ANSI C Based OPC UA Client/Server/PubSub SDK
1.9.4.474
The Unified Automation ANSI C Server SDK provides different options for server configuration.
See Configuring the SDK for configuration options at compile time.
The configuration options at runtime are described in the following sections.
The server configuration is managed with the structure UaServer_Configuration.
The server configuration structure can be initialized and configured in code or the settings can be loaded from a configuration file.
The sample code for configuration in code is available in the Getting Started server lessons.
The ANSI C SDK Demo Server comes with an example configuration file.
The configuration options are further described in the following section.
The section General contains the general server configuration options. It consists of the following parameters:
Parameter | Description | Default |
---|---|---|
MaxProviderNodes | Maximum number of nodes per provider supported by the server. | 3700 |
MaxReferencesToReturn | Maximum number of references to return in a Browse/BrowseNext response. | 10000 |
MaxTranslateResults | Maximum number of nodes to return in a TranslateBrowsePathsToNodeIds response. | 10000 |
MaxSecureChannels | Maximum number of SecureChannels. The upper limit of this value depends on the CMake settings UASTACK_TCPLISTENER_MAX_CONNECTIONS and UASTACK_SOCKETMANAGER_NUMBER_OF_SOCKETS (equals OPCUA_TCPLISTENER_MAXCONNECTIONS and OPCUA_P_SOCKETMANAGER_NUMBEROFSOCKETS). Set to 0 for no limit. | 100 |
MaxSessions | Maximum total number of sessions. As most clients use one SecureChannel per session, the upper limits of MaxSecureChannels apply to this setting, too. Set to 0 for no limit. | 50 |
MaxSessionsPerClient | Maximum number of sessions the server allows per client. Set to 0 for no limit. | 25 |
MaxSubscriptions | Maximum total number of subscriptions. Set to 0 for no limit. | 0 |
MaxSubscriptionsPerSession | Maximum number of subscriptions per session. Set to 0 for no limit. | 20 |
MaxPublishPerSession | Maximum number of publish requests per session. | 10 |
MaxContinuationPointsPerSession | Maximum number of continuation points per session. | 5 |
MaxQueryContinuationPointsPerSession | Maximum number of continuation points per session for Query services. | 5 |
MaxHistoryContinuationPointsPerSession | Maximum number of continuation points per session for ReadHistory services. | 5 |
MinSessionTimeout | Minimum session timeout in milliseconds. Set to 0 for no limit. | 0 |
MaxSessionTimeout | Maximum session timeout in milliseconds. Set to 0 for no limit. | 0 |
SessionTimeoutResolution | Session timeout resolution in milliseconds. Set to 0 for no limitation. | 0 |
MinPublishingInterval | The minimum supported publishing interval. | 50 |
MaxPublishingInterval | The maximum supported publishing interval. | 3600000 |
MinKeepAliveInterval | The minimum supported KeepAliveInterval for subscriptions. | 500 |
MaxKeepAliveInterval | The maximum supported KeepAliveInterval for subscriptions. | 1200000 |
MinLifetimeInterval | The minimum supported Lifetime for subscriptions. Should be at least 3 * MinKeepAliveInterval. | 1500 |
MaxLifetimeInterval | The maximum supported Lifetime for subscriptions. Should be at least 3 * MaxKeepAliveInterval. | 3600000 |
MaxMonitoredItems | Maximum total number of monitored items. Set to 0 for no limit. | 0 |
MaxMonitoredItemsPerSubscription | Maximum number of monitored items per subscription. Set to 0 for no limit. | 1000 |
GuaranteedMonitoredItemsPerSubscription | Guaranteed minimum number of monitored items a subscription can create. | 0 |
MaxMonitoredItemsPerSession | Maximum number of monitored items per session. Set to 0 for no limit. | 0 |
MaxMonitoredItemsQueueSize | Maximum queue size for data monitored items. | 10000 |
MaxEventMonitoredItemsQueueSize | Maximum queue size for event monitored items. | 10000 |
MaxDataLoggerSubscriptionItems | Maximum number of monitored items for the subscription containing the data logger nodes. | 1000 |
DataLoggerSubscriptionPublishingInterval | Publishing interval of the subscription containing the data logger nodes. | 500 |
DisableServerStateChange | Disable server state change method. | false |
The section Trace contains the trace settings for the OPC UA Stack and OPC UA Application. It consists of the following parameters:
Parameter | Description | Default |
---|---|---|
Enabled | Enable the trace. | false |
Level | Trace level (possible values: None, Error, Warning, System, Info, Debug, Content, All). | Warning |
LocalTimeTrace | Use local time instead of UTC in the trace. | false |
PrintDateInTrace | Print the date in addition to the time. | false |
ConsoleTraceEnabled | Enable tracing to the console on stdout. | true |
FileTraceEnabled | Enable tracing to a file. | false |
FileTraceFilename | File to use for tracing. | trace.log |
FileTraceMaxEntries | Maximum number of trace entries in one file. | 1000 |
FileTraceNumBackupFiles | Maximum number of backup files. | 5 |
FileTraceFlushDisabled | Do not flush the file after each trace entry. The trace file is flushed automatically from time to time anyway. | true |
EventTraceMode | Activate trace events for trace levels System, Warning and Error. Requires OPCUA_TRACE_RAW to be enabled. Possible values are: Disabled, History, HistoryAndEvents. | Disabled |
The section UaStack contains the serializer, transport and thread pool settings for the OPC UA Client/Server protocol stack. The stack handles the Client/Server secure channels and the basic service request and response message processing. It consists of the following parameters:
Parameter | Description | Default |
---|---|---|
Serializer_MaxAlloc | The largest memory block the serializer may allocate when deserializing a message. | 16777216 |
Serializer_MaxStringLength | The largest string accepted for any decoded string. | 16646145 |
Serializer_MaxByteStringLength | The largest byte string accepted for any decoded byte string. | 16646145 |
Serializer_MaxArrayLength | Maximum number of elements in an array accepted for any decoded array. | 65536 |
Serializer_MaxMessageSize | The maximum number of bytes per decoded message in total. | 16777216 |
TcpListener_DefaultChunkSize | The default and maximum size for message chunks in the server. Affects network performance and memory usage. | 65536 |
TcpTransport_MaxMessageLength | The default and maximum size for messages. Affects memory usage. | 16777216 |
TcpTransport_MaxChunkCount | The default and maximum number of message chunks per message. Affects memory usage. | 256 |
SecureListener_ThreadPool_OpenSecureChannel_Enabled | Controls whether the secure listener uses a thread pool to dispatch open secure channel requests. | false |
SecureListener_ThreadPool_OpenSecureChannel_MinThreads | The minimum number of threads in the secure listeners open secure channel thread pool. | 2 |
SecureListener_ThreadPool_OpenSecureChannel_MaxThreads | The maximum number of threads in the secure listeners open secure channel thread pool. | 2 |
SecureListener_ThreadPool_OpenSecureChannel_MaxJobs | The length of the queue with open secure channel jobs waiting for a free thread. | 10 |
The section Endpoints contains the endpoint configuration options.
Each EndpointURL has a configuration in the list. The URL multiplied with the SecurityPolicies and the MessageSecurities configured for the policies results in the EndpointDescriptions provided by the Server in GetEndpoints.
Endpoints/size should be set to the number of endpoints.
Example configuration for two endpoints:
The following table gives an overview of the configurable parameters for each endpoint:
Parameter | Description | Default |
---|---|---|
EndpointURL | URL of the Endpoint; this URL is used for Discovery and to open the Endpoints in the UA stack if no BindURL is configured. [gethostname] can be used as placeholder for the computer name. | - |
BindURL | Optional URL that defines a specific address the stack should bind to. Can be used to bind the endpoint to a specific network card or to localhost only. [gethostname] can be used as placeholder for the computer name. | - |
SecurityPolicies | The SecurityPolicies the endpoint shall offer, given as a comma separated list of section names (see the example after this table). | - |
UserTokenPolicies | The UserTokenPolicies the endpoint shall offer, given as a comma separated list of section names (see the example after this table). | - |
PKIStore | The PKI Store section the endpoint shall use. The following two PKI Store sections are available in the example configuration file: | - |
PKIStorePath | Root directory of the PKI store. One single root directory is needed for GDS PUSH functionality. | - |
TrustAllClientCertificates | This option can be activated if certificates are used only for message security but not for application authentication. If set to true, all client certificates will be accepted automatically, and they are not stored. It is strongly recommended to use this option only together with user authentication. | false |
CreateSignatureWithChain | For calculating the server signature, the server appends the client certificate to the client nonce. If the client sends a certificate chain, the server should only use the leaf certificate to calculate the server signature. With this setting enabled, the server uses the complete certificate chain instead. This is not the recommended behaviour. Only set this flag to work around interoperability issues with misbehaving clients. | false |
CommissioningMode | If the commissioning mode is active, all client certificates will be accepted as long as there are no trusted certificates in the PKI store associated with the endpoint and the server's certificate is self signed. | false |
ReverseConnect | Optional list of clients operating with a reverse connect from the server, e.g. `Endpoints/0/ReverseConnect/size = 2`, `Endpoints/0/ReverseConnect/0/Url = opc.tcp://localhost:48060`, `Endpoints/0/ReverseConnect/1/Url = opc.tcp://localhost:48061`. | - |
DisableErrorCertificateTimeInvalid | Flag used to disable the client certificate validation error BadCertificateTimeInvalid. | false |
DisableErrorCertificateIssuerTimeInvalid | Flag used to disable the client certificate validation error BadCertificateIssuerTimeInvalid. | false |
DisableErrorCertificateRevocationUnknown | Flag used to disable the client certificate validation error BadCertificateRevocationUnknown. | false |
DisableErrorCertificateIssuerRevocationUnknown | Flag used to disable the client certificate validation error BadCertificateIssuerRevocationUnknown. | false |
DisableApplicationUriCheck | Flag used to disable the ApplicationUri match check between client certificate and parameter in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a wrong ApplicationUri. | false |
DisableCertificateUsageCheck | Flag used to disable the check for compliant certificate usage entries. | false |
DisableCertificateKeyLengthCheck | Flag used to disable the check if the certificate key length matches the requirements of the used SecurityPolicy. | false |
DisableCertificateAlgorithmCheck | Flag used to disable the check if the certificate signature algorithm matches the requirements of the used SecurityPolicy. | false |

Example from the configuration file for the SecurityPolicies and UserTokenPolicies of endpoint 0; each name in the list refers to a section of its own:

```ini
[Endpoints]
..
Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic256Sha256
Endpoints/0/UserTokenPolicies = Anonymous, UserName_256Sha256, Certificate_256Sha256
..

[SecurityPolicy_None]
Url = http://opcfoundation.org/UA/SecurityPolicy#None
MessageSecurity = None

[SecurityPolicy_Basic256Sha256]
Url = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
MessageSecurity = Sign, SignAndEncrypt

[Anonymous]
PolicyId = Anonymous_Token
TokenType = Anonymous

[UserName_256Sha256]
PolicyId = UserName_256Sha256_Token
TokenType = UserName
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

[Certificate_256Sha256]
PolicyId = Certificate_256Sha256_Token
TokenType = Certificate
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
```
The section(s) PKIStore contain the settings for a PKI store used in the endpoint settings. The following table gives an overview of the parameters:
Parameter | Description |
---|---|
PkiType | The PKI provider to use. OpenSSL is available on all platforms. |
CertificateFile | Server Certificate: Path to a PEM or DER encoded certificate file. This file may also contain multiple concatenated certificates (certificate chain). |
CertificateKeyFile | Server Private Key: Path to a PEM encoded private key file. This should not be password protected so that the server can start unattended. With a password protected file, the server will need to prompt the user to input the password to unlock the file, which is not possible when running as a service. |
AdditionalCertificates | Additional certificates that are appended to the server certificate to form the certificate chain, given as an indexed list: `AdditionalCertificates/size = 2`, `AdditionalCertificates/0/File = pki/own/rootcacert.der`, `AdditionalCertificates/1/File = pki/own/scacert.der`. |
TrustListPath | Path to trusted certificates. This includes trusted CA certificates as well as self-signed certificates. |
CRLPath | Path to revocation lists for trusted certificates. |
IssuerTrustListPath | Path to untrusted CA certificates. These certificates are only used to build a complete certificate chain. |
IssuerCRLPath | Path to revocation lists for untrusted CA certificates. |
GenerateCertificate | Enable server certificate creation if certificate is not available. |
CommonName | Name of the application - [ApplicationName] is the default value to use the configured ApplicationName. |
Organization | Name of the organization using the OPC UA server. |
OrganizationUnit | Name of the organization unit using the OPC UA server. |
Locality | Name of the location where the OPC UA server is running. |
State | State where the OPC UA server is running. |
Country | Two letter code for the country where the OPC UA server is running, e.g. DE or US. |
YearsValidFor | The number of years the certificate is valid for. The maximum accepted number is 20, but it is strongly recommended to use a shorter time. |
KeyLength | Key length of the certificate to create. |
SignatureAlgorithm | Signature algorithm to use for signing the certificate. |
The section PKI contains the settings for rejected certificates and a list of all existing sections containing PKI store settings.
Example configuration:
The following table gives an overview of the parameters:
Parameter | Description | Default |
---|---|---|
RejectedPath | Path to the folder containing rejected certificates. | pki/rejected |
MaxRejectedCertificates | Maximum number of rejected certificates. This prevents malicious programs from filling up available disk space by calling OpenSecureChannel with different certificates. | 100 |
MaxTrustListSize | Maximum size of the TrustList in bytes. 0 means no limit. | 0 |
AllowDeprecatedSecurityPolicies | By default, deprecated SecurityPolicies are rejected by the SDK when loading the configuration. For backwards compatibility with old applications this behavior can be overridden. Please consider carefully before turning this feature on. | false |
PKIStores | All groups containing PKI store settings (comma separated list of groups). This list of stores is needed for creating the certificates before starting up the server. | - |
The section Discovery contains the settings for registration at the discovery server in regular intervals.
Example configuration:
The following table gives an overview of the parameters:
Parameter | Description |
---|---|
Register | If set to true, the server will register at the discovery server in regular intervals. Default is false. |
DiscoveryURL | The URL of the discovery server. |
DiscoveryInterval | The interval for registration at the discovery server in ms. |
The section Authentication contains the user authentication settings.
Example configuration:
The following table gives an overview of the parameters:
Parameter | Description | Default |
---|---|---|
PasswdFilePath | File path to passwd file. | passwd |
GroupFilePath | File path to group file. | group |
RootUser | The ID of the root user. | 0 |
SecurityAdminGroup | The ID of the security administrator group. | 0 |
FallbackSecurityPolicy | SecurityPolicy to use for UserTokens on non-secure endpoints where no SecurityPolicy or SecurityPolicy::None is set. | http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 |
UserCertsDir | The folder containing accepted user certificates for X509 authentication tokens. | auth_pki/trusted/certs |
UserCrlDir | The folder containing certificate revocation lists for X509 authentication tokens. | auth_pki/trusted/crl |
UserIssuerCertsDir | The folder containing issuer certificates for X509 authentication tokens. | auth_pki/issuers/certs |
UserIssuerCrlDir | The folder containing issuer revocation lists for X509 authentication tokens. | auth_pki/issuers/crl |
DisableErrorUserTokenTimeInvalid | Flag used to disable the X509 user token validation error BadCertificateTimeInvalid. | false |
DisableErrorUserTokenIssuerTimeInvalid | Flag used to disable the X509 user token validation error BadCertificateIssuerTimeInvalid. | false |
DisableErrorUserTokenRevocationUnknown | Flag used to disable the X509 user token validation error BadCertificateRevocationUnknown. | false |
DisableErrorUserTokenIssuerRevocationUnknown | Flag used to disable the X509 user token validation error BadCertificateIssuerRevocationUnknown. | false |
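The General, Endpoints, PKI and Authentication sections above each carry settings whose safe combination is only stated in prose (the 3 * KeepAlive rule for subscription lifetimes, TrustAllClientCertificates only together with user authentication, the DisableError* flags, deprecated SecurityPolicies, the FallbackSecurityPolicy for user tokens). The following Python script is an added example, not part of the SDK or its demo configuration: it parses a constructed configuration text in the [Section] / Key = Value / List/index/Key layout shown on this page with Python's configparser (a stand-in for the SDK's own loader), expands EndpointURL x SecurityPolicies x MessageSecurity into the EndpointDescriptions GetEndpoints would report, and reports the weak or inconsistent settings. The sample values and the check messages are hypothetical.

```python
"""Lint an ANSI C SDK style server configuration for weak or inconsistent
settings. Added example: configparser stands in for the SDK's loader and
SAMPLE_CONFIG is a constructed file, not the shipped demo configuration."""
import configparser

SAMPLE_CONFIG = """
[General]
MaxSessions = 50
MaxSessionsPerClient = 25
MinKeepAliveInterval = 500
MinLifetimeInterval = 1000
MaxKeepAliveInterval = 1200000
MaxLifetimeInterval = 3600000

[Endpoints]
Endpoints/size = 1
Endpoints/0/EndpointURL = opc.tcp://[gethostname]:48010
Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic256Sha256
Endpoints/0/UserTokenPolicies = Anonymous
Endpoints/0/TrustAllClientCertificates = true
Endpoints/0/CommissioningMode = false
Endpoints/0/DisableErrorCertificateRevocationUnknown = true

[SecurityPolicy_None]
Url = http://opcfoundation.org/UA/SecurityPolicy#None
MessageSecurity = None

[SecurityPolicy_Basic256Sha256]
Url = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
MessageSecurity = Sign, SignAndEncrypt

[Anonymous]
PolicyId = Anonymous_Token
TokenType = Anonymous

[PKI]
AllowDeprecatedSecurityPolicies = false

[Authentication]
FallbackSecurityPolicy = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
"""


def load_config(text):
    """Parse the ini-style text. Keys keep their case, and a '#' inside a
    value (the SecurityPolicy URIs) is not treated as a comment."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def as_bool(value):
    return value.strip().lower() == "true"


def endpoint_descriptions(cp):
    """EndpointURL x SecurityPolicies x MessageSecurity: one (url, policy
    URI, mode) tuple per EndpointDescription the server would report."""
    eps = cp["Endpoints"]
    found = []
    for i in range(int(eps["Endpoints/size"])):
        url = eps[f"Endpoints/{i}/EndpointURL"]
        for policy in csv(eps.get(f"Endpoints/{i}/SecurityPolicies", "")):
            for mode in csv(cp[policy]["MessageSecurity"]):
                found.append((url, cp[policy]["Url"], mode))
    return found


def lint(cp):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    g = cp["General"]
    for lo, hi in (("MinKeepAliveInterval", "MinLifetimeInterval"),
                   ("MaxKeepAliveInterval", "MaxLifetimeInterval")):
        if int(g[hi]) < 3 * int(g[lo]):
            findings.append(f"General: {hi} should be at least 3 * {lo}")
    if int(g["MaxSessions"]) and int(g["MaxSessionsPerClient"]) > int(g["MaxSessions"]):
        findings.append("General: MaxSessionsPerClient exceeds MaxSessions")

    eps = cp["Endpoints"]
    for i in range(int(eps["Endpoints/size"])):
        p = f"Endpoints/{i}/"
        tokens = {cp[t]["TokenType"] for t in csv(eps.get(p + "UserTokenPolicies", ""))}
        # accepting every client certificate is only meant for endpoints that authenticate users
        if as_bool(eps.get(p + "TrustAllClientCertificates", "false")) and tokens <= {"Anonymous"}:
            findings.append(f"Endpoint {i}: TrustAllClientCertificates without user authentication")
        if as_bool(eps.get(p + "CommissioningMode", "false")):
            findings.append(f"Endpoint {i}: CommissioningMode accepts any client certificate")
        for key in eps:  # every Disable* endpoint flag switches off a certificate check
            if key.startswith(p + "Disable") and as_bool(eps[key]):
                findings.append(f"Endpoint {i}: {key[len(p):]} switches off a certificate check")

    if as_bool(cp["PKI"].get("AllowDeprecatedSecurityPolicies", "false")):
        findings.append("PKI: deprecated SecurityPolicies are allowed")
    if cp["Authentication"].get("FallbackSecurityPolicy", "").endswith("#None"):
        findings.append("Authentication: FallbackSecurityPolicy None leaves user tokens unprotected")
    return findings


if __name__ == "__main__":
    config = load_config(SAMPLE_CONFIG)
    for url, policy, mode in endpoint_descriptions(config):
        print("endpoint", url, policy, mode)
    for finding in lint(config):
        print("WARN", finding)
```

Run against the constructed sample, the script lists three EndpointDescriptions (None/None, Basic256Sha256/Sign, Basic256Sha256/SignAndEncrypt) and flags the lifetime below 3 * MinKeepAliveInterval, TrustAllClientCertificates on an anonymous-only endpoint, and the disabled revocation check; pointing it at a real configuration only needs the file contents passed to load_config.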
The section PubSub contains the PubSub settings.
Example configuration:
The following table gives an overview of the parameters:
Parameter | Description |
---|---|
ConfigFilePath | File containing a PubSub configuration to load on startup. |
TraceEnabled | Enables the PubSub module trace. Default is true. |
TraceLevel | PubSub module trace level, comma separated combination of the following: DEBUG, DATA, INFO, FUNC_ENTER, FUNC_LEAVE, FUNC, NOTICE, WARNING, ERROR, INSANE |
TraceFacility | PubSub module trace facility, the sum of one or more of the following: PLATFORM, NETWORK, CRYPTO, IPC, BASE, MEMORY, UATCP, ENCODER, SESSION, PROVIDER APPLICATION, ADDRSPACE, TIMER, PKI, SUBSCRIPTION, CLIENT, USERAPPLICATION, FILEFORMAT |