No suitable endpoint found + BadIdentityTokenRejected

I cannot figure out why I get the error message (No suitable endpoint found + BadIdentityTokenRejected). Please help me out. Do I have a configuration error? Does my certificate have a problem?

It looks like you've made some progress since the other day and now you have a client certificate and you're actually attempting to connect.

Provide a Wireshark capture of the connection attempt and I'll take a look at it. You're not trying to connect without security any more - intentional? In the last post you had the Ignition server configured with just "None" for Security Policies.

Yes, I made some progress! I am working with both the client and Ignition apps on one local Windows platform. Am I still able to use Wireshark?

Yes, Wireshark can capture traffic on loopback/localhost.

Here is the file.
localhost_data.pcapng (72.7 KB)

Ah, looks like your client isn't getting as far as I thought. It's able to connect and call FindServers and GetEndpoints:

It never tries to connect again after that.

The endpoint has this UserTokenPolicy available:

[0]: UserTokenPolicy
    PolicyId: username
    UserTokenType: UserName (0x00000001)
    IssuedTokenType: [OpcUa Null String]
    IssuerEndpointUrl: [OpcUa Null String]
    SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256

All I can infer from your logs is that this isn't a matching token policy for your client's configuration. I don't know enough about the SDK you're using to suggest anything else.

I am using the SDK (https://github.com/open62541/open62541).
Could you show me a correct UserTokenPolicy or SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256?
I am using the sample code at the site https://github.com/open62541/open62541/blob/6f2aeaf040b311d04a5561eb3d4e6400b118adbc/examples/client_connect.c
-username cye -password Smash123@1 -securityMode 3 -cert D:\dev\MutexStudy\OpcUaTriggerCertificate.cer -key D:\dev\MutexStudy\OpcUaTriggerPrivateKey.pem -trustList D:\dev\MutexStudy\ignition-server.der -securityPolicy http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 opc.tcp://localhost:62541/discovery

localhost_data_02.pcapng (96.3 KB)

How can I disable the following security policy?

(http://opcfoundation.org/UA/SecurityPolicy#Basic256)

I finally found the reason. The particular security policy is removed from the client SDK. See the code snippet below:

/* Basic128Rsa15 should no longer be used */
/* retval = UA_SecurityPolicy_Basic128Rsa15(&config->securityPolicies[config->securityPoliciesSize], */
/*                                          localCertificate, decryptedPrivateKey, config->logging); */
/* if(retval == UA_STATUSCODE_GOOD) { */
/*     ++config->securityPoliciesSize; */
/* } else { */
/*     UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND, */
/*                    "Could not add SecurityPolicy#Basic128Rsa15 with error code %s", */
/*                    UA_StatusCode_name(retval)); */
/* } */

/* Basic256 should no longer be used */
/* retval = UA_SecurityPolicy_Basic256(&config->securityPolicies[config->securityPoliciesSize], */
/*                                     localCertificate, decryptedPrivateKey, config->logging); */

/* if(retval == UA_STATUSCODE_GOOD) { */
/*     ++config->securityPoliciesSize; */
/* } else { */
/*     UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND, */
/*                    "Could not add SecurityPolicy#Basic256 with error code %s", */
/*                    UA_StatusCode_name(retval)); */
/* } */

However, the Ignition OPC UA server still returns the unsupported Basic256, which leads to BadIdentityTokenRejected.

This isn't something that you can change the configuration of in Ignition, but it has been changed to Basic256Sha256 in Ignition 8.3.

How can I get Ignition 8.3? I can only download [ignition-8.1.48-windows-64-installer.exe]

See the image below. I set it to Basic256Sha256 by default. Why do I still get the security policy Basic256 from the Ignition server?

You are configuring Basic256Sha256 as the SecurityPolicy for the SecureChannel.

The SecurityPolicy specified by the UserTokenPolicy can be different than the one used by the channel, and in this case it's configured as Basic256.

Ignition 8.3 is an upcoming release later this year; it's not available yet.

I have to use the old open62541 SDK version 1.4.5 now instead of the latest version!

You should ask the open62541 mailing list or whatever support they have if there's a way to enable it in the current version.

It's very common for Clients to continue supporting the deprecated security policies. There are many old servers out there that will never be updated. It's one thing not to support them in a new Server product, but a different thing altogether for a Client product.
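The mismatch discussed in this thread, as an added example that is not code from open62541, Ignition, or any poster: a client can only use a UserTokenPolicy if it has enabled the SecurityPolicy named in that token policy, and the SecureChannel's policy applies only when the token policy's SecurityPolicyUri is empty. The `TokenPolicy` struct, `select_token_policy`, and the sample arrays are hypothetical names with constructed data modeled on the capture above.

```c
#include <stdio.h>
#include <string.h>
#define NS "http://opcfoundation.org/UA/SecurityPolicy#"

/* Hypothetical stand-in for a UserTokenPolicy returned by GetEndpoints. */
typedef struct {
    const char *policyId;
    int tokenType;                 /* 1 = UserName, as in the capture */
    const char *securityPolicyUri; /* NULL or "" = use the channel's policy */
} TokenPolicy;

/* Constructed sample data mirroring the thread. */
static const TokenPolicy IGNITION_TOKENS[] = {{"username", 1, NS "Basic256"}};
static const TokenPolicy INHERIT_TOKENS[] = {{"username", 1, NULL}};
static const char *const SHA256_ONLY[] = {NS "Basic256Sha256"};
static const char *const WITH_BASIC256[] = {NS "Basic256", NS "Basic256Sha256"};

static int enabled_in_client(const char *uri, const char *const *on, size_t n) {
    for(size_t i = 0; i < n; i++)
        if(strcmp(uri, on[i]) == 0) return 1;
    return 0;
}

/* Index of the first token policy of the wanted type whose protecting
 * SecurityPolicy the client has enabled, or -1 if none matches. */
int select_token_policy(const TokenPolicy *tps, size_t count, int wantedType,
                        const char *channelUri,
                        const char *const *on, size_t n) {
    for(size_t i = 0; i < count; i++) {
        if(tps[i].tokenType != wantedType) continue;
        /* The token policy's own URI wins; the channel's is only a fallback. */
        const char *uri = tps[i].securityPolicyUri;
        if(uri == NULL || uri[0] == '\0') uri = channelUri;
        if(enabled_in_client(uri, on, n)) return (int)i;
        fprintf(stderr, "token policy '%s' requires %s, which the client lacks\n",
                tps[i].policyId, uri);
    }
    return -1;
}

int main(void) {
    const char *channel = NS "Basic256Sha256";
    printf("Basic256 token, SHA256-only client: %d\n",
           select_token_policy(IGNITION_TOKENS, 1, 1, channel, SHA256_ONLY, 1));
    printf("Basic256 token, Basic256 enabled:   %d\n",
           select_token_policy(IGNITION_TOKENS, 1, 1, channel, WITH_BASIC256, 2));
    printf("inherited policy, SHA256-only:      %d\n",
           select_token_policy(INHERIT_TOKENS, 1, 1, channel, SHA256_ONLY, 1));
    return 0;
}
```

A result of -1 in the first case corresponds to the situation in the thread: the channel negotiates Basic256Sha256, but the only UserName token policy still names Basic256.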