateway and the error message that I am receiving when trying to validate the connection.
The discovery endpoint (when the URL ends with “/discovery”) does not offer security but your client is trying to connect with security.
Have you tried removing “/discovery” from the endpoint URL you use to connect? Did you ever modify the Ignition server configuration to allow unsecured connections or is it still security only?
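The distinction Kevin draws in his two replies above (the unsecured /discovery URL carries no certificate, GetEndpoints is what hands the client the secured endpoints at the base URL, and a client that opens its secure channel against the typed URL instead of the returned one fails) can be shown in code. The block below is an added illustration, not part of this thread and not Ignition, dOPC or UaExpert code. It models the gateway with a small stand-in class (the URLs are the ones from the thread, the certificate bytes are a placeholder rather than real DER, and the security-level numbers are assumed), then contrasts a compliant client with the deficient behaviour described:

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Security policy URIs and MessageSecurityMode values as defined by the OPC UA specification.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3

BASE_URL = "opc.tcp://localhost:62541"
DISCOVERY_URL = BASE_URL + "/discovery"


@dataclass(frozen=True)
class EndpointDescription:
    """The fields of an OPC UA EndpointDescription a client needs in order to pick an endpoint."""
    endpoint_url: str
    security_policy_uri: str
    security_mode: int
    server_certificate: Optional[bytes]  # DER bytes, or None where the server offers none
    security_level: int


class NoServerCertificate(Exception):
    """A signed or encrypted channel was attempted without the server's public certificate."""


class NoMatchingEndpoint(Exception):
    """GetEndpoints returned nothing matching the requested policy and mode."""


class SimulatedGateway:
    """Constructed stand-in for an Ignition 8 OPC UA server (assumption, not real gateway code).

    The /discovery URL is unsecured and has no certificate. GetEndpoints is answered on either
    URL and every returned EndpointUrl points at the base URL. The "None" policy is advertised
    on the base URL only when the gateway has been configured to allow it.
    """

    SERVER_CERT = b"constructed-placeholder-not-real-der"  # stands in for the DER server cert

    def __init__(self, none_policy_enabled: bool = False) -> None:
        self.none_policy_enabled = none_policy_enabled

    def _accepted(self, url: str) -> Set[Tuple[str, int]]:
        """(policy, mode) pairs the gateway will negotiate on a given URL."""
        if url == DISCOVERY_URL:
            return {(POLICY_NONE, MODE_NONE)}
        if url == BASE_URL:
            accepted = {(POLICY_BASIC256SHA256, MODE_SIGN),
                        (POLICY_BASIC256SHA256, MODE_SIGN_AND_ENCRYPT)}
            if self.none_policy_enabled:
                accepted.add((POLICY_NONE, MODE_NONE))
            return accepted
        raise ConnectionError(f"nothing listening at {url}")

    def get_endpoints(self, url: str) -> List[EndpointDescription]:
        """GetEndpoints over an unsecured channel; every returned endpoint lives at BASE_URL."""
        self._accepted(url)  # raises if the URL is not served at all
        level = {MODE_NONE: 0, MODE_SIGN: 2, MODE_SIGN_AND_ENCRYPT: 3}  # assumed levels
        return [EndpointDescription(BASE_URL, policy, mode, self.SERVER_CERT, level[mode])
                for policy, mode in sorted(self._accepted(BASE_URL))]

    def open_secure_channel(self, url: str, policy: str, mode: int) -> dict:
        """Server side of OpenSecureChannel: reject security the URL does not offer."""
        if (policy, mode) not in self._accepted(url):
            raise ConnectionError(f"Bad_SecurityPolicyRejected at {url}: {policy} / mode {mode}")
        return {"url": url, "policy": policy, "mode": mode}


def select_endpoint(endpoints: List[EndpointDescription], policy: str, mode: int) -> EndpointDescription:
    """Pick the returned endpoint matching the requested policy and mode; highest level wins."""
    matches = [e for e in endpoints if e.security_policy_uri == policy and e.security_mode == mode]
    if not matches:
        raise NoMatchingEndpoint(f"server offers no endpoint with {policy} / mode {mode}")
    return max(matches, key=lambda e: e.security_level)


def open_channel(gw: SimulatedGateway, url: str, policy: str, mode: int,
                 server_cert: Optional[bytes]) -> dict:
    """Client side of OpenSecureChannel. Sign and SignAndEncrypt need the server's public
    certificate before the request can even be built; that is the step the thread's client fails."""
    if mode != MODE_NONE and server_cert is None:
        raise NoServerCertificate(f"no public certificate found for {url}")
    return gw.open_secure_channel(url, policy, mode)


def compliant_connect(gw: SimulatedGateway, entered_url: str, policy: str, mode: int) -> dict:
    """Discover on whatever URL the user typed, then follow the EndpointUrl the server returned."""
    ep = select_endpoint(gw.get_endpoints(entered_url), policy, mode)
    return open_channel(gw, ep.endpoint_url, policy, mode, ep.server_certificate)


def deficient_connect(gw: SimulatedGateway, entered_url: str, policy: str, mode: int) -> dict:
    """The behaviour described in the thread: discovery succeeds, but the secure channel is opened
    against the typed URL, so the client only looks for a certificate belonging to that URL."""
    endpoints = gw.get_endpoints(entered_url)
    cert = next((e.server_certificate for e in endpoints if e.endpoint_url == entered_url), None)
    return open_channel(gw, entered_url, policy, mode, cert)
```

Running `compliant_connect(SimulatedGateway(), DISCOVERY_URL, POLICY_BASIC256SHA256, MODE_SIGN_AND_ENCRYPT)` lands on opc.tcp://localhost:62541 with Sign and Encrypt, while `deficient_connect` with the same arguments raises the "no public certificate found" error, because nothing in the GetEndpoints response describes the /discovery URL. Pointing the deficient client straight at the base URL, as suggested above, works in this model; asking the compliant client for the None policy only succeeds once the gateway is constructed with `none_policy_enabled=True`, which mirrors the question of whether the server was changed to allow unsecured connections.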
Sorry, I’ve been in and out of the office, and was finally able to get a Wireshark capture from my coworker. Also, when I said discovery earlier in reference to port 4840, that section of the window is for searching for a list of available UA servers on the port that you type into that field. When you find a valid one and select it, it will populate the fields at the bottom (Server).
In response to Kevin, we tried removing the /discovery, but received the same error message. Attached is a Wireshark capture (WireSharkData.zip (4.9 KB), a .pcapng file). Not sure if this is the file format you need; please let me know how you would like it to be formatted.
This client is still trying to open a secure channel against the discovery endpoint (opc.tcp://127.0.0.1:62541/discovery) for some reason. Did you get in touch with the vendor of this client yet?
My only issue with this is that you’re allowing unsecured connections to your OPC endpoint. I’d suggest being very careful about slamming None into your OPC-UA server endpoint config. I have a ticket open right now with Ignition about this. As of 8.1 it appears the endpoint always issues a server cert you need to accept on the client regardless of the security mode. If you accept this cert, store it in UaExpert, export the client cert, store it in the Ignition client store as trusted, and update the security mode back to Basic256Sha256, it should work, as UaExpert has already trusted the server cert and you’ve manually added the client cert. However, all you get is a BadConnection status and the same logged error as the OP. Something is wrong on the OPC-UA module’s side.
There’s nothing actually wrong with the OPC UA module; it’s just configured in a way that exposed a bunch of clients that didn’t know what they were doing. This configuration is changing for 8.3.
Thank you very much for the context, Kevin! I better understand the issue now. Also, I see that UaExpert handles the connection differently using the discovery wizard vs. manually entering the endpoint in the advanced section. My advice going forward is to add the discovery endpoint in the wizard with None, then trust the Ignition server cert it throws at you anyway. Remove the None from your Ignition OPC-UA server settings and restart your module, then let UaExpert attempt to connect using the Basic256Sha256 security mode. You’ll now see the cert for your client show up under the quarantine certification section in Ignition. Trust it. Should now be good to go.