
how to resolve it? #305

Closed
devicemate opened this issue Jan 3, 2020 · 7 comments

Comments

@devicemate

Error Info: The user identity token is valid but the server has rejected it. StatusBadIdentityTokenRejected (0x80210000)

@devicemate
Author

I have set the OPC UA server to trusted.

@dwhutchison
Collaborator

That sounds like your authorization profile isn't matching up with the server's.

Can you tell me which authorization method you're using (eg. Anonymous, Username)?

Can you also show the output of the crypto example on your server using the -list flag? It should tell you the valid combinations on all endpoints the server supports.

@devicemate
Author

Thank you! The authorization method is Certificate.

  • list
    2020/01/06 09:03:56 Basic128Rsa15 | SignAndEncrypt | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic128Rsa15 | Sign | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic256 | Sign | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 None | None | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic256 | SignAndEncrypt | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic256Sha256 | Sign | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic256Sha256 | SignAndEncrypt | (UserName,Anonymous,Certificate)

sec-policy is Basic256,
sec-mode is SignAndEncrypt,
auth-mode is Certificate.
The authorization profile was auto-generated the first time, then I set the OPC UA server to trusted.
The second time I used the generated authorization file to connect to the OPC UA server,
errors still occur.

@dwhutchison
Collaborator

Thanks for the info. The server looks like it should support what you're trying to do.

Can you tell me which server you're using?

With Certificate auth, you typically need to also trust the user certificate as well as the policy certificate. You'll also need to use the Config option opcua.AuthCertificate(cert) to load the auth certificate separately from the policy certificate. Even if the same certificate is used for both purposes, the server will typically still require you to trust both (once as a client, the second time as a user).

If you've trusted both certificates and it's still not working, can you share your connection code and a Wireshark dump of the connection attempt (I realize a lot of it will be encrypted but it still helps)? Find me on keybase (user: dwhutchison) if you don't want to post the files publicly.

@magiconair
Member

I'll close this because of age. Please feel free to re-open if necessary.

@boundray

boundray commented Aug 5, 2022

Thank you! The authorization method is Certificate.

  • list
    2020/01/06 09:03:56 Basic128Rsa15 | SignAndEncrypt | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic128Rsa15 | Sign | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic256 | Sign | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 None | None | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic256 | SignAndEncrypt | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic256Sha256 | Sign | (UserName,Anonymous,Certificate)
    2020/01/06 09:03:56 Basic256Sha256 | SignAndEncrypt | (UserName,Anonymous,Certificate)

sec-policy is Basic256, sec-mode is SignAndEncrypt, auth-mode is Certificate. The authorization profile was auto-generated the first time, then I set the OPC UA server to trusted. The second time I used the generated authorization file to connect to the OPC UA server, errors still occur.

I did the same operation and encountered the same problem!
May I take the liberty to ask how you solved it in the end?

@jackchenjc
Contributor

jackchenjc commented Aug 23, 2023

Same operation with similar configs, faced the same problem.

I have tried these:
configs: sec-policy is Basic128Rsa15, sec-mode is Sign, and auth-mode is Certificate

  • opcua.PrivateKey(clientPrivateKey), opcua.Certificate(clientCert), opcua.AuthCertificate(userCert)
    => The user identity token is valid but the server has rejected it. StatusBadIdentityTokenRejected (0x80210000)
  • opcua.PrivateKey(userPrivateKey), opcua.Certificate(clientCert), opcua.AuthCertificate(userCert)
    => EOF, like what I described in #671 (Failed to open a secure channel with AuthCertificate and different certificates)

However, I found that this worked as expected:
configs: sec-policy is None, sec-mode is None, and auth-mode is Certificate

  • opcua.PrivateKey(userPrivateKey), opcua.Certificate(clientCert), opcua.AuthCertificate(userCert)

Note that clientCert is not the same certificate as userCert, which the example does not cover.
It seems that auth-mode: Certificate needs userPrivateKey to work?
Any thought or help would be appreciated.
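The two pieces of advice in this thread (trust both certificates and load the user certificate separately with opcua.AuthCertificate, and check the server's -list output for the policy / mode / token combination you ask for) can be checked locally before a single connection attempt. The Go program below is an added example and not gopcua project code; it uses only the standard library. It assumes nothing about gopcua beyond the option names already quoted in the thread (opcua.Certificate, opcua.PrivateKey, opcua.AuthCertificate), which appear in comments for orientation only; the helper names NewSelfSigned, KeyMatchesCert, ValidateIdentity and EndpointSupports are hypothetical, the key pairs are generated on the fly as constructed test material, and SampleListing is the -list output posted above. ValidateIdentity flags the pairing reported as failing (the application private key supplied alongside a different user certificate), since the X509 identity token is signed with the private key belonging to the certificate it carries.

```go
// Added example (not gopcua code): offline checks before connecting with auth-mode
// Certificate. Helper names are hypothetical; option names in comments are gopcua's.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Identity: application instance cert (opcua.Certificate / opcua.PrivateKey) plus
// the user cert sent in the X509 identity token (opcua.AuthCertificate) and its key.
type Identity struct {
	AppKey   *rsa.PrivateKey
	AppCert  *x509.Certificate
	UserKey  *rsa.PrivateKey
	UserCert *x509.Certificate
}

// NewSelfSigned builds a throwaway RSA key and self-signed cert (constructed test material).
func NewSelfSigned(cn string) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return key, cert
}

// KeyMatchesCert reports whether key is the private half of cert's public key.
func KeyMatchesCert(key *rsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && key != nil && key.PublicKey.Equal(pub)
}

// ValidateIdentity rejects mismatched key/cert pairings before any traffic is sent.
func ValidateIdentity(id Identity) error {
	if !KeyMatchesCert(id.AppKey, id.AppCert) {
		return errors.New("application private key does not match the application certificate")
	}
	if !KeyMatchesCert(id.UserKey, id.UserCert) {
		return errors.New("user private key does not match the user certificate: X509 identity token signature would not verify")
	}
	return nil
}

// SampleListing is the crypto example's -list output as posted in this thread.
const SampleListing = `2020/01/06 09:03:56 Basic128Rsa15 | SignAndEncrypt | (UserName,Anonymous,Certificate)
2020/01/06 09:03:56 Basic128Rsa15 | Sign | (UserName,Anonymous,Certificate)
2020/01/06 09:03:56 Basic256 | Sign | (UserName,Anonymous,Certificate)
2020/01/06 09:03:56 None | None | (UserName,Anonymous,Certificate)
2020/01/06 09:03:56 Basic256 | SignAndEncrypt | (UserName,Anonymous,Certificate)
2020/01/06 09:03:56 Basic256Sha256 | Sign | (UserName,Anonymous,Certificate)
2020/01/06 09:03:56 Basic256Sha256 | SignAndEncrypt | (UserName,Anonymous,Certificate)`

// EndpointSupports parses "timestamp policy | mode | (token,...)" lines and reports
// whether the server advertises the requested policy, mode and user token type.
func EndpointSupports(listing, policy, mode, token string) bool {
	for _, line := range strings.Split(listing, "\n") {
		parts := strings.Split(line, "|")
		if len(parts) != 3 {
			continue
		}
		fields := strings.Fields(parts[0]) // last field is the policy; before it, the log timestamp
		tokens := strings.Trim(strings.TrimSpace(parts[2]), "()")
		if len(fields) > 0 && fields[len(fields)-1] == policy && strings.TrimSpace(parts[1]) == mode &&
			strings.Contains(","+tokens+",", ","+token+",") {
			return true
		}
	}
	return false
}

func main() {
	appKey, appCert := NewSelfSigned("client-app")
	userKey, userCert := NewSelfSigned("opc-user")
	fmt.Println("app key + user cert:", ValidateIdentity(Identity{appKey, appCert, appKey, userCert}))
	fmt.Println("user key + user cert:", ValidateIdentity(Identity{appKey, appCert, userKey, userCert}))
	fmt.Println("Basic256/SignAndEncrypt/Certificate offered:", EndpointSupports(SampleListing, "Basic256", "SignAndEncrypt", "Certificate"))
}
```

Even when both checks pass, the server still has to trust each certificate in the role it is presented in (once as a client application, once as a user), as noted above; these checks only rule out the client-side mistakes that produce the same StatusBadIdentityTokenRejected symptom.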
