OPC-UA Client connection issues

drewdin · September 28, 2023, 4:25pm

I'm trying to connect my MES software to read tags from ignition over OPC-UA. When i try to setup the MES as a client to talk with Ignition. I get the following error.

org.eclipse.milo.opcua.stack.core.UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl=opc.tcp://hostname:62541, securityPolicy=None, securityMode=None
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$openSecureChannel$3(UascServerAsymmetricHandler.java:397)
at java.base/java.util.Optional.orElseThrow(Unknown Source)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.openSecureChannel(UascServerAsymmetricHandler.java:387)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$sendOpenSecureChannelResponse$1(UascServerAsymmetricHandler.java:298)
at org.eclipse.milo.opcua.stack.core.channel.SerializationQueue.lambda$encode$0(SerializationQueue.java:52)
at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)

Notice the security policy and mode are set to None when in fact I have them set in the application to Basic256sha256 and SignAndEncrypt.

As a test, I installed UAExpert locally on the ignition server and got the same error trying to connect, anyone have any tips on figuring out why the ignition server thinks the security is missing when its actually being sent over? Thanks!

Kevin.Herron · September 28, 2023, 4:27pm

You may need to point the software at the discovery endpoint instead: opc.tcp://host:62541/discovery. This is at least what you would need to do with UaExpert via its "custom discovery" flow.

The server has two endpoints: one for discovery, one for sessions. The discovery endpoint is unsecured, and the session endpoint only allows secured connections by default. You're pointing your software at the session endpoint, and despite configuring it to use security, it's probably trying to start with an unsecured GetEndpoints request to look up the endpoint information.

drewdin · September 28, 2023, 5:30pm

Thanks, that got me closer with UAExpert, since its installed locally do I need to do anything with certificates?

I got an error that states server returned no cert, cert step will be skipped
Error BadInvalidArgument was returned during OpenSecureChannel

Nothing is listed in quarantined certs either

Thanks Again!

Kevin.Herron · September 28, 2023, 5:32pm

Whether it's local or not is irrelevant re: certificates. Both sides will need to trust the other side's certificates.

I don't know what that error is about. What version of Ignition are you using?

drewdin · September 28, 2023, 7:28pm

Its version 8.1.20, those errors are in UaExpert. SHould I expect a cert from UaExpert to be added/approved in ignition? Thanks again

drewdin · September 28, 2023, 7:34pm

the log in our MES shows the following:

error: unable to connect to server 'opc.tcp://hostname:62541/discovery' the connection has been rejected by the server

Please check that client certificate is trusted by server,

But i don't see the MES client cert in the quarantine, I'll try manually moving it in and see if that works.

Software is Critical Manufacturing MES

Kevin.Herron · September 28, 2023, 7:40pm

Yes, if the connection gets far enough. UaExpert is definitely able to connect to Ignition under normal circumstances.

Are there still errors in the Ignition Gateway logs when the MES software tries to connect?

drewdin · September 28, 2023, 7:44pm

Here is the error in the ignition log for the MES attempts to connect.

[remote=/MES_IP:60548] Exception caught; sent ErrorMessage{error=StatusCode{name=Bad_UnexpectedError, value=0x80010000, quality=bad}, reason=java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0}

Kevin.Herron · September 28, 2023, 7:44pm

Maybe a Wireshark capture and a full Ignition log export would help.

drewdin · September 28, 2023, 7:49pm

Here is the full error in the log, should I assume that once the MES connection is establish the cert should be in the quarantine for me to approve?

I'll have to get wireshark and set some time, this is a prod server.

io.netty.handler.codec.DecoderException: java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:658)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:584)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:995)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0
at java.base/jdk.internal.util.Preconditions.outOfBounds(Unknown Source)
at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Unknown Source)
at java.base/jdk.internal.util.Preconditions.checkIndex(Unknown Source)
at java.base/java.util.Objects.checkIndex(Unknown Source)
at java.base/java.util.ArrayList.get(Unknown Source)
at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificate(CertificateUtil.java:83)
at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificate(CertificateUtil.java:72)
at org.eclipse.milo.opcua.stack.core.channel.ServerSecureChannel.setRemoteCertificate(ServerSecureChannel.java:72)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:193)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:119)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449)
... 16 common frames omitted

Kevin.Herron · September 28, 2023, 7:51pm

This error is implying that the MES client is not sending a certificate while opening a secure channel with a security policy that requires one. Wireshark would probably show the same.

drewdin · September 28, 2023, 7:54pm

awesome thanks

drewdin · September 29, 2023, 12:50pm

one last question, can I manually import the mes client cert into ignition to get around if its not sending it with the connection? thanks again!

Kevin.Herron · September 29, 2023, 1:09pm

No, this error will still happen.

drewdin · September 29, 2023, 1:40pm

Thanks, I did import it and got the same error so i removed it. I have some confusion from the MES vendor on what cert needs to be sent. They have a pem and a private cert but the import only wanted a .der.

What do I need to tell them they need? sorry for the dumb questions.

Kevin.Herron · September 29, 2023, 2:08pm

It sounds like they need to get some support from whoever their OPC UA SDK vendor is. I’m not sure they know what they’re doing.

drewdin · September 29, 2023, 7:18pm

I agree, here is another question for you. I had then change the way they connect to ignition from client to server. When they did i got the cert in the quarantine.

I was thinking that ignition is the server and they are the client reading tags but am I thinking of this in reverse. Are they the server and ignition is the client? I think I'm talking myself in circles! haha

Kevin.Herron · September 29, 2023, 8:43pm

If they want to get data out of Ignition, into the MES, they should be client.

If you want to get data out of the MES system, into Ignition, they should be server.

drewdin · September 29, 2023, 8:56pm

Thanks again, I was getting confused because when I connect UaExpert to ignition, its connecting and providing a server cert. I expected a client cert.

Kevin.Herron · September 29, 2023, 9:12pm

No, I think you're getting confused.

Under the "Server" section in Ignition you will see the Ignition OPC UA server certificate along with trusted or quarantined certificates of clients that have tried to connect or have connected.

Under the "Client" section you will see the Ignition OPC UA client certificate along with certificates of servers you have attempted to connect to from Ignition.