OPC UA: Unsupported security policy

[FHatCSW]

Relevant telegraf.conf

[[inputs.opcua]]
  ## Metric name
  name = "opcua"
  #
  ## OPC UA Endpoint URL
  endpoint = "opc.tcp://192.168.88.101:4840"

  ## Maximum time allowed to establish a connect to the endpoint.
  connect_timeout = "30s"

  ## Security policy, one of "None", "Basic128Rsa15", "Basic256",
  ## "Basic256Sha256", or "auto"
  security_policy = "auto"

  ## Security mode, one of "None", "Sign", "SignAndEncrypt", or "auto"
  security_mode = "auto"

  ## Authentication Method, one of "Certificate", "UserName", or "Anonymous".  To
  ## authenticate using a specific ID, select 'Certificate' or 'UserName'
  auth_method = "Certificate"

  ## Path to cert.pem. Required when security mode or policy isn't "None".
  ## If cert path is not supplied, self-signed cert and key will be generated.
  certificate = "/etc/telegraf/opc-client.cert.pem"
  #
  ## Path to private key.pem. Required when security mode or policy isn't "None".
  ## If key path is not supplied, self-signed cert and key will be generated.
  private_key = "/etc/telegraf/opc-client.key.pem"

  ## Option to select the metric timestamp to use. Valid options are:
  ##     "gather" -- uses the time of receiving the data in telegraf
  ##     "server" -- uses the timestamp provided by the server
  ##     "source" -- uses the timestamp provided by the source
  timestamp = "gather"

  ## Node ID configuration
  ## name              - field name to use in the output
  ## namespace         - OPC UA namespace of the node (integer value 0 thru 3)
  ## identifier_type   - OPC UA ID type (s=string, i=numeric, g=guid, b=opaque)
  ## identifier        - OPC UA ID (tag as shown in opcua browser)
  ## tags              - extra tags to be added to the output metric (optional)
  ## Example:
  nodes = [
      {name="Sample", namespace="2", identifier_type="i", identifier="2"}

