Difference between revisions of "Using OpcCmd Utility to work with OPC UA Security Key Service (SKS)"

From OPC Labs Knowledge Base
Jump to navigation Jump to search
Line 10: Line 10:
 
# Start the OpcCmd utility in interactive mode. The interactive mode is always in effect e.g. when you use ClickOnce, or when running the utility from QuickOPC Launcher/Start menu. In other cases, you need to use the <code>-i</code> (or <code>--interactive</code>) option on the command line.<br/><br/>
 
# Start the OpcCmd utility in interactive mode. The interactive mode is always in effect e.g. when you use ClickOnce, or when running the utility from QuickOPC Launcher/Start menu. In other cases, you need to use the <code>-i</code> (or <code>--interactive</code>) option on the command line.<br/><br/>
 
# Using an external tool, configure a security group with Id "'''TestGroup'''" inside the Security Key Service (SKS) of the server. How this is done is outside of the scope of this article. You can use e.g. a generic OPC UA client and call the '''AddSecurityGroup''' method on the '''Objects/Server/PublishSubscribe/SecurityGroups''' object.<br/><br/>
 
# Using an external tool, configure a security group with Id "'''TestGroup'''" inside the Security Key Service (SKS) of the server. How this is done is outside of the scope of this article. You can use e.g. a generic OPC UA client and call the '''AddSecurityGroup''' method on the '''Objects/Server/PublishSubscribe/SecurityGroups''' object.<br/><br/>
# At the {{Style=label|OpcCmd>}} prompt, enter {{Style=keyboard|uaPubSubClient accessSecurityKeyService opc.tcp://localhost:48010 --EndpointAllowedMessagedSecurity SecuritySignAndEncrypt --EndpointUser root:secret}}, or shortened: <code>uapsc asks opc.tcp://localhost:48010 -eams SecuritySignAndEncrypt -eu root:secret</code>. This command tells the utility that from now on, we will be accessing the Security Key Service in the specified OPC UA server, using a secured connection and authenticating as the specified user (these are common security requirements as the SKS itself is a security sensitive component). The programs responds with a confirmation of the command.<br/><br/>All following commands are entered at the {{Style=label|uaPubSubSecurityKeyService>}} prompt. You can enter <code>-?</code>, <code>-h</code> or <code>--help</code> (possibly preceded by the command name) at any time to obtain help for this prompt (or its commands).<br/><br/>
+
# At the {{Style=label|OpcCmd>}} prompt, enter {{Style=keyboard|uaPubSubClient accessSecurityKeyService opc.tcp://localhost:48010 --EndpointAllowedMessagedSecurity SecuritySignAndEncrypt --EndpointUser root:secret}}, or shortened: {{Style=keyboard|uapsc asks opc.tcp://localhost:48010 -eams SecuritySignAndEncrypt -eu root:secret}}>. This command tells the utility that from now on, we will be accessing the Security Key Service in the specified OPC UA server, using a secured connection and authenticating as the specified user (these are common security requirements as the SKS itself is a security sensitive component). The programs responds with a confirmation of the command.<br/><br/>All following commands are entered at the {{Style=label|uaPubSubSecurityKeyService>}} prompt. You can enter <code>-?</code>, <code>-h</code> or <code>--help</code> (possibly preceded by the command name) at any time to obtain help for this prompt (or its commands).<br/><br/>
 
+
# In order to obtain information security groups configured in the SKS, enter {{Style=keyboard|browseSecurityGroups}} (<code>browseSecurityGroups</code> can be shortened to <code>bsg</code>).<br/>If this is the first operation made from this client on the server, you will most likely receive an error, caused by the fact that the server does not trust the client. In order to establish the trust:
browseSecurityGroups
+
## The Unified Automation C++ SDK Demo Server will have a copy of the rejected client certificate in its "rejected certificates" folder. Under the installation folder of the server, copy the rejected client certificate from '''pkiserver/rejected''' folder to '''pkiserver/trusted/certs''' folder.
 
+
## Enter the {{Style=keyboard|browseSecurityGroups}} command again.<br/><br/>
Get an error. Copy client certificate from pkiserver/rejected to pkiserver/trusted/certs
+
# The OpcCmd Utility will now ask you whether you want the client to trust the server certificate (this is the inverse to the trust established above). Press {{Style=keyboard|Y}} for "Yes".
  
 
  browseSecurityGroups
 
  browseSecurityGroups

Revision as of 20:33, 15 March 2021

For general information about the OpcCmd tool, see Category:OpcCmd Utility.

Tutorial

If you execute the commands listed in the tutorial below, you will get an overview of basic operations that can be made with an OPC UA Server that provides OPC UA Security Key Service (SKS).

This tutorial works with Unified Automation C++ SDK Demo Server. You should be able to use the principles explained in this tutorial with other OPC UA servers that provide the Security Key Service, by modifying the relevant parameters used in the commands.


  1. Start the Unified Automation C++ SDK Demo Server. In Windows, type start uaservercpp.exe at the operating system command prompt.
    Uaservercpp.png

  2. Start the OpcCmd utility in interactive mode. The interactive mode is always in effect e.g. when you use ClickOnce, or when running the utility from QuickOPC Launcher/Start menu. In other cases, you need to use the -i (or --interactive) option on the command line.

  3. Using an external tool, configure a security group with Id "TestGroup" inside the Security Key Service (SKS) of the server. How this is done is outside of the scope of this article. You can use e.g. a generic OPC UA client and call the AddSecurityGroup method on the Objects/Server/PublishSubscribe/SecurityGroups object.

  4. At the OpcCmd> prompt, enter uaPubSubClient accessSecurityKeyService opc.tcp://localhost:48010 --EndpointAllowedMessagedSecurity SecuritySignAndEncrypt --EndpointUser root:secret, or shortened: uapsc asks opc.tcp://localhost:48010 -eams SecuritySignAndEncrypt -eu root:secret>. This command tells the utility that from now on, we will be accessing the Security Key Service in the specified OPC UA server, using a secured connection and authenticating as the specified user (these are common security requirements as the SKS itself is a security sensitive component). The programs responds with a confirmation of the command.

    All following commands are entered at the uaPubSubSecurityKeyService> prompt. You can enter -?, -h or --help (possibly preceded by the command name) at any time to obtain help for this prompt (or its commands).

  5. In order to obtain information security groups configured in the SKS, enter browseSecurityGroups (browseSecurityGroups can be shortened to bsg).
    If this is the first operation made from this client on the server, you will most likely receive an error, caused by the fact that the server does not trust the client. In order to establish the trust:
    1. The Unified Automation C++ SDK Demo Server will have a copy of the rejected client certificate in its "rejected certificates" folder. Under the installation folder of the server, copy the rejected client certificate from pkiserver/rejected folder to pkiserver/trusted/certs folder.
    2. Enter the browseSecurityGroups command again.

  6. The OpcCmd Utility will now ask you whether you want the client to trust the server certificate (this is the inverse to the trust established above). Press Y for "Yes".
browseSecurityGroups
getSecurityGroupElement TestGroup

Accept server certificate

browseTree


getSecurityKeys TestGroup 0 10


getSecurityKeys TestGroup 3 5


getSecurityKeys TestGroup 0 10 !repeat Infinite 0:0:15 !wait Infinite