C++ Based OPC UA Client/Server/PubSub SDK  1.8.3.628
Server Configuration

ServerConfig Interface

The Unified Automation C++ Server SDK provides different options for server configuration. See Configuring the SDK with CMake for configuration options at build time.

The figure Options for product specific configuration gives an overview of the SDK classes designed for this purpose.

The SDK provides the following classes:

ServerConfig

The class ServerConfig is the interface used by the SDK to access product specific configuration settings.

ServerConfigData

The class ServerConfigData implements the interface ServerConfig and provides configuration settings through the settings stored in the member variables of the class.

ServerConfigXml

The class ServerConfigXml loads the settings from an XML file and stores them in the members of ServerConfigData.

ServerConfigIni

The class ServerConfigIni loads the settings from an INI file and stores them in the members of ServerConfigData.

ServerConfigBase

The class ServerConfigBase provides a way to fill the settings that are stored in members of ServerConfigBase without any file access.

These classes offer the following options for integrating product specific configuration settings.

Option 1

A product specific XML configuration file is loaded by the helper class ServerConfigXml. For more information, see XML Configuration File. An example for this file is included with the SDK: [Installation Directory]/bin/ServerConfig.xml

Option 2

A product specific INI configuration file is loaded by the helper class ServerConfigIni. For more information, see INI Configuration File. An example for this file is included with the SDK: [Installation Directory]/bin/ServerConfig.ini

Option 3

The whole product configuration, or part of it, can be set directly in code. The settings are made on the class ServerConfigBase and stored in memory; the SDK code accesses the configuration via the ServerConfig interface.

Option 4

A product specific implementation of the ServerConfig interface accesses a product specific configuration database on every access to the interface ServerConfig.

Figure: Options for Server Configuration

XML Configuration File

An XML based example configuration file can be found in [Installation Directory]/bin.

Trace

The element <Trace> stores the trace settings for the OPC UA Stack and OPC UA Application. It contains the following child elements:

UaStackTraceEnabled
    Enable or disable the UA stack trace; possible values are true or false.
    Default: false

UaStackTraceLevel
    The UA stack trace level; possible values are:
      • NONE: No Trace
      • ERROR: Critical errors, which require attention, i.e. unexpected errors and/or errors requiring external actions
      • WARNING: Non-critical faults, which should not go unnoticed but are handled internally
      • SYSTEM: Rare major events (good cases) like initializations, shutdown, etc.
      • INFO: Regular good case events, like connects, renews
      • DEBUG: Used for debugging purposes
      • CONTENT: Used to add additional content (i.e. whole message bodies) to debug traces
      • ALL: All outputs
    Default: NONE

UaAppTraceEnabled
    Enable or disable the UA server application trace; possible values are true or false.
    Default: false

UaAppTraceLevel
    The UA server application trace level; possible values are:
      • NoTrace: No Trace
      • Errors: Unexpected errors
      • Warning: Unexpected behaviour that is not an error
      • Info: Information about important activities, like connection establishment
      • InterfaceCall: Calls to module interfaces
      • CtorDtor: Creation and destruction of objects
      • ProgramFlow: Internal program flow
      • Data: Data
    Default: NoTrace

PubSubStackTraceEnabled
    Enable or disable the PubSub stack trace; possible values are true or false. The trace level for PubSub is derived from the UaAppTraceLevel setting.
    Default: false

UaAppTraceMaxEntries
    The maximum number of trace entries in one file.
    Default: 100000

UaAppTraceMaxBackup
    The maximum number of backup files.
    Default: 5

UaAppTraceDisableFlush
    If set to true, the trace file is not flushed after each trace entry but automatically from time to time. For maximum trace performance, set this option to true. If trace entries are missing after an application crash, set this option to false.
    Default: true

UaAppTraceFile
    The trace file; [TracePath] can be used as a placeholder for the path to the server application, e.g. [TracePath]/srvTrace.log.
    Default: set by define SERVERCONFIG_SERVERTRACEFILE

TraceEvents
    Setting to allow clients to get the SDK trace outputs for trace levels Errors, Warning and Info via HistoryRead for events and/or Events from the server. Possible values are:
      • Disabled
      • History
      • HistoryAndEvents
    See getTraceEventSettings for more details.
    Default: History

RoleConfiguration

The element <RoleConfigXml> stores the RoleConfiguration settings for the OPC UA Application. It contains the following child elements:

<RoleConfiguration>
  <!--Enable SDK to load and persist the roles; true/false-->
  <Enabled>true</Enabled>
  <!--Location of the RoleConfiguration file-->
  <ConfigFileLocation>[ConfigPath]/RoleConfiguration.xml</ConfigFileLocation>
</RoleConfiguration>

Enabled
    Enable SDK to load and persist the roles; possible values are true or false.
    Default: true

ConfigFileLocation
    Location of the RoleConfiguration file. [ConfigPath] can be used as placeholder for the configuration path. See Role Configuration XML and Role Configuration INI for a description of the two possible Role file formats.

