Secure Connections with Qt OPC UA

Starting with the Qt 5.13 release, due at the end of May, the Qt OPC UA API in combination with the Unified Automation backend officially supports secure connections to servers (Sign or SignAndEncrypt message security mode). The following article outlines the changes to the Qt OPC UA API and shows how to get secure connections with the open62541 backend as well.

Security related QOpcUaClient API changes

To enable secure connections, a number of changes to the API of QOpcUaClient were necessary, some of which prevent existing code from compiling. In summary:

  • The connectToEndpoint() method which takes a QUrl parameter has been removed. The only supported way to specify which server to connect to is now via an endpoint description retrieved using requestEndpoints().
  • supportedSecurityPolicies() returns a list with the OPC UA security policies supported by the current backend.
  • setPkiConfiguration() is used to configure QOpcUaClient with a client certificate, a corresponding private key and the necessary data to verify server certificates.
  • setIdentity() configures the identity information QOpcUaClient provides to the server while connecting. This information can also be initialized from the client certificate.
  • Up to Qt 5.12, login credentials were supplied to QOpcUaClient by encoding username and password in the URL. setAuthenticationInformation() replaces this with a clean API which can be used to select anonymous, username/password or X509 certificate based authentication.
  • The connectError() signal is emitted when a connection to a server fails. Depending on the error, the connected slot is able to override it (for example an untrusted or no longer valid server certificate).
  • If the private key is protected with a password, the passwordForPrivateKeyRequired() signal is emitted. The user can then supply the password in the connected slot.

State of the open62541 backend

The open62541 backend does not support secure connections in Qt 5.13 because this requires open62541 v0.4 which is not released yet.

A preview of security support based on the open62541 master branch has already been implemented and is available on gerrit.
The preview implements secure connections with the following security policies

  • http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
  • http://opcfoundation.org/UA/SecurityPolicy#Basic256
  • http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

and the following user authentication token types

  • Anonymous
  • UserName

Using password-protected private keys and overriding certificate checking errors is not available yet.
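The API summary above leaves the client with a decision to make: requestEndpoints() returns whatever the server offers, supportedSecurityPolicies() says what the backend can do, and the code in between has to refuse SecurityPolicy#None, insist on SignAndEncrypt where the deployment requires confidentiality, and prefer the strongest policy both sides share. The following plain C++ example (added here; it is not code from Qt OPC UA or from the article) models that selection over a constructed endpoint list, using the three policy URIs the open62541 preview implements. The Endpoint struct, SecurityMode enum and sampleEndpoints() are stand-ins for QOpcUaEndpointDescription and a GetEndpoints answer; the ranking puts Basic256Sha256 ahead of the two SHA-1 based policies, which the OPC Foundation has deprecated.

```cpp
#include <string>
#include <vector>

// Constructed stand-in for the parts of an endpoint description a client needs
// when choosing where to connect: URL, message security mode and policy URI.
enum class SecurityMode { Invalid, None, Sign, SignAndEncrypt };

struct Endpoint {
    std::string url;
    SecurityMode mode;
    std::string policyUri;
};

// The three policies the preview implements, most preferred first.
// Basic128Rsa15 and Basic256 rely on SHA-1 and are deprecated by the OPC
// Foundation, so they rank below Basic256Sha256 when a server offers both.
static const std::vector<std::string> kPolicyPreference = {
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
    "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
};

// Position in the preference list; -1 for anything unranked, including
// SecurityPolicy#None, which must never be selected.
int policyRank(const std::string &uri) {
    for (size_t i = 0; i < kPolicyPreference.size(); ++i)
        if (kPolicyPreference[i] == uri) return static_cast<int>(i);
    return -1;
}

// Higher is better. None and Invalid are unacceptable and score 0.
int modeScore(SecurityMode mode) {
    switch (mode) {
    case SecurityMode::SignAndEncrypt: return 2;
    case SecurityMode::Sign: return 1;
    default: return 0;
    }
}

// Index of the endpoint to connect to, or -1 when none is acceptable.
// A candidate must at least sign messages, must use a policy that is both
// ranked here and present in the client's own supported list (what
// supportedSecurityPolicies() would return), and with requireEncryption must
// use SignAndEncrypt. Among candidates, encryption beats signing, then the
// stronger policy wins.
int chooseEndpoint(const std::vector<Endpoint> &endpoints,
                   const std::vector<std::string> &clientPolicies,
                   bool requireEncryption) {
    int best = -1;
    int bestMode = 0;
    int bestRank = 0;
    for (size_t i = 0; i < endpoints.size(); ++i) {
        const Endpoint &ep = endpoints[i];
        const int mode = modeScore(ep.mode);
        if (mode == 0) continue;
        if (requireEncryption && ep.mode != SecurityMode::SignAndEncrypt) continue;
        const int rank = policyRank(ep.policyUri);
        if (rank < 0) continue;
        bool supported = false;
        for (const auto &p : clientPolicies)
            if (p == ep.policyUri) supported = true;
        if (!supported) continue;
        if (best < 0 || mode > bestMode || (mode == bestMode && rank < bestRank)) {
            best = static_cast<int>(i);
            bestMode = mode;
            bestRank = rank;
        }
    }
    return best;
}

// Constructed sample of what a server's GetEndpoints answer might contain.
// The last entry uses a policy this client does not know and must be skipped.
std::vector<Endpoint> sampleEndpoints() {
    return {
        {"opc.tcp://server.example:4840", SecurityMode::None,
         "http://opcfoundation.org/UA/SecurityPolicy#None"},
        {"opc.tcp://server.example:4840", SecurityMode::Sign,
         "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"},
        {"opc.tcp://server.example:4840", SecurityMode::SignAndEncrypt,
         "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"},
        {"opc.tcp://server.example:4840", SecurityMode::SignAndEncrypt,
         "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"},
        {"opc.tcp://server.example:4840", SecurityMode::SignAndEncrypt,
         "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss"},
    };
}

int main() {
    // With all three policies supported and encryption required, the
    // SignAndEncrypt/Basic256Sha256 endpoint (index 3) is chosen.
    const int idx = chooseEndpoint(sampleEndpoints(), kPolicyPreference, true);
    return idx == 3 ? 0 : 1;
}
```

In a real client the chosen description would be passed to connectToEndpoint() after setPkiConfiguration() and setAuthenticationInformation(); the point of ranking mode before policy is that a SignAndEncrypt endpoint with an older policy still protects confidentiality, whereas a Sign-only endpoint with the newest policy does not.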

Give it a try

In addition to the usual dependencies of Qt OPC UA, the preview requires mbedTLS which must be available in the system’s library search path.

The source code of the preview is available on gerrit. The easiest way to build it is to follow the instructions in our overall Qt OPC UA tutorial. As an additional step, the latest patch set must be downloaded from gerrit via the Anonymous HTTP checkout command (see the gerrit link above for details).

Make sure the output of the qmake step contains “mbedtls …. yes”. If it does not, the open62541 backend will be built without security support; in that case, consult the config.log file to find out why detection of the mbedTLS library failed.

Outlook

We are working towards officially enabling secure connections for the open62541 backend in a later release of Qt. Until then we encourage you to try out this preview and to provide feedback on its current state.

5 Responses

  1. Hello,

    I wanted to know if it is possible to include this library update in the Qt 5.12.5 version of QtOpcUa. If it is, how would I go about applying the patch, as it didn't seem to work for me.
    When running qmake, there's no line available for the mbedTLS library, and according to the log files it doesn't even get searched.

    Kind Regards

    • Well, in the end it was kind of my own stupidity that stopped me from doing this properly. I applied the patch the wrong way which resulted in all kinds of mistakes. I had to add LIBS+= -lmbedtls -lmbedx509 -lmbedcrypto to the open62541.pri file, to make it properly nmake.

      In the end I still think something went wrong along the way, as client.supportedSecurityPolicies returns only 1, which is none.

      • I just keep posting problems and then solving them a day later, but at least I can maybe help if anyone else has this problem.
        This time the problem was once again applying the patch incorrectly. With no experience with gerrit, I thought it would be sufficient to install only the linked patch, which was not the case.
        In reality, I also need the other one that's linked on the right side of the gerrit page.

  2. I would like to install and try out this patch but I’m running into some problems.
    After a lot of working to get qmake to finally accept my mbed libs and giving me the long awaited mbedtls…..yes, the nmake step fails.

    I get this error:
    mbedcrypto.lib(entropy_poll.obj) : error LNK2019: unresolved external symbol __imp__CryptAcquireContextA@20 referenced in function _mbedtls_platform_entropy_poll

    I followed your tutorial on building Qt OPC UA, although I used vcvarsamd64_x86 instead of vcvarsx86_amd64, as I am building for a Qt 32-bit version.

    After cloning the qtopcua directory, I run
    git fetch "https://codereview.qt-project.org/qt/qtopcua" refs/changes/11/226111/33 && git checkout FETCH_HEAD
    to apply the Patch
    226111: Fix build and tests with the current open62541 v1.0.

    Do you know where I could have made a mistake in these steps? Or is it possible that my mbedtls libs are corrupt in some way?

    I hope for feedback

    Many thanks

Jannis Völker

Jannis Völker is a software engineer at basysKom GmbH in Darmstadt. After joining basysKom in 2017, he has been working in connectivity projects for embedded devices, Azure based cloud projects and has made contributions to Qt OPC UA and open62541. He has a background in embedded Linux, Qt and OPC UA and holds a master's degree in computer science from the University of Applied Sciences in Darmstadt.