C++ Based OPC UA Client/Server SDK  1.5.4.349
Server Configuration

The Unified Automation C++ Server SDK provides different options for server configuration. See Configuring the SDK with CMake for configuration options at build time.

The figure Options for product specific configuration gives an overview of the SDK classes designed for this purpose.

The SDK provides the following classes:

ServerConfig

The class ServerConfig is the interface used by the SDK to access product specific configuration settings.

ServerConfigData

The class ServerConfigData implements the interface ServerConfig and provides configuration settings through the settings stored in the member variables of the class.

ServerConfigXml

The class ServerConfigXml loads the settings from an XML file and stores them in the members of ServerConfigData.

ServerConfigIni
The class ServerConfigIni loads the settings from an INI file and stores them in the members of ServerConfigData.

These classes offer the following options for integrating product specific configuration settings.

Option 1

A Product specific XML configuration file is loaded by the helper class ServerConfigXml. For more information, see XML Configuration File. An example for this file is included with the SDK: [Installation Directory]/bin/ServerConfig.xml

Option 2

A Product specific INI configuration file is loaded by the helper class ServerConfigIni. For more information, see INI Configuration File. An example for this file is included with the SDK: [Installation Directory]/bin/ServerConfig.ini

Option 3

The settings are loaded from an existing product configuration data base and stored in ServerConfigData members. This requires the implementation of a product specific class for loading the configuration settings, which is derived from ServerConfigData.

Option 4
A Product specific implementation of the ServerConfig interface is accessing a product specific configuration data base for every access to the interface ServerConfig.

server_config_options.png
Options for Server Configuration

XML Configuration File

An XML based example configuration file can be found in [Installation Directory]/bin.

Trace

The element <Trace> stores the trace settings for the OPC UA Stack and OPC UA Application. It contains the following child elements:

Element Description Default
UaStackTraceEnabled Enable or disable the UA stack trace; possible values are true or false. false
UaStackTraceLevel The UA stack trace level; possible values are
NONE
No Trace
ERROR
Critical errors, which require attention, i.e. unexpected errors and/or errors requiring external actions
WARNING
Non-critical faults, which should not go unnoticed but are handled internally
SYSTEM
Rare major events (good cases) like initializations, shutdown, etc.
INFO
Regular good case events, like connects, renews
DEBUG
Used for debugging purposes
CONTENT
Used to add additional content (i.e. whole message bodies) to debug traces
ALL
All outputs
NONE
UaAppTraceEnabled Enable or disable the UA server application trace; possible values are true or false false
UaAppTraceLevel The UA server application trace level; possible values are
NoTrace
No Trace
Errors
Unexpected errors
Warning
Unexpected behaviour that is not an error
Info
Information about important activities, like connection establishment
InterfaceCall
Calls to module interfaces
CtorDtor
Creation and destruction of objects
ProgramFlow
Internal program flow
Data
Data
NoTrace
UaAppTraceMaxEntries The maximum number of trace entries in one file 100000
UaAppTraceMaxBackup The maximum number of backup files 5
UaAppTraceDisableFlush If set to true, the trace file is not flushed after each trace entry, but automatically from time to time. For maximum trace performance you should set this option to true. If you have issues with missing trace entries in case of an application crash, you should set this option to false. true
UaAppTraceFile The trace file; [TracePath] can be used as a placeholder for the path to the server application, e.g. [TracePath]/srvTrace.log. Set by define SERVERCONFIG_SERVERTRACEFILE
TraceEvents

Setting to allow clients to get the SDK trace outputs for trace levels Errors, Warning and Info via HistoryRead for events and/or Events from the server. Possible values are:

  • Disabled
  • History
  • HistoryAndEvents

See getTraceEventSettings for more details.

History

Default Application Certificate Store

This part of the configuration file sets the defaults for the certificate handling. These settings can be overwritten in Endpoint Configuration if a special configuration for a specific endpoint is required.

The configuration per Endpoint is no longer necessary. The default configuration is used if no Endpoint specific configuration is provided.

Please refer to Certificates, Certificate Store and Trust List for more information.

<DefaultApplicationCertificateStore>
<MaxTrustListSize>0</MaxTrustListSize>
<SendCertificateChain>true</SendCertificateChain>
<OpenSSLStore>
<CertificateTrustListLocation>[ConfigPath]/pkiserver/trusted/certs/</CertificateTrustListLocation>
<CertificateRevocationListLocation>[ConfigPath]/pkiserver/trusted/crl/</CertificateRevocationListLocation>
<IssuersCertificatesLocation>[ConfigPath]/pkiserver/issuers/certs/</IssuersCertificatesLocation>
<IssuersRevocationListLocation>[ConfigPath]/pkiserver/issuers/crl/</IssuersRevocationListLocation>
</OpenSSLStore>
<ServerCertificate>
<OpenSSLStore>
<ServerCertificate>[ConfigPath]/pkiserver/own/certs/uaservercpp.der</ServerCertificate>
<ServerPrivateKey>[ConfigPath]/pkiserver/own/private/uaservercpp.pem</ServerPrivateKey>
</OpenSSLStore>
<GenerateCertificate>true</GenerateCertificate>
<CertificateSettings>
<CommonName>[ServerName]</CommonName>
<DomainComponent>[NodeName]</DomainComponent>
<Organization>Organization</Organization>
<OrganizationUnit>Unit</OrganizationUnit>
<Locality>LocationName</Locality>
<State></State>
<Country>DE</Country>
<YearsValidFor>5</YearsValidFor>
<KeyLength>2048</KeyLength>
<CertificateType>RsaSha256</CertificateType>
<IPAddress>2a00:1158:400:407:0:0:0:1b2</IPAddress>
<IPAddress>213.95.4.190</IPAddress>
<DNSName>demo.unifiedautomation.com</DNSName>
<DNSName>[NodeName]</DNSName>
</CertificateSettings>
</ServerCertificate>
</DefaultApplicationCertificateStore>
ElementDescriptionDefault
MaxTrustListSize The maximum size of the trust list in bytes. 0 (unlimited)
SendCertificateChain For CA signed certificates, this flag controls whether the server shall send the complete certificate chain instead of just sending the certificate. This affects the GetEndpoints and CreateSession service. true
OpenSSLStore

File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path.
<OpenSSLStore> has the following child elements:

ElementDescription
CertificateTrustListLocation The folder where certificates of trusted applications and trusted CAs should be stored. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet.
CertificateRevocationListLocation The folder where revocation lists for trusted CAs should be stored. Each CA certificate in the CertificateTrustListLocation requires one and only one CRL file in this folder.
IssuersCertificatesLocation The folder where issuer certificates are stored. Issuer certificates are CA certificates necessary for the verification of the full trust chain of CA certificates in the trust list. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet.
IssuersRevocationListLocation The folder where revocation lists for issuer CAs should be stored. Each CA certificate in the IssuersCertificatesLocation requires one and only one CRL file in this folder.

See Certificates, Certificate Store and Trust List for background information and more details on the different directories.

The recommended file directory layout for the store has the following directories and subdirectories:

  • own (see element ServerCertificate in separate table).
    • certs: ServerCertificate
    • private: ServerPrivateKey
  • trusted
    • certs: CertificateTrustListLocation
    • crl: CertificateRevocationListLocation
  • issuers
    • certs: IssuersCertificatesLocation
    • crl: IssuersRevocationListLocation
WindowsStore [ConfigPath] can be used as placeholder for the configuration path.
<WindowsStore> has the following child elements:
ElementDescription
StoreLocation Location of the store; valid values are LocalMachine and CurrentUser
StoreName Name of the certificate store on the local computer
ServerCertificateThumbprint Thumbprint of the server certificate used to load from store
ServerCertificate Application instance certificate for the Server. See the separate table for child elements.

