Error occurred while using security mode is Sign to connect to OPC-UA server

[lindseysimple]

🐞 Bug Report

Affected Services [REQUIRED]

The issue is located in device-opc-ua service.

Is this a regression?

No.

Description and Minimal Reproduction [REQUIRED]

1. Followed the instructions on the GettingStarted guide and used the predefined OPC-UA device and profile to setup the environment.
2. Update the device-opc-ua section on the docker compose file to update the security config of the OPC-UA connection.

device-opc-ua:
  ...
  environment:
    ...
    EDGEX_OVERWRITE_CONFIG: true
    WRITABLE_LOGLEVEL: DEBUG
    OPCUASERVER_POLICY: Aes256Sha256RsaPss
    OPCUASERVER_MODE: Sign
    OPCUASERVER_CERTFILE: /certs/rsa_cert.pem
    OPCUASERVER_KEYFILE: /certs/rsa_private.pem
  volumes:
    ...
    - "${PWD}/certs:/certs"

3. Start EdgeX services by running docker compose up -d
4. Update the SimulationServer device metadata to use the correct host IP of Prosys OPC-UA server on my machine.
5. Invoke the GET command: https://localhost:59882/api/v3/device/name/SimulationServer/Counter

🔥 Exception or Error

level=DEBUG ts=2025-03-05T12:48:24.291697403+08:00 app=device-opcua source=readhandler.go:26 msg="Driver.HandleReadCommands: protocols: map[opcua:map[Endpoint:opc.tcp://192.168.1.102:53530/OPCUA/Simulatio
nServer]] resource: Counter attributes: map[nodeId:ns=3;i=1002]"                                                                                                                                            
level=WARN ts=2025-03-05T12:48:24.301201643+08:00 app=device-opcua source=readhandler.go:36 msg="Driver.HandleReadCommands: Failed to connect OPCUA client, %!s()"
level=ERROR ts=2025-03-05T12:48:24.301277138+08:00 app=device-opcua source=restrouter.go:170 X-Correlation-ID=16650b8c-2a84-4a8d-a43f-a48af2bdc259 msg="error reading Regex DeviceResource(s) Counter for Si
mulationServer -> The security policy does not meet the requirements set by the server. StatusBadSecurityPolicyRejected (0x80550000)"
level=DEBUG ts=2025-03-05T12:48:24.301315844+08:00 app=device-opcua source=restrouter.go:171 X-Correlation-ID=16650b8c-2a84-4a8d-a43f-a48af2bdc259 msg="[github.com/edgexfoundry/device-sdk-go/v4@v4.0.0-dev
.25/internal/application/command.go]-github.com/edgexfoundry/device-sdk-go/v4/internal/application.GetCommand(line 68):  -> [github.com/edgexfoundry/device-sdk-go/v4@v4.0.0-dev.25/internal/application/com
mand.go]-github.com/edgexfoundry/device-sdk-go/v4/internal/application.readDeviceResourcesRegex(line 208): error reading Regex DeviceResource(s) Counter for SimulationServer -> The security policy does no
t meet the requirements set by the server. StatusBadSecurityPolicyRejected (0x80550000)"                                                                                                                    

Note: Have verified with security mode is None and the connection can be established successfully.

🌍 Your Environment

Deployment Environment:

EdgeX Version [REQUIRED]: 4.0.dev

Anything else relevant?

[lindseysimple]

@jiekechoo Based on the document PR, the security mode with value Sign and all the security policy values are all supported.
Could you please provide some suggestions on how to config the security related settings? Thanks.

[jrtitus]

@lindseysimple You might want to check the Endpoints tab of the SimulationServer to ensure the support for Aes256Sha256RsaPss is enabled. I can't remember exactly, but I think the first time I tried using that policy the boxes were unchecked like in the image below:

Alternatively, it might be because the last two policies are not found in the configuration for this device service:

device-opc-ua/internal/driver/config.go

Lines 52 to 57 in ba2c2be

	var policies map[string]int = map[string]int{
	"None": 1,
	"Basic128Rsa15": 2,
	"Basic256": 3,
	"Basic256Sha256": 4,
	}

...but I think you would have seen another error, during Initialize() (unless the call to Validate() was bypassed somehow):

device-opc-ua/internal/driver/driver.go

Lines 67 to 69 in ba2c2be

	if err := d.serviceConfig.OPCUAServer.Validate(); err != nil {
	return errors.NewCommonEdgeXWrapper(err)
	}

[lindseysimple]

@jrtitus Thanks a lot for the suggestions, that was really helpful!

