Online Forums
Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.
Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.
Do not use the Contact page for technical issues.
- Forum
- Discussions
- QuickOPC-UA in COM
- Connection, Reconnections, Certificates
- BadSecurityChecksFailed error
BadSecurityChecksFailed error
01 Nov 2021 12:17 #10332
by support
Replied by support on topic BadSecurityChecksFailed error
Please create a separate forum thread for the new issue.
Please Log in or Create an account to join the conversation.
01 Nov 2021 11:24 #10330
by Mirhaj
Replied by Mirhaj on topic BadSecurityChecksFailed error
Hi,
Ok, thanks. I have now a new issue that I noticed today;
I have implemented the client on a real time application. The application had an computation of approximately 40 milliseconds per frame. When adding the client with reading 4 and writing 5 values to the OpcUa server (values are of the types Boolean, integer and float), the computation time has increased to 200 to 250 milliseconds per frame. Did I do something not efficient with calling read/write functions of the sdk? Is there a Sleep() method used inside the sdk that makes this to happen? The following is how I read and write from and to the server;
***Writing to the server;
_client.WriteValue("opc.tcp://92.220.119.221:4840", "ns=6;i=4", (float)(MyDoubleParameter));
***Reading from the server;
DoubleParameter = Convert.ToDouble(_client.Read("opc.tcp://92.220.119.221:4840", "ns=5;i=4").Value);
And I repeat the lines above for every node that I read from and write to.
Best,
Ahmad
Ok, thanks. I have now a new issue that I noticed today;
I have implemented the client on a real time application. The application had an computation of approximately 40 milliseconds per frame. When adding the client with reading 4 and writing 5 values to the OpcUa server (values are of the types Boolean, integer and float), the computation time has increased to 200 to 250 milliseconds per frame. Did I do something not efficient with calling read/write functions of the sdk? Is there a Sleep() method used inside the sdk that makes this to happen? The following is how I read and write from and to the server;
***Writing to the server;
_client.WriteValue("opc.tcp://92.220.119.221:4840", "ns=6;i=4", (float)(MyDoubleParameter));
***Reading from the server;
DoubleParameter = Convert.ToDouble(_client.Read("opc.tcp://92.220.119.221:4840", "ns=5;i=4").Value);
And I repeat the lines above for every node that I read from and write to.
Best,
Ahmad
Please Log in or Create an account to join the conversation.
01 Nov 2021 11:14 #10329
by support
Replied by support on topic BadSecurityChecksFailed error
Yes, this should work in general.
One source of potential conflict would be if the two branches happen to produce the same certificate subject name (QuickOPC determines it automatically from info such as assembly name assembly description etc.). This can be resolved by setting the name from the code - see the example I pointed to earlier. But, even if they "share" the same certificate, which is technically not right, you will probably not notice a difference.
Regards
One source of potential conflict would be if the two branches happen to produce the same certificate subject name (QuickOPC determines it automatically from info such as assembly name assembly description etc.). This can be resolved by setting the name from the code - see the example I pointed to earlier. But, even if they "share" the same certificate, which is technically not right, you will probably not notice a difference.
Regards
Please Log in or Create an account to join the conversation.
01 Nov 2021 10:13 #10328
by Mirhaj
Replied by Mirhaj on topic BadSecurityChecksFailed error
Hi,
Thanks for your comprehensive reply in this regard;
I left with one more concern about this; I have two different branches of my code that both have the QuickOPC based client implemented on (it's long story why it has been done like this). So I need to run the two clients from these two branches which are running on the same PC. (sometime from one branch and some other time from the other branch - this will be temporarily for testing purposes). Will everything regarding certificates trust related thing be working fine as both clients are using (or refering to) the same CertificateStores?
Best,
Ahmad
Thanks for your comprehensive reply in this regard;
I left with one more concern about this; I have two different branches of my code that both have the QuickOPC based client implemented on (it's long story why it has been done like this). So I need to run the two clients from these two branches which are running on the same PC. (sometime from one branch and some other time from the other branch - this will be temporarily for testing purposes). Will everything regarding certificates trust related thing be working fine as both clients are using (or refering to) the same CertificateStores?
Best,
Ahmad
Please Log in or Create an account to join the conversation.
29 Oct 2021 08:59 #10322
by support
Replied by support on topic BadSecurityChecksFailed error
Actually, there is more to it.
First of all, if you have two or more "copies" of the same application, in the OPC UA world they should have, for security reasons, different instance certificates. Things will probably appear to work just fine even if you reuse the same certificate, but it would still not be the correct way to do it.
So, strictly speaking, the approach described in the previous post is correct if you "move" the application from the development computer to the production computer (never use it from the development computer again), but not if you "copy" it (ever intend to use them both).
Then, there is another thing I have not considered in my previous reply: By default, the QuickOPC application looks for its own instance certificate using a name which I think includes the computer name it is running on. This means that it may not find your copied certificate on the new machine anyway. if this happens, the solutions are:
1) Give the machines the same name
2) Let QuickOPC auto-generate a new certificate on the new machine (as opposed to my advice in the previous post) - and pass that new certificate to the party that runs server, so that they can trust it (and they remove the older ones that should no longer be able to connect, etc.). This is what I would recommend to do.
3) Tell QuickOPC not to use the default name generation, but instead specify the name directly in your code - so that it won't change based on the computer it is running on. opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...he%20client%20certificate.html . As in (2), this will generate a certificate that needs to be passed to and trusted by the party that runs the server (but it can be the same one from the moment it is implemented, regardless of the machine it runs on).
