Issue connecting python with KEPServerEX 6

[AndresParra11]

In KEPServerEX 6 I have the following configuration (OPC UA Configuration Manager):

In device 1 channel 1, I have two tags to test the connection:

I have Python 3.11 installed and I'm using Visual Studio Code (VSC). I already installed the asyncua library with the "pip install asyncua" command from the VSC terminal. And I have the following code:

import asyncio
from asyncua import Client

async def main():
    # Se crea el cliente OPC UA y se conecta al servidor
    client = Client("opc.tcp://127.0.0.1:49320")
    await client.connect()

    node = await client.get_node("ns=2;s=Chanel1.Device1.Tag1")
    value = await node.read_value()
    print("Valor inicial:", value)

    await client.disconnect()

if __name__ == "__main__":
    # Ejecuta el bucle de eventos de asyncio para el cliente OPC UA
    asyncio.run(main()) 

And it throws me the following errors:

Requested session timeout to be 3600000ms, got 60000ms instead
ServiceFault (BadIdentityTokenInvalid, diagnostics: DiagnosticInfo(SymbolicId=None, NamespaceURI=None, Locale=None, LocalizedText=None, AdditionalInfo=None, InnerStatusCode=None, InnerDiagnosticInfo=None)) from server received in response to ActivateSessionRequest
Traceback (most recent call last):
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\client\client.py", line 291, in connect
await self.activate_session(username=self._username, password=self._password, certificate=self.user_certificate)
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\client\client.py", line 600, in activate_session
return await self.uaclient.activate_session(params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\client\ua_client.py", line 339, in activate_session
data = await self.protocol.send_request(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\client\ua_client.py", line 165, in send_request
self.check_answer(data, f" in response to {request.class.name}")
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\client\ua_client.py", line 174, in check_answer
hdr.ServiceResult.check()
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\ua\uatypes.py", line 372, in check
raise UaStatusCodeError(self.value)
asyncua.ua.uaerrors._auto.BadIdentityTokenInvalid: "The user identity token is not valid."(BadIdentityTokenInvalid)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "c:\Users\user\Downloads\Prueba OPC\tempCodeRunnerFile.py", line 17, in
asyncio.run(main())
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\asyncio\runners.py", line 190, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\asyncio\runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 653, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "c:\Users\user\Downloads\Prueba OPC\tempCodeRunnerFile.py", line 7, in main
await client.connect()
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\client\client.py", line 294, in connect
await self.close_session()
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\client\client.py", line 672, in close_session
return await self.uaclient.close_session(True)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\client\ua_client.py", line 362, in close_session
response.ResponseHeader.ServiceResult.check()
File "C:\Users\user\AppData\Local\Programs\Python\Python311\Lib\site-packages\asyncua\ua\uatypes.py", line 372, in check
raise UaStatusCodeError(self.value)
asyncua.ua.uaerrors._auto.BadSessionNotActivated: "The session cannot be used because ActivateSession has not been called."(BadSessionNotActivated)

I don't know what to do, if you can help me I appreciate it.

[schroeder-]

Security None just the secruity of the communication. You maybe still need a useser + password or a certificate, to login. That is what the errorcode BadIdentityTokenInvalid means.

[raskitoma]

Hi @rlabbeptc ,

Thanks for your help. I have managed to configure everything to a certain point following the documentation you kindly shared. I have also added one user to be able to connect to the service.

I have configured the endpoint to use a security police (Basic256Sha256, SignAndEncrypt) but I have problems with the certs. I have no idea but I tried to do the certs by myself, configuring the ssl.conf file to my needs, then creating the key.pem and with that I created the certificate.pem.

I'm trying to connect using:

import asyncio
from asyncua import Client, ua

async def main():
    # Define the endpoint URL
    endpoint_url = "opc.tcp://my_ip:my_port"

    # Create a client
    client = Client(url=endpoint_url)
    client.set_user('myuser')
    client.set_password('mypassword')

    # Have tried to use client.set_security_string with no success here.
   
    # Connect to the OPC UA server
    await client.connect()
    
   # always crashes here with errors

    print("Connected to OPC UA server")

    # Activate the session with an empty user identity token
    session = await client.create_session(user_identity_token=ua.UserIdentityToken())

    print("Session activated")

    # Do whatever you need to do with the server here

    if session:
        await session.close()
        print("Session closed")
    await client.disconnect()
    print("Disconnected from OPC UA server")

if __name__ == "__main__":
    asyncio.run(main())

The script I use for certificate generation is the one we have access in the project page.

I really appreciate any suggestions here.

