Issue connecting 3rd party OPC-UA Client to Ignition OPC-UA Server

Taylor_Ketchum · January 24, 2024, 3:26pm

I am currently developing an OPC-UA Client in C++ using the Open62541 library. I am able to connect and read tag values when I attempt this with Ignition v7.9, but am having issues when attempting the same thing in Ignition v8.1. Below are the log messages from each:

Ignition v7.9

[2024-01-23 20:27:06.462 (UTC-0800)] warn/userland      AcceptAll Certificate Verification. Any remote certificate will be accepted.
[2024-01-23 20:27:06.478 (UTC-0800)] info/channel       Connection 296 | SecureChannel 3 | SecureChannel opened with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None and a revised lifetime of 600.00s
[2024-01-23 20:27:06.478 (UTC-0800)] info/client        Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good
[2024-01-23 20:27:06.479 (UTC-0800)] info/client        Use the EndpointURL opc.tcp://127.0.0.1:4096/discovery returned from FindServers
[2024-01-23 20:27:06.480 (UTC-0800)] info/client        Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: Good
[2024-01-23 20:27:06.484 (UTC-0800)] info/channel       Connection 296 | SecureChannel 4 | SecureChannel opened with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None and a revised lifetime of 600.00s
[2024-01-23 20:27:06.484 (UTC-0800)] info/client        Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good
[2024-01-23 20:27:06.485 (UTC-0800)] warn/client        The server returned Endpoints with a different EndpointUrl opc.tcp://127.0.0.1:4096/discovery than was used to initialize the connection: opc.tcp://127.0.0.1:4096/discovery. Some servers require a complete match of the EndpointUrl/DiscoveryUrl (including the path) to return all endpoints.
[2024-01-23 20:27:06.485 (UTC-0800)] info/client        Selected endpoint 0 in URL opc.tcp://127.0.0.1:4096/iaopcua/None with SecurityMode None and SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2024-01-23 20:27:06.485 (UTC-0800)] info/client        Selected UserTokenPolicy anonPolicy with UserTokenType Anonymous and SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2024-01-23 20:27:06.490 (UTC-0800)] info/client        Client Status: ChannelState: Open, SessionState: Created, ConnectStatus: Good
[2024-01-23 20:27:06.491 (UTC-0800)] info/client        Client Status: ChannelState: Open, SessionState: Activated, ConnectStatus: Good
[2024-01-23 20:27:06.492 (UTC-0800)] info/userland      date is: 24-1-2024 4:27:6.491

[2024-01-23 20:27:06.492 (UTC-0800)] info/client        Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: Good

Ignition v8.1

[2024-01-24 09:40:11.635 (UTC-0600)] warn/userland      AcceptAll Certificate Verification. Any remote certificate will be accepted.
[2024-01-24 09:40:11.648 (UTC-0600)] info/channel       Connection 240 | SecureChannel 27 | SecureChannel opened with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None and a revised lifetime of 600.00s
[2024-01-24 09:40:11.648 (UTC-0600)] info/client        Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good
[2024-01-24 09:40:11.648 (UTC-0600)] info/client        Use the EndpointURL opc.tcp://127.0.0.1:62541/discovery returned from FindServers
[2024-01-24 09:40:11.648 (UTC-0600)] info/client        Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: Good
[2024-01-24 09:40:11.649 (UTC-0600)] info/channel       Connection 292 | SecureChannel 28 | SecureChannel opened with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None and a revised lifetime of 600.00s
[2024-01-24 09:40:11.649 (UTC-0600)] info/client        Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good
[2024-01-24 09:40:11.650 (UTC-0600)] warn/client        The server returned Endpoints with a different EndpointUrl opc.tcp://127.0.0.1:62541/discovery than was used to initialize the connection: opc.tcp://127.0.0.1:62541/discovery. Some servers require a complete match of the EndpointUrl/DiscoveryUrl (including the path) to return all endpoints.
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        Selected endpoint 0 in URL opc.tcp://127.0.0.1:62541 with SecurityMode None and SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        Selected UserTokenPolicy anonymous with UserTokenType Anonymous and SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        Received a ServiceFault response
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        The ServiceResult has the StatusCode BadServiceUnsupported
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: BadServiceUnsupported
[2024-01-24 09:40:11.651 (UTC-0600)] info/client        Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: BadServiceUnsupported

The difference is that it is able to create a session with v7.9, but gets the error message "Received a ServiceFault response". Are there any major differences in Ignition v8.1 that would cause issues with creating a session to the OPC-UA Server?

