HIVEMQ EDGE OPC-UA: Connection issue

1

HI All
I’ve installed the hivemq-edge container and trying to us OPC-UA adapter. I’m getting error when I start up the adapter as following:

2024-11-07 09:53:23,842 INFO - Starting protocol-adapter ‘Sim172291685’.
2024-11-07 09:53:23,888 WARN - Failed to initialize a channel. Closing: [id: 0xe5ca31a7]
org.eclipse.milo.opcua.stack.core.UaException: no KeyPair configured


2024-11-07 09:53:23,892 ERROR - Not able to connect and subscribe to OPC-UA server opc.tcp://10.0.0.9:4840/XXXXX
java.util.concurrent.CompletionException: io.netty.channel.StacklessClosedChannelException


2024-11-07 09:53:23,895 WARN - Protocol-adapter ‘Sim172291685’ could not be started, reason: io.netty.channel.StacklessClosedChannelException
java.util.concurrent.CompletionException: io.netty.channel.StacklessClosedChannelException

My conf file looks as following:

    <opc-ua-client>
        <overrideUri>true</overrideUri>
        <subscriptions>
            <subscription>
                <publishing-interval>1000</publishing-interval>
                <qos>0</qos>
                <server-queue-size>1</server-queue-size>
                <node>ns=4;i=6131:UnitTime</node>
                <mqtt-topic>UnitTimeMQTT</mqtt-topic>
            </subscription>
        </subscriptions>
        <uri>opc.tcp://10.0.0.9:4840/XXXX</uri>
        <auth>
            <basic>
                <username>XXXX</username>
                <password>XXXX</password>
            </basic>
        </auth>
        <tls>
            <enabled>true</enabled>
            <keystore>
                <path>/home/digital/certstore/client-keystore.pem</path>
                <password></password>
                <private-key-password>XXXX</private-key-password>
            </keystore>
            <truststore>
                <path></path>
                <password></password>
            </truststore>
        </tls>
        <security>
            <policy>BASIC256SHA256</policy>
        </security>
        <id>Sim172291685</id>
    </opc-ua-client>
</protocol-adapters>

I’ve created self singed certificate, which are located in mentioned path. I also tried using not keystore info but that also doesn’t work.

I know that the OPCUA server is available and can be access with the credentials provided.

I have no name!@a8968f9015e3:/opt/hivemq$ openssl s_client -connect 10.0.0.9:4840
CONNECTED(00000003)

Any idea?

2

Update-
I’ve now created the .jsk for keystore. Now I’m getting a different error.

2024-11-07 17:04:44,821 ERROR - Not able to start OPC-UA client for server opc.tcp://10.0.0.9:4840/GFUnitServer
com.hivemq.edge.adapters.opcua.util.SslException: Not able to recover key from KeyStore, please check your private-key-password and your keyStorePassword

Following is my keytool verifcation output, which seems to be fine

docker run --rm -v $(pwd):/mnt openjdk:11 keytool -list -keystore /mnt/client-keystore.jks -storepass “yourKeystorePassword” -keypass “yourKeyPassword”
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
clientkey, Nov 7, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:DA:21:CD:59:84:D8:09:BB:58:58:E5:A8:1D:09:AC:B7:CC:4C:46:B3:BF:1A:32:81:78:FC:45:7E:AA:7F:B0
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore /mnt/client-keystore.jks -destkeystore /mnt/client-keystore.jks -deststoretype pkcs12”.

And here is my config.xml

I have no name!@a8968f9015e3:/opt/hivemq$ ls
bin client-keystore.jks conf data extensions license log modules README.txt text.txt third-party-licenses

My conf file looks as following:

    <uri>opc.tcp://10.0.0.9:4840/GFUnitServer</uri>
        <auth>
            <basic>
                <username>user</username>
                <password>password</password>
            </basic>
        </auth>
        <tls>
            <enabled>true</enabled>
            <keystore>
                <path>client-keystore.jks</path>
                <password>yourKeystorePassword</password>
                <private-key-password>yourKeyPassword</private-key-password>
            </keystore>
        </tls>
3

Hello @PP_GFMS

Welcome to the HiveMQ Community! To get started, could you let us know what type of OPC-UA server implementation you’re using?

Additionally, could you provide a screenshot of the OPC-UA server’s endpoint configuration and share the commands you’re using to create the client keystore? This information will help us better assist you.

Kind regards,
Diego from HiveMQ Team

4

You can see the server properties below:

OPCUAServer
OPCUAServer411×622 16.5 KB

Please note when I connect using the UA expert I’ve to ignore certificate errror

OPCUAServerLogs
OPCUAServerLogs1028×801 51.4 KB

following is how I create the certificate, I suspect this is the faulty part.

docker run --rm -v $(pwd):/mnt openjdk:11 keytool -genkey
-keyalg RSA
-alias hivemq
-keystore hivemq.jks
-storepass yourKeyPassword
-validity 360
-keysize 2048
-dname “CN=example.com, OU=IT, O=ExampleCorp, L=City, ST=State, C=US”
-v

The current error I’m getting is

2024-11-13 12:56:17,584 ERROR - Not able to start OPC-UA client for server opc.tcp://10.0.0.9:4840/GFUnitServer
com.hivemq.edge.adapters.opcua.util.SslException: Not able to recover key from KeyStore, please check your private-key-password and your keyStorePassword

5

Hi @PP_GFMS

The error “Not able to recover key from KeyStore” suggests that the provided private-key-password or keystore password is incorrect or not set correctly.

Try listing the keystore contents again using:

docker run --rm -v $(pwd):/mnt openjdk:21 keytool -list -keystore /mnt/hivemq.jks -storepass yourKeystorePassword

Make sure the keystore contains a PrivateKeyEntry, not just a trusted certificate.

If the private key is missing, you might need to re-generate the keystore correctly.

Your key generation command lacks the -keypass argument, which might be causing issues. Try creating the keystore properly:

docker run --rm -v $(pwd):/mnt openjdk:21 keytool -genkeypair \
-alias hivemq \
-keyalg RSA \
-keysize 2048 \
-validity 360 \
-keystore /mnt/hivemq.jks \
-storepass yourKeystorePassword \
-keypass yourKeyPassword \
-dname "CN=example.com, OU=IT, O=ExampleCorp, L=City, ST=State, C=US"

After generating the keystore, extract the certificate:

docker run --rm -v $(pwd):/mnt openjdk:21 keytool -export -alias hivemq -keystore /mnt/hivemq.jks -storepass yourKeystorePassword -file /mnt/hivemq.crt

And import it into the truststore:

docker run --rm -v $(pwd):/mnt openjdk:21 keytool -import -trustcacerts -alias hivemq -file /mnt/hivemq.crt -keystore /mnt/truststore.jks -storepass yourKeystorePassword -noprompt

Make sure your config.xml reflects the correct settings:

<tls>
    <enabled>true</enabled>
    <keystore>
        <path>/opt/hivemq/hivemq.jks</path>
        <password>yourKeystorePassword</password>
        <private-key-password>yourKeyPassword</private-key-password>
    </keystore>
    <truststore>
        <path>/opt/hivemq/truststore.jks</path>
        <password>yourKeystorePassword</password>
    </truststore>
</tls>

Try running:

docker run --rm -v $(pwd):/mnt openjdk:21 keytool -list -keystore /mnt/hivemq.jks -storepass yourKeystorePassword -v

This should confirm if your keystore contains the correct key and certificate.

If errors persist, check your OPC-UA server logs to see if there are any TLS-related issues.

I hope this helps.
Best,
Dasha from The HiveMQ Team