Search in sources :

Example 1 with SecurityPolicy

use of com.prosysopc.ua.stack.transport.security.SecurityPolicy in project FAAAST-Service by FraunhoferIOSB.

the class Server method startup.

/**
 * Starts the server
 */
public void startup() {
    try {
        String hostName;
        hostName = InetAddress.getLocalHost().getHostName();
        ApplicationIdentity.setActualHostName(hostName);
        // *** Create the server
        server = new UaServer();
        // currently without IPv6
        server.setEnableIPv6(true);
        // Use PKI files to keep track of the trusted and rejected client
        // certificates...
        final PkiDirectoryCertificateStore applicationCertificateStore = new PkiDirectoryCertificateStore("PKI/CA");
        final PkiDirectoryCertificateStore applicationIssuerCertificateStore = new PkiDirectoryCertificateStore("PKI/CA/issuers");
        final DefaultCertificateValidator applicationCertificateValidator = new DefaultCertificateValidator(applicationCertificateStore, applicationIssuerCertificateStore);
        server.setCertificateValidator(applicationCertificateValidator);
        // ...and react to validation results with a custom handler
        applicationCertificateValidator.setValidationListener(validationListener);
        // Handle user certificates
        final PkiDirectoryCertificateStore userCertificateStore = new PkiDirectoryCertificateStore("USERS_PKI/CA");
        final PkiDirectoryCertificateStore userIssuerCertificateStore = new PkiDirectoryCertificateStore("USERS_PKI/CA/issuers");
        final DefaultCertificateValidator userCertificateValidator = new DefaultCertificateValidator(userCertificateStore, userIssuerCertificateStore);
        userValidator = new AasUserValidator(userCertificateValidator);
        // ...and react to validation results with a custom handler
        userCertificateValidator.setValidationListener(userCertificateValidationListener);
        // *** Application Description is sent to the clients
        ApplicationDescription appDescription = new ApplicationDescription();
        // 'localhost' (all lower case) in the ApplicationName and
        // ApplicationURI is converted to the actual host name of the computer
        // (including the possible domain part) in which the application is run.
        // (as available from ApplicationIdentity.getActualHostName())
        // 'hostname' is converted to the host name without the domain part.
        // (as available from
        // ApplicationIdentity.getActualHostNameWithoutDomain())
        appDescription.setApplicationName(new LocalizedText(APPLICATION_NAME + "@hostname"));
        appDescription.setApplicationUri(APPLICATION_URI);
        appDescription.setProductUri("urn:de:fraunhofer:iosb:opcua:aas:server");
        appDescription.setApplicationType(ApplicationType.Server);
        // *** Server Endpoints
        // TCP Port number for the UA TCP protocol
        server.setPort(Protocol.OpcTcp, tcpPort);
        // TCP Port for the HTTPS protocol - currently disabled
        // server.setPort(Protocol.OpcHttps, httpsPort);
        // optional server name part of the URI (default for all protocols)
        // server.setServerName("OPCUA/" + applicationName);
        // Optionally restrict the InetAddresses to which the server is bound.
        // You may also specify the addresses for each Protocol.
        // The default is binding to IPv6 wildcard '[::]' when isEnableIPv6 is true
        // or to IPv4 wildcard '0.0.0.0' otherwise.
        // Alternatively, the Server can be bound to all available InetAddresses.
        // isEnableIPv6 defines whether IPv6 address should be included in the bound addresses.
        // Note that it requires Java 7 or later to work in practice in Windows
        // server.setBindAddresses(EndpointUtil.getInetAddresses(server.isEnableIPv6()));
        // *** Certificates
        logger.info("Loading certificates..");
        File privatePath = new File(applicationCertificateStore.getBaseDir(), "private");
        // Define a certificate for a Certificate Authority (CA) which is used
        // to issue the keys. Especially
        // the HTTPS certificate should be signed by a CA certificate, in order
        // to make the .NET applications trust it.
        // 
        // If you have a real CA, you should use that instead of this sample CA
        // and create the keys with it.
        // Here we use the IssuerCertificate only to sign the HTTPS certificate
        // (below) and not the Application Instance Certificate.
        KeyPair issuerCertificate = ApplicationIdentity.loadOrCreateIssuerCertificate("FraunhoferIosbSampleCA@" + ApplicationIdentity.getActualHostNameWithoutDomain() + "_https_" + CERT_KEY_SIZE, privatePath, "opcua", 3650, false, CERT_KEY_SIZE);
        int[] keySizes = new int[] { CERT_KEY_SIZE };
        // If you wish to use big certificates (4096 bits), you will need to
