Kepware OPC UA Status Faulted

Hello,

I'm currently facing an issue where the KEPServerEX OPC UA connection I'm trying to create constantly has the status of Faulted with this error being shown:

UaException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
   at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.onError(UascClientAcknowledgeHandler.java:258)
   at org.eclipse.milo.opcua.stack.client.transport.uasc.UascClientAcknowledgeHandler.decode(UascClientAcknowledgeHandler.java:167)
   at io.netty.handler.codec.ByteToMessageCodec$1.decode(ByteToMessageCodec.java:42)
   at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
   at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
   at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
   at io.netty.handler.codec.ByteToMessageCodec.channelRead(ByteToMessageCodec.java:103)
   at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
   at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
   at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
   at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
   at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
   at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
   at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
   at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
   at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
   at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
   at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
   at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
   at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
   at java.base/java.lang.Thread.run(Unknown Source)
8.1.37 (b2024013011)
Azul Systems, Inc. 17.0.9".

Here is another log error from the status > logs page every time Ignition tries to connect:

[remote=/127.0.0.1:49320] Received error message: ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}, reason=An error occurred verifying security.}

A couple things worth noting:

  1. I have trusted the incoming Ignition client certification on the KepServerEX side of things.
  2. I have trusted the KepServerEX/UA Server certification on the Ignition side of things under Config > Opcua > Security located on the gateway's config webpage.

The customer I am working with is currently using Ignition 8.1.37 and KEPServerEX 6.6. I'm stumped on what the solution might be, since I've tested this on my work laptop and was able to connect to a test KEPServer from my local gateway just fine. If any more details are needed I'd be happy to provide them. Thanks, any help is appreciated!

There are lots of other posts about KepServer and I believe even Inductive University videos.

The step it sounds like you may be missing is the creation of a user inside KepServer with the right role/permissions.

Hi Michael,

I have looked through the Inductive University video, specifically the one called "Connecting to Kepware OPC-UA". In that video they don't have any user created in their KEPServerEX setup.

I did create a new administrator account called "Ignition" as shown here, and input that username and password into their respective fields when setting up the OPC UA connection again, but I get the same error.

I'm not sure then. I'd just search the forums and try any other fixes, otherwise reach out to support and see if they can help out.

Anything from a Kepware manual about this message specifically? It's not necessarily a missing cert...

Can you supply your Ignition logs?

Usually this means one of the sides doesn't trust the other's certificate, but it can sometimes mean one side thinks there is something fundamentally wrong with the certificate as well.
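
An added example, not part of the original thread and not Ignition or Kepware code: a small triage script that parses gateway log lines of the form quoted in the question, decodes the OPC UA StatusCode value, and counts rejections per remote endpoint so you can see whether every attempt fails with the same security status. The StatusCode bit layout (severity in the top two bits, sub-code in bits 16-27) comes from the OPC UA specification; the second endpoint and its log line are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample input: the first two lines repeat the message quoted in
# the thread; the third line is made up for this example.
SAMPLE_LOG = """\
[remote=/127.0.0.1:49320] Received error message: ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}, reason=An error occurred verifying security.}
[remote=/127.0.0.1:49320] Received error message: ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}, reason=An error occurred verifying security.}
[remote=/192.0.2.10:4840] Received error message: ErrorMessage{error=StatusCode{name=Bad_Timeout, value=0x800A0000, quality=bad}, reason=constructed sample line}
"""

LINE_RE = re.compile(
    r"\[remote=/(?P<host>[^:\]]+):(?P<port>\d+)\] Received error message: "
    r"ErrorMessage\{error=StatusCode\{name=(?P<name>\w+), "
    r"value=0x(?P<value>[0-9A-Fa-f]{8}), quality=(?P<quality>\w+)\}, "
    r"reason=(?P<reason>.*)\}\s*$"
)
SEVERITY = {0b00: "good", 0b01: "uncertain", 0b10: "bad"}

def decode_status(value):
    """Split a 32-bit OPC UA StatusCode into (severity, sub_code)."""
    severity = SEVERITY.get(value >> 30, "reserved")
    return severity, (value >> 16) & 0x0FFF

def parse_line(line):
    """Return a dict for a matching error line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    value = int(m["value"], 16)
    severity, sub_code = decode_status(value)
    return {
        "endpoint": f"{m['host']}:{m['port']}", "name": m["name"],
        "value": value, "severity": severity, "sub_code": sub_code,
        # The logged quality should agree with the severity bits of the value.
        "consistent": severity == m["quality"], "reason": m["reason"],
    }

def summarize(log_text):
    """Count rejections per (endpoint, status name), skipping unrelated lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["endpoint"], rec["name"])] += 1
    return counts

if __name__ == "__main__":
    for (endpoint, name), n in summarize(SAMPLE_LOG).most_common():
        print(f"{endpoint}  {name}  x{n}")
```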

Would I be able to email/message them to you? They are on a customer's server.

If you need to keep it confidential then it's best to open a support ticket.
