OPC-UA Client connection issues

I'm trying to connect my MES software to read tags from Ignition over OPC-UA. When I try to set up the MES as a client to talk with Ignition, I get the following error.

org.eclipse.milo.opcua.stack.core.UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl=opc.tcp://hostname:62541, securityPolicy=None, securityMode=None
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$openSecureChannel$3(UascServerAsymmetricHandler.java:397)
at java.base/java.util.Optional.orElseThrow(Unknown Source)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.openSecureChannel(UascServerAsymmetricHandler.java:387)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$sendOpenSecureChannelResponse$1(UascServerAsymmetricHandler.java:298)
at org.eclipse.milo.opcua.stack.core.channel.SerializationQueue.lambda$encode$0(SerializationQueue.java:52)
at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)

Notice the security policy and mode are set to None when in fact I have them set in the application to Basic256Sha256 and SignAndEncrypt.

As a test, I installed UaExpert locally on the Ignition server and got the same error trying to connect. Anyone have any tips on figuring out why the Ignition server thinks the security is missing when it's actually being sent over? Thanks!

You may need to point the software at the discovery endpoint instead: opc.tcp://host:62541/discovery. This is at least what you would need to do with UaExpert via its "custom discovery" flow.

The server has two endpoints: one for discovery, one for sessions. The discovery endpoint is unsecured, and the session endpoint only allows secured connections by default. You're pointing your software at the session endpoint, and despite configuring it to use security, it's probably trying to start with an unsecured GetEndpoints request to look up the endpoint information.
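The two-step flow described in this reply (an unsecured channel for GetEndpoints, then a secured channel to the endpoint the client actually wants) is easy to misread from the error alone. The following is an added example, not code from the original thread, Milo, Ignition or UaExpert: a constructed model of a server with an unsecured `/discovery` endpoint and a secured session endpoint, and a client that tries to start with an unsecured GetEndpoints. The hostname, port and endpoint list are constructed to match the error text above.

```python
"""Constructed model of OPC UA endpoint selection. Not Milo's, Ignition's or UaExpert's code;
the server's endpoint list, hostname and port are assumptions chosen to mirror the thread."""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

TCP_UASC_UABINARY = "http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary"
SECURITY_POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
SECURITY_POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"


class UaException(Exception):
    pass


@dataclass(frozen=True)
class EndpointDescription:
    endpoint_url: str
    security_policy_uri: str
    security_mode: str            # "None", "Sign" or "SignAndEncrypt"
    transport_profile_uri: str = TCP_UASC_UABINARY


def sample_server_endpoints(host: str = "hostname", port: int = 62541) -> List[EndpointDescription]:
    """Constructed: an unsecured discovery endpoint plus a session endpoint that only accepts security."""
    return [
        EndpointDescription(f"opc.tcp://{host}:{port}/discovery", SECURITY_POLICY_NONE, "None"),
        EndpointDescription(f"opc.tcp://{host}:{port}", SECURITY_POLICY_BASIC256SHA256, "SignAndEncrypt"),
    ]


def _path(url: str) -> str:
    return urlparse(url).path.rstrip("/")


def server_open_secure_channel(endpoints, requested_url, policy_uri, mode) -> EndpointDescription:
    """Server side: an OpenSecureChannel request must match an endpoint on transport, URL path, policy and mode."""
    for ep in endpoints:
        if (ep.transport_profile_uri == TCP_UASC_UABINARY
                and _path(ep.endpoint_url) == _path(requested_url)
                and ep.security_policy_uri == policy_uri
                and ep.security_mode == mode):
            return ep
    short = policy_uri.rsplit("#", 1)[-1]
    raise UaException(
        f"no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl={requested_url}, "
        f"securityPolicy={short}, securityMode={mode}")


def client_connect(endpoints, configured_url, policy_uri, mode) -> EndpointDescription:
    """Client side: first an unsecured channel so GetEndpoints can run, then a secured channel."""
    # Step 1: OpenSecureChannel with None/None at the URL the user typed, in order to call GetEndpoints.
    # This is the step that fails when configured_url is the secured session endpoint: the server
    # reports securityPolicy=None even though the client was configured for Basic256Sha256.
    server_open_secure_channel(endpoints, configured_url, SECURITY_POLICY_NONE, "None")
    # Step 2: GetEndpoints returns every endpoint; keep the ones matching the configured policy and mode.
    candidates = [ep for ep in endpoints
                  if ep.security_policy_uri == policy_uri and ep.security_mode == mode]
    if not candidates:
        raise UaException(f"server offers no endpoint with {policy_uri.rsplit('#', 1)[-1]}/{mode}")
    # Step 3: close the discovery channel and open a secured one to the selected endpoint.
    chosen = candidates[0]
    return server_open_secure_channel(endpoints, chosen.endpoint_url, policy_uri, mode)


def connect_outcome(configured_url: str,
                    policy_uri: str = SECURITY_POLICY_BASIC256SHA256,
                    mode: str = "SignAndEncrypt") -> str:
    """Return the endpoint URL the session landed on, or the server's error text."""
    try:
        return client_connect(sample_server_endpoints(), configured_url, policy_uri, mode).endpoint_url
    except UaException as exc:
        return str(exc)


if __name__ == "__main__":
    print(connect_outcome("opc.tcp://hostname:62541"))            # the error from the first post
    print(connect_outcome("opc.tcp://hostname:62541/discovery"))  # lands on the secured session endpoint
```

Pointing the client at the session endpoint fails at step 1 with exactly the `securityPolicy=None, securityMode=None` text from the first post, because that is the security the discovery handshake uses, not the security the client was configured with; pointing it at `/discovery` lets step 1 succeed and step 3 ends on the Basic256Sha256/SignAndEncrypt endpoint.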

Thanks, that got me closer with UaExpert. Since it's installed locally, do I need to do anything with certificates?

I got an error that states server returned no cert, cert step will be skipped
Error BadInvalidArgument was returned during OpenSecureChannel

Nothing is listed in quarantined certs either

Thanks Again!

Whether it's local or not is irrelevant re: certificates. Both sides will need to trust the other side's certificates.

I don't know what that error is about. What version of Ignition are you using?

It's version 8.1.20; those errors are in UaExpert. Should I expect a cert from UaExpert to be added/approved in Ignition? Thanks again

The log in our MES shows the following:

error: unable to connect to server 'opc.tcp://hostname:62541/discovery' the connection has been rejected by the server

Please check that client certificate is trusted by server,

But I don't see the MES client cert in the quarantine. I'll try manually moving it in and see if that works.

Software is Critical Manufacturing MES

Yes, if the connection gets far enough. UaExpert is definitely able to connect to Ignition under normal circumstances.

Are there still errors in the Ignition Gateway logs when the MES software tries to connect?

Here is the error in the ignition log for the MES attempts to connect.

[remote=/MES_IP:60548] Exception caught; sent ErrorMessage{error=StatusCode{name=Bad_UnexpectedError, value=0x80010000, quality=bad}, reason=java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0}

Maybe a Wireshark capture and a full Ignition log export would help.

Here is the full error in the log. Should I assume that once the MES connection is established the cert should be in the quarantine for me to approve?

I'll have to get Wireshark and set aside some time; this is a prod server.

io.netty.handler.codec.DecoderException: java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:658)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:584)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:995)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0
at java.base/jdk.internal.util.Preconditions.outOfBounds(Unknown Source)
at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Unknown Source)
at java.base/jdk.internal.util.Preconditions.checkIndex(Unknown Source)
at java.base/java.util.Objects.checkIndex(Unknown Source)
at java.base/java.util.ArrayList.get(Unknown Source)
at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificate(CertificateUtil.java:83)
at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificate(CertificateUtil.java:72)
at org.eclipse.milo.opcua.stack.core.channel.ServerSecureChannel.setRemoteCertificate(ServerSecureChannel.java:72)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:193)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:119)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449)
... 16 common frames omitted

This error is implying that the MES client is not sending a certificate while opening a secure channel with a security policy that requires one. Wireshark would probably show the same.
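To make the trace above concrete: the `IndexOutOfBoundsException: Index 0 out of bounds for length 0` comes from taking the first element of an empty certificate list, which is what happens when a client opens a Basic256Sha256 channel without a sender certificate. The following is an added example, not Milo's, Ignition's or the MES vendor's code: a constructed parser for the OpenSecureChannel asymmetric security header (real OPC UA binary layout, int32 length prefixes with -1 for null) with a naive handler that reproduces the failure mode and a hardened handler that checks the header against the policy first and returns a proper status code. The "certificates" are placeholder DER SEQUENCEs, not real X.509 certificates, and the status code constants other than Bad_UnexpectedError (taken from the log) are the standard OPC UA values.

```python
"""Constructed model of the OpenSecureChannel asymmetric security header check.
Not Milo's or Ignition's code; the placeholder certificate and thumbprint are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECURITY_POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
SECURITY_POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

GOOD = 0x00000000
BAD_UNEXPECTED_ERROR = 0x80010000      # the code Ignition sent in the log above
BAD_CERTIFICATE_INVALID = 0x80120000
BAD_SECURITY_CHECKS_FAILED = 0x80130000


class UaStatusError(Exception):
    def __init__(self, code: int, reason: str):
        super().__init__(f"StatusCode 0x{code:08X}: {reason}")
        self.code, self.reason = code, reason


def encode_bytestring(value: Optional[bytes]) -> bytes:
    """OPC UA binary String/ByteString: int32 little-endian length, -1 encodes null."""
    return struct.pack("<i", -1) if value is None else struct.pack("<i", len(value)) + value


def decode_bytestring(buf: bytes, off: int) -> Tuple[Optional[bytes], int]:
    (n,) = struct.unpack_from("<i", buf, off)
    off += 4
    if n < 0:
        return None, off
    if off + n > len(buf):
        raise UaStatusError(BAD_SECURITY_CHECKS_FAILED, "truncated security header")
    return buf[off:off + n], off + n


@dataclass
class AsymmetricSecurityHeader:
    security_policy_uri: str
    sender_certificate: Optional[bytes]
    receiver_certificate_thumbprint: Optional[bytes]


def build_header(policy_uri: str, sender_cert: Optional[bytes], receiver_thumbprint: Optional[bytes]) -> bytes:
    return (encode_bytestring(policy_uri.encode("utf-8")) + encode_bytestring(sender_cert)
            + encode_bytestring(receiver_thumbprint))


def parse_header(buf: bytes) -> AsymmetricSecurityHeader:
    policy, off = decode_bytestring(buf, 0)
    cert, off = decode_bytestring(buf, off)
    thumb, _ = decode_bytestring(buf, off)
    if policy is None:
        raise UaStatusError(BAD_SECURITY_CHECKS_FAILED, "missing SecurityPolicyUri")
    return AsymmetricSecurityHeader(policy.decode("utf-8"), cert, thumb)


def split_der_chain(blob: bytes) -> List[bytes]:
    """Split concatenated DER SEQUENCEs (how a certificate chain is carried) into a list."""
    out, off = [], 0
    while off < len(blob):
        if blob[off] != 0x30 or off + 1 >= len(blob):
            raise UaStatusError(BAD_CERTIFICATE_INVALID, "certificate is not a DER SEQUENCE")
        length, hdr = blob[off + 1], 2
        if length & 0x80:                          # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(blob[off + 2:off + 2 + nbytes], "big")
            hdr += nbytes
        end = off + hdr + length
        if end > len(blob):
            raise UaStatusError(BAD_CERTIFICATE_INVALID, "truncated DER certificate")
        out.append(blob[off:end])
        off = end
    return out


def naive_server_handle(buf: bytes) -> Tuple[int, str]:
    """Models the trace: decode the chain and take element 0 without checking that it exists."""
    hdr = parse_header(buf)
    chain = split_der_chain(hdr.sender_certificate or b"")
    try:
        leaf = chain[0]                            # IndexError when the client sent no certificate
    except IndexError as exc:
        return BAD_UNEXPECTED_ERROR, f"IndexOutOfBounds: {exc}"
    return GOOD, f"leaf certificate {len(leaf)} bytes"


def hardened_server_handle(buf: bytes) -> Tuple[int, str]:
    """Same decode, but the header is checked against the policy before the chain is touched."""
    try:
        hdr = parse_header(buf)
        if hdr.security_policy_uri == SECURITY_POLICY_NONE:
            return GOOD, "unsecured channel (policy None)"
        if not hdr.sender_certificate:
            raise UaStatusError(BAD_SECURITY_CHECKS_FAILED,
                                "security policy requires a sender certificate but none was sent")
        thumb = hdr.receiver_certificate_thumbprint
        if thumb is None or len(thumb) != 20:
            raise UaStatusError(BAD_SECURITY_CHECKS_FAILED, "receiver thumbprint must be a 20-byte SHA-1")
        chain = split_der_chain(hdr.sender_certificate)
        return GOOD, f"leaf certificate {len(chain[0])} bytes, {len(chain)} in chain"
    except UaStatusError as err:
        return err.code, err.reason


# Constructed placeholder "certificate" (DER SEQUENCE { INTEGER 1 }) and an all-zero thumbprint.
PLACEHOLDER_CERT = bytes.fromhex("3003020101")
PLACEHOLDER_THUMBPRINT = bytes(20)
MISSING_CERT_REQUEST = build_header(SECURITY_POLICY_BASIC256SHA256, b"", PLACEHOLDER_THUMBPRINT)
GOOD_REQUEST = build_header(SECURITY_POLICY_BASIC256SHA256, PLACEHOLDER_CERT, PLACEHOLDER_THUMBPRINT)
```

Run against `MISSING_CERT_REQUEST`, the naive handler reports Bad_UnexpectedError (0x80010000), the same code Ignition sent the MES; the hardened handler reports Bad_SecurityChecksFailed with a reason that names the real problem. Either way the fix is on the client side: the MES has to send its certificate in the OpenSecureChannel request, so importing the certificate into Ignition's trust list by hand does not change the outcome.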

Awesome, thanks

One last question: can I manually import the MES client cert into Ignition to get around it if it's not sending it with the connection? Thanks again!

No, this error will still happen.

Thanks, I did import it and got the same error, so I removed it. I have some confusion from the MES vendor on what cert needs to be sent. They have a PEM and a private cert, but the import only wanted a .der.

What do I need to tell them they need? Sorry for the dumb questions.

It sounds like they need to get some support from whoever their OPC UA SDK vendor is. I’m not sure they know what they’re doing.

2 Likes

I agree. Here is another question for you. I had them change the way they connect to Ignition from client to server. When they did, I got the cert in the quarantine.

I was thinking that Ignition is the server and they are the client reading tags, but am I thinking of this in reverse? Are they the server and Ignition is the client? I think I'm talking myself in circles! haha

If they want to get data out of Ignition, into the MES, they should be client.

If you want to get data out of the MES system, into Ignition, they should be server.

1 Like

Thanks again. I was getting confused because when I connect UaExpert to Ignition, it's connecting and providing a server cert. I expected a client cert.

No, I think you're getting confused.

Under the "Server" section in Ignition you will see the Ignition OPC UA server certificate along with trusted or quarantined certificates of clients that have tried to connect or have connected.

Under the "Client" section you will see the Ignition OPC UA client certificate along with certificates of servers you have attempted to connect to from Ignition.

2 Likes