Element ServerCertificate

ElementDescriptionDefault
OpenSSLStore File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path.
Certificates have to be stored in DER format (with file extension .der).
Revocation lists have to be stored in DER format (with file extension .crl) or in PEM format (with .pem as file extension).
The private key is encoded in PEM format (with .pem as file extension).
A more detailed explanation of certificate management can be found on the website of the OPC Foundation: The OPC UA Security Model for Administrators (pdf document).
<OpenSSLStore> has the following child elements:
ElementDescription
ServerCertificate The file containing the server certificate.
ServerPrivateKey The file containing the server private key.
WindowsStore [ConfigPath] can be used as placeholder for the configuration path.
<WindowsStore> has the following child elements:
ElementDescription
StoreLocation Location of the store; valid values are LocalMachine and CurrentUser
StoreName Name of the certificate store on the local computer
ServerCertificateThumbprint Thumbprint of the server certificate used to load from store
GenerateCertificate Enable or disable server certificate creation if no certificate is available; possible values: true or false. true
CertificateSettings Settings for a certificate generated by the server; the information is stored in the following child elements:
ElementDescriptionDefault
CommonName Name of the application; [ServerName] can be used as a placeholder for the configured server name (see Server Instance Information). [ServerName]
DomainComponent DomainComponent as defined in RFC 2247. [NodeName] can be used as a placeholder for the hostname of the machine. [NodeName]
Organization Name of the organization using the OPC UA server
OrganizationUnit Name of the organization unit using the OPC UA server
Locality Name of the location where the OPC UA server is running
State State where the OPC UA server is running
Country Two letter code for country where the OPC UA server is running e.g. DE or US
YearsValidFor The number of years the certificate is valid for; the maximum accepted number is 20, but it is strongly recommended to use a shorter time interval. 5
KeyLength Key length (in bits) of the certificate to create; valid values are 1024 and 2048 for RsaMin, and 2048, 3072 and 4096 for RsaSha256 2048
CertificateType Defines the algorithm used to sign the certificate. Valid values are RsaMin and RsaSha256. Applications that support the Basic128Rsa15 and Basic256 profiles need a Certificate of type RsaMin. Applications that support the Basic256Sha256 profile need a Certificate of type RsaSha256. In this version of the SDK it is not possible to support multiple certificates for one Endpoint, thus it is not possible to support the RsaMin and the RsaSha256 profile at the same time. RsaSha256
IPAddress An application instance certificate needs to provide one or more DNSNames and/or IPAddresses at which the Endpoint can be reached. This information is added to the SubjectAlternativeName of the certificate. [NodeName] can be used as a placeholder for the hostname of the machine.
DNSName [NodeName]

Endpoint Configuration

This part of the configuration defines the OPC UA communication endpoints for the server and their security configurations.

List of Configured Endpoints

The configuration information for each Endpoint has to be stored in a separate XML element <UaEndpoint> using the child elements described later on.

The following code gives an example for a completely configured endpoint.

<SerializerType>Binary</SerializerType>
<Url>opc.tcp://[NodeName]:48010</Url>
<SecuritySetting>
<SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicy>
<MessageSecurityMode>None</MessageSecurityMode>
</SecuritySetting>
<SecuritySetting>
<SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicy>
<MessageSecurityMode>Sign</MessageSecurityMode>
<MessageSecurityMode>SignAndEncrypt</MessageSecurityMode>
</SecuritySetting>
<IsVisible>true</IsVisible>
<IsDiscoveryUrl>true</IsDiscoveryUrl>
<AutomaticallyTrustAllClientCertificates>false</AutomaticallyTrustAllClientCertificates>
<SecurityCheckOverwrites>
<DisableErrorCertificateTimeInvalid>false</DisableErrorCertificateTimeInvalid>
<DisableErrorCertificateIssuerTimeInvalid>false</DisableErrorCertificateIssuerTimeInvalid>
<DisableErrorCertificateRevocationUnknown>false</DisableErrorCertificateRevocationUnknown>
<DisableErrorCertificateIssuerRevocationUnknown>false</DisableErrorCertificateIssuerRevocationUnknown>
<DisableApplicationUriCheck>false</DisableApplicationUriCheck>
<DisableNonceLengthCheck>false</DisableNonceLengthCheck>
<DisableUserTokenPolicyIdCheck>false</DisableUserTokenPolicyIdCheck>
</SecurityCheckOverwrites>
ElementDescriptionDefault
SerializerType The data type encoding for network transport; currently, only Binary is supported
Url URL of the Endpoint; this URL is used for Discovery and to open the Endpoints in the UA stack if no StackUrl is configured. [NodeName] can be used as placeholder for the computer name.
The following configuration alternatives are available:
opc.tcp://[NodeName]:48010
for this URL, the SDK replaces [NodeName] with the host name. The stack binds to all IP addresses (on all network interfaces) of the host. If the host has a dual protocol enabled TCP/IP stack, this includes all network protocol families. If this functionality is not available, the configured preferred protocol (IPv4 of IPv6; part of the stack configuration) is used and the endpoint will only be reachable on network interfaces supporting this protocol type. The host name is returned in the discovery URL.
opc.tcp://MyComputer:48010
for this URL, the stack binds to all IP addresses (on all network interfaces) of the host. If the host has a dual protocol enabled TCP/IP stack, this includes all network protocol families. If this functionality is not available, the configured preferred protocol (IPv4 of IPv6; part of the stack configuration) is used and the endpoint will only be reachable on network interfaces supporting this protocol type. The URL with the host name is returned to clients during discovery.
opc.tcp://192.168.0.15:48010
for this URL, the stack binds just to the IPv4 address and the URL with the IP address is returned to clients during discovery.
opc.tcp://[fe80::20ec:3acb:55d9:a3da]:48010
for this URL, the stack binds just to the IPv6 address and the URL with the IP address is returned to clients during discovery.
StackUrl Optional URL that allows to define a specific address the stack should use to bind to, e.g. opc.tcp://192.168.0.15:48010. It can be used to bind the endpoint to a specific network card or to localhost only.
SecuritySetting Each supported security setting has to be stored in a separate XML element <SecuritySetting> containing the following child elements:
ElementDescription
SecurityPolicy Possible values are #None, #Basic128Rsa15 (no longer considered as secure), #Basic256, and #Basic256Sha256 (see sample code above).
MessageSecurityMode The possible values depend on the security policy. Set value to None with security policy #None. When using security policies other than #None, you can choose between Sign and SignAndEncrypt. It is possible to allow Sign as well as SignAndEncrypt (by adding two MessageSecurityModes, see sample code above)).
IsVisible Flag indicating if the endpoint is provided in GetEndpoints and is therefore visible to a client. true
IsDiscoveryUrl Flag indicating if the endpoint URL is provided as discovery URL. true
AutomaticallyTrustAllClientCertificates This option can be activated if certificates are only used for message security but not for application authentication. If set to true, all client certificates will be accepted automatically and will not be stored. It is strongly recommended to use this option only together with user authentication. false
CreateSignatureWithChain For calculating the server signature, the server needs to append the client certificate to the client nonce. If the client sends a certificate chain, the server should only use the leaf certificate to calculate the server signature. With this setting, the server uses the complete certificate chain instead. This is not the recommended behavior. Only set this flag to work around interoperability issues with misbehaving clients. false
SecurityCheckOverwrites Some of the OPC UA security checks are optional in OPC UA or cause interoperability issues with older OPC UA clients and can be disabled by an administrator of the OPC UA server through the following configuration options (create a separate child element for each check to enable/disable).
ElementDescriptionDefault
DisableErrorCertificateTimeInvalid Flag used to disable the client certificate validation error BadCertificateTimeInvalid. false
DisableErrorCertificateIssuerTimeInvalid Flag used to disable the client certificate validation error BadCertificateIssuerTimeInvalid. false
DisableErrorCertificateRevocationUnknown Flag used to disable the client certificate validation error BadCertificateRevocationUnknown. false
DisableErrorCertificateIssuerRevocationUnknown Flag used to disable the client certificate validation error BadCertificateIssuerRevocationUnknown. false
DisableApplicationUriCheck Flag used to disable the ApplicationUri match check between client certificate and parameter in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a wrong ApplicationUri. false
DisableNonceLengthCheck Flag used to disable the client nonce length check in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a client nonce that is shorter than the required 32 bytes. false
DisableUserTokenPolicyIdCheck Flag used to disable the UserToken PolicyId check in ActivateSession. The check is required for compliant OPC UA servers but older clients may not provide the UserToken PolicyId. false
CertificateStore Certificate store used for PKI certificate handling; different Endpoints can have different stores and different server certificates.
This setting is only required if the defaults specified in Default Application Certificate Store should be overwritten. CertificateStore can have the same child elements as DefaultApplicationCertificateStore.

