OPC UA Client Security

dencla

I have been able to build bothe the client and server example application. I created both the example client an server applications. they connected to each other and to UaExpert no problem. Bur when I tried the KEPware Srever I could not connect. I was not worried about that at the time. Then, a few weeks ago and was able to get a device to connect the new client that i created to its opc ua Server and it kept failing. I was successful using MinGW 64 6.9.1, but then I was told that that version did not include security and I needed to use MSVC 2019 x64. I have been trying to rebuild it ever since under MSVC 6.10.1 64 with out success, I keep gettin build errors of all sorts. I fix one thing then I get another. Are there instructions on how to build OPC UA under either platform with security enabled?

dencla

I was told MinGW does not have security. that is why I switched.

SGaist

Hi,

What does "MinGW does not have security" mean exactly ?

avalynn

Clone: git clone https://github.com/open62541/open62541.git && cd open62541 && git checkout v1.4.5
Open ready-made solution: build\open62541.sln
Select configuration Release-SECURE or Debug-SECURE
Build → Build Solution

Done. Full encryption (mbedTLS) enabled, works with KEPServerEX and all commercial servers.
(Do not use CMake or MinGW if you want zero hassle with MSVC security.)

dencla

I have been able to rebuild the open62541 backend successfully for both to enable security, but when I run the backend I only get "none" as an option. Here is the test program that I'm running:

code_text

#include <QCoreApplication>
#include <QOpcUaProvider>
#include <QOpcUaClient>

#include <QPluginLoader>
#include <QDir>

void listOpcUaPlugins()
{
    qDebug() << "---- Qt OPCUA Secure Policy Test ----";

    QOpcUaProvider provider;

    // List plugins
    auto backends = provider.availableBackends();
    qDebug() << "Available backends:" << backends;

    if (!backends.contains("open62541")) {
        qDebug() << "ERROR: secure backend not found";
        return;
    }

    auto client = provider.createClient("open62541");

    if (!client) {
        qDebug() << "ERROR: Could not load secure backend";
        return;
    }

    qDebug() << "Backend loaded OK";

    // List supported security policies
    auto policies = client->supportedSecurityPolicies();
    qDebug() << "Supported security policies:" << policies;

    qDebug() << "--------------------------------------";

}

int main(int argc, char *argv[])
{
    QCoreApplication app(argc, argv);


    listOpcUaPlugins();

    qDebug() << "Library paths:" << QCoreApplication::libraryPaths();
/*****
    QStringList paths = QCoreApplication::libraryPaths();
    for (const QString& p : paths) {
        QDir dir(p + "/opcua");
        if (dir.exists()) {
            qDebug() << "Checking:" << dir.absolutePath();
            for (const QString &file : dir.entryList(QStringList() << "*.dll")) {
                qDebug() << "  Plugin found:" << file;
            }
        }
    }

    QCoreApplication::addLibraryPath("C:/Qt/6.9.1/mingw_64/plugins");

    QOpcUaProvider provider;

    auto backends = provider.availableBackends();
    qDebug() << "Available backends:" << backends;

    for (const QString& backend : backends) {
        qDebug() << "Backend:" << backend
                 << "Path:" << provider.backendPath(backend);
    }

     // Choose a backend (open62541)
    QString backend = "open62541";
    auto client = provider.createClient(backend);

    if (!client) {
        qDebug() << "Failed to load backend.";
        return -1;
    }

    qDebug() << "Backend loaded:" << backend;

    qDebug() << "Supported security policies:"
             << client->supportedSecurityPolicies();
****/
    return 0;
}

Ther results are as follows:

19:14:18: Starting C:\Qt\Projects\OPCtest\build\Desktop_Qt_6_9_1_MinGW_64_bit-Release\release\OPCtest.exe...
---- Qt OPCUA Secure Policy Test ----
Available backends: QList("open62541")
Backend loaded OK
Supported security policies: QList("http://opcfoundation.org/UA/SecurityPolicy#None")
--------------------------------------
Library paths: QList("C:/Qt/6.9.1/mingw_64/plugins", "C:/Qt/Projects/OPCtest/build/Desktop_Qt_6_9_1_MinGW_64_bit-Release/release")
19:14:18: The command "C:\Qt\Projects\OPCtest\build\Desktop_Qt_6_9_1_MinGW_64_bit-Release\release\OPCtest.exe" finished successfully.

When I did the rebuild I used the following .bat file to produce the security update for opcua, including the modifications to mbedtls:

@echo off
setlocal

REM ===== Qt paths =====
set QT_DIR=C:\Qt\6.9.1
set QT_SRC=%QT_DIR%\Src\qtopcua

REM ===== secure open62541 paths =====
set OPEN62541_INC=C:\Qt\open62541-mingw-secure\include
set OPEN62541_LIB=C:\Qt\open62541-mingw-secure\lib\libopen62541.a

REM ===== Required compiler tools =====
REM Put MinGW FIRST so cmake can detect gcc
set PATH=C:\Qt\Tools\mingw1310_64\bin;%PATH%

REM Then Qt runtime DLLs
set PATH=C:\Qt\6.9.1\mingw_64\bin;%PATH%

REM Then CMake
set PATH=C:\Qt\Tools\CMake_64\bin;%PATH%

echo Using Qt from: %QT_DIR%
echo Using MinGW from: C:\Qt\Tools\mingw1310_64\bin
echo Using CMake from: C:\Qt\Tools\CMake_64\bin

REM ===== Create clean build folder =====
set BUILD_DIR=C:\Qt\qtopcua_secure_build
rmdir /s /q "%BUILD_DIR%" 2>nul
mkdir "%BUILD_DIR%"
cd "%BUILD_DIR%"

echo.
echo === Running CMake ===
cmake -G "MinGW Makefiles" ^
  -DCMAKE_BUILD_TYPE=Release ^
  -DQT_FEATURE_opcua_security=ON ^
  -DQT_FEATURE_opcua_open62541_custom=ON ^
  -DQT_FEATURE_opcua_open62541=OFF ^
  -DOpcUa_OPEN62541_INCLUDE_DIR="%OPEN62541_INC%" ^
  -DOpcUa_OPEN62541_LIBRARY="%OPEN62541_LIB%" ^
  "%QT_SRC%"

IF %ERRORLEVEL% NEQ 0 (
    echo *** ERROR: CMake failed ***
    pause
    exit /b 1
)

echo.
echo === Building QtOpcUa Secure Backend ===
mingw32-make -j4

IF %ERRORLEVEL% NEQ 0 (
    echo *** ERROR: Build failed ***
    pause
    exit /b 1
)

echo.
echo === Installing plugin ===
mingw32-make install

echo.
echo ==========================================================
echo   QtOpcUa SECURE backend successfully built!
echo   Installed plugin at:
echo   %QT_DIR%\mingw_64\plugins\opcua\
echo ==========================================================

pause

It appears that there is something in qtcreator that is overiding what I am producing. Does anyone have any Ideas? I'm running out.

dencla

@SGaist OPCUA security "pki"

SGaist

So you want an OpenSSL enabled OPC UA ?
Did you follow the guide related to that ?

Not seeing anything related to OpenSSL in your build script I would guess not.

dencla

@SGaist Thank you,
that is very helpful. Can OpenSSL be installed from the Maintenance Tool?

dencla

@SGaist I have downloaded from the Shining Light Productions link. Thanks again.