Logs from Telegraf

opc-client    | INFO:asyncua.client.ua_client.UASocketProtocol:Socket has closed connection
opc-client    | INFO:asyncua.client.client:connect
opc-client    | INFO:asyncua.client.ua_client.UaClient:opening connection
opc-client    | INFO:asyncua.client.ua_client.UASocketProtocol:open_secure_channel
opc-client    | INFO:asyncua.client.ua_client.UaClient:create_session
opc-client    | INFO:asyncua.client.client:find_endpoint [EndpointDescription(EndpointUrl='opc.tcp://192.168.88.101:4840/freeopcua/server/', Server=ApplicationDescription(ApplicationUri='urn:freeopcua:python:server', ProductUri='urn:freeopcua.github.io:python:server', ApplicationName=LocalizedText(Locale=None, Text='Microfab OPC UA Server'), ApplicationType_=<ApplicationType.ClientAndServer: 2>, GatewayServerUri=None, DiscoveryProfileUri=None, DiscoveryUrls=['opc.tcp://0.0.0.0:4840/freeopcua/server/']), ServerCertificate=b'0\x82\x04H0\x82\x030\xa0\x03\x02\x01\x02\x02\x01\x010\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000k1\x0b0\t\x06\x03U\x04\x06\x13\x02DE1\x0b0\t\x06\x03U\x04\x08\x0c\x02BW1\x0c0\n\x06\x03U\x04\x07\x0c\x03FDS1\x1a0\x18\x06\x03U\x04\n\x0c\x11CampusSchwarzwald1\x130\x11\x06\x03U\x04\x0b\x0c\nHackTheFab1\x100\x0e\x06\x03U\x04\x03\x0c\x07Test CA0\x1e\x17\r220715144540Z\x17\r491130144540Z0q1\x0b0\t\x06\x03U\x04\x06\x13\x02DE1\x0b0\t\x06\x03U\x04\x08\x0c\x02BW1\x0c0\n\x06\x03U\x04\x07\x0c\x03FDS1\x1a0\x18\x06\x03U\x04\n\x0c\x11CampusSchwarzwald1\x120\x10\x06\x03U\x04\x0b\x0c\tOPCSERVER1\x170\x15\x06\x03U\x04\x03\x0c\x0e192.168.88.1010\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xaaIZ\xd1\xcb\xe2\xa4\xd3\xc9\x81\xbbc\xc0\x19\xc1\xd5pQ\xccd=\xf8\xdbrc\xc3\xfc\x8c!\xfd\xa4;\xdb\xda\xc8\x06P0\xf3\xa8\x90\xfe\xee\r\xe2\xb7\x80\x9a\xfc\xa2}\x91\x14#(q\x96\x8a\xa1\xe5L\xe2i\x16\x01G\xcay\xa5!\xd6\xbbk/E53\x087t8\xa6;\x058\xa5\x9b\x8br\xe6\x0e\x19\x9c\xcc6\xd4|_\x8d\x06\xc5u\xa5<\x83\xde\x9d\x9af\x1cf\xb0\xca\x9c\xfa\xe6\'\xd5\xb7\x14I\x85\xceK \xdbx\xa0\xe5\xcd\x97\x18\xc9\x19\xealB\xcd\xbc\x13\xd82\xf8\xc1\xa7p\xc3\x0c\r\xf1\x7f\x9c\xb2-JL\xbe\x9d\xa4.\xdc\xf0\xf1\xbeE\x87\xbc\xbf\x07\xec=\xa2w\xb7\x94l8J$\xce)\xd1\xad\x1al\x93\xd7\xb7\xfd^e\x9e;Og \xd0/w\xd6\xe8\xe9\x06q\x8d\x9f\xda\xbc"V?\x99\xb14\xc5\xd5q{{J-I\xb5\x03\xe3\xb1$[O\xa7\xda\x0e\xa5J\xf1\x91\xdd\\6I\x89\xe1\xc4\t\x96[82\xffr\xf3\xb3\t\xfb\xbc!\x02\x03\x01\x00\x01\xa3\x81\xf00\x81\xed0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xdd4\\\xf1\xfa\x0f\x8b_\x16g\xbb)\xb1\x1f=\x7fLhk\x900\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14 I\xf75<\x9a$\xdf\x91\xc1rr\x83j\xd6\xb33\x8f\x10\x920\t\x06\x03U\x1d\x13\x04\x020\x000\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x05\xa00\x11\x06\t`\x86H\x01\x86\xf8B\x01\x01\x04\x04\x03\x02\x06\xc00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020+\x06\t`\x86H\x01\x86\xf8B\x01\r\x04\x1e\x16\x1cOpenSSL Generated Certificat04\x06\x03U\x1d\x11\x04-0+\x86#http://examples.freeopcua.github.io\x87\x04\xc0\xa8Xe0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00f\xc2\xa8\x8by\xd6/l>\xc3\x9e8\xda\xc1\xff\xcf\xd1E/\x01\t\xe2\xb1\x9c\'|\x12\xc4\xda\xe8\xfdu\x9eG\xf7\xe1\xd1\xbb4\xc1\x13\xde\xa8v\xb6m\x0e\x82\xe9\x91\xf7\xafV\x8ee\xa9z/\xc3\xd6Y\xce\x1e\xcd\xef#G\xc7N\xa1\x82\xf1\xd3\\ \xf3soD\xcbf\xf1s\xc9vc\x05@\xd2v|\xd0\x05\x86g8\xfd-l3\xfd\xfd$\x15>q\xe5"n\x16\xcf(\xde\xcf\x99(\x88\xb9sT\x9d\x9c\xd5\xcf\xa6/\x7f4XQ\xfd\x16\xdb\xbcG\xbc\xd8d\x9a\x0f\xef\xe3D<\x03\xb6\xbbT\xd8" \xba\x1c\xfd\xacI\x9b\xe6\x03G\x07F\xc5\xaa\xbb6\xd2\xaem\xe9`\x92\x05\t\x8dd\xbd\xfa\xeb`6\xf0\xf9\x8cB<\x16o|\xa1\xe4\x86\n\xeb`Le\xd0\xe7\xfd2\xdb\xa3\xd1-\x8d\xb1\x02~y\x8c/\xa1\x96\x9a\x93\xda\r\xd3s\x9b\xd8\x7f\xe9e\xce\xa7\xf2(\x1e\xd6\xceI\xd1\xaev{\xe6\xe29\x01\x10)\xef\x11%2\x9b/K\xcf\x94\x13Cq\xb3', SecurityMode=<MessageSecurityMode.SignAndEncrypt: 3>, SecurityPolicyUri='http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256', UserIdentityTokens=[UserTokenPolicy(PolicyId='anonymous', TokenType=<UserTokenType.Anonymous: 0>, IssuedTokenType=None, IssuerEndpointUrl=None, SecurityPolicyUri=None), UserTokenPolicy(PolicyId='certificate_basic256sha256', TokenType=<UserTokenType.Certificate: 2>, IssuedTokenType=None, IssuerEndpointUrl=None, SecurityPolicyUri=None), UserTokenPolicy(PolicyId='username', TokenType=<UserTokenType.UserName: 1>, IssuedTokenType=None, IssuerEndpointUrl=None, SecurityPolicyUri=None)], TransportProfileUri='http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary', SecurityLevel=0)] <MessageSecurityMode.SignAndEncrypt: 3> 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
opc-client    | INFO:asyncua.client.ua_client.UaClient:activate_session
opc-client    | INFO:asyncua.client.client:get_namespace_index <class 'list'> ['http://opcfoundation.org/UA/', 'urn:freeopcua:python:server', 'http://examples.freeopcua.github.io']
opc-client    | INFO:asyncua:Reading values from the server
opc-client    | INFO:asyncua:### Reading value Objects --> MyObject --> MyVariable = NodeClass: 1 / NodeId: 50229
opc-client    | INFO:asyncua:**** Option 2: My variable: >>1452.1999999997747<<
opc-client    | INFO:asyncua.client.client:disconnect
opc-client    | INFO:asyncua.client.ua_client.UaClient:close_session
opc-client    | INFO:asyncua.client.ua_client.UASocketProtocol:close_secure_channel
opc-client    | INFO:asyncua.client.ua_client.UASocketProtocol:Request to close socket received
telegraf      | 2022-07-18T13:56:57Z D! [outputs.influxdb_v2] Wrote batch of 2 metrics in 10.111171ms
telegraf      | 2022-07-18T13:56:57Z D! [outputs.influxdb_v2] Buffer fullness: 0 / 10000 metrics
telegraf      | 2022-07-18T13:57:00Z I! error creating session signature: opcua: unsupported security policy 
telegraf      | 2022-07-18T13:57:00Z E! [inputs.opcua] Error in plugin: error in Client Connection: opcua: unsupported security policy