Default Application Certificate Store

This part of the configuration file sets the defaults for the certificate handling. These settings can be overwritten in Endpoint Configuration if a special configuration for a specific endpoint is required.

The configuration per Endpoint is no longer necessary. The default configuration is used if no Endpoint specific configuration is provided.

Please refer to Certificates, Certificate Store and Trust List for more information.

<DefaultApplicationCertificateStore>
  <MaxTrustListSize>0</MaxTrustListSize>
  <SendCertificateChain>true</SendCertificateChain>
  <DisablePrivateKeyPush>false</DisablePrivateKeyPush>
  <OpenSSLStore>
    <CertificateTrustListLocation>[ConfigPath]/pkiserver/trusted/certs/</CertificateTrustListLocation>
    <CertificateRevocationListLocation>[ConfigPath]/pkiserver/trusted/crl/</CertificateRevocationListLocation>
    <IssuersCertificatesLocation>[ConfigPath]/pkiserver/issuers/certs/</IssuersCertificatesLocation>
    <IssuersRevocationListLocation>[ConfigPath]/pkiserver/issuers/crl/</IssuersRevocationListLocation>
  </OpenSSLStore>
  <ServerCertificate>
    <OpenSSLStore>
      <ServerCertificate>[ConfigPath]/pkiserver/own/certs/uaservercpp.der</ServerCertificate>
      <ServerPrivateKey>[ConfigPath]/pkiserver/own/private/uaservercpp.pem</ServerPrivateKey>
    </OpenSSLStore>
    <GenerateCertificate>true</GenerateCertificate>
    <CertificateSettings>
      <CommonName>[ServerName]</CommonName>
      <DomainComponent>[NodeName]</DomainComponent>
      <Organization>Organization</Organization>
      <OrganizationUnit>Unit</OrganizationUnit>
      <Locality>LocationName</Locality>
      <State></State>
      <Country>DE</Country>
      <YearsValidFor>5</YearsValidFor>
      <KeyLength>2048</KeyLength>
      <CertificateType>RsaSha256</CertificateType>
      <IPAddress>2a00:1158:400:407:0:0:0:1b2</IPAddress>
      <IPAddress>213.95.4.190</IPAddress>
      <DNSName>demo.unifiedautomation.com</DNSName>
      <DNSName>[NodeName]</DNSName>
    </CertificateSettings>
  </ServerCertificate>
</DefaultApplicationCertificateStore>
MaxTrustListSize
    The maximum size of the trust list in bytes.
    Default: 0 (unlimited)

SendCertificateChain
    For CA signed certificates, this flag controls whether the server shall send the complete certificate chain instead of just the certificate. This affects the GetEndpoints and CreateSession services.
    Default: true

DisablePrivateKeyPush
    For GDS Push, this flag controls whether UpdateCertificate allows the GDS to set private keys.
    Default: false

OpenSSLStore
    File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path. <OpenSSLStore> has the following child elements:
      • CertificateTrustListLocation: The folder where certificates of trusted applications and trusted CAs should be stored. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet.
      • CertificateRevocationListLocation: The folder where revocation lists for trusted CAs should be stored. Each CA certificate in the CertificateTrustListLocation requires one and only one CRL file in this folder.
      • IssuersCertificatesLocation: The folder where issuer certificates are stored. Issuer certificates are CA certificates necessary for the verification of the full trust chain of CA certificates in the trust list. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet.
      • IssuersRevocationListLocation: The folder where revocation lists for issuer CAs should be stored. Each CA certificate in the IssuersCertificatesLocation requires one and only one CRL file in this folder.
    See Certificates, Certificate Store and Trust List for background information and more details on the different directories.
    The recommended file directory layout for the store has the following directories and subdirectories:
      • own (see element ServerCertificate in the separate table)
        • certs: ServerCertificate
        • private: ServerPrivateKey
      • trusted
        • certs: CertificateTrustListLocation
        • crl: CertificateRevocationListLocation
      • issuers
        • certs: IssuersCertificatesLocation
        • crl: IssuersRevocationListLocation

WindowsStore
    [ConfigPath] can be used as placeholder for the configuration path. <WindowsStore> has the following child elements:
      • StoreLocation: Location of the store; valid values are LocalMachine and CurrentUser
      • StoreName: Name of the certificate store on the local computer
      • ServerCertificateThumbprint: Thumbprint of the server certificate used to load it from the store

ServerCertificate
    Application instance certificate for the Server. See the separate table for child elements.

