milo: The user identity token is valid but the server has rejected it with X509 certificate authentication
Hello Kevin, I am currently running into the following issue. I have been trying for the past two days with no luck; any help or reference documentation is highly appreciated. I am using the eclipse-milo v0.4 SDK in the client and a Prosys OPC UA server with certificate authentication enabled. I am using the KeystoreLoader class from milo-examples to create the certificate and key pair. I have added this certificate to the trusted ones on the Prosys server and tried connecting using the client, but I am unable to authenticate successfully and it throws “status=Bad_IdentityTokenRejected, description=The user identity token is valid but the server has rejected it.”
Client configuration
```java
OpcUaClientConfigBuilder configBuilder = new OpcUaClientConfigBuilder();
configBuilder.setApplicationName(LocalizedText.english("appName"));
// User identity token: the X509 certificate and private key that authenticate the user.
configBuilder.setIdentityProvider(new X509IdentityProvider(
        keyStoreLoader.getClientCertificate(),
        keyStoreLoader.getClientKeyPair().getPrivate()));
configBuilder.setEndpoint(endpointDescriptions.get(0));
// Application Instance Certificate and key pair: the same certificate as the user token above.
configBuilder.setCertificate(keyStoreLoader.getClientCertificate());
configBuilder.setKeyPair(keyStoreLoader.getClientKeyPair());
configBuilder.setApplicationUri("urn:localhost:appName");
opcUaClient = OpcUaClient.create(configBuilder.build());
opcUaClient.connect().get();
```
Prosys server configuration


Exception in client:
```
java.util.concurrent.ExecutionException: UaServiceFaultException: status=Bad_IdentityTokenRejected, message=The user identity token is valid but the server has rejected it.
    at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
    at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2070)
    at com.cat.ai.runtime.common.connection.daq.OpcUAConnection.connect(OpcUAConnection.java:200)
    ....................... org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:363)
    at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:307)
    at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:136)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:414)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1770)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:593)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:515)
    at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:847)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:877)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549)
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141)
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:744)
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:391)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:312)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1204)
    at com.cat.ai.services.edge.EdgeApplication.main(EdgeApplication.java:48)
Caused by: org.eclipse.milo.opcua.stack.core.UaServiceFaultException: status=Bad_IdentityTokenRejected, description=The user identity token is valid but the server has rejected it.
    at org.eclipse.milo.opcua.stack.client.UaStackClient.lambda$deliverResponse$5(UaStackClient.java:275)
    at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:835)
```
Thanks
About this issue
- State: closed
- Created 4 years ago
- Comments: 15 (7 by maintainers)
Well I don’t know a lot about the Prosys server since it’s not my project, but this thread was originally about how the UI in Prosys is only for accepting the Application Instance Certificate, not any certificate that might be used for authenticating a user, which is a different thing that just also happens to use an X509 certificate as well (or there are other authentication mechanisms like username/password). So it was necessary to trust X509 certificates used for authenticating a user via moving the files since there is no UI.
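The file-based trust step described in the comment above, as an added example (not code from the original thread, from Milo, or from Prosys): it exports only the public part of the certificate passed to `X509IdentityProvider` as a DER file, so it can be placed in the server's trust location for user certificates, which is separate from the trust given to the Application Instance Certificate. The class name, the `KEYSTORE_PASSWORD` environment variable and the command-line arguments are assumptions; the thread does not name the Prosys directory, so the target folder is supplied by the caller.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

// Hypothetical helper class, JDK only.
public class ExportUserCertificate {

    // SHA-1 over the DER encoding: the thumbprint to compare against what the server lists.
    static String thumbprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("KEYSTORE_PASSWORD"); // assumed variable name
        if (args.length != 3 || password == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... ExportUserCertificate"
                    + " <keystore.pfx> <alias> <user-cert-trust-dir>");
            System.exit(2);
        }
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            keyStore.load(in, password.toCharArray());
        }
        X509Certificate userCert = (X509Certificate) keyStore.getCertificate(args[1]);
        if (userCert == null) {
            throw new IllegalArgumentException("no certificate under alias " + args[1]);
        }
        userCert.checkValidity(); // throws if the certificate is expired or not yet valid

        // Only the public certificate leaves the keystore; the private key is never written.
        // The file name is arbitrary; the thumbprint keeps it unique.
        Path out = Paths.get(args[2]).resolve(thumbprint(userCert) + ".der");
        Files.write(out, userCert.getEncoded());

        System.out.println("subject:    " + userCert.getSubjectX500Principal().getName());
        System.out.println("thumbprint: " + thumbprint(userCert));
        System.out.println("written to: " + out);
    }
}
```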