View Issue Details

ID: 0008982
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2023-06-22 15:53
Reporter: Kevin Herron (Inductive Automation)
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: fixed
Summary: 0008982: Server certificate not included in endpoints, but included in CreateSessionResponse
Description

I recently had an interop issue with a server that was configured with only one endpoint, which did not use security nor did it include a server certificate, but all of its username/password UserTokenPolicies required encryption.

It turns out that while this server did not include the certificate in the endpoints, it did include it in the CreateSessionResponse.

I can't find enough details in the spec to determine if this is a valid configuration or not.

Tags: No tags attached.

Activities

Randy Armstrong

2023-05-31 15:07

administrator   ~0019449

Last edited: 2023-05-31 15:08

CreateSessionResponse does not provide new information. Any Endpoints returned must match what is returned with GetEndpoints.

Matthias Damm

2023-06-16 12:14

developer   ~0019494

The answer makes no sense for the question

Matthias Damm

2023-06-16 12:18

developer   ~0019495

GetEndpoints states only the case where the server can omit the ServerCertificate:
If the securityPolicyUri is None and none of the UserTokenPolicies requires encryption, the Client shall ignore the ApplicationInstanceCertificate.

But if this statement is not true, the server 'shall' provide the ServerCertificate. Otherwise the client is not able to encrypt the password.

For CreateSession response, the server is recommended to not include the ServerCertificate:
It is recommended that Servers only include the server.applicationUri, endpointUrl, securityMode, securityPolicyUri, userIdentityTokens, transportProfileUri and securityLevel with all other parameters set to null or empty. Only the recommended parameters shall be verified by the Client.

Matthias Damm

2023-06-16 12:23

developer   ~0019496

Added the following clarification:

If the securityPolicyUri is not None or one of the UserTokenPolicies requires encryption, the Server shall include the ApplicationInstanceCertificate into the EndpointDescription.
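
The clarification in note 0019496, written as a client-side check over GetEndpoints results (an added example, not part of the issue thread or of the OPC UA specification). It assumes a UserTokenPolicy "requires encryption" when it is a UserName or IssuedToken policy whose own securityPolicyUri, or the endpoint's when that field is empty, is not None; the class names, function names and sample endpoints are constructed for illustration.

```python
from dataclasses import dataclass, field

NONE_URI = "http://opcfoundation.org/UA/SecurityPolicy#None"
BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
# Assumption: token types whose secret is encrypted before ActivateSession.
SECRET_TOKEN_TYPES = {"UserName", "IssuedToken"}

@dataclass
class UserTokenPolicy:
    policy_id: str
    token_type: str
    security_policy_uri: str = ""  # empty: inherit the endpoint's policy

@dataclass
class EndpointDescription:
    endpoint_url: str
    security_policy_uri: str
    server_certificate: bytes = b""
    user_identity_tokens: list = field(default_factory=list)

def requires_encryption(ep, tok):
    """True if this token policy's secret must be encrypted on this endpoint."""
    if tok.token_type not in SECRET_TOKEN_TYPES:
        return False
    return (tok.security_policy_uri or ep.security_policy_uri) != NONE_URI

def certificate_required(ep):
    """Rule from note 0019496: when the EndpointDescription must carry a certificate."""
    return ep.security_policy_uri != NONE_URI or any(
        requires_encryption(ep, t) for t in ep.user_identity_tokens)

def audit(endpoints):
    """Return (url, unusable policy ids) for endpoints missing a required certificate."""
    findings = []
    for ep in endpoints:
        if certificate_required(ep) and not ep.server_certificate:
            blocked = [t.policy_id for t in ep.user_identity_tokens
                       if requires_encryption(ep, t)]
            findings.append((ep.endpoint_url, blocked))
    return findings

# Constructed sample: the first entry mirrors the configuration in the report.
SAMPLE = [
    EndpointDescription("opc.tcp://reported.example:4840", NONE_URI, b"", [
        UserTokenPolicy("anon", "Anonymous"),
        UserTokenPolicy("user", "UserName", BASIC256SHA256)]),
    EndpointDescription("opc.tcp://open.example:4840", NONE_URI, b"", [
        UserTokenPolicy("anon", "Anonymous")]),
    EndpointDescription("opc.tcp://secure.example:4840", BASIC256SHA256,
                        b"\x30\x82", [UserTokenPolicy("user", "UserName")]),
]
```

A client that gets a finding for an endpoint has no key to encrypt the password with, so it should refuse those token policies rather than send the secret unencrypted.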

Jim Luth

2023-06-19 15:27

administrator   ~0019522

Agreed to changes in 1.03.05. Needs 1.04 Errata to close.

Randy Armstrong

2023-06-22 15:53

administrator   ~0019649

Accepted in Virtual F2F

Issue History

Date Modified Username Field Change
2023-05-25 16:27 Kevin Herron (Inductive Automation) New Issue
2023-05-31 15:07 Randy Armstrong Assigned To => Randy Armstrong
2023-05-31 15:07 Randy Armstrong Status new => resolved
2023-05-31 15:07 Randy Armstrong Resolution open => no change required
2023-05-31 15:07 Randy Armstrong Note Added: 0019449
2023-05-31 15:08 Randy Armstrong Note Edited: 0019449
2023-06-16 12:14 Matthias Damm Assigned To Randy Armstrong => Matthias Damm
2023-06-16 12:14 Matthias Damm Status resolved => feedback
2023-06-16 12:14 Matthias Damm Resolution no change required => reopened
2023-06-16 12:14 Matthias Damm Note Added: 0019494
2023-06-16 12:18 Matthias Damm Note Added: 0019495
2023-06-16 12:23 Matthias Damm Status feedback => resolved
2023-06-16 12:23 Matthias Damm Resolution reopened => fixed
2023-06-16 12:23 Matthias Damm Note Added: 0019496
2023-06-19 15:27 Jim Luth Note Added: 0019522
2023-06-22 15:53 Randy Armstrong Status resolved => closed
2023-06-22 15:53 Randy Armstrong Note Added: 0019649