Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

UA Client Certificates

More
30 Jan 2014 10:41 #1698 by support
Replied by support on topic UA Client Certificates
The logging is a global thing. It is a static event on the EasyUAClient class, and a handler for it should be set up at the very beginning of the app, at least before the first EasyUAClient object *instance* is created. There is no need for it to be - and it should not be - tied to specific read/write operations or so.

We give the developer the event to be logged, including the message, severity, etc. BUT we do not provide any means of what to actually do with the event, where or how to log it, etc. This is up to the developer.

Here is a short description of what needs to be done in the app, taken from the "How to develop compliant OPC-UA client" document:

...you need to write a handler for the (static) EasyUAClient.LogEntry event, and display or physically log the messages that this event provides. The LogEntry event has an argument of type LogEntryEventArgs, which carries the log entry data, such as the numerical category and event ID, entry type (Error, Warning, Information, SuccessAudit, or FailureAudit), the event source, and most importantly, the actual Message string. For OPC compliance, as a minimum, the Message should be logged or displayed.


Reference doc:
If you need more information to the logging, let me know.

Re

What assembly title are you talking about in the first paragraph? Is that TOP Server or our application?

I mean the application assembly. The whole issue is about the client certificate. It has nothing to do with the server whatsoever.

I still do not fully understand this:

I meant that if I look in the default location where the Data-UA certificates are stored, the file date is from May 2013. The error occurred last week and it was resolved by running the application as admin and then re-issuing the certificate. Although, we don't seem to be issuing a new certificate (according to the file date) so it does not seem to be a problem with the certificate itself.


Please explain "we don't seem to be issuing a new certificate"? Are you referring to a moment when the problem has occurred, or to a moment after the app has been re-run as admin? Or are you talking about a server certificate?

Can you send me a "view" of the certificate store, listing the certificate subject names that exist there?

All in all, I just want to say that it is unlikely this is caused by a problem in the component. I still suspect an issue with permissions. But we need the logging info at least, so that we can verify both the User name, and the certificate subject name.

Please Log in or Create an account to join the conversation.

More
29 Jan 2014 13:18 #1697 by rsikes
Replied by rsikes on topic UA Client Certificates
We will try to implement the suggestions for EasyUAClient logging, but will need additional information to set this up in our project.

Also, these improvements will only be helpful the next time that we have problems with our project, which given our previous help desk requests could be months from now. Is there anything else that is helpful you could tell us without this additional logging that may help us in the short term? Also, where will we need to register for these events? Is this something that must happen with every read and write attempt or should the registry occur beforehand when the connection is initialized? Would there be a way to register these events in Event Viewer? In the short-term at least, this would be faster than modifying our code and would be something we could use in the meantime while this is developed if the problem crops up again.

We do not believe this is a permission problem because IIS is set up as the Application Pool Identity, which we believe should have the access it needs to check the certificate. Again, this is how our other machine that is working is using IIS and users at both locations should have similar access levels. What assembly title are you talking about in the first paragraph? Is that TOP Server or our application?

Regarding the other part of the reply: I meant that if I look in the default location where the Data-UA certificates are stored, the file date is from May 2013. The error occurred last week and it was resolved by running the application as admin and then re-issuing the certificate. Although, we don't seem to be issuing a new certificate (according to the file date) so it does not seem to be a problem with the certificate itself.

Please Log in or Create an account to join the conversation.

More
28 Jan 2014 15:00 #1693 by support
Replied by support on topic UA Client Certificates
Thank you for the additional information.

I have checked the code, it appears that the certificate is being looked up by its SubjectName, and when the developer does not set it otherwise, we attempt to obtain the [AssemblyTitle] attribute from the application assembly - whether that does no does not contain the minor version number has to be determined on the actual system. Also note that, as I have described, we may not succeed in determining the right assembly, and will instead take a system one such as the CLR - therefore I still recommend setting the application parameters from the code explicitly.