Meanwhile, with your previos suggestion I found how to configure the API so I will try to access the  model to see if I'm able to access the data I need to review.

[rlabbeptc]

Looking at this example. It doesn't seem that the client is being setup to use a secure connection. I won't be able to do any testing today, but I would assume this example would be the place to start.

https://github.com/FreeOpcUa/opcua-asyncio/blob/master/examples/client-with-encryption.py

You would need to ensure the client certificate is being used by your client and make sure that your client trust store has the Kepware UA server instance certificate. After an initial connection attempt that fails, trust the client certificate in Kepware UA Configuration, and you should be good to go.

[raskitoma]

Thanks!

I was able to actually do all the steps including the "trusting" of the self certificate on the server. That was a progress.. but:

I received this:

ValueError: error parsing asn1 value: ParseError { kind: InvalidValue, location: ["AuthorityKeyIdentifier::authority_cert_serial_number"] }

it happens when it tries to process:

async with client:

btw, I also added the user and password.

I don't know, but I think it could be a problem with the uri definition.

[raskitoma]

Doing more research, as I'm creating a client certificate, I saw that I could change the value of USE_TRUST_STORE to False.

I regenerated the certificates, have connection to Kepware (trusted the new certificate, but I receive the same ValueError: error parsing asn1 value: ParseError { kind: InvalidValue, location: ["AuthorityKeyIdentifier::authority_cert_serial_number"] }

I'm gonna do more research about this.

[rlabbeptc]

I was able to test with the example successfully. Did you export the server certificate from Kepware and use that for the validation? I'm not sure how the validation works in this package.

I did just use the example certificates as client certs in this repo and tested with adding a user and password with success. I was able to even use the TrustStore as long as you put the certificate in the trust store path defined. Example code looks at the relative path ./examples/certificates/trusted/certs

Here's the code I used just to print the root nodes.

import asyncio
import logging
import sys
import socket
from pathlib import Path
from cryptography.x509.oid import ExtendedKeyUsageOID
sys.path.insert(0, "..")
from asyncua import Client
from asyncua.crypto.security_policies import SecurityPolicyBasic256Sha256
from asyncua.crypto.cert_gen import setup_self_signed_certificate
from asyncua.crypto.validator import CertificateValidator, CertificateValidatorOptions
from asyncua.crypto.truststore import TrustStore
from asyncua import ua


logging.basicConfig(level=logging.INFO)
_logger = logging.getLogger(__name__)

USE_TRUST_STORE = True

cert_idx = 1
cert_base = Path(__file__).parent
cert = Path(cert_base / f"certificates/peer-certificate-example-{cert_idx}.der")
private_key = Path(cert_base / f"certificates/peer-private-key-example-{cert_idx}.pem")

async def task(loop):
    host_name = socket.gethostname()
    client_app_uri = f"urn:{host_name}:foobar:myselfsignedclient"
    url = "opc.tcp://127.0.0.1:49320/"

    await setup_self_signed_certificate(private_key,
                                        cert,
                                        client_app_uri,
                                        host_name,
                                        [ExtendedKeyUsageOID.CLIENT_AUTH],
                                        {
                                            'countryName': 'CN',
                                            'stateOrProvinceName': 'AState',
                                            'localityName': 'Foo',
                                            'organizationName': "Bar Ltd",
                                        })
    client = Client(url=url)
    client.set_user('test')
    client.set_password('PUTTESTPASSWORDHERE')
    client.application_uri = client_app_uri
    await client.set_security(
        SecurityPolicyBasic256Sha256,
        certificate=str(cert),
        private_key=str(private_key),
        server_certificate="df292b0eedc09436c8dd293f3cdf3fe9d681d031.der"
    )

    if USE_TRUST_STORE:
        trust_store = TrustStore([Path('examples') / 'certificates' / 'trusted' / 'certs'], [])
        await trust_store.load()
        validator =CertificateValidator(CertificateValidatorOptions.TRUSTED_VALIDATION|CertificateValidatorOptions.PEER_SERVER, trust_store)
    else:
        validator =CertificateValidator(CertificateValidatorOptions.EXT_VALIDATION|CertificateValidatorOptions.PEER_SERVER)
    client.certificate_validator = validator
    try:
        async with client:
            objects = client.nodes.objects
            children = await objects.get_children()
            print(children)
    except ua.UaError as exp:
        _logger.error(exp)


def main():
    loop = asyncio.get_event_loop()
    loop.set_debug(True)
    loop.run_until_complete(task(loop))
    loop.close()


if __name__ == "__main__":
    main()