System info

Telegraf 1.23, Raspberry Pi 4B, Debian GNU/Linux 11 (bullseye)

Docker

version: "3"

services:
    influxdb:
        image: influxdb:latest
        container_name: influxdb
        env_file: selfsigned.env
        ports:
            - '8086:8086'
        volumes:
            - ./certs/influxdb:/etc/ssl/influxdb
            - influxdb_data:/var/lib/influxdb
        networks: 
            - "iotstack"

    mosquitto:
        image: eclipse-mosquitto:latest
        container_name: mosquitto
        ports:
            - '8883:8883'
            - '8884:8884'
        volumes:
            - ./certs/mqtt:/mosquitto/config/certs
            - ./mosquitto/config:/mosquitto/config
            - ./mosquitto/log:/mosquitto/log
            - ./mosquitto/data:/mosquitto/data
        user: "${USER_ID}:${GRP_ID}"
        links: 
            - telegraf
        restart: always
        networks: 
            - "iotstack"
    
    telegraf:
        image: telegraf:latest
        container_name: telegraf
        links: 
            - influxdb
        depends_on:
            - influxdb
        env_file: selfsigned.env
        user: "888"
        ports:
            - '8125:8125'
        restart: always
        volumes:
            - ./certs/telegraf:/etc/telegraf
            - ./telegraf/telegraf.toml:/etc/telegraf/telegraf.conf:ro
        networks: 
            - "iotstack"
    
    grafana:
        image: grafana/grafana:latest
        container_name: grafana
        env_file: selfsigned.env
        user: "472"
        ports:
            - '3000:3000'
        links: 
            - influxdb
        volumes: 
            - grafana_data:/var/lib/grafana
            - ./certs/grafana:/etc/ssl/certs
        networks: 
            - "iotstack"

    opc-client:
        build: opc
        container_name: opc-client
        restart: always
        volumes:
            - ./certs/opc:/app/certs
        links:
            - telegraf
        ports:
            - "8000:8000"
        networks:
            - "iotstack"


volumes: 
    influxdb_data:
    grafana_data:

networks: 
    iotstack:
        external: true

Steps to reproduce

...

Expected behavior

I have implemented an OPC UA client with certificate-based authentication in a Docker container (docker-compose). The values are to be passed via Telegraf to InfluxDB and then on to Grafana.

However the connection via the Python client works, the one via Telegraf does not. The identical certificates are used.

Actual behavior

The Python client connects to the stored self-signed certificates. However, via Telegraf I get an error:

creating session signature: opcua: unsupported security policy .

The complete connection setup and the Docker logs show the successful connection setup via Python as well as the failed setup via Telegraf. In addition to the OPC UA client, there is also an MQTT broker (also certificate-based) that works.

As can be seen in the logs, the security policy is as follows:

SecurityMode=<MessageSecurityMode.SignAndEncrypt: 3>, SecurityPolicyUri='http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'

Additional info

No response

[powersj]

Hi,

/UA/SecurityPolicy#Basic256Sha256

If the reported security policy of your OPC UA server is Basic256Sha256 have you tried setting Telegraf to use the same instead of auto as well as the security mode to SignAndEncrypt?

[FHatCSW]

Hi,

I also tried setting

security_policy = "Basic256Sha256"
and
security_mode = "SignAndEncrypt"

but got the same error

[powersj]

@R290 is this something you have come across before?

[R290]

Not something I've seen before... I can see that the error is coming from the gopcua library:

• https://github.com/gopcua/opcua/blob/5102686c7bac4876be52783f1996a288b5f40444/uapolicy/securitypolicy.go#L35
• https://github.com/gopcua/opcua/blob/5102686c7bac4876be52783f1996a288b5f40444/uapolicy/securitypolicy.go#L45

The uri of your security policy which should be displayed in the error is empty or ''. Which, in my opinion, does point to something funny going on...

@FHatCSW are you able to test your server using one of the gopcua library examples? Say: https://github.com/gopcua/opcua/blob/main/examples/read/read.go. This would allow us to determine if it is Telegraf or the Go OPC library.

[telegraf-tiger]

Hello! I am closing this issue due to inactivity. I hope you were able to resolve your problem, if not please try posting this question in our Community Slack or Community Page. Thank you!

[alpex8]

FYI: I think I ran into this issue recently. I was able to track it down and fixed for the specific server. I created a PR for it, but I can´t say if that´s a general improvement.