The Interoperability Standard
for Industrial Automation
Unified Architecture Technology Sample Applications
In this tutorial we will only use the applications supplied by the OPC Foundation.
By default, all applications installed by this package trust each other. We will begin our tutorial by isolating one application and removing it from the trust-list. Once we have seen the effects of this, we will add the application back into the trust list.
In this tutorial we will isolate the Data Access Client by removing it from the trust-list, thus preventing it from making a connection to any of the UA Servers installed within this package.
Launch the DA Server and DA Client applications and make sure a connection can be established. Then shut down the DA Server, leaving the DA Client running.
Launch the Configuration Tool and select any application.
Click on the Manage Security tab (if not already selected).
Click on the View_Trusted_Certificates button.
The "Manage Certificates in Certificate Store" dialog will open:
Select "Quickstart DataAccess Client" in the list and then right-click on it.
Choose "Delete" from the context-menu.
You will be prompted to verify the request; click the "Yes" button.
Click the "Cancel" button to close the dialog.
Launch the DA Server.
In the DA Client, click the "Connect" button (make sure the "Use Security" checkbox is checked).
The connection will fail and the following error is shown:
Note: If you clear the "Use Security" box the connection will succeed.
There are 2 ways that you can configure trusting an application:
1. Attempt the connection while expecting it to fail. You then move the certificate from the untrusted store to the trusted store. Easiest method!
2. Export the certificate from the first application, and then import it into the trust list of the other application.
In this tutorial we will use option 1 above.
Launch the Configuration Tool, then activate the Manage Security tab, and then click the "Select Certificate to Trust..." button.
The "Manage Certificates in Certificate Store" dialog will display a list of certificates in the "MachineDefault" store. We need to change the "Store Path" to show the "RejectedCertificates":
In the list, select "Quickstart Data Access Client" and click the "OK" button.
You will see a message that the certificate is now trusted. However, a copy of the certificate is also still listed in the "RejectedCertificates" store.
Repeat steps 2 and 3 (above) and this time select the "Quickstart Data Access Client" by right-clicking on it and choosing "Delete" from the context-menu; you will need to confirm the request.
Click the "Cancel" button to close the "Manage Certificates in Certificate Store" dialog.
Minimize the Configuration Tool.
In the DA Client, check the "Use Security" box and then click the "Connect" button.
The connection between the Client and Server should be established.
In this example we saw how you can remove an application from a trust-list, and how to add it back to the trust list. We focused on the Client only. In the real world you will need to make sure that the Server trusts the Client (as we did here) and also that the Client trusts the Server, which you can do by following the same steps as described above.
The OPC Foundation UA .NET API sample applications are configured to use a shared/common certificate repository. Therefore, when we removed the Data Access Client from the certificate list we also prevented this client from connecting to any Server that is configured to use this repository.
When developing your own applications you may decide to separate trust-lists on a per-application basis.
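The trust decision the tutorial walks through, as an added Python audit script (not OPC Foundation code): it hashes each certificate file in a trusted store and a RejectedCertificates store and reports which applications will connect, which will be refused, and which are trusted but still carry a stale copy in the rejected store, the state reached after "Select Certificate to Trust..." and before the delete. It assumes a directory-based store with a certs subfolder of DER files (the UA .NET file-store layout; Windows stores such as MachineDefault are not covered), and the sample files it writes are constructed placeholders, not real certificates.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout of a directory-based OPC UA certificate store: one DER
# file per certificate inside a "certs" subfolder. Windows certificate
# stores (e.g. MachineDefault in the tutorial) are not handled here.
CERT_SUBDIR = "certs"


def thumbprint(der_bytes: bytes) -> str:
    """SHA-1 over the DER encoding: the thumbprint shown in the Manage Certificates dialog."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def load_store(store_dir: Path) -> dict:
    """Map thumbprint -> file name for every .der file in the store's certs folder."""
    certs = store_dir / CERT_SUBDIR
    if not certs.is_dir():
        return {}
    return {thumbprint(p.read_bytes()): p.name for p in sorted(certs.glob("*.der"))}


def audit(trusted_dir: Path, rejected_dir: Path) -> dict:
    """Classify each certificate the way the trust check will see it."""
    trusted = load_store(trusted_dir)
    rejected = load_store(rejected_dir)
    result = {"trusted": [], "rejected_only": [], "stale_rejected_copy": []}
    for tp, name in trusted.items():
        result["trusted"].append(name)
        if tp in rejected:
            # Trusted, but a copy still sits in RejectedCertificates:
            # the state after "Select Certificate to Trust..." and before the delete.
            result["stale_rejected_copy"].append(name)
    for tp, name in rejected.items():
        if tp not in trusted:
            # A secure connection ("Use Security" checked) will fail for this one.
            result["rejected_only"].append(name)
    return result


def build_demo_stores() -> tuple:
    """Constructed sample stores; the file contents are placeholder bytes, not real DER certificates."""
    root = Path(tempfile.mkdtemp())
    trusted, rejected = root / "UA Applications", root / "RejectedCertificates"
    for d in (trusted, rejected):
        (d / CERT_SUBDIR).mkdir(parents=True)
    server, client = b"placeholder DER: DA Server", b"placeholder DER: DA Client"
    (trusted / CERT_SUBDIR / "Quickstart DataAccess Server.der").write_bytes(server)
    (trusted / CERT_SUBDIR / "Quickstart DataAccess Client.der").write_bytes(client)
    (rejected / CERT_SUBDIR / "Quickstart DataAccess Client [rejected].der").write_bytes(client)
    return trusted, rejected


if __name__ == "__main__":
    for category, names in audit(*build_demo_stores()).items():
        print(f"{category}: {names}")
```

Run it against the real store directories to confirm that, after the final delete step, the client appears under "trusted" only.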