Upgrade 7.9.12 -> 7.9.13 : Opc Connection faulted

I’ve updated Ignition to version 7.9.13.
But I can no longer connect to Beckhoff UA OPC servers.
I have the following error:
nonce must be at least 32 bytes

UaException: status=Bad_NonceInvalid, message=nonce must be at least 32 bytes
	at org.eclipse.milo.opcua.stack.core.util.NonceUtil.validateNonce(NonceUtil.java:176)
	at org.eclipse.milo.opcua.stack.core.util.NonceUtil.validateNonce(NonceUtil.java:162)
	at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.activateSession(SessionFsmFactory.java:878)
	at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$configureActivatingState$17(SessionFsmFactory.java:345)
	at com.digitalpetri.strictmachine.dsl.ActionBuilder$PredicatedTransitionAction.execute(ActionBuilder.java:76)
	at com.digitalpetri.strictmachine.StrictMachine$PollAndEvaluate.lambda$run$0(StrictMachine.java:207)
	at java.util.ArrayList.forEach(Unknown Source)
	at com.digitalpetri.strictmachine.StrictMachine$PollAndEvaluate.run(StrictMachine.java:198)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

7.9.13 (b2019120915)
Oracle Corporation 1.8.0_191

Are there any ideas as to what the problem could be?

You’ll have to change the connection to use security for now.

An update to the OPC UA library included strict nonce validation and the Beckhoff server is sending an invalid nonce back according to the OPC UA spec.

I’m going to relax this check under certain circumstances in a subsequent update, but for now all you can do is switch to using security for the connection or go back to Ignition 7.9.12.

Alternatively, update the Beckhoff OPC UA servers (current versions don’t cause this issue; older ones do). But switching them to use security is a quick fix, and probably not a bad idea anyway. You just have to accept the certificates from Ignition in the Beckhoff OPC UA Configurator after switching to an encrypted endpoint (which is enabled by default on the Beckhoff OPC UA server).

Thank you very much.
The problem is solved with the option:
SecurityPolicy: Basic128Rsa15, MessageSecurity: SignAndEncrypt

Merry Christmas


+1 on relaxing the check, I have a Beijer HMI panel which doesn’t support encryption with the same problem, have to downgrade to 7.9.12.

Yup, same issue here… We are using unsecure connections to a vendor supplied OPC server that we can’t configure security on.

I don’t think we’re doing nightly builds in 7.9 so I think staying on 7.9.12 is the only solution for now. 7.9.14 will include a relaxed nonce validation for these non compliant servers.

I’m hoping to get it into an 8.0.8 nightly build in the next day or so.

Kevin, we are on 8.0.6 in our dev environment with no OPC connection issues - will 8.0.7 break the connections or will 8.0.8? Not sure what you meant by “Hoping to get it into an 8.0.8 build” - get the security in or the relaxed nonce validation?

The stricter nonce validation that caused this issue is in 8.0.7 I believe, if not already in 8.0.6. The relaxed nonce validation will go into an 8.0.8 nightly build.

This is only an issue with certain 3rd party servers when no security is used.

The relaxed nonce validation should land in tomorrow’s 8.0.8 nightly build.

It will eventually be part of 7.9.14 as well.

1 Like

I was on 8.0.6 and upgrade to .7. This made my OPC Connections Faulted

Go back to 8.0.6 or go forward to the nightly.

Resurrecting this thread, I can’t tell from the release notes, is this issue now fixed in 7.9.14?

Yes, not sure why it doesn’t have a change log entry.


Should it be possible to connect to a OPC UA -server with no encryption with Ignition 8.0.16?
Im getting the same error as mentioned above.

Yes, it should be under most circumstances. Are you trying to use a username and password with no security?

Correct, trying to connect to a Beijer iX Panel.

This configuration won’t work unless you get an update that fixed the nonce bug in the server.

No security with anonymous identity should work, or using security should work.

A post was split to a new topic: Connecting to Beckhoff OPC UA

A post was merged into an existing topic: Connecting to Beckhoff OPC UA