I modified the envrionement variable in the compose as below to use the Basic256Sha256 security policy instead of Aes256Sha256RsaPss, and it works nicely.

    OPCUASERVER_POLICY: Basic256Sha256
    OPCUASERVER_MODE: SignAndEncrypt

The service started with OPC-UA device connected successfully and subscription established:

level=INFO ts=2025-03-12T11:39:03.964417685+08:00 app=device-opcua source=message.go:50 msg="Service dependencies resolved..."                                                                                    
level=INFO ts=2025-03-12T11:39:03.964433144+08:00 app=device-opcua source=message.go:51 msg="Starting device-opcua 0.0.0 "                                                                                        
level=INFO ts=2025-03-12T11:39:03.964441352+08:00 app=device-opcua source=message.go:55 msg="opcua device service started"                                                                                        
level=INFO ts=2025-03-12T11:39:03.964448477+08:00 app=device-opcua source=message.go:58 msg="Service started in: 8.176038004s"                                                                                    
level=INFO ts=2025-03-12T11:39:03.964459394+08:00 app=device-opcua source=bootstrap.go:254 msg="SecuritySecretsRequested metric registered and will be reported (if enabled)"                                     
level=INFO ts=2025-03-12T11:39:03.964468102+08:00 app=device-opcua source=bootstrap.go:254 msg="SecuritySecretsStored metric registered and will be reported (if enabled)"                                        
level=DEBUG ts=2025-03-12T11:39:03.964126852+08:00 app=device-opcua source=callback.go:84 msg="System event received on message queue. Topic: edgex/system-events/core-metadata/device/add/device-opcua/OPCUA-Serv
er, Correlation-id: d040ea0e-4e19-446f-82c1-c4607d336420"                                                                                                                                                         
level=INFO ts=2025-03-12T11:39:03.965620228+08:00 app=device-opcua source=clients.go:209 msg="Using registry for URL for 'core-metadata': http://edgex-core-metadata:59881"                                       
level=INFO ts=2025-03-12T11:39:03.966603478+08:00 app=device-opcua source=devices.go:75 msg="LastConnected-SimulationServer metric has been registered and will be reported (if enabled)"                         
level=DEBUG ts=2025-03-12T11:39:03.966648395+08:00 app=device-opcua source=callback.go:88 msg="device SimulationServer added"                                                                                     
level=DEBUG ts=2025-03-12T11:39:03.96666702+08:00 app=device-opcua source=driver.go:117 msg="Device SimulationServer is added"                                                                                    
level=DEBUG ts=2025-03-12T11:39:03.966686353+08:00 app=device-opcua source=callback.go:93 msg="Invoked driver.AddDevice callback for SimulationServer"                                                            
level=DEBUG ts=2025-03-12T11:39:03.966695395+08:00 app=device-opcua source=callback.go:103 msg="starting AutoEvents for device SimulationServer"                                                                  
level=INFO ts=2025-03-12T11:39:04.230039104+08:00 app=device-opcua source=subscriptionlistener.go:177 msg="[Incoming listener] Start incoming data listening for Counter."                                        
level=INFO ts=2025-03-12T11:39:04.236494441+08:00 app=device-opcua source=subscriptionlistener.go:177 msg="[Incoming listener] Start incoming data listening for Random."                                         
level=INFO ts=2025-03-12T11:39:04.711023668+08:00 app=device-opcua source=subscriptionlistener.go:222 msg="[Incoming listener] Incoming reading received: name=SimulationServer deviceResource=Counter value=-0.39
68071"                                                                                                                                                                                                            
level=INFO ts=2025-03-12T11:39:04.711295252+08:00 app=device-opcua source=subscriptionlistener.go:222 msg="[Incoming listener] Incoming reading received: name=SimulationServer deviceResource=Random value=1.6"  
...

