cancel
Showing results for 
Search instead for 
Did you mean: 
SOLVED

Connecting Node RED OPC UA Client with SmartFunctionKit Handling

Connecting Node RED OPC UA Client with SmartFunctionKit Handling

David08
Long-established Member

Hello,

I'm trying to connect a CtrlX Core to another CtrlX Core with the SmartFunctionKit Handling application. SFK4H has an OPC UA server and I want to send Commands from another CtrlX Core with Node Red.

With the OPC UA Contrib palette and the OPC UA client node I have a certificate failure (Picture attached).
This same connection to a XM without security works perfectly.
I understand that I have to install some certificates in the CtrlX Core client, in the Certificates & Keys/Node Red?
I have to specify the path in the Node Red node (Picture 2)?.

A short guide to what certificates I need and where to store them could be provided.

Thanks in advance.

3 REPLIES 3

CodeShepherd
Community Moderator
Community Moderator
Provide your own Certificate Authority

!!!Using self-signed certificates is only recommended for test, not for production!!!

If you're client certificate is not selfs-signed, you have to

  • Provide a CA with assigned Revocation List (RVL) and a derived client certificate from.
  • Upload all of your CA- and intermediate certificates to the Node-RED PKI storage of the ctrlX as trusted certificates.
  • If the CA specifies a Revokation List, upload the Revocation List to the UA Server PKI store of the ctrlX via UI (if supported) or manually using SSH (Root permissions required).

Prerequisites

Ensure openssl to be installed on the system and the path added to your environment path variable.

Ensure Node.js to be installed on the system. We recommend to use the latest LTS version.

Install node-opcua-pki

Intructions
  • Generate batch out of following code:
    ::----------------------------------------------------------------------------------------------------------------------------------------------------------------
    :: GENERATES A CA CERTIFICATE AND A DERIVED OR SELF-SIGNED CERTIFICATE FOR OPC UA USAGE (*.PEM FORMAT, INCLUDING PRIVATE KEYS) USING NODE-OPCUA-PKI AND OPENSSL 
    ::----------------------------------------------------------------------------------------------------------------------------------------------------------------
    @echo off
    
    ::https://github.com/node-opcua/node-opcua-pki
    
    ::setup
    ::--------------------------------------------------------
    ::Create self-signed certificate enabled: 0/1
    set CREATE_SELFSIGNED_ENABLED=1
    
    set CRYPTO_SCRIPT_PATH=.\node_modules\node-opcua-pki\bin
    set CRYPTO_SCRIPT=node %CRYPTO_SCRIPT_PATH%\crypto_create_CA.js 
    
    set CA_DIR=%CD%\CA
    set PKI_DIR=%CD%\PKI
    set CERT_DIR=%CD%\certs
    set KEYSIZE=2048
    set VALIDITY_DAYS=3650
    
    ::CA
    set CA_SUBJECT_NAME=xxxMyNamexxx
    set CA_SUBJECT=/C=DE/ST=xxxMyStatexxx/L=xxxMyTownxxx/O=xxxMyOrganisationxxx/CN=%CA_SUBJECT_NAME%/emailAddress=xxxMy@Mailadress.xxx
    set CA_CERT_PATH=%CA_DIR%\public\cacert.pem
    set KEY_PATH=%PKI_DIR%\own\private\private_key.pem
    
    ::client  
    set CLIENT_SUBJECT_NAME=NodeOPCUA-Client@xxxMyHostNamexxx
    set CLIENT_KEY_PWD=xxxMyKeyPasswordxxx
    set CLIENT_SUBJECT=/C=DE/ST=xxxMyStatexxx/L=xxxMyTownxxx/O=xxxMyOrganisationxxx/CN=%CLIENT_SUBJECT_NAME%/emailAddress=xxxMy@Mailadress.xxx
    set CLIENT_APPLICATION_URI=urn:xxxMyHostNamexxx:NodeOPCUA-Client
    set CLIENT_CERT_NAME=%CLIENT_SUBJECT_NAME%.pem
    ::--------------------------------------------------------
    
    echo GENERATES A CA CERTIFICATE AND A DERIVED OR SELF-SIGNED CERTIFICATE FOR OPC UA USAGE (*.PEM FORMAT, INCLUDING PRIVATE KEYS) USING NODE-OPCUA-PKI AND OPENSSL
    echo Please edit this script to setup, first!
    