Server Settings

Element Description Default
MaxRequestAge The maximum age of a request (in milliseconds) the server allows. 0 (unlimited)
MaxSessionCount The maximum number of sessions allowed by the server; ; 0 is unlimited. 100
MaxSessionsPerClient The maximum number of sessions the server allows per client; 0 is unlimited. 0
MinSessionTimeout The minimum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. 10000
MaxSessionTimeout The maximum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. 3600000
MaxBrowseContinuationPoints The maximum number of Browse Continuation Points managed by a session. 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_CP;
default value: 10)
MaxBrowseResults The maximum number of Browse results for one browse operation. 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_RESULTS;
default value: 1000)
MaxNodesToBrowse The maximum number of nodes to browse the server will accept. 0 (unlimited)
MaxNodesPerHistoryReadData The maximum number of nodes accepted by the server for the HistoryRead service for Raw, Modified, Processed, and AtTime. 0 (unlimited)
MaxNodesPerHistoryReadEvents The maximum number of nodes accepted by the server for the HistoryRead service for Events. 0 (unlimited)
MaxNodesPerHistoryUpdateData The maximum number of nodes accepted by the server for the HistoryUpdate service for Data. 0 (unlimited)
MaxNodesPerHistoryUpdateEvents The maximum number of nodes accepted by the server for the HistoryUpdate service for Events. 0 (unlimited)
MaxHistoryContinuationPoints The maximum number of History Continuation Points managed by a session. 0 (using default settings defined by compiler switch DEFAULT_MAX_HISTORY_READ_CP;
default value: 100)
MinPublishingInterval The minimum publishing interval (in milliseconds) the server allows. 50
MaxPublishingInterval The maximum publishing interval (in milliseconds) the server allows. 0 (no limitation)
MinKeepAliveInterval The minimum KeepAlive interval (in milliseconds) the server allows. 5000
MinSubscriptionLifetime The minimum Subscription lifetime (in milliseconds) the server allows; 0 is no limitation. 10000
MaxSubscriptionLifetime The maximum Subscription lifetime (in milliseconds) the server allows. 0 (no limitation)
MaxRetransmissionQueueSize The maximum number of messages per Subscription in the republish queue the server allows. This setting affects the maximum number of Publish requests queued by the server for a Session. The resulting setting for the Publish requests is MaxRetransmissionQueueSize/2. 20
MaxNotificationsPerPublish The maximum number of notifications per Publish the server allows. 0 (no limitation)
MaxDataQueueSize The maximum size of data monitored item queues. 100
MaxEventQueueSize The maximum size of event monitored item queues. 1000
MaxSubscriptionCount The maximum number of subscriptions the server allows to create. 0 (unlimited)
MaxSubscriptionsPerSession The maximum number of subscriptions the server allows to create per Session. 0 (unlimited)
MaxMonitoredItemCount The maximum number of monitored items the server allows to create. 0 (unlimited)
MaxMonitoredItemPerSubscriptionCount The maximum number of monitored items per subscription the server allows to create. 0 (unlimited)
MaxMonitoredItemPerSessionCount The maximum number of monitored items per session the server allows to create. 0 (unlimited)
MinSupportedSampleRate The minimum sample interval (in milliseconds) supported by the server. 0
AvailableSamplingRates The settings for the sampling engine; each sampling rate (in milliseconds) has to be stored in a separate child element,
e.g. <SamplingRate>50</SamplingRate>.
50, 100, 250, 500, 1000, 2000, 5000, 10000
AvailableLocaleIds The settings for the available LocaleIds known to be supported by the server; each LocaleId has to be stored in a separate child element,
e.g. <LocaleId>en</LocaleId>.
en
AvailableServerProfiles The settings for the available UA profiles known to be supported by the server; each profile has to be stored in a separate child element. http://opcfoundation.org/UAProfile/Server/StandardUA
IsAuditActivated Flag indicating if audit events are activated; possible values: true or false. false
ThreadPoolSettings The settings for the thread pools used in the server application. A thread pool is a list of worker threads. The minimum size denotes the size of the tread pool at initialization. It grows dynamically until the maximum size is reached. The following child elements can be set:
  • MinSizeTransactionManager
  • MaxSizeTransactionManager
  • MinSizeSubscriptionManager
  • MaxSizeSubscriptionManager
4 (for each)
RejectedCertificatesDirectory Folder used to store rejected client certificates; e.g. [ConfigPath]/pki/rejected. Administrators can copy files from this folder to the trust list. [ConfigPath] can be used as a placeholder for the path to the server application.
RejectedCertificatesCount Maximum number of certificates stored in the rejected certificates directory. 100

Build Information for the Server Application

Element Description Default
ProductUri A globally unique identifier for the server product; e.g. urn:UnifiedAutomation:UaServerCpp. Set by define SERVERCONFIG_PRODUCTURI
ManufacturerName A human readable name for manufacturer of the product. Set by define SERVERCONFIG_MANUFACTURERNAME
ProductName A human readable name for the server product. Set by define SERVERCONFIG_PRODUCTNAME
SoftwareVersion A string representing the version of the server product. Set by define SERVERCONFIG_SOFTWAREVERSION
BuildNumber A string representing the build number of the server product. Set by define SERVERCONFIG_BUILDNUMBER

Server Instance Information

These elements provide server instance information defined for the server installation. [NodeName] can be used as a placeholder for the computer name.

Element Description Default
ServerUri A globally unique identifier for the server installation; e.g. urn:[NodeName]:UnifiedAutomation:UaServerCpp. Set by define SERVERCONFIG_SERVERURI
ServerName A human readable name for the server installation; e.g. UaServerCpp@[NodeName]. Set by define SERVERCONFIG_SERVERNAME

User Identity Tokens

The configuration of supported user identity tokens is stored in the element <UserIdentityTokens>. It contains the following child elements:

Element Description Default
EnableAnonymous Enable or disable anonymous log-on; possible values are true or false. true
EnableUserPw Enable or disable user/password log-on; possible values are true or false. false
EnableCertificate Enable or disable certificate based user log-on; possible values are true or false.

false

SecurityPolicy The security policy to use when encrypting or signing the UserIdentityToken when it is passed to the server. This security policy is only applied for None Endpoints. For other Endpoints, we use the security policy of the Endpoint. http://opcfoundation.org/UA/SecurityPolicy#Basic256
DefaultUserCertificateStore Configuration for file based certificate store to handle user certificates. It has the following child elements:
Element Description Default
CertificateTrustListLocation The folder where certificates of trusted users and trusted CAs should be stored. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet. [ConfigPath]/pkiuser/trusted/certs/
CertificateRevocationListLocation The folder where revocation lists for trusted CAs should be stored. [ConfigPath]/pkiuser/trusted/crl/
IssuersCertificatesLocation The folder where issuer certificates are stored. Issuer certificates are CA certificates necessary for the verification of the full trust chain of CA certificates in the trust list. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet. [ConfigPath]/pkiuser/issuers/certs/
IssuersRevocationListLocation The folder where revocation lists for issuer CAs should be stored. [ConfigPath]/pkiuser/issuers/crl/
RejectedUserCertificatesDirectory Folder used to store rejected user certificates. [ConfigPath]/pkiuser/rejected
RejectedUserCertificatesCount Maximum number of certificates stored in the rejected directory. 100

IDs for Default Roles

I addition to the user authentication through the different user token types, the SDK provides also a user authorization down to a single node managed by the toolkit layer. The assignment of users to groups and the setting of the access masks for the different nodes created is in the responsibility of the application developer. See the related example for more details.

