OpcLabs doesn't cause client "jump" in Trusted Clients

10 Feb 2015 09:54 #2751 by support
Thank you once again. Yes, I know the problem was with the client not showing in the trusted client list of the Kepware server. Just to explain, my thinking was that perhaps the client certificate wasn't generated, but we still attempted to connect to the server (without any client certificate), and of course that could not work; plus, there would be no client certificate for the Kepware server to show.

Anyway, the requirements for the certificate generator (which belongs under Prerequisites) have changed between QuickOPC 5.30 and 5.32, that's right, and it is due to the newer OPC UA stack from the OPC Foundation that is used in 5.32. The necessary Prerequisites are listed in the Concepts document; in case of further version upgrades, please pay attention to them.

Best regards

10 Feb 2015 07:30 #2750 by adid@contel.co.il
Hello,

I had installed OPC Labs 5.30 in the production environment and used version 5.32 in my WinForm; that explains why you see in the error log that the certificate was not generated. I did a lot of tests, so maybe it was there before (although I remember deleting the certificate from the certificate store before I used the WinForm), but the problem was not with the certificate generator; the problem was with the client not showing in trusted clients in Kepware.
Adding port 49320 in "Manage Firewall Access" solved the problem and caused the client to show in trusted clients.

Thank you,
Adi Damty

09 Feb 2015 20:33 #2747 by admin
Hello,
I am glad that it works now. But I must say it is not clear to me what is happening.

Based on what I saw in the logs, I was about to investigate in the area of certificate generation: there is an error that indicates that the version of the generator installed is not the one we need, and the certificate is not being generated. Maybe it was there already from some time before?

And the other thing that is unclear to me is why the step you have described has helped. We do not use the port described, as far as I know, unless it is explicitly specified somehow somewhere. Couldn't it be the other way round, so that the port was needed by the Kepware server and, not being accessible, caused the issue?

Best regards

09 Feb 2015 15:10 #2746 by adid@contel.co.il
Hello,

Problem solved.
I opened the UA Configuration Tool, and under the Manage Application tab selected "Opc.Ua.DiscoveryServer" as the application to manage, then pressed the "Manage Firewall Access" button and added port 49320; this solved the problem.

Thank you,
Adi Damty

09 Feb 2015 07:19 - 09 Feb 2015 20:17 #2743 by adid@contel.co.il
Hello,

When this event log was captured, the certificate had been created in the certificate store (as you mentioned, in %CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications), but the client is not showing under trusted clients.

The WinForm is a very simple WinForm, just to add a certificate and to cause the client to appear in trusted clients in Kepware.
Here is the code that runs after the cmdAddTrustedClient button click:
using System;
using System.Windows.Forms;
using OpcLabs.EasyOpc.UA;               // EasyUAClient, UAEndpointDescriptor
using OpcLabs.EasyOpc.UA.AddressSpace;  // UANodeElementCollection

private void cmdAddTrustedClient_Click(object sender, EventArgs e)
{
    EasyUAClient easyUAClient = null;
    UAEndpointDescriptor uaEndpointDescriptor = null;
    UANodeElementCollection uaNodeElementCollection = null;

    try
    {
        // Identity the OPC-UA engine uses when it creates the client instance certificate.
        EasyUAClient.SharedParameters.Engine.ApplicationCertificateSubject = m_ApplicationName;
        EasyUAClient.SharedParameters.Engine.ApplicationName = m_ApplicationName;
        EasyUAClient.SharedParameters.Engine.ApplicationUriString = m_ApplicationUriString;
        EasyUAClient.SharedParameters.Engine.ProductUriString = m_ApplicationUriString;

        easyUAClient = new EasyUAClient();
        uaEndpointDescriptor = new UAEndpointDescriptor(txtUAEndpointDescriptor.Text);

        // First call that opens a session to the server; this is where the server sees the client certificate.
        uaNodeElementCollection = easyUAClient.BrowseDataNodes(uaEndpointDescriptor);
        txtResult.Text = "Success";
    }
    catch (Exception exception)
    {
        txtResult.Text = exception.Message;
    }
}
where:

1. txtUAEndpointDescriptor.Text = opc.tcp://127.0.0.1:49154
2. m_ApplicationName = Contel-MES
3. m_ApplicationUriString = urn:adid-win7:Contel_Mes:1.0.0.0:neutral:null

Thank you,
Adi Damty
Last edit: 09 Feb 2015 20:17 by admin. Reason: code formatting

08 Feb 2015 20:26 - 09 Feb 2015 07:11 #2739 by support
Many thanks for this.

1. When this event log was captured, has the certificate been created in the cert store (%CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications)?

2. What is the first method on EasyUAClient you call please (e.g. Read, SubscribeMonitoredItems, or something else)?

3. Are the logs somehow from two runs? I am asking because there is one sequence between 10:45:50 and 10:45:51, then a pause of almost one minute, and then another sequence that starts at 10:46:47. If it is from two runs, there appear to be parts of the log missing. If it is from one run, do you have a comment on the one-minute delay? Is it that you manually waited before you proceeded to a next step (which?), or has the app somehow been blocked, without your influence, during that time?

4. Do you set the certificate parameters from your code, and if so, at which place?

Thank you in advance
Best regards
Last edit: 09 Feb 2015 07:11 by support.

08 Feb 2015 08:54 #2738 by adid@contel.co.il
Hello,

Thank you for your answer.
I used the newest version of OPC-UA OPC Labs (5.32.505.1) and use event logging in production as you mentioned.
I checked telnet 127.0.0.1 43154 in production and it works fine.
Then I ran my WinForm and tried to connect locally to Kepware on the same computer (both the WinForm and Kepware are located on the same computer); the result is that I get "BadSecureChannelClosed", but I don't see the client under trusted clients in Kepware.
The log file is attached below.

Thank you,
Adi Damty


/*********************************** log file *************************************************/
2015-02-08 10:45:50 – OPC-UA engine application info 'Environment' -> Is64BitOperatingSystem: True, SystemDirectory: "C:\Windows\system32".
2015-02-08 10:45:50 – OPC-UA engine application info 'Clr' -> Version: '4.0.30319.18408', PtrSize: 4.
2015-02-08 10:45:50 – OPC-UA engine application info 'Debugger' -> IsAttached: False.
2015-02-08 10:45:50 – OPC-UA engine application info 'User' -> Name: "Contel.Israel", DomainName: "ZFASAPP20001", Interactive: True.
2015-02-08 10:45:50 – Licensing for EasyUAClient component started, license serial number 1953000002, issuer name "OPC Labs", subject name "Contel Group".
2015-02-08 10:45:50 – OPC-UA engine application info 'OSConfiguration' -> MachineName: "ZFASAPP20001", SystemPageSize: 4096.
2015-02-08 10:45:50 – OPC-UA engine application info 'AssemblyAttributes' -> AssemblyConfiguration: "Release".
2015-02-08 10:45:50 – OPC-UA engine application info 'OperatingSystem' -> VersionString: "Microsoft Windows NT 6.1.7601 Service Pack 1".
2015-02-08 10:45:50 – OPC-UA engine application info 'Process' -> Is64BitProcess: False, CurrentDirectory: "C:\Users\Contel.Israel\Desktop\Release", Id: 392492.
2015-02-08 10:45:50 – OPC-UA engine application info 'Computer' -> ProcessorCount: 12.
2015-02-08 10:45:50 – OPC-UA engine application info 'AssemblyProperties' -> FullName: "OpcLabs.BaseLib, Version=5.32.505.1, Culture=neutral, PublicKeyToken=6faddca41dacb409", Location: "C:\Users\Contel.Israel\Desktop\Release\OpcLabs.BaseLib.dll", GlobalAssemblyCache: False.
2015-02-08 10:45:50 – The OPC-UA engine is connecting to the underlying subsystems.
2015-02-08 10:45:50 – OPC-UA engine SDK configuration provider "OpcLabs.EasyOpc.UA.Toolkit.AppConfigSdkConfigurationProvider" failed
OpcLabs.EasyOpc.UA.UAServiceException: OPC-UA service result - Could not load configuration file.
---- SERVICE RESULT ----
StatusCode: {BadConfigurationError} = 0x80890000 (2156462080)
Description: Could not load configuration file.

2015-02-08 10:45:50 – OPC-UA engine SDK configuration successfully provided by "OpcLabs.EasyOpc.UA.Toolkit.InternalSdkConfigurationProvider".
2015-02-08 10:45:50 – The OPC-UA engine has determined the client certificate parameters as listed below.
SubjectName: CeaserstoneCreateCertificateForWebsite
ApplicationName: CeaserstoneCreateCertificateForWebsite
ApplicationUri: urn:ZFASAPP20001:CeaserstoneCreateCertificateForWebsite:1.0.0.2:neutral:null
ProductUri: urn:literal:string:CeaserstoneCreateCertificateForWebsite

2015-02-08 10:45:51 – The OPC-UA engine failed at tick 334165061 and will retry in 600000 milliseconds.
2015-02-08 10:45:51 – The OPC-UA engine failed to connect to the underlying subsystems.
OPC-UA service result - Could not create a certificate via a proxy: -error Unprocessed arguments exist possible syntax error: -hashSize .
---- SERVICE RESULT ----
StatusCode: {Bad} = 0x80000000 (2147483648)
.
2015-02-08 10:46:47 – The OPC-UA engine is connecting to the underlying subsystems.
2015-02-08 10:46:47 – OPC-UA engine SDK configuration provider "OpcLabs.EasyOpc.UA.Toolkit.AppConfigSdkConfigurationProvider" failed
OpcLabs.EasyOpc.UA.UAServiceException: OPC-UA service result - Could not load configuration file.
---- SERVICE RESULT ----
StatusCode: {BadConfigurationError} = 0x80890000 (2156462080)
Description: Could not load configuration file.

2015-02-08 10:46:47 – OPC-UA engine SDK configuration successfully provided by "OpcLabs.EasyOpc.UA.Toolkit.InternalSdkConfigurationProvider".
2015-02-08 10:46:49 – The OPC-UA engine has determined the client certificate parameters as listed below.
SubjectName: CN=Contel-MES, DC=ZFASAPP20001
ApplicationName: Contel-MES
ApplicationUri: urn:TAPUZ.GAT.LOCAL:Contel_Mes:1.0.0.0:neutral:null
ProductUri: urn:adid-win7:Contel_Mes:1.0.0.0:neutral:null

2015-02-08 10:46:49 – The OPC-UA engine has successfully connected to the underlying subsystems.
2015-02-08 10:46:49 – The OPC-UA client session is connecting to endpoint URL "opc.tcp://127.0.0.1:49154".
2015-02-08 10:46:49 – The OPC-UA client session failed to connect to endpoint URL "opc.tcp://127.0.0.1:49154".
OPC-UA service result - BadSecureChannelClosed.
---- SERVICE RESULT ----
StatusCode: {BadSecureChannelClosed} = 0x80860000 (2156265472)
StatusCode: {BadSecureChannelClosed} = 0x80860000 (2156265472)
---- REMARKS ----
The server may have rejected the connection because it does not trust the client (e.g. certificate problem); check the diagnostics on the server side, if possible.
A possible cause of this error could also be that the OPC-UA server is not running, or that it has rejected the connection due to security reasons.

2015-02-08 10:46:49 – The OPC-UA client session on endpoint URL "opc.tcp://127.0.0.1:49154" failed at tick 334222860 and will retry in 10000 milliseconds.
2015-02-08 10:46:49 – The status subscription for an OPC-UA session on endpoint URL "opc.tcp://127.0.0.1:49154" is in failure. Further such warnings on this session will not be logged.
OPC-UA service result - BadSecureChannelClosed.
---- SERVICE RESULT ----
StatusCode: {BadSecureChannelClosed} = 0x80860000 (2156265472)
StatusCode: {BadSecureChannelClosed} = 0x80860000 (2156265472)
---- REMARKS ----
The server may have rejected the connection because it does not trust the client (e.g. certificate problem); check the diagnostics on the server side, if possible.
A possible cause of this error could also be that the OPC-UA server is not running, or that it has rejected the connection due to security reasons.

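The log above contains two different failures that are easy to conflate. In the first run the engine never started: the external certificate generator failed, so no client certificate could have reached the server at all. In the second run the engine started, the session reached the endpoint, and the secure channel was closed with BadSecureChannelClosed. The following Python script is an added example and is not part of the original post or of QuickOPC: it separates the two failure classes, decodes the severity bits of each StatusCode (OPC UA status codes carry Good, Uncertain or Bad in the top two bits), and flags the gap between engine start attempts that support asked about. The sample log is an abridged copy of the lines posted in this thread; the message texts it matches on are the ones that appear there, and the 30-second gap threshold is an assumption.

```python
"""Added example: triage a QuickOPC OPC-UA client event log (Python; not part of QuickOPC)."""
import re
from datetime import datetime

# Abridged copy of the log posted in this thread, embedded so the script runs offline.
SAMPLE_LOG = """\
2015-02-08 10:45:50 – The OPC-UA engine is connecting to the underlying subsystems.
2015-02-08 10:45:50 – OPC-UA engine SDK configuration provider "OpcLabs.EasyOpc.UA.Toolkit.AppConfigSdkConfigurationProvider" failed
OpcLabs.EasyOpc.UA.UAServiceException: OPC-UA service result - Could not load configuration file.
---- SERVICE RESULT ----
StatusCode: {BadConfigurationError} = 0x80890000 (2156462080)
Description: Could not load configuration file.

2015-02-08 10:45:51 – The OPC-UA engine failed to connect to the underlying subsystems.
OPC-UA service result - Could not create a certificate via a proxy: -error Unprocessed arguments exist possible syntax error: -hashSize .
---- SERVICE RESULT ----
StatusCode: {Bad} = 0x80000000 (2147483648)
.
2015-02-08 10:46:47 – The OPC-UA engine is connecting to the underlying subsystems.
2015-02-08 10:46:49 – The OPC-UA engine has successfully connected to the underlying subsystems.
2015-02-08 10:46:49 – The OPC-UA client session is connecting to endpoint URL "opc.tcp://127.0.0.1:49154".
2015-02-08 10:46:49 – The OPC-UA client session failed to connect to endpoint URL "opc.tcp://127.0.0.1:49154".
OPC-UA service result - BadSecureChannelClosed.
---- SERVICE RESULT ----
StatusCode: {BadSecureChannelClosed} = 0x80860000 (2156265472)
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) [–-] (.*)$")
STATUS_RE = re.compile(r"StatusCode: \{(\w+)\} = (0x[0-9A-Fa-f]{8})")
ENDPOINT_RE = re.compile(r'endpoint URL "([^"]+)"')
RUN_GAP_SECONDS = 30  # assumed: a longer pause between engine starts is worth asking about

def severity(code):
    """OPC UA StatusCode: the top two bits encode Good (00), Uncertain (01) or Bad (10)."""
    return {0: "Good", 1: "Uncertain", 2: "Bad"}.get(code >> 30, "Reserved")

def parse_entries(text):
    """Group the untimestamped continuation lines under the timestamped line they belong to."""
    entries = []
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if m:
            entries.append({"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                            "message": m.group(2), "detail": []})
        elif entries and raw.strip():
            entries[-1]["detail"].append(raw.strip())
    return entries

def triage(text):
    """Separate engine-level failures (client never started) from session-level ones (server refused)."""
    report = {"engine_failures": [], "session_failures": [], "status_codes": {}, "run_gaps_seconds": []}
    last_start = None
    for e in parse_entries(text):
        detail = "\n".join(e["detail"])
        for name, hexval in STATUS_RE.findall(detail):
            value = int(hexval, 16)
            report["status_codes"][name] = (value, severity(value))
        msg = e["message"]
        if msg.startswith("The OPC-UA engine is connecting"):
            if last_start is not None and (e["time"] - last_start).total_seconds() > RUN_GAP_SECONDS:
                report["run_gaps_seconds"].append((e["time"] - last_start).total_seconds())
            last_start = e["time"]
        elif "engine failed to connect to the underlying subsystems" in msg:
            cause = e["detail"][0] if e["detail"] else ""
            report["engine_failures"].append({"time": e["time"], "cause": cause,
                                              "certificate_related": "certificate" in cause.lower()})
        elif "client session failed to connect to endpoint URL" in msg:
            m = ENDPOINT_RE.search(msg)
            report["session_failures"].append({"time": e["time"], "endpoint": m.group(1) if m else None,
                                               "codes": sorted({n for n, _ in STATUS_RE.findall(detail)})})
    return report

def verdict(report):
    """Turn the findings into the next checks a practitioner should make."""
    notes = []
    for f in report["engine_failures"]:
        if f["certificate_related"]:
            notes.append("engine start failed while creating the client certificate: the server cannot "
                         "have seen a certificate for this run, so check the client prerequisites first")
    for f in report["session_failures"]:
        if "BadSecureChannelClosed" in f["codes"]:
            notes.append(f"session to {f['endpoint']} was refused with BadSecureChannelClosed: check that "
                         "the server listens on exactly that port and its rejected/trusted certificate lists")
    for gap in report["run_gaps_seconds"]:
        notes.append(f"{gap:.0f} s between engine start attempts: confirm whether the log covers one run or two")
    return notes

if __name__ == "__main__":
    for line in verdict(triage(SAMPLE_LOG)):
        print("-", line)
```

Run against a real log, the script takes the file contents in place of SAMPLE_LOG; the useful property is that an engine-level failure is reported separately from a session-level one, so a "client not in trusted clients" symptom is not chased on the server when the client never sent a certificate.
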
05 Feb 2015 17:07 #2722 by admin
Thank you very much! I understand now what you are doing, and what is happening. But I do not know the cause yet.

I also understand the thinking behind manually copying the certificate to the server's trust list from the cert store. The idea itself makes some sense; however, the reason why the cert has not appeared automatically in the KEPware server "rejected certs" is probably because the client cannot reach the endpoint, and that it is what has to be resolved first (or only).

It should not be necessary to open a port other than the port indicated in the server's URL.

Would it be possible that you add event logging to your app? We have a static event in the component that you can hook to and write a handler to store the events into a text file, for example. I can help with that. This can give us internal information which may reveal the cause of the problem.

If you can, please use version 5.32 for any tests, as it has the most up-to-date code.

Best regards

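The point made above, that only the port in the server's endpoint URL needs to be reachable, can be checked below the level at which certificates matter. An OPC UA TCP connection begins with a Hello/Acknowledge exchange (OPC UA Part 6) that precedes OpenSecureChannel, so a server that answers Hello with Acknowledge is running and speaking UA on that port whether or not it trusts the client certificate; a BadSecureChannelClosed after that points at the security layer, not at networking. The following Python script is an added example, not QuickOPC or Kepware code: it builds the Hello message, decodes Acknowledge and Error replies, and includes a constructed loopback stand-in for the server side so the exchange runs offline. Port 4840 is the IANA-registered opc.tcp port and is used only as a default when the URL carries none; the 65535 buffer sizes and the 65536 reply bound are assumptions for illustration.

```python
"""Added example: OPC UA TCP Hello/Acknowledge probe in Python (not QuickOPC or Kepware code)."""
import socket
import struct
import threading
from urllib.parse import urlsplit

UA_TCP_DEFAULT_PORT = 4840  # IANA-registered opc.tcp port; the thread's server listens on 49154 instead

def parse_endpoint(url):
    """Split an opc.tcp URL into (host, port); the port to probe is the one in the URL, nothing else."""
    parts = urlsplit(url)
    if parts.scheme != "opc.tcp" or not parts.hostname:
        raise ValueError(f"not an opc.tcp endpoint URL: {url!r}")
    return parts.hostname, parts.port or UA_TCP_DEFAULT_PORT

def build_hello(endpoint_url, buffer_size=65535):
    """Hello: 'HEL' 'F' MessageSize, then ProtocolVersion, buffer sizes, MaxMessageSize, MaxChunkCount, URL."""
    url = endpoint_url.encode("utf-8")
    body = struct.pack("<IIIII", 0, buffer_size, buffer_size, 0, 0)  # 0 in the max fields means no limit
    body += struct.pack("<i", len(url)) + url                         # UA String: int32 length + bytes
    return b"HELF" + struct.pack("<I", 8 + len(body)) + body

def build_error(code, reason):
    """Error: what a server sends instead of Acknowledge when it refuses the Hello."""
    text = reason.encode("utf-8")
    body = struct.pack("<Ii", code, len(text)) + text
    return b"ERRF" + struct.pack("<I", 8 + len(body)) + body

def parse_reply(data):
    """Decode an Acknowledge or Error; anything else means the peer is not speaking OPC UA TCP."""
    if len(data) < 8 or struct.unpack("<I", data[4:8])[0] != len(data):
        raise ValueError("reply is not a single well-formed UA TCP message")
    if data[:3] == b"ACK" and len(data) >= 28:
        names = ("protocol_version", "receive_buffer_size", "send_buffer_size",
                 "max_message_size", "max_chunk_count")
        return "ACK", dict(zip(names, struct.unpack("<IIIII", data[8:28])))
    if data[:3] == b"ERR" and len(data) >= 16:
        code, length = struct.unpack("<Ii", data[8:16])
        return "ERR", {"code": code, "reason": data[16:16 + length].decode("utf-8") if length > 0 else ""}
    raise ValueError(f"unexpected message type {data[:3]!r}")

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before a full message arrived")
        buf += chunk
    return buf

def ua_hello(url, timeout=3.0):
    """Return ('ACK', info), ('ERR', info), ('UNREACHABLE', info) or ('NOT_OPCUA', info)."""
    host, port = parse_endpoint(url)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_hello(url))
            header = _recv_exact(sock, 8)
            size = struct.unpack("<I", header[4:8])[0]
            if not 8 <= size <= 65536:  # assumed sane bound; a real Acknowledge is 28 bytes
                raise ValueError(f"implausible MessageSize {size}")
            return parse_reply(header + _recv_exact(sock, size - 8))
    except OSError as exc:      # refused, timed out, no route: nothing answering at that port
        return "UNREACHABLE", {"host": host, "port": port, "error": type(exc).__name__}
    except ValueError as exc:   # port open, but whatever answered is not an OPC UA TCP server
        return "NOT_OPCUA", {"host": host, "port": port, "error": str(exc)}

def fake_ua_server(reject_with=None):
    """Constructed loopback stand-in for the server side (not Kepware): answers one Hello, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            if conn.recv(4096)[:3] == b"HEL":
                if reject_with is None:
                    body = struct.pack("<IIIII", 0, 65535, 65535, 0, 0)
                    conn.sendall(b"ACKF" + struct.pack("<I", 8 + len(body)) + body)
                else:
                    conn.sendall(build_error(*reject_with))
    threading.Thread(target=serve, daemon=True).start()
    return port

def closed_port():
    """Pick a loopback port nothing is listening on (bind an ephemeral port, read it back, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(ua_hello(f"opc.tcp://127.0.0.1:{fake_ua_server()}"))  # expect ('ACK', {...})
    print(ua_hello("opc.tcp://127.0.0.1:49154"))                 # the thread's endpoint, if a server is local
```

Reading the result: UNREACHABLE means the TCP port itself is not answering (nothing listening, firewall, wrong port); NOT_OPCUA means something answered but not with a UA TCP message; ACK means the server is up on that port and the next thing to examine is the certificate trust on the server side; ERR carries the server's own reason for refusing the Hello.
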
05 Feb 2015 12:20 #2716 by adid@contel.co.il
Hello,

Maybe I didn't explain myself well; I will try again.

If I use my computer for both the client (a simple WinForm app) and the Kepware server, then the client causes "BadSecureChannelClose", I see the client under trusted clients, and I need to trust it; this works fine.

Then I try the same operation in production.
Both the client (the same WinForm app) and the Kepware server are located on the same computer in production. The WinForm app returns "BadSecureChannelClose", but (and this is the problem) I don't see the client in the trusted clients list in Kepware. I checked telnet 127.0.0.1 49154 in production and it's open. I also tried to export the certificate that was created in CertificateStore\UA Application and import it into Kepware; I succeeded in doing that, but the WinForm still returns "BadSecureChannelClose".

What I tried to explain earlier is this:
When I use my computer for both the client (simple WinForm app) and the Kepware server, and I am not using any VPN, it all works fine, as described at the beginning. Then I go to Kepware and delete the client that was added to the trusted clients list, and go to the certificate store and delete the certificate that was created. Then I try the same operation while connected to VPN:
Again both the client (the same WinForm app) and the Kepware server are located on my computer (but what is different now is that I am connected to VPN). Now I use the client application; it returns "BadSecureChannelClose" and I saw that a certificate was created. But when I go back to Kepware now, I don't see the client in the trusted clients list.

Because of that, I ask: is there any way the VPN is blocking something? Do I need to make sure a port is open besides port 49154?

Thank you,
Adi Damty

05 Feb 2015 10:39 #2712 by support
I am confused. Or maybe you are confused, or we both are.

The server side isn't really where our expertise should be, but as far as I know about Kepware, the "trusted client":

1) Does not depend on the network location or port etc. of the client. The only thing it knows about is the client instance certificate. If the server receives a certificate that it does not trust, it rejects the connection, and stores the certificate and allows you to trust it.

2) The trusted clients are permanent - unless you specifically remove the trust, it stays trusted by the server.

On the client side, when we create a certificate for the application, we store it, and on the next run we just use the previously created certificate.

With this given, I understand practically nothing of your email. Here are the main points:

A) "When I disconnect from client VPN" .... "it shows the client under trusted client...". If there is no connection from the client to the server, how can anything be affected on the server ??

B) "Then I connected ..." ..... "but I do not see the client under trusted client". Does that mean that the client disappeared by itself from the Kepware trusted client list? I do not think this is the way Kepware works.

C) ... is there any port the OpcLabs connect to the Kepware". I do not understand the question. The client attempts to connect using the port that you specify.

If you need help, please provide precise steps and precise information.

Best regards