However, after invoking the GET command curl 'http://localhost:59882/api/v3/device/name/SimulationServer/Counter', the following error occurred:

level=DEBUG ts=2025-03-12T11:39:23.972907362+08:00 app=device-opcua source=readhandler.go:26 msg="Driver.HandleReadCommands: protocols: map[opcua:map[Endpoint:opc.tcp://192.168.1.102:53530/OPCUA/SimulationServe
r]] resource: Counter attributes: map[nodeId:ns=3;i=1002]"                                                                                                                                                                                                                                                                                                                         
2025/03/12 11:39:23 http: panic serving 192.168.97.9:57468: runtime error: invalid memory address or nil pointer dereference                                                                                      
goroutine 175 [running]:                                                                                                                                                                                          
net/http.(*conn).serve.func1()                                                                                                                                                                                    
        net/http/server.go:1947 +0xb0                                                                                                                                                                             
panic({0xaaaac36ea220?, 0xaaaac43419f0?})                                                                                                                                                                         
        runtime/panic.go:791 +0x124                                                                                                                                                                               
net/http.(*timeoutHandler).ServeHTTP(0x4000118e40, {0xaaaac393db50, 0x4000499260}, 0x4000184a00)                                                                                                                  
        net/http/server.go:3675 +0x654                                                                                                                                                                            
github.com/edgexfoundry/go-mod-bootstrap/v4/bootstrap/handlers.(*HttpServer).BootstrapHandler.TimeoutWithConfig.TimeoutConfig.ToMiddleware.func9.1({0xaaaac39552e0, 0x4000130460})                                
        github.com/labstack/echo/v4@v4.13.3/middleware/timeout.go:126 +0x1ac                                                                                                                                      
github.com/edgexfoundry/go-mod-bootstrap/v4/bootstrap/handlers.(*HttpServer).BootstrapHandler.UrlDecodeMiddleware.func5.1({0xaaaac39552e0, 0x4000130460})                                                         
        github.com/edgexfoundry/go-mod-bootstrap/v4@v4.0.2/bootstrap/handlers/common_middleware.go:84 +0x260                                                                                                      
github.com/edgexfoundry/go-mod-bootstrap/v4/bootstrap/handlers.(*HttpServer).BootstrapHandler.LoggingMiddleware.func4.1({0xaaaac39552e0, 0x4000130460})                                                           
        github.com/edgexfoundry/go-mod-bootstrap/v4@v4.0.2/bootstrap/handlers/common_middleware.go:60 +0x394                                                                                                      
github.com/edgexfoundry/go-mod-bootstrap/v4/bootstrap/handlers.ManageHeader.func1({0xaaaac39552e0, 0x4000130460})                                                                                                 
        github.com/edgexfoundry/go-mod-bootstrap/v4@v4.0.2/bootstrap/handlers/common_middleware.go:40 +0x204                                                                                                      
github.com/labstack/echo/v4.(*Echo).ServeHTTP(0x40000f6008, {0xaaaac393d850, 0x40001a6700}, 0x400049c3c0)                                                                                                         
        github.com/labstack/echo/v4@v4.13.3/echo.go:668 +0x304                                                                                                                                                    
net/http.serverHandler.ServeHTTP({0x400003cba0?}, {0xaaaac393d850?, 0x40001a6700?}, 0x6?)                                                                                                                         
        net/http/server.go:3210 +0xbc                                                                                                                                                                             
net/http.(*conn).serve(0x4000742000, {0xaaaac393f8e0, 0x4000276fc0})                                                                                                                                              
        net/http/server.go:2092 +0x4fc                                                                                                                                                                            
created by net/http.(*Server).Serve in goroutine 62                                                                                                                                                               
        net/http/server.go:3360 +0x3dc

After digging into the code, it seems that it would always fall into the following code while HandleReadCommands or HandleWriteCommands is invoked and built a opc-ua client with MessageSecurityModeNone:

device-opc-ua/internal/driver/driver.go

Lines 184 to 187 in ba2c2be

	client, _ := opcua.NewClient(endpoint, opcua.SecurityMode(ua.MessageSecurityModeNone))
	if err := client.Connect(ctx); err != nil {
	return nil, err
	}

Do you have any insight on the issues? Thanks again for your help.