    ::proceed?
    :again 
       set /p answer=Proceed (Y/n)?
       if /i "%answer:~,1%" EQU "Y" goto proceed
       if /i "%answer:~,1%" EQU "n" goto end
       goto again1
    :proceed
    
    ::echo initializing ...
    ::rmdir %PKI_DIR% /Q /S
    ::mkdir %PKI_DIR%
    
    ::rmdir %CA_DIR% /Q /S
    ::mkdir %CA_DIR%	
    	
    echo create certificate ...
    
    if %CREATE_SELFSIGNED_ENABLED%==1 (
    	%CRYPTO_SCRIPT% certificate --root=%CERT_DIR% --selfSigned --CAFolder="%CA_DIR%" --PKIFolder="%PKI_DIR%" --subject="%CLIENT_SUBJECT%" --validity=%VALIDITY_DAYS% --output="%CLIENT_CERT_NAME%" --applicationUri=%CLIENT_APPLICATION_URI%	
    ) else (
    	%CRYPTO_SCRIPT% certificate --root=%CERT_DIR% --CAFolder="%CA_DIR%" --PKIFolder="%PKI_DIR%" --subject="%CLIENT_SUBJECT%" --validity=%VALIDITY_DAYS% --output="%CLIENT_CERT_NAME%" --applicationUri=%CLIENT_APPLICATION_URI%
    ) 
    if %ERRORLEVEL% NEQ 0 (
    	goto error
    )
    	
    echo convert certificate to *.der format ...
    %CRYPTO_SCRIPT% toder "%CLIENT_CERT_NAME%"
    if %ERRORLEVEL% NEQ 0 (
    	goto error
    )
    echo dump ...
    %CRYPTO_SCRIPT% dump "%CLIENT_CERT_NAME%"
    if %ERRORLEVEL% NEQ 0 (
    	goto error
    )
    echo.
    echo fingerprint
    %CRYPTO_SCRIPT% fingerprint "%CLIENT_CERT_NAME%"
    if %ERRORLEVEL% NEQ 0 (
    	goto error
    )	
    echo.
    echo CA certificate
    echo %CA_CERT_PATH%
    echo.
    echo private key
    echo %KEY_PATH%
    echo.
    
    :end
    
    ::--------------------------------------
    :: ERROR HANDLING
    ::--------------------------------------
    ::echo %ERRORLEVEL%
    
    :success
    	:: Success
    	color A0
    	pause
    	exit 0
    	
    :error
    	:: Error
    	color C0
    	pause
    	exit /B %ERRORLEVEL%​
  • Put the script to any folder
  • Navigate to the folder
  • Install here node-opcua-pki: npm install node-opcua-pki
  • Edit the script (exchange all xxx...xxx)
  • Execute the script
  • Upload certificates via the WebUI of the ctrlX COREs (Settings -> Certificates & Keys -> Node-RED -> Certificates)
    • They will end up on following locations:
      • ca (certificate authority)
        /var/snap/ctrlx-node-red/common/package-certificates/ctrlx-node-red/node-RED/ca/certs/
      • own
        /var/snap/ctrlx-node-red/common/package-certificates/ctrlx-node-red/node-RED/own/certs/
      • trusted (other)
        /var/snap/ctrlx-node-red/common/package-certificates/ctrlx-node-red/node-RED/trusted/certs/
  • Upload keys via the WebUI of the ctrlX COREs (Settings -> Certificates & Keys -> Node-RED -> Keys)
    • They will end up on following locations:
      • ca (certificate authority)
        /var/snap/ctrlx-node-red/common/package-certificates/ctrlx-node-red/node-RED/ca/keys/
      • own
        /var/snap/ctrlx-node-red/common/package-certificates/ctrlx-node-red/node-RED/own/keys/
      • trusted (other)
        /var/snap/ctrlx-node-red/common/package-certificates/ctrlx-node-red/node-RED/trusted/keys/
  • Insert the full path to your certificates in Node-RED by using the given paths appending your certificate name. If your server-certificate is self-signed, uncheck "Check server certificate".
    Node-RED OPC Ua certificate pathsNode-RED OPC Ua certificate paths
  • Deploy or restart the flow
  • The OPC UA connection will be rejected at first time, because of untrusted server certificate.
  • Trust certificates via ctrlX CORE WebUi, where OPC UA server is running (Settings -> Certificates & Keys -> OPC UA Server-> Certificates)

