inmation.exe -i server --corehost core.machine.com
To disable discovery, set this property to null.
- The Anonymous policy requires setting up a mapping from the anonymous user to an inmation profile.
- The User policy configures the server instance to authenticate the user name and password provided by the client against the inmation profiles.
The Endpoint can be configured for secure communication with different security policy options. The different options are:
Every Endpoint security policy except None requires a UA server certificate. The Server component creates a UA server certificate automatically when the first UA Server instance is created.
The server can be configured to automatically Trust or Reject client certificates (see Certificate Management). For a successful secure client connection, the UA client certificate needs to be either manually or automatically copied into the following folder:
Depending on the UA client used to connect to the inmation UA server, the UA server's certificate may have to be installed manually in the client's public key infrastructure. The UA server certificate is located at:
Depending on the security policy configured for a UA server endpoint, connecting to the inmation UA server via an external client may require the client to provide a security certificate.
The certificate management options make it possible to automatically trust or reject self-signed certificates from clients that connect to the server. The user can configure the inmation UA server so that self-signed certificates are directed to the desired location in a local certificate store (the "rejected" or "certs" folder in the "certificates" location in the "inmation.root" directory).
For more information on configuring the Certificate Management in DataStudio, please visit the DataStudio documentation tutorial. The decision to trust or reject client certificates can also be made using a Lua script with customized logic.
Both the rejection and the acceptance of certificates are indicated in the log for the UA server.
The following Trust Mode Options are available.
- Reject: All self-signed client certificates are rejected and no connection is made. The Rejected property is updated with information about the rejected certificate and a log entry is created. The certificate is moved to the rejected folder in the inmation.root > certificates directory.
- Trust: All self-signed client certificates are trusted and the connection is made. If the certificate was previously rejected (and therefore recorded in the Rejected property), the connection is initially not made; the certificate is moved from Rejected to Trusted, and the reconnection then succeeds. A log entry about the certificate being trusted is also created.
- Script: The self-signed client certificate is trusted or rejected based on the Lua script logic contained in the Script Trust Mode properties. See below for more details.
By selecting the Script Trust Mode, the logic behind certificate management can be customized using a Lua script. Every time a client connects using an untrusted application instance certificate, the Lua script is invoked.
The script receives 3 parameters:
- A string containing the PEM encoded untrusted application instance certificate from the client
- A string containing the security policy URI for the current secure channel, as specified in OPC UA
- An integer identifying the security mode of the secure channel (0 = invalid, 1 = none, 2 = sign, 4 = signandencrypt)
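An example script may look like this:

```lua
local x509 = require 'ssl.x509'

-- Arguments passed by the server: PEM-encoded client certificate,
-- security policy URI and security mode of the secure channel.
local cert_pem, sec_policy, sec_mode = ...

local cert = x509.load(cert_pem)
if not cert then
  error("could not load certificate")
end

-- Trust the certificate if its subject common name is "UaExpert".
for _, entry in pairs(cert:subject()) do
  if entry.name == "commonName" and entry.value == "UaExpert" then
    return true
  end
end

return false
```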
A boolean "true" return value indicates that the certificate should be trusted. Any other value rejects the certificate.
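
The subject common name of a self-signed certificate is chosen by whoever creates it, so a Script Trust Mode decision is stronger when it pins the certificate itself and also checks the channel parameters. The following is an added example, not inmation's own code: it trusts a client only if the channel uses signandencrypt, the policy URI is a non-deprecated OPC UA policy, and the certificate's SHA-256 fingerprint is on an allow list. It assumes the LuaSec `cert:digest("sha256")` method is available in the server's Lua environment; the pinned fingerprint and its label are constructed placeholders.

```lua
local x509 = require 'ssl.x509'
local cert_pem, sec_policy, sec_mode = ...

-- Constructed placeholder: replace with the SHA-256 fingerprint (hex)
-- of each approved client application instance certificate.
local PINNED_SHA256 = {
  ["0000000000000000000000000000000000000000000000000000000000000000"] = "placeholder-client",
}

-- OPC UA security policy URIs that are not deprecated.
local ALLOWED_POLICIES = {
  ["http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"] = true,
  ["http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep"] = true,
  ["http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss"] = true,
}

local MODE_SIGN_AND_ENCRYPT = 4 -- value from the parameter list above

-- Returns true only when every check passes; any failure rejects.
local function decide(pem, policy, mode)
  if mode ~= MODE_SIGN_AND_ENCRYPT then return false end
  if not ALLOWED_POLICIES[policy] then return false end
  if type(pem) ~= "string" then return false end

  -- pcall keeps a malformed certificate from raising instead of rejecting.
  local ok, cert = pcall(x509.load, pem)
  if not ok or not cert then return false end

  -- Assumption: LuaSec's digest method returns the fingerprint as hex.
  local ok_fp, fp = pcall(cert.digest, cert, "sha256")
  if not ok_fp or type(fp) ~= "string" then return false end

  -- Normalize case and strip separators such as ":" before the lookup.
  fp = fp:lower():gsub("[^0-9a-f]", "")
  return PINNED_SHA256[fp] ~= nil
end

return decide(cert_pem, sec_policy, sec_mode)
```

Because only a boolean true trusts the certificate, every error path here returns false, so a parsing failure or an unexpected channel mode results in rejection.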