Error -356608 and -356610 When Creating a Server or Client With LabVIEW OPC UA Toolkit

Updated Aug 25, 2023

Reported In

Software

  • LabVIEW OPC UA Toolkit

Other

OPC UA Server

Issue Details

  • I am using the LabVIEW 2017 OPC UA Toolkit to create a client VI that will communicate with an external OPC UA server (like those hosted on another PC or a PLC). When I call the Connect VI from this toolkit to connect to the server.
  • When running the Data Access Server.vi included in the OPC UA Demo.lvproj (LabVIEW examples).
After following any of the steps above, I get one of the following errors even when I specify on both my client and server to not use a security policy:
  • Error -356608: The certificate is expired or is not yet valid.
error.png
  • Error -356610: The certificate is not trusted
 

Solution

To correct this issue, you can try the following:
  • Check the system time on both the client and server systems. Make sure your client system is set to an earlier time than your server.
  • Upgrade to LabVIEW and the OPC UA Toolkit version 2018 or later.
  • On the OPC Connect VI connect the Input “Trust any Server?” to a true constant. The default value is “False”, thus this may be the source of the trust issue.
  • It is possible that the OPC UA toolkit shows as an Untrusted Client on the OPC UA Server side. Changing that to Trusted Client can fix this issue.
  • On OPC UA Toolkit version prior to 2018, make sure you created a certificate for the connection.
  • When creating a server (NI OPC UA Server.lib:Create.vi) or client (NI OPC UA Client.lib:Connect.vi) a certificate file might be used (this is provided through the server certificate file and client certificate file inputs of the VIs previously mentioned). If no certificate is provided, a new default certificate is generated and used. In both scenarios (provided or default certificate) the certificate must not be more than 4 years old as explained in the Creating or Renewing OPC UA Certificates Using the LabVIEW OPC UA Toolkit article. Make sure the certificate used by the server or client has a valid date. 
Sol1.png
 

Additional Information

When certificates are generated, they use the current system time as a timestamp. As part of the handshake process to set up an OPC UA connection, the certificates are exchanged and evaluated by the receiving system. Part of this evaluation is checking to make sure the certificate's timestamp is valid.

If the server's certificate has a timestamp later than the client's current time, for example, the client will recognize that this timestamp must be incorrect, causing it to reject the certificate and abort the connection. Errors like the ones listed above can be thrown to alert you that the certificate is not valid.

If the system times appear to be compatible, you may be seeing a known issue with the 2017 version of the LabVIEW OPC UA Toolkit. These errors can be thrown even when specifying that a security policy, and therefore security certificates, should not be used. This behavior was fixed in the 2018 version and later of the toolkit. If you are unable to upgrade from 2017 to 2018, please contact NI Support .