Secure Policy

A security policy determines which encryption and signature algorithms are applied to messages. The configuration file defines the list of security policies that the server or client can use.

None

Secure policy None does not apply any protection to messages. Use this secure policy only for testing purposes. The following example shows how to configure a client with the ability to communicate with the server without encryption:

local ua = require("opcua.api")

local config = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:opcua-lua:example",
  productUri = "urn:opcua-lua:example",
  securePolicies = {
    { -- #1
      securityPolicyUri = ua.Types.SecurityPolicy.None
    }
  }
}

local client = ua.newClient(config)
trace("connecting to server")
local endpointUrl = "opc.tcp://localhost:4841"
local err = client:connect(endpointUrl)
if err ~= nil then
  trace("connection failed: "..err)
else
  trace("Connected successfully")
end

client:disconnect()

Full source

Basic128Rsa15

Secure policy Basic128Rsa15 applies the following algorithms to messages:

  • Asymmetric encryption RSAES-PKCS1-v1_5 with key size 1024 or 2048 bits.

  • Asymmetric signature algorithm RSASSA-PKCS1-v1_5 with SHA-1 hash function.

  • Symmetric encryption AES-128-CBC.

Warning

This policy is considered deprecated and should be used only for compatibility with old systems.
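The following is an added example, not code from the opcua-lua library or its documentation: a small lint pass that checks a securePolicies table before it is handed to the client. It flags the deprecated Basic128Rsa15 policy, a non-None policy that lacks a certificate and key, a policy whose securityMode is not SignAndEncrypt, and a configuration that offers only None. The policy URIs and the numeric MessageSecurityMode values are the ones defined by the OPC UA specification and are restated here so the check runs without the library loaded; they are assumed to match what ua.Types.SecurityPolicy and ua.Types.MessageSecurityMode resolve to, and in real use you would pass those library tables instead. The configuration at the bottom is constructed for the example.

```lua
-- Added example: lint a securePolicies configuration (not opcua-lua code).
-- OPC UA profile URIs; assumed equal to the values in ua.Types.SecurityPolicy.
local SecurityPolicy = {
  None                  = "http://opcfoundation.org/UA/SecurityPolicy#None",
  Basic128Rsa15         = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
  Basic256Sha256        = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
  Aes128_Sha256_RsaOaep = "http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep",
}
-- OPC UA MessageSecurityMode enumeration; assumed equal to ua.Types.MessageSecurityMode.
local MessageSecurityMode = { None = 1, Sign = 2, SignAndEncrypt = 3 }

-- Returns a list of "level: message" findings and true when no error was found.
local function lintSecurePolicies(config, SP, MSM)
  local findings = {}
  local function add(level, msg) findings[#findings + 1] = level .. ": " .. msg end

  local policies = config.securePolicies
  if type(policies) ~= "table" or #policies == 0 then
    add("error", "securePolicies is empty; no secure channel can be opened")
    return findings, false
  end

  local protected = 0
  for i, p in ipairs(policies) do
    local uri, mode = p.securityPolicyUri, p.securityMode
    if uri == nil then
      add("error", ("policy #%d: securityPolicyUri is missing"):format(i))
    elseif uri == SP.None then
      -- None is legitimate for discovery (GetEndpoints) but protects nothing,
      -- so it must not be paired with a signing or encrypting mode.
      if mode ~= nil and mode ~= MSM.None then
        add("error", ("policy #%d: None cannot be combined with securityMode %s")
          :format(i, tostring(mode)))
      end
    else
      protected = protected + 1
      if uri == SP.Basic128Rsa15 then
        add("warning", ("policy #%d: Basic128Rsa15 is deprecated (PKCS#1 v1.5, SHA-1); " ..
          "keep it only for legacy peers"):format(i))
      end
      if mode ~= MSM.SignAndEncrypt then
        add("warning", ("policy #%d: securityMode is not SignAndEncrypt; " ..
          "message contents stay readable on the wire"):format(i))
      end
      if not config.certificate or not config.key then
        add("error", ("policy #%d: certificate and key are required for a non-None policy")
          :format(i))
      end
    end
  end

  if protected == 0 then
    add("warning", "only policy None is configured: no signing or encryption; testing only")
  end

  local ok = true
  for _, f in ipairs(findings) do
    if f:find("^error") then ok = false end
  end
  return findings, ok
end

-- Constructed configuration mirroring the Basic128Rsa15 example above,
-- but with Sign instead of SignAndEncrypt so that the lint has something to say.
local exampleConfig = {
  applicationName = "RealTimeLogic example",
  applicationUri  = "urn:localhost:RealTimeLogic",
  certificate = "certs/client.pem",   -- constructed paths
  key         = "certs/client.key",
  securePolicies = {
    { securityPolicyUri = SecurityPolicy.None },
    { securityPolicyUri = SecurityPolicy.Basic128Rsa15,
      securityMode      = MessageSecurityMode.Sign },
  },
}

local findings, ok = lintSecurePolicies(exampleConfig, SecurityPolicy, MessageSecurityMode)
for _, f in ipairs(findings) do print(f) end
print(ok and "configuration accepted" or "configuration rejected")
```

Run the lint once at startup and refuse to create the client when it returns false; the warnings are the ones worth surfacing in a log so a legacy-only policy does not silently outlive the system it was added for.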

The following example shows how to configure Basic128Rsa15 secure policy:

local ua = require("opcua.api")

local clientConfig = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:localhost:RealTimeLogic",

  io = _G.io,
  certificate = mako.cfgdir.."/../certs/client.pem",
  key =         mako.cfgdir.."/../certs/client.key",

  securePolicies = {
    { -- #1 Required to discover secure policies
      securityPolicyUri = ua.Types.SecurityPolicy.None
    },
    { -- #2
      securityPolicyUri = ua.Types.SecurityPolicy.Basic128Rsa15,
      securityMode = ua.Types.MessageSecurityMode.SignAndEncrypt,
    }
  },
}

Full source

Aes128_Sha256_RsaOaep

Secure policy Aes128_Sha256_RsaOaep applies the following algorithms to messages:

  • Asymmetric encryption RSAES-OAEP with SHA-1 hash function.

  • Asymmetric signature algorithm RSASSA-PKCS1-v1_5 with SHA2-256 hash function.

  • Symmetric encryption AES-128-CBC.

The following example shows how to configure Aes128_Sha256_RsaOaep secure policy:

local ua = require("opcua.api")

local clientConfig = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:localhost:RealTimeLogic",

  io = _G.io,
  certificate = mako.cfgdir.."/../certs/client.pem",
  key =         mako.cfgdir.."/../certs/client.key",

  securePolicies = {
    { -- #1 Required to discover secure policies
      securityPolicyUri = ua.Types.SecurityPolicy.None
    },
    { -- #2
      securityPolicyUri = ua.Types.SecurityPolicy.Aes128_Sha256_RsaOaep,
      securityMode = ua.Types.MessageSecurityMode.SignAndEncrypt,
    }
  },
}

Full source

Basic256Sha256

Secure policy Basic256Sha256 applies the following algorithms to messages:

  • Asymmetric encryption RSAES-OAEP with SHA-1 hash function.

  • Asymmetric signature algorithm RSASSA-PKCS1-v1_5 with SHA2-256 hash function.

  • Symmetric encryption AES-128-CBC.

The following example shows how to configure Basic256Sha256 secure policy:

local ua = require("opcua.api")

local clientConfig = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:localhost:RealTimeLogic",

  io = _G.io,
  certificate = mako.cfgdir.."/../certs/client.pem",
  key =         mako.cfgdir.."/../certs/client.key",

  securePolicies = {
    { -- #1 Required to discover secure policies
      securityPolicyUri = ua.Types.SecurityPolicy.None
    },
    { -- #2
      securityPolicyUri = ua.Types.SecurityPolicy.Basic256Sha256,
      securityMode = ua.Types.MessageSecurityMode.SignAndEncrypt,
    }
  },
}

Full source

Establishing secure connection

When a client connects to a server, it must open a secure channel and specify a security policy. To discover the exact security policy parameters, the client can send a GetEndpoints request. In the GetEndpoints response, the server returns every endpoint it knows about together with the security policy and mode each one accepts. The following example shows how to discover an endpoint with the security policy Basic128Rsa15:

local ua = require("opcua.api")

-- clientConfig is the configuration table defined in the policy sections above
local c = ua.newClient(clientConfig)

-- Connect to server
local err = c:connect("opc.tcp://localhost:4841")
if err ~= nil then error(err) end

-- Open a channel with secure policy None. In this mode the server
-- should allow calling the discovery services
local resp
resp, err = c:openSecureChannel(3600000,
  ua.Types.SecurityPolicy.None, ua.Types.MessageSecurityMode.None)
if err ~= nil then error(err) end

-- Select endpoints
resp, err = c:getEndpoints()
if err ~= nil then error(err) end

-- Close the secure channel (the TCP connection is still alive)
err = c:closeSecureChannel()
if err ~= nil then error(err) end

-- Search for the endpoint that offers the wanted secure policy
local basic128rsa15
for _, endpoint in ipairs(resp.Endpoints) do
  if endpoint.SecurityPolicyUri == ua.Types.SecurityPolicy.Basic128Rsa15 then
    basic128rsa15 = endpoint
    break
  end
end

if not basic128rsa15 then
  error("Cannot find Basic128Rsa15 policy on the server")
end

-- Open the secure channel. Specify the secure policy, the mode and the
-- server certificate returned in the endpoint description
resp, err = c:openSecureChannel(
  3600000,
  ua.Types.SecurityPolicy.Basic128Rsa15, ua.Types.MessageSecurityMode.SignAndEncrypt,
  basic128rsa15.ServerCertificate)
if err ~= nil then error(err) end

Full source

Warning

This policy is considered deprecated and should be used only for compatibility with old systems.
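Selecting the endpoint from a preference list rather than by one hard-coded policy, as an added example that is not part of the opcua-lua library or its documentation. It generalizes the search loop above to several policies: it walks the list strongest first, accepts only endpoints that offer SignAndEncrypt and carry a server certificate, never picks None (which is for discovery only), and keeps the deprecated Basic128Rsa15 behind an explicit opt-in. The policy URIs and numeric MessageSecurityMode values are the OPC UA specification values and are assumed to match ua.Types; the endpoint field names (EndpointUrl, SecurityPolicyUri, SecurityMode, ServerCertificate) follow the OPC UA EndpointDescription structure read by the loop above; the GetEndpoints response table is constructed so the code runs without a server.

```lua
-- Added example: pick an endpoint by policy preference (not opcua-lua code).
-- OPC UA profile URIs; assumed equal to the values in ua.Types.SecurityPolicy.
local SecurityPolicy = {
  None                  = "http://opcfoundation.org/UA/SecurityPolicy#None",
  Basic128Rsa15         = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
  Basic256Sha256        = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
  Aes128_Sha256_RsaOaep = "http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep",
}
-- OPC UA MessageSecurityMode enumeration; assumed equal to ua.Types.MessageSecurityMode.
local MessageSecurityMode = { None = 1, Sign = 2, SignAndEncrypt = 3 }

-- Strongest first. None is deliberately absent: it is used for discovery only.
local preference = {
  SecurityPolicy.Basic256Sha256,
  SecurityPolicy.Aes128_Sha256_RsaOaep,
  SecurityPolicy.Basic128Rsa15,   -- deprecated; last resort for legacy servers
}

-- Returns the first endpoint matching the preference order that offers
-- SignAndEncrypt and a server certificate, or nil and a reason.
local function selectEndpoint(endpoints, order, allowDeprecated)
  for _, uri in ipairs(order) do
    if uri ~= SecurityPolicy.Basic128Rsa15 or allowDeprecated then
      for _, ep in ipairs(endpoints) do
        if ep.SecurityPolicyUri == uri
           and ep.SecurityMode == MessageSecurityMode.SignAndEncrypt
           and type(ep.ServerCertificate) == "string"
           and #ep.ServerCertificate > 0 then
          return ep
        end
      end
    end
  end
  return nil, "no endpoint offers an acceptable policy with SignAndEncrypt"
end

-- Constructed GetEndpoints response, shaped like resp.Endpoints above.
-- ServerCertificate would be DER bytes; a placeholder string stands in here.
local url = "opc.tcp://localhost:4841"
local resp = { Endpoints = {
  { EndpointUrl = url, SecurityPolicyUri = SecurityPolicy.None,
    SecurityMode = MessageSecurityMode.None,           ServerCertificate = "" },
  { EndpointUrl = url, SecurityPolicyUri = SecurityPolicy.Basic128Rsa15,
    SecurityMode = MessageSecurityMode.SignAndEncrypt, ServerCertificate = "<der>" },
  { EndpointUrl = url, SecurityPolicyUri = SecurityPolicy.Basic256Sha256,
    SecurityMode = MessageSecurityMode.Sign,           ServerCertificate = "<der>" },
  { EndpointUrl = url, SecurityPolicyUri = SecurityPolicy.Basic256Sha256,
    SecurityMode = MessageSecurityMode.SignAndEncrypt, ServerCertificate = "<der>" },
} }

local ep, why = selectEndpoint(resp.Endpoints, preference, false)
if not ep then error(why) end
print("selected " .. ep.SecurityPolicyUri .. " mode " .. ep.SecurityMode)

-- With a real client the selected endpoint feeds the call shown above:
-- resp, err = c:openSecureChannel(3600000, ep.SecurityPolicyUri,
--                                 ep.SecurityMode, ep.ServerCertificate)
```

Two points a practitioner should keep in mind when using this pattern. The endpoint list and the server certificate in it were received over the unprotected None channel, so the certificate must be checked against the client's trust list before the SignAndEncrypt channel is opened with it; otherwise whoever can answer the GetEndpoints request chooses the peer. And the Basic128Rsa15 opt-in should be a configuration flag that is logged when set, so a fallback to the deprecated policy is visible rather than silent.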