[jrtitus]

@lindseysimple Sorry for taking so long to get back to you. You're right - it looks like only the "none" mode is supported, and it seems like it's been that way for quite a while.. all the way back to ~4 years ago when I originally updated the repository for EdgeX v2.. and 6 years ago from the original implementation.

More interesting is the fact that this should work correctly with the subscription listener which doesn't use the client map. So some combination of Driver.buildClient() and Driver.getClient() should be able to resolve it.

[lindseysimple]

@jrtitus No problem and thanks for the clarification!

[thayoon]

Hello, I am experiencing the same issue. I followed the steps mentioned in the related issue, but the error below keeps occurring, so I would like to ask for your assistance.

My development environment:

• window 11 pro (Prosys OPC UA Simulation Server)
• WSL: Ubuntu-24.04 (Docker edgex-compose)
• Prosys OPC UA Simulation Server Setting
  • Endpoints
    • Security Modes: Sign, Sign&Encrypt
    • Security Policies: Basic128Rsa15, Basic256, Basic256Sha256, Aes128Sha256RsaOaep, Aes256Sha256RsaPss
  • Users
    • User Authentication Methodes: Username&Password, Certificate

The steps I followed:

1. Set up edgex-compose Docker environment in WSL

:~/edgex-test$ git clone https://github.com/edgexfoundry/edgex-compose.git
:~/edgex-test/edgex-compose$ sudo apt install make
:~/edgex-test/edgex-compose/compose-builder$ make gen no-secty ds-opc-ua
:~/edgex-test/edgex-compose/compose-builder$ make up
:~/edgex-test/edgex-compose/compose-builder$ docker compose down

2. Create a self-signed certificate

• Create a 'certs' folder on the host and mount it as a volume in the device-opc-ua container.

  :~/edgex-test/edgex-compose/compose-builder$ mkdir certs
  :~/edgex-test/edgex-compose/compose-builder$ cd certs

• Create a certificate config file (opc.config)

  [ req ]
  default_bits = 2048
  default_md = sha256
  distinguished_name = subject
  req_extensions = req_ext
  x509_extensions = req_ext
  string_mask = utf8only
  prompt = no
  
  [ req_ext ]
  basicConstraints = critical, CA:FALSE
  keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
  extendedKeyUsage = clientAuth
  subjectAltName = URI:urn:DESKTOP-2T5PGAK:EdgexTest:Edgex, DNS:DESKTOP-2T5PGAK, IP:127.0.0.1
  subjectKeyIdentifier = hash
  authorityKeyIdentifier=keyid:always,issuer:always
  
  [ subject ]
  countryName = KR
  stateOrProvinceName = Seoul
  localityName = Seoul
  organizationName = EdgexTest
  commonName = MyOpcUaClient
  

• Generate the certificate
  :~/edgex-test/edgex-compose/compose-builder/certs$ openssl req -new -x509 -config opc.config -newkey rsa:2048 -keyout opcua-client-key.pem -nodes -outform pem -out opcua-client-cert.pem -days 365

3. Copy the res/configuration.yaml file from the device-opc-ua container to the host

:~/edgex-test/edgex-compose/compose-builder$ mkdir device-opc-ua-res
:~/edgex-test/edgex-compose/compose-builder$ docker cp edgex-device-opc-ua:/res/configuration.yaml ./device-opc-ua-res/configuration.yaml

• Modify OPCUAServer section in compose-builder/device-opc-ua-res/configuration.yaml

  OPCUAServer:
    DeviceName: SimulationServer
    Policy: Basic256Sha256
    Mode: SignAndEncrypt
    CertFile: './certs/opcua-client-cert.pem'
    KeyFile: './certs/opcua-client-key.pem'
    Writable:
      Resources: 'Counter,Random'