Regards
First of all, if you have two or more "copies" of the same application, in the OPC UA world they should have, for security reasons, different instance certificates. Things will probably appear to work just fine even if you reuse the same certificate, but it would still not be the correct way to do it.
So, strictly speaking, the approach described in the previous post is correct if you "move" the application from the development computer to the production computer (never use it from the development computer again), but not if you "copy" it (ever intend to use them both).
Then, there is another thing I have not considered in my previous reply: By default, the QuickOPC application looks for its own instance certificate using a name which I think includes the computer name it is running on. This means that it may not find your copied certificate on the new machine anyway. if this happens, the solutions are:
1) Give the machines the same name
2) Let QuickOPC auto-generate a new certificate on the new machine (as opposed to my advice in the previous post) - and pass that new certificate to the party that runs server, so that they can trust it (and they remove the older ones that should no longer be able to connect, etc.). This is what I would recommend to do.
3) Tell QuickOPC not to use the default name generation, but instead specify the name directly in your code - so that it won't change based on the computer it is running on. opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...he%20client%20certificate.html . As in (2), this will generate a certificate that needs to be passed to and trusted by the party that runs the server (but it can be the same one from the moment it is implemented, regardless of the machine it runs on).
Regards
Please Log in or Create an account to join the conversation.
29 Oct 2021 08:45 #10320
by support
Replied by support on topic BadSecurityChecksFailed error
I am glad that it works.
Yes, precisely so.
And ideally you would do this before you first start the app there. Because otherwise it will auto-generate its own instance certificate, so you would end up with 2 of them (the auto-generated one, and the one you place there manually), which may lead to unpredictable behavior as long as they are both valid. And you would have to remove the auto-generated one anyway.
Regards
Yes, precisely so.
And ideally you would do this before you first start the app there. Because otherwise it will auto-generate its own instance certificate, so you would end up with 2 of them (the auto-generated one, and the one you place there manually), which may lead to unpredictable behavior as long as they are both valid. And you would have to remove the auto-generated one anyway.
Regards
Please Log in or Create an account to join the conversation.
29 Oct 2021 08:30 #10319
by Mirhaj
Replied by Mirhaj on topic BadSecurityChecksFailed error
Hi,
I changed the file suffix to .der and it worked for me as well finally. I also copied this cert into trusted peer store and removed the AcceptAnyCertificate from the code.
Now all these steps for me to connect to this server was from the PC that the client is running in development environment. Sometime later I will have to install the executable (that includes the client) on a different PC. Should I copy the issuer's certificate into trusted peer and trusted issuer stores on that PC? And I probably need to copy the certificate in the default application store into the trusted peers store as well (if it does not already exist there) ... Am I correct?
Best,
Ahmad
I changed the file suffix to .der and it worked for me as well finally. I also copied this cert into trusted peer store and removed the AcceptAnyCertificate from the code.
Now all these steps for me to connect to this server was from the PC that the client is running in development environment. Sometime later I will have to install the executable (that includes the client) on a different PC. Should I copy the issuer's certificate into trusted peer and trusted issuer stores on that PC? And I probably need to copy the certificate in the default application store into the trusted peers store as well (if it does not already exist there) ... Am I correct?
Best,
Ahmad
Please Log in or Create an account to join the conversation.
28 Oct 2021 16:25 - 28 Oct 2021 16:26 #10317
by support
Replied by support on topic BadSecurityChecksFailed error
Note that - unless you want to keep using AcceptAnyCertificate - you should also place a copy of the issuer's certificate (.DER, again) into the Trusted peers store.
Last edit: 28 Oct 2021 16:26 by support.
Please Log in or Create an account to join the conversation.
28 Oct 2021 16:22 #10316
by support
Replied by support on topic BadSecurityChecksFailed error
Hello.
I repeated your steps, and I got the same error.
I then renamed the issuer's certificate form .CER to .DER.
I was then able to connect to your server and read its data:
Regards
I repeated your steps, and I got the same error.
I then renamed the issuer's certificate form .CER to .DER.
I was then able to connect to your server and read its data:
Regards
Attachments:
Please Log in or Create an account to join the conversation.
28 Oct 2021 15:43 #10315
by Mirhaj
Replied by Mirhaj on topic BadSecurityChecksFailed error
Hi,
I asked the customer to send me the CA signed cert and he sent me the attached one. What I did then I unzipped it and then made a folder in CertificateStore and called it UA Certificate Authorities (there are already two other folders Machine Default and UA Applications). Inside this folder created sub-folder certs and then put this .cer file into the folder. Then ran the client and got the same error again; “Certificate chain not complete. SubjectName: O=Siemens, C=DE, CN=PLC-Model/OPCUAServerClient IssuerName: O=Siemens, C=DE, CN=Siemens TIA Project(Qiang-sha256)”
Did I do everything right? I have sent you the cert on email attachment.
Best,
Ahmad
I asked the customer to send me the CA signed cert and he sent me the attached one. What I did then I unzipped it and then made a folder in CertificateStore and called it UA Certificate Authorities (there are already two other folders Machine Default and UA Applications). Inside this folder created sub-folder certs and then put this .cer file into the folder. Then ran the client and got the same error again; “Certificate chain not complete. SubjectName: O=Siemens, C=DE, CN=PLC-Model/OPCUAServerClient IssuerName: O=Siemens, C=DE, CN=Siemens TIA Project(Qiang-sha256)”
Did I do everything right? I have sent you the cert on email attachment.
Best,
Ahmad
Please Log in or Create an account to join the conversation.
Moderators: support
- Forum
- Discussions
- QuickOPC-UA in COM
- Connection, Reconnections, Certificates
- BadSecurityChecksFailed error
Time to create page: 0.078 seconds