But the SDK has some built-in nodes and features like the ServerConfiguration object for standardized certificate management, the trace configuration objects or the creation of AuditEvents where the access must be limited to authorized users.

For these built-in nodes and features, the SDK defines two roles, the security administrator and the configuration administrator. The element <UserAndGroupIdsForDefaultRoles> can be used to set IDs for default roles defined in the SDK.

Element Description Default
RootUserId The root user has unlimited access to all nodes and features in the server 0
SecurityAdminGroupId Members of the SecurityAdminGroup can receive audit events and configure certificates. 0
ConfigurationAdminGroupId Members of the ConfigurationAdminGroup can configure the server trace. 0

Discovery Registration

The configuration for the registration with discovery server(s) is stored in the element <DiscoveryRegistration>. It contains the following child elements:

Element Description Default
AutomaticCertificateExchange Flag indicating if the certificates should be exchanged with the windows certificate store false
DiscoveryServerTrustListLocation Path of the local discovery server trust list. This is where the server copies its certificate to if the file based store of the new LDS is used.
DiscoveryServerStoreName Store name used for the local discovery server in the windows certificate store.
DiscoveryServerCertificateName Certificate name of the local discovery server in the windows certificate store.
RegistrationInterval Interval (in milliseconds) for registration with discovery server(s) 30000
Url List of discovery servers to register with, typically opc.tcp://localhost:4840 (local discovery server); if the list is empty, no registration is executed. Additional remote discovery servers can be added.

Redundancy Support and Additional Server Entries

<RedundancySettings>
<RedundancySupport>Hot</RedundancySupport>
<ServerUri>urn:MyServer:UnifiedAutomation:RedundancySample</ServerUri>
<ServerUri>urn:PC1:UnifiedAutomation:RedundancySample</ServerUri>
<ServerUri>urn:PC2:UnifiedAutomation:RedundancySample</ServerUri>
</RedundancySettings>
<AdditionalServerEntries>
<ApplicationDescription>
<ApplicationUri>urn:PC1:UnifiedAutomation:RedundancySample</ApplicationUri>
<ProductUri>urn:UnifiedAutomation:RedundancySample</ProductUri>
<ApplicationName>RedundancySample@PC1</ApplicationName>
<ApplicationType>Server</ApplicationType>
<GatewayServerUri></GatewayServerUri>
<DiscoveryProfileUri></DiscoveryProfileUri>
<DiscoveryUrl>opc.tcp://PC1:48010</DiscoveryUrl>
<DiscoveryUrl>https://PC1:48011</DiscoveryUrl>
</ApplicationDescription>
<ApplicationDescription>
<ApplicationUri>urn:PC2:UnifiedAutomation:RedundancySample</ApplicationUri>
<ProductUri>urn:UnifiedAutomation:RedundancySample</ProductUri>
<ApplicationName>RedundancySample@PC2</ApplicationName>
<ApplicationType>Server</ApplicationType>
<GatewayServerUri></GatewayServerUri>
<DiscoveryProfileUri></DiscoveryProfileUri>
<DiscoveryUrl>opc.tcp://PC2:48010</DiscoveryUrl>
<DiscoveryUrl>https://PC2:48011</DiscoveryUrl>
</ApplicationDescription>
</AdditionalServerEntries>

See Redundancy for more information about server redundancy.

Redundancy Settings

This element provides the redundancy settings for the server.

Element Description Default
RedundancySupport Possible redundancy support options are None, Cold, Warm, Hot and Transparent (Transparent requires a special module). None
ServerUri The list of server URIs for the servers in the NonTransparent redundant set. Add a separate child element ServerUri for each server. The server itself has to be included in the list (see sample code).

Additional Server Entries

This is required for the redundancy configuration to provide the discovery URLs for the configured ServerUris of the redundant servers in a non-transparent redundancy set. It is possible to define a list of application descriptions as child elements of <AdditionalServerEntries> as shown in the code sample. [NodeName] can be used as a placeholder for the computer name. The own server must be excluded from the list.

This can also be used to configure other servers on the same system if the server itself is running on Port 4840.

Element Description
ApplicationUri A globally unique identifier for the server product.
ProductUri A globally unique identifier for the product the server belongs to.
ApplicationName A human readable name for the server product.
ApplicationType Possible application types are Server and ClientAndServer.
GatewayServerUri A URI that indentifies the Gateway Server associated with the DiscoveryUrl.
DiscoveryProfileUri A URI that identifies the discovery profile supported by the URL.
DiscoveryUrl URL for the discovery Endpoint provided by the server.

Serializer

This part of the configuration defines the OPC UA Stack serializer settings and are stored in the element <Serializer>. Set these values carefully, as they are the security constraints for the serializer. The following child elements can be set:

Element Description Default
MaxAlloc The largest size for a memory block the serializer can do when deserializing a message. Set by define OPCUA_SERIALIZER_MAXALLOC
MaxStringLength The largest string accepted by the serializer. Set by define OPCUA_ENCODER_MAXSTRINGLENGTH
MaxByteStringLength The largest byte string accepted by the serializer. Set by define OPCUA_ENCODER_MAXBYTESTRINGLENGTH
MaxArrayLength Maximum number of elements in an array accepted by the serializer. Set by define OPCUA_ENCODER_MAXARRAYLENGTH
MaxMessageSize The maximum number of bytes per message in total. Set by define OPCUA_ENCODER_MAXMESSAGELENGTH

Stack Thread Pool Settings

The element <StackThreadPoolSettings> stores the settings for the thread pool used in the OPC UA Stack. It contains the following child elements:

Element Description Default
Enabled Controls whether the secure listener uses a thread pool to dispatch received requests. false
MinThreads The minimum number of threads in the thread pool. 5
MaxThreads The maximum number of threads in the thread pool. 5
MaxJobs The length of the queue with jobs waiting for a free thread. 20
BlockOnAdd If MaxJobs is reached, the add operation can block or return an error. true
Timeout If the add operation blocks on a full job queue, this value sets the maximum waiting time (in milliseconds). 0 is infinite. infinite

INI Configuration File

An INI based example configuration file can be found in [Installation Directory]/bin.

Build Information for the Server Application

ProductUri=urn:[NodeName]:UnifiedAutomation:UaServerCpp
ManufacturerName=Unified Automation GmbH
ProductName=C++ SDK OPC UA Demo Server
SoftwareVersion=1.4.0
BuildNumber=250
Parameter Description Default
ProductUri A globally unique identifier for the server product Set by define SERVERCONFIG_PRODUCTURI
ManufacturerName A human readable name for manufacturer of the product. Set by define SERVERCONFIG_MANUFACTURERNAME
ProductName A human readable name for the server product. Set by define SERVERCONFIG_PRODUCTNAME
SoftwareVersion A string representing the version of the server product. Set by define SERVERCONFIG_SOFTWAREVERSION
BuildNumber A string representing the build number of the server product. Set by define SERVERCONFIG_BUILDNUMBER

Server Instance Information

These parameters provide server instance information defined for the server installation. [NodeName] can be used as a placeholder for the computer name.

