There is something about the Ignition OPC UA loopback connection that I don't fully understand. Maybe someone can give me a hint.
- Per default, the tag system uses the 'Ignition OPC UA Server' connection for OPC tags.
- Per default, the endpoint configuration of this connection is set to use the 'basic256sha256' security policy
- Per default, the OPC UA Server and Client certificates are added as trusted certificates
- I assume that they are also used for this connection, even though it is 'internal'
- The certificates expire after 3 years
Now my question is: What happens with this internal loopback connection after 3 years? Will it stop working until the certificates are renewed?
When the certificate eventually expires, the next time the connection is attempted it will fail. An existing connection will continue to work indefinitely until this happens (reboot, edit/save, whatever).
Edit: in case someone comes across this in the future, I'm not sure this is the correct behavior at the OPC UA level, and it may change some day to fail the next time the underlying secure channel is renewed.
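A small expiry monitor for the gateway's OPC UA certificates, added here as an example and not code from Ignition or from anyone in this thread: it walks the certificate's DER encoding, pulls the Validity notAfter and reports days left, so an expiring certificate is noticed before the next reconnect (reboot, edit/save) fails. It assumes the certificate is available as DER bytes (e.g. exported from the gateway); SAMPLE_CERT is a constructed, minimal certificate-shaped structure, not a real certificate.

```python
from datetime import datetime, timezone

def der_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, value, next_pos); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    kids, p = [], 0
    while p < len(value):
        t, v, p = der_tlv(value, p)
        kids.append((t, v))
    return kids

def parse_time(tag, value):
    """Validity times are UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def find_validity(buf):
    """Depth-first search for the Validity SEQUENCE: exactly two UTCTime/GeneralizedTime children."""
    for tag, value in der_children(buf):
        if tag & 0x20:                              # constructed: SEQUENCE, SET, [n] EXPLICIT ...
            kids = der_children(value)
            if len(kids) == 2 and all(t in (0x17, 0x18) for t, _ in kids):
                return parse_time(*kids[0]), parse_time(*kids[1])
            found = find_validity(value)
            if found:
                return found
    return None

def expiry_status(cert_der, now=None, warn_days=90):
    """(status, days_left): 'expired' once notAfter has passed, 'expiring' within warn_days, else 'ok'.
    'now' is None (current UTC time) or a 'YYYY-MM-DD' string for deterministic checks."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    _, not_after = find_validity(cert_der)
    days = (not_after - now).days
    return ("expired" if days < 0 else "expiring" if days < warn_days else "ok"), days

def der(tag, payload):                              # short-form encoder, only for the sample below
    return bytes([tag, len(payload)]) + payload

# Constructed sample: a minimal certificate-shaped DER structure (not a real certificate)
# with a 3-year validity window like the default Ignition OPC UA certificates.
SAMPLE_CERT = der(0x30, der(0x30,
    der(0x02, b"\x01") +                                                   # serialNumber
    der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b"")) +  # sha256WithRSA
    der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"270101000000Z"))   # validity
))
```

Run it against the exported gateway certificate with `now=None` from a scheduled job and alert on anything other than `'ok'`.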
So basically, this means that we need to update the certificates of every single Ignition instance with connected devices (which are accessed by the tag system through the internal OPC UA server) every 3 years?
Yes, just like an SSL/TLS certificate.
When you regenerate the certificate in the gateway UI (in 8.1.x, anyway), you have the option to set a custom validity period. Feel free to set it to 100 years or something.
Hm this is not something I was aware of (nor was the rest of our team), and it seems to cause a terrible amount of maintenance work because this affects basically every Ignition gateway we set up.
Regenerating the certificate with a validity period of 100 years seems to be an acceptable workaround as long as there are no external connections.
However, it would be very nice to mention this behavior in the documentation and training for the device connections.
Agreed, I'll talk to the documentation folks. I would have thought we already talked about it somewhere.
FWIW, this behavior is universal to all OPC UA clients and servers, and not something specific to ours. Both sides of any secured OPC UA connection have a certificate, whether one, both, or none of those parties are Ignition, and all of these certificates have an expiration date.
Right, and we are fully aware of this when we set up a dedicated OPC UA connection. But since we were "only" using device drivers to connect to PLCs, we were not aware that we might run into trouble after 3 years. However, since the devices are made accessible via the internal OPC UA server, this behavior is absolutely logical. It is just unexpected.
I assume setting the security policy to "None" will also completely prevent the system from checking the certificates? On a completely closed system this would be an acceptable solution since it only impacts the internal connection. I see that the security policy should never be set to None if we allow external connections to the server.
You would have to switch to None and enable "Allow anonymous" on the server and switch the connection to using Anonymous instead of a username and password. This is anonymous identity, not the same as allowing external connections. You would want to remain bound to localhost only.
The certificates are used to encrypt the username and password even when security is not enabled and they are validated before being used for this.
So, there already was a mention of this expiration in the docs, and they've now added an explicit mention that even the loopback connection will stop working if the certificates expire or are otherwise invalid.
OPC UA Security - Ignition User Manual 8.1 - Ignition Documentation (inductiveautomation.com)
Thank you for all the clarifications, Kevin!