ANSI C Based OPC UA Client/Server/PubSub SDK  1.9.4.474
Server Configuration

The Unified Automation ANSI C Server SDK provides different options for server configuration.

See Configuring the SDK for configuration options at compile time.

The configuration options at runtime are described in the following sections.

Overview

The server configuration is managed with the structure UaServer_Configuration.

The server configuration structure can be initialized and configured in code or the settings can be loaded from a configuration file.

The sample code for configuration in code is available in the Getting Started server lessons.

The ANSI C SDK Demo Server comes with an example configuration file.

The configuration options are further described in the following section.

Configuration Parameters

General

The section General contains the general server configuration options. It consists of the following parameters:

Parameter Description Default
MaxProviderNodes Maximum number of nodes per provider supported by the server. 3700
MaxReferencesToReturn Maximum number of references to return in a Browse/BrowseNext response. 10000
MaxTranslateResults Maximum number of nodes to return in a TranslateBrowsePathsToNodeIds response. 10000
MaxSecureChannels Maximum number of SecureChannels. The upper limit of this value depends on the CMake settings UASTACK_TCPLISTENER_MAX_CONNECTIONS and UASTACK_SOCKETMANAGER_NUMBER_OF_SOCKETS (equals OPCUA_TCPLISTENER_MAXCONNECTIONS and OPCUA_P_SOCKETMANAGER_NUMBEROFSOCKETS). Set to 0 for no limit. 100
MaxSessions Maximum total number of sessions. As most clients use one SecureChannel per session, the upper limits of MaxSecureChannels apply to this setting, too. Set to 0 for no limit. 50
MaxSessionsPerClient Maximum number of sessions the server allows per client. Set to 0 for no limit. 25
MaxSubscriptions Maximum total number of subscriptions. Set to 0 for no limit. 0
MaxSubscriptionsPerSession Maximum number of subscriptions per session. Set to 0 for no limit. 20
MaxPublishPerSession Maximum number of publish requests per session. 10
MaxContinuationPointsPerSession Maximum number of continuation points per session. 5
MaxQueryContinuationPointsPerSession Maximum number of continuation points per session for Query services. 5
MaxHistoryContinuationPointsPerSession Maximum number of continuation points per session for ReadHistory services. 5
MinSessionTimeout Minimum session timeout in milliseconds. Set to 0 for no limit. 0
MaxSessionTimeout Maximum session timeout in milliseconds. Set to 0 for no limit. 0
SessionTimeoutResolution Session timeout resolution in milliseconds. Set to 0 for no limitation. 0
MinPublishingInterval The minimum supported publishing interval. 50
MaxPublishingInterval The maximum supported publishing interval. 3600000
MinKeepAliveInterval The minimum supported KeepAliveInterval for subscriptions. 500
MaxKeepAliveInterval The maximum supported KeepAliveInterval for subscriptions. 1200000
MinLifetimeInterval The minimum supported Lifetime for subscriptions. Should be at least 3 * MinKeepAliveInterval. 1500
MaxLifetimeInterval The maximum supported Lifetime for subscriptions. Should be at least 3 * MaxKeepAliveInterval. 3600000
MaxMonitoredItems Maximum total number of monitored items. Set to 0 for no limit. 0
MaxMonitoredItemsPerSubscription Maximum number of monitored items per subscription. Set to 0 for no limit. 1000
GuaranteedMonitoredItemsPerSubscription Guaranteed minimum number of monitored items a subscription can create. 0
MaxMonitoredItemsPerSession Maximum number of monitored items per session. Set to 0 for no limit. 0
MaxMonitoredItemsQueueSize Maximum queue size for data monitored items. 10000
MaxEventMonitoredItemsQueueSize Maximum queue size for event monitored items. 10000
MaxDataLoggerSubscriptionItems Maximum number of monitored items for the subscription containing the data logger nodes. 1000
DataLoggerSubscriptionPublishingInterval Publishing interval of the subscription containing the data logger nodes. 500
DisableServerStateChange Disable server state change method. false
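The General table states several relationships between its limits (a lifetime of at least three keep-alive intervals, session limits that are bounded by MaxSecureChannels, 0 meaning "no limit"). The following Python script is an added example, not SDK code: it reads the [General] section of a configuration file in the INI layout this page documents with the standard-library configparser, fills in the defaults from the table for any key the file omits, and reports values that contradict those relationships or leave session and channel counts unbounded. Key names and defaults are taken from the table above; the checks and messages are the example's own.

```python
import configparser

# Defaults taken from the General table of this page; used for any key the file omits.
GENERAL_DEFAULTS = {
    "MaxSecureChannels": 100,
    "MaxSessions": 50,
    "MaxSessionsPerClient": 25,
    "MaxSubscriptions": 0,
    "MaxSubscriptionsPerSession": 20,
    "MinPublishingInterval": 50,
    "MaxPublishingInterval": 3600000,
    "MinKeepAliveInterval": 500,
    "MaxKeepAliveInterval": 1200000,
    "MinLifetimeInterval": 1500,
    "MaxLifetimeInterval": 3600000,
    "MaxMonitoredItems": 0,
    "MaxMonitoredItemsPerSubscription": 1000,
}


def load_general(ini_text):
    """Parse the [General] section, falling back to the documented defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: MaxSessions, not maxsessions
    parser.read_string(ini_text)
    values = dict(GENERAL_DEFAULTS)
    if parser.has_section("General"):
        for key, raw in parser.items("General"):
            if key in values:
                values[key] = int(raw)
    return values


def check_general(ini_text):
    """Return human-readable findings; an empty list means the limits are consistent."""
    g = load_general(ini_text)
    findings = []

    def limit(key):
        # 0 means "no limit", so a value only constrains others when it is non-zero.
        return g[key] if g[key] > 0 else None

    # Relationships the table states explicitly.
    if g["MinLifetimeInterval"] < 3 * g["MinKeepAliveInterval"]:
        findings.append("MinLifetimeInterval is below 3 * MinKeepAliveInterval")
    if g["MaxLifetimeInterval"] < 3 * g["MaxKeepAliveInterval"]:
        findings.append("MaxLifetimeInterval is below 3 * MaxKeepAliveInterval")
    if limit("MaxSecureChannels") and limit("MaxSessions") \
            and g["MaxSessions"] > g["MaxSecureChannels"]:
        findings.append("MaxSessions exceeds MaxSecureChannels; with one SecureChannel "
                        "per session the extra sessions can never be created")

    # Every min/max pair must be ordered.
    for lo, hi in (("MinPublishingInterval", "MaxPublishingInterval"),
                   ("MinKeepAliveInterval", "MaxKeepAliveInterval"),
                   ("MinLifetimeInterval", "MaxLifetimeInterval")):
        if g[lo] > g[hi]:
            findings.append(f"{lo} is greater than {hi}")

    # A per-client or per-session limit above the total limit is never reachable.
    for part, total in (("MaxSessionsPerClient", "MaxSessions"),
                        ("MaxSubscriptionsPerSession", "MaxSubscriptions"),
                        ("MaxMonitoredItemsPerSubscription", "MaxMonitoredItems")):
        if limit(part) and limit(total) and g[part] > g[total]:
            findings.append(f"{part} exceeds {total}")

    # Unlimited channels or sessions let a single peer consume memory without bound.
    for key in ("MaxSecureChannels", "MaxSessions"):
        if limit(key) is None:
            findings.append(f"{key} is 0 (no limit); set an explicit ceiling")
    return findings


if __name__ == "__main__":
    # Constructed input: a keep-alive raised without raising the lifetime, and no channel limit.
    for line in check_general("[General]\nMinKeepAliveInterval = 1000\nMaxSecureChannels = 0\n"):
        print(line)
```

Run against a file with an empty or absent [General] section the script reports nothing, because the documented defaults already satisfy every relationship; the findings only appear when a value is changed without adjusting the values that depend on it.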

Trace

The section Trace contains the trace settings for the OPC UA Stack and OPC UA Application. It consists of the following parameters:

Parameter Description Default
Enabled Enable the trace. false
Level Trace level (possible values: None, Error, Warning, System, Info, Debug, Content, All). Warning
LocalTimeTrace Use local time instead of UTC in the trace. false
PrintDateInTrace Print the date in addition to the time. false
ConsoleTraceEnabled Enable tracing to the console on stdout. true
FileTraceEnabled Enable tracing to a file. false
FileTraceFilename File to use for tracing. trace.log
FileTraceMaxEntries Maximum number of trace entries in one file. 1000
FileTraceNumBackupFiles Maximum number of backup files. 5
FileTraceFlushDisabled Do not flush the file after each trace entry. The trace file is flushed automatically from time to time anyway. For maximum trace performance set this option to true; if you have issues with missing trace entries in case of an application crash, set it to false. true
EventTraceMode Activate trace events for trace levels System, Warning and Error. Requires OPCUA_TRACE_RAW to be enabled. Possible values are: Disabled, History, HistoryAndEvents. Disabled

UaStack

The section UaStack contains the serializer, transport and thread pool settings for the OPC UA Client/Server protocol stack. The stack handles the Client/Server secure channels and the basic service request and response message processing. It consists of the following parameters:

Parameter Description Default
Serializer_MaxAlloc The largest size for a memory block the serializer can do when deserializing a message. 16777216
Serializer_MaxStringLength The largest string accepted for any decoded string. 16646145
Serializer_MaxByteStringLength The largest byte string accepted for any decoded byte string. 16646145
Serializer_MaxArrayLength Maximum number of elements in an array accepted for any decoded array. 65536
Serializer_MaxMessageSize The maximum number of bytes per decoded message in total. 16777216
TcpListener_DefaultChunkSize The default and maximum size for message chunks in the server. Affects network performance and memory usage. 65536
TcpTransport_MaxMessageLength The default and maximum size for messages. Affects memory usage. 16777216
TcpTransport_MaxChunkCount The default and maximum number of message chunks per message. Affects memory usage. 256
SecureListener_ThreadPool_OpenSecureChannel_Enabled Controls whether the secure listener uses a thread pool to dispatch open secure channel requests. false
SecureListener_ThreadPool_OpenSecureChannel_MinThreads The minimum number of threads in the secure listener's open secure channel thread pool. 2
SecureListener_ThreadPool_OpenSecureChannel_MaxThreads The maximum number of threads in the secure listener's open secure channel thread pool. 2
SecureListener_ThreadPool_OpenSecureChannel_MaxJobs The length of the queue with open secure channel jobs waiting for a free thread. 10

Endpoints

The section Endpoints contains the endpoint configuration options.

Each EndpointURL has an entry in the list. The EndpointDescriptions the Server provides in GetEndpoints are the product of the URL, the SecurityPolicies configured for it, and the MessageSecurity modes configured for each of those policies.

Endpoints/size should be set to the number of endpoints.

Example configuration for two endpoints:

[Endpoints]
Endpoints/size = 2
Endpoints/0/EndpointURL = opc.tcp://[gethostname]:48020
Endpoints/0/BindURL = opc.tcp://[gethostname]:48020
Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic256Sha256, SecurityPolicy_Aes128, SecurityPolicy_Aes256
Endpoints/0/UserTokenPolicies = Anonymous, UserName_256Sha256, UserName_Aes128, UserName_Aes256, Certificate_256Sha256, Certificate_Aes128, Certificate_Aes256
Endpoints/0/PKIStore = PKIStore_OpenSSL
Endpoints/0/PKIStorePath = pki0
Endpoints/1/EndpointURL = https://[gethostname]:48021
Endpoints/1/BindURL = https://[gethostname]:48021
Endpoints/1/SecurityPolicies = SecurityPolicy_None
Endpoints/1/UserTokenPolicies = Anonymous
Endpoints/1/PKIStore = PKIStore_OpenSSL
Endpoints/1/PKIStorePath = pki1

The following table gives an overview of the configurable parameters for each endpoint:

Parameter Description Default
EndpointURL URL of the Endpoint. This URL is used for Discovery and, if no BindURL is configured, to open the Endpoint in the UA stack. [gethostname] can be used as a placeholder for the computer name. -
BindURL Optional URL that defines the specific address the stack binds to. It can be used to bind the endpoint to a specific network card or to localhost only. [gethostname] can be used as a placeholder for the computer name. -
SecurityPolicies (Default: -)
The SecurityPolicies the endpoint shall offer. It is configured as a comma-separated list of sections. In each section, the Url and the MessageSecurity modes are configured for the policy. For policy None, only the mode None is possible. For other policies, the modes Sign and SignAndEncrypt are available.
The SecurityPolicies Basic128Rsa15 and Basic256 are deprecated and no longer considered secure. An administrator should be involved before enabling them for backward compatibility.
Example configuration:

[Endpoints]
..
Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic256Sha256
..
[SecurityPolicy_None]
Url = http://opcfoundation.org/UA/SecurityPolicy#None
MessageSecurity = None
[SecurityPolicy_Basic256Sha256]
Url = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
MessageSecurity = Sign, SignAndEncrypt

UserTokenPolicies (Default: -)
The UserTokenPolicies the endpoint shall offer. It is configured as a comma-separated list of sections. In each section, the PolicyId, the user TokenType and the SecurityPolicyUri for the token type are configured. Possible token types are Anonymous, UserName and Certificate.
Example configuration:

[Endpoints]
..
Endpoints/0/UserTokenPolicies = Anonymous, UserName_256Sha256, Certificate_256Sha256
..
[Anonymous]
PolicyId = Anonymous_Token
TokenType = Anonymous
[UserName_256Sha256]
PolicyId = UserName_256Sha256_Token
TokenType = UserName
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
[Certificate_256Sha256]
PolicyId = Certificate_256Sha256_Token
TokenType = Certificate
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

PKIStore The PKI Store section the endpoint shall use. The example configuration file defines two PKI Store sections, PKIStore_OpenSSL and PKIStore_None (see the section PKIStore below). -
PKIStorePath Root directory of the PKI store. A single root directory is needed for GDS Push functionality. -
TrustAllClientCertificates This option can be activated if certificates are used only for message security but not for application authentication. If set to true, all client certificates will be accepted automatically, and they are not stored. It is strongly recommended to use this option only together with user authentication. false
CreateSignatureWithChain For calculating the server signature, the server appends the client certificate to the client nonce. If the client sends a certificate chain, the server should only use the leaf certificate to calculate the server signature. With this setting enabled, the server uses the complete certificate chain instead. This is not the recommended behaviour. Only set this flag to work around interoperability issues with misbehaving clients. false
CommissioningMode If the commissioning mode is active, all client certificates will be accepted as long as there are no trusted certificates in the PKI store associated with the endpoint and the server's certificate is self signed. false
ReverseConnect (Default: -)
Optional list of clients the server reaches via reverse connect, i.e. the server initiates the connection to the client.
Example configuration:

Endpoints/0/ReverseConnect/size = 2
Endpoints/0/ReverseConnect/0/Url = opc.tcp://localhost:48060
Endpoints/0/ReverseConnect/1/Url = opc.tcp://localhost:48061

DisableErrorCertificateTimeInvalid Flag used to disable the client certificate validation error BadCertificateTimeInvalid. false
DisableErrorCertificateIssuerTimeInvalid Flag used to disable the client certificate validation error BadCertificateIssuerTimeInvalid. false
DisableErrorCertificateRevocationUnknown Flag used to disable the client certificate validation error BadCertificateRevocationUnknown. false
DisableErrorCertificateIssuerRevocationUnknown Flag used to disable the client certificate validation error BadCertificateIssuerRevocationUnknown. false
DisableApplicationUriCheck Flag used to disable the ApplicationUri match check between client certificate and parameter in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a wrong ApplicationUri. false
DisableCertificateUsageCheck Flag used to disable the check for compliant certificate usage entries. false
DisableCertificateKeyLengthCheck Flag used to disable the check if the certificate key length matches the requirements of the used SecurityPolicy. false
DisableCertificateAlgorithmCheck Flag used to disable the check if the certificate signature algorithm matches the requirements of the used SecurityPolicy. false
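The expansion rule given above (EndpointURL times SecurityPolicies times MessageSecurity modes) is easy to get wrong by hand once several endpoints share policy sections. The following Python script is an added example, not SDK code: it reads a configuration in the layout documented in this table with the standard-library configparser, expands every endpoint into the EndpointDescriptions the server would report in GetEndpoints, and lists the descriptions that carry no message security or use one of the deprecated policies named above. The sample configuration is constructed for the example; the script assumes only the EndpointURL, SecurityPolicies and UserTokenPolicies keys and the SecurityPolicy_*/user token section layout shown in the table, and ignores BindURL, PKIStore and the other endpoint flags.

```python
import configparser

# Constructed configuration in the INI layout this page documents (not the SDK's
# shipped file); only the sections the expansion reads are included.
SAMPLE_CONFIG = """
[Endpoints]
Endpoints/size = 2
Endpoints/0/EndpointURL = opc.tcp://[gethostname]:48020
Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic256Sha256
Endpoints/0/UserTokenPolicies = Anonymous, UserName_256Sha256
Endpoints/1/EndpointURL = https://[gethostname]:48021
Endpoints/1/SecurityPolicies = SecurityPolicy_None
Endpoints/1/UserTokenPolicies = Anonymous

[SecurityPolicy_None]
Url = http://opcfoundation.org/UA/SecurityPolicy#None
MessageSecurity = None

[SecurityPolicy_Basic256Sha256]
Url = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
MessageSecurity = Sign, SignAndEncrypt

[Anonymous]
PolicyId = Anonymous_Token
TokenType = Anonymous

[UserName_256Sha256]
PolicyId = UserName_256Sha256_Token
TokenType = UserName
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
"""

# Policy URIs this page marks as deprecated.
DEPRECATED_POLICY_URIS = (
    "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
)


def parse_config(ini_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keys such as Url and PolicyId are case-sensitive
    parser.read_string(ini_text)
    return parser


def split_list(value):
    """Split a comma-separated value such as 'Sign, SignAndEncrypt'."""
    return [item.strip() for item in value.split(",") if item.strip()]


def expand_endpoints(ini_text):
    """One dict per EndpointDescription the server would return in GetEndpoints."""
    cfg = parse_config(ini_text)
    ep = cfg["Endpoints"]
    descriptions = []
    for i in range(int(ep["Endpoints/size"])):
        url = ep[f"Endpoints/{i}/EndpointURL"]
        token_policies = [
            (cfg[s]["PolicyId"], cfg[s]["TokenType"])
            for s in split_list(ep.get(f"Endpoints/{i}/UserTokenPolicies", ""))
        ]
        for policy_section in split_list(ep[f"Endpoints/{i}/SecurityPolicies"]):
            policy = cfg[policy_section]
            # Each MessageSecurity mode of each policy becomes its own description.
            for mode in split_list(policy["MessageSecurity"]):
                descriptions.append({
                    "url": url,
                    "policy_uri": policy["Url"],
                    "mode": mode,
                    "token_policies": token_policies,
                })
    return descriptions


def review_endpoints(ini_text):
    """Notes on descriptions without message security or with a deprecated policy."""
    notes = []
    for d in expand_endpoints(ini_text):
        token_types = {token_type for _, token_type in d["token_policies"]}
        if d["mode"] == "None":
            anon = " and accepts anonymous sessions" if "Anonymous" in token_types else ""
            notes.append(f"{d['url']}: no message security{anon}")
        if d["policy_uri"] in DEPRECATED_POLICY_URIS:
            notes.append(f"{d['url']}: deprecated policy {d['policy_uri']} ({d['mode']})")
    return notes


if __name__ == "__main__":
    for d in expand_endpoints(SAMPLE_CONFIG):
        print(d["url"], d["policy_uri"].rsplit("#", 1)[1], d["mode"])
    for note in review_endpoints(SAMPLE_CONFIG):
        print("note:", note)
```

For the sample above the first endpoint yields three descriptions (None/None, Basic256Sha256/Sign, Basic256Sha256/SignAndEncrypt) and the second one, so GetEndpoints would return four; the two None/None descriptions are the ones a reviewer should look at, since they also offer the Anonymous token.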

PKIStore

The section(s) PKIStore contains settings for a PKI store used in endpoint settings.

Example configuration:

[PKIStore_OpenSSL]
PkiType = OpenSSL
CertificateFile = pki/own/uaservercert.der
CertificateKeyFile = pki/own/uaserverkey.nopass.pem
AdditionalCertificates/size = 0
TrustListPath = pki/trusted/certs
CRLPath = pki/trusted/crl
IssuerTrustListPath = pki/issuers/certs
IssuerCRLPath = pki/issuers/crl
GenerateCertificate = true
CommonName = [ApplicationName]
Organization = Unified Automation GmbH
OrganizationUnit =
Locality = Nuremberg
State = Bavaria
Country = DE
YearsValidFor = 5
KeyLength = 2048
SignatureAlgorithm = Sha256

[PKIStore_None]
PkiType = None

The following table gives an overview of the parameters:

Parameter Description
PkiType The PKI provider to use. OpenSSL is available on all platforms.
CertificateFile Server Certificate: Path to a PEM or DER encoded certificate file. This file may also contain multiple concatenated certificates (certificate chain).
CertificateKeyFile Server Private Key: Path to a PEM encoded private key file. This should not be password protected so that the server can start unattended. With a password protected file, the server will need to prompt the user to input the password to unlock the file, which is not possible when running as a service.
AdditionalCertificates
Additional certificates to form the certificate chain.
Example configuration:

# Number of additional certificates to form the certificate chain.
AdditionalCertificates/size = 2
# Additional certificates that will be appended to the server certificate to form the certificate chain.
AdditionalCertificates/0/File = pki/own/rootcacert.der
AdditionalCertificates/1/File = pki/own/scacert.der

TrustListPath Path to trusted certificates. This includes trusted CA certificates as well as self-signed certificates.
CRLPath Path to revocation lists for trusted certificates.
IssuerTrustListPath Path to untrusted CA certificates. These certificates are only used to build a complete certificate chain.
IssuerCRLPath Path to revocation lists for untrusted CA certificates.
GenerateCertificate Enable server certificate creation if certificate is not available.
CommonName Common name of the certificate, normally the name of the application. [ApplicationName] is the default value and inserts the configured ApplicationName.
Organization Name of the organization using the OPC UA server.
OrganizationUnit Name of the organization unit using the OPC UA server.
Locality Name of the location where the OPC UA server is running.
State State where the OPC UA server is running.
Country Two letter code for the country where the OPC UA server is running, e.g. DE or US.
YearsValidFor The number of years the certificate is valid for. The maximum accepted number is 20, but it is strongly recommended to use a shorter time.
KeyLength Key length of the certificate to create.
SignatureAlgorithm Signature algorithm to use for signing the certificate.

PKI

The section PKI contains the settings for rejected certificates and a list of all existing sections containing PKI store settings.

Example configuration:

[PKI]
RejectedPath = pki/rejected
MaxRejectedCertificates = 50
MaxTrustListSize = 0
AllowDeprecatedSecurityPolicies = false
PKIStores = PKIStore_OpenSSL

The following table gives an overview of the parameters:

Parameter Description Default
RejectedPath Path to the folder containing rejected certificates. pki/rejected
MaxRejectedCertificates Maximum number of rejected certificates. This prevents malicious programs from filling up available disk space by calling OpenSecureChannel with different certificates. 100
MaxTrustListSize Maximum size of the TrustList in bytes. 0 means no limit. 0
AllowDeprecatedSecurityPolicies By default, deprecated SecurityPolicies are rejected by the SDK when loading the configuration. For backwards compatibility with old applications this behavior can be overridden. Please consider carefully before turning this feature on. false
PKIStores All groups containing PKI store settings (comma separated list of groups). This list of stores is needed for creating the certificates before starting up the server. -

Discovery

The section Discovery contains the settings for registration at the discovery server in regular intervals.

Example configuration:

[Discovery]
Register = false
DiscoveryURL = opc.tcp://localhost:4840/UADiscovery/discovery
DiscoveryInterval = 30000

The following table gives an overview of the parameters:

Parameter Description
Register If set to true, the server will register at the discovery server in regular intervals. Default is false.
DiscoveryURL The URL of the discovery server.
DiscoveryInterval The interval for registration at the discovery server in ms.

Authentication

The section Authentication contains the user authentication settings.

Example configuration:

[Authentication]
PasswdFilePath = passwd
GroupFilePath = group
RootUser = 0
SecurityAdminGroup = 0
FallbackSecurityPolicy = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
UserCertsDir = auth_pki/trusted/certs
UserCrlDir = auth_pki/trusted/crl
UserIssuerCertsDir = auth_pki/issuers/certs
UserIssuerCrlDir = auth_pki/issuers/crl
DisableErrorUserTokenTimeInvalid = false
DisableErrorUserTokenIssuerTimeInvalid = false
DisableErrorUserTokenRevocationUnknown = false
DisableErrorUserTokenIssuerRevocationUnknown = false

The following table gives an overview of the parameters:

Parameter Description Default
PasswdFilePath File path to passwd file. passwd
GroupFilePath File path to group file. group
RootUser The ID of the root user. 0
SecurityAdminGroup The ID of the security administrator group. 0
FallbackSecurityPolicy SecurityPolicy to use for UserTokens on non-secure endpoints where no SecurityPolicy or SecurityPolicy::None is set. http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
UserCertsDir The folder containing accepted user certificates for X509 authentication tokens. auth_pki/trusted/certs
UserCrlDir The folder containing certificate revocation lists for X509 authentication tokens. auth_pki/trusted/crl
UserIssuerCertsDir The folder containing issuer certificates for X509 authentication tokens. auth_pki/issuers/certs
UserIssuerCrlDir The folder containing issuer revocation lists for X509 authentication tokens. auth_pki/issuers/crl
DisableErrorUserTokenTimeInvalid Flag used to disable the X509 user token validation error BadCertificateTimeInvalid. false
DisableErrorUserTokenIssuerTimeInvalid Flag used to disable the X509 user token validation error BadCertificateIssuerTimeInvalid. false
DisableErrorUserTokenRevocationUnknown Flag used to disable the X509 user token validation error BadCertificateRevocationUnknown. false
DisableErrorUserTokenIssuerRevocationUnknown Flag used to disable the X509 user token validation error BadCertificateIssuerRevocationUnknown. false
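The endpoint table above (TrustAllClientCertificates, CommissioningMode and the DisableError*/Disable* flags), the PKI section (AllowDeprecatedSecurityPolicies) and this Authentication table (DisableErrorUserToken*) all contain switches that relax certificate or policy validation, and they are spread over several sections of one file. The following Python script is an added example, not SDK code: it reads a configuration in the documented INI layout with the standard-library configparser and lists every such switch that is set to true, rating TrustAllClientCertificates higher when the endpoint offers no user authentication beyond the Anonymous token, which the endpoint table explicitly warns against. The sample configuration and the severity labels are constructed for the example; the key names come from the tables on this page.

```python
import configparser

# Constructed excerpt (not the SDK's shipped file) with several validation
# checks switched off, so the audit has something to report.
SAMPLE_CONFIG = """
[Endpoints]
Endpoints/size = 1
Endpoints/0/EndpointURL = opc.tcp://[gethostname]:48020
Endpoints/0/UserTokenPolicies = Anonymous
Endpoints/0/TrustAllClientCertificates = true
Endpoints/0/DisableErrorCertificateRevocationUnknown = true
Endpoints/0/DisableApplicationUriCheck = false

[Anonymous]
PolicyId = Anonymous_Token
TokenType = Anonymous

[PKI]
AllowDeprecatedSecurityPolicies = true

[Authentication]
DisableErrorUserTokenRevocationUnknown = true
DisableErrorUserTokenTimeInvalid = false
"""


def parse_config(ini_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case
    parser.read_string(ini_text)
    return parser


def is_true(value):
    return value.strip().lower() in ("true", "1", "yes")


def audit_relaxations(ini_text):
    """Return (severity, where, message) for every setting that weakens validation."""
    cfg = parse_config(ini_text)
    findings = []

    ep = cfg["Endpoints"] if cfg.has_section("Endpoints") else {}
    for i in range(int(ep.get("Endpoints/size", "0"))):
        prefix = f"Endpoints/{i}/"
        where = ep.get(prefix + "EndpointURL", f"endpoint {i}")
        # The token types offered decide how serious TrustAllClientCertificates is.
        token_types = set()
        for section in ep.get(prefix + "UserTokenPolicies", "").split(","):
            section = section.strip()
            if section and cfg.has_section(section):
                token_types.add(cfg[section].get("TokenType", ""))
        for key, raw in ep.items():
            if not key.startswith(prefix) or not is_true(raw):
                continue
            name = key[len(prefix):]
            if name == "TrustAllClientCertificates":
                if token_types <= {"Anonymous"}:
                    findings.append(("high", where, "TrustAllClientCertificates=true with no user "
                                     "authentication: any client certificate is accepted and "
                                     "nothing else identifies the client"))
                else:
                    findings.append(("medium", where, "TrustAllClientCertificates=true: client "
                                     "certificates are not validated; user authentication is "
                                     "the only remaining control"))
            elif name == "CommissioningMode":
                findings.append(("medium", where, "CommissioningMode=true: every client certificate "
                                 "is accepted while the trust list is empty and the server "
                                 "certificate is self-signed"))
            elif name.startswith("Disable"):
                findings.append(("medium", where, f"{name}=true: a client certificate check is switched off"))

    if cfg.has_section("PKI") and is_true(cfg["PKI"].get("AllowDeprecatedSecurityPolicies", "false")):
        findings.append(("medium", "PKI", "AllowDeprecatedSecurityPolicies=true: Basic128Rsa15 "
                         "and Basic256 are accepted when loading the configuration"))

    if cfg.has_section("Authentication"):
        for key, raw in cfg["Authentication"].items():
            if key.startswith("DisableErrorUserToken") and is_true(raw):
                findings.append(("medium", "Authentication",
                                 f"{key}=true: an X509 user token check is switched off"))
    return findings


if __name__ == "__main__":
    for severity, where, message in audit_relaxations(SAMPLE_CONFIG):
        print(f"[{severity}] {where}: {message}")
```

Any DisableError* flag set to true is reported as-is; when one is needed to work around a misbehaving client, the finding is the place to record why, and the flag should go back to false once the client is fixed.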

PubSub

The section PubSub contains the PubSub settings.

Example configuration:

[PubSub]
ConfigFilePath = pubsub.bin
TraceEnabled = true
TraceLevel = ERROR, WARNING, INFO
TraceFacility = PLATFORM, NETWORK, BASE, MEMORY, ENCODER, APPLICATION, TIMER, USERAPPLICATION

The following table gives an overview of the parameters:

Parameter Description
ConfigFilePath File containing a PubSub configuration to load on startup.
TraceEnabled Enables the PubSub module trace. Default is true.
TraceLevel PubSub module trace level, a comma-separated combination of the following: DEBUG, DATA, INFO, FUNC_ENTER, FUNC_LEAVE, FUNC, NOTICE, WARNING, ERROR, INSANE
TraceFacility PubSub module trace facility, the sum (as a comma-separated list) of one or more of the following: PLATFORM, NETWORK, CRYPTO, IPC, BASE, MEMORY, UATCP, ENCODER, SESSION, PROVIDER, APPLICATION, ADDRSPACE, TIMER, PKI, SUBSCRIPTION, CLIENT, USERAPPLICATION, FILEFORMAT