ServerUri=urn:[NodeName]:UnifiedAutomation:UaServerCpp
ServerName=UaServerCpp@[NodeName]
Parameter Description Default
ServerUri A globally unique identifier for the server installation. Set by define SERVERCONFIG_SERVERURI
ServerName A human readable name for the server installation. Set by define SERVERCONFIG_SERVERNAME

Trace

Here, the trace settings for the OPC UA Stack and OPC UA Application are stored. The following parameters can be set:

Trace/UaAppTraceFile=[TracePath]/UaServerCPP.log
Trace/UaAppTraceEnabled=false
Trace/UaAppTraceLevel=Data
Trace/UaStackTraceEnabled=false
Trace/UaStackTraceLevel=ALL
Trace/UaAppTraceMaxBackup=5
Trace/UaAppTraceMaxEntries=100000
Trace/UaAppTraceDisableFlush=true
Trace/TraceEvents=History
Parameter Description Default
UaAppTraceFile The trace file; [TracePath] can be used as a placeholder for the path to the server application. Set by define SERVERCONFIG_SERVERTRACEFILE
UaStackTraceEnabled Enable or disable the UA stack trace; possible values are true or false. false
UaStackTraceLevel The UA stack trace level; possible values are
NONE
No Trace
ERROR
Critical errors, which require attention, i.e. unexpected errors and/or errors requiring external actions
WARNING
Non-critical faults, which should not go unnoticed but are handled internally
SYSTEM
Rare major events (good cases) like initializations, shutdown, etc.
INFO
Regular good case events, like connects, renews
DEBUG
Used for debugging purposes
CONTENT
Used to add additional content (i.e. whole message bodies) to debug traces
ALL
All outputs
NONE
UaAppTraceEnabled Enable or disable the UA server application trace; possible values are true or false false
UaAppTraceLevel The UA server application trace level; possible values are
NoTrace
No Trace
Errors
Unexpected errors
Warning
Unexpected behaviour that is not an error
Info
Information about important activities, like connection establishment
InterfaceCall
Calls to module interfaces
CtorDtor
Creation and destruction of objects
ProgramFlow
Internal program flow
Data
Data
NoTrace
UaAppTraceMaxBackup The maximum number of backup files 5
UaAppTraceMaxEntries The maximum number of trace entries in one file 100000
UaAppTraceDisableFlush If set to true, the trace file is not flushed after each trace entry, but automatically from time to time. For maximum trace performance you should set this option to true. If you have issues with missing trace entries in case of an application crash, you should set this option to false. true
TraceEvents Setting to allow clients to get the SDK trace outputs for trace levels Errors, Warning and Info via HistoryRead for events and/or Events from the server. Possible values are: History

Default Application Certificate Store

This part of the configuration file sets the defaults for the certificate handling. These settings can be overwritten in Endpoint Configuration if a different configuration for a specific endpoint is required.

The configuration per Endpoint is not longer necessary. The default configuration is used if no Endpoint specific configuration is provided.

Please refer to Certificates, Certificate Store and Trust List for more information.

DefaultApplicationCertificateStore/MaxTrustListSize=0
DefaultApplicationCertificateStore/SendCertificateChain=true
DefaultApplicationCertificateStore/OpenSSLStore/CertificateTrustListLocation=[ConfigPath]/pkiserver/trusted/certs/
DefaultApplicationCertificateStore/OpenSSLStore/CertificateRevocationListLocation=[ConfigPath]/pkiserver/trusted/crl/
DefaultApplicationCertificateStore/OpenSSLStore/IssuersCertificatesLocation=[ConfigPath]/pkiserver/issuers/certs/
DefaultApplicationCertificateStore/OpenSSLStore/IssuersRevocationListLocation=[ConfigPath]/pkiserver/issuers/crl/
DefaultApplicationCertificateStore/ServerCertificate_1/OpenSSLStore/ServerCertificate=[ConfigPath]/pkiserver/own/certs/uaservercpp.der
DefaultApplicationCertificateStore/ServerCertificate_1/OpenSSLStore/ServerPrivateKey=[ConfigPath]/pkiserver/own/private/uaservercpp.pem
DefaultApplicationCertificateStore/ServerCertificate_1/GenerateCertificate=true
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/CommonName=[ServerName]
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/DomainComponent=[NodeName]
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/Organization=Organization
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/OrganizationUnit=Unit
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/Locality=LocationName
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/State
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/Country=DE
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/YearsValidFor=5
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/KeyLength=2048
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/CertificateType=RsaSha256
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/IPAddress_1=213.95.4.190
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/IPAddress_2=2a00:1158:400:407:0:0:0:1b2
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/DNSName_1=[NodeName]
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/DNSName_2=demo.unifiedautomation.com
ParameterDescriptionDefault
MaxTrustListSize The maximum size of the trust list in bytes. 0 (unlimited)
SendCertificateChain For CA signed certificates, this flag controls whether the server shall send the complete certificate chain instead of just sending the certificate. This affects the GetEndpoints and CreateSession service. true
OpenSSLStore

File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path.
The following parameters can be set:

ParameterDescription
CertificateTrustListLocation The folder where certificates of trusted applications and trusted CAs should be stored. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet.
CertificateRevocationListLocation The folder where revocation lists for trusted CAs should be stored. Each CA certificate in the CertificateTrustListLocation requires one and only one CRL file in this folder.
IssuersCertificatesLocation The folder where issuer certificates are stored. Issuer certificates are CA certificates necessary for the verification of the full trust chain of CA certificates in the trust list. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet.
IssuersRevocationListLocation The folder where revocation lists for issuer CAs should be stored. Each CA certificate in the IssuersCertificatesLocation requires one and only one CRL file in this folder.

The recommended file directory layout for the store has the following directories and subdirectories:

  • own (see parameter ServerCertificate in separate table).
    • certs: ServerCertificate
    • private: ServerPrivateKey
  • trusted
    • certs: CertificateTrustListLocation
    • crl: CertificateRevocationListLocation
  • issuers
    • certs: IssuersCertificatesLocation
    • crl: IssuersRevocationListLocation
WindowsStore [ConfigPath] can be used as placeholder for the configuration path.
The following parameters can be set for WindowsStore:
ParameterDescription
StoreLocation Location of the store; valid values are LocalMachine and CurrentUser
StoreName Name of the certificate store on the local computer
ServerCertificateThumbprint Thumbprint of the server certificate used to load from store
ServerCertificate Application instance certificate for the Server. See the separate table for a description.

Element ServerCertificate

ParameterDescriptionDefault
OpenSSLStore File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path.
Certificates have to be stored in DER format (with file extension .der).
Revocation lists have to be stored in DER format (with file extension .crl) or in PEM format (with .pem as file extension).
The private key is encoded in PEM format (with .pem as file extension).
A more detailed explanation of certificate management can be found on the website of the OPC Foundation: The OPC UA Security Model for Administrators (pdf document).
The following parameters can be set (see sample code):
ParameterDescription
ServerCertificate The file containing the server certificate.
ServerPrivateKey The file containing the server private key.
WindowsStore [ConfigPath] can be used as placeholder for the configuration path.
The following parameters can be set:
ParameterDescription
StoreLocation Location of the store; valid values are LocalMachine and CurrentUser
StoreName Name of the certificate store on the local computer
ServerCertificateThumbprint Thumbprint of the server certificate used to load from store
GenerateCertificate Enable or disable server certificate creation if no certificate is available; possible values: true or false. true
CertificateSettings Settings for a certificate generated by the server; the information is stored in the following parameters (see sample code):
ParameterDescriptionDefault
CommonName Name of the application; [ServerName] can be used as a placeholder for the configured server name (see Server Instance Information). [ServerName]
DomainComponent DomainComponent as defined in RFC 2247. [NodeName] can be used as a placeholder for the hostname of the machine. [NodeName]
Organization Name of the organization using the OPC UA server
OrganizationUnit Name of the organization unit using the OPC UA server
Locality Name of the location where the OPC UA server is running
State State where the OPC UA server is running
Country Two letter code for country where the OPC UA server is running e.g. DE or US
YearsValidFor The number of years the certificate is valid for; the maximum accepted number is 20, but it is strongly recommended to use a shorter time interval. 5
KeyLength Key length (in bits) of the certificate to create; valid values are 1024 and 2048 for RsaMin, and 2048, 3072 and 4096 for RsaSha256 2048
CertificateType Defines the algorithm used to sign the certificate. Valid values are RsaMin and RsaSha256. Applications that support the Basic128Rsa15 and Basic256 profiles need a Certificate of type RsaMin. Applications that support the Basic256Sha256 profile need a Certificate of type RsaSha256. In this version of the SDK it is not possible to support multiple certificates for one Endpoint, thus it is not possible to support the RsaMin and the RsaSha256 profile at the same time. RsaSha256
IPAddress An application instance certificate needs to provide one or more DNSNames and/or IPAddresses at which the Endpoint can be reached. This information is added to the SubjectAlternativeName of the certificate. [NodeName] can be used as a placeholder for the hostname of the machine.
DNSName [NodeName]

