
The user identity token is valid but the server has rejected it with X509 certificate authentication


Hello Kevin, I am currently running into the following issue. I have been trying for the past two days with no luck, and any help or reference documentation is highly appreciated. I am using the eclipse-milo v0.4 SDK in the client and a Prosys OPC UA server with certificate authentication enabled. I am using the KeystoreLoader class from milo-examples to create a certificate and key pair, and I have added this certificate to the trusted ones on the Prosys server, but when I try to connect with the client I am unable to authenticate successfully; it throws “status=Bad_IdentityTokenRejected, description=The user identity token is valid but the server has rejected it.”

Client configuration

import org.eclipse.milo.opcua.sdk.client.OpcUaClient;
import org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfigBuilder;
import org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider;
import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;

OpcUaClientConfigBuilder configBuilder = new OpcUaClientConfigBuilder();
configBuilder.setApplicationName(LocalizedText.english("appName"));
// The same certificate/key pair serves both as the X.509 user identity and
// (via setCertificate/setKeyPair below) as the application instance certificate.
configBuilder.setIdentityProvider(new X509IdentityProvider(
        keyStoreLoader.getClientCertificate(), keyStoreLoader.getClientKeyPair().getPrivate()));
configBuilder.setEndpoint(endpointDescriptions.get(0));
configBuilder.setCertificate(keyStoreLoader.getClientCertificate());
configBuilder.setKeyPair(keyStoreLoader.getClientKeyPair());
configBuilder.setApplicationUri("urn:localhost:appName");
opcUaClient = OpcUaClient.create(configBuilder.build());
opcUaClient.connect().get();

[Prosys server configuration screenshot, not reproduced]

Exception in client:

java.util.concurrent.ExecutionException: UaServiceFaultException: status=Bad_IdentityTokenRejected, message=The user identity token is valid but the server has rejected it.
	at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
	at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2070)
	at com.cat.ai.runtime.common.connection.daq.OpcUAConnection.connect(OpcUAConnection.java:200)
	...
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:363)
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:307)
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:136)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:414)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1770)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:593)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:515)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:847)
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:877)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549)
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141)
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:744)
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:391)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:312)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1204)
	at com.cat.ai.services.edge.EdgeApplication.main(EdgeApplication.java:48)
Caused by: org.eclipse.milo.opcua.stack.core.UaServiceFaultException: status=Bad_IdentityTokenRejected, description=The user identity token is valid but the server has rejected it.
	at org.eclipse.milo.opcua.stack.client.UaStackClient.lambda$deliverResponse$5(UaStackClient.java:275)
	at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:835)

Thanks

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 15 (7 by maintainers)

Top GitHub Comments

1 reaction
kevinherron commented, Mar 9, 2021

Well I don’t know a lot about the Prosys server since it’s not my project, but this thread was originally about how the UI in Prosys is only for accepting the Application Instance Certificate, not any certificate that might be used for authenticating a user, which is a different thing that just also happens to use an X509 certificate as well (or there are other authentication mechanisms like username/password). So it was necessary to trust X509 certificates used for authenticating a user via moving the files since there is no UI.
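The distinction Kevin draws above (application instance certificate versus the X.509 certificate used as a user identity token) is easy to lose when one key pair plays both roles, as in the client configuration at the top of the issue. The following is an added example, not code from the issue or from the Eclipse Milo project: it keeps the two certificates separate, checks that the chosen endpoint even advertises a Certificate user token policy, exports the user certificate as DER so an operator can place it in the server's trusted user store (the USERS_PKI folder mentioned later in the thread, for Prosys), and distinguishes a Bad_IdentityTokenRejected fault from other connection failures. It assumes the Milo 0.4.x package names and builder APIs shown (SelfSignedCertificateBuilder, DiscoveryClient, OpcUaClientConfig.builder()); the endpoint URL, the "opc-user" common name and the opc-user.der file name are placeholders.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ExecutionException;

import org.eclipse.milo.opcua.sdk.client.OpcUaClient;
import org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfig;
import org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider;
import org.eclipse.milo.opcua.stack.client.DiscoveryClient;
import org.eclipse.milo.opcua.stack.core.StatusCodes;
import org.eclipse.milo.opcua.stack.core.UaServiceFaultException;
import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
import org.eclipse.milo.opcua.stack.core.types.enumerated.UserTokenType;
import org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription;
import org.eclipse.milo.opcua.stack.core.util.SelfSignedCertificateBuilder;

// Added example (assumes Eclipse Milo 0.4.x APIs); not the issue's or the project's own code.
public class X509UserAuthClient {

    // Application URI from the issue's configuration; it must match the SAN URI of the application certificate.
    static final String APP_URI = "urn:localhost:appName";

    static KeyPair rsaKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Self-signed certificate for the given key pair. Only the application instance
    // certificate gets the application URI; the user certificate identifies a person/role.
    static X509Certificate selfSigned(KeyPair kp, String commonName, String appUri) throws Exception {
        SelfSignedCertificateBuilder b = new SelfSignedCertificateBuilder(kp).setCommonName(commonName);
        if (appUri != null) {
            b.setApplicationUri(appUri);
        }
        return b.build();
    }

    // An X.509 user token can only be accepted on an endpoint whose user token
    // policies include the Certificate token type.
    static boolean acceptsCertificateUsers(EndpointDescription ep) {
        return ep.getUserIdentityTokens() != null && Arrays.stream(ep.getUserIdentityTokens())
            .anyMatch(policy -> policy.getTokenType() == UserTokenType.Certificate);
    }

    // DER export of the user certificate: this is the file an operator copies into the
    // server's trusted *user* certificate store (separate from the application trust list).
    static Path exportDer(X509Certificate cert, Path out) throws Exception {
        Files.write(out, cert.getEncoded());
        return out;
    }

    public static void main(String[] args) throws Exception {
        String endpointUrl = args.length > 0 ? args[0] : "opc.tcp://localhost:4840"; // placeholder URL

        KeyPair appKeys = rsaKeyPair();
        X509Certificate appCert = selfSigned(appKeys, "appName", APP_URI);
        KeyPair userKeys = rsaKeyPair();
        X509Certificate userCert = selfSigned(userKeys, "opc-user", null);   // placeholder user name
        exportDer(userCert, Path.of("opc-user.der"));                        // placeholder file name

        List<EndpointDescription> endpoints = DiscoveryClient.getEndpoints(endpointUrl).get();
        EndpointDescription endpoint = endpoints.stream()
            .filter(X509UserAuthClient::acceptsCertificateUsers)
            .findFirst()
            .orElseThrow(() -> new IllegalStateException("no endpoint offers X.509 user authentication"));

        OpcUaClientConfig config = OpcUaClientConfig.builder()
            .setApplicationName(LocalizedText.english("appName"))
            .setApplicationUri(APP_URI)
            .setEndpoint(endpoint)
            .setCertificate(appCert)                                          // application instance identity
            .setKeyPair(appKeys)
            .setIdentityProvider(new X509IdentityProvider(userCert, userKeys.getPrivate())) // user identity
            .build();

        OpcUaClient client = OpcUaClient.create(config);
        try {
            client.connect().get();
            System.out.println("session activated with X.509 user identity");
        } catch (ExecutionException e) {
            // The trace in the issue shows the fault arriving as the cause of ExecutionException.
            if (e.getCause() instanceof UaServiceFaultException
                    && ((UaServiceFaultException) e.getCause()).getStatusCode().getValue()
                        == StatusCodes.Bad_IdentityTokenRejected) {
                System.err.println("Bad_IdentityTokenRejected: the token itself verified (key pair and signature are fine);"
                    + " the server does not yet trust opc-user.der as a user certificate.");
            } else {
                throw e;
            }
        } finally {
            client.disconnect().get();
        }
    }
}
```

Because the secure channel and session are already established by the time ActivateSession runs, a Bad_IdentityTokenRejected here tells you the application certificate was trusted and the user token signature checked out; what remains is the server-side trust decision on the user certificate, which is why accepting the client in the server's application certificate UI does not resolve it.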

0 reactions
KishanKishore commented, Mar 9, 2021

You can’t programmatically force a server to accept or trust your client’s certificates, that would defeat the purpose.

You can programmatically accept the server’s certificate in your client, but how you would do that depends on the library you are using.

  • I understand that.
  • What I don’t get is this: when the client generates a new certificate and presents it to the server (ProSys Simulation Server), and we accept that certificate on the server, why would I still need to copy it to the USERS_PKI folder manually?
  • I want the connection to work once the certificate has been accepted from the UI.
  • Perhaps I need to read more about this. Thanks for your replies though. Really helpful.