Secure Connections with Qt OPC UA

Starting with the Qt 5.13 release, due at the end of May, the Qt OPC UA API in combination with the Unified Automation backend officially supports secure connections to servers (Sign or SignAndEncrypt message security mode). The following article outlines the changes to the Qt OPC UA API and shows how to get secure connections with the open62541 backend as well.

Security related QOpcUaClient API changes

To enable secure connections a number of changes to the API of the QOpcUaClient were necessary – some of them preventing existing code from compiling. In summary:

  • The connectToEndpoint() method which takes a QUrl parameter has been removed. The only supported way to specify which server to connect to is now via an endpoint description retrieved using requestEndpoints().
  • supportedSecurityPolicies() returns a list with the OPC UA security policies supported by the current backend.
  • setPkiConfiguration() is used to configure QOpcUaClient with a client certificate, a corresponding private key and the necessary data to verify server certificates.
  • setIdentity() configures the identity information QOpcUaClient provides to the server during the connect. This information can also be initialized from the client certificate.
  • Up to Qt 5.12, login credentials were supplied to QOpcUaClient by encoding username and password in the URL. setAuthenticationInformation() replaces this by a clean API which can be used to select anonymous, username and password or X509 certificate based authentication.
  • The connectError() signal is emitted when a connection to a server fails. Depending on the error, the connected slot can override it (for example, an untrusted or no longer valid server certificate).
  • If the private key is protected with a password, the passwordForPrivateKeyRequired() signal is emitted. The user can then supply the password in the connected slot.

State of the open62541 backend

The open62541 backend does not support secure connections in Qt 5.13 because this requires open62541 v0.4 which is not released yet.

A preview of security support based on the open62541 master branch has already been implemented and is available on gerrit.
The preview implements secure connections with the following security policies:

  • http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
  • http://opcfoundation.org/UA/SecurityPolicy#Basic256
  • http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

and the following user authentication token types:

  • Anonymous
  • UserName

Using password protected private keys and overriding certificate checking errors is not available yet.

Give it a try

In addition to the usual dependencies of Qt OPC UA, the preview requires mbedTLS which must be available in the system’s library search path.

The source code of the preview is available on gerrit. The easiest way to build it is to follow the instructions in our overall Qt OPC UA tutorial. As an additional step, the latest patch set from gerrit must be downloaded via the Anonymous HTTP checkout command (see the gerrit link above for details).

Make sure the output of the qmake step contains “mbedtls …. yes”. If it does not, the open62541 backend will be built without security support; in that case, consult the config.log file to find out why detecting the mbedTLS library failed.

Outlook

We are working towards officially enabling secure connections for the open62541 backend in a later release of Qt. Until then, we encourage you to try out this preview and to provide feedback on its current state.