Server Settings

MaxRequestAge=0
MaxSessionCount=100
MaxSessionsPerClient=0
MinSessionTimeout=10000
MaxSessionTimeout=3600000
MaxBrowseContinuationPoints=0
MaxBrowseResults=0
MaxNodesToBrowse=0
MaxNodesPerHistoryReadData=0
MaxNodesPerHistoryReadEvents=0
MaxNodesPerHistoryUpdateData=0
MaxNodesPerHistoryUpdateEvents=0
MaxHistoryContinuationPoints=0
MinPublishingInterval=50
MaxPublishingInterval=0
MinKeepAliveInterval=5000
MinSubscriptionLifetime=10000
MaxSubscriptionLifetime=0
MaxRetransmissionQueueSize=20
MaxNotificationsPerPublish=0
MaxDataQueueSize=100
MaxEventQueueSize=10000
MaxSubscriptionCount=0
MaxSubscriptionsPerSession=10
MaxMonitoredItemCount=0
MaxMonitoredItemPerSubscriptionCount=0
MaxMonitoredItemPerSessionCount=0
MinSupportedSampleRate=0
AvailableSamplingRates/SamplingRate_1=0
AvailableSamplingRates/SamplingRate_2=50
AvailableSamplingRates/SamplingRate_3=100
AvailableSamplingRates/SamplingRate_4=250
AvailableSamplingRates/SamplingRate_5=500
AvailableSamplingRates/SamplingRate_6=1000
AvailableSamplingRates/SamplingRate_7=2000
AvailableSamplingRates/SamplingRate_8=5000
AvailableSamplingRates/SamplingRate_9=10000
AvailableLocaleIds/LocaleId_1=en
AvailableServerProfiles/ServerProfileUri_1=http://opcfoundation.org/UAProfile/Server/StandardUA
AvailableServerProfiles/ServerProfileUri_2=http://opcfoundation.org/UAProfile/Server/DataAccess
AvailableServerProfiles/ServerProfileUri_3=http://opcfoundation.org/UAProfile/Server/Methods
AvailableServerProfiles/ServerProfileUri_4=http://opcfoundation.org/UAProfile/Server/NodeManagement
AvailableServerProfiles/ServerProfileUri_5=http://opcfoundation.org/UAProfile/Server/EventSubscription
IsAuditActivated=false
ThreadPoolSettings/MinSizeTransactionManager=1
ThreadPoolSettings/MaxSizeTransactionManager=10
ThreadPoolSettings/MinSizeSubscriptionManager=1
ThreadPoolSettings/MaxSizeSubscriptionManager=10
RejectedCertificatesDirectory=[ConfigPath]/pki/rejected
RejectedCertificatesCount=100
Parameter Description Default
MaxRequestAge The maximum age of a request (in milliseconds) the server allows. 0 (unlimited)
MaxSessionCount The maximum number of sessions allowed by the server; 0 is unlimited. 100
MaxSessionsPerClient The maximum number of sessions the server allows per client; 0 is unlimited. 0
MinSessionTimeout The minimum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. 10000
MaxSessionTimeout The maximum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. 3600000
MaxNodesPerHistoryReadData The maximum number of nodes accepted by the server for the HistoryRead service for Raw, Modified, Processed, and AtTime. 0 (unlimited)
MaxNodesPerHistoryReadEvents The maximum number of nodes accepted by the server for the HistoryRead service for Events. 0 (unlimited)
MaxNodesPerHistoryUpdateData The maximum number of nodes accepted by the server for the HistoryUpdate service for Data. 0 (unlimited)
MaxNodesPerHistoryUpdateEvents The maximum number of nodes accepted by the server for the HistoryUpdate service for Events. 0 (unlimited)
MaxBrowseContinuationPoints The maximum number of Browse Continuation Points managed by a session. 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_CP;
default value: 10)
MaxBrowseResults The maximum number of Browse results for one browse operation. 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_RESULTS;
default value: 1000)
MaxNodesToBrowse The maximum number of nodes to browsethe server will accept. 0 (unlimited)
MaxHistoryContinuationPoints The maximum number of History Continuation Points managed by a session. 0 (using default settings defined by compiler switch DEFAULT_MAX_HISTORY_READ_CP;
default value: 100)
MinPublishingInterval The minimum publishing interval (in milliseconds) the server allows. 50
MaxPublishingInterval The maximum publishing interval (in milliseconds) the server allows. 0 (no limitation)
MinKeepAliveInterval The minimum KeepAlive interval (in milliseconds) the server allows. 5000
MinSubscriptionLifetime The minimum Subscription lifetime (in milliseconds) the server allows; 0 is no limitation. 10000
MaxSubscriptionLifetime The maximum Subscription lifetime (in milliseconds) the server allows. 0 (no limitation)
MaxRetransmissionQueueSize The maximum number of messages per Subscription in the republish queue the server allows. This setting affects the maximum number of Publish requests queued by the server for a Session. The resulting setting for the Publish requests is MaxRetransmissionQueueSize/2. 20
MaxNotificationsPerPublish The maximum number of notifications per Publish the server allows. 0 (no limitation)
MaxDataQueueSize The maximum size of data monitored item queues. 100
MaxEventQueueSize The maximum size of event monitored item queues. 1000
MaxSubscriptionCount The maximum number of subscriptions the server allows to create. 0 (unlimited)
MaxSubscriptionsPerSession The maximum number of subscriptions the server allows to create per Session. 0 (unlimited)
MaxMonitoredItemCount The maximum number of monitored items the server allows to create. 0 (unlimited)
MaxMonitoredItemPerSubscriptionCount The maximum number of monitored items per subscription the server allows to create. 0 (unlimited)
MaxMonitoredItemPerSessionCount The maximum number of monitored items per session the server allows to create. 0 (unlimited)
MinSupportedSampleRate The minimum sample interval supported by the server. 0
AvailableSamplingRates The settings for the sampling engine; add a line AvailableSamplingRates/SamplingRate_[n]=[sampling rate in milliseconds] for each sampling rate (see sample code). 50, 100, 250, 500, 1000, 2000, 5000, 10000
AvailableLocaleIds The settings for the available LocaleIds known to be supported by the server; add a line AvailableLocaleIds/LocaleId_[n]=[Locale ID] for each Locale ID (see sample code). en
AvailableServerProfiles The settings for the available UA profiles known to be supported by the server; add a line AvailableServerProfiles/ServerProfileUri_[n]=[Server Profile URI] for each Server Profile URI (see sample code). http://opcfoundation.org/UAProfile/Server/StandardUA
IsAuditActivated Flag indicating if audit events are activated; possible values: true or false. false
ThreadPoolSettings The settings for the thread pools used in the server application; the following parameters can be set (each in a separate line ThreadPoolSettings/[parameter]=[value]): MaxSizeTransactionManager, MinSizeTransactionManager, MaxSizeSubscriptionManager, MinSizeSubscriptionManager (see sample code). 4 (for each)
RejectedCertificatesDirectory Folder used to store rejected client certificates; e.g. [ConfigPath]/pki/rejected. Administrators can copy files from this folder to the trust list. [ConfigPath] can be used as a placeholder for the path to the server application.
RejectedCertificatesCount Maximum number of certificates stored in the rejected certificates directory. 100

User Identity Tokens

The configuration of supported user identity tokens is stored in the parameter set UserIdentityTokens containing the following parameters:

