RE: OPCUA SSL problem

[Majer Karel via Tech-talk <tech-talk at aps.anl.gov>]

Hi Ralph,

 

I built the device support with UASdk, but the IOC crashes on startup with Segmentation fault:

 

#!../../bin/linux-x86_64/opcua

< envPaths

epicsEnvSet("IOC","iocopcua")

epicsEnvSet("TOP","/usr/EPICS/IOCs/opcua")

epicsEnvSet("EPICS_BASE","/usr/EPICS/epics-base")

epicsEnvSet("OPCUA","/usr/EPICS/support/opcua")

cd "/usr/EPICS/IOCs/opcua"

## Register all support components

dbLoadDatabase "dbd/opcua.dbd"

opcua_registerRecordDeviceDriver pdbbase

opcuaSession PLC opc.tcp://192.168.0.250:4840

|0x84275B80| 08:59:26.822Z OpcUa_P_Socket_InitializeNetwork: RLIMIT_NOFILE:1048576 larger than supported FD_SETSIZE:1024

opcuaOptions PLC debug=1

Session PLC: setting option debug to 1

opcuaSetupPKI /usr/PKI

OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/trusted/certs)

OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/trusted/crl)

OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/issuers/certs)

OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/issuers/crl)

opcuaClientCertificate /usr/openssl/cert.der /usr/openssl/key.pem

opcuaOptions PLC sec-policy=Basic256Sha256

Session PLC: setting option sec-policy to Basic256Sha256

opcuaSubscription RockwellPSI PLC 100

dbLoadRecords("db/FCT-RockwellPSI.db")

cd "/usr/EPICS/IOCs/opcua/iocBoot/iocopcua"

iocInit

Starting iocInit

############################################################################

## EPICS R7.0.8

## Rev. 2024-05-07T19:43+0000

## Rev. Date build date/time:

############################################################################

OPC UA Client Device Support 0.10.0-dev (-); using Unified Automation C++ Client SDK v1.8.4-632

iocRun: All initialization complete

OPC UA: Autoconnecting sessions

Session PLC: (disconnect) already disconnected (Disconnected)

Session PLC: (setupIdentity) setting Anonymous token

Session PLC: (setupSecurity) no security configured

Segmentation fault (core dumped)

 

I could download only evaluation version 1.8.4 of UASdk and noticed that the device support should work up to version 1.7. Is there anything I can try to get this running?

 

Kind regards,

 

Karel

 

From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Ralph Lange via Tech-talk
Sent: Friday, October 4, 2024 12:58 PM
To: EPICS Tech Talk <tech-talk at aps.anl.gov>
Subject: Re: OPCUA SSL problem

 

Hi Karel,

 

The low-level client, Open62541 in your case, indeed handles most of the dealing with OpenSSL for the Secure OPC UA connections.

 

Hmmm... more things you could try:

• In your container, install the evaluation bundle of the UA SDK. (The evaluation bundle has full features, just limited to one hour of runtime.) Build the OPCUA Device Support against that.
  The two IOC binaries (linked against Open62541 and UASDK-Eval) are drop-in compatible and you can run either one of them against your server. The Wireshark captures should be directly comparable. (UAExpert also uses the UASDK as its low-level client.)
• Do the same thing on an older Linux version (using OpenSSL1) with the Open62541 client against one of the "binary distribution" tars (that have a fully working version of the OPCUA  Support with UASDK using OpenSSL1) to see if behavior changes between the OpenSSL versions.
• Use the UASDK demo server (part of the mentioned bundle), where you have full access to the server certificates. You can create and configure the server with self-signed or CA-signed certificates and check how the IOC needs to be set up to be able to connect.

 

The key thing to find out is if the issue is caused by how the Device Support handles the open62541 client or by how the open62541 client handles OpenSSL or by the server acting differently from other servers.

Thanks for your help and patience!

 

Cheers,

~Ralph