
OPC UA: Unsupported security policy #11511

Closed
FHatCSW opened this issue Jul 18, 2022 · 6 comments
Labels
bug unexpected problem or unintended behavior

Comments

@FHatCSW

FHatCSW commented Jul 18, 2022

Relevant telegraf.conf

[[inputs.opcua]]
  ## Metric name
  name = "opcua"
  #
  ## OPC UA Endpoint URL
  endpoint = "opc.tcp://192.168.88.101:4840"

  ## Maximum time allowed to establish a connect to the endpoint.
  connect_timeout = "30s"

  ## Security policy, one of "None", "Basic128Rsa15", "Basic256",
  ## "Basic256Sha256", or "auto"
  security_policy = "auto"

  ## Security mode, one of "None", "Sign", "SignAndEncrypt", or "auto"
  security_mode = "auto"

  ## Authentication Method, one of "Certificate", "UserName", or "Anonymous".  To
  ## authenticate using a specific ID, select 'Certificate' or 'UserName'
  auth_method = "Certificate"

  ## Path to cert.pem. Required when security mode or policy isn't "None".
  ## If cert path is not supplied, self-signed cert and key will be generated.
  certificate = "/etc/telegraf/opc-client.cert.pem"
  #
  ## Path to private key.pem. Required when security mode or policy isn't "None".
  ## If key path is not supplied, self-signed cert and key will be generated.
  private_key = "/etc/telegraf/opc-client.key.pem"

  ## Option to select the metric timestamp to use. Valid options are:
  ##     "gather" -- uses the time of receiving the data in telegraf
  ##     "server" -- uses the timestamp provided by the server
  ##     "source" -- uses the timestamp provided by the source
  timestamp = "gather"

  ## Node ID configuration
  ## name              - field name to use in the output
  ## namespace         - OPC UA namespace of the node (integer value 0 thru 3)
  ## identifier_type   - OPC UA ID type (s=string, i=numeric, g=guid, b=opaque)
  ## identifier        - OPC UA ID (tag as shown in opcua browser)
  ## tags              - extra tags to be added to the output metric (optional)
  ## Example:
  nodes = [
      {name="Sample", namespace="2", identifier_type="i", identifier="2"}
  ]

Logs from Telegraf

opc-client    | INFO:asyncua.client.ua_client.UASocketProtocol:Socket has closed connection
opc-client    | INFO:asyncua.client.client:connect
opc-client    | INFO:asyncua.client.ua_client.UaClient:opening connection
opc-client    | INFO:asyncua.client.ua_client.UASocketProtocol:open_secure_channel
opc-client    | INFO:asyncua.client.ua_client.UaClient:create_session
opc-client    | INFO:asyncua.client.client:find_endpoint [EndpointDescription(EndpointUrl='opc.tcp://192.168.88.101:4840/freeopcua/server/', Server=ApplicationDescription(ApplicationUri='urn:freeopcua:python:server', ProductUri='urn:freeopcua.github.io:python:server', ApplicationName=LocalizedText(Locale=None, Text='Microfab OPC UA Server'), ApplicationType_=<ApplicationType.ClientAndServer: 2>, GatewayServerUri=None, DiscoveryProfileUri=None, DiscoveryUrls=['opc.tcp://0.0.0.0:4840/freeopcua/server/']), ServerCertificate=b'0\x82\x04H0\x82\x030\xa0\x03\x02\x01\x02\x02\x01\x010\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000k1\x0b0\t\x06\x03U\x04\x06\x13\x02DE1\x0b0\t\x06\x03U\x04\x08\x0c\x02BW1\x0c0\n\x06\x03U\x04\x07\x0c\x03FDS1\x1a0\x18\x06\x03U\x04\n\x0c\x11CampusSchwarzwald1\x130\x11\x06\x03U\x04\x0b\x0c\nHackTheFab1\x100\x0e\x06\x03U\x04\x03\x0c\x07Test CA0\x1e\x17\r220715144540Z\x17\r491130144540Z0q1\x0b0\t\x06\x03U\x04\x06\x13\x02DE1\x0b0\t\x06\x03U\x04\x08\x0c\x02BW1\x0c0\n\x06\x03U\x04\x07\x0c\x03FDS1\x1a0\x18\x06\x03U\x04\n\x0c\x11CampusSchwarzwald1\x120\x10\x06\x03U\x04\x0b\x0c\tOPCSERVER1\x170\x15\x06\x03U\x04\x03\x0c\x0e192.168.88.1010\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xaaIZ\xd1\xcb\xe2\xa4\xd3\xc9\x81\xbbc\xc0\x19\xc1\xd5pQ\xccd=\xf8\xdbrc\xc3\xfc\x8c!\xfd\xa4;\xdb\xda\xc8\x06P0\xf3\xa8\x90\xfe\xee\r\xe2\xb7\x80\x9a\xfc\xa2}\x91\x14#(q\x96\x8a\xa1\xe5L\xe2i\x16\x01G\xcay\xa5!\xd6\xbbk/E53\x087t8\xa6;\x058\xa5\x9b\x8br\xe6\x0e\x19\x9c\xcc6\xd4|_\x8d\x06\xc5u\xa5<\x83\xde\x9d\x9af\x1cf\xb0\xca\x9c\xfa\xe6\'\xd5\xb7\x14I\x85\xceK \xdbx\xa0\xe5\xcd\x97\x18\xc9\x19\xealB\xcd\xbc\x13\xd82\xf8\xc1\xa7p\xc3\x0c\r\xf1\x7f\x9c\xb2-JL\xbe\x9d\xa4.\xdc\xf0\xf1\xbeE\x87\xbc\xbf\x07\xec=\xa2w\xb7\x94l8J$\xce)\xd1\xad\x1al\x93\xd7\xb7\xfd^e\x9e;Og 
\xd0/w\xd6\xe8\xe9\x06q\x8d\x9f\xda\xbc"V?\x99\xb14\xc5\xd5q{{J-I\xb5\x03\xe3\xb1$[O\xa7\xda\x0e\xa5J\xf1\x91\xdd\\6I\x89\xe1\xc4\t\x96[82\xffr\xf3\xb3\t\xfb\xbc!\x02\x03\x01\x00\x01\xa3\x81\xf00\x81\xed0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xdd4\\\xf1\xfa\x0f\x8b_\x16g\xbb)\xb1\x1f=\x7fLhk\x900\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14 I\xf75<\x9a$\xdf\x91\xc1rr\x83j\xd6\xb33\x8f\x10\x920\t\x06\x03U\x1d\x13\x04\x020\x000\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x05\xa00\x11\x06\t`\x86H\x01\x86\xf8B\x01\x01\x04\x04\x03\x02\x06\xc00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020+\x06\t`\x86H\x01\x86\xf8B\x01\r\x04\x1e\x16\x1cOpenSSL Generated Certificat04\x06\x03U\x1d\x11\x04-0+\x86#http://examples.freeopcua.github.io\x87\x04\xc0\xa8Xe0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00f\xc2\xa8\x8by\xd6/l>\xc3\x9e8\xda\xc1\xff\xcf\xd1E/\x01\t\xe2\xb1\x9c\'|\x12\xc4\xda\xe8\xfdu\x9eG\xf7\xe1\xd1\xbb4\xc1\x13\xde\xa8v\xb6m\x0e\x82\xe9\x91\xf7\xafV\x8ee\xa9z/\xc3\xd6Y\xce\x1e\xcd\xef#G\xc7N\xa1\x82\xf1\xd3\\ \xf3soD\xcbf\xf1s\xc9vc\x05@\xd2v|\xd0\x05\x86g8\xfd-l3\xfd\xfd$\x15>q\xe5"n\x16\xcf(\xde\xcf\x99(\x88\xb9sT\x9d\x9c\xd5\xcf\xa6/\x7f4XQ\xfd\x16\xdb\xbcG\xbc\xd8d\x9a\x0f\xef\xe3D<\x03\xb6\xbbT\xd8" \xba\x1c\xfd\xacI\x9b\xe6\x03G\x07F\xc5\xaa\xbb6\xd2\xaem\xe9`\x92\x05\t\x8dd\xbd\xfa\xeb`6\xf0\xf9\x8cB<\x16o|\xa1\xe4\x86\n\xeb`Le\xd0\xe7\xfd2\xdb\xa3\xd1-\x8d\xb1\x02~y\x8c/\xa1\x96\x9a\x93\xda\r\xd3s\x9b\xd8\x7f\xe9e\xce\xa7\xf2(\x1e\xd6\xceI\xd1\xaev{\xe6\xe29\x01\x10)\xef\x11%2\x9b/K\xcf\x94\x13Cq\xb3', SecurityMode=<MessageSecurityMode.SignAndEncrypt: 3>, SecurityPolicyUri='http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256', UserIdentityTokens=[UserTokenPolicy(PolicyId='anonymous', TokenType=<UserTokenType.Anonymous: 0>, IssuedTokenType=None, IssuerEndpointUrl=None, SecurityPolicyUri=None), UserTokenPolicy(PolicyId='certificate_basic256sha256', TokenType=<UserTokenType.Certificate: 2>, 
IssuedTokenType=None, IssuerEndpointUrl=None, SecurityPolicyUri=None), UserTokenPolicy(PolicyId='username', TokenType=<UserTokenType.UserName: 1>, IssuedTokenType=None, IssuerEndpointUrl=None, SecurityPolicyUri=None)], TransportProfileUri='http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary', SecurityLevel=0)] <MessageSecurityMode.SignAndEncrypt: 3> 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
opc-client    | INFO:asyncua.client.ua_client.UaClient:activate_session
opc-client    | INFO:asyncua.client.client:get_namespace_index <class 'list'> ['http://opcfoundation.org/UA/', 'urn:freeopcua:python:server', 'http://examples.freeopcua.github.io']
opc-client    | INFO:asyncua:Reading values from the server
opc-client    | INFO:asyncua:### Reading value Objects --> MyObject --> MyVariable = NodeClass: 1 / NodeId: 50229
opc-client    | INFO:asyncua:**** Option 2: My variable: >>1452.1999999997747<<
opc-client    | INFO:asyncua.client.client:disconnect
opc-client    | INFO:asyncua.client.ua_client.UaClient:close_session
opc-client    | INFO:asyncua.client.ua_client.UASocketProtocol:close_secure_channel
opc-client    | INFO:asyncua.client.ua_client.UASocketProtocol:Request to close socket received
telegraf      | 2022-07-18T13:56:57Z D! [outputs.influxdb_v2] Wrote batch of 2 metrics in 10.111171ms
telegraf      | 2022-07-18T13:56:57Z D! [outputs.influxdb_v2] Buffer fullness: 0 / 10000 metrics
telegraf      | 2022-07-18T13:57:00Z I! error creating session signature: opcua: unsupported security policy 
telegraf      | 2022-07-18T13:57:00Z E! [inputs.opcua] Error in plugin: error in Client Connection: opcua: unsupported security policy

System info

Telegraf 1.23, Raspberry Pi 4B, Debian GNU/Linux 11 (bullseye)

Docker

version: "3"

services:
    influxdb:
        image: influxdb:latest
        container_name: influxdb
        env_file: selfsigned.env
        ports:
            - '8086:8086'
        volumes:
            - ./certs/influxdb:/etc/ssl/influxdb
            - influxdb_data:/var/lib/influxdb
        networks: 
            - "iotstack"

    mosquitto:
        image: eclipse-mosquitto:latest
        container_name: mosquitto
        ports:
            - '8883:8883'
            - '8884:8884'
        volumes:
            - ./certs/mqtt:/mosquitto/config/certs
            - ./mosquitto/config:/mosquitto/config
            - ./mosquitto/log:/mosquitto/log
            - ./mosquitto/data:/mosquitto/data
        user: "${USER_ID}:${GRP_ID}"
        links: 
            - telegraf
        restart: always
        networks: 
            - "iotstack"
    
    telegraf:
        image: telegraf:latest
        container_name: telegraf
        links: 
            - influxdb
        depends_on:
            - influxdb
        env_file: selfsigned.env
        user: "888"
        ports:
            - '8125:8125'
        restart: always
        volumes:
            - ./certs/telegraf:/etc/telegraf
            - ./telegraf/telegraf.toml:/etc/telegraf/telegraf.conf:ro
        networks: 
            - "iotstack"
    
    grafana:
        image: grafana/grafana:latest
        container_name: grafana
        env_file: selfsigned.env
        user: "472"
        ports:
            - '3000:3000'
        links: 
            - influxdb
        volumes: 
            - grafana_data:/var/lib/grafana
            - ./certs/grafana:/etc/ssl/certs
        networks: 
            - "iotstack"

    opc-client:
        build: opc
        container_name: opc-client
        restart: always
        volumes:
            - ./certs/opc:/app/certs
        links:
            - telegraf
        ports:
            - "8000:8000"
        networks:
            - "iotstack"


volumes: 
    influxdb_data:
    grafana_data:

networks: 
    iotstack:
        external: true

Steps to reproduce

...

Expected behavior

I have implemented an OPC UA client with certificate-based authentication in a Docker container (docker-compose). The values are to be passed via Telegraf to InfluxDB and then on to Grafana.

However, while the connection via the Python client works, the one via Telegraf does not. The identical certificates are used.

Actual behavior

The Python client connects using the stored self-signed certificates. However, via Telegraf I get an error:

creating session signature: opcua: unsupported security policy .

The complete connection setup and the Docker logs show the successful connection setup via Python as well as the failed setup via Telegraf. In addition to the OPC UA client, there is also an MQTT broker (also certificate-based) that works.

As can be seen in the logs, the security policy is as follows:

SecurityMode=<MessageSecurityMode.SignAndEncrypt: 3>, SecurityPolicyUri='http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'

Additional info

No response

@FHatCSW FHatCSW added the bug unexpected problem or unintended behavior label Jul 18, 2022
@powersj
Contributor

powersj commented Jul 21, 2022

Hi,

/UA/SecurityPolicy#Basic256Sha256

If the reported security policy of your OPC UA server is Basic256Sha256 have you tried setting Telegraf to use the same instead of auto as well as the security mode to SignAndEncrypt?

@powersj powersj added the waiting for response waiting for response from contributor label Jul 21, 2022
@FHatCSW
Author

FHatCSW commented Jul 22, 2022

Hi,

I also tried setting

security_policy = "Basic256Sha256"
and
security_mode = "SignAndEncrypt"

but got the same error

@telegraf-tiger telegraf-tiger bot removed the waiting for response waiting for response from contributor label Jul 22, 2022
@powersj
Contributor

powersj commented Jul 22, 2022

@R290 is this something you have come across before?

@R290
Contributor

R290 commented Jul 27, 2022

Not something I've seen before... I can see that the error is coming from the gopcua library:

The URI of your security policy, which should be displayed in the error, is empty (''), which, in my opinion, does point to something funny going on...

@FHatCSW are you able to test your server using one of the gopcua library examples? Say: https://github.com/gopcua/opcua/blob/main/examples/read/read.go. This would allow us to determine if it is Telegraf or the Go OPC library.
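To make the empty-URI symptom R290 describes visible without a live server, here is an added stand-alone Go model of endpoint selection (not Telegraf's or gopcua's code): it filters the advertised endpoints by the configured policy and mode, as powersj's explicit-settings suggestion does, and names the endpoint and its policy URI when that URI is empty or unknown. The "auto" rule modelled here (prefer the highest SecurityLevel), the Endpoint type and the sample endpoints are assumptions for this example only.

```go
package main
import (
	"fmt"
	"sort"
	"strings"
)

const policyPrefix = "http://opcfoundation.org/UA/SecurityPolicy#"

// Endpoint holds the EndpointDescription fields that matter for channel selection
// (a type constructed for this example, not gopcua's or Telegraf's).
type Endpoint struct {
	URL, PolicyURI, Mode string // Mode is "None", "Sign" or "SignAndEncrypt"
	SecurityLevel        uint8  // server-assigned ranking, higher is preferred
}

// policyName maps an advertised URI to the telegraf.conf short name; "" if empty or malformed.
func policyName(uri string) string {
	if !strings.HasPrefix(uri, policyPrefix) {
		return ""
	}
	return strings.TrimPrefix(uri, policyPrefix)
}

// SelectEndpoint filters by configured policy/mode ("auto" matches any), prefers the highest
// SecurityLevel, and names the offending endpoint and URI when the policy is empty or unknown.
func SelectEndpoint(eps []Endpoint, policy, mode string) (Endpoint, error) {
	var cands []Endpoint
	for _, ep := range eps {
		if (policy == "auto" || policyName(ep.PolicyURI) == policy) && (mode == "auto" || ep.Mode == mode) {
			cands = append(cands, ep)
		}
	}
	if len(cands) == 0 {
		return Endpoint{}, fmt.Errorf("no endpoint offers policy %q with mode %q", policy, mode)
	}
	sort.SliceStable(cands, func(i, j int) bool { return cands[i].SecurityLevel > cands[j].SecurityLevel })
	best := cands[0]
	switch policyName(best.PolicyURI) {
	case "None", "Basic128Rsa15", "Basic256", "Basic256Sha256":
		return best, nil
	}
	return Endpoint{}, fmt.Errorf("%s: unsupported security policy %q", best.URL, best.PolicyURI)
}

func main() { // constructed input: the issue's server plus an endpoint advertising an empty policy URI
	eps := []Endpoint{{URL: "opc.tcp://192.168.88.101:4840/freeopcua/server/", PolicyURI: policyPrefix + "Basic256Sha256", Mode: "SignAndEncrypt"},
		{URL: "opc.tcp://example.invalid:4840/", Mode: "SignAndEncrypt", SecurityLevel: 1}}
	fmt.Println(SelectEndpoint(eps, "auto", "auto"))
}
```

Run against a real endpoint list (e.g. one dumped by the gopcua read example R290 links), the returned error tells you which advertised endpoint carries the empty or unexpected URI rather than only that the policy was unsupported.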

@powersj powersj added the waiting for response waiting for response from contributor label Aug 11, 2022
@telegraf-tiger
Contributor

Hello! I am closing this issue due to inactivity. I hope you were able to resolve your problem, if not please try posting this question in our Community Slack or Community Page. Thank you!

@alpex8

alpex8 commented Jan 19, 2024

FYI: I think I ran into this issue recently. I was able to track it down and fixed it for the specific server. I created a PR for it, but I can't say if that's a general improvement.

@telegraf-tiger telegraf-tiger bot removed the waiting for response waiting for response from contributor label Jan 19, 2024