
Support user/password identity on unsecure connection #132

Closed
ralphlange opened this issue Feb 17, 2022 · 4 comments

@ralphlange (Member)

Reported by Markus Meyer (HZDR):

I recently started to test around with the opcua epics module in https://github.com/epics-modules/opcua.
I have a Siemens S7-1500 where only the "None" security endpoint is enabled but a user login is configured while the anonymous user is disabled. I successfully tested the connection with UaExpert.

I use tag v0.9.3 and uasdk version 1.7.3 on windows-64 (MSVC 2019 64 bit) for this test.

I tried the following to connect the endpoint:

  1. Create a session and a subscription
  2. Set "sec-mode=None"
  3. Set "sec-id" to a file with "user=root" and "pass=secret"
  4. The output is the following:
OPC UA Client Device Support 0.9.3 (v0.9.3-0-g20fd88c); using Unified Automation C++ Client SDK v1.7.3-505
OPC UA: Autoconnecting sessions
Session OPC2: (disconnect) already disconnected (Disconnected)
Session OPC2: (setupClientSecurityInfo) setting up PKI provider
Session OPC2: (setupClientSecurityInfo) no client certificate configured
Session OPC2: (setupSecurity) no security configured
OPC UA session OPC2: connection status changed from Disconnected to ConnectionErrorApiReconnect
Session OPC2: connect service succeeded
iocRun: All initialization complete
epics> Session OPC UA session OPC2: connection status changed from
ConnectionErrorApiReconnect to Disconnected
OPC2: disconnect service ok
@ralphlange ralphlange added the enhancement New feature or request label Feb 17, 2022
@ralphlange ralphlange added this to the 0.10 pre-release milestone Feb 17, 2022
@ralphlange ralphlange self-assigned this Feb 17, 2022
@ralphlange (Member, Author)

As of now, the unsecured connection only supports the anonymous identity.

If UaExpert (using the same SDK) supports a user/password identity on an unsecured connection, this sounds like a useful and reasonable extension.

@ralphlange (Member, Author)

More details (from Markus):

The Siemens PLC only offers the unsecured endpoint. Anonymous access is disabled; instead, a user/password has been configured.

Using "none" on the IOC is correct. If the server certificate is downloaded and trusted, it is used to encrypt the password (UaExpert does it that way).

Screenshots

  1. Adding the server. Security "none" and user/pass authentication.
  2. Wireshark trace post connect, only the "none" endpoint is available, with UserName identity token.
  3. In UaExpert I have to enter the credentials and trust the server certificate.
  4. Wireshark trace after trusting the server cert. ActivateSessionRequest contains the encrypted password.

Adding setupIdentity(); after line

securityInfo.setAnonymousUserIdentity();
seems to work.

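The Wireshark traces above show an ActivateSessionRequest carrying a UserNameIdentityToken whose password is either encrypted with the trusted server certificate or, when no user-token security policy applies, sent as-is. As an added example (not code from the opcua module or from the fix Markus describes), here is a stdlib-only Python encoder/decoder for that token in the OPC UA binary encoding, plus a check that flags a token whose password field is not encrypted. The policy ids and the ciphertext blob used in testing are constructed values.

```python
import struct
from dataclasses import dataclass

# NodeId i=324 is UserNameIdentityToken_Encoding_DefaultBinary (OPC UA Part 6).
USERNAME_TOKEN_BINARY_ID = 324
# Algorithm URI a Basic256Sha256 user-token policy names for the encrypted password.
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep"


@dataclass
class UserNameIdentityToken:
    policy_id: str
    user_name: str
    password: bytes            # plaintext, or the RSA-OAEP blob over (password || serverNonce)
    encryption_algorithm: str  # "" (null on the wire) means the password is not encrypted


def _put(data: bytes) -> bytes:
    """OPC UA String/ByteString: Int32 length prefix followed by the raw bytes."""
    return struct.pack("<i", len(data)) + data


def _get(buf: bytes, pos: int):
    (n,) = struct.unpack_from("<i", buf, pos)
    pos += 4
    if n < 0:                  # -1 encodes a null String/ByteString
        return b"", pos
    return buf[pos:pos + n], pos + n


def encode_token(tok: UserNameIdentityToken) -> bytes:
    """Wrap the token in an ExtensionObject as ActivateSessionRequest carries it."""
    body = (_put(tok.policy_id.encode()) + _put(tok.user_name.encode())
            + _put(tok.password) + _put(tok.encryption_algorithm.encode()))
    # Four-byte NodeId (0x01, ns=0, id=324), body mask 0x01 = ByteString body, Int32 length.
    return struct.pack("<BBHB", 0x01, 0, USERNAME_TOKEN_BINARY_ID, 0x01) + _put(body)


def decode_token(buf: bytes) -> UserNameIdentityToken:
    enc, ns, ident, mask = struct.unpack_from("<BBHB", buf, 0)
    if (enc, ns, ident, mask) != (0x01, 0, USERNAME_TOKEN_BINARY_ID, 0x01):
        raise ValueError("not a binary-encoded UserNameIdentityToken")
    body, _ = _get(buf, 5)
    policy, p = _get(body, 0)
    user, p = _get(body, p)
    pw, p = _get(body, p)
    alg, p = _get(body, p)
    return UserNameIdentityToken(policy.decode(), user.decode(), pw, alg.decode())


def password_in_clear(tok: UserNameIdentityToken) -> bool:
    """True when the password travels unencrypted; on a None channel it is then readable."""
    return tok.encryption_algorithm == ""
```

Feed decode_token the ExtensionObject bytes of a captured userIdentityToken to see which of the two cases a client actually produced.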

@ralphlange ralphlange changed the title Support Support user/password identity on unsecure connection Feb 17, 2022
@ralphlange (Member, Author)

Abel Cano (UGR) is reporting the same issue:

I am trying to connect with the PLC using an unsecured connection and a username/password (via identity file with "user" and "pass"), but I can't find the way to do it. Because the autoconnect option is enabled by default, the IOC tries to connect with the PLC continuously, but with no success.

@ralphlange (Member, Author)

As Abel was not able to test the fix suggested by Markus, I have set up an S7 1500 for verification. I am on it.

ralphlange added a commit to ralphlange/opcua that referenced this issue Mar 20, 2022
- Allow the use of user/pass identity (also token - untested)
  on unencrypted connections.
  If the server certificate is trusted, it will be used to
  encrypt the password - this setup is indeed secure.
- fixes epics-modules#132