Element ServerCertificate

OpenSSLStore
    File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path. Certificates have to be stored in DER format (with file extension .der). Revocation lists have to be stored in DER format (with file extension .crl) or in PEM format (with .pem as file extension). The private key is encoded in PEM format (with .pem as file extension). A more detailed explanation of certificate management can be found on the website of the OPC Foundation: The OPC UA Security Model for Administrators (pdf document). <OpenSSLStore> has the following child elements:
      • ServerCertificate: The file containing the server certificate.
      • ServerPrivateKey: The file containing the server private key.

WindowsStore
    [ConfigPath] can be used as placeholder for the configuration path. <WindowsStore> has the following child elements:
      • StoreLocation: Location of the store; valid values are LocalMachine and CurrentUser
      • StoreName: Name of the certificate store on the local computer
      • ServerCertificateThumbprint: Thumbprint of the server certificate used to load it from the store

GenerateCertificate
    Enable or disable server certificate creation if no certificate is available; possible values are true or false.
    Default: true

CertificateSettings
    Settings for a certificate generated by the server; the information is stored in the following child elements:

    CommonName
        Name of the application; [ServerName] can be used as a placeholder for the configured server name (see Server Instance Information).
        Default: [ServerName]

    DomainComponent
        DomainComponent as defined in RFC 2247. [NodeName] can be used as a placeholder for the hostname of the machine.
        Default: [NodeName]

    Organization
        Name of the organization using the OPC UA server.

    OrganizationUnit
        Name of the organization unit using the OPC UA server.

    Locality
        Name of the location where the OPC UA server is running.

    State
        State where the OPC UA server is running.

    Country
        Two letter code for the country where the OPC UA server is running, e.g. DE or US.

    YearsValidFor
        The number of years the certificate is valid for; the maximum accepted number is 20, but it is strongly recommended to use a shorter time interval.
        Default: 5

    KeyLength
        Key length (in bits) of the certificate to create; valid values are 1024 and 2048 for RsaMin, and 2048, 3072 and 4096 for RsaSha256.
        Default: 2048

    CertificateType
        Defines the algorithm used to sign the certificate. Valid values are RsaMin and RsaSha256. Applications that support the Basic128Rsa15 and Basic256 profiles need a certificate of type RsaMin. Applications that support the Basic256Sha256 profile need a certificate of type RsaSha256. In this version of the SDK it is not possible to support multiple certificates for one Endpoint, thus it is not possible to support the RsaMin and the RsaSha256 profile at the same time. It is strongly recommended to use RsaSha256: Basic128Rsa15 and Basic256 are deprecated, and they also accept RsaSha256 certificates.
        Default: RsaSha256

    IPAddress, DNSName
        An application instance certificate needs to provide one or more DNSNames and/or IPAddresses at which the Endpoint can be reached. This information is added to the SubjectAlternativeName of the certificate. [NodeName] can be used as a placeholder for the hostname of the machine.
        Default: [NodeName] (DNSName)

Endpoint Configuration

This part of the configuration defines the OPC UA communication endpoints for the server and their security configurations.

List of Configured Endpoints

The configuration information for each Endpoint has to be stored in a separate XML element <UaEndpoint> using the child elements described below.

The following code gives an example for a completely configured endpoint.

<UaEndpoint>
  <SerializerType>Binary</SerializerType>
  <Url>opc.tcp://[NodeName]:48010</Url>
  <SecuritySetting>
    <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicy>
    <MessageSecurityMode>None</MessageSecurityMode>
  </SecuritySetting>
  <SecuritySetting>
    <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicy>
    <MessageSecurityMode>Sign</MessageSecurityMode>
    <MessageSecurityMode>SignAndEncrypt</MessageSecurityMode>
  </SecuritySetting>
  <SecuritySetting>
    <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep</SecurityPolicy>
    <MessageSecurityMode>Sign</MessageSecurityMode>
    <MessageSecurityMode>SignAndEncrypt</MessageSecurityMode>
  </SecuritySetting>
  <SecuritySetting>
    <SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss</SecurityPolicy>
    <MessageSecurityMode>Sign</MessageSecurityMode>
    <MessageSecurityMode>SignAndEncrypt</MessageSecurityMode>
  </SecuritySetting>
  <IsVisible>true</IsVisible>
  <IsDiscoveryUrl>true</IsDiscoveryUrl>
  <ReturnOnlyOnEndpointUrlMatch>false</ReturnOnlyOnEndpointUrlMatch>
  <AutomaticallyTrustAllClientCertificates>false</AutomaticallyTrustAllClientCertificates>
  <SecurityCheckOverwrites>
    <DisableErrorCertificateTimeInvalid>false</DisableErrorCertificateTimeInvalid>
    <DisableErrorCertificateIssuerTimeInvalid>false</DisableErrorCertificateIssuerTimeInvalid>
    <DisableErrorCertificateRevocationUnknown>false</DisableErrorCertificateRevocationUnknown>
    <DisableErrorCertificateIssuerRevocationUnknown>false</DisableErrorCertificateIssuerRevocationUnknown>
    <DisableErrorCertificateKeyTooShort>false</DisableErrorCertificateKeyTooShort>
    <DisableErrorCertificateKeyTooLong>false</DisableErrorCertificateKeyTooLong>
    <DisableApplicationUriCheck>false</DisableApplicationUriCheck>
    <DisableNonceLengthCheck>false</DisableNonceLengthCheck>
    <DisableUserTokenPolicyIdCheck>false</DisableUserTokenPolicyIdCheck>
    <DisableCertificateSignatureAlgorithmCheck>true</DisableCertificateSignatureAlgorithmCheck>
    <DisableCertificateUsageCheck>false</DisableCertificateUsageCheck>
  </SecurityCheckOverwrites>
</UaEndpoint>

