Bad Session Channel Closed exception when trying to connect OpcUaClient to server using X509IdentityProvider

[jchirantan]

Description
I am using the Eclipse-milo SDK to establish a secured connection with the server.
I am able to establish a username-password-based connection with the server using UsernameProvider.

I am trying to establish certificate-based connection to server (Security Mode: SignAndEncrypt, Security Policy: Basic256Sha256) using X509IdentityProvider

Following is the code snippet I am using:

                            OpcUaClientConfig config = OpcUaClientConfig.builder()
					.setApplicationName("SessionName")
	                .setEndpoint(this.endpoint)
	                .setCertificateValidator(validator)
	                .setIdentityProvider(new X509IdentityProvider(X509Certificate, PrivateKey)
	                .build();
			
			try {
				clientLocal = OpcUaClient.create(config);
				clientLocal.connect().get();
				setDsConnected(true);
			} catch (UaException | InterruptedException | ExecutionException e) {
				// TODO Auto-generated catch block
				e.printStackTrace();
			}

clientLocal.connect().get() method is throwing the exception "Bad_SessionChannelClosed" (I think it is not opening the session).

I have already added the certificate to the "cert" folder of the server.

Expected behavior
When the certificate is added to the cert folder, the connection should be established and client should connect to server.

If the certificate is not already accepted, it should appear to the server for accepting.

Logs and Packet Captures

Additional context

Eclipse Milo version: 0.6.16
OPC Ua server: Prosys Simulation Server free edition.

[kevinherron]

Are you using a separate certificate for the X509 authentication than the one you use for the secure channel connection? Have you configured this user certificate in the Prosys simulation server somehow?

I am trying to establish certificate-based connection to server (Security Mode: SignAndEncrypt, Security Policy: Basic256Sha256) using X509IdentityProvider

All connections that use security are "certificate-based". Using the X509IdentityProvider means using another, separate, certificate that is used to identify and authenticate the user of the Session.

[jchirantan]

Yes @kevinherron, I am using a different certificate for authentication with a private key.

I have copied this certificate in Prosys server's PKI/cert directory and I can this certificate trusted in Prosys Simulation server UI

[kevinherron]

It would need to be in the separate USERS_PKI directory Prosys uses for user certificates.

and I think they require the certificate in DER format, with PEM being used for private keys, which you would not provide to the server in this case.

[jchirantan]

Ok, I will check on this.
Thanks!!

[jchirantan]

Hi @kevinherron,
I tried to copy the ".der" certificate in the Users_Pki directory. Still getting the same exception (Bad Session Channel closed). This exception comes only when I use "X509IdentityProvider".

My requirement is to build the client with an application instance certificate, which will go to the server, and when we accept that certificate in the server, then a connection will be established.

So instead of the default certificate, I want to use my certificate to establish a client-server connection.

Is this possible?

[jchirantan]

Hi @kevinherron,

Any updates?

[kevinherron]

My requirement is to build the client with an application instance certificate, which will go to the server, and when we accept that certificate in the server, then a connection will be established.

When you describe it like this, it doesn't sound like you need X509IdentityProvider at all. It sounds like you're talking about the standard application instance certificate that is used in the secure channels.

Get rid of the X509IdentityProvider and just try configuring the KeyPair and certificate/chain when building OpcUaClientConfig. There's even an existing client example for connecting to the Prosys simulation server: https://github.com/eclipse-milo/milo/blob/1.0/milo-examples/client-examples/src/main/java/org/eclipse/milo/examples/client/EventSubscriptionExampleProsys.java

[jchirantan]

Hi @kevinherron, Thanks for your help!!

The steps you mentioned above solved my issue, and I am now able to connect to the server with the generated certificate.

I just wanted to know what the significance of "certificateChain" in configuration is.
Can we just skip it if we have a single certificate?

[kevinherron]

You only need to call one or the other. Calling setCertificate is the same as calling setCertificateChain with only one certificate in the chain.

[jchirantan]

Okay, got it!!
Thanks for such great help!!