GitHub user dominikriemer added a comment to the discussion: Use certificate / 
encrypted communication using OPC UA Adapter

Hi @jormus welcome!

Here are some things you can try to get it working:

There are a few environment variables related to OPC-UA that can be provisioned 
to the extension service. I list these from the `Env` class in 
`streampipes-commons`:
* SP_OPCUA_SECURITY_DIR("/streampipes-security/opcua"),
* SP_OPCUA_KEYSTORE_FILE("keystore.pfx"),
* SP_OPCUA_KEYSTORE_PASSWORD("password"),
* SP_OPCUA_KEYSTORE_TYPE("PKCS12"),
* SP_OPCUA_KEYSTORE_ALIAS("apache-streampipes"),
* SP_OPCUA_APPLICATION_URI("urn:org:apache:streampipes:opcua:client")

If you attach a volume to `/streampipes-security/opcua`, StreamPipes will try to 
load the keystore from this directory. In the keystore, you should have a 
KeyPair with the alias as defined in `SP_OPCUA_KEYSTORE_ALIAS`. If you are 
using a self-signed certificate, `CA=FALSE` needs to be set under Basic 
Constraints. In addition, the Subject Alternative Name must be set to the same 
value as defined in `SP_OPCUA_APPLICATION_URI`.

Here is an example for a valid certificate configuration:

<img width="613" alt="image" src="https://github.com/user-attachments/assets/a90adb1a-ee84-49b5-b414-3165085f71ff" />

This is the setup needed for the client certificate.

To accept server certificates, the following directory structure will be 
automatically created once you connect to an OPC-UA server for the first time 
with encryption enabled:

<img width="228" alt="image" src="https://github.com/user-attachments/assets/5945fb0a-0bdd-4039-a14f-8e597eec3d4b" />

By default, server certificates will be placed in the "rejected" folder. You 
can move these to `trusted/certs` to trust the server.

So for the K8s setup, I'd recommend creating a single volume with this 
directory layout. Currently, accepted certificates need to be manually placed 
in the `trusted/certs` folder. In the future, we might improve this process so 
that certificates can be managed over the UI.

Hope this helps!

GitHub link: 
https://github.com/apache/streampipes/discussions/3423#discussioncomment-13135802
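
An added example, not part of the comment above and not StreamPipes code: a POSIX shell sketch that uses the `openssl` CLI to build a self-signed client keystore meeting the conditions the comment lists (PKCS12, the configured alias, `CA:FALSE`, SAN equal to the application URI) and then checks them. The function names `make_keystore` and `check_keystore`, the key-usage lines and the RSA-2048/365-day choices are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not StreamPipes code). Defaults are the values quoted in the comment above.
ALIAS="${SP_OPCUA_KEYSTORE_ALIAS:-apache-streampipes}"
APP_URI="${SP_OPCUA_APPLICATION_URI:-urn:org:apache:streampipes:opcua:client}"
KS_FILE="${SP_OPCUA_KEYSTORE_FILE:-keystore.pfx}"

# make_keystore DIR: create a self-signed client certificate and store it as PKCS12 in DIR.
make_keystore() {
  : "${SP_OPCUA_KEYSTORE_PASSWORD:?export a keystore password first}"
  export SP_OPCUA_KEYSTORE_PASSWORD            # read by openssl via env:, never put on argv
  work=$(mktemp -d) || return 1
  cat > "$work/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_client
[dn]
CN = $ALIAS
[v3_client]
basicConstraints = critical, CA:FALSE
subjectAltName = URI:$APP_URI
# Assumption, not from the page: key usages typical for an OPC UA client certificate.
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
EOF
  mkdir -p "$1" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$work/req.cnf" \
    -keyout "$work/key.pem" -out "$work/cert.pem" &&
  openssl pkcs12 -export -name "$ALIAS" -in "$work/cert.pem" -inkey "$work/key.pem" \
    -out "$1/$KS_FILE" -passout env:SP_OPCUA_KEYSTORE_PASSWORD
  rc=$?
  rm -rf "$work"                               # remove the unencrypted private key
  return "$rc"
}

# check_keystore DIR: 0 only if alias, CA:FALSE and the SAN URI all match; 2/3/4 say which failed.
check_keystore() {
  export SP_OPCUA_KEYSTORE_PASSWORD
  trim() { tr ',' '\n' | sed 's/^ *//; s/ *$//'; }   # one value per line, no padding
  pem=$(openssl pkcs12 -in "$1/$KS_FILE" -nokeys \
        -passin env:SP_OPCUA_KEYSTORE_PASSWORD 2>/dev/null) || return 1
  text=$(printf '%s\n' "$pem" | openssl x509 -noout -text | trim)
  printf '%s\n' "$pem" | trim | grep -qFx "friendlyName: $ALIAS" || return 2
  printf '%s\n' "$text" | grep -qFx "CA:FALSE" || return 3
  printf '%s\n' "$text" | grep -qFx "URI:$APP_URI" || return 4
}

# Usage: export SP_OPCUA_KEYSTORE_PASSWORD=...; make_keystore ./opcua && check_keystore ./opcua
```

Running `check_keystore` against an existing keystore before mounting it narrows a failed connection down to the alias, the Basic Constraints or the SAN.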

----
This is an automatically sent email for dev@streampipes.apache.org.