Endpoint Configuration Options

SerializerType
    The data type encoding for network transport; currently, only Binary is supported.

Url
    URL of the Endpoint; this URL is used for Discovery and to open the Endpoints in the UA stack if no StackUrl is configured. [NodeName] can be used as placeholder for the computer name. The following configuration alternatives are available:
      • opc.tcp://[NodeName]:48010: for this URL, the SDK replaces [NodeName] with the host name. The stack binds to all IP addresses (on all network interfaces) of the host. If the host has a dual protocol enabled TCP/IP stack, this includes all network protocol families. If this functionality is not available, the configured preferred protocol (IPv4 or IPv6; part of the stack configuration) is used and the endpoint will only be reachable on network interfaces supporting this protocol type. The host name is returned in the discovery URL.
      • opc.tcp://MyComputer:48010: for this URL, the stack binds to all IP addresses (on all network interfaces) of the host. If the host has a dual protocol enabled TCP/IP stack, this includes all network protocol families. If this functionality is not available, the configured preferred protocol (IPv4 or IPv6; part of the stack configuration) is used and the endpoint will only be reachable on network interfaces supporting this protocol type. The URL with the host name is returned to clients during discovery.
      • opc.tcp://192.168.0.15:48010: for this URL, the stack binds just to the IPv4 address and the URL with the IP address is returned to clients during discovery.
      • opc.tcp://[fe80::20ec:3acb:55d9:a3da]:48010: for this URL, the stack binds just to the IPv6 address and the URL with the IP address is returned to clients during discovery.

StackUrl
    Optional URL that allows defining a specific address the stack should bind to, e.g. opc.tcp://192.168.0.15:48010. It can be used to bind the endpoint to a specific network card or to localhost only.

SecuritySetting
    Each supported security setting has to be stored in a separate XML element <SecuritySetting> containing the following child elements:
      • SecurityPolicy: Possible values are #None, #Basic256Sha256, #Aes128_Sha256_RsaOaep, and #Aes256_Sha256_RsaPss (see sample code above). The possible values #Basic128Rsa15 and #Basic256 are no longer considered secure. An administrator should be involved to enable them for backward compatibility.
      • MessageSecurityMode: The possible values depend on the security policy. Set the value to None with security policy #None. When using security policies other than #None, you can choose between Sign and SignAndEncrypt. It is possible to allow Sign as well as SignAndEncrypt by adding two MessageSecurityMode elements (see sample code above).

IsVisible
    Flag indicating if the endpoint is provided in GetEndpoints and is therefore visible to a client.
    Default: true

IsDiscoveryUrl
    Flag indicating if the endpoint URL is provided as discovery URL.
    Default: true

ReturnOnlyOnEndpointUrlMatch
    If this flag is set to true, the endpoint is only included in FindServers and GetEndpoints responses if the client is using the EndpointUrl of this endpoint for the request.
    Default: false

AutomaticallyTrustAllClientCertificates
    This option can be activated if certificates are only used for message security but not for application authentication. If set to true, all client certificates will be accepted automatically and will not be stored. It is strongly recommended to use this option only together with user authentication.
    Default: false

CreateSignatureWithChain
    For calculating the server signature, the server needs to append the client certificate to the client nonce. If the client sends a certificate chain, the server should only use the leaf certificate to calculate the server signature. With this setting, the server uses the complete certificate chain instead. This is not the recommended behavior. Only set this flag to work around interoperability issues with misbehaving clients.
    Default: false

SecurityCheckOverwrites
    Some of the OPC UA security checks are optional in OPC UA or cause interoperability issues with older OPC UA clients. They can be disabled by an administrator of the OPC UA server through the following configuration options (create a separate child element for each check to enable/disable). The default for every flag is false.
      • DisableErrorCertificateTimeInvalid: Flag used to disable the client certificate validation error BadCertificateTimeInvalid