HIVEMQ EDGE OPC-UA: Connection issue

Hi All,
I’ve installed the hivemq-edge container and am trying to use the OPC-UA adapter. I’m getting the following error when I start the adapter:

2024-11-07 09:53:23,842 INFO - Starting protocol-adapter ‘Sim172291685’.
2024-11-07 09:53:23,888 WARN - Failed to initialize a channel. Closing: [id: 0xe5ca31a7]
org.eclipse.milo.opcua.stack.core.UaException: no KeyPair configured


2024-11-07 09:53:23,892 ERROR - Not able to connect and subscribe to OPC-UA server opc.tcp://10.0.0.9:4840/XXXXX
java.util.concurrent.CompletionException: io.netty.channel.StacklessClosedChannelException


2024-11-07 09:53:23,895 WARN - Protocol-adapter ‘Sim172291685’ could not be started, reason: io.netty.channel.StacklessClosedChannelException
java.util.concurrent.CompletionException: io.netty.channel.StacklessClosedChannelException

My conf file looks like the following:

    <opc-ua-client>
        <overrideUri>true</overrideUri>
        <subscriptions>
            <subscription>
                <publishing-interval>1000</publishing-interval>
                <qos>0</qos>
                <server-queue-size>1</server-queue-size>
                <node>ns=4;i=6131:UnitTime</node>
                <mqtt-topic>UnitTimeMQTT</mqtt-topic>
            </subscription>
        </subscriptions>
        <uri>opc.tcp://10.0.0.9:4840/XXXX</uri>
        <auth>
            <basic>
                <username>XXXX</username>
                <password>XXXX</password>
            </basic>
        </auth>
        <tls>
            <enabled>true</enabled>
            <keystore>
                <path>/home/digital/certstore/client-keystore.pem</path>
                <password></password>
                <private-key-password>XXXX</private-key-password>
            </keystore>
            <truststore>
                <path></path>
                <password></password>
            </truststore>
        </tls>
        <security>
            <policy>BASIC256SHA256</policy>
        </security>
        <id>Sim172291685</id>
    </opc-ua-client>
</protocol-adapters>

I’ve created a self-signed certificate, which is located in the mentioned path. I also tried without the keystore info, but that also doesn’t work.

I know that the OPC-UA server is available and can be accessed with the credentials provided.

I have no name!@a8968f9015e3:/opt/hivemq$ openssl s_client -connect 10.0.0.9:4840
CONNECTED(00000003)

Any idea?

Update:
I’ve now created the .jks keystore. Now I’m getting a different error.

2024-11-07 17:04:44,821 ERROR - Not able to start OPC-UA client for server opc.tcp://10.0.0.9:4840/GFUnitServer
com.hivemq.edge.adapters.opcua.util.SslException: Not able to recover key from KeyStore, please check your private-key-password and your keyStorePassword

Following is my keytool verification output, which seems to be fine:

docker run --rm -v $(pwd):/mnt openjdk:11 keytool -list -keystore /mnt/client-keystore.jks -storepass "yourKeystorePassword" -keypass "yourKeyPassword"
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
clientkey, Nov 7, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:DA:21:CD:59:84:D8:09:BB:58:58:E5:A8:1D:09:AC:B7:CC:4C:46:B3:BF:1A:32:81:78:FC:45:7E:AA:7F:B0
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /mnt/client-keystore.jks -destkeystore /mnt/client-keystore.jks -deststoretype pkcs12".

And here is my config.xml

I have no name!@a8968f9015e3:/opt/hivemq$ ls
bin client-keystore.jks conf data extensions license log modules README.txt text.txt third-party-licenses

My conf file looks like the following:

        <uri>opc.tcp://10.0.0.9:4840/GFUnitServer</uri>
        <auth>
            <basic>
                <username>user</username>
                <password>password</password>
            </basic>
        </auth>
        <tls>
            <enabled>true</enabled>
            <keystore>
                <path>client-keystore.jks</path>
                <password>yourKeystorePassword</password>
                <private-key-password>yourKeyPassword</private-key-password>
            </keystore>
        </tls>

Hello @PP_GFMS

Welcome to the HiveMQ Community! To get started, could you let us know what type of OPC-UA server implementation you’re using?

Additionally, could you provide a screenshot of the OPC-UA server’s endpoint configuration and share the commands you’re using to create the client keystore? This information will help us better assist you.

Kind regards,
Diego from HiveMQ Team

You can see the server properties below:

Please note that when I connect using UaExpert I have to ignore the certificate error.

The following is how I create the certificate; I suspect this is the faulty part.

docker run --rm -v $(pwd):/mnt openjdk:11 keytool -genkey \
  -keyalg RSA \
  -alias hivemq \
  -keystore hivemq.jks \
  -storepass yourKeyPassword \
  -validity 360 \
  -keysize 2048 \
  -dname "CN=example.com, OU=IT, O=ExampleCorp, L=City, ST=State, C=US" \
  -v

The current error I’m getting is

2024-11-13 12:56:17,584 ERROR - Not able to start OPC-UA client for server opc.tcp://10.0.0.9:4840/GFUnitServer
com.hivemq.edge.adapters.opcua.util.SslException: Not able to recover key from KeyStore, please check your private-key-password and your keyStorePassword
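The following script is an added example, not code from the original thread or from HiveMQ or Eclipse Milo. It shows two things the posts above touch on: how to produce a client keystore whose certificate carries the subjectAltName URI and key usages that OPC UA servers expect on an application-instance certificate, and how to check that a password really recovers the private key. `keytool -list` only proves the store password; it lists the `PrivateKeyEntry` without decrypting it, so a wrong `-keypass` passes that check unnoticed. The script builds a PKCS12 file with openssl (openssl cannot write JKS), and in a PKCS12 file one password protects both the MAC and the key, so `<password>` and `<private-key-password>` would have to be the same value. Assumptions, all labelled in the code: OpenSSL 1.1.1 or newer, the application URI `urn:example:hivemq-edge:opcua-client` and the subject name are placeholders, and the adapter reads the keystore through the standard Java KeyStore API (which loads JKS and PKCS12, not a bare PEM file). Two general caveats worth checking as well: with `docker run --rm -v $(pwd):/mnt`, only files written under `/mnt` survive the container, and the path in `<keystore><path>` must be a path the hivemq-edge container itself can see.

```shell
#!/bin/sh
# Added example, not HiveMQ or Eclipse Milo code: build a PKCS12 client keystore
# for an OPC UA adapter and check that a password really recovers the private key.
# Assumptions: OpenSSL 1.1.1+ (needed for -addext); the application URI and the
# subject name are placeholders and must match what the client advertises.
set -eu

# gen_opcua_client_keystore DIR PASSWORD APP_URI
# Writes DIR/client-key.pem, DIR/client-cert.pem and DIR/client-keystore.p12.
# OPC UA application-instance certificates carry the application URI in the
# subjectAltName and these key usages (OPC UA Part 6); servers check both.
gen_opcua_client_keystore() {
  dir=$1; pass=$2; app_uri=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/client-key.pem" -out "$dir/client-cert.pem" \
    -subj "/CN=hivemq-edge-opcua-client/O=ExampleCorp" \
    -addext "subjectAltName=URI:$app_uri,DNS:localhost" \
    -addext "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment" \
    -addext "extendedKeyUsage=clientAuth,serverAuth" >/dev/null 2>&1
  # A PKCS12 file has one password for the MAC and the encrypted key, so an
  # adapter config must use the same value for the store and the private key.
  # Legacy PBE/MAC algorithms are chosen so older JDKs can read the file too.
  openssl pkcs12 -export -name clientkey \
    -inkey "$dir/client-key.pem" -in "$dir/client-cert.pem" \
    -out "$dir/client-keystore.p12" -passout "pass:$pass" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# keystore_unlocks FILE PASSWORD
# Returns 0 only if PASSWORD verifies the MAC and decrypts the private key.
# Merely listing entries (keytool -list, openssl pkcs12 -info -nokeys) proves less.
keystore_unlocks() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
    -out /dev/null >/dev/null 2>&1
}

# cert_app_uri CERT
# Prints the URI from the certificate's subjectAltName (what the server compares
# against the client's ApplicationUri).
cert_app_uri() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\([^,]*\).*/\1/p'
}

# Stand-alone demo:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  gen_opcua_client_keystore "$work" "yourKeystorePassword" "urn:example:hivemq-edge:opcua-client"
  echo "application URI: $(cert_app_uri "$work/client-cert.pem")"
  if keystore_unlocks "$work/client-keystore.p12" "yourKeystorePassword"; then
    echo "correct password recovers the key"
  fi
  if ! keystore_unlocks "$work/client-keystore.p12" "yourKeyPassword"; then
    echo "wrong password is rejected"
  fi
fi
```

Run it with `--demo` to see the round trip, then point the adapter's `<keystore><path>` at the generated `.p12` with both password fields set to the same value used for `-passout`. If `keystore_unlocks` fails with the password you put in the config, the adapter will fail the same way regardless of what `keytool -list` reports.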