It can be a permission problem e.g. if the Web app in IIS is configured to impersonate the end user credentials in some cases (with Basic authentication or Windows authentication). Then, some users may have the access and some not; the behavior will be even less predictable, because only the first user who will access the Web app after it is started will be the one under whose credentials the certificate will be accessed. Such IIS configuration should be avoided.

I suggest that the customer adds a handler for the static EasyUAClient.LogEntry event, and stores all events to a file or somewhere. This will give us at least following useful information:
  • whether the dates/times of the problem correspond to when the component's engine is started (which will roughly correspond to when the Web app starts) - EventId 101 and some more
  • The user credentials used - EventId 114
  • client certificate parameters - EventId 121 - very important !

Note: I do not quite understand this part of your reply

when checking the file dates on the certificates in the default folder (for QuickOPC UA) the date does not correspond to the last date that the error occurred. Therefore, we do not believe the server is reissuing the certificate.

- because we are dealing here with a *client* certificate problem, not a server certificate.

Please Log in or Create an account to join the conversation.

More
28 Jan 2014 13:45 #1692 by rsikes
Replied by rsikes on topic UA Client Certificates
Hello,

Thank you for the detailed information. The behavior of this specific application does not seem to apply to the potential causes that you listed. I have included some additional information below.

- the application is a web application.
- the UA code is isolated in one .dll file, which contains all of the classes and methods necessary for performing OPC operations.

- when checking the file dates on the certificates in the default folder (for QuickOPC UA) the date does not correspond to the last date that the error occurred. Therefore, we do not believe the server is reissuing the certificate.

This indicates that it could be a permissions related problem. However, the application is running on multiple machines and is not occurring on all of them. The machine that is not having the problem has the same permissions as the machine that does have the problem. Also, if it is a problem with the default user permissions I do not understand why the problem would only exist sometimes and not each time.

Also, would minor version numbers alter the certificate parameters?

Please Log in or Create an account to join the conversation.

More
26 Jan 2014 16:25 #1686 by support
Replied by support on topic UA Client Certificates
It can have several reasons:

- the certificate might have been removed from the store
- the certificate may be in the store, but it is not accessible (permissions)
- something has changed in the application parameters, causing it to look for a certificate with different parameters, thus not finding it.

What kind of applications are we talking about (desktop-WinForms, a Windows service, a Web app or a Web service, etc.)?
How is it structured in terms of physical assemblies? Is the code that uses the OPC-UA isolated in just one assembly, or more? Is it the main assembly, or a different one?

By default, the certificate parameters are generated so that they depend on things such as the main assembly name, its version, etc. For an application that has been already built and just run over and over, those are things that should not change. However, there are situations where this gets more complicated. Specifically, in hosted environments (such as Web app/service under IIS), it is difficult or impossible to tell what is the "main" assembly, so under these environments the built-in algorithm may pick it wrong (though, from what I have seen, it picks the MSCORLIB typically, and that's the one that stays stable anyway).

If you suspect that the built-in mechanism may be picking different certificate parameters, you can force the certificate parameters to be whatever you like, from the code. Actually I would recommend it for production-grade software anyway; the built-in "automation" exists only so that we do not put to many obstacles to the beginner.

Here is a related topic that contains the instructions: www.opclabs.com/forum/quickopc-ua18/1299-browse-data-nodes?start=12

and here I am quoting the most relevant part:

OPC-UA requires that both parties (client and server) mutually identify themselves using application certificates. The certificates are supposed to be unique for each application (instance), and therefore cannot be a constant part of the "toolkit" (such as QuickOPC), and need to be generated. In order to make this process invisible (in common cases) to the developer, QuickOPC
a) determines the parameters of the certificate automatically, using values such as the EXE name or the calling assembly name,
b) attempts to look up the certificate in the certificate store,
c) if not found, it attempts to create it, and save it into the certificate store.

