Use certificate / encrypted communication using OPC UA Adapter

[dsdbusch]

For security reason we will need an encrypted communication between OPC-UA-Server and the adapter. Currently the OPC-UA-Server must allow "security none" to work with your adapter. You will also need a certificate to authenticate the adapter when connecting to the OPC-UA-Server and use encrypted communication.

[dominikriemer]

HI @dsdbusch this has been recently added (although not yet released).
Please check if the approach described in the documentation works for you:
https://github.com/apache/streampipes/blob/dev/streampipes-extensions/streampipes-connectors-opcua/src/main/resources/org.apache.streampipes.connect.iiot.adapters.opcua/documentation.md

[dsdbusch]

I don't get it running. I created a certificate pfx file containing
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:PC-BU, DNS:localhost, IP Address:127.0.0.1, URI:urn:PC-BU:dsd-automation.industream
I also defined the following environment variables inside the docker's yml file:
- SP_OPCUA_SECURITY_DIR=/media/dsd/certificates
- SP_OPCUA_KEYSTORE_FILE=/media/dsd/certificates/myCertificate.pfx
- SP_OPCUA_KEYSTORE_PASSWORD=securePassword
- SP_OPCUA_APPLICATION_URI=urn:PC-BU:dsd-automation.industream

SP_OPCUA_SECURITY_DIR seems to be okay, as /media/dsd/certificates/pki/issuers/certs and crl will be created while trying to connect to an OPCUA server.

I don't get any connection - all i get is an non-saying error message: io.netty.channel.StacklessClosedChannelException

What about the OPC-Server's certificate (.der file)? I copied it manually to pki/trusted/certs - no changes

[dsdbusch]

It seems accessing and reading my pfx-file is working fine.
I changed SP_OPCUA_KEYSTORE_FILE=myCertificate.pfx - i got the same message.
When renaming the pfx file in the provided directory to something else I get an errormessage "Failed to load keystore - check that all required environment variables are defined and the keystore exists" and in details the full path is written: Error Details - Probable cause - /media/dsd/certificates/myCertificate.pfx

[dominikriemer]

One thing you can try to ensure the proper key is chosen is to check the alias of your key and provide the proper alias as an environment variable: SP_OPCUA_KEYSTORE_ALIAS.
Can you connect to the server with other OPC UA clients?

[dsdbusch]

What do you mean with "alias of your key"? I can connect to the same OPC server using no security as i did before. Other applications like "dataFEED OPC UA client" can connect using security options

[dominikriemer]

When running keytool -list -v -keystore keystore.pfx -storetype PKCS12, do you see something like Alias Name in the output?

[dsdbusch]

keytool gives the following output:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Jan 17, 2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=industream, O=DSD Automation, L=Trier, C=DE
Issuer: CN=industream, O=DSD Automation, L=Trier, C=DE
Serial number: 3da4911ce0b242eb
Valid from: Thu Jan 16 15:28:37 UTC 2025 until: Fri Jan 16 15:28:37 UTC 2026
Certificate fingerprints:
SHA1: 14:48:9B:62:48:D1:AA:01:DF:21:A6:89:60:C7:16:91:ED:DF:37:2E
SHA256: 59:77:D6:DC:06:61:35:80:7B:24:40:0A:29:40:74:68:13:9B:4D:77:7B:12:B5:85:5B:03:47:A6:24:E5:81:EE
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
Key_CertSign
]

#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: PC-BU
DNSName: localhost
IPAddress: 127.0.0.1
URIName: urn:PC-BU:dsd-automation.industream
]

---

---

Added - SP_OPCUA_KEYSTORE_ALIAS=1
It worked for me - BUT:
The opc-server's certificate (.der) had to be added MANUALLY to pki/trusted/certs

The opc-server shows as expected my generated certificate as untrusted and i had to add it to the trusted ones (as expected - alternatively i could add my certificate as a .der-file directly to the opc-servers trusted store

Thank you for your support!

[dominikriemer]

Would you prefer that all server certificates are trusted by default?

[dsdbusch]

You are right - i didn't had a look inside pki/rejected before. On the first connect OPC-server's certificate was automatically created here. I think this is the default way for security reasons. Softing's OPC-server does it in the same manner.

But here the adapter will be the initiatior for the communication / handshake. So it may be a good idea to trust the requested opc-server by default.

[dsdbusch]

Do i need the keytool stuff at any new certificate, or is this just a bug's workaround? Do i still need all the other env-variables?