I am trying to use Ignition to work with Rockwell’s Studio 5000 Emulate.
I have been able to get Ignition to work with the emulator without signing and encryption.
However, when I try to set up a connection using Basic256Sha256 and SignAndEncrypt
I always get the error below.
Any help would be greatly appreciated.
Thanks
UaException: status=Bad_CertificateUriInvalid, message=The URI specified in the ApplicationDescription does not match the URI in the Certificate.
at org.eclipse.milo.opcua.stack.core.util.CertificateValidationUtil.validateApplicationUri(CertificateValidationUtil.java:305)
at com.inductiveautomation.ignition.gateway.opcua.client.ClientManager.initializeObject(ClientManager.kt:123)
at com.inductiveautomation.ignition.gateway.opcua.client.ClientManager$initializeObject$1.invokeSuspend(ClientManager.kt)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(Dispatched.kt:241)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
8.0.4 (b2019091612)
Azul Systems, Inc. 11.0.4
The most likely cause for this is that their certificate contains an invalid application URI, specifically, one that contains whitespace or some other character that is supposed to be URL-encoded but hasn’t been.
When Ignition parses this field in the certificate as a URI it fails and causes a security check that compares the URI in the certificate to the one in the ApplicationDescription in the server endpoints to fail as well.
You should contact Rockwell to 1) let them know this is an issue, 2) figure out if you can change some setting that influences the value of the application URI.
Until the certificate is generated without an invalid URI you won’t be able to connect with security enabled.
If you want to upload the server certificate I can verify that this is what’s happening.
Thank you Kevin,
The system is not allowing me to upload the .der file.
Is there another way I can send it to you?
Confirmed the certificate does have an application URI that contains spaces.
Can I modify the certificate, or should I change the application and regenerate the certificate?
Thanks
I don’t think it’s possible to modify the certificate. Unless you can get the application name changed in Studio 5000 and generate a new certificate with a valid URI there’s not much else you can do.
Kevin
I was able to change the URI generated by the Rockwell application.
This is the URI from the application:
urn:ZSU-WN-T-SS-02:FactoryTalkServer
This is the dump from certutil with the URL:
URL=urn:ZSU-WN-T-SS-02:FactoryTalkServer
They look exactly the same to me.
I tried to create the connection in Ignition again but I am getting the error
UaException: status=Bad_CertificateUriInvalid, message=The URI specified in the ApplicationDescription does not match the URI in the Certificate.
So at this point not sure what to look for.
Can you offer any guidance?
Thanks
Are you able to get a Wireshark capture of the connection attempts? Did you restart or reinitialize the server after you changed the URI?
Is there a way to restart Ignition without restarting the PC?
Yes, but I meant have you restarted FactoryTalk yet?
I restarted the whole box. No change.
Can you get a Wireshark capture of Ignition attempting to connect?
I suspect now what’s wrong is what this security check is actually supposed to catch in the first place - you changed the application URI in the certificate but the URI in the ApplicationDescription in the endpoints returned by the server’s GetEndpoints does not match.
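To make the two failure modes discussed in this thread concrete (a certificate application URI that is not a valid URI because it contains spaces, and a valid certificate URI that does not match the URI in the ApplicationDescription returned by GetEndpoints), here is a small added example that is not part of the thread or of Ignition/Milo. It emulates the client-side check: it pulls the `URL=` entries out of a certutil dump (the sample dump text is constructed), rejects any that fail URI syntax, and otherwise requires an exact match with the ApplicationDescription URI. The function names and the sample host `ZSU-WN-T-SS-02` values are assumptions/examples, not code from the product.

```python
import re
from urllib.parse import urlsplit

# Characters RFC 3986 does not allow to appear raw in a URI. A Java URI parser
# (what the OPC UA stack uses when reading the SubjectAltName) rejects these,
# which is why a space in the application URI breaks certificate validation.
_ILLEGAL = re.compile(r'[\s<>"{}|\\^`]')


def check_uri_syntax(uri):
    """Return None if uri is syntactically valid, otherwise a reason string."""
    if not uri:
        return "empty URI"
    m = _ILLEGAL.search(uri)
    if m:
        return f"illegal character {m.group()!r} at offset {m.start()}"
    try:
        parts = urlsplit(uri)
    except ValueError as e:
        return f"unparseable: {e}"
    if not parts.scheme:
        return "missing scheme (OPC UA application URIs normally start with 'urn:')"
    return None


def extract_cert_uris(certutil_dump):
    """Collect the SubjectAltName 'URL=' entries from a certutil -dump text.

    Trailing whitespace is deliberately preserved so that it shows up as a defect.
    """
    uris = []
    for line in certutil_dump.splitlines():
        s = line.lstrip()
        if s.startswith("URL="):
            uris.append(s[len("URL="):])
    return uris


def describe_mismatch(cert_uri, app_uri):
    """Point at the first differing character so near-invisible differences
    (case, trailing blanks, non-breaking spaces) are easy to spot."""
    for i, (a, b) in enumerate(zip(cert_uri, app_uri)):
        if a != b:
            return (f"first difference at offset {i}: certificate has {a!r}, "
                    f"ApplicationDescription has {b!r}")
    return (f"length differs: certificate {cert_uri!r} ({len(cert_uri)} chars), "
            f"ApplicationDescription {app_uri!r} ({len(app_uri)} chars)")


def validate_application_uri(cert_uris, application_uri):
    """Emulated client check. Returns (status_code_name, detail).

    Mirrors the order of failure seen in the thread: a malformed certificate URI
    fails before any comparison is attempted; a well-formed one must then equal
    the URI advertised in the server's ApplicationDescription.
    """
    if not cert_uris:
        return ("Bad_CertificateUriInvalid", "certificate has no URI in SubjectAltName")
    for uri in cert_uris:
        reason = check_uri_syntax(uri)
        if reason:
            return ("Bad_CertificateUriInvalid",
                    f"certificate URI {uri!r} is not a valid URI: {reason}")
    if application_uri in cert_uris:
        return ("Good", "ApplicationDescription URI matches a certificate URI")
    return ("Bad_CertificateUriInvalid", describe_mismatch(cert_uris[0], application_uri))


# Constructed certutil dump fragment (not a real certificate).
SAMPLE_DUMP = """\
X509v3 Subject Alternative Name
    URL=urn:ZSU-WN-T-SS-02:FactoryTalkServer
    DNS Name=ZSU-WN-T-SS-02
"""

if __name__ == "__main__":
    cert_uris = extract_cert_uris(SAMPLE_DUMP)
    # Case 1: certificate URI contains spaces (constructed) -> fails before comparison
    print(validate_application_uri(["urn:HOST NAME:FactoryTalk Server"],
                                   "urn:HOST NAME:FactoryTalk Server"))
    # Case 2: certificate regenerated, but GetEndpoints still advertises the old URI
    print(validate_application_uri(cert_uris, "urn:HOST NAME:FactoryTalk Server"))
    # Case 3: both sides agree
    print(validate_application_uri(cert_uris, "urn:ZSU-WN-T-SS-02:FactoryTalkServer"))
```

Case 2 is the situation Kevin describes: regenerating the certificate with a clean URI is not enough if the server still advertises the old application URI in its ApplicationDescription, because the check compares the two values exactly.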
OK, I’ll take a crash course in Wireshark momentarily, but I notice there is no certificate from Ignition in FactoryTalk Gateway. Where can I find the Ignition server certificate? I’m going to try and import that into FT Gateway.
You can find it on the gateway config section, under OPC UA > Security, on the Server tab (because you’re viewing certificates the Ignition server trusts). It will have a Common Name of “Ignition OPC UA Client” and you can download it with the icon on the far right.
I would think that FactoryTalk would have a quarantine area to trust client certificates that it populates as clients connect and that you just aren’t getting far enough into the connection process to see it yet.
Also, I’m not at all sure about using Wireshark to monitor a secure connection.
Yes, there is a quarantine area. It never gets the cert.
By the way, I was able to get Ignition to see FT Gateway if I had created the endpoint with no security policy. I verified that data was coming through by using OPC Quick Client.
But if I add security, i.e. Basic256 Sign & Encrypt, I’ll get that message.
Generally it's not very useful, but the exchange I need to see happens before a secure connection is set up, calling the server's GetEndpoints service.
Yes, because no security policy means no certificate validation (unless you're using a username/password, in which case it can still come into play). As soon as you try to secure the connection all your certificate issues need to be fixed before it will work.
OK, I’ve started Wireshark. To reduce the traffic I need to set a filter. Should that be the IP of Ignition?