UserIdentityTokens/EnableUserPw=true
UserIdentityTokens/EnableAnonymous=true
UserIdentityTokens/EnableCertificate=false
UserIdentityTokens/SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
UserIdentityTokens/DefaultUserCertificateStore/CertificateTrustListLocation=[ConfigPath]/pkiuser/trusted/certs/
UserIdentityTokens/DefaultUserCertificateStore/CertificateRevocationListLocation=[ConfigPath]/pkiuser/trusted/crl/
UserIdentityTokens/DefaultUserCertificateStore/IssuersCertificatesLocation=[ConfigPath]/pkiuser/issuers/certs/
UserIdentityTokens/DefaultUserCertificateStore/IssuersRevocationListLocation=[ConfigPath]/pkiuser/issuers/crl/
UserIdentityTokens/RejectedUserCertificatesDirectory=[ConfigPath]/pkiuser/rejected
UserIdentityTokens/RejectedUserCertificatesCount=100
Parameter Description Default
EnableAnonymous Enable or disable anonymous log-on; possible values are true or false. true
EnableUserPw Enable or disable user/password log-on; possible values are true or false. false
EnableCertificate Enable or disable certificate based user log-on; possible values are true or false.

false

SecurityPolicy The security policy to use when encrypting or signing the UserIdentityToken when it is passed to the server. This security policy is only applied for None Endpoints. For other Endpoints, we use the security policy of the Endpoint. http://opcfoundation.org/UA/SecurityPolicy#Basic256
DefaultUserCertificateStore Configuration for file based certificate store to handle user certificates. The following parameters can be set:
Parameters Description Default
CertificateTrustListLocation The folder where certificates of trusted users and trusted CAs should be stored. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet. [ConfigPath]/pkiuser/trusted/certs/
CertificateRevocationListLocation The folder where revocation lists for trusted CAs should be stored. [ConfigPath]/pkiuser/trusted/crl/
IssuersCertificatesLocation The folder where issuer certificates are stored. Issuer certificates are CA certificates necessary for the verification of the full trust chain of CA certificates in the trust list. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet. [ConfigPath]/pkiuser/issuers/certs/
IssuersRevocationListLocation The folder where revocation lists for issuer CAs should be stored. [ConfigPath]/pkiuser/issuers/crl/
RejectedUserCertificatesDirectory Folder used to store rejected user certificates. [ConfigPath]/pkiuser/rejected
RejectedUserCertificatesCount Maximum number of certificates stored in the rejected directory. 100

IDs for Default Roles

I addition to the user authentication through the different user token types, the SDK provides also a user authorization down to a single node managed by the toolkit layer. The assignment of users to groups and the setting of the access masks for the different nodes created is in the responsibility of the application developer. See the related example for more details.

But the SDK has some built-in nodes and features like the ServerConfiguration object for standardized certificate management, the trace configuration objects or the creation of AuditEvents where the access must be limited to authorized users.

For these built-in nodes and features, the SDK defines two roles, the security administrator and the configuration administrator. The element <UserAndGroupIdsForDefaultRoles> can be used to set IDs for default roles defined in the SDK.

UserAndGroupIdsForDefaultRoles/RootUserId=0
UserAndGroupIdsForDefaultRoles/SecurityAdminGroupId=0
UserAndGroupIdsForDefaultRoles/ConfigurationAdminGroupId=0
Parameter Description Default
RootUserId The root user has unlimited access to all nodes and features in the server. 0
SecurityAdminGroupId Members of the SecurityAdminGroup can receive audit events and configure certificates. 0
ConfigurationAdminGroupId Members of the ConfigurationAdminGroup can configure the server trace. 0

Serializer

This part of the configuration defines the OPC UA Stack serializer settings. Set these values carefully, as they are the security constraints for the serializer. The following parameters can be set:

Serializer/MaxAlloc=16777216
Serializer/MaxStringLength=16777216
Serializer/MaxByteStringLength=16777216
Serializer/MaxArrayLength=65536
Serializer/MaxMessageSize=16777216
Parameter Description Default
MaxAlloc The largest size for a memory block the serializer can do when deserializing a message. Set by define OPCUA_SERIALIZER_MAXALLOC
MaxStringLength The largest string accepted by the serializer. Set by define OPCUA_ENCODER_MAXSTRINGLENGTH
MaxByteStringLength The largest byte string accepted by the serializer. Set by define OPCUA_ENCODER_MAXBYTESTRINGLENGTH
MaxArrayLength Maximum number of elements in an array accepted by the serializer. Set by define OPCUA_ENCODER_MAXARRAYLENGTH
MaxMessageSize The maximum number of bytes per message in total. Set by define OPCUA_ENCODER_MAXMESSAGELENGTH

Stack Thread Pool Settings

The parameter set StackThreadPoolSettings stores the settings for the thread pool used in the OPC UA Stack. The following parameters can be set:

StackThreadPoolSettings/Enabled=false
StackThreadPoolSettings/MaxJobs=20
StackThreadPoolSettings/Timeout=0
StackThreadPoolSettings/BlockOnAdd=true
StackThreadPoolSettings/MinThreads=5
StackThreadPoolSettings/MaxThreads=10
Parameter Description Default
Enabled Controls whether the secure listener uses a thread pool to dispatch received requests. false
MaxJobs The length of the queue with jobs waiting for a free thread. 20
Timeout If the add operation blocks on a full job queue, this value sets the maximum waiting time (in milliseconds). 0 is infinite. infinite
BlockOnAdd If MaxJobs is reached, the add operation can block or return an error. true
MaxThreads The maximum number of threads in the thread pool. 5
MinThreads The minimum number of threads in the thread pool. 5

Discovery Registration

DiscoveryRegistration/AutomaticCertificateExchange=false
DiscoveryRegistration/DiscoveryServerStoreName=UA Applications
DiscoveryRegistration/DiscoveryServerCertificateName=UA Local Discovery Server
DiscoveryRegistration/RegistrationInterval=30000
DiscoveryRegistration/Url_1=opc.tcp://localhost:4840

The configuration for the registration with discovery server(s) is stored in the parameter set DiscoveryRegistration containing the following parameters:

Parameter Description Default
AutomaticCertificateExchange Flag indicating if the certificates should be exchanged with the windows certificate store false
DiscoveryServerTrustListLocation Path of the local discovery server trust list. This is where the server copies its certificate to if the file based store of the new LDS is used.
DiscoveryServerStoreName Store name used for the local discovery server in the windows certificate store.
DiscoveryServerCertificateName Certificate name of the local discovery server in the windows certificate store.
RegistrationInterval Interval (in milliseconds) for registration with discovery server(s) 30000
Url List of discovery servers to register with, typically opc.tcp://localhost:4840 (local discovery server); if the list is empty, no registration is executed. To add additional remote discovery servers, add each in a separate line, consecutively numbered (DiscoveryRegistration/Url_[n]=[Server Url]).

Redundancy Support and Additional Server Entries

RedundancySettings/RedundancySupport=Hot
RedundancySettings/ServerUri_1=urn:MyServer:UnifiedAutomation:RedundancySample
RedundancySettings/ServerUri_2=urn:PC1:UnifiedAutomation:RedundancySample
RedundancySettings/ServerUri_3=urn:PC2:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_1/ApplicationUri=urn:PC1:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_1/ProductUri=urn:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_1/ApplicationName=RedundancySample@PC1
AdditionalServerEntries/ApplicationDescription_1/ApplicationType=Server
AdditionalServerEntries/ApplicationDescription_1/GatewayServerUri=
AdditionalServerEntries/ApplicationDescription_1/DiscoveryProfileUri=
AdditionalServerEntries/ApplicationDescription_1/DiscoveryUrl_1=opc.tcp://PC1:48010
AdditionalServerEntries/ApplicationDescription_1/DiscoveryUrl_2=https://PC1:48011
AdditionalServerEntries/ApplicationDescription_2/ApplicationUri=urn:PC2:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_2/ProductUri=urn:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_2/ApplicationName=RedundancySample@PC2
AdditionalServerEntries/ApplicationDescription_2/ApplicationType=Server
AdditionalServerEntries/ApplicationDescription_2/GatewayServerUri=
AdditionalServerEntries/ApplicationDescription_2/DiscoveryProfileUri=
AdditionalServerEntries/ApplicationDescription_2/DiscoveryUrl_1=opc.tcp://PC2:48010
AdditionalServerEntries/ApplicationDescription_2/DiscoveryUrl_2=https://PC2:48011

See Redundancy for more information about server redundancy.