 

TheCodeCaptain
Community Moderator
Community Moderator

Hi David08,

the settings in the screenshots work for me, you can select eg. "AES128_Sha256_RsaOaep" and "self-signed certificate".

Also other settings should work, plaease see other screenshot.

You need to trust the certificate in the ctrlX CORE where the server is running. Settings --> Certificates&Keys --> OPC UA Server

 

If you want to use your own certificates on client side you can store them via the web interface in Settings --> Certificates&Keys --> Node-RED .

Access from Node-RED is with this path possible:

/var/snap/ctrlx-node-red/common/package-certificates/ctrlx-node-red/node-RED/own/certs/YOURcert.crt

/var/snap/ctrlx-node-red/common/package-certificates/ctrlx-node-red/node-RED/own/private/YOURKey.pem

/var/snap/ctrlx-node-red/common/package-certificates/ctrlx-node-red/node-RED/ca/YOURCAcert.crt

 

Alternatively you could use the ctrlX AUTOMATION Nodes to access the remote datalayer.

2022-06-29_11h14_44.png

2022-06-29_11h15_03.png

2022-06-29_11h19_53.png

TheCodeCaptain_0-1656494591630.png

 

   

David08
Long-established Member

Thanks CodeShepherd and TheCodeCaptain,

I have used the solution with Node Red CtrlX Automation Nodes. They work just like the OPC UA. I've done some tests with the certificate but it's a bit complicated for me and it didn't work for me. As I'm testing for a Demo I'm going to use the CtrlX Nodes.
Thank you very much for the quick reply to both of you

Icon--AD-black-48x48Icon--address-consumer-data-black-48x48Icon--appointment-black-48x48Icon--back-left-black-48x48Icon--calendar-black-48x48Icon--center-alignedIcon--Checkbox-checkIcon--clock-black-48x48Icon--close-black-48x48Icon--compare-black-48x48Icon--confirmation-black-48x48Icon--dealer-details-black-48x48Icon--delete-black-48x48Icon--delivery-black-48x48Icon--down-black-48x48Icon--download-black-48x48Ic-OverlayAlertIcon--externallink-black-48x48Icon-Filledforward-right_adjustedIcon--grid-view-black-48x48IC_gd_Check-Circle170821_Icons_Community170823_Bosch_Icons170823_Bosch_Icons170821_Icons_CommunityIC-logout170821_Icons_Community170825_Bosch_Icons170821_Icons_CommunityIC-shopping-cart2170821_Icons_CommunityIC-upIC_UserIcon--imageIcon--info-i-black-48x48Icon--left-alignedIcon--Less-minimize-black-48x48Icon-FilledIcon--List-Check-grennIcon--List-Check-blackIcon--List-Cross-blackIcon--list-view-mobile-black-48x48Icon--list-view-black-48x48Icon--More-Maximize-black-48x48Icon--my-product-black-48x48Icon--newsletter-black-48x48Icon--payment-black-48x48Icon--print-black-48x48Icon--promotion-black-48x48Icon--registration-black-48x48Icon--Reset-black-48x48Icon--right-alignedshare-circle1Icon--share-black-48x48Icon--shopping-bag-black-48x48Icon-shopping-cartIcon--start-play-black-48x48Icon--store-locator-black-48x48Ic-OverlayAlertIcon--summary-black-48x48tumblrIcon-FilledvineIc-OverlayAlertwhishlist