OPC: UaExpert & AXC-2152 client unable to discover AXC-1152 servers - BadSecurityChecksFailed error
I've followed the instructions and worked according to Frank's video tutorial/presentation: https://www.youtube.com/watch?v=7AeJLXIGrhY
However, I'm hitting a wall because I can't figure out exactly what's wrong. Using the UaExpert Client, I can't discover my servers that should be online. I'm getting the error: Error 'BadSecurityChecksFailed' was returned during OpenSecureChannel.
Even when I set the client and server (PLCnext controllers) in debug mode, with a retain on a specific (receiving) variable, and toggle the remote (boolean) variable from FALSE to TRUE, both the one the client reads from the server and the one the client uses to write to the server stay FALSE.
I've copied the correct OPC self-signed certificates from the Identity Stores to the Trust Stores wherever necessary.
I'm stuck... does anyone have suggestions?
I'm trying to set up the AXC-2152 as the client and two AXC-1152s as the servers. All three units are running firmware 2023.0 LTS and I'm using PLCnext Engineer 2023.3.
Comments
Just starting with UaExpert - if you disable both of these options on the OPC UA Server, does that make a difference?
If so - and if you want to enable these options - then is the client certificate from UaExpert in the OPC UA server's Trust Store?
Thank you for your suggestions!
I disabled the options "Use the truststore for client authentication" and "Check application URI against client certificate" as you recommended. After that, I was able to successfully connect to the server with UaExpert, and the boolean values now update correctly when changed on both the server and the UaClient.
However, the AXC-2152, which is set up as the client, does not detect these changes and also does not push any boolean updates back to the servers. What could be causing this? I don’t think it’s the 4-hour license limit, since after uploading a modified project, the OPC-UA functionality should reset for another 4 hours of testing, is this correct?
Regarding the UaClient trust certificate, it is not yet added to the PLCs. I tried to add the PLCnext certificate to UaClient and vice versa, but there seems to be a format issue (.crt vs. .der). But I see there are conversion tools available for this.
Is it safe to assume that the URI check can remain disabled when using IP addresses instead of DNS? Eventually, I want to enable the truststore for client authentication. Could you advise on the next steps for achieving this?
Lastly, on the AXC-2152 (the client), only the OPC UA Client system service is enabled, while the OPC UA Server is disabled. On the two AXC-1152s, the opposite is true. Is this setup correct?
Any further suggestions to resolve this would be much appreciated.
Okay, I read this: "Without license limited to 4 h after powerup." I tried again, just to be sure, to get data both in and out of the PLCnext OPC UA Client to/from the servers, but it didn't make a difference.
"after uploading a modified project, the OPC-UA functionality should reset for another 4 hours of testing, is this correct?"
Yes, this is correct.
"I tried to add the PLCnext certificate to UaClient and vice versa, but there seems to be a format issue (.crt vs. .der). But I see there are conversion tools available for this."
Yes, you will probably need to convert the certificate. That was discussed here:
"Lastly, on the AXC-2152 (the client), only the OPC UA Client system service is enabled, while the OPC UA Server is disabled. On the two AXC-1152s, the opposite is true. Is this setup correct?"
Yes, this is correct.
As for the remaining issue: I haven't followed Frank's video myself but, as an alternative, this Makers Blog post seems to have worked for a good few people:
Remember that changes to the OPC UA Server configuration in PLCnext Engineer may result in a new Server Certificate being generated, so be sure to copy the Server cert to the client's Trust Store whenever that happens. Also, the server URL you use on the client should use the same IP address that was used as the "Endpoint IP Address" in the Server configuration:
In this example, the server URL in the client will be
opc.tcp://192.168.1.10:4840
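Editor's note on the two certificate questions raised above (the .crt vs .der format issue, and whether the URI check can stay disabled when the servers are addressed by IP). The .crt file UaExpert exports and the .der file the PLCnext stores expect hold the same X.509 certificate; .crt is the Base64 (PEM) text form and .der the raw binary form, so converting is re-encoding, not re-issuing. The "Check application URI against client certificate" option compares the ApplicationUri the client announces with the URI entry in the subjectAltName of the certificate it presents; it has nothing to do with whether the endpoint is an IP address or a host name, so if that check is enabled the client's ApplicationUri setting must match the URI inside its own certificate. The script below is an added example, not code from the thread, from Phoenix Contact or from Unified Automation: it sniffs and converts the two encodings with Python's standard library and reproduces the URI check with a small DER walker. The certificate body it runs on, and the ApplicationUri `urn:UaExpert-Laptop:UnifiedAutomation:UaExpert`, are constructed stand-ins, not a real signed certificate.

```python
"""Added example: PEM .crt <-> DER .der conversion and the OPC UA
ApplicationUri-vs-certificate check. Sample data is constructed."""
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
SAN_OID = b"\x55\x1d\x11"  # DER body of OID 2.5.29.17 (subjectAltName)


def sniff_format(data: bytes) -> str:
    """A PEM .crt is Base64 text between BEGIN/END lines; a DER .der starts
    with 0x30 (ASN.1 SEQUENCE). Both hold the same certificate."""
    if data.lstrip().startswith(PEM_HEADER.encode("ascii")):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("not a PEM or DER encoded certificate")


def to_der(data: bytes) -> bytes:
    """Normalise either encoding to DER (the .der form the PLCnext stores use)."""
    if sniff_format(data) == "DER":
        return data
    return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())


def to_pem(data: bytes) -> str:
    """Normalise either encoding to PEM (the .crt form UaExpert exports)."""
    return ssl.DER_cert_to_PEM_cert(to_der(data))


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, constructed, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length


def _iter(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, constructed, value, pos = _tlv(buf, pos)
        yield tag, constructed, value


def san_uris(der: bytes) -> list:
    """Walk the DER tree; inside the extension whose OID is subjectAltName
    collect every GeneralName of type uniformResourceIdentifier ([6])."""
    found = []

    def walk(buf):
        items = list(_iter(buf))
        for i, (tag, constructed, value) in enumerate(items):
            if tag == 0x06 and value == SAN_OID:
                # The OCTET STRING after the OID (a BOOLEAN 'critical' may sit
                # in between) wraps the GeneralNames SEQUENCE.
                for t2, _, v2 in items[i + 1:]:
                    if t2 == 0x04:
                        _, _, names, _ = _tlv(v2, 0)
                        for t3, _, v3 in _iter(names):
                            if t3 == 0x86:  # [6] IMPLICIT IA5String = URI
                                found.append(v3.decode("ascii"))
                        break
            elif constructed:
                walk(value)

    walk(der)
    return found


def application_uri_matches(cert: bytes, claimed_uri: str) -> bool:
    """What 'Check application URI against client certificate' enforces: the
    ApplicationUri the client announces must appear as a URI in its cert's SAN."""
    return claimed_uri in san_uris(to_der(cert))


def _enc(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + body


# Constructed sample (assumed URI, not a real signed certificate): a SEQUENCE
# holding an [3] extensions field with one subjectAltName extension.
SAMPLE_URI = "urn:UaExpert-Laptop:UnifiedAutomation:UaExpert"
_general_names = _enc(0x30, _enc(0x86, SAMPLE_URI.encode("ascii"))
                      + _enc(0x87, bytes([192, 168, 1, 20])))  # [7] = IP
_san_ext = _enc(0x30, _enc(0x06, SAN_OID) + _enc(0x04, _general_names))
SAMPLE_DER = _enc(0x30, _enc(0xA3, _enc(0x30, _san_ext)))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    for label, blob in (("sample.der", SAMPLE_DER), ("sample.crt", SAMPLE_PEM)):
        print(label, sniff_format(blob), "->", len(to_der(blob)), "DER bytes")
    print("SAN URIs:", san_uris(SAMPLE_DER))
    print("client claims", SAMPLE_URI, "->",
          application_uri_matches(SAMPLE_PEM, SAMPLE_URI))
```

For a real file, `Path("client.der").write_bytes(to_der(Path("client.crt").read_bytes()))` produces the .der to drop into the controller's Trust Store, and `san_uris(...)` on the same bytes shows the URI that the client's ApplicationUri setting has to match; `openssl x509 -in client.crt -outform DER -out client.der` does the same conversion from the command line. The walker only looks at structure, so it works on any DER certificate, but it performs no signature or chain validation; that is the job of the trust store.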