Connection and read operation (code is provided; help with package usage)

[AVoronok]

Task

The final project in question is worker app (runtime: net6.0, target OS: Windows Server 2012R2) intended to be used as Windows Service to gather data from KEPServer, which is a proxy for internal system, using OPC UA protocol.

OPC UA server settings

Supported security policies:

1. Basic256Sha256: Sign; Sign and Encrypt.
2. Basic256: Sign; Sign and Encrypt.
3. Basic128Rsa15: Sign; Sign and Encrypt.

Server admin assured me that no certificates with private keys are used. Extension used are of .der type.

My configuration

Sensitive data has been substituted by dummy stub such as 'port', 'ip' due to security considerations.

<?xml version="1.0" encoding="utf-8"?>
<ApplicationConfiguration
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ua="http://opcfoundation.org/UA/2008/02/Types.xsd"
  xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd"
>
  <ApplicationName>OPCFoundationConsoleClient</ApplicationName>
  <ApplicationUri>urn:localhost:OPCFoundationConsoleClient</ApplicationUri>
  <ApplicationType>Client_1</ApplicationType>
  
  <SecurityConfiguration>

    <ApplicationCertificate>
      <StoreType>Directory</StoreType>
      <StorePath>%LocalFolder%/CertificateStores/pki/own</StorePath>
      <SubjectName>CN=MY_CLIENT, C=Country, S=City, O=organization, DC=opc.tcp://ip:port</SubjectName>
      <!--<Thumbprint>Some hash</Thumbprint>-->
    </ApplicationCertificate>

    <TrustedIssuerCertificates>
      <StoreType>Directory</StoreType>
      <StorePath>%LocalFolder%/CertificateStores/pki/issuer</StorePath>
    </TrustedIssuerCertificates>

    <TrustedPeerCertificates>
      <StoreType>Directory</StoreType>
      <StorePath>%LocalFolder%/CertificateStores/pki/trusted</StorePath>
    </TrustedPeerCertificates>

    <RejectedCertificateStore>
      <StoreType>Directory</StoreType>
      <StorePath>%LocalFolder%/CertificateStores/pki/rejected</StorePath>
    </RejectedCertificateStore>

    <AutoAcceptUntrustedCertificates>false</AutoAcceptUntrustedCertificates>

  </SecurityConfiguration>
  
  <TransportConfigurations></TransportConfigurations>
  
  <TransportQuotas>
    <OperationTimeout>120000</OperationTimeout>
    <MaxStringLength>4194304</MaxStringLength>
    <MaxByteStringLength>4194304</MaxByteStringLength>
    <MaxArrayLength>65535</MaxArrayLength>
    <MaxMessageSize>4194304</MaxMessageSize>
    <MaxBufferSize>65535</MaxBufferSize>
    <ChannelLifetime>300000</ChannelLifetime>
    <SecurityTokenLifetime>3600000</SecurityTokenLifetime>
  </TransportQuotas>

  <ClientConfiguration>
    <DefaultSessionTimeout>60000</DefaultSessionTimeout>
    
    <WellKnownDiscoveryUrls>
      <ua:String>opc.tcp://{0}:port</ua:String>
    </WellKnownDiscoveryUrls>
   
    <DiscoveryServers></DiscoveryServers>
    <MinSubscriptionLifetime>10000</MinSubscriptionLifetime>

    <OperationLimits>
      <MaxNodesPerRead>2500</MaxNodesPerRead>
      <MaxNodesPerHistoryReadData>1000</MaxNodesPerHistoryReadData>
      <MaxNodesPerHistoryReadEvents>1000</MaxNodesPerHistoryReadEvents>
      <MaxNodesPerWrite>2500</MaxNodesPerWrite>
      <MaxNodesPerHistoryUpdateData>1000</MaxNodesPerHistoryUpdateData>
      <MaxNodesPerHistoryUpdateEvents>1000</MaxNodesPerHistoryUpdateEvents>
      <MaxNodesPerMethodCall>2500</MaxNodesPerMethodCall>
      <MaxNodesPerBrowse>2500</MaxNodesPerBrowse>
      <MaxNodesPerRegisterNodes>2500</MaxNodesPerRegisterNodes>
      <MaxNodesPerTranslateBrowsePathsToNodeIds>2500</MaxNodesPerTranslateBrowsePathsToNodeIds>
      <MaxNodesPerNodeManagement>2500</MaxNodesPerNodeManagement>
      <MaxMonitoredItemsPerCall>2500</MaxMonitoredItemsPerCall>
    </OperationLimits>

  </ClientConfiguration>
  
</ApplicationConfiguration>

So far so good. The subject is set. Paths to storage folders are set. I also added KEPServer's certificate to .CertificatesStores/pki/issuer/certs. App certificate has been passed to server admin to be added to the trusted list.

