C++ Based OPC UA Client/Server SDK
1.6.2.402
The Unified Automation C++ Server SDK provides different options for server configuration. See Configuring the SDK with CMake for configuration options at build time.
The figure Options for product specific configuration gives an overview of the SDK classes designed for this purpose.
The SDK provides the following classes:
The class ServerConfig is the interface used by the SDK to access product specific configuration settings.
The class ServerConfigData implements the interface ServerConfig and provides configuration settings through the settings stored in the member variables of the class.
The class ServerConfigXml loads the settings from an XML file and stores them in the members of ServerConfigData.
The class ServerConfigIni loads the settings from an INI file and stores them in the members of ServerConfigData.
These classes offer the following options for integrating product specific configuration settings.
A Product specific XML configuration file is loaded by the helper class ServerConfigXml. For more information, see XML Configuration File. An example for this file is included with the SDK: [Installation Directory]/bin/ServerConfig.xml
A Product specific INI configuration file is loaded by the helper class ServerConfigIni. For more information, see INI Configuration File. An example for this file is included with the SDK: [Installation Directory]/bin/ServerConfig.ini
Either the product configuration holds the configuration information or part of it can be set in code directly. The settings are made on the class ServerConfigBase to be stored in memory. The SDK code can access the configuration via the ServerConfig interface.
An XML based example configuration file can be found in [Installation Directory]/bin.
The element <Trace> stores the trace settings for the OPC UA Stack and OPC UA Application. It contains the following child elements:
Element | Description | Default |
---|---|---|
UaStackTraceEnabled | Enable or disable the UA stack trace; possible values are true or false. | false |
UaStackTraceLevel | The UA stack trace level; possible values are | NONE |
UaAppTraceEnabled | Enable or disable the UA server application trace; possible values are true or false. | false |
UaAppTraceLevel | The UA server application trace level; possible values are | NoTrace |
UaAppTraceMaxEntries | The maximum number of trace entries in one file. | 100000 |
UaAppTraceMaxBackup | The maximum number of backup files. | 5 |
UaAppTraceDisableFlush | If set to true, the trace file is not flushed after each trace entry, but automatically from time to time. For maximum trace performance you should set this option to true. If you have issues with missing trace entries in case of an application crash, you should set this option to false. | true |
UaAppTraceFile | The trace file; [TracePath] can be used as a placeholder for the path to the server application, e.g. [TracePath]/srvTrace.log. | Set by define SERVERCONFIG_SERVERTRACEFILE |
TraceEvents | Setting to allow clients to get the SDK trace outputs for trace levels
See getTraceEventSettings for more details. | History |
This part of the configuration file sets the defaults for the certificate handling. These settings can be overwritten in Endpoint Configuration if a special configuration for a specific endpoint is required.
The configuration per Endpoint is no longer necessary. The default configuration is used if no Endpoint specific configuration is provided.
Please refer to Certificates, Certificate Store and Trust List for more information.
Element | Description | Default |
---|---|---|
MaxTrustListSize | The maximum size of the trust list in bytes. | 0 (unlimited) |
SendCertificateChain | For CA signed certificates, this flag controls whether the server shall send the complete certificate chain instead of just sending the certificate. This affects the GetEndpoints and CreateSession service. | true |
OpenSSLStore | File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path. See Certificates, Certificate Store and Trust List for background information and more details on the different directories. The recommended file directory layout for the store has the following directories and subdirectories: | — |
WindowsStore | [ConfigPath] can be used as placeholder for the configuration path. <WindowsStore> has the following child elements: | — |
ServerCertificate | Application instance certificate for the Server. See the separate table for child elements. |
Element | Description | Default |
---|---|---|
OpenSSLStore | File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path. Certificates have to be stored in DER format (with file extension .der). Revocation lists have to be stored in DER format (with file extension .crl) or in PEM format (with .pem as file extension). The private key is encoded in PEM format (with .pem as file extension). A more detailed explanation of certificate management can be found on the website of the OPC Foundation: The OPC UA Security Model for Administrators (pdf document). <OpenSSLStore> has the following child elements: | — |
WindowsStore | [ConfigPath] can be used as placeholder for the configuration path. <WindowsStore> has the following child elements: | — |
GenerateCertificate | Enable or disable server certificate creation if no certificate is available; possible values: true or false. | true |
CertificateSettings | Settings for a certificate generated by the server; the information is stored in the following child elements: |
This part of the configuration defines the OPC UA communication endpoints for the server and their security configurations.
The configuration information for each Endpoint has to be stored in a separate XML element <UaEndpoint> using the child elements described later on.
The following code gives an example for a completely configured endpoint.
Element | Description | Default |
---|---|---|
SerializerType | The data type encoding for network transport; currently, only Binary is supported. | — |
Url | URL of the Endpoint; this URL is used for Discovery and to open the Endpoints in the UA stack if no StackUrl is configured. [NodeName] can be used as placeholder for the computer name. The following configuration alternatives are available: | — |
StackUrl | Optional URL that defines a specific address the stack should bind to, e.g. opc.tcp://192.168.0.15:48010. It can be used to bind the endpoint to a specific network card or to localhost only. | — |
SecuritySetting | Each supported security setting has to be stored in a separate XML element <SecuritySetting> containing the following child elements: | — |
IsVisible | Flag indicating if the endpoint is provided in GetEndpoints and is therefore visible to a client. | true |
IsDiscoveryUrl | Flag indicating if the endpoint URL is provided as discovery URL. | true |
AutomaticallyTrustAllClientCertificates | This option can be activated if certificates are only used for message security but not for application authentication. If set to true, all client certificates will be accepted automatically and will not be stored. It is strongly recommended to use this option only together with user authentication. | false |
CreateSignatureWithChain | For calculating the server signature, the server needs to append the client certificate to the client nonce. If the client sends a certificate chain, the server should only use the leaf certificate to calculate the server signature. With this setting, the server uses the complete certificate chain instead. This is not the recommended behavior. Only set this flag to work around interoperability issues with misbehaving clients. | false |
SecurityCheckOverwrites | Some of the OPC UA security checks are optional in OPC UA or cause interoperability issues with older OPC UA clients and can be disabled by an administrator of the OPC UA server through the following configuration options (create a separate child element for each check to enable/disable). |
CertificateStore | Certificate store used for PKI certificate handling; different Endpoints can have different stores and different server certificates. This setting is only required if the defaults specified in Default Application Certificate Store should be overwritten. CertificateStore can have the same child elements as DefaultApplicationCertificateStore. |
The OPC UA Reverse Connect functionality can be configured as part of the Endpoint configuration. The clients are configured with a list of URLs in the XML element ReverseConnect as shown in the following example.
All clients that use reverse connect must be configured in this URL list.
Element | Description | Default |
---|---|---|
MaxRequestAge | The maximum age of a request (in milliseconds) the server allows. | 0 (unlimited) |
MaxSessionCount | The maximum number of sessions allowed by the server; 0 is unlimited. | 100 |
MaxSessionsPerClient | The maximum number of sessions the server allows per client; 0 is unlimited. | 0 |
MinSessionTimeout | The minimum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. | 10000 |
MaxSessionTimeout | The maximum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. | 3600000 |
MaxBrowseContinuationPoints | The maximum number of Browse Continuation Points managed by a session. | 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_CP; default value: 10) |
MaxBrowseResults | The maximum number of Browse results for one browse operation. | 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_RESULTS; default value: 1000) |
MaxNodesToBrowse | The maximum number of nodes to browse the server will accept. | 0 (unlimited) |
MaxNodesPerHistoryReadData | The maximum number of nodes accepted by the server for the HistoryRead service for Raw, Modified, Processed, and AtTime. | 0 (unlimited) |
MaxNodesPerHistoryReadEvents | The maximum number of nodes accepted by the server for the HistoryRead service for Events. | 0 (unlimited) |
MaxNodesPerHistoryUpdateData | The maximum number of nodes accepted by the server for the HistoryUpdate service for Data. | 0 (unlimited) |
MaxNodesPerHistoryUpdateEvents | The maximum number of nodes accepted by the server for the HistoryUpdate service for Events. | 0 (unlimited) |
MaxHistoryContinuationPoints | The maximum number of History Continuation Points managed by a session. | 0 (using default settings defined by compiler switch DEFAULT_MAX_HISTORY_READ_CP; default value: 100) |
MinPublishingInterval | The minimum publishing interval (in milliseconds) the server allows. | 50 |
MaxPublishingInterval | The maximum publishing interval (in milliseconds) the server allows. | 0 (no limitation) |
MinKeepAliveInterval | The minimum KeepAlive interval (in milliseconds) the server allows. | 5000 |
MinSubscriptionLifetime | The minimum Subscription lifetime (in milliseconds) the server allows; 0 is no limitation. | 10000 |
MaxSubscriptionLifetime | The maximum Subscription lifetime (in milliseconds) the server allows. | 0 (no limitation) |
MaxRetransmissionQueueSize | The maximum number of messages per Subscription in the republish queue the server allows. This setting affects the maximum number of Publish requests queued by the server for a Session. The resulting setting for the Publish requests is MaxRetransmissionQueueSize/2. | 20 |
MaxNotificationsPerPublish | The maximum number of notifications per Publish the server allows. | 0 (no limitation) |
MaxDataQueueSize | The maximum size of data monitored item queues. | 100 |
MaxEventQueueSize | The maximum size of event monitored item queues. | 1000 |
MaxSubscriptionCount | The maximum number of subscriptions the server allows to create. | 0 (unlimited) |
MaxSubscriptionsPerSession | The maximum number of subscriptions the server allows to create per Session. | 0 (unlimited) |
MaxMonitoredItemCount | The maximum number of monitored items the server allows to create. | 0 (unlimited) |
MaxMonitoredItemPerSubscriptionCount | The maximum number of monitored items per subscription the server allows to create. | 0 (unlimited) |
MaxMonitoredItemPerSessionCount | The maximum number of monitored items per session the server allows to create. | 0 (unlimited) |
MinSupportedSampleRate | The minimum sample interval (in milliseconds) supported by the server. | 0 |
AvailableSamplingRates | The settings for the sampling engine; each sampling rate (in milliseconds) has to be stored in a separate child element, e.g. <SamplingRate>50</SamplingRate>. | 50, 100, 250, 500, 1000, 2000, 5000, 10000 |
AvailableLocaleIds | The settings for the available LocaleIds known to be supported by the server; each LocaleId has to be stored in a separate child element, e.g. <LocaleId>en</LocaleId>. | en |
AvailableServerProfiles | The settings for the available UA profiles known to be supported by the server; each profile has to be stored in a separate child element <ServerProfileUri>. | http://opcfoundation.org/UAProfile/Server/StandardUA |
ServerCapabilities | The settings for the supported server capabilities like DA, HA, AE or HE. Each capability has to be stored in a separate child element <ServerCapability>. | NA |
IsAuditActivated | Flag indicating if audit events are activated; possible values: true or false. | false |
ThreadPoolSettings | The settings for the thread pools used in the server application. A thread pool is a list of worker threads. The minimum size denotes the size of the thread pool at initialization. It grows dynamically until the maximum size is reached. The following child elements can be set: | 4 (for each) |
RejectedCertificatesDirectory | Folder used to store rejected client certificates; e.g. [ConfigPath]/pki/rejected. Administrators can copy files from this folder to the trust list. [ConfigPath] can be used as a placeholder for the path to the server application. | — |
RejectedCertificatesCount | Maximum number of certificates stored in the rejected certificates directory. | 100 |
Element | Description | Default |
---|---|---|
ProductUri | A globally unique identifier for the server product; e.g. urn:UnifiedAutomation:UaServerCpp. | Set by define SERVERCONFIG_PRODUCTURI |
ManufacturerName | A human readable name for manufacturer of the product. | Set by define SERVERCONFIG_MANUFACTURERNAME |
ProductName | A human readable name for the server product. | Set by define SERVERCONFIG_PRODUCTNAME |
SoftwareVersion | A string representing the version of the server product. | Set by define SERVERCONFIG_SOFTWAREVERSION |
BuildNumber | A string representing the build number of the server product. | Set by define SERVERCONFIG_BUILDNUMBER |
These elements provide server instance information defined for the server installation. [NodeName] can be used as a placeholder for the computer name.
Element | Description | Default |
---|---|---|
ServerUri | A globally unique identifier for the server installation; e.g. urn:[NodeName]:UnifiedAutomation:UaServerCpp. | Set by define SERVERCONFIG_SERVERURI |
ServerName | A human readable name for the server installation; e.g. UaServerCpp@[NodeName]. | Set by define SERVERCONFIG_SERVERNAME |
The configuration of supported user identity tokens is stored in the element <UserIdentityTokens>. It contains the following child elements:
Element | Description | Default |
---|---|---|
EnableAnonymous | Enable or disable anonymous log-on; possible values are true or false. | true |
EnableUserPw | Enable or disable user/password log-on; possible values are true or false. | false |
EnableCertificate | Enable or disable certificate based user log-on; possible values are true or false. | false |
SecurityPolicy | The security policy to use when encrypting or signing the UserIdentityToken when it is passed to the server. This security policy is only applied for None Endpoints. For other Endpoints, we use the security policy of the Endpoint. The security policy #Basic128Rsa15 is no longer accepted. | http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 |
DefaultUserCertificateStore | Configuration for file based certificate store to handle user certificates. It has the following child elements: |
RejectedUserCertificatesDirectory | Folder used to store rejected user certificates. | [ConfigPath]/pkiuser/rejected |
RejectedUserCertificatesCount | Maximum number of certificates stored in the rejected directory. | 100 |
The configuration for the registration with discovery server(s) is stored in the element <DiscoveryRegistration>. It contains the following child elements:
Element | Description | Default |
---|---|---|
AutomaticCertificateExchange | Flag indicating if the certificates should be exchanged with the windows certificate store | false |
DiscoveryServerTrustListLocation | Path of the local discovery server trust list. This is where the server copies its certificate to if the file based store of the new LDS is used. | — |
DiscoveryServerStoreName | Store name used for the local discovery server in the windows certificate store. | — |
DiscoveryServerCertificateName | Certificate name of the local discovery server in the windows certificate store. | — |
RegistrationInterval | Interval (in milliseconds) for registration with discovery server(s) | 30000 |
Url | List of discovery servers to register with, typically opc.tcp://localhost:4840 (local discovery server); if the list is empty, no registration is executed. Additional remote discovery servers can be added. | — |
See Redundancy for more information about server redundancy.
This element provides the redundancy settings for the server.
Element | Description | Default |
---|---|---|
RedundancySupport | Possible redundancy support options are None, Cold, Warm, Hot and Transparent (Transparent requires a special module). | None |
ServerUri | The list of server URIs for the servers in the NonTransparent redundant set. Add a separate child element ServerUri for each server. The server itself has to be included in the list (see sample code). | — |
This is required for the redundancy configuration to provide the discovery URLs for the configured ServerUris of the redundant servers in a non-transparent redundancy set. It is possible to define a list of application descriptions as child elements of <AdditionalServerEntries> as shown in the code sample. [NodeName] can be used as a placeholder for the computer name. The server itself must be excluded from the list.
This can also be used to configure other servers on the same system if the server itself is running on Port 4840.
Element | Description |
---|---|
ApplicationUri | A globally unique identifier for the server product. |
ProductUri | A globally unique identifier for the product the server belongs to. |
ApplicationName | A human readable name for the server product. |
ApplicationType | Possible application types are Server and ClientAndServer. |
GatewayServerUri | A URI that identifies the Gateway Server associated with the DiscoveryUrl. |
DiscoveryProfileUri | A URI that identifies the discovery profile supported by the URL. |
DiscoveryUrl | URL for the discovery Endpoint provided by the server. |
This part of the configuration defines the OPC UA Stack serializer settings, which are stored in the element <Serializer>. Set these values carefully, as they are the security constraints for the serializer. The following child elements can be set:
Element | Description | Default |
---|---|---|
MaxAlloc | The largest memory block the serializer may allocate when deserializing a message. | Set by define OPCUA_SERIALIZER_MAXALLOC |
MaxStringLength | The largest string accepted by the serializer. | Set by define OPCUA_ENCODER_MAXSTRINGLENGTH |
MaxByteStringLength | The largest byte string accepted by the serializer. | Set by define OPCUA_ENCODER_MAXBYTESTRINGLENGTH |
MaxArrayLength | Maximum number of elements in an array accepted by the serializer. | Set by define OPCUA_ENCODER_MAXARRAYLENGTH |
MaxMessageSize | The maximum number of bytes per message in total. | Set by define OPCUA_ENCODER_MAXMESSAGELENGTH |
The element <StackThreadPoolSettings>
stores the settings for the thread pool used in the OPC UA Stack. It contains the following child elements:
Element | Description | Default |
---|---|---|
Enabled | Controls whether the secure listener uses a thread pool to dispatch received requests. | false |
MinThreads | The minimum number of threads in the thread pool. | 5 |
MaxThreads | The maximum number of threads in the thread pool. | 5 |
MaxJobs | The length of the queue with jobs waiting for a free thread. | 20 |
BlockOnAdd | If MaxJobs is reached, the add operation can block or return an error. | true |
Timeout | If the add operation blocks on a full job queue, this value sets the maximum waiting time (in milliseconds). 0 is infinite. | infinite |
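The following audit sketch is an added example, not part of the SDK or its documentation. It reads a server XML configuration and reports the security-relevant settings from the endpoint, limits and user identity token tables above, applying the documented default when an element is absent. The sample document, its SampleConfig wrapper element and the severity labels are constructed for this example; elements are matched by name wherever they appear.

```python
import xml.etree.ElementTree as ET

# Defaults documented in the tables above, applied when an element is absent.
DEFAULTS = {
    "EnableAnonymous": "true", "IsAuditActivated": "false",
    "AutomaticallyTrustAllClientCertificates": "false",
    "CreateSignatureWithChain": "false", "MaxTrustListSize": "0",
    "MaxSessionsPerClient": "0", "MaxNodesToBrowse": "0",
    "MaxSubscriptionCount": "0", "MaxMonitoredItemCount": "0",
}
# Limits for which the tables document 0 as "unlimited".
UNLIMITED_WHEN_ZERO = ("MaxTrustListSize", "MaxSessionsPerClient", "MaxNodesToBrowse",
                       "MaxSubscriptionCount", "MaxMonitoredItemCount")
ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}  # severity labels are this example's own
WEAK_POLICY = "#Basic128Rsa15"  # documented above as no longer accepted

# Constructed sample: the SampleConfig wrapper and the flat nesting are hypothetical.
SAMPLE = """<SampleConfig>
  <UaEndpoint>
    <Url>opc.tcp://[NodeName]:48010</Url>
    <AutomaticallyTrustAllClientCertificates>true</AutomaticallyTrustAllClientCertificates>
  </UaEndpoint>
  <UaEndpoint>
    <Url>opc.tcp://[NodeName]:48011</Url>
    <CreateSignatureWithChain>true</CreateSignatureWithChain>
  </UaEndpoint>
  <MaxSessionsPerClient>5</MaxSessionsPerClient>
  <MaxNodesToBrowse>1000</MaxNodesToBrowse>
  <MaxSubscriptionCount>500</MaxSubscriptionCount>
  <MaxMonitoredItemCount>50000</MaxMonitoredItemCount>
  <MaxTrustListSize>0</MaxTrustListSize>
  <IsAuditActivated>true</IsAuditActivated>
  <UserIdentityTokens>
    <EnableUserPw>true</EnableUserPw>
    <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicy>
  </UserIdentityTokens>
</SampleConfig>"""


def local(tag):
    """Strip an XML namespace so elements match by local name."""
    return tag.rsplit("}", 1)[-1]


def find_all(node, name):
    return [e for e in node.iter() if local(e.tag) == name]


def setting(node, name):
    """Text of the first element called `name` under node, else the documented default."""
    hits = find_all(node, name)
    if hits and hits[0].text and hits[0].text.strip():
        return hits[0].text.strip()
    return DEFAULTS.get(name, "")


def is_true(value):
    return value.strip().lower() == "true"


def audit(xml_text):
    """Return (severity, setting, message) findings, most severe first."""
    root = ET.fromstring(xml_text)
    findings = []
    # Scope token settings to <UserIdentityTokens>; an endpoint may carry its own policy element.
    tokens = find_all(root, "UserIdentityTokens")
    token_cfg = tokens[0] if tokens else ET.Element("UserIdentityTokens")
    anonymous = is_true(setting(token_cfg, "EnableAnonymous"))
    if anonymous:
        findings.append(("medium", "EnableAnonymous", "anonymous log-on is enabled"))
    if setting(token_cfg, "SecurityPolicy").endswith(WEAK_POLICY):
        findings.append(("high", "SecurityPolicy",
                         "user token policy Basic128Rsa15 is no longer accepted"))
    for ep in find_all(root, "UaEndpoint"):
        url = setting(ep, "Url") or "(no Url)"
        if is_true(setting(ep, "AutomaticallyTrustAllClientCertificates")):
            if anonymous:
                findings.append(("high", "AutomaticallyTrustAllClientCertificates",
                                 f"{url}: every client certificate is trusted and "
                                 "anonymous log-on is enabled"))
            else:
                findings.append(("medium", "AutomaticallyTrustAllClientCertificates",
                                 f"{url}: certificates give message security only; "
                                 "access rests on user authentication"))
        if is_true(setting(ep, "CreateSignatureWithChain")):
            findings.append(("low", "CreateSignatureWithChain",
                             f"{url}: interoperability workaround, not the recommended behavior"))
    if not is_true(setting(root, "IsAuditActivated")):
        findings.append(("low", "IsAuditActivated", "audit events are not activated"))
    for name in UNLIMITED_WHEN_ZERO:
        if setting(root, name) == "0":
            findings.append(("info", name, "0 means unlimited; set a bound for this deployment"))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE):
        print(f"[{severity}] {name}: {message}")
```
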
An INI based example configuration file can be found in [Installation Directory]/bin.
Parameter | Description | Default |
---|---|---|
ProductUri | A globally unique identifier for the server product | Set by define SERVERCONFIG_PRODUCTURI |
ManufacturerName | A human readable name for manufacturer of the product. | Set by define SERVERCONFIG_MANUFACTURERNAME |
ProductName | A human readable name for the server product. | Set by define SERVERCONFIG_PRODUCTNAME |
SoftwareVersion | A string representing the version of the server product. | Set by define SERVERCONFIG_SOFTWAREVERSION |
BuildNumber | A string representing the build number of the server product. | Set by define SERVERCONFIG_BUILDNUMBER |
These parameters provide server instance information defined for the server installation. [NodeName] can be used as a placeholder for the computer name.
Parameter | Description | Default |
---|---|---|
ServerUri | A globally unique identifier for the server installation. | Set by define SERVERCONFIG_SERVERURI |
ServerName | A human readable name for the server installation. | Set by define SERVERCONFIG_SERVERNAME |
Here, the trace settings for the OPC UA Stack and OPC UA Application are stored. The following parameters can be set:
Parameter | Description | Default |
---|---|---|
UaAppTraceFile | The trace file; [TracePath] can be used as a placeholder for the path to the server application. | Set by define SERVERCONFIG_SERVERTRACEFILE |
UaStackTraceEnabled | Enable or disable the UA stack trace; possible values are true or false. | false |
UaStackTraceLevel | The UA stack trace level; possible values are | NONE |
UaAppTraceEnabled | Enable or disable the UA server application trace; possible values are true or false. | false |
UaAppTraceLevel | The UA server application trace level; possible values are | NoTrace |
UaAppTraceMaxBackup | The maximum number of backup files. | 5 |
UaAppTraceMaxEntries | The maximum number of trace entries in one file. | 100000 |
UaAppTraceDisableFlush | If set to true, the trace file is not flushed after each trace entry, but automatically from time to time. For maximum trace performance you should set this option to true. If you have issues with missing trace entries in case of an application crash, you should set this option to false. | true |
TraceEvents | Setting to allow clients to get the SDK trace outputs for trace levels Errors, Warning and Info via HistoryRead for events and/or Events from the server. Possible values are: | History |
This part of the configuration file sets the defaults for the certificate handling. These settings can be overwritten in Endpoint Configuration if a different configuration for a specific endpoint is required.
The configuration per Endpoint is no longer necessary. The default configuration is used if no Endpoint specific configuration is provided.
Please refer to Certificates, Certificate Store and Trust List for more information.
Parameter | Description | Default |
---|---|---|
MaxTrustListSize | The maximum size of the trust list in bytes. | 0 (unlimited) |
SendCertificateChain | For CA signed certificates, this flag controls whether the server shall send the complete certificate chain instead of just sending the certificate. This affects the GetEndpoints and CreateSession service. | true |
OpenSSLStore | File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path. The recommended file directory layout for the store has the following directories and subdirectories: | — |
WindowsStore | [ConfigPath] can be used as placeholder for the configuration path. The following parameters can be set for WindowsStore: | — |
ServerCertificate | Application instance certificate for the Server. See the separate table for a description. |
Parameter | Description | Default |
---|---|---|
OpenSSLStore | File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path. Certificates have to be stored in DER format (with file extension .der). Revocation lists have to be stored in DER format (with file extension .crl) or in PEM format (with .pem as file extension). The private key is encoded in PEM format (with .pem as file extension). A more detailed explanation of certificate management can be found on the website of the OPC Foundation: The OPC UA Security Model for Administrators (pdf document). The following parameters can be set (see sample code): | — |
WindowsStore | [ConfigPath] can be used as placeholder for the configuration path. The following parameters can be set: | — |
GenerateCertificate | Enable or disable server certificate creation if no certificate is available; possible values: true or false. | true |
CertificateSettings | Settings for a certificate generated by the server; the information is stored in the following parameters (see sample code): |
Parameter | Description | Default |
---|---|---|
MaxRequestAge | The maximum age of a request (in milliseconds) the server allows. | 0 (unlimited) |
MaxSessionCount | The maximum number of sessions allowed by the server; 0 is unlimited. | 100 |
MaxSessionsPerClient | The maximum number of sessions the server allows per client; 0 is unlimited. | 0 |
MinSessionTimeout | The minimum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. | 10000 |
MaxSessionTimeout | The maximum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. | 3600000 |
MaxNodesPerHistoryReadData | The maximum number of nodes accepted by the server for the HistoryRead service for Raw, Modified, Processed, and AtTime. | 0 (unlimited) |
MaxNodesPerHistoryReadEvents | The maximum number of nodes accepted by the server for the HistoryRead service for Events. | 0 (unlimited) |
MaxNodesPerHistoryUpdateData | The maximum number of nodes accepted by the server for the HistoryUpdate service for Data. | 0 (unlimited) |
MaxNodesPerHistoryUpdateEvents | The maximum number of nodes accepted by the server for the HistoryUpdate service for Events. | 0 (unlimited) |
MaxBrowseContinuationPoints | The maximum number of Browse Continuation Points managed by a session. | 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_CP; default value: 10) |
MaxBrowseResults | The maximum number of Browse results for one browse operation. | 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_RESULTS; default value: 1000) |
MaxNodesToBrowse | The maximum number of nodes to browse the server will accept. | 0 (unlimited) |
MaxHistoryContinuationPoints | The maximum number of History Continuation Points managed by a session. | 0 (using default settings defined by compiler switch DEFAULT_MAX_HISTORY_READ_CP; default value: 100) |
MinPublishingInterval | The minimum publishing interval (in milliseconds) the server allows. | 50 |
MaxPublishingInterval | The maximum publishing interval (in milliseconds) the server allows. | 0 (no limitation) |
MinKeepAliveInterval | The minimum KeepAlive interval (in milliseconds) the server allows. | 5000 |
MinSubscriptionLifetime | The minimum Subscription lifetime (in milliseconds) the server allows; 0 is no limitation. | 10000 |
MaxSubscriptionLifetime | The maximum Subscription lifetime (in milliseconds) the server allows. | 0 (no limitation) |
MaxRetransmissionQueueSize | The maximum number of messages per Subscription in the republish queue the server allows. This setting affects the maximum number of Publish requests queued by the server for a Session. The resulting setting for the Publish requests is MaxRetransmissionQueueSize/2. | 20 |
MaxNotificationsPerPublish | The maximum number of notifications per Publish the server allows. | 0 (no limitation) |
MaxDataQueueSize | The maximum size of data monitored item queues. | 100 |
MaxEventQueueSize | The maximum size of event monitored item queues. | 1000 |
MaxSubscriptionCount | The maximum number of subscriptions the server allows to create. | 0 (unlimited) |
MaxSubscriptionsPerSession | The maximum number of subscriptions the server allows to create per Session. | 0 (unlimited) |
MaxMonitoredItemCount | The maximum number of monitored items the server allows to create. | 0 (unlimited) |
MaxMonitoredItemPerSubscriptionCount | The maximum number of monitored items per subscription the server allows to create. | 0 (unlimited) |
MaxMonitoredItemPerSessionCount | The maximum number of monitored items per session the server allows to create. | 0 (unlimited) |
MinSupportedSampleRate | The minimum sample interval supported by the server. | 0 |
AvailableSamplingRates | The settings for the sampling engine; add a line AvailableSamplingRates/SamplingRate_[n]=[sampling rate in milliseconds] for each sampling rate (see sample code). | 50, 100, 250, 500, 1000, 2000, 5000, 10000 |
AvailableLocaleIds | The settings for the available LocaleIds known to be supported by the server; add a line AvailableLocaleIds/LocaleId_[n]=[Locale ID] for each Locale ID (see sample code). | en |
AvailableServerProfiles | The settings for the available UA profiles known to be supported by the server; add a line AvailableServerProfiles/ServerProfileUri_[n]=[Server Profile URI] for each Server Profile URI (see sample code). | http://opcfoundation.org/UAProfile/Server/StandardUA |
ServerCapabilities | The settings for the supported server capabilities like DA, HA, AE or HE. Add a line ServerCapabilities/ServerCapability_[n]=[Capability] for each Server Capability (see sample code). | NA |
IsAuditActivated | Flag indicating if audit events are activated; possible values: true or false. | false |
ThreadPoolSettings | The settings for the thread pools used in the server application; the following parameters can be set (each in a separate line ThreadPoolSettings/[parameter]=[value]): MaxSizeTransactionManager, MinSizeTransactionManager, MaxSizeSubscriptionManager, MinSizeSubscriptionManager (see sample code). | 4 (for each) |
RejectedCertificatesDirectory | Folder used to store rejected client certificates; e.g. [ConfigPath]/pki/rejected. Administrators can copy files from this folder to the trust list. [ConfigPath] can be used as a placeholder for the path to the server application. | — |
RejectedCertificatesCount | Maximum number of certificates stored in the rejected certificates directory. | 100 |
The configuration of supported user identity tokens is stored in the parameter set UserIdentityTokens containing the following parameters:
Parameter | Description | Default |
---|---|---|
EnableAnonymous | Enable or disable anonymous log-on; possible values are true or false. | true |
EnableUserPw | Enable or disable user/password log-on; possible values are true or false. | false |
EnableCertificate | Enable or disable certificate based user log-on; possible values are true or false. | false |
SecurityPolicy | The security policy to use when encrypting or signing the UserIdentityToken when it is passed to the server. This security policy is only applied for None Endpoints. For other Endpoints, we use the security policy of the Endpoint. The security policy #Basic128Rsa15 is no longer accepted. | http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 |
DefaultUserCertificateStore | Configuration for file based certificate store to handle user certificates. The following parameters can be set: | |
RejectedUserCertificatesDirectory | Folder used to store rejected user certificates. | [ConfigPath]/pkiuser/rejected |
RejectedUserCertificatesCount | Maximum number of certificates stored in the rejected directory. | 100 |
This part of the configuration defines the OPC UA Stack serializer settings. Set these values carefully, as they are the security constraints for the serializer. The following parameters can be set:
Parameter | Description | Default |
---|---|---|
MaxAlloc | The largest memory block the serializer can allocate when deserializing a message. | Set by define OPCUA_SERIALIZER_MAXALLOC |
MaxStringLength | The largest string accepted by the serializer. | Set by define OPCUA_ENCODER_MAXSTRINGLENGTH |
MaxByteStringLength | The largest byte string accepted by the serializer. | Set by define OPCUA_ENCODER_MAXBYTESTRINGLENGTH |
MaxArrayLength | Maximum number of elements in an array accepted by the serializer. | Set by define OPCUA_ENCODER_MAXARRAYLENGTH |
MaxMessageSize | The maximum number of bytes per message in total. | Set by define OPCUA_ENCODER_MAXMESSAGELENGTH |
The parameter set StackThreadPoolSettings stores the settings for the thread pool used in the OPC UA Stack. The following parameters can be set:
Parameter | Description | Default |
---|---|---|
Enabled | Controls whether the secure listener uses a thread pool to dispatch received requests. | false |
MaxJobs | The length of the queue with jobs waiting for a free thread. | 20 |
Timeout | If the add operation blocks on a full job queue, this value sets the maximum waiting time (in milliseconds). 0 is infinite. | infinite |
BlockOnAdd | If MaxJobs is reached, the add operation can block or return an error. | true |
MaxThreads | The maximum number of threads in the thread pool. | 5 |
MinThreads | The minimum number of threads in the thread pool. | 5 |
The configuration for the registration with discovery server(s) is stored in the parameter set DiscoveryRegistration containing the following parameters:
Parameter | Description | Default |
---|---|---|
AutomaticCertificateExchange | Flag indicating if the certificates should be exchanged with the Windows certificate store. | false |
DiscoveryServerTrustListLocation | Path of the local discovery server trust list. This is where the server copies its certificate to if the file based store of the new LDS is used. | — |
DiscoveryServerStoreName | Store name used for the local discovery server in the Windows certificate store. | — |
DiscoveryServerCertificateName | Certificate name of the local discovery server in the Windows certificate store. | — |
RegistrationInterval | Interval (in milliseconds) for registration with discovery server(s). | 30000 |
Url | List of discovery servers to register with, typically opc.tcp://localhost:4840 (local discovery server); if the list is empty, no registration is executed. To add additional remote discovery servers, add each in a separate line, consecutively numbered (DiscoveryRegistration/Url_[n]=[Server Url]). | — |
See Redundancy for more information about server redundancy.
This parameter set provides the redundancy settings for the server.
Parameter | Description | Default |
---|---|---|
RedundancySupport | Possible redundancy support options are None, Cold, Warm, Hot and Transparent (Transparent requires a special module). | None |
ServerUri | The list of server URIs for the servers in the NonTransparent redundant set. Add a separate line in the form RedundancySettings/ServerUri_[n]=[ServerUri] for each server. The server itself has to be included in the list (see sample code). | — |
This is required for the redundancy configuration to provide the discovery URLs for the configured ServerUris of the redundant servers in a non-transparent redundancy set. It is possible to define a list of application descriptions numbered consecutively as shown in the code sample. [NodeName] can be used as a placeholder for the computer name. The server itself must be excluded from the list.
This can also be used to configure other servers on the same system if the server itself is running on port 4840.
Parameter | Description |
---|---|
ApplicationUri | A globally unique identifier for the server product. |
ProductUri | A globally unique identifier for the product the server belongs to. |
ApplicationName | A human readable name for the server product. |
ApplicationType | Possible application types are Server and ClientAndServer. |
GatewayServerUri | A URI that identifies the Gateway Server associated with the DiscoveryUrl. |
DiscoveryProfileUri | A URI that identifies the discovery profile supported by the URL. |
DiscoveryUrl | URL for the discovery Endpoint provided by the server. |
The following code gives an example for a parameter set resulting in a completely configured endpoint. Use consecutively numbered parameter sets UaEndpoint_[n] for additional Endpoints.
The following table gives an overview of the configurable parameters for each Endpoint.
Parameter | Description | Default |
---|---|---|
Url | URL of the Endpoint; this URL is used for Discovery and to open the Endpoints in the UA stack if no StackUrl is configured. [NodeName] can be used as placeholder for the computer name. | — |
SerializerType | The data type encoding for network transport; currently, only Binary is supported. | — |
StackUrl | Optional URL that defines a specific address the stack should bind to, e.g. opc.tcp://192.168.0.15:48011. It can be used to bind the endpoint to a specific network card or to localhost only. | — |
IsVisible | Flag indicating if the endpoint is provided in GetEndpoints and is therefore visible to a client. | true |
IsDiscoveryUrl | Flag indicating if the endpoint URL is provided as discovery URL. | true |
AutomaticallyTrustAllClientCertificates | This option can be activated if certificates are only used for message security but not for application authentication. If set to true, all client certificates will be accepted automatically and will not be stored. It is strongly recommended to use this option only together with user authentication. | false |
CreateSignatureWithChain | For calculating the server signature, the server needs to append the client certificate to the client nonce. If the client sends a certificate chain, the server should only use the leaf certificate to calculate the server signature. With this setting, the server uses the complete certificate chain instead. This is not the recommended behavior. Only set this flag to work around interoperability issues with misbehaving clients. | false |
SecuritySetting | Each supported security setting has to be stored in a separate parameter set UaEndpoint_[m]/SecuritySetting_[n]/[parameter]=[value], numbered consecutively (see sample code). The following parameters can be specified: | — |
SecurityCheckOverwrites | Some of the OPC UA security checks are optional in OPC UA or cause interoperability issues with older OPC UA clients and can be disabled by an administrator of the OPC UA server using the following configuration options. Add a separate line UaEndpoint_[m]/SecurityCheckOverwrites/[parameter]=[value] for each parameter (see sample code). | |
CertificateStore | Certificate store used for PKI certificate handling; different Endpoints can have different stores and different server certificates. This setting is only required if the defaults specified in Default Application Certificate Store should be overwritten. It uses the same parameter set as DefaultApplicationCertificateStore. | |
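The tables above leave several permissive defaults in place (anonymous log-on, audit events off, unlimited subscription and monitored item counts) and tie AutomaticallyTrustAllClientCertificates to user authentication. The following Python check is an added example, not part of the SDK or its sample code; it reviews an INI file for those combinations and assumes that every key follows the `[parameter set]/[parameter]=[value]` pattern described on this page. The function names and the sample input are constructed for illustration.

```python
import re

# Key paths assume the page's [parameter set]/[parameter]=[value] pattern; defaults are from its tables.
DEFAULTS = {"UserIdentityTokens/EnableAnonymous": "true",
            "UserIdentityTokens/EnableUserPw": "false",
            "UserIdentityTokens/EnableCertificate": "false",
            "IsAuditActivated": "false"}
ZERO_MEANS_UNLIMITED = ("MaxSubscriptionCount", "MaxSubscriptionsPerSession",
                        "MaxMonitoredItemCount")

def parse_ini(text):
    """Collect key=value lines; section headers and comment lines are skipped."""
    pairs = (line.strip().split("=", 1) for line in text.splitlines()
             if "=" in line and line.strip()[0] not in "#;[")
    return {key.strip(): value.strip() for key, value in pairs}

def audit(text):
    """Return findings for permissive defaults and options the page advises against."""
    cfg = {**DEFAULTS, **parse_ini(text)}
    on = lambda key: cfg.get(key, "false").lower() == "true"
    anonymous = on("UserIdentityTokens/EnableAnonymous")
    user_auth = on("UserIdentityTokens/EnableUserPw") or on("UserIdentityTokens/EnableCertificate")
    findings = []
    if anonymous:
        findings.append("anonymous log-on is enabled")
    if not on("IsAuditActivated"):
        findings.append("audit events are not activated")
    for key in sorted(cfg):
        m = re.fullmatch(r"(UaEndpoint_\d+)/(\w+)", key)
        if not (m and on(key)):
            continue
        endpoint, param = m.groups()
        # Recommended only together with user authentication.
        if param == "AutomaticallyTrustAllClientCertificates" and (anonymous or not user_auth):
            findings.append(f"{endpoint}: trusts all client certificates without enforced user log-on")
        if param == "CreateSignatureWithChain":
            findings.append(f"{endpoint}: CreateSignatureWithChain set (interoperability workaround)")
    findings += [f"{k} is unlimited" for k in ZERO_MEANS_UNLIMITED if cfg.get(k, "0") == "0"]
    return findings

# Constructed sample input, not the SDK's ServerConfig.ini.
WEAK = """UaEndpoint_0/Url=opc.tcp://[NodeName]:48011
UaEndpoint_0/AutomaticallyTrustAllClientCertificates=true
UaEndpoint_1/CreateSignatureWithChain=true
MaxSubscriptionCount=50"""

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

A configuration that disables anonymous log-on, enables user/password or certificate log-on, activates audit events and sets non-zero limits produces no findings, even with AutomaticallyTrustAllClientCertificates set on an endpoint.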