Reputation: 51
I am trying to connect to Prosys opcua simulation server using milo (0.4.2)
/home/user/.prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs
/home/user/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs
I checked that in prosys ui both certificates appeared & look trusted
Finally, when I am making a connection with auth mode as certificate and transport security as Sign (using all the keys & certificates generated in step 1), I run into a rather funny exception inside Milo like:
Exception in thread "main" java.util.concurrent.ExecutionException: UaException: status=Bad_SecurityChecksFailed, message=unknown securityAlgorithmUri: null
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1999)
at de.api.snippets.derReader.main(derReader.java:68)
Caused by: UaException: status=Bad_SecurityChecksFailed, message=unknown securityAlgorithmUri: null
at org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm.fromUri(SecurityAlgorithm.java:143)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory.lambda$createSession$49(SessionFsmFactory.java:852)
at org.eclipse.milo.opcua.sdk.client.session.SessionFsmFactory$$Lambda$2643/0000000000000000.apply(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(CompletableFuture.java:1072)
And I actually see that these fields come from prosys empty
Basically, here I am stuck: as you can see from the picture, I requested an endpoint with security mode and received in response I dunno what. I tried all available SecurityPolicy values that Milo provides, but in all cases I ran into the same situation.
So the first question is: what must be specified in this securityAlgorithmUri, and is there any way to get Prosys to fill it in correctly?
Upvotes: 3
Views: 581
Reputation: 51
As a reminder: the issue with Prosys really was due to the usage of the OPC over HTTPS protocol to connect to the server.
So after I switched to OPC over TCP, I managed to discover endpoints that made use of a certificate to authenticate the user and message-level security Sign&Encrypt.
By the way: if somebody is in search of a script to generate a user certificate using openssl, here is a sample conf file:
openssl req -x509 -config openssl_cert.conf -extensions 'my server exts' -nodes \
-days 365 -newkey rsa:2048 -keyout user.key -out user.crt
and file content:
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
# The bare minimum is probably a commonName
commonName = user
countryName = DE
localityName = DE
organizationName = comp
organizationalUnitName = comp Dept.
stateOrProvinceName = DE
# placeholder address
emailAddress = user@example.com
name = user
surname = user
givenName = user
initials = uu
dnQualifier = some
[ my server exts ]
extendedKeyUsage = clientAuth, codeSigning
keyUsage = digitalSignature, keyAgreement, keyEncipherment, nonRepudiation, dataEncipherment, keyCertSign
Upvotes: 1
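The endpoint choice described in the answer above (UA TCP instead of HTTPS, Sign&Encrypt, certificate user token), written out as an added example that is not part of the original post or of Milo's own code. It targets the Milo 0.4.x API; the class name, the sample host names and the Basic256Sha256 policy are assumptions.

```java
import java.util.*;
import org.eclipse.milo.opcua.stack.client.DiscoveryClient;
import org.eclipse.milo.opcua.stack.core.types.builtin.ByteString;
import org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned;
import org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode;
import org.eclipse.milo.opcua.stack.core.types.enumerated.UserTokenType;
import org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription;
import org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy;

public class TcpEndpointSelector {
    // Assumed policy for the sample data; a real server reports its own.
    static final String POLICY = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256";

    // Keep only UA TCP endpoints that sign and encrypt and accept an X.509 user token.
    // https:// endpoints are skipped; the highest securityLevel wins.
    static Optional<EndpointDescription> select(List<EndpointDescription> endpoints) {
        return endpoints.stream()
            .filter(e -> e.getEndpointUrl() != null
                && e.getEndpointUrl().toLowerCase(Locale.ROOT).startsWith("opc.tcp://"))
            .filter(e -> e.getSecurityMode() == MessageSecurityMode.SignAndEncrypt)
            .filter(e -> e.getUserIdentityTokens() != null
                && Arrays.stream(e.getUserIdentityTokens())
                    .anyMatch(t -> t.getTokenType() == UserTokenType.Certificate))
            .max(Comparator.comparingInt(e -> e.getSecurityLevel().intValue()));
    }

    // Constructed sample data (hypothetical hosts and ports), not captured from a real server.
    static List<EndpointDescription> sample() {
        UserTokenPolicy[] cert = {
            new UserTokenPolicy("certificate", UserTokenType.Certificate, null, null, POLICY) };
        return Arrays.asList(
            endpoint("https://sim.example:8443/server", cert),
            endpoint("opc.tcp://sim.example:4840/server", cert));
    }

    static EndpointDescription endpoint(String url, UserTokenPolicy[] tokens) {
        return new EndpointDescription(url, null, ByteString.NULL_VALUE,
            MessageSecurityMode.SignAndEncrypt, POLICY, tokens, null, Unsigned.ubyte(3));
    }

    public static void main(String[] args) throws Exception {
        // With a discovery URL as argument, query the live server; otherwise use the sample list.
        List<EndpointDescription> endpoints =
            args.length > 0 ? DiscoveryClient.getEndpoints(args[0]).get() : sample();
        for (EndpointDescription e : endpoints) {
            System.out.println(e.getEndpointUrl() + " " + e.getSecurityMode() + " " + e.getSecurityPolicyUri());
        }
        System.out.println("selected: " + select(endpoints).map(EndpointDescription::getEndpointUrl)
            .orElse("none: no opc.tcp endpoint offers SignAndEncrypt with certificate user tokens"));
    }
}
```

Run without arguments it prints both constructed endpoints and selects the opc.tcp one; the selected endpoint is what would be passed to the client configuration.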
Reputation: 6985
Best I can tell this is a bug in the Prosys stack or server.
It doesn’t seem to occur when using the standard UA TCP transport, so give that a try instead of HTTPS.
Upvotes: 0