This is an automated email from the ASF dual-hosted git repository.

riemer pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/streampipes-website.git


The following commit(s) were added to refs/heads/dev by this push:
     new 08c8a9c70 Add blog post about OPC-UA certificates (#220)
08c8a9c70 is described below

commit 08c8a9c7086590cc6f66bfa2c9f0ec0bfcedd6cb
Author: Dominik Riemer <[email protected]>
AuthorDate: Tue Jun 3 17:32:34 2025 +0200

    Add blog post about OPC-UA certificates (#220)
---
 website-v2/blog/2025-02-15-release-097.md          |   2 +
 website-v2/blog/2025-03-25-file-stream-adapter.md  |   2 +
 website-v2/blog/2025-04-09-javascript-processor.md |   2 +
 website-v2/blog/2025-04-28-prompt-processor.md     |   4 +-
 website-v2/blog/2025-05-20-opc-ua-certificates.md  | 188 +++++++++++++++++++++
 .../img/blog/2025-05-20/opc-ua-configuration.png   | Bin 0 -> 95015 bytes
 .../img/blog/2025-05-20/opcua-available-nodes.png  | Bin 0 -> 41063 bytes
 .../img/blog/2025-05-20/opcua-connection-error.png | Bin 0 -> 45906 bytes
 .../img/blog/2025-05-20/opcua-security-dir.png     | Bin 0 -> 7998 bytes
 .../img/blog/2025-05-20/opcua-server-rejected.png  | Bin 0 -> 19266 bytes
 10 files changed, 197 insertions(+), 1 deletion(-)

diff --git a/website-v2/blog/2025-02-15-release-097.md 
b/website-v2/blog/2025-02-15-release-097.md
index 9dcd69c8f..cdb3effa8 100644
--- a/website-v2/blog/2025-02-15-release-097.md
+++ b/website-v2/blog/2025-02-15-release-097.md
@@ -17,6 +17,8 @@ In total, the new release closes 159 issues including new 
features, bug fixes an
 
 Read on to discover what’s new in StreamPipes 0.97.0!
 
+<!--truncate-->
+
 ## Adapters & Pipeline Elements
 ### Adapter & Pipeline as Code
 StreamPipes now supports managing adapters and pipelines programmatically 
using compact Json or YAML definitions.
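Review bot: The `<!--truncate-->` marker added here, and the same marker in the three other existing posts touched by this commit, is not covered by the commit subject "Add blog post about OPC-UA certificates". Either mention the excerpt markers in the commit message or move them to their own commit, so the history of these four posts does not point at an unrelated change.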
diff --git a/website-v2/blog/2025-03-25-file-stream-adapter.md 
b/website-v2/blog/2025-03-25-file-stream-adapter.md
index 72c762324..40b667f96 100644
--- a/website-v2/blog/2025-03-25-file-stream-adapter.md
+++ b/website-v2/blog/2025-03-25-file-stream-adapter.md
@@ -11,6 +11,8 @@ Are you excited to explore Apache StreamPipes but find 
yourself without any sens
 Or maybe you're looking to validate StreamPipes for your use case and kick off 
a Proof of Concept (PoC) but the hardware is not yet available? 
 No worries—the **File Stream Adapter** is here to save the day!
 
+<!--truncate-->
+
 With the File Stream Adapter, you can upload a file containing sensor data in 
various formats (JSON, CSV, XML) and replay this data, giving you a hands-on 
way to dive into StreamPipes. 
 It's not meant for production use, but it's perfect for experimenting with 
StreamPipes using your own data.
 
diff --git a/website-v2/blog/2025-04-09-javascript-processor.md 
b/website-v2/blog/2025-04-09-javascript-processor.md
index b6fd74be0..2520fbbad 100644
--- a/website-v2/blog/2025-04-09-javascript-processor.md
+++ b/website-v2/blog/2025-04-09-javascript-processor.md
@@ -12,6 +12,8 @@ Don’t worry—we’ve got just the thing for you.
 
 The **JavaScript Evaluator Processor** in Apache StreamPipes allows you to 
define custom event logic with just a few lines of JavaScript. Whether you want 
to modify values, filter events, or even add stateful logic, this processor 
empowers you to do just that—without writing a full processing element in Java.
 
+<!--truncate-->
+
 Let’s take a closer look at how it works, what the configuration options are, 
and how you can use it in three different ways.
 
 
diff --git a/website-v2/blog/2025-04-28-prompt-processor.md 
b/website-v2/blog/2025-04-28-prompt-processor.md
index 6f6bc21f4..be724993e 100644
--- a/website-v2/blog/2025-04-28-prompt-processor.md
+++ b/website-v2/blog/2025-04-28-prompt-processor.md
@@ -13,6 +13,8 @@ Need a quick sentiment check, a rolling summary, or a safety 
rule that’s just
 With the **Multi-Model Prompt Processor** you can drop the full might of 
OpenAI, Anthropic, or your own Llama into any
 Apache StreamPipes pipeline—no extra code required.
 
+<!--truncate-->
+
 Below you’ll find:
 
 * A quick tour of the options
@@ -183,4 +185,4 @@ o1-preview-2024-09-12      o3-mini-2025-01-31
 Whether you need a lightweight rule engine, live summaries, or just a smarter 
filter, the Multi-Model Prompt Processor
 drops straight into your pipeline and starts working within minutes.
 
-Give it a try, and let us know what you build!
\ No newline at end of file
+Give it a try, and let us know what you build!
diff --git a/website-v2/blog/2025-05-20-opc-ua-certificates.md 
b/website-v2/blog/2025-05-20-opc-ua-certificates.md
new file mode 100644
index 000000000..176b6536d
--- /dev/null
+++ b/website-v2/blog/2025-05-20-opc-ua-certificates.md
@@ -0,0 +1,188 @@
+---
+title: "Secure OPC-UA Integration with Apache StreamPipes: A Comprehensive 
Guide"
+author: Dominik Riemer
+authorURL: "https://github.com/dominikriemer";
+authorImageURL: "/img/about/riemer.png"
+---
+
+With the release of Apache StreamPipes 0.97.0, the OPC UA adapter now supports 
encrypted communication using
+certificates, enhancing security for Industrial IoT applications. This guide 
walks you through generating certificates,
+configuring them in StreamPipes, and setting up your OPC UA server for secure 
communication.
+
+<!--truncate-->
+
+# Introduction
+
+While an unencrypted security policy is the way most users try when they start 
testing StreamPipes for their first time,
+production-grade scenarios typically require encrypted communication.
+
+In case you are already using Apache StreamPipes, you might have noticed that 
the OPC UA adapter now supports encrypted
+security policies:
+
+<img src="/img/blog/2025-05-20/opc-ua-configuration.png" alt="OPC-UA adapter 
configuration"/>
+
+
+In this guide, I'll show how to set up a secure connection between your OPC UA 
server and Apache StreamPipes. This guide
+is intended to be a step-by-step-guide starting from certificate generation to 
the configuration of the OPC UA adapter
+in StreamPipes.
+
+I'll show a working example on a local installation using Eclipse Milo as the 
OPC UA server. The same steps can be
+applied to production systems by integrating certificates into the volume of 
the extension service. There are other
+ways to configure OPC-UA secure connections, but this guide will focus on a 
complete approach using self-signed
+certificates for beginners.
+
+# Prerequisites
+
+* Apache StreamPipes 0.97.0 or newer
+* An OPC-UA server supporting security policies `Sign` and `Sign & Encrypt`
+* OpenSSL installed on your system
+
+# Generate client certificates
+
+When creating a new OPC-UA adapter in Apache StreamPipes, the extension 
service where the adapter is running in serves
+as the client.
+First, we need to create a client certificate for the client. In this example, 
we'll create a self-signed certificate.
+
+```bash
+[req]
+default_bits       = 2048
+prompt             = no
+default_md         = sha256
+req_extensions     = req_ext
+x509_extensions    = v3_ca
+distinguished_name = dn
+
+[dn]
+CN = stream-pipes-client
+
+[req_ext]
+subjectAltName = @alt_names
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, 
dataEncipherment, keyCertSign
+extendedKeyUsage = serverAuth, clientAuth
+
+[v3_ca]
+subjectKeyIdentifier = hash
+basicConstraints = CA:false
+subjectAltName = @alt_names
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, 
dataEncipherment, keyCertSign
+extendedKeyUsage = serverAuth, clientAuth
+
+[alt_names]
+URI.1 = urn:org:apache:streampipes:opcua:client
+```
+
+When using a self-signed certificate, it is requried to to provide the 
CA:false flag under basicConstraints.
+In addition, note the subject alternative name that later needs to be matched 
by the application URI of the OPC-UA
+client.
+
+The next step is to generate the certificate and import it into a PKCS12 
keystore. The keystore is used to store the key
+pair we are generating in the first step.
+
+```bash
+openssl req -x509 -nodes -days 365 \
+  -newkey rsa:2048 \
+  -keyout client.key \
+  -out client.crt \
+  -config cert.conf \
+  && openssl pkcs12 -export \
+  -in client.crt \
+  -inkey client.key \
+  -out client.p12 \
+  -name streampipes-client
+```
+
+When I was asked for a password, I chose `streampipes`. You can choose any 
password you like, but make sure to remember
+it, as
+we will need it in the next step.
+
+Check that the keystore lists the correct key by executing:
+
+```bash
+keytool -list -v -storetype PKCS12 -keystore client.p12
+```
+
+You'll see the key you've just generated.
+
+# Configure StreamPipes to support encrypted connections
+
+To enable the OPC UA adapter to use the generated client certificate, we need 
to provide a few environment variables to
+StreamPipes.
+
+Here is a list of all environment variables that are available:
+
+* SP_OPCUA_SECURITY_DIR (default: /streampipes-security/opcua): This is the 
directory where the keystore and
+  trusted/rejected server certificates are stored.
+* SP_OPCUA_KEYSTORE_FILE (default: keystore.pfx): This is the keystore file 
that contains the client certificate.
+* SP_OPCUA_KEYSTORE_PASSWORD (default: password): The password for the 
keystore file.
+* SP_OPCUA_KEYSTORE_TYPE (default: PKCS12): The type of the keystore file.
+* SP_OPCUA_KEYSTORE_ALIAS (default: apache-streampipes): The alias of the 
client certificate in the keystore.
+* SP_OPCUA_APPLICATION_URI (default: urn:org:apache:streampipes:opcua:client): 
The application URI of the client
+  certificate.
+
+We could have made the previous configuration easier by reusing some of the 
defaults. For learning purposes, we used
+some other names for the alias and keystore filename.
+
+In my setup, I've started a local StreamPipes instance. When using Docker, you 
can add the environment variables to the
+extensions service (e.g., extensions-all-iiot). In my local instance, I just 
add the emnvironment variables to my IDE
+settings.
+
+I add the following variables:
+
+```bash
+SP_OPCUA_SECURITY_DIR=/home/user/streampipes-security/opcua
+SP_OPCUA_KEYSTORE_FILE=client.p12
+SP_OPCUA_KEYSTORE_PASSWORD=streampipes
+SP_OPCUA_KEYSTORE_ALIAS=streampipes-client
+```
+
+# Connecting to an OPC-UA server
+
+For this demo, I'm using the Eclipse Milo OPC UA server. You can download it 
from [here](https://github.com/digitalpetri/opc-ua-demo-server).
+Once the server is running, you can connect to it using the following URL:
+
+```bash
+opc.tcp://localhost:62541/milo
+```
+
+Now it's time to switch to StreamPipes!
+
+Go to **Connect** -> **New adapter** -> **OPC UA** and enter the following 
configuration:
+
+```bash
+Pull interval 1000
+Incomplete Events Ignore
+Security Mode Sign & Encrypt
+Security Policy Basic256Sha256
+URL opc.tcp://localhost:62541/milo
+```
+
+Defocus the URL input field and wait for the OPC-UA server to connect. After a 
few seconds, you should see an error message appearing:
+
+<img src="/img/blog/2025-05-20/opcua-connection-error.png" alt="OPC-UA adapter 
connection error"/>
+
+This is expected, as we haven't added the client certificate to the trusted 
certificates of the OPC-UA server yet. 
+So we have to let Milo know that the client certificate can be trusted. In my 
local setup, I need to move the client certificate from the `rejected` to the 
`trusted/certs` folder as seen below:
+
+<img src="/img/blog/2025-05-20/opcua-server-rejected.png" alt="OPC-UA adapter 
rejected client certificate"/>
+
+So let's try again by clicking `Reload` in the `Available Nodes` section of 
the adapter configuration page.
+We'll get another error saying that the server certificate is not trusted. 
+This is again expected, as we haven't added the server certificate to the 
trusted certificates of the OPC-UA client yet.   
+
+To do that, we can have a look at the folder structure under 
`SP_OPC_UA_SECURITY_DIR`:
+
+<img src="/img/blog/2025-05-20/opcua-security-dir.png" alt="OPC-UA security 
directory"/>
+
+Several new folders have been created by the Apache StreamPipes OPC-UA client.
+The `trusted` folder contains the trusted server certificates, while the 
`rejected` folder contains the rejected server certificates.
+We'll move the server certificate from the `rejected` folder to the 
`trusted/certs` folder.
+
+No we'll try again - and this time, we should see the available nodes in the 
adapter configuration page:
+
+<img src="/img/blog/2025-05-20/opcua-available-nodes.png" alt="OPC-UA adapter 
available nodes"/>
+
+You'll see the beautiful tree view where you can navigate through all OPC-UA 
nodes.
+
+Now you can select the nodes you want to use in your adapter.
+
+That's it! You've successfully configured the OPC-UA adapter to use encrypted 
communication with self-signed certificates.
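Review bot: In "Connecting to an OPC-UA server" the reader is told twice to move whatever certificate shows up in `rejected` into `trusted/certs` (first on the Milo side, then under the StreamPipes security directory) with no step that checks which certificate it is. Please add a verification step before each move, for example comparing the SHA-256 fingerprint of the rejected file with the one printed by `openssl x509 -in client.crt -noout -fingerprint -sha256`, and say that the server certificate's fingerprint should be confirmed with the server operator; otherwise the guide teaches blind trust-on-first-use for a "production-grade" setup. Related points in the same file: `openssl req ... -nodes` leaves `client.key` unencrypted next to `client.p12`, and the post never says to delete it or restrict its permissions once the keystore is exported; the password `streampipes` and the documented default `password` deserve a sentence that they are for the demo only. The OpenSSL config block is fenced as `bash` and is never named, yet the next command uses `-config cert.conf`, so state that the block is saved as `cert.conf` and tag it (and the adapter settings and URL blocks) as plain text. The later reference to `SP_OPC_UA_SECURITY_DIR` does not match the variable `SP_OPCUA_SECURITY_DIR` defined in the list above it. `keytool` is used but the prerequisites list only OpenSSL. Typos: "requried to to", "emnvironment", "No we'll try again".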
diff --git a/website-v2/static/img/blog/2025-05-20/opc-ua-configuration.png 
b/website-v2/static/img/blog/2025-05-20/opc-ua-configuration.png
new file mode 100644
index 000000000..34eaa724d
Binary files /dev/null and 
b/website-v2/static/img/blog/2025-05-20/opc-ua-configuration.png differ
diff --git a/website-v2/static/img/blog/2025-05-20/opcua-available-nodes.png 
b/website-v2/static/img/blog/2025-05-20/opcua-available-nodes.png
new file mode 100644
index 000000000..b593b4ff3
Binary files /dev/null and 
b/website-v2/static/img/blog/2025-05-20/opcua-available-nodes.png differ
diff --git a/website-v2/static/img/blog/2025-05-20/opcua-connection-error.png 
b/website-v2/static/img/blog/2025-05-20/opcua-connection-error.png
new file mode 100644
index 000000000..9bf6e7e89
Binary files /dev/null and 
b/website-v2/static/img/blog/2025-05-20/opcua-connection-error.png differ
diff --git a/website-v2/static/img/blog/2025-05-20/opcua-security-dir.png 
b/website-v2/static/img/blog/2025-05-20/opcua-security-dir.png
new file mode 100644
index 000000000..e85bc1593
Binary files /dev/null and 
b/website-v2/static/img/blog/2025-05-20/opcua-security-dir.png differ
diff --git a/website-v2/static/img/blog/2025-05-20/opcua-server-rejected.png 
b/website-v2/static/img/blog/2025-05-20/opcua-server-rejected.png
new file mode 100644
index 000000000..25510cc68
Binary files /dev/null and 
b/website-v2/static/img/blog/2025-05-20/opcua-server-rejected.png differ
