0

I’ve written an OPC UA Client and i’m using ProSys OPC UA Simulator Server to test it. Running in Anonymous mode my client connects and i can browse the server. however when I configure my client to use a Username and Password it fails with No Suitable UserTokenPolicy found for the possible endPoints. I’ve debugged it and it appears that http://opcfoundation.org/UA/Se…..olicy#None is not in the endpoints userIdentityTokens array, although in ProSys it states it is.

I’ve set up a user in The OPC UA Simulator Username & Passord box is ticked Security Modes = None Security Policies = None are ticked

The list of server EndPoints Security Mode = None Security Policy = None So i would expect to see it in userIdentityTokens array.

My Client is written using the Open62541 libraries

Any help would be appreciated.

Thanks

NOZ77
  • 69
  • 6

1 Answers1

0

I haven't used the Open62541 libraries, but it seems the standard allows the OPC server to require that the username and password are encrypted even when the rest of the transport is not signed or encrypted.

It appears that at some point in time (and maybe still), Open62541 doesn't handle encrypting the password. Here are a couple of related github issues:

https://github.com/open62541/open62541/issues/934

https://github.com/open62541/open62541/issues/1548

https://github.com/open62541/open62541/issues/2757

I am working on a node.js OPC UA client based on the node-opcua library, and I was able to verify that I can connect to the ProSys OPC-UA simulation server with the security mode set to none and user authentication set to username & password. I do not know what type of password encryption node-opcua is doing behind the scenes, but it works.

----- Additional info -------

I found another forum with some clarification: https://forum.prosysopc.com/forum/opc-ua/clarification-on-opensecurechannel-messages-and-x509identitytoken-specifications/

The key part:

If passwords are sent, they will be encrypted as defined by the UserTokenPolicy (which is separate from SecurityPolicy, but similar). The Application Instance Certificates will be used for the encryption in this case – and therefore they are required to be exchanged even when MessageSecurityMode=None.

bruceceng
  • 1,844
  • 18
  • 23