OPC-UA Security
Encrypted Connections
The OPC-UA Device Service also supports signed and encrypted connections. The following OPC UA security policies are supported:
- None (default): no signing and no encryption; traffic to the server is sent in clear text.
- Basic128Rsa15: deprecated by the OPC UA specification because it relies on RSA PKCS#1 v1.5 and SHA-1; use it only for servers that support nothing stronger.
- Basic256Sha256: the policy to prefer for new deployments.
Both Basic128Rsa15 and Basic256Sha256 require the device service to have its own key/certificate pair, described below.
Key/Certificate Pair
You can provide the key/certificate pair as DER-encoded .der files in the /keys directory of the container (see Assigning the keys directory below). To generate a private key and certificate, see Generating a Key/Certificate below.
If several key/certificate pairs are provided, the certificate and key to use can be specified during device provisioning, so that different devices can use different key/certificate pairs. If none is specified during provisioning, the service uses certificate.der as the certificate and private_key.der as the private key.
The key/certificate pair persists for the life of the container.
Any server that you connect to must set the certificate used by the Device Service as trusted.
Generating a Key/Certificate
The Open62541 OPC-UA library contains a script for generating a key and certificate for use with the Prosys OPC-UA Simulation Server. Both the create_self-signed.py and localhost.cnf files should be downloaded from this repository. Once saved, run the following command to generate the key and certificate:
python3 create_self-signed.py
Copy the generated files into your keys directory. If their names differ from certificate.der and private_key.der, either rename them or specify them explicitly when provisioning the device.
Assigning the keys directory
To configure the OPC-UA Device Service to find these keys, create a local docker-compose.yml file that mounts your keys directory at /keys in the container:
version: '3.7'
services:
  device-opc-ua:
    volumes:
      - /your/path/to/keys:/keys
Replace "/your/path/to/keys" with the path to your keys directory.
Establishing a secure connection with Prosys OPC-UA Simulation Server
Start the device service and provision your device as described on the OPC-UA Security Example page.
It is likely that the first connection attempt will be rejected: the Prosys server does not yet trust the device service's certificate, so it refuses the secure channel and the device service logs a connection error.
Fix this by going to Prosys and switching to "Expert Mode" under "Options". Navigate to "Certificates"; you should see your certificate on the left. Right-click on the rejected certificate and select "Trust".
The next time the device service attempts to connect, for example when a GET or PUT command is issued for the device, a secure connection will be established using the now-trusted certificate.
Troubleshooting
The key and certificate files must have the permission mode 644. If you encounter errors when starting the OPC-UA Device Service in secure mode, ensure the files you provided have the correct permissions, for example:
chmod 644 server_cert.der
chmod 644 server_key.der
Note that mode 644 makes the private key readable by every local user on the host, so keep the keys directory on a path that only the operator of the service can reach. Also confirm that the files are DER-encoded; a PEM-encoded (Base64, "-----BEGIN ...-----") key or certificate will not load.
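Before starting the service in secure mode it is worth checking the keys directory for the mistakes that produce the errors described above: files not present under the names the service will look for (the defaults certificate.der and private_key.der, or the names given at provisioning), permissions other than 644, and PEM files where DER is expected. The following Python script is an added example and is not part of the device service; it assumes the default file names and the 644 requirement stated on this page, and its demo uses a constructed DER byte string rather than a real certificate.

```python
"""Preflight check for the OPC-UA Device Service /keys directory.

Added example, not part of the device service. Verifies that the
certificate and private key the service will load are present, are
DER-encoded (not PEM), and carry the 644 permissions the service expects.
"""
import os
import stat
import tempfile

# Default file names the device service looks for when none are given
# at provisioning time (as stated on this page).
DEFAULT_CERT = "certificate.der"
DEFAULT_KEY = "private_key.der"
REQUIRED_MODE = 0o644


def der_outer_length(data: bytes):
    """Return the total encoded length of the outer DER SEQUENCE, or None
    if `data` does not start with a well-formed SEQUENCE header.
    X.509 certificates and PKCS#1/PKCS#8 keys are all DER SEQUENCEs."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None                       # indefinite or oversized length: not DER
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def check_file(path: str):
    """Return a list of problems found for one key or certificate file."""
    problems = []
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != REQUIRED_MODE:
        problems.append(f"{path}: mode {oct(mode)}, expected 0o644")
    with open(path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        problems.append(f"{path}: PEM encoded, expected DER")
    elif der_outer_length(data) != len(data):
        problems.append(f"{path}: not a single well-formed DER SEQUENCE")
    return problems


def check_keys_dir(keys_dir, cert_name=DEFAULT_CERT, key_name=DEFAULT_KEY):
    """Check the certificate/key pair the service would load from keys_dir.
    An empty list means both files look usable."""
    return (check_file(os.path.join(keys_dir, cert_name))
            + check_file(os.path.join(keys_dir, key_name)))


def run_demo():
    """Constructed scenario: one good pair and one broken pair in a temp dir.
    Returns (problems_for_good_pair, problems_for_bad_pair)."""
    # Constructed minimal DER: SEQUENCE { INTEGER 5 }. Not a real certificate.
    good_der = b"\x30\x03\x02\x01\x05"
    # Constructed PEM text, the wrong encoding for this service.
    pem_text = b"-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        for name in (DEFAULT_CERT, DEFAULT_KEY):
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(good_der)
            os.chmod(p, 0o644)
        ok = check_keys_dir(d)

        # Broken pair: PEM certificate with mode 600, and the key file missing.
        p = os.path.join(d, "server_cert.der")
        with open(p, "wb") as fh:
            fh.write(pem_text)
        os.chmod(p, 0o600)
        bad = check_keys_dir(d, "server_cert.der", "server_key.der")
    return ok, bad


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/keys"
    issues = check_keys_dir(target)
    print("\n".join(issues) if issues else f"{target}: certificate and key look usable")
```

Run it against the host directory you mount at /keys (for example `python3 check_keys.py /your/path/to/keys`); pass the provisioned file names to check_keys_dir if you are not using the defaults. The DER check only validates the outer SEQUENCE framing, which is enough to catch PEM files and truncated downloads; it does not verify that the certificate is valid or that the key matches it.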