UascServerAsymmetricHandler Error when connecting to Ignition 8.1.2

Hi,

I am getting a UascServerAsymmetricHandler error in the logs whenever I try to connect an external OPC UA client (UA Expert) to Ignition. As mentioned above, I am running version 8.1.2.

The security policy is set to Basic256Sha256. But for some reason in the logs it shows up as securityPolicy=None.

I imported the Client certificate into Ignition and vice versa on the UA Expert side. When I try to establish a connection I get the following error:

But when I add Basic128Rsa15,None (because I am using this to connect the Kepware OPC UA client to Ignition elsewhere) to the security policy, I am able to connect UA Expert to Ignition.

Another thing I noticed is that whenever a UA client tries to connect to Ignition, its client certificate shows up under the "Quarantined Certificates" section and I need to trust it. But when I have the security policy set to Basic256Sha256, nothing of that sort happens. I had to manually exchange the UA client certificate and the Ignition server certificate between UA Expert and Ignition. But if I change the security policy to Basic256Sha256,Basic128Rsa15,None, then the certificates are automatically exchanged and I just have to trust them at the client and server end.

31Jul2021 19:34:03 Error installing security token: StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}
org.eclipse.milo.opcua.stack.core.UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl=opc.tcp://localhost:62541, securityPolicy=None, securityMode=None
    at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$openSecureChannel$3(UascServerAsymmetricHandler.java:407)
    at java.base/java.util.Optional.orElseThrow(Unknown Source)
    at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.openSecureChannel(UascServerAsymmetricHandler.java:397)
    at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$sendOpenSecureChannelResponse$1(UascServerAsymmetricHandler.java:301)
    at org.eclipse.milo.opcua.stack.core.channel.SerializationQueue.lambda$encode$0(SerializationQueue.java:57)
    at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)

Thanks

When Ignition’s server is only configured with Basic256Sha256 SecurityPolicy then most clients will need to be configured with the “discovery” URL, which for Ignition is opc.tcp://hostname:62541/discovery.

To get UaExpert connected you’ll need to be using the latest version (1.5.1) and use this discovery URL and the “custom discovery” option, not manually configure the endpoint details.

Kepware’s client is broken and unable to connect unless the “None” SecurityPolicy option is also configured.

Thanks for letting me know about Kepware. Do you know if this is an issue with any particular version? I used 6.9.xxx but no luck with the discovery in the URL. The certificate exchanged automatically but no connection. Planning to try with their latest version and see if that will work.

All versions as far as I know. With Kepware you can use the non-discovery URL but you must have Ignition’s server configured to allow unsecured connections, even if you do end up configuring it to connect with security.

Any change to the Ignition OPC UA server settings does require a restart of the UA module or entire gateway to take effect.
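
A small triage script for the rejection shown in the log above, as an added example that is not part of the original thread or of Ignition or Milo: it parses `no matching endpoint found` lines and separates the case the answer describes (an unsecured channel opened on the non-discovery URL of a Basic256Sha256-only server) from a client asking for a policy the server does not offer. The sample log lines, the reason codes and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: entry 1 follows the format of the log in the question,
# entry 2 is an invented variant with a policy the server does not offer.
SAMPLE_LOG = (
    "UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, "
    "endpointUrl=opc.tcp://localhost:62541, securityPolicy=None, securityMode=None\n"
    "UaException: no matching endpoint found: transportProfile=TCP_UASC_UABINARY, "
    "endpointUrl=opc.tcp://localhost:62541, securityPolicy=Basic128Rsa15, "
    "securityMode=SignAndEncrypt\n"
    "INFO some unrelated gateway log line\n"
)

REJECT = re.compile(
    r"no matching endpoint found: transportProfile=(?P<transport>\w+), "
    r"endpointUrl=(?P<url>[^,\s]+), securityPolicy=(?P<policy>\w+), "
    r"securityMode=(?P<mode>\w+)"
)

def classify(policy, url, configured):
    """Return a reason code (hypothetical labels) for one rejected channel."""
    on_discovery = urlsplit(url).path.rstrip("/") == "/discovery"
    if policy == "None" and "None" not in configured and not on_discovery:
        # Unsecured channel on the session URL of a secured-only server:
        # the fix given in the thread is the /discovery URL, not enabling None.
        return "use-discovery-url"
    if policy not in configured:
        return "policy-not-offered"
    return "mode-or-url-mismatch"

def diagnose(log_text, configured):
    """Return (url, policy, mode, reason) for each rejection in log_text."""
    results = []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            reason = classify(m["policy"], m["url"], configured)
            results.append((m["url"], m["policy"], m["mode"], reason))
    return results

if __name__ == "__main__":
    # Assumed server configuration: Basic256Sha256 only, as in the question.
    for row in diagnose(SAMPLE_LOG, configured={"Basic256Sha256"}):
        print(row)
```
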