The C++ code is the same for both situations (shown below):

int main(void) {
    UA_Client *client = UA_Client_new();
    UA_ClientConfig_setDefault(UA_Client_getConfig(client));
    UA_StatusCode retval = UA_Client_connect(client, "opc.tcp://127.0.0.1:62541");
    UA_Client_delete(client);

    return 0;
}

Kevin.Herron · January 24, 2024, 3:29pm

Sure, quite a few changes. The endpoint URL of the server changed, the default bind address changed, the default security settings changed.

The thing that gives most 3rd party clients trouble is that, by default, Ignition only allows secured connections to the session endpoint.

There is a discovery endpoint at opc.tcp://localhost:62541/discovery that you can connect to without security to call GetEndpoints. The endpoints returned from this will have endpoint URLs pointing to opc.tcp://localhost:62541.

This is the "session endpoint". You must connect with security to this endpoint. (unless you modify the Ignition OPC UA server settings and add "None" to the allowed security policies)

Taylor_Ketchum · January 24, 2024, 3:32pm

Hey Kevin thanks for the quick update. I should have posted in the original topic that I have already configured the Ignition Gateway to allow a security of None. Here are the settings for the Ignition 8.1 Gateway

Kevin.Herron · January 24, 2024, 3:34pm

Taylor_Ketchum:

[2024-01-24 08:37:57.868 (UTC-0600)] info/client        Rejecting UserTokenPolicy 0 (anonymous) in endpoint 0: configuration doesn't match
[2024-01-24 08:37:57.868 (UTC-0600)] info/client        Rejecting UserTokenPolicy 1 in endpoint 0: security policy 'http://opcfoundation.org/UA/SecurityPolicy#Basic256' not available
[2024-01-24 08:37:57.868 (UTC-0600)] error/client       No suitable UserTokenPolicy found for the possible endpoints

Not sure what this means, but seems like something you should be looking at.

Maybe a Wireshark capture would clear things up.

Taylor_Ketchum · January 24, 2024, 3:41pm

Sorry I seemed to have uploaded the wrong log info for the v8.1. Here is the current log message I am getting:

[2024-01-24 09:40:11.635 (UTC-0600)] warn/userland      AcceptAll Certificate Verification. Any remote certificate will be accepted.
[2024-01-24 09:40:11.648 (UTC-0600)] info/channel       Connection 240 | SecureChannel 27 | SecureChannel opened with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None and a revised lifetime of 600.00s
[2024-01-24 09:40:11.648 (UTC-0600)] info/client        Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good
[2024-01-24 09:40:11.648 (UTC-0600)] info/client        Use the EndpointURL opc.tcp://127.0.0.1:62541/discovery returned from FindServers
[2024-01-24 09:40:11.648 (UTC-0600)] info/client        Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: Good
[2024-01-24 09:40:11.649 (UTC-0600)] info/channel       Connection 292 | SecureChannel 28 | SecureChannel opened with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None and a revised lifetime of 600.00s
[2024-01-24 09:40:11.649 (UTC-0600)] info/client        Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good
[2024-01-24 09:40:11.650 (UTC-0600)] warn/client        The server returned Endpoints with a different EndpointUrl opc.tcp://127.0.0.1:62541/discovery than was used to initialize the connection: opc.tcp://127.0.0.1:62541/discovery. Some servers require a complete match of the EndpointUrl/DiscoveryUrl (including the path) to return all endpoints.
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        Selected endpoint 0 in URL opc.tcp://127.0.0.1:62541 with SecurityMode None and SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        Selected UserTokenPolicy anonymous with UserTokenType Anonymous and SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        Received a ServiceFault response
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        The ServiceResult has the StatusCode BadServiceUnsupported
[2024-01-24 09:40:11.650 (UTC-0600)] info/client        Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: BadServiceUnsupported
[2024-01-24 09:40:11.651 (UTC-0600)] info/client        Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: BadServiceUnsupported

I like the wireshark idea. I will give that a try and see if I get an more information.

Kevin.Herron · January 24, 2024, 3:43pm

I'm pretty sure the problem is your client is trying to open a session against the discovery endpoint. Wireshark would confirm this.

Taylor_Ketchum · January 26, 2024, 2:54pm

Update: This issue has been resolved by building the C++ open62541 library with different build options. Thank you for the support