| -rw-r--r-- | readme.md | 19 | ||||
| -rw-r--r-- | tests/aes256_anon/client.conf | 9 | ||||
| -rw-r--r-- | tests/aes256_anon/server_lds.conf | 11 | ||||
| -rw-r--r-- | tests/aes256_anon/server_register.conf | 12 | ||||
| -rw-r--r-- | tests/aes256_anon/server_register_client.conf | 12 |
5 files changed, 59 insertions, 4 deletions
@@ -28,8 +28,11 @@ cd opcua_c The programs use TLS certificates for mutual authentication. ServerLDS and ServerRegister can also run without certificates (SecurityPolicy#None only) by omitting the `certificate`, `privateKey`, and `trustStore` keys from their -config files. For encrypted operation, four identities are needed — run these -from the project root: +config files. + +For encrypted operation, four identities are needed. Each call to +`tools/generate_certificate.sh` creates a self-signed RSA-2048 certificate +(`<name>_cert.der`) and private key (`<name>_key.der`) in the given directory: ```sh tools/generate_certificate.sh certs ServerLDS @@ -38,10 +41,18 @@ tools/generate_certificate.sh certs ServerRegisterClient tools/generate_certificate.sh certs ClientFindServers ``` +| Identity | Used by | Purpose | +|----------|---------|---------| +| `ServerLDS` | ServerLDS | Server certificate for the LDS | +| `ServerRegister` | ServerRegister | Server certificate for the registering server | +| `ServerRegisterClient` | ServerRegister | Client certificate used when connecting to the LDS | +| `ClientFindServers` | Client | Client certificate for all client operations | + ### Populate the trust stores -Each program trusts a specific set of peers. Create symlinks to the -certificates in the trust store directories so they can find each other: +OPC UA applications only accept connections from peers whose certificate is in +their trust store. Create the trust store directories and symlink each peer's +certificate: ```sh mkdir -p certs/trust/{server_lds,server_register,server_register_client,client} diff --git a/tests/aes256_anon/client.conf b/tests/aes256_anon/client.conf new file mode 100644 index 0000000..2818355 --- /dev/null +++ b/tests/aes256_anon/client.conf 
@@ -0,0 +1,9 @@
+# Client — test: aes256_anon
+
+applicationUri = urn:localhost:bobink:ClientFindServers
+certificate = certs/ClientFindServers_cert.der
+privateKey = certs/ClientFindServers_key.der
+securityMode = SignAndEncrypt
+securityPolicy = Aes256_Sha256_RsaPss
+authMode = anonymous
+trustStore = certs/trust/client
diff --git a/tests/aes256_anon/server_lds.conf b/tests/aes256_anon/server_lds.conf
new file mode 100644
index 0000000..587820f
--- /dev/null
+++ b/tests/aes256_anon/server_lds.conf
@@ -0,0 +1,11 @@
+# ServerLDS — test: aes256_anon
+
+port = 14840
+applicationUri = urn:localhost:bobink:ServerLDS
+certificate = certs/ServerLDS_cert.der
+privateKey = certs/ServerLDS_key.der
+cleanupTimeout = 60
+
+authMode = anonymous
+
+trustStore = certs/trust/server_lds
diff --git a/tests/aes256_anon/server_register.conf b/tests/aes256_anon/server_register.conf
new file mode 100644
index 0000000..a2ce852
--- /dev/null
+++ b/tests/aes256_anon/server_register.conf
@@ -0,0 +1,12 @@
+# ServerRegister server config — test: aes256_anon
+
+port = 14841
+applicationUri = urn:localhost:bobink:ServerRegister
+certificate = certs/ServerRegister_cert.der
+privateKey = certs/ServerRegister_key.der
+
+registerInterval = 10
+
+authMode = anonymous
+
+trustStore = certs/trust/server_register
diff --git a/tests/aes256_anon/server_register_client.conf b/tests/aes256_anon/server_register_client.conf
new file mode 100644
index 0000000..46e8659
--- /dev/null
+++ b/tests/aes256_anon/server_register_client.conf
@@ -0,0 +1,12 @@
+# ServerRegister client config — test: aes256_anon
+
+applicationUri = urn:localhost:bobink:ServerRegister
+certificate = certs/ServerRegisterClient_cert.der
+privateKey = certs/ServerRegisterClient_key.der
+
+securityMode = SignAndEncrypt
+securityPolicy = Aes256_Sha256_RsaPss
+
+authMode = anonymous
+
+trustStore = certs/trust/server_register_client
|
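Review bot: server_lds.conf and server_register.conf set `certificate`, `privateKey` and `trustStore` but no `securityMode`/`securityPolicy`, so the endpoints the two servers expose come from defaults that are not visible in this commit; the Aes256_Sha256_RsaPss / SignAndEncrypt requirement of the aes256_anon test is pinned only on the client side (client.conf and server_register_client.conf). As written, the test still passes if a server also offers a weaker policy, because only the clients choose the policy. State the intent in the header of both server configs, e.g. `# No securityPolicy pinned here: Aes256_Sha256_RsaPss/SignAndEncrypt is required by the client configs of this test`, or pin the server-side policy if the config format supports it.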
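Review bot: server_register_client.conf presents `certs/ServerRegisterClient_cert.der` but declares `applicationUri = urn:localhost:bobink:ServerRegister`, the same URI as server_register.conf, which presents a different certificate. A peer that validates the certificate per the OPC UA spec compares the ApplicationUri sent in the session request with the URI subject-alternative-name of the presented certificate, so this pairing only works if `tools/generate_certificate.sh` embeds the ServerRegister URI in the ServerRegisterClient certificate, which the commit does not show. Document the expectation in the header, e.g. `# applicationUri must equal the URI SAN carried by ServerRegisterClient_cert.der`, so a mismatch is recognised as a configuration error rather than a transport failure.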