My code sample

After having taken a look at "ConsoleReferenceClient" from UA-.NETStandard-Samples (as it seems the most appropriate to me) repo, I've dropped the following lines of code:

using System.Text.Json;
using Opc.Ua;
using Opc.Ua.Client;
using Opc.Ua.Configuration;
using Microsoft.Extensions.Configuration;
using Models;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography;

const string tagsDataSettingsName = "tagsDataSettings.json"; // tags' ID list and other relevant settings

try {
 /* configuration handling logic */
  var configuration = await application.LoadApplicationConfiguration(silent: false); 
  var haveAppCertificate = await application.CheckApplicationInstanceCertificate(true, 2048);
  if (!haveAppCertificate) {
    throw new Exception("Application certificate isn't found."); 
  } 
  var endpointDescription = CoreClientUtils.SelectEndpoint(configuration, tds.Host.Address, true); // tds is a custom settings variable
  endpointDescription.SecurityMode = (MessageSecurityMode)tds.Host.SecurityMode;
  endpointDescription.SecurityPolicyUri = tds.Host.SecurityPolicyUri;  
  var endpointConfiguration = EndpointConfiguration.Create(configuration);  
  ConfiguredEndpoint endpoint = new(null, endpointDescription, endpointConfiguration); 
  var certificate = configuration.SecurityConfiguration.ApplicationCertificate.Certificate;
  using (var session = await TraceableSessionFactory.Instance.CreateAsync(configuration: configuration, endpoint: endpoint, updateBeforeConnect: true, checkDomain: false, sessionName: "", sessionTimeout: 60000, identity: new UserIdentity(certificate), preferredLocales: null)) {
    if (session!.Connected) {
      var readValues = tds.TagGroups?.Aggregate(new ReadValueIdCollection(), 
        (final, current) => {
          Array.ForEach(current.Tags!, 
            id => {
              var tag = new ReadValueId() 
              { 
                NodeId = new NodeId(id), 
                AttributeId = Attributes.Value 
              };
              final.Add(tag);
             });
          return final;
        });
      var response = await session.ReadAsync(null, 0, TimestampsToReturn.Both, readValues, CancellationToken.None);
      var formattedData = response.Results.Aggregate("", 
        (final, current) => { 
          var tagData = $"[{current.SourceTimestamp}]: status code: {current.StatusCode}; value: {current.Value}";
          final = (final == "") ? $"{tagData}" : $"{final}\n{tagData}"; 
          return final;
        });
      Console.WriteLine(formattedData);
      await session!.CloseAsync();
    }
  }
  Console.ReadKey();
} catch (AggregateException agrErr) {
  foreach (var ie in agrErr.InnerExceptions) {
    Console.WriteLine($"AggregatedException.InnerExceptions error: {ie.Message}"); 
  }
  Console.ReadKey();
} catch (Exception err) {
  Console.WriteLine($"Error: {err.Message}"); 
  Console.ReadKey();
}
var i = 2;
while (i > 0) {
  Console.WriteLine($"The application shuts down in {i} s");
  await Task.Delay(1000);
  i--;
} 

Issue description

When I deploy and start my app at a production server I get an error: Endpoint doesn't support the user identity type provided. Application certificates are created: .der in own subfolder and .pfx - private. As far as I understand, the message is straightforward: server doesn't want to allow connection.

I tried to test connection with UaExpert program, but when I set Authentication Settings => Certificate, I get error that says X509 certificate private key isn't found. The program also doesn't allow to use generated .pfx certificate. Only .pem is allowed in file browser. So it gave me no significant results. When chosing policy, I can use the mentioned above in Server settings block only.

certificate.PrivateKey returns true, but as per requirements of the admin I'm not allowed to use it.

certificate.GetHashString() returns the correct hash. I suppose app tries to use .pfx certificate, but how can I make use regular .der one?

What should I do? Convert .der to .pem? .pfx is keys storage, so I can extract key from it somehow? I wish there was more detailed specification.

So, I can sum up the following:

1. How to get opened connection using such input parameters?
2. How to set certificate expiration date, if it's possible at all? Some subject attributes (I haven't found relative tips)? Will I be pushed to pass new certificate to admin every following year (by default, it's 1 year from creation date)?
3. When I try to format the output of server response, I don't see any ID property. How could I add tag ID data to response string? How to distinguish tag values, if they are to be written to DB?

[AVoronok]

To anyone who could possibly face the same issue. Certificate created by library is for application and not user identity. To put it simple, one of Opc.Ua.UserIdentity constructor's overloads takes X509 certificate as an argument, so I used to pass application certificate as in the example provided above. In my particular case administrator just didn't gave me login and password to pass authentication. Moreover I put the server's certificate to the trusted/certs folder, not issuer/certs.