        // define two certificates for your application, since to interoperate
        // with old applications, you will also need to use a small certificate
        // (up to 2048 bits).
        // Also, 4096 bits can only be used with Basic256Sha256 security
        // profile, which is currently not enabled by default, so we will also
        // leave the the keySizes array as null. In that case, the default key
        // size defined by CertificateUtils.getKeySize() is used.
        // keySizes = new int[] { 2048, 4096 };
        // *** Application Identity
        // Define the Server application identity, including the Application
        // Instance Certificate (but don't sign it with the issuerCertificate as
        // explained above).
        final ApplicationIdentity identity = ApplicationIdentity.loadOrCreateCertificate(appDescription, "Fraunhofer IOSB", /* Private Key Password */
        "opcua", /* Key File Path */
        privatePath, /* Issuer Certificate & Private Key */
        null, /* Key Sizes for instance certificates to create */
        keySizes, /* Enable renewing the certificate */
        true);
        // Create the HTTPS certificate bound to the hostname.
        // The HTTPS certificate must be created, if you enable HTTPS.
        hostName = ApplicationIdentity.getActualHostName();
        identity.setHttpsCertificate(ApplicationIdentity.loadOrCreateHttpsCertificate(appDescription, hostName, "opcua", issuerCertificate, privatePath, true, CERT_KEY_SIZE));
        server.setApplicationIdentity(identity);
        // *** Security settings
        /*
             * Define the security modes to support for the Binary protocol.
             * Note that different versions of the specification might add/deprecate some modes, in this
             * example all the modes are added, but you should add some way in your application to configure
             * these. The set is empty by default, you must add at least one SecurityMode for the server to
             * start.
             */
        Set<SecurityPolicy> supportedSecurityPolicies = new HashSet<>();
        /*
             * This policy does not support any security. Should only be used in isolated networks.
             */
        supportedSecurityPolicies.add(SecurityPolicy.NONE);
        // Modes defined in previous versions of the specification
        supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_101);
        supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_102);
        supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_103);
        /*
             * Per the 1.04 specification, only these should be used. However in practice this list only
             * contains very new security policies, which most of the client applications as of today that
             * are used might not be unable to (yet) use.
             */
        supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_104);
        Set<MessageSecurityMode> supportedMessageSecurityModes = new HashSet<>();
        /*
             * This mode does not support any security. Should only be used in isolated networks. This is
             * also the only mode, which does not require certificate exchange between the client and server
             * application (when used in conjunction of only ANONYMOUS UserTokenPolicy).
             */
        supportedMessageSecurityModes.add(MessageSecurityMode.None);
        /*
             * This mode support signing, so it is possible to detect if messages are tampered. Note that
             * they are not encrypted.
             */
        supportedMessageSecurityModes.add(MessageSecurityMode.Sign);
        /*
             * This mode signs and encrypts the messages. Only this mode is recommended outside of isolated
             * networks.
             */
        supportedMessageSecurityModes.add(MessageSecurityMode.SignAndEncrypt);
        /*
             * This creates all possible combinations (NONE pairs only with None) of the configured
             * MessageSecurityModes and SecurityPolicies) for opc.tcp communication.
             */
        server.getSecurityModes().addAll(SecurityMode.combinations(supportedMessageSecurityModes, supportedSecurityPolicies));
        /*
             * NOTE! The MessageSecurityMode.None for HTTPS means Application level authentication is not
             * used. If used in combination with the UserTokenPolicy ANONYMOUS anyone can access the server
             * (but the traffic is encrypted). HTTPS mode is always encrypted, therefore the given
             * MessageSecurityMode only affects if the UA certificates are exchanged when forming the
             * Session.
             */
        server.getHttpsSecurityModes().addAll(SecurityMode.combinations(EnumSet.of(MessageSecurityMode.None, MessageSecurityMode.Sign), supportedSecurityPolicies));