The algorithm described above does not, however fit well wit hosted environments such as IIS, for two reasons:
- It is difficult to automatically determine reasonable and unique parameters for the certificate, because the hosting process is the IIS service, not "your" own application EXE.
- The page processing code in IIS typically runs with low privileges that do not allow it to call the necessary CertificateGenerator utility, and even less to save the new certificate to the store.

For usage in such environments, the recommendation is:
- Pre-generate the application certificate manually, and save it to the certificate store. This will remove the need for the application to create and save the certificate.
- In your application, set your own parameters of the certificate. The application will then use these parameters to look up the certificate.

Application certificate can be generated using Opc.Ua.CertificateGenerator.exe utility, typically located (after QuickOPC installation) at C:\Program Files (x86)\Common Files\OPC Foundation\UA\v1.0\Bin. Run it with "/?" to obtain usage instructions.

Setting the certificate parameters is done by modifying properties in EasyUAClient.SharedParameters.Engine (EasyUAClient.SharedParameteres is a static property, and you need to set the values before creating the first instance EasyUAClient, in order for it to have the desired effect). The properties of interest are:
- ApplicationCertificateSubject
- ApplicationName
- ApplicationUriString
- ProductUriString

The values should match those used when the certificate was generated, because they (or at least some of them) are used to look up the certificate in the store.

I understand that the above instructions may need further details or explanation; let me know which parts need more attention and I will try to help.

Best regards

Please Log in or Create an account to join the conversation.

More
24 Jan 2014 20:32 #1685 by rsikes
Hello,

I have a customer receiving occasional errors regarding the UA Client certificate. I have copied the error text below. To resolve this problem, we have determined that the customer can run the application as admin and reissue the client certificate.
However, this is not an optimal workaround because it requires some downtime and manual intervention when the error occurs.

Can you please provide some information on the error below, and more specifically what type of changes in the UA interface would require the server or the client to reissue its certificate (as the error indicates is necessary).

The version in use is 5.22 Build 322.1

OpcLabs.EasyOpc.UA.UAServiceException: OPC-UA service result - Could not create a certificate via a proxy: -error Could not initialize the platform layer.
---- SERVICE RESULT ----
StatusCode: {Bad} = 0x80000000 (2147483648)
---> OpcLabs.EasyOpc.UA.UAServiceException: OPC-UA service result - -error Could not initialize the platform layer.
---- SERVICE RESULT ----
StatusCode: {Bad} = 0x80000000 (2147483648)

--- End of inner exception stack trace ---
:OpcLabs.EasyOpc.UA.UAServiceException: OPC-UA service result - -error Could not initialize the platform layer.
---- SERVICE RESULT ----
StatusCode: {Bad} = 0x80000000 (2147483648)

: at Opc.Ua.CertificateFactory.CreateCertificateViaProxy(String executablePath, String storePath, String password, String applicationUri, String applicationName, String subjectName, IList`1 domainNames, UInt16 keySize, UInt16 lifetimeInMonths, Boolean isCA, Boolean usePEMFormat, String issuerKeyFilePath, String issuerKeyFilePassword)
at Opc.Ua.CertificateFactory.CreateCertificate(String storeType, String storePath, String password, String applicationUri, String applicationName, String subjectName, IList`1 domainNames, UInt16 keySize, UInt16 lifetimeInMonths, Boolean isCA, Boolean usePEMFormat, String issuerKeyFilePath, String issuerKeyFilePassword)
at Opc.Ua.Configuration.ApplicationInstance.CreateApplicationInstanceCertificate(ApplicationConfiguration configuration, UInt16 keySize, UInt16 lifetimeInMonths)
at Opc.Ua.Configuration.ApplicationInstance.CheckApplicationInstanceCertificate(Boolean silent, UInt16 minimumKeySize)
at OpcLabs.EasyOpc.UA.Toolkit.UAEngineBase.PerformSdkAction(UASdkCallType callType, Func`1 usingFunction, String name, Action sdkAction)
:Opc.Ua.Core

Thanks in advance,
SWTB Support

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.079 seconds