GitHub user dominikriemer added a comment to the discussion: Use certificate /
encrypted communication using OPC UA Adapter
Hi @jormus, welcome!
Here are some things you can try to get it working:
There are a few environment variables related to OPC-UA that can be provisioned
to the extension service. I list these from the `Env` class in
`streampipes-commons`:
* `SP_OPCUA_SECURITY_DIR("/streampipes-security/opcua")`
* `SP_OPCUA_KEYSTORE_FILE("keystore.pfx")`
* `SP_OPCUA_KEYSTORE_PASSWORD("password")`
* `SP_OPCUA_KEYSTORE_TYPE("PKCS12")`
* `SP_OPCUA_KEYSTORE_ALIAS("apache-streampipes")`
* `SP_OPCUA_APPLICATION_URI("urn:org:apache:streampipes:opcua:client")`
If you attach a volume to `/streampipes-security/opcua`, StreamPipes will try to
load the keystore from this directory. In the keystore, you should have a
KeyPair with the alias as defined in `SP_OPCUA_KEYSTORE_ALIAS`. If you are
using a self-signed certificate, `CA=FALSE` needs to be set under Basic
Constraints. In addition, the Subject Alternative Name must be set to the same
value as defined in `SP_OPCUA_APPLICATION_URI`.
Here is an example of a valid certificate configuration:
<img width="613" alt="image"
src="https://github.com/user-attachments/assets/a90adb1a-ee84-49b5-b414-3165085f71ff"
/>
This is the setup needed for the client certificate.
To accept server certificates, the following directory structure will be
automatically created once you connect to an OPC-UA server for the first time
with encryption enabled:
<img width="228" alt="image"
src="https://github.com/user-attachments/assets/5945fb0a-0bdd-4039-a14f-8e597eec3d4b"
/>
By default, server certificates will be placed in the "rejected" folder. You
can move these to `trusted/certs` to trust the server.
So for the K8s setup, I'd recommend creating a single volume with this
directory layout. Currently, accepted certificates need to be manually placed
in the `trusted/certs` folder. In the future, we might improve this process so
that certificates can be managed over the UI.
Hope this helps!
GitHub link:
https://github.com/apache/streampipes/discussions/3423#discussioncomment-13135802
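
The client keystore requirements described in the comment above (PKCS12, key pair under the configured alias, `CA:FALSE`, SAN equal to the application URI), as an added example that is not part of the original comment or of StreamPipes itself. It assumes the `openssl` CLI (1.1.1 or later); the function names, the `client.*` file names and the CN are hypothetical, and the defaults are the values listed in the comment.

```sh
#!/bin/sh
# Added example: build and verify the OPC-UA client keystore with openssl.
# Defaults below are the values listed in the comment; override via environment.
umask 077   # client.key is written unencrypted, keep it private
FILE="${SP_OPCUA_KEYSTORE_FILE:-keystore.pfx}"
ALIAS="${SP_OPCUA_KEYSTORE_ALIAS:-apache-streampipes}"
URI="${SP_OPCUA_APPLICATION_URI:-urn:org:apache:streampipes:opcua:client}"
export KS_PASS="${SP_OPCUA_KEYSTORE_PASSWORD:-password}"  # read by openssl via env:

# make_keystore DIR: self-signed client certificate with CA:FALSE and the
# application URI as SAN, exported as PKCS12 under the expected alias.
make_keystore() {
  d="$1"; mkdir -p "$d"
  cat > "$d/client.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_client
prompt = no
[dn]
CN = streampipes-opcua-client
[v3_client]
basicConstraints = critical, CA:FALSE
subjectAltName = URI:$URI
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/client.cnf" \
    -keyout "$d/client.key" -out "$d/client.crt" 2>/dev/null &&
  openssl pkcs12 -export -name "$ALIAS" -inkey "$d/client.key" \
    -in "$d/client.crt" -out "$d/$FILE" -passout env:KS_PASS
}

# check_keystore PFX: return 0 only if alias, CA:FALSE and SAN URI all match.
check_keystore() {
  bag=$(openssl pkcs12 -in "$1" -nokeys -passin env:KS_PASS 2>/dev/null) ||
    { echo "cannot open $1 with the configured password"; return 1; }
  text=$(printf '%s\n' "$bag" | openssl x509 -noout -text) || return 1
  printf '%s\n' "$bag" | grep -q "friendlyName: $ALIAS *\$" ||
    { echo "no entry with alias $ALIAS"; return 1; }
  printf '%s\n' "$text" | grep -q 'CA:FALSE' ||
    { echo "Basic Constraints is not CA:FALSE"; return 1; }
  printf '%s\n' "$text" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "URI:$URI" ||
    { echo "SAN does not contain URI:$URI"; return 1; }
}

# Demo in a scratch directory; copy the .pfx into the mounted security dir.
tmp=$(mktemp -d) && make_keystore "$tmp" && check_keystore "$tmp/$FILE" &&
  echo "keystore OK: $tmp/$FILE"
```

`check_keystore` can also be pointed at an existing keystore before mounting the volume, with the same `SP_OPCUA_*` variables exported as for the extension service.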