
Field Analytics - Resolving OPC UA Connection Issues Due to SHA-1 Certificate in Kepware

Related Products
AN-64500, FA, 1 - 3 SYSTEMS, PER SYSTEM
FieldAnalytics
application software
Attachments
OPCUA SHA1.png


Issue Summary

When attempting to connect to an OPC UA server using Field Analytics 1.3.2, the connection may fail due to certificate validation issues. This occurs when the OPC UA server (e.g., Kepware) uses a certificate signed with the SHA-1 hashing algorithm, which is now considered deprecated and insecure. Some versions of Kepware may still use SHA-1 by default.

Root Cause

Field Analytics rejects certificates signed with SHA-1 by default for security reasons. Additionally, the minimum certificate key size may be set too high to accept legacy certificates.


Resolution Steps

To allow communication with servers using SHA-1 signed certificates, follow the steps below:

  1. Locate Configuration File:

    Navigate to the following directories on the machine running the PubSub services:

    C:\Program Files\SICK\FieldAnalytics\PubSubBridge\uOPCPubSub.API
    C:\Program Files\SICK\FieldAnalytics\PubSubBridge\uOPCPubSub

  2. Edit the Configuration File:

    Open the file named OPC.UA.UServer.Config.xml in each of the directories above:

    C:\Program Files\SICK\FieldAnalytics\PubSubBridge\uOPCPubSub.API\OPC.UA.UServer.Config.xml
    C:\Program Files\SICK\FieldAnalytics\PubSubBridge\uOPCPubSub\OPC.UA.UServer.Config.xml

  3. Modify/Add the Following XML Lines:

    Insert the following lines within the appropriate <SecurityConfiguration> section of the XML file:

    <RejectSHA1SignedCertificates>false</RejectSHA1SignedCertificates>
    <MinimumCertificateKeySize>1024</MinimumCertificateKeySize>

    * Please see the image attached at the end of the article for reference.

  4. Restart Services:
    After saving the file, restart the PubSubBridge services to apply the changes.

Validation

This fix has been successfully tested in a virtual environment using the same Kepware SHA-1 certificate scenario. After applying the change and restarting services, the OPC UA connection was established without errors.


Notes for Support Personnel

  • Ensure that the issue is related to SHA-1 certificate rejection before applying this fix.

  • This fix is only a temporary workaround; upgrading the server to use SHA-256 certificates is strongly recommended for enhanced security.

  • If further issues occur or the certificate cannot be located, verify certificate trust settings and ensure the client certificate is added to the server's trusted list.
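
One way to carry out the check in the first note before relaxing validation, as an added PowerShell example that is not SICK or Kepware code: it reads an exported server certificate and both configuration files, then reports which of the two checks named under Root Cause would block that certificate. The certificate path is a placeholder and assumes the server certificate has been exported to a file; the script is read-only.

```powershell
# Added example, not vendor code. Read-only: it changes no file and no service.
param(
    # Assumption: the OPC UA server certificate was exported to this placeholder path.
    [string]$CertPath = 'C:\Temp\opcua-server-cert.der',
    [string[]]$ConfigPaths = @(
        'C:\Program Files\SICK\FieldAnalytics\PubSubBridge\uOPCPubSub.API\OPC.UA.UServer.Config.xml',
        'C:\Program Files\SICK\FieldAnalytics\PubSubBridge\uOPCPubSub\OPC.UA.UServer.Config.xml'
    )
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
# 1.2.840.113549.1.1.5 is the OID of sha1WithRSAEncryption.
$isSha1 = $cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.5'
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keyBits = if ($null -ne $rsa) { $rsa.KeySize } else { $null }   # $null when the key is not RSA

Write-Host "Subject            : $($cert.Subject)"
Write-Host "Signature algorithm: $($cert.SignatureAlgorithm.FriendlyName) (SHA-1: $isSha1)"
Write-Host "RSA key size (bits): $keyBits"
Write-Host "Valid until        : $($cert.NotAfter)"

foreach ($path in $ConfigPaths) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($path)
    # local-name() keeps the lookup independent of any XML namespace used in the file.
    $sec = $doc.SelectSingleNode("//*[local-name()='SecurityConfiguration']")
    if ($null -eq $sec) { Write-Warning "No <SecurityConfiguration> in $path"; continue }
    $reject = $sec.SelectSingleNode("*[local-name()='RejectSHA1SignedCertificates']")
    $minKey = $sec.SelectSingleNode("*[local-name()='MinimumCertificateKeySize']")

    # The article states SHA-1 is rejected by default, so a missing element counts as "reject".
    $rejects = ($null -eq $reject) -or ($reject.InnerText.Trim() -ne 'false')
    $tooSmall = ($null -ne $minKey) -and ($null -ne $keyBits) -and
                ($keyBits -lt [int]$minKey.InnerText.Trim())

    [pscustomobject]@{
        Config           = $path
        RejectSHA1       = if ($null -ne $reject) { $reject.InnerText.Trim() } else { 'not set' }
        MinKeySize       = if ($null -ne $minKey) { $minKey.InnerText.Trim() } else { 'not set' }
        BlockedBySha1    = $isSha1 -and $rejects
        BlockedByKeySize = $tooSmall
    }
}
```

If both `BlockedBySha1` and `BlockedByKeySize` are False for a certificate that still fails to connect, the cause lies elsewhere, for example in the trust settings mentioned in the last note. The same script can be re-run after the server moves to a SHA-256 certificate to confirm the workaround can be reverted.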

 
Keywords:
Field Analytics, FA1.3.2, OPC UA connections, Kepware Servers, OPC UA