View Issue Details

ID: 0010250
Project: CTT UA Binary
Category: 1 - Script Issue
View Status: public
Last Update: 2025-03-25 14:41
Reporter: Franck ETIENNE
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: Linux
OS: RedHat
OS Version: 8.7
Product Version: 1.11.0.411
Summary: 0010250: Authentication Issue with Certificates – BadIdentityTokenRejected
Description

I am facing an issue with certificate-based authentication.
The connection fails with a BadIdentityTokenRejected error, even though the same certificates work fine with UAExpert.
After analyzing the traffic with Wireshark, I noticed that the certificate is sent without being signed.
I also found that the certificate.js file is missing, and I am wondering if this could be related.

Steps To Reproduce

Connect to OPCUA server in mode 2 sign and encrypt basic256sha256.
Select certificate for UserAuthenticationPolicy.

Additional Information

Version of UACTT tool : V1.04.11-01.00.508-x86_64

Tags: No tags attached.
Attached Files
image.png (129,956 bytes)   
image-2.png (77,593 bytes)   
ServerSide.png (420,563 bytes)
Files Affected

Activities

Paul Hunkar

2025-03-21 16:01

administrator   ~0022554

This is not about creating a secure channel (sign and encrypt); it is about User authentication. It appears that what is being reported is a problem with Authenticating a User using the X.509 certificate - most applications use Username/Password.

Franck ETIENNE

2025-03-21 16:22

reporter   ~0022555

Our OPCUA server is for a specific client where authentication by usr/passwd is forbidden.
Our OPCUA server refuses authentication with usr/passwd.
Do we need to open authentication with usr/passwd?

Paul Hunkar

2025-03-25 14:41

administrator   ~0022564

User Authentication can be accomplished by using Username/password, X509 certificates, or tokens (OAuth2 - JWT). The CTT currently tests User Authentication for Username/Password and for X509; it does not yet test for OAuth2/JWT. This still needs to be added and will be added under a different mantis issue. The tests for Username/Password and X509 work correctly and have no issues. This issue is about a Server that requires User Authentication when running. A number of tests (not security related) do not work when using X509 user certificates for all connections to the Server.

A workaround is to use UsernamePassword or Anonymous.

Issue History

Date Modified Username Field Change
2025-03-21 14:27 Franck ETIENNE New Issue
2025-03-21 14:27 Franck ETIENNE File Added: image.png
2025-03-21 14:27 Franck ETIENNE File Added: image-2.png
2025-03-21 14:27 Franck ETIENNE File Added: ServerSide.png
2025-03-21 16:01 Paul Hunkar Note Added: 0022554
2025-03-21 16:22 Franck ETIENNE Note Added: 0022555
2025-03-25 14:33 Paul Hunkar Steps to Reproduce Updated
2025-03-25 14:41 Paul Hunkar Note Added: 0022564