What's new in QuickOPC 2023.1
From OPC Labs Knowledge Base
See also: Versions; Previous version: What's new in QuickOPC 2022.2
Internal version number: 5.71
Key changes:
- UA Administration & PKI
Targeting
- .NET runtimes: Added support for .NET 7.
- .NET runtimes: Removed support for .NET Core 3.1.
Component Improvements
OPC UA Client-Server
- When the effective endpoint selection policy only allows connection with no message security, the client instance certificate is not used when creating the OPC UA session.
Specialized Client Objects
- Added GetCertificateGroupElement method to the IEasyUACertificateManagement interface. The method returns the certificate group element for a given certificate group Id.
- Added BrowseCertificateTypeTree method to the IEasyUACertificateManagement interface. The method browses the certificate types available in the Certificate Manager.
- Added static UACertificateGroupIds class. The class declares constants for certificate group Ids.
- Added static UACertificateTypeIds class. The class declares constants for certificate type Ids.
OPC UA Administration and PKI
- It is now possible to protect the private key of the client instance certificate with a password. The password can be set using the UAClientServerApplicationParameters.InstanceCertificatePrivateKeyPassword property. In addition, the relevant operations on the IEasyUAApplication interface now also have an additional argument for the private key password.
- Added operations on the IEasyUAApplication interface for protecting or unprotecting private keys of existing certificates. The methods and extension methods names are ProtectOrUnprotectOwnCertificate, ProtectOwnCertificate, and UnprotectOwnCertificate.
- Created a new object, CertificateGenerationParameters, with settings that influence how the certificates are generated. You can set the maximum expiration date of the generated certificate, its minimum key size, and/or the validity period in months. For creation of application instance certificates, these parameters can be changed in the new InstanceCertificateGenerationParameters property of the UAClientServerApplicationParameters object.
- The auto-generation of the client instance certificate is now skipped when the effective endpoint selection policy only allows connections with no message security.
- The IEasyUAApplication.RemoveOwnCertificate method now takes an additional boolean argument, specifying whether the certificate must be present in the certificate store. An extension method without the additional argument is also available.
- Changed return type of the IEasyUAApplication.RemoveOwnCertificate method from void to Boolean. The return value indicates whether the certificate has been removed.
- When the application instance certificate is removed, its copies in the trusted peers certificate store, if any, are now removed as well.
- It is now possible to specify the default format of the application URI (which is used unless the application URI string is specified in the application manifest). The format can be set in the UAClientServerApplicationParameters.ApplicationUriTemplateString property. See OPC UA Application URI Derivation for the template syntax, and more details about how the application URI is determined.
- In common cases, shortened the auto-generated application URI string by leaving out tokens that are at their default ("0.0.0.0" for Version or FileVersion, "neutral" for Culture, and "Language Neutral" for Language).
- Added CreateOwnCertificate method to the IEasyUAApplication interface. The method creates the instance certificate the application is currently configured to use. It is possible to specify whether the instance certificate must not be present prior to the operation, or whether the operation will be able to replace it.
- Added ValidateOwnCertificate method to the IEasyUAApplication interface. The method validates the instance certificate the application is currently configured to use.
- Added AutoGenerateInstanceCertificate property to the UAClientServerApplicationParameters object (defaults to true). The property determines whether the application will automatically generate its instance certificate when not present.
- Added ValidateOwnInstanceCertificate property to the UAClientServerApplicationParameters object. The property determines whether the application will validate its own instance certificate before a connection with the other party is established.
- Methods on the IEasyUAApplication interface that work with the application instance certificate now have a new argument, a string certificate sub-id. It allows the OPC UA application to work with multiple own instance certificates (needed in advanced scenarios). The sub-id of the default instance certificate is an empty string. Extension methods are provided with the certificate sub-id argument omitted.
- Added CertificateSubId property to the UAEndpointDescriptor object. This property allows you to select the own application instance certificate that will be used when establishing the connection, in case the application uses multiple own instance certificates (needed in advanced scenarios).
- Added ListCertificateSubIds method to the IEasyUAApplication interface. The method finds certificate sub-ids of all application certificates in the certificate store.
- Added extension method AssureOwnCertificate to the IEasyUAApplication interface. The method assures presence of the instance certificate the application is currently configured to use. If the instance certificate does not exist in the certificate store prior to the operation, the method creates it. Otherwise, the method also checks whether the instance certificate is present in the trusted peers certificate store, and if it is absent, it copies it there.
- Added IEasyUAApplication.RemoveOwnCertificates method (notice the plural in the name), which allows you to remove application certificates with sub-ids that conform to the specified pattern (you can use e.g. "*" to remove certificates with any sub-id).
- Allowed easy setting of more attribute values in generated certificate subject names, by adding properties to the UAApplicationManifest class. The new properties are CountryName (for C=), LocationName (for L=), OrganizationName (for O=), OrganizationalUnitName (for OU=), and StateOrProvinceName (for S=).
- The automatically generated certificate subject names now include the organization name (O=), taken from the application [AssemblyCompany] attribute, or application version info.
- The state of the OPC UA application (the application IDs obtained from the GDS endpoints) is now persisted on the disk. This means that when the application is terminated and then started again, the state information from the previous run will be reused. The state is persisted in the UAApplication.ini file.
- Added IEasyUAApplication.GetCertificateSubjectNameDictionary extension method. The method gets a dictionary of certificate subject names corresponding to all application certificate sub-ids.
- When using certificates obtained from the Certificate Manager, the application state now also remembers the mapping between the requested and actual certificate subject names, because the Certificate Manager may modify the requested subject name when issuing a new certificate. The mappings are also persisted in the UAApplication.ini file. This allows the application to find its own instance certificate even if the certificate subject name has been modified by the Certificate Manager.
- A certificate can now also be found in the certificate store using a "relaxed" method, in which case a match in the common name (CN=) of the certificate is sufficient. This is useful when certificates are obtained from a Certificate Manager which modifies the subject names, and at the same time, the persistence of subject name mappings (in the UAApplication.ini) is not available. This method can be controlled using the new UAClientServerApplicationParameters.RelaxedCertificateSearch property (defaults to 'true').
- Improved the algorithm used to find the application assembly, which is then used to auto-generate application URI strings, and certificate subject names. The algorithm now works more reliably and gives better results under hosted environments such as ASP.NET (e.g. in IIS, IIS Express).
- Added an ability to specify the type of certificate to be obtained by the IEasyUAApplication.BeginObtainNewCertificate and IEasyUAApplicationExtension.ObtainNewCertificate methods. The certificate type Id can be set in the UAObtainNewCertificateArguments.CertificateType property in the arguments object passed to the methods.
- Added ListCertificateTypeElements method to the IEasyUAApplication interface. The method retrieves node elements of certificate types available for a given application store kind.
- Added arguments to IEasyUAApplication.CreateOwnCertificate, IEasyUAApplication.ObtainNewCertificate and IEasyUAApplication.RemoveOwnCertificate methods that allow you to control whether the trusted peers certificate store will also be updated correspondingly. Added UAClientServerApplicationParameters.AutoTrustInstanceCertificate property with the same semantics, applied when a client instance certificate is automatically generated.
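An added illustration, not QuickOPC code: a Python model of the three ways the list above describes for locating the own instance certificate (exact subject name, the persisted requested-to-actual subject name mapping, and the relaxed CN= match). The function names, the lookup order, the sample subject names, and the choice to raise an error when several certificates share a common name are assumptions made for this example.

```python
import re

def parse_subject(dn):
    """Split a subject name into {ATTRIBUTE: value}, honouring escaped commas."""
    attrs = {}
    for part in re.split(r'(?<!\\),', dn):
        if '=' not in part:
            continue
        key, value = part.split('=', 1)
        attrs[key.strip().upper()] = value.strip().replace('\\,', ',')
    return attrs

def normalize(dn):
    """Order- and whitespace-insensitive form of a subject name."""
    return tuple(sorted(parse_subject(dn).items()))

def find_certificate(store, requested, mappings=None, relaxed=True):
    """Return (mode, subject) for the store entry that matches, else (None, None).

    store    -- subject names of certificates in the store (constructed data)
    mappings -- requested subject -> subject actually issued (hypothetical
                stand-in for the mappings persisted in UAApplication.ini)
    relaxed  -- stand-in for the RelaxedCertificateSearch setting
    """
    wanted = normalize(requested)
    for subject in store:                      # 1. exact subject name
        if normalize(subject) == wanted:
            return "exact", subject
    actual = (mappings or {}).get(requested)   # 2. persisted mapping
    if actual is not None:
        for subject in store:
            if normalize(subject) == normalize(actual):
                return "mapped", subject
    if relaxed:                                # 3. common name only
        cn = parse_subject(requested).get("CN")
        hits = [s for s in store if cn and parse_subject(s).get("CN") == cn]
        if len(hits) == 1:
            return "relaxed", hits[0]
        if len(hits) > 1:
            # CN alone cannot tell these apart; refuse rather than guess.
            raise LookupError(f"CN={cn} is ambiguous: {len(hits)} certificates match")
    return None, None

# Constructed sample: the issuer added an attribute to the requested subject.
REQUESTED = "CN=MyClient, O=Example Corp"
STORE = ["CN=MyClient, O=Example Corp, DC=gds-issued", "CN=OtherApp, O=Example Corp"]
```

The relaxed path ignores every attribute except CN=, so a store holding a second certificate with the same common name and a different O= is exactly the case to check for when leaving the setting at its default.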
Component Refactorings
Specialized Client Objects
- Renamed IEasyUACertificateManagement.GetCertificateGroups method to GetCertificateGroupIds.
OPC UA Administration and PKI
- The default lifetime of the auto-generated application instance certificate is now 60 months (5 years), regardless of whether you target .NET Framework, or .NET 6+. Previously, the default was 600 months (50 years) for .NET Framework, and 12 months (1 year) otherwise.
- The property UAClientServerApplicationParameters.AllowOwnCertificatePrompt has been renamed to AllowUserInteraction and moved to the CertificateGenerationParameters class.
- The method IEasyUAApplication.RemoveInstanceCertificate has been renamed to RemoveOwnCertificate.
- Set non-empty default paths for HTTPS trusted and issuer certificate stores.
Development Productivity
Code Analysis
- When the Visual Studio extension is installed, it provides additional code analysis specifically aimed at the proper usage of QuickOPC APIs, and OPC in general. Affected places are marked up with "squiggles" directly in the code, and also appear as warnings (or other message severities) in the Error List window.
Tools and Online Services
Connectivity Explorer
- Added "Create Instance Certificate" and "Validate Instance Certificate" commands to the root OPC Unified Architecture (Client-Server) connectivity node.
OpcCmd Utility
OPC UA Client-Server
- The command uaClientApplication removeInstanceCertificate has been renamed to removeOwnCertificate.
- The uaClientApplication removeOwnCertificates command now has an additional option, -me|-mustExist <bool>, specifying whether the certificate must be present in the certificate store.
- Added createOwnCertificate and validateOwnCertificate commands to the uaClientApplication command.
- Added option --certificateSubId|-csi <string> to uaClientApplication commands that work with the application instance certificate. The option allows you to enter the certificate sub-id, in case the application uses multiple own instance certificates. In some cases there is a --certificateSubIdPattern|-csip <string> option instead.
- Added listCertificateSubIds command to the uaClientApplication command. The command finds and displays sub-ids of all application certificates in the certificate store.
- Added option --EndpointCertificateSubId|-ecsi <string> to commands that take an OPC UA endpoint descriptor as an input. The option allows you to enter the sub-id of the application instance certificate which will be used when establishing the connection.
- Added assureOwnCertificate command to the uaClientApplication command. The command assures presence of the instance certificate the application is currently configured to use.
- Added options to uaClientApplication createOwnCertificate and uaClientApplication validateOwnCertificate commands that allow you to parameterize the operation, such as choosing the minimum key size, or the certificate validity period in months.
- Added uaClientApplication getCertificateSubjectNameDictionary command. The command displays certificate subject names corresponding to all application certificate sub-ids.
- Added uaClientApplication listCertificateTypeElements command. The command lists the certificate type elements available in the CM.
- Added commands related to certificate private key password protection to uaClientApplication. The commands are: HasPrivateKeyPassword, SetPrivateKeyPassword, RemovePrivateKeyPassword, ProtectOwnCertificate, and UnprotectOwnCertificate.
All Command-Line Tools
- The .NET build configurations of the command-line tools now target .NET 7.
- In table output, values in columns with data of enumerated types are now automatically colorized, allowing quick visual distinction between the distinct enum values.
Examples
OPC UA Client-Server
- Added C# example showing how to set the validity period of the auto-generated application instance certificate.
- Added C# example showing how to assure presence of the own application certificate, and display its thumbprint.
- Added C# example showing how to browse and display the certificate groups available in the Certificate Manager.
- Added Python example showing how to subscribe to changes of multiple monitored items, pull events, and display each change.