Using OpcCmd Utility to work with OPC UA Security Key Service (SKS)

From OPC Labs Knowledge Base
Revision as of 07:06, 16 March 2021 by User (talk | contribs) (→‎Tutorial)
Jump to navigation Jump to search

For general information about the OpcCmd tool, see Category:OpcCmd Utility.

Tutorial

If you execute the commands listed in the tutorial below, you will get an overview of basic operations that can be made with an OPC UA Server that provides OPC UA Security Key Service (SKS).

This tutorial works with Unified Automation C++ SDK Demo Server. You should be able to use the principles explained in this tutorial with other OPC UA servers that provide the Security Key Service, by modifying the relevant parameters used in the commands.


  1. Start the Unified Automation C++ SDK Demo Server. In Windows, type start uaservercpp.exe at the operating system command prompt.
    Uaservercpp.png

  2. Start the OpcCmd utility in interactive mode. The interactive mode is always in effect e.g. when you use ClickOnce, or when running the utility from QuickOPC Launcher/Start menu. In other cases, you need to use the -i (or --interactive) option on the command line.

  3. Using an external tool, configure a security group with Id "TestGroup" inside the Security Key Service (SKS) of the server. How this is done is outside of the scope of this article. You can e.g.
    • use a generic OPC UA client and call the AddSecurityGroup method on the Objects/Server/PublishSubscribe/SecurityGroups object, or
    • use a dedicated OPC UA PubSub configuration tool, or
    • copy a ready-made "pubsubconfig.uabinary" file to the server's instalation folder (Media:Pubsubconfig-testgroup.zip).

  4. At the OpcCmd> prompt, enter uaPublishSubscribeClient accessSecurityKeyService opc.tcp://localhost:48010 --EndpointAllowedMessagedSecurity SecuritySignAndEncrypt --EndpointUser root:secret, or shortened: uapsc asks opc.tcp://localhost:48010 -eams SecuritySignAndEncrypt -eu root:secret>. This command tells the utility that from now on, we will be accessing the Security Key Service in the specified OPC UA server, using a secured connection and authenticating as the specified user (these are common security requirements as the SKS itself is a security sensitive component). The programs responds with a confirmation of the command.

    All following commands are entered at the uaPubSubSecurityKeyService> prompt. You can enter -?, -h or --help (possibly preceded by the command name) at any time to obtain help for this prompt (or its commands).

  5. In order to obtain information security groups configured in the SKS, enter browseSecurityGroups (browseSecurityGroups can be shortened to bsg).
    If this is the first operation made from this client on the server, you will most likely receive an error, caused by the fact that the server does not trust the client. In order to establish the trust:
    1. The Unified Automation C++ SDK Demo Server will have a copy of the rejected client certificate in its "rejected certificates" folder. Under the installation folder of the server, copy the rejected client certificate from pkiserver/rejected folder to pkiserver/trusted/certs folder.
    2. Enter the browseSecurityGroups command again.

  6. The OpcCmd Utility will now ask you whether you want the client to trust the server certificate (this is the inverse to the trust established above). Press Y for "Yes".
    After the certificate is accepted, the browseSecurityGroups proceeds.
    Opccmd-uapubsubsecuritykeyservice-browsesecuritygroups.png
    As you can see, the command outputs a table with information available about each security group configured in the SKS (more precisely, in the security groups root folder).

  7. If there are multiple security groups in the SKS< you might be interested in getting information about a specific security group only. For example, to get information about the "TestGroup" security group, enter getSecurityGroupElement TestGroup (getSecurityGroupElement can be shortened to gsge). The command will output configuration information for the specified security group.

  8. In more complicated servers, the security groups are organized into security group folders, which form a tree structure (a hierarchy). To view the tree of all available security group folders, and the security groups in them, enter browseTree (browseTree can be shortened to bt).
    Opccmd-uapubsubsecuritykeyservice-browsetree.png

  9. TODO: getSecurityKeys TestGroup 0 10 (getSecurityKeys can be shortened to gsk).

  10. TODO: getSecurityKeys TestGroup 3 5

  11. TODO: getSecurityKeys TestGroup 0 10 !repeat Infinite 0:0:15 !wait Infinite

Other Commands

Other commands at the uaPubSubSecurityKeyService> prompt, not used in this tutorial, include:

  • listSecurityGroupFolderNames
  • listSecurityGroupIds