[ERROR] UascServerAsymmetricHandler

Hi,
in the beta build b2019010702, I found many errors like this in the gateway logs:

[remote=/127.0.0.1:49159] Exception caught; sent ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}, reason=status=Bad_SecurityChecksFailed, description=An error occurred verifying security.}.

Any idea how to solve this issue?

These are errors connecting to an external OPC UA server.

You’ll have to make sure Ignition’s certificate is trusted by the server as well as mark that server’s certificate trusted in Ignition.

On the Ignition side, look under data/opcua/client/security/pki in the Ignition install directory and move the server certificate from rejected to trusted/certs.

There should be a UI available to do this before release.

Thank you Kevin.
Actually I do not have a connection to an external OPC UA server. I have only the Ignition OPC UA Server connection, that is in the Connected status.

Hmm, yes, I got that message backwards.

Something appears to be connecting to the Ignition OPC UA server instead.

See if there’s a certificate under data/opcua/server/security/pki/rejected. (note the change from client to server in path)

If you aren't expecting this, then your server is being probed, possibly maliciously. Is it exposed to the internet?

Always worth looking into.

In this case, however, the connection is from /127.0.0.1:49159, so it's either the loopback connection not working right or some other software on the machine.

Oops. Should have looked a little closer.

Yes, under data/opcua/server/security/pki/rejected there is a security certificate.

I moved that security certificate to the relative “trusted/certs” folder and then the error disappeared.
Thank you.

Kevin,

I’m getting
UascClientAcknowledgeHandler [remote=/127.0.0.1:49320] Received error message: ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}, reason=An error occurred verifying security.}

I checked data/opcua/client/security/pki/rejected, but didn’t find anything. Is this a different connection?

Joe,

What version of Ignition are you using?

That error (Bad_SecurityChecksFailed) is from a server you’re connecting to. Judging from the host and port, it’s Kepware on the local machine. You’ll have to go into KSE and tell it to trust Ignition’s client certificate.

8.0.2 (We’re upgrading to .3 later).

Okay.

Well, you need to make sure Ignition’s client certificate is trusted in KSE.

You also need to make sure KSE’s server certificate is trusted in Ignition. It’s on the gateway under Configure > OPC UA > Security. Then go to the Client tab and you should see the KSE server certificate there with a button to mark it as trusted.

Then, after all this, there’s a possibility you’re running a version of KSE with a bug that generates invalid application URIs in the certificate. This manifests as a Bad_CertificateUriInvalid error, the same as described in this post. If this is happening you need to upgrade KSE to a 6.1+ version and generate the certificate.

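The two Bad_SecurityChecksFailed messages in this thread point in opposite directions, which is what caused the confusion above. The following is an added example, not code from the thread or from Ignition: a small triage script that tells them apart and maps each to the checks the replies describe. The function and variable names are hypothetical, and it assumes log lines shaped like the two quoted in the thread.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the two messages quoted in the thread.
ERR = ("ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, "
       "value=0x80130000, quality=bad}, reason=An error occurred verifying security.}")
SAMPLE_LOG = [
    "UascServerAsymmetricHandler [remote=/127.0.0.1:49159] Exception caught; sent " + ERR,
    "UascClientAcknowledgeHandler [remote=/127.0.0.1:49320] Received error message: " + ERR,
    "UascServerAsymmetricHandler [remote=/203.0.113.7:51544] Exception caught; sent " + ERR,
]

LINE_RE = re.compile(
    r"\[remote=/(?P<ip>[^\]]+):(?P<port>\d+)\]\s+"
    r"(?P<verb>Exception caught; sent|Received error message:)"
    r".*?name=(?P<status>Bad_\w+)"
)

ADVICE = {
    "inbound": "look in data/opcua/server/security/pki/rejected; move the "
               "certificate to trusted/certs only if this client is expected",
    "outbound": "have the remote server trust Ignition's client certificate, "
                "and trust that server's certificate in Ignition",
}

def triage(line):
    """Classify one log line; return None if it is not a UASC security error."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # "sent" = Ignition's server rejected a peer; "Received" = a remote server rejected Ignition.
    direction = "inbound" if m["verb"].startswith("Exception") else "outbound"
    try:
        loopback = ipaddress.ip_address(m["ip"]).is_loopback
    except ValueError:  # hostname or unparsable address: treat as non-local
        loopback = False
    return {
        "direction": direction,
        "remote": (m["ip"], int(m["port"])),
        "status": m["status"],
        # An unexpected inbound peer that is not local is the probing case raised in the thread.
        "review_exposure": direction == "inbound" and not loopback,
        "advice": ADVICE[direction],
    }

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```
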