OPC UA certificate for multiple clients

eMichx
Posts: 64
Joined: Thu Apr 24, 2014 11:24 am

OPC UA certificate for multiple clients

Post by eMichx »

Hello,

I have one OPC UA client configured under WinCC OA in a redundant configuration; this means that the OPC UA client runs on two different hosts.
In front of the client, there are redundant OPC UA servers.
I want to use certificates to encrypt the communication between clients and servers (using Basic256).
At the moment, I am using the predefined certificate provided by WinCC OA and installing it on the OPC servers, but there is a certificate problem due to the hostname.
In the WinCC OA certificate, the SubjectAlternativeName field is equal to 'urn:host:ETMpc:WinC_OA_client' and the DNS name is not filled in.
In WinCC OA, you can avoid checking the hostname via the configuration file (checkCertificateHost=0).
In the WinCC OA help, there is a paragraph which says that multiple DNS names and IP addresses can be entered, separated by spaces.
It also seems possible to have a specific configuration in the configuration file, with different key values per applicationUri, depending on the properties of the host on which the OPC UA client is run.

Do you have examples of how to configure custom certificates for OPC UA communication?

Best regards
Emmanuel Michoux

leoknipp
Posts: 2846
Joined: Tue Aug 24, 2010 7:28 pm

Re: OPC UA certificate for multiple clients

Post by leoknipp »

As far as I have seen in the documentation, the certificate is configured in the panel for the OPC UA connection.
https://www.winccoa.com/documentation/W ... ation.html

Best Regards
Leopold Knipp
Senior Support Specialist

eMichx
Posts: 64
Joined: Thu Apr 24, 2014 11:24 am

Re: OPC UA certificate for multiple clients

Post by eMichx »

Thank you Leopold,

But do you have a concrete example?
If we use the opcuaDriver panel, it is possible to associate a certificate file with an OPC UA client, but the redundant client (_2) is also attached to the same certificate file. This is a problem because the redundant client does not run on the same host machine, which is not referenced in the certificate file and is therefore not accepted by the foreign OPC UA server.
Do you think we need to modify the internal redundant datapoint (_2) directly and change the parameters to point to another certificate file?
Otherwise, how can we make the changes through the "opcuaCertHdl" panel or the config file?

best regards
Emmanuel

adaneau
Posts: 309
Joined: Tue Feb 21, 2012 9:49 am

Re: OPC UA certificate for multiple clients

Post by adaneau »

Hi Emmanuel,

I don't see where the problem is. You are using the OPC UA client, which has a field for the certificate. This field refers to the cert used by the client towards the OPC UA server. Since this is a filename, you just have to create the same filename on each of your redu servers, but with different content. Then on a redu swap, as the system looks into its local folder, it will pick up the file with the matching content. You do not need to have differences between the redu servers, especially as those would be erased due to config.redu.

BR
Alex

kilianvp
Posts: 422
Joined: Fri Jan 16, 2015 10:29 am

Re: OPC UA certificate for multiple clients

Post by kilianvp »

Just add all WinCC OA IP addresses and DNS names to the certificate.
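The following is an added example, not code from the thread or from WinCC OA, showing the approach of the last reply in working form: one OPC UA application instance certificate whose SubjectAltName carries the application URI plus a DNS name and an IP address for every host the redundant client can run on, so that neither the per-host file trick nor checkCertificateHost=0 is needed (disabling the hostname check removes the binding between certificate and host that the check exists for). It uses the OpenSSL command line and assumes OpenSSL 1.1.1 or newer; the host names scada-a/scada-b, the addresses 10.0.0.11/10.0.0.12, the subject and the output file names are assumptions. The URI entry is taken from the original post. Note that Basic256 uses SHA-1 and has been deprecated in newer OPC UA versions; the same certificate also works for Basic256Sha256, which should be preferred where the servers support it.

```shell
#!/bin/sh
# Added example (not from the thread or from WinCC OA): build an OPC UA
# application instance certificate whose SubjectAltName lists the
# application URI plus a DNS name and IP address for every host of the
# redundant client pair, then check what the resulting file contains.
# Assumes OpenSSL 1.1.1 or newer ("req -addext" and "x509 -ext").
# Host names, IP addresses, subject and file names are assumptions.

# make_opcua_cert OUT_BASENAME APP_URI EXTRA_SANS
#   APP_URI    the client's ApplicationUri; OPC UA servers compare it
#              against the URI entry of the SAN
#   EXTRA_SANS comma-separated "DNS:name" / "IP:addr" entries covering
#              every host the client may run on
make_opcua_cert() {
    out="$1"; app_uri="$2"; extra_sans="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$out.key" -out "$out.pem" \
        -subj "/CN=WinCC_OA_client/O=Example" \
        -addext "subjectAltName=URI:$app_uri,$extra_sans" \
        -addext "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment" \
        -addext "extendedKeyUsage=clientAuth,serverAuth" \
        2>/dev/null || return 1
    # OPC UA stacks commonly expect the certificate in DER form; keep both.
    openssl x509 -in "$out.pem" -outform DER -out "$out.der"
}

# cert_sans CERT_PEM: print the SAN extension of a PEM certificate on one line
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr -d '\n'
}

# cert_has_san CERT_PEM ENTRY: succeed if ENTRY is listed in the SAN, using
# OpenSSL's own spelling ("DNS:scada-b", "IP Address:10.0.0.12", "URI:...")
cert_has_san() {
    cert_sans "$1" | grep -qF -- "$2"
}

# Usage: OPCUA_CERT_DEMO=1 sh thisfile.sh
if [ -n "${OPCUA_CERT_DEMO:-}" ]; then
    make_opcua_cert ./WinCC_OA_client "urn:host:ETMpc:WinC_OA_client" \
        "DNS:scada-a,DNS:scada-b,IP:10.0.0.11,IP:10.0.0.12"
    cert_sans ./WinCC_OA_client.pem; echo
fi
```

Before trusting the file on a server, run cert_has_san against it for each host name and address the redundant client actually uses; a missing entry is exactly the hostname mismatch described in the original post, and the server-side trust list must then receive the new certificate rather than the WinCC OA default one.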
