Disable unencryped access to the server #1189

krasnyd · 2023-12-09T01:18:12Z

krasnyd
Dec 9, 2023

Hi.
I would like to disable the unencrypted access to my OPC server, so the clients would have to use the Basic256Sha256 policy. When I try to remove the noSecurityBuilder (ExampleServer.java:202) from the server example, I get this error, even when I configure the security policy on the client:
no matching endpoint found: transportProfile=TCP_UASC_UABINARY, endpointUrl=opc.tcp://localhost:12686/milo, securityPolicy=None, securityMode=None
Is there something that I also need to do? Is this even possible? I am using UaExpert as a client.

Thank you for the response.

kevinherron · 2023-12-09T01:24:01Z

kevinherron
Dec 9, 2023
Maintainer

Did you leave the discovery endpoint in place?

milo/milo-examples/server-examples/src/main/java/org/eclipse/milo/examples/server/ExampleServer.java

Lines 223 to 237 in f1ce134

    
                           /* 
        
                            * It's good practice to provide a discovery-specific endpoint with no security. 
        
                            * It's required practice if all regular endpoints have security configured. 
        
                            * 
        
                            * Usage of the  "/discovery" suffix is defined by OPC UA Part 6: 
        
                            * 
        
                            * Each OPC UA Server Application implements the Discovery Service Set. If the OPC UA Server requires a 
        
                            * different address for this Endpoint it shall create the address by appending the path "/discovery" to 
        
                            * its base address. 
        
                            */ 
        
                           EndpointConfiguration.Builder discoveryBuilder = builder.copy() 
        
                               .setPath("/milo/discovery") 
        
                               .setSecurityPolicy(SecurityPolicy.None) 
        
                               .setSecurityMode(MessageSecurityMode.None);

If so, you would need to make sure in UaExpert you are using the "Custom Discovery" option and then point it at the discovery endpoint URL and not the session endpoint URL.

3 replies

krasnyd Dec 9, 2023
Author

You are right, when I keep it there, I can connect with the "Custom Discovery".
But I am not really sure if I need the discovery endpoint. I have some experience with Kepware OPC Server, where I could just enable the security policy and connect directly to the endpoint, without dealing with some discovery.
When I remove the discovery endpoint, I get the same error as previously mentioned. Is there some option for disabling the discovery feature?

kevinherron Dec 9, 2023
Maintainer

There are zero clients I've ever seen in the real world that can connect to a server that truly allows no insecure connections.

All of them require that the Discovery Services are accessible without security at a minimum. In the 0.6.x series of Milo you must have a separate unsecured endpoint for Discovery if your main Session endpoint will not allow unsecured connections. This has changed for the 1.0 release but it's required otherwise.

krasnyd Jan 15, 2024
Author

Ok, thank you for your input.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable unencryped access to the server #1189

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Disable unencryped access to the server #1189

krasnyd Dec 9, 2023

Replies: 1 comment · 3 replies

kevinherron Dec 9, 2023 Maintainer

krasnyd Dec 9, 2023 Author

kevinherron Dec 9, 2023 Maintainer

krasnyd Jan 15, 2024 Author

krasnyd
Dec 9, 2023

Replies: 1 comment 3 replies

kevinherron
Dec 9, 2023
Maintainer

krasnyd Dec 9, 2023
Author

kevinherron Dec 9, 2023
Maintainer

krasnyd Jan 15, 2024
Author