Redundancy Settings

This parameter set provides the redundancy settings for the server.

Parameter Description Default
RedundancySupport Possible redundancy support options are None, Cold, Warm, Hot and Transparent (Transparent requires a special module). None
ServerUri The list of server URIs for the servers in the NonTransparent redundant set. Add a separate line in the form RedundancySettings/ServerUri_[n]=[ServerUri] for each server. The server itself has to be included in the list (see sample code).

Additional Server Entries

This is required for the redundancy configuration to provide the discovery URLs for the configured ServerUris of the redundant servers in a non-transparent redundancy set. It is possible to define a list of application descriptions numbered consecutively as shown in the code sample. [NodeName] can be used as a placeholder for the computer name. The own server must be excluded from the list.

This can also be used to configure other servers on the same system if the server itself is running on Port 4840.

Parameter Description
ApplicationUri A globally unique identifier for the server product.
ProductUri A globally unique identifier for the product the server belongs to.
ApplicationName A human readable name for the server product.
ApplicationType Possible application types are Server and ClientAndServer.
GatewayServerUri A URI that identifies the Gateway Server associated with the DiscoveryUrl.
DiscoveryProfileUri A URI that identifies the discovery profile supported by the URL.
DiscoveryUrl URL for the discovery Endpoint provided by the server.

Endpoint Configuration

The following code gives an example for a parameter set resulting in a completely configured endpoint. Use consecutively numbered parameter sets UaEndpoint_[n] for additional Endpoints.

UaEndpoint_1/Url=opc.tcp://[NodeName]:48010
UaEndpoint_1/SerializerType=Binary
UaEndpoint_1/IsVisible=true
UaEndpoint_1/IsDiscoveryUrl=true
UaEndpoint_1/AutomaticallyTrustAllClientCertificates=false
UaEndpoint_1/CreateSignatureWithChain=false
UaEndpoint_1/SecuritySetting_1/SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#None
UaEndpoint_1/SecuritySetting_1/MessageSecurityMode=None
UaEndpoint_1/SecuritySetting_2/SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic256
UaEndpoint_1/SecuritySetting_2/MessageSecurityMode_1=Sign
UaEndpoint_1/SecuritySetting_2/MessageSecurityMode_2=SignAndEncrypt
UaEndpoint_1/SecurityCheckOverwrites/DisableErrorCertificateTimeInvalid=false
UaEndpoint_1/SecurityCheckOverwrites/DisableErrorCertificateIssuerTimeInvalid=false
UaEndpoint_1/CertificateStore/OpenSSLStore/CertificateTrustListLocation=[ConfigPath]/pki/trusted/certs/
UaEndpoint_1/CertificateStore/OpenSSLStore/CertificateRevocationListLocation=[ConfigPath]/pki/trusted/crl/
UaEndpoint_1/CertificateStore/OpenSSLStore/IssuersCertificatesLocation=[ConfigPath]/pki/issuers/certs/
UaEndpoint_1/CertificateStore/OpenSSLStore/IssuersRevocationListLocation=[ConfigPath]/pki/issuers/crl/
UaEndpoint_1/CertificateStore/OpenSSLStore/ServerCertificate=[ConfigPath]/pki/own/certs/uaservercpp.der
UaEndpoint_1/CertificateStore/OpenSSLStore/ServerPrivateKey=[ConfigPath]/pki/own/private/uaservercpp.pem
UaEndpoint_1/CertificateStore/GenerateCertificate=true
UaEndpoint_1/CertificateStore/CertificateSettings/Country=DE
UaEndpoint_1/CertificateStore/CertificateSettings/Locality=LocationName
UaEndpoint_1/CertificateStore/CertificateSettings/CommonName=[ServerName]
UaEndpoint_1/CertificateStore/CertificateSettings/Organization=Organization
UaEndpoint_1/CertificateStore/CertificateSettings/OrganizationUnit=Unit
UaEndpoint_1/CertificateStore/CertificateSettings/YearsValidFor=5
UaEndpoint_1/CertificateStore/CertificateSettings/KeyLength=2048
UaEndpoint_1/CertificateStore/CertificateSettings/CertificateType=RsaSha256

The following table gives an overview of the configurable parameters for each Endpoint.

ParameterDescriptionDefault
Url URL of the Endpoint; this URL is used for Discovery and to open the Endpoints in the UA stack if no StackUrl is configured. [NodeName] can be used as placeholder for the computer name.
SerializerType The data type encoding for network transport; currently, only Binary is supported
StackUrl Optional URL that allows to define a specific address the stack should use to bind to, e.g. opc.tcp://192.168.0.15:48011. It can be used to bind the endpoint to a specific network card or to localhost only.
IsVisible Flag indicating if the endpoint is provided in GetEndpoints and is therefore visible to a client. true
IsDiscoveryUrl Flag indicating if the endpoint URL is provided as discovery URL. true
AutomaticallyTrustAllClientCertificates This option can be activated if certificates are only used for message security but not for application authentication. If set to true, all client certificates will be accepted automatically and will not be stored. It is strongly recommended to use this option only together with user authentication. false
CreateSignatureWithChain For calculating the server signature, the server needs to append the client certificate to the client nonce. If the client sends a certificate chain, the server should only use the leaf certificate to calculate the server signature. With this setting, the server uses the complete certificate chain instead. This is not the recommended behavior. Only set this flag to work around interoperability issues with misbehaving clients. false
SecuritySetting Each supported security setting has to be stored in a separate parameter set UaEndpoint_[m]/SecuritySetting_[n]/[parameter]=[value], numbered consecutively (see sample code). The following parameters can be specified:
ParameterDescription
SecurityPolicy Possible values are #None, #Basic128Rsa15 (no longer considered as secure), #Basic256, and #Basic256Sha256 (see sample code above).
MessageSecurityMode The possible values depend on the security policy. Set value to None with security policy #None. When using security policies other than #None, you can choose between Sign and SignAndEncrypt. If you would like to allow Sign as well as SignAndEncrypt, add a separate line and number the message security modes consecutively.
SecurityCheckOverwrites Some of the OPC UA security checks are optional in OPC UA or cause interoperability issues with older OPC UA clients and can be disabled by an administrator of the OPC UA server using the following configuration options. Add a separate line UaEndpoint_[m]/SecurityCheckOverwrites/[parameter]=[value] for each parameter (see sample code).
ParameterDescriptionDefault
DisableErrorCertificateTimeInvalid Flag used to disable the client certificate validation error BadCertificateTimeInvalid. false
DisableErrorCertificateIssuerTimeInvalid Flag used to disable the client certificate validation error BadCertificateIssuerTimeInvalid. false
DisableErrorCertificateRevocationUnknown Flag used to disable the client certificate validation error BadCertificateRevocationUnknown. false
DisableErrorCertificateIssuerRevocationUnknown Flag used to disable the client certificate validation error BadCertificateIssuerRevocationUnknown. false
DisableApplicationUriCheck Flag used to disable the ApplicationUri match check between client certificate and parameter in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a wrong ApplicationUri. false
DisableNonceLengthCheck Flag used to disable the client nonce length check in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a client nonce that is shorter than the required 32 bytes. false
DisableUserTokenPolicyIdCheck Flag used to disable the UserToken PolicyId check in ActivateSession. The check is required for compliant OPC UA servers but older clients may not provide the UserToken PolicyId. false
CertificateStore Certificate store used for PKI certificate handling; different Endpoints can have different stores and different server certificates. This setting is only required if the defaults specified in Default Application Certificate Store should be overwritten. It uses the same parameter set as DefaultApplicationCertificateStore