open62541 client connect to remote Kepware OPCUA - how to install client certificate


iquest.c...@gmail.com

Jul 13, 2016, 10:42:17 AM
to open62541
Hi open62541 team,

I am using open62541 to write a simple OPCUA client running on a Raspberry Pi. I want to connect to a remote Kepware Server running on Windows.

The requirement is to use secure communications, i.e. certificates. 

I am able to connect and read data as long as server endpoint isn't checking for certificates, i.e. "none" is checked for endpoint security in Kepware. 

However, if I uncheck "none" for the endpoint on Kepware (and check Basic 128/256), the client cannot connect and throws the error: "no suitable endpoint found". I believe this is because I need to configure the client to use the Server's certificate, but I don't know how to "tell" the client to use the certificate (.der file) I exported from Kepware.

I did place the .der file exported from Kepware into the SSL certs folder, but not sure this is enough. I assume I have to somehow tell the client to use it. 

So, can someone tell me how I need to configure the client to use a certificate in order to connect to a remote server?

Thanks!!

Bob Meads




Sten Grüner

Jul 13, 2016, 10:49:28 AM
to open...@googlegroups.com
Hello Bob,

the simple answer is unfortunately that we do not support encryption profiles yet (except the "none" security profile). Therefore, the client just rejects endpoints that require any security level that is higher than "none".

I am aware of some work in this direction, however no ETA can currently be given (cf. the "Roadmap" question on the mailing list recently).

Sorry

-Sten


-- 
Sten Grüner
Research Associate
Chair of Process Control Engineering
RWTH Aachen University

Turmstrasse 46, 52064 Aachen, Germany
Tel. +49 (0) 241 80-97745
Fax  +49 (0) 241 80-92238

www.plt.rwth-aachen.de 

Bob Meads

Jul 13, 2016, 11:21:37 AM
to open62541, s.gr...@plt.rwth-aachen.de
Sten

Thanks for your quick reply. It wasn't clear to me that client code didn't support certificates. Yikes!

I will keep checking back to see if there is some work on this. I think it's really important that your client supports encryption; because of Stuxnet and other attacks, plants are really going to OPCUA and using encryption / security to make sure everything is secure.

Julius Pfrommer

Jul 13, 2016, 12:04:13 PM
to open62541, s.gr...@plt.rwth-aachen.de
Bob,


> I will keep checking back to see if there is some work on this. I think it's really important that your client supports encryption; because of Stuxnet and other attacks, plants are really going to OPCUA and using encryption / security to make sure everything is secure.

I supervise the student who is currently developing encryption for his thesis.
ETA of the code is in 2-3 months. However, as things go with thesis projects, we need to see how much cleanup / code review is necessary before this lands in the master branch.

Encryption is definitely not going to be in the next release v0.2.

Best regards,
Julius