4. Modify compose-builder/docker-compose.yaml and set up volumes

  device-opc-ua:
    ...
    environment:
      EDGEX_SECURITY_SECRET_STORE: "false"
      SERVICE_HOST: edgex-device-opc-ua
      EDGEX_OVERWRITE_CONFIG: true
      WRITABLE_LOGLEVEL: DEBUG
      OPCUASERVER_POLICY: Basic256Sha256
      OPCUASERVER_MODE: SignAndEncrypt
      OPCUASERVER_CERTFILE: /certs/opcua-client-cert.pem
      OPCUASERVER_KEYFILE: /certs/opcua-client-key.pem
    ...
    volumes:
      - ./certs:/certs
      - type: bind
        source: ./device-opc-ua-res/configuration.yaml
        target: /res/configuration.yaml
    ...

5. Restart Docker Compose
   :~/edgex-test/edgex-compose/compose-builder$ docker compose up -d

Connection logs

:~/edgex-test/edgex-compose/compose-builder$ docker logs -f edgex-device-opc-ua
...
level=INFO ts=2025-11-14T14:12:13.125867327+09:00 app=device-opcua source=config.go:745 msg="Loading configuration file from res/configuration.yaml"
level=INFO ts=2025-11-14T14:12:13.126335544+09:00 app=device-opcua source=variables.go:463 msg="Variables override of 'Writable/LogLevel' by environment variable: WRITABLE_LOGLEVEL=DEBUG"
level=INFO ts=2025-11-14T14:12:13.126378096+09:00 app=device-opcua source=variables.go:463 msg="Variables override of 'OPCUAServer/Mode' by environment variable: OPCUASERVER_MODE=SignAndEncrypt"
level=INFO ts=2025-11-14T14:12:13.126386966+09:00 app=device-opcua source=variables.go:463 msg="Variables override of 'OPCUAServer/Policy' by environment variable: OPCUASERVER_POLICY=Basic256Sha256"
level=INFO ts=2025-11-14T14:12:13.126393109+09:00 app=device-opcua source=variables.go:463 msg="Variables override of 'Service/Host' by environment variable: SERVICE_HOST=edgex-device-opc-ua"
level=INFO ts=2025-11-14T14:12:13.126399507+09:00 app=device-opcua source=variables.go:463 msg="Variables override of 'OPCUAServer/CertFile' by environment variable: OPCUASERVER_CERTFILE=/certs/opcua-client-cert.pem"
level=INFO ts=2025-11-14T14:12:13.126404854+09:00 app=device-opcua source=variables.go:463 msg="Variables override of 'OPCUAServer/KeyFile' by environment variable: OPCUASERVER_KEYFILE=/certs/opcua-client-key.pem"
...

Error Logs

• Data collection error due to Writable settings in device-opc-ua container's res/configuration.yaml

  level=DEBUG ts=2025-11-14T11:19:15.85457968+09:00 app=device-opcua source=readhandler.go:26 msg="Driver.HandleReadCommands: protocols: map[opcua:map[Endpoint:opc.tcp://192.168.123.123:53530/OPCUA/SimulationServer]] resource: Counter attributes: map[nodeId:ns=3;i=1002]"
  level=WARN ts=2025-11-14T11:19:15.938894521+09:00 app=device-opcua source=readhandler.go:36 msg="Driver.HandleReadCommands: Failed to connect OPCUA client, %!s(<nil>)"
  level=ERROR ts=2025-11-14T11:19:15.93905737+09:00 app=device-opcua source=restrouter.go:170 X-Correlation-ID=dbb88715-dcde-4520-8f12-f23b2c031e38 msg="error reading Regex DeviceResource(s) Counter for SimulationServer -> The security policy does not meet the requirements set by the server. StatusBadSecurityPolicyRejected (0x80550000)"
  level=DEBUG ts=2025-11-14T11:19:15.939092682+09:00 app=device-opcua source=restrouter.go:171 X-Correlation-ID=dbb88715-dcde-4520-8f12-f23b2c031e38 msg="[github.com/edgexfoundry/device-sdk-go/v4@v4.1.0-dev.42/internal/application/command.go]-github.com/edgexfoundry/device-sdk-go/v4/internal/application.GetCommand(line 68):  -> [github.com/edgexfoundry/device-sdk-go/v4@v4.1.0-dev.42/internal/application/command.go]-github.com/edgexfoundry/device-sdk-go/v4/internal/application.readDeviceResourcesRegex(line 208): error reading Regex DeviceResource(s) Counter for SimulationServer -> The security policy does not meet the requirements set by the server. StatusBadSecurityPolicyRejected (0x80550000)"

