Secure Policy

The security policy determines which encryption and signature algorithms are applied to messages. The list of security policies that a server or client may use is defined in the configuration file; a peer that offers only weak policies (or None) can be forced down to them, so list only what you actually need.

None

Secure policy None applies no protection to messages: they are neither signed nor encrypted, so anyone on the network path can read and alter them. Use this secure policy only for testing, or for the discovery channel (GetEndpoints) that precedes a secure one. The following example shows how to configure a client that can talk to a server without encryption:

local ua = require("opcua.api")

local config = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:opcua-lua:example",
  productUri = "urn:opcua-lua:example",
  securePolicies = {
    { -- #1
      securityPolicyUri = ua.Types.SecurityPolicy.None
    }
  }
}

local client = ua.newClient(config)
trace("connecting to server")
local endpointUrl = "opc.tcp://localhost:4841"
local err = client:connect(endpointUrl)
if err ~= nil then
  trace("connection failed: "..err)
else
  trace("Connected successfully")
end

client:disconnect()

Full source

Basic128Rsa15

Secure policy Basic128Rsa15 applies the following algorithms to messages:

  • Asymmetric encryption RSAES-PKCS1-v1_5 with a key size of 1024 or 2048 bits.

  • Asymmetric signature algorithm RSASSA-PKCS1-v1_5 with the SHA-1 hash function.

  • Symmetric encryption AES-128-CBC.

  • Symmetric signature HMAC-SHA-1.

Warning

This policy is deprecated because it relies on SHA-1 and on RSA PKCS#1 v1.5 padding. Use it only for compatibility with legacy systems that support nothing stronger, and never as the only policy a server offers.

The next example shows how to configure the Basic128Rsa15 secure policy. The None entry remains in the list only so that the client can discover the server's endpoints; application traffic should go over the Basic128Rsa15 channel.

local ua = require("opcua.api")

local clientConfig = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:localhost:RealTimeLogic",

  io = _G.io,
  certificate = mako.cfgdir.."/../certs/client.pem",
  key =         mako.cfgdir.."/../certs/client.key",

  securePolicies = {
    { -- #1 Required to discover secure policies
      securityPolicyUri = ua.Types.SecurityPolicy.None
    },
    { -- #2
      securityPolicyUri = ua.Types.SecurityPolicy.Basic128Rsa15,
      securityMode = ua.Types.MessageSecurityMode.SignAndEncrypt,
    }
  },
}

Full source

Aes128_Sha256_RsaOaep

Secure policy Aes128_Sha256_RsaOaep applies the following algorithms to messages:

  • Asymmetric encryption RSAES-OAEP with the SHA-1 hash function.

  • Asymmetric signature algorithm RSASSA-PKCS1-v1_5 with the SHA2-256 hash function.

  • Symmetric encryption AES-128-CBC.

  • Symmetric signature HMAC-SHA2-256.

The next example shows how to configure the Aes128_Sha256_RsaOaep secure policy.

local ua = require("opcua.api")

local clientConfig = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:localhost:RealTimeLogic",

  io = _G.io,
  certificate = mako.cfgdir.."/../certs/client.pem",
  key =         mako.cfgdir.."/../certs/client.key",

  securePolicies = {
    { -- #1 Required to discover secure policies
      securityPolicyUri = ua.Types.SecurityPolicy.None
    },
    { -- #2
      securityPolicyUri = ua.Types.SecurityPolicy.Aes128_Sha256_RsaOaep,
      securityMode = ua.Types.MessageSecurityMode.SignAndEncrypt,
    }
  },
}

Full source

Basic256Sha256

Secure policy Basic256Sha256 applies the following algorithms to messages:

  • Asymmetric encryption RSAES-OAEP with the SHA-1 hash function.

  • Asymmetric signature algorithm RSASSA-PKCS1-v1_5 with the SHA2-256 hash function.

  • Symmetric encryption AES-256-CBC.

  • Symmetric signature HMAC-SHA2-256.

Of the policies described on this page this is the strongest, and it should be the default choice for both clients and servers.

The next example shows how to configure the Basic256Sha256 secure policy.

local ua = require("opcua.api")

local clientConfig = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:localhost:RealTimeLogic",

  io = _G.io,
  certificate = mako.cfgdir.."/../certs/client.pem",
  key =         mako.cfgdir.."/../certs/client.key",

  securePolicies = {
    { -- #1 Required to discover secure policies
      securityPolicyUri = ua.Types.SecurityPolicy.None
    },
    { -- #2
      securityPolicyUri = ua.Types.SecurityPolicy.Basic256Sha256,
      securityMode = ua.Types.MessageSecurityMode.SignAndEncrypt,
    }
  },
}

Full source

Establishing secure connection

When a client connects to a server it must open a secure channel and specify the secure policy to use. To discover the exact secure policy parameters, the client can send a GetEndpoints request; the server responds with all of its known endpoints, the secure policies applicable to each, and the server certificate needed to open an encrypted channel. Because GetEndpoints is answered over an unprotected channel, the certificate it returns must be checked against the client's trust list before it is used. The following example shows how to discover an endpoint with secure policy Basic128Rsa15:

local c = ua.newClient(clientConfig)

-- Connect to the server (TCP level only; no secure channel yet)
local err = c:connect("opc.tcp://localhost:4841")
if err ~= nil then error(err) end

-- Open a channel with secure policy None. In this mode the server
-- should allow only the discovery services (GetEndpoints) to be called.
local resp
resp, err = c:openSecureChannel(3600000,
  ua.Types.SecurityPolicy.None, ua.Types.MessageSecurityMode.None)
if err ~= nil then error(err) end

-- Ask the server which endpoints and secure policies it offers
resp, err = c:getEndpoints()
if err ~= nil then error(err) end

-- Close the secure channel (the TCP connection stays open)
err = c:closeSecureChannel()
if err ~= nil then error(err) end

-- Search for an endpoint that offers the Basic128Rsa15 policy
local basic128rsa15
for _, endpoint in ipairs(resp.Endpoints) do
  if endpoint.SecurityPolicyUri == ua.Types.SecurityPolicy.Basic128Rsa15 then
    basic128rsa15 = endpoint
    break
  end
end

if not basic128rsa15 then
  error("Cannot find Basic128Rsa15 policy on the server")
end

-- Open a secure channel with the chosen policy and the server certificate
-- returned by GetEndpoints. The endpoint list was received over an
-- unprotected channel, so the certificate must be checked against the
-- client's trust list before it is used here.
resp, err = c:openSecureChannel(
  3600000,
  ua.Types.SecurityPolicy.Basic128Rsa15, ua.Types.MessageSecurityMode.SignAndEncrypt,
  basic128rsa15.ServerCertificate)
if err ~= nil then error(err) end

Full source
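The loop above accepts the first endpoint whose policy matches one hard-coded URI. The helper below, added here as an example and not part of the opcua-lua project, generalizes that step: it ranks the endpoints returned by GetEndpoints by policy strength, refuses None and (unless the caller opts in) the deprecated Basic128Rsa15, requires SignAndEncrypt, and pins the server certificate to a trusted DER blob before the endpoint is used. It works on the endpoint table shape shown above (Endpoints, SecurityPolicyUri, ServerCertificate). The SecurityMode field, the policy URI strings, the numeric MessageSecurityMode values and the sample endpoint list are assumptions constructed for the example; the real values come from the library's ua.Types tables.

```lua
-- Added example: choose the strongest acceptable endpoint from a GetEndpoints
-- response. Plain Lua 5.x; it does not call opcua-lua itself.

-- Standard OPC UA security policy URIs (assumed to equal the strings held by
-- the library's ua.Types.SecurityPolicy constants).
local POLICY = {
  None                  = "http://opcfoundation.org/UA/SecurityPolicy#None",
  Basic128Rsa15         = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
  Aes128_Sha256_RsaOaep = "http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep",
  Basic256Sha256        = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
}

-- MessageSecurityMode enumeration as defined by OPC UA Part 4
-- (assumed to match ua.Types.MessageSecurityMode).
local MODE = { Invalid = 0, None = 1, Sign = 2, SignAndEncrypt = 3 }

-- Higher rank wins. None is never acceptable; Basic128Rsa15 ranks lowest
-- and is only considered when the caller explicitly allows it.
local RANK = {
  [POLICY.Basic128Rsa15]         = 1,
  [POLICY.Aes128_Sha256_RsaOaep] = 2,
  [POLICY.Basic256Sha256]        = 3,
}

-- Select an endpoint from a GetEndpoints response.
--   endpoints    : resp.Endpoints as returned by client:getEndpoints()
--   trustedCerts : list of DER certificate byte strings the client trusts
--   allowLegacy  : true to accept the deprecated Basic128Rsa15 policy
-- Returns the chosen endpoint, or nil plus a reason.
local function selectEndpoint(endpoints, trustedCerts, allowLegacy)
  local trusted = {}
  for _, der in ipairs(trustedCerts) do trusted[der] = true end

  local best, bestRank = nil, 0
  for _, ep in ipairs(endpoints) do
    local rank = RANK[ep.SecurityPolicyUri]
    if rank
       and (allowLegacy or ep.SecurityPolicyUri ~= POLICY.Basic128Rsa15)
       and ep.SecurityMode == MODE.SignAndEncrypt
       and rank > bestRank then
      -- The endpoint list arrived over an unprotected channel, so only a
      -- certificate that matches the trust list byte-for-byte is accepted.
      if trusted[ep.ServerCertificate] then
        best, bestRank = ep, rank
      end
    end
  end

  if not best then
    return nil, "no endpoint with an acceptable policy and a trusted certificate"
  end
  return best
end

-- Constructed sample: a server offering three endpoints. Real ServerCertificate
-- values are DER-encoded X.509 certificates; a short stand-in string is used here.
local serverCert = "constructed-sample-der-certificate-bytes"
local sample = {
  { SecurityPolicyUri = POLICY.None,           SecurityMode = MODE.None,           ServerCertificate = "" },
  { SecurityPolicyUri = POLICY.Basic128Rsa15,  SecurityMode = MODE.SignAndEncrypt, ServerCertificate = serverCert },
  { SecurityPolicyUri = POLICY.Basic256Sha256, SecurityMode = MODE.SignAndEncrypt, ServerCertificate = serverCert },
}

-- Strongest trusted endpoint wins: Basic256Sha256
local ep, why = selectEndpoint(sample, { serverCert }, false)
assert(ep and ep.SecurityPolicyUri == POLICY.Basic256Sha256, why)

-- A certificate that is not in the trust list is rejected even though its policy is strong
local ep2, why2 = selectEndpoint(sample, { "some-other-certificate" }, false)
assert(ep2 == nil and why2 ~= nil)

-- With the legacy policy allowed and only that endpoint trusted, it is the fallback
local legacyOnly = { sample[1], sample[2] }
local ep3 = selectEndpoint(legacyOnly, { serverCert }, true)
assert(ep3 and ep3.SecurityPolicyUri == POLICY.Basic128Rsa15)
```

The chosen endpoint's SecurityPolicyUri, SignAndEncrypt and ServerCertificate are then passed to openSecureChannel exactly as in the example above. The trust list is the client's own list of DER certificates (for instance the files in its trusted certificates directory); pinning by exact bytes is deliberate here, because the GetEndpoints reply can be rewritten by anyone on the path and a certificate that merely looks plausible proves nothing. OPC UA also has the server return its endpoint list again in the CreateSession response, over the now-secured channel, so a client can compare that list with the one obtained through GetEndpoints to detect tampering during discovery.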