This is an automated email from the ASF dual-hosted git repository. riemer pushed a commit to branch add-blog-post-opc-ua-certificates in repository https://gitbox.apache.org/repos/asf/streampipes-website.git
commit 8d05ac8a12c8ead57e3a262913373a652589fb74 Author: Dominik Riemer <[email protected]> AuthorDate: Tue May 20 16:04:39 2025 +0200 Add blog post about OPC-UA certificates --- website-v2/blog/2025-02-15-release-097.md | 2 + website-v2/blog/2025-03-25-file-stream-adapter.md | 2 + website-v2/blog/2025-04-09-javascript-processor.md | 2 + website-v2/blog/2025-04-28-prompt-processor.md | 4 +- website-v2/blog/2025-05-20-opc-ua-certificates.md | 188 +++++++++++++++++++++ .../img/blog/2025-05-20/opc-ua-configuration.png | Bin 0 -> 95015 bytes .../img/blog/2025-05-20/opcua-available-nodes.png | Bin 0 -> 41063 bytes .../img/blog/2025-05-20/opcua-connection-error.png | Bin 0 -> 45906 bytes .../img/blog/2025-05-20/opcua-security-dir.png | Bin 0 -> 7998 bytes .../img/blog/2025-05-20/opcua-server-rejected.png | Bin 0 -> 19266 bytes 10 files changed, 197 insertions(+), 1 deletion(-) diff --git a/website-v2/blog/2025-02-15-release-097.md b/website-v2/blog/2025-02-15-release-097.md index 9dcd69c8f..cdb3effa8 100644 --- a/website-v2/blog/2025-02-15-release-097.md +++ b/website-v2/blog/2025-02-15-release-097.md @@ -17,6 +17,8 @@ In total, the new release closes 159 issues including new features, bug fixes an Read on to discover what’s new in StreamPipes 0.97.0! +<!--truncate--> + ## Adapters & Pipeline Elements ### Adapter & Pipeline as Code StreamPipes now supports managing adapters and pipelines programmatically using compact Json or YAML definitions. diff --git a/website-v2/blog/2025-03-25-file-stream-adapter.md b/website-v2/blog/2025-03-25-file-stream-adapter.md index 72c762324..40b667f96 100644 --- a/website-v2/blog/2025-03-25-file-stream-adapter.md +++ b/website-v2/blog/2025-03-25-file-stream-adapter.md 
@@ -11,6 +11,8 @@ Are you excited to explore Apache StreamPipes but find yourself without any sens Or maybe you're looking to validate StreamPipes for your use case and kick off a Proof of Concept (PoC) but the hardware is not yet available? No worries—the **File Stream Adapter** is here to save the day! +<!--truncate--> + With the File Stream Adapter, you can upload a file containing sensor data in various formats (JSON, CSV, XML) and replay this data, giving you a hands-on way to dive into StreamPipes. It's not meant for production use, but it's perfect for experimenting with StreamPipes using your own data. diff --git a/website-v2/blog/2025-04-09-javascript-processor.md b/website-v2/blog/2025-04-09-javascript-processor.md index b6fd74be0..2520fbbad 100644 --- a/website-v2/blog/2025-04-09-javascript-processor.md +++ b/website-v2/blog/2025-04-09-javascript-processor.md @@ -12,6 +12,8 @@ Don’t worry—we’ve got just the thing for you. The **JavaScript Evaluator Processor** in Apache StreamPipes allows you to define custom event logic with just a few lines of JavaScript. Whether you want to modify values, filter events, or even add stateful logic, this processor empowers you to do just that—without writing a full processing element in Java. +<!--truncate--> + Let’s take a closer look at how it works, what the configuration options are, and how you can use it in three different ways. diff --git a/website-v2/blog/2025-04-28-prompt-processor.md b/website-v2/blog/2025-04-28-prompt-processor.md index 6f6bc21f4..be724993e 100644 --- a/website-v2/blog/2025-04-28-prompt-processor.md +++ b/website-v2/blog/2025-04-28-prompt-processor.md @@ -13,6 +13,8 @@ Need a quick sentiment check, a rolling summary, or a safety rule that’s just With the **Multi-Model Prompt Processor** you can drop the full might of OpenAI, Anthropic, or your own Llama into any Apache StreamPipes pipeline—no extra code required. +<!--truncate--> + Below you’ll find: * A quick tour of the options 
@@ -183,4 +185,4 @@ o1-preview-2024-09-12 o3-mini-2025-01-31 Whether you need a lightweight rule engine, live summaries, or just a smarter filter, the Multi-Model Prompt Processor drops straight into your pipeline and starts working within minutes. -Give it a try, and let us know what you build! \ No newline at end of file +Give it a try, and let us know what you build! diff --git a/website-v2/blog/2025-05-20-opc-ua-certificates.md b/website-v2/blog/2025-05-20-opc-ua-certificates.md new file mode 100644 index 000000000..176b6536d --- /dev/null +++ b/website-v2/blog/2025-05-20-opc-ua-certificates.md 
@@ -0,0 +1,188 @@ +--- +title: "Secure OPC-UA Integration with Apache StreamPipes: A Comprehensive Guide" +author: Dominik Riemer +authorURL: "https://github.com/dominikriemer" +authorImageURL: "/img/about/riemer.png" +--- + +With the release of Apache StreamPipes 0.97.0, the OPC UA adapter now supports encrypted communication using +certificates, enhancing security for Industrial IoT applications. This guide walks you through generating certificates, +configuring them in StreamPipes, and setting up your OPC UA server for secure communication. + +<!--truncate--> + +# Introduction + +While an unencrypted security policy is the way most users try when they start testing StreamPipes for their first time, +production-grade scenarios typically require encrypted communication. + +In case you are already using Apache StreamPipes, you might have noticed that the OPC UA adapter now supports encrypted +security policies: + +<img src="/img/blog/2025-05-20/opc-ua-configuration.png" alt="OPC-UA adapter configuration"/> + + +In this guide, I'll show how to set up a secure connection between your OPC UA server and Apache StreamPipes. This guide +is intended to be a step-by-step-guide starting from certificate generation to the configuration of the OPC UA adapter +in StreamPipes. + +I'll show a working example on a local installation using Eclipse Milo as the OPC UA server. The same steps can be +applied to production systems by integrating certificates into the volume of the extension service. There are other +ways to configure OPC-UA secure connections, but this guide will focus on a complete approach using self-signed +certificates for beginners. 
+ +# Prerequisites + +* Apache StreamPipes 0.97.0 or newer +* An OPC-UA server supporting security policies `Sign` and `Sign & Encrypt` +* OpenSSL installed on your system + +# Generate client certificates + +When creating a new OPC-UA adapter in Apache StreamPipes, the extension service where the adapter is running in serves +as the client. +First, we need to create a client certificate for the client. In this example, we'll create a self-signed certificate. + +```bash +[req] +default_bits = 2048 +prompt = no +default_md = sha256 +req_extensions = req_ext +x509_extensions = v3_ca +distinguished_name = dn + +[dn] +CN = stream-pipes-client + +[req_ext] +subjectAltName = @alt_names +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign +extendedKeyUsage = serverAuth, clientAuth + +[v3_ca] +subjectKeyIdentifier = hash +basicConstraints = CA:false +subjectAltName = @alt_names +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign +extendedKeyUsage = serverAuth, clientAuth + +[alt_names] +URI.1 = urn:org:apache:streampipes:opcua:client +``` + +When using a self-signed certificate, it is requried to to provide the CA:false flag under basicConstraints. +In addition, note the subject alternative name that later needs to be matched by the application URI of the OPC-UA +client. + +The next step is to generate the certificate and import it into a PKCS12 keystore. The keystore is used to store the key +pair we are generating in the first step. + +```bash +openssl req -x509 -nodes -days 365 \ + -newkey rsa:2048 \ + -keyout client.key \ + -out client.crt \ + -config cert.conf \ + && openssl pkcs12 -export \ + -in client.crt \ + -inkey client.key \ + -out client.p12 \ + -name streampipes-client +``` + +When I was asked for a password, I chose `streampipes`. You can choose any password you like, but make sure to remember +it, as +we will need it in the next step. 
+ +Check that the keystore lists the correct key by executing: + +```bash +keytool -list -v -storetype PKCS12 -keystore client.p12 +``` + +You'll see the key you've just generated. + +# Configure StreamPipes to support encrypted connections + +To enable the OPC UA adapter to use the generated client certificate, we need to provide a few environment variables to +StreamPipes. + +Here is a list of all environment variables that are available: + +* SP_OPCUA_SECURITY_DIR (default: /streampipes-security/opcua): This is the directory where the keystore and + trusted/rejected server certificates are stored. +* SP_OPCUA_KEYSTORE_FILE (default: keystore.pfx): This is the keystore file that contains the client certificate. +* SP_OPCUA_KEYSTORE_PASSWORD (default: password): The password for the keystore file. +* SP_OPCUA_KEYSTORE_TYPE (default: PKCS12): The type of the keystore file. +* SP_OPCUA_KEYSTORE_ALIAS (default: apache-streampipes): The alias of the client certificate in the keystore. +* SP_OPCUA_APPLICATION_URI (default: urn:org:apache:streampipes:opcua:client): The application URI of the client + certificate. + +We could have made the previous configuration easier by reusing some of the defaults. For learning purposes, we used +some other names for the alias and keystore filename. + +In my setup, I've started a local StreamPipes instance. When using Docker, you can add the environment variables to the +extensions service (e.g., extensions-all-iiot). In my local instance, I just add the emnvironment variables to my IDE +settings. + +I add the following variables: + +```bash +SP_OPCUA_SECURITY_DIR=/home/user/streampipes-security/opcua +SP_OPCUA_KEYSTORE_FILE=client.p12 +SP_OPCUA_KEYSTORE_PASSWORD=streampipes +SP_OPCUA_KEYSTORE_ALIAS=streampipes-client +``` + +# Connecting to an OPC-UA server + +For this demo, I'm using the Eclipse Milo OPC UA server. You can download it from [here](https://github.com/digitalpetri/opc-ua-demo-server). 
+Once the server is running, you can connect to it using the following URL: + +```bash +opc.tcp://localhost:62541/milo +``` + +Now it's time to switch to StreamPipes! + +Go to **Connect** -> **New adapter** -> **OPC UA** and enter the following configuration: + +```bash +Pull interval 1000 +Incomplete Events Ignore +Security Mode Sign & Encrypt +Security Policy Basic256Sha256 +URL opc.tcp://localhost:62541/milo +``` + +Defocus the URL input field and wait for the OPC-UA server to connect. After a few seconds, you should see an error message appearing: + +<img src="/img/blog/2025-05-20/opcua-connection-error.png" alt="OPC-UA adapter connection error"/> + +This is expected, as we haven't added the client certificate to the trusted certificates of the OPC-UA server yet. +So we have to let Milo know that the client certificate can be trusted. In my local setup, I need to move the client certificate from the `rejected` to the `trusted/certs` folder as seen below: + +<img src="/img/blog/2025-05-20/opcua-server-rejected.png" alt="OPC-UA adapter rejected client certificate"/> + +So let's try again by clicking `Reload` in the `Available Nodes` section of the adapter configuration page. +We'll get another error saying that the server certificate is not trusted. +This is again expected, as we haven't added the server certificate to the trusted certificates of the OPC-UA client yet. + +To do that, we can have a look at the folder structure under `SP_OPC_UA_SECURITY_DIR`: + +<img src="/img/blog/2025-05-20/opcua-security-dir.png" alt="OPC-UA security directory"/> + +Several new folders have been created by the Apache StreamPipes OPC-UA client. +The `trusted` folder contains the trusted server certificates, while the `rejected` folder contains the rejected server certificates. +We'll move the server certificate from the `rejected` folder to the `trusted/certs` folder. 
+ +No we'll try again - and this time, we should see the available nodes in the adapter configuration page: + +<img src="/img/blog/2025-05-20/opcua-available-nodes.png" alt="OPC-UA adapter available nodes"/> + +You'll see the beautiful tree view where you can navigate through all OPC-UA nodes. + +Now you can select the nodes you want to use in your adapter. + +That's it! You've successfully configured the OPC-UA adapter to use encrypted communication with self-signed certificates. diff --git a/website-v2/static/img/blog/2025-05-20/opc-ua-configuration.png b/website-v2/static/img/blog/2025-05-20/opc-ua-configuration.png new file mode 100644 index 000000000..34eaa724d Binary files /dev/null and b/website-v2/static/img/blog/2025-05-20/opc-ua-configuration.png differ diff --git a/website-v2/static/img/blog/2025-05-20/opcua-available-nodes.png b/website-v2/static/img/blog/2025-05-20/opcua-available-nodes.png new file mode 100644 index 000000000..b593b4ff3 Binary files /dev/null and b/website-v2/static/img/blog/2025-05-20/opcua-available-nodes.png differ diff --git a/website-v2/static/img/blog/2025-05-20/opcua-connection-error.png b/website-v2/static/img/blog/2025-05-20/opcua-connection-error.png new file mode 100644 index 000000000..9bf6e7e89 Binary files /dev/null and b/website-v2/static/img/blog/2025-05-20/opcua-connection-error.png differ diff --git a/website-v2/static/img/blog/2025-05-20/opcua-security-dir.png b/website-v2/static/img/blog/2025-05-20/opcua-security-dir.png new file mode 100644 index 000000000..e85bc1593 Binary files /dev/null and b/website-v2/static/img/blog/2025-05-20/opcua-security-dir.png differ diff --git a/website-v2/static/img/blog/2025-05-20/opcua-server-rejected.png b/website-v2/static/img/blog/2025-05-20/opcua-server-rejected.png new file mode 100644 index 000000000..25510cc68 Binary files /dev/null and b/website-v2/static/img/blog/2025-05-20/opcua-server-rejected.png differ
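Review bot: the `cert.conf` referenced by `openssl req ... -config cert.conf` is never named in the hunk for `2025-05-20-opc-ua-certificates.md`; the OpenSSL configuration block above it is fenced as ```bash although it is not shell, and the text does not tell readers to save it as `cert.conf`, so add "Save the following as `cert.conf`" before the block and fence it as `ini` (the same applies to the `opc.tcp://localhost:62541/milo` URL and the adapter configuration table, which are fenced as `bash` but are plain text). Since `openssl req ... -nodes` leaves an unencrypted `client.key` next to `client.p12`, the step after the keystore export should say that `client.key` can be removed or restricted once the PKCS12 file exists, and that `SP_OPCUA_KEYSTORE_PASSWORD` should not be committed alongside the compose file. In the trust-establishment steps, "move the client certificate from the `rejected` to the `trusted/certs` folder" (and the same move for the server certificate on the StreamPipes side) should be preceded by checking the certificate's thumbprint or subject against the one generated with `keytool -list -v`, otherwise trusting whatever appears in `rejected` defeats the mutual authentication the guide is setting up. The variable name `SP_OPC_UA_SECURITY_DIR` in "have a look at the folder structure under `SP_OPC_UA_SECURITY_DIR`" does not match `SP_OPCUA_SECURITY_DIR` from the environment variable list. Finally, fix the typos "requried to to" -> "required to", "emnvironment" -> "environment", "step-by-step-guide" -> "step-by-step guide" and "No we'll try again" -> "Now we'll try again".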