• Error when AutoEvent occurs (AutoEvent was configured in the UI)

  level=DEBUG ts=2025-11-14T11:47:35.049415976+09:00 app=device-opcua source=executor.go:64 msg="AutoEvent - reading Constant"
  level=DEBUG ts=2025-11-14T11:47:35.049784778+09:00 app=device-opcua source=readhandler.go:26 msg="Driver.HandleReadCommands: protocols: map[opcua:map[Endpoint:opc.tcp://192.168.123.123:53530/OPCUA/SimulationServer]] resource: Constant attributes: map[nodeId:ns=3;i=1001]"
  level=WARN ts=2025-11-14T11:47:35.062691486+09:00 app=device-opcua source=readhandler.go:36 msg="Driver.HandleReadCommands: Failed to connect OPCUA client, %!s(<nil>)"
  level=ERROR ts=2025-11-14T11:47:35.06296553+09:00 app=device-opcua source=executor.go:67 msg="AutoEvent - error occurs when reading resource Constant: error reading Regex DeviceResource(s) Constant for SimulationServer -> The security policy does not meet the requirements set by the server. StatusBadSecurityPolicyRejected (0x80550000)"

• Error occurs when testing command get

  level=DEBUG ts=2025-11-14T11:52:26.716292427+09:00 app=device-opcua source=readhandler.go:26 msg="Driver.HandleReadCommands: protocols: map[opcua:map[Endpoint:opc.tcp://192.168.123.123:53530/OPCUA/SimulationServer]] resource: Counter attributes: map[nodeId:ns=3;i=1002]"
  level=WARN ts=2025-11-14T11:52:26.723219062+09:00 app=device-opcua source=readhandler.go:36 msg="Driver.HandleReadCommands: Failed to connect OPCUA client, %!s(<nil>)"
  level=ERROR ts=2025-11-14T11:52:26.723334079+09:00 app=device-opcua source=restrouter.go:170 X-Correlation-ID=910e0287-ea12-4f63-ae6a-fd282146a716 msg="error reading Regex DeviceResource(s) Counter for SimulationServer -> The security policy does not meet the requirements set by the server. StatusBadSecurityPolicyRejected (0x80550000)"
  level=DEBUG ts=2025-11-14T11:52:26.723351737+09:00 app=device-opcua source=restrouter.go:171 X-Correlation-ID=910e0287-ea12-4f63-ae6a-fd282146a716 msg="[github.com/edgexfoundry/device-sdk-go/v4@v4.1.0-dev.42/internal/application/command.go]-github.com/edgexfoundry/device-sdk-go/v4/internal/application.GetCommand(line 68):  -> [github.com/edgexfoundry/device-sdk-go/v4@v4.1.0-dev.42/internal/application/command.go]-github.com/edgexfoundry/device-sdk-go/v4/internal/application.readDeviceResourcesRegex(line 208): error reading Regex DeviceResource(s) Counter for SimulationServer -> The security policy does not meet the requirements set by the server. StatusBadSecurityPolicyRejected (0x80550000)"

Common error:
error reading Regex DeviceResource(s) Counter for SimulationServer -> The security policy does not meet the requirements set by the server. StatusBadSecurityPolicyRejected (0x80550000)

Questions

• Is there any mistake in my configuration or the steps I followed?
• Is there a way to resolve this error?
• Also, is it possible to connect to OPC UA using the Username & Password authentication method?

Any help would be appreciated. Thanks!

[vunguyentanpy]

@thayoon
You connect to OPC UA ok ?

[thayoon]

@vunguyentanpy I’m currently not using certificates and allowing anonymous access for all connections.