opc ua - Understanding OPC-UA Security using Eclipse Milo

Question

I am new to this OPC-UA world and Eclipse Milo. I do not understand how the security works here, Discussing about client-example provided by eclipse-milo

I see few properties of security being used to connect to the OPCUA Server:

SecurityPolicy, MessageSecurityMode, clientCertificate, clientKeyPair, setIdentityProvider,

1. How the above configurations are linked with each other?

I was trying to run client-examples -> BrowseNodeExample. This example internally runs the ExampleServer. ExampleServer is configured to run with Anonymous and UsernamePassword Provider. It is also bound to accept SecurityPolicy.None, Basic128Rsa15, Basic256, Basic256Sha256 with MessageSecurityMode as SignandEncrypt except for SecurityPolicy.None where MessageSecurityMode is None too.

2. The problem is with AnonymousProvider I could connect to the server with all SecurtiyPolicy and MessageSecurityMode pair mentioned above (without client certificates provided). But I could not do the same for UsernameProvider, For UsernameProvider only SecurityPolicy MessageSecurityMode pair with None runs successfully. All others pairs throw security checks failed exception (when certificate provided) else user access denied (when client certificate not provided). How to make this work?

Lastly, It would be really nice if someone could point me to proper User documentation for Eclipse Milo. Since I could not see any documentation except examples codes, and they are not documented.

Answer 1

SecurityPolicy and MessageSecurityMode go hand-in-hand. The security policy dictates the set of algorithms that will be used for signatures and encryption, if any. The message security mode determines whether the messages will be signed, signed and encrypted, or neither in the case where no security is used.

clientCertificate and clientKeyPair must be configured if you plan to use security. You can't use encryption or signatures if you don't have a certificate and private key, after all.

IdentityProvider used to provide the credentials that identify the user of the session, if any.

When the ExampleServer starts up it logs that its using a temporary security directory, something like this: security temp dir: /var/folders/z5/n2r_tpbn5wd_2kf6jh5kn9_40000gn/T/security. When a client connects using any kind of security its certificate is not initially trusted by the server, resulting in the Bad_SecurityChecksFailed errors you're seeing. Inside this directory you'll find a folder rejected where rejected client certificates are stored. If you move the certificate(s) to the trusted folder the client should then be able to connect using security.