Reputation: 51
I set up a python opcua server with security string "Basic256Sha256,SignAndEncrypt,cert.pem,key.pem". If I take the InformationObject OPC client I can connect to the server by giving the following information: Endpoint URL, Transport Protocol (opc.tcp), Message Encoding (Binary), Security Mode (Sign & Encrypt), Security Policy (Basic256Sha256), User: Anonymous, but I don't give any cert or key pem path. How is this possible? Is there a handshake where the server shares cert and key with the client? How is it possible to implement this kind of behavior in a client made with Python opcua?
Upvotes: 1
Views: 1886
Reputation: 1134
You need a certificate when using a Security Policy other than None. See https://reference.opcfoundation.org/v104/Core/docs/Part7/6.6.165/; it states that you need a PKI infrastructure. In the client context you need to provide an application certificate (DER public key, PEM private key).
The reason is to block clients with untrusted certificates from connecting to a server. Without a PKI anybody can start a man-in-the-middle attack, which would defeat any encryption.
To generate a certificate, use the example script provided by python opcua: https://github.com/FreeOpcUa/python-opcua/blob/master/examples/generate_certificate.sh.
Upvotes: 1
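As an added illustration of the answer above (this is example code, not the answerer's or the python-opcua project's own), here is a python-opcua client that supplies its own application certificate and private key through the same security-string format the question's server uses. The helpers parse and sanity-check the string before any network call so that a missing cert or key fails with a clear message instead of an opaque handshake error. The endpoint URL, `client_cert.der` and `client_key.pem` are placeholders; `connect_with_certificate` assumes the `opcua` package is installed.

```python
# Added example (not from the question or answer): a python-opcua client that
# supplies its own application certificate and private key, as the answer
# says is required for any Security Policy other than None.
import os
from dataclasses import dataclass
from typing import Callable, Optional

# Values accepted by python-opcua's Client.set_security_string()
KNOWN_POLICIES = {"None", "Basic128Rsa15", "Basic256", "Basic256Sha256"}
KNOWN_MODES = {"None", "Sign", "SignAndEncrypt"}


@dataclass
class SecurityConfig:
    policy: str
    mode: str
    cert_path: Optional[str] = None         # client application certificate (DER or PEM)
    key_path: Optional[str] = None          # matching private key (PEM)
    server_cert_path: Optional[str] = None  # optional pinned server certificate


def parse_security_string(security_string: str) -> SecurityConfig:
    """Parse "<Policy>,<Mode>,<cert>,<key>[,<server_cert>]" into a SecurityConfig.

    A bare "None" (or an empty string) means no security is requested.
    """
    parts = [p.strip() for p in security_string.split(",")] if security_string else []
    if not parts or parts == ["None"]:
        return SecurityConfig(policy="None", mode="None")
    if len(parts) < 4:
        raise ValueError("expected at least 4 comma-separated values: %r" % security_string)
    policy, mode, cert, key = parts[:4]
    server_cert = parts[4] if len(parts) >= 5 else None
    if policy not in KNOWN_POLICIES:
        raise ValueError("unknown security policy %r" % policy)
    if mode not in KNOWN_MODES:
        raise ValueError("unknown message security mode %r" % mode)
    return SecurityConfig(policy, mode, cert, key, server_cert)


def check_config(cfg: SecurityConfig, exists: Callable[[str], bool] = os.path.exists) -> None:
    """Raise ValueError when a non-None policy is requested without usable client credentials."""
    if cfg.policy == "None":
        if cfg.mode != "None":
            raise ValueError("policy None cannot be combined with mode %r" % cfg.mode)
        return
    if cfg.mode == "None":
        raise ValueError("policy %r requires mode Sign or SignAndEncrypt" % cfg.policy)
    for label, path in (("certificate", cfg.cert_path), ("private key", cfg.key_path)):
        if not path or not exists(path):
            raise ValueError("client %s file missing: %r" % (label, path))


def connect_with_certificate(endpoint_url: str, security_string: str):
    """Open a python-opcua Client session using the given security string.

    The import is local so the parsing/validation helpers above work without
    python-opcua installed. The caller is responsible for client.disconnect().
    """
    from opcua import Client  # pip install opcua

    cfg = parse_security_string(security_string)
    check_config(cfg)  # fail early with a clear message instead of a handshake error
    client = Client(endpoint_url)
    if cfg.policy != "None":
        # Loads the client cert/key and selects policy + message security mode.
        client.set_security_string(security_string)
    # No set_user() call: the session authenticates as Anonymous, as in the question.
    client.connect()
    return client


if __name__ == "__main__":
    # Placeholder values: replace with your server's endpoint and your own cert/key files.
    client = connect_with_certificate(
        "opc.tcp://localhost:4840/freeopcua/server/",
        "Basic256Sha256,SignAndEncrypt,client_cert.der,client_key.pem",
    )
    try:
        print(client.get_root_node().get_children())
    finally:
        client.disconnect()
```

The server still decides whether to accept the session: with a real PKI it will only trust client certificates it has been configured to trust, which is the point the answer makes about blocking untrusted clients.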