        // The TLS security policies to use for HTTPS
        Set<HttpsSecurityPolicy> supportedHttpsSecurityPolicies = new HashSet<>();
        // (HTTPS was defined starting from OPC UA Specification 1.02)
        supportedHttpsSecurityPolicies.addAll(HttpsSecurityPolicy.ALL_102);
        supportedHttpsSecurityPolicies.addAll(HttpsSecurityPolicy.ALL_103);
        // Only these are recommended by the 1.04 Specification
        supportedHttpsSecurityPolicies.addAll(HttpsSecurityPolicy.ALL_104);
        server.getHttpsSettings().setHttpsSecurityPolicies(supportedHttpsSecurityPolicies);
        // Number of threads to reserve for the HTTPS server, default is 10
        // server.setHttpsWorkerThreadCount(10);
        // Define the certificate validator for the HTTPS certificates;
        // we use the same validator that we use for Application Instance Certificates
        server.getHttpsSettings().setCertificateValidator(applicationCertificateValidator);
        // Define the supported user authentication methods
        server.addUserTokenPolicy(UserTokenPolicies.ANONYMOUS);
        server.addUserTokenPolicy(UserTokenPolicies.SECURE_USERNAME_PASSWORD);
        server.addUserTokenPolicy(UserTokenPolicies.SECURE_CERTIFICATE);
        // Define a validator for checking the user accounts
        server.setUserValidator(userValidator);
        // currently skip discovery
        // // Register to the local discovery server (if present)
        // try {
        // server.setDiscoveryServerUrl(DISCOVERY_SERVER_URL);
        // }
        // catch (URISyntaxException e) {
        // logger.error("DiscoveryURL is not valid", e);
        // }
        // *** 'init' creates the service handlers and the default endpoints
        // *** according to the settings defined above
        server.init();
        initBuildInfo();
        // "Safety limits" for ill-behaving clients
        server.getSessionManager().setMaxSessionCount(500);
        // one hour
        server.getSessionManager().setMaxSessionTimeout(3600000);
        server.getSubscriptionManager().setMaxSubscriptionCount(50);
        /*
             * Safety limits for XXXContinuationPoints. Note! These are the current defaults. Technically a
             * value of 0 (unlimited) is allowed by the OPC UA Specification, but our implementation does
             * allocate server-side memory, thus do not use value of 0 (or you can run out of memory).
             * Future SDK releases may improve this.
             */
        ServerCapabilitiesTypeNode serverCapabilities = server.getAddressSpace().getNodeManagerRoot().getServerData().getServerCapabilitiesNode();
        serverCapabilities.setMaxBrowseContinuationPoints(UnsignedShort.MAX_VALUE);
        serverCapabilities.setMaxQueryContinuationPoints(UnsignedShort.MAX_VALUE);
        serverCapabilities.setMaxHistoryContinuationPoints(UnsignedShort.MAX_VALUE);
        // You can do your own additions to server initializations here
        createAddressSpace();
        server.start();
        running = true;
    } catch (Throwable ex) {
        logger.error("startup Exception", ex);
    }
}
Also used : DefaultCertificateValidator(com.prosysopc.ua.stack.cert.DefaultCertificateValidator) KeyPair(com.prosysopc.ua.stack.transport.security.KeyPair) MessageSecurityMode(com.prosysopc.ua.stack.core.MessageSecurityMode) ApplicationIdentity(com.prosysopc.ua.ApplicationIdentity) UaServer(com.prosysopc.ua.server.UaServer) ServerCapabilitiesTypeNode(com.prosysopc.ua.types.opcua.server.ServerCapabilitiesTypeNode) ApplicationDescription(com.prosysopc.ua.stack.core.ApplicationDescription) LocalizedText(com.prosysopc.ua.stack.builtintypes.LocalizedText) PkiDirectoryCertificateStore(com.prosysopc.ua.stack.cert.PkiDirectoryCertificateStore) HttpsSecurityPolicy(com.prosysopc.ua.stack.transport.security.HttpsSecurityPolicy) SecurityPolicy(com.prosysopc.ua.stack.transport.security.SecurityPolicy) HttpsSecurityPolicy(com.prosysopc.ua.stack.transport.security.HttpsSecurityPolicy) File(java.io.File) HashSet(java.util.HashSet)

Aggregations

ApplicationIdentity (com.prosysopc.ua.ApplicationIdentity)1 UaServer (com.prosysopc.ua.server.UaServer)1 LocalizedText (com.prosysopc.ua.stack.builtintypes.LocalizedText)1 DefaultCertificateValidator (com.prosysopc.ua.stack.cert.DefaultCertificateValidator)1 PkiDirectoryCertificateStore (com.prosysopc.ua.stack.cert.PkiDirectoryCertificateStore)1 ApplicationDescription (com.prosysopc.ua.stack.core.ApplicationDescription)1 MessageSecurityMode (com.prosysopc.ua.stack.core.MessageSecurityMode)1 HttpsSecurityPolicy (com.prosysopc.ua.stack.transport.security.HttpsSecurityPolicy)1 KeyPair (com.prosysopc.ua.stack.transport.security.KeyPair)1 SecurityPolicy (com.prosysopc.ua.stack.transport.security.SecurityPolicy)1 ServerCapabilitiesTypeNode (com.prosysopc.ua.types.opcua.server.ServerCapabilitiesTypeNode)1 File (java.io.File)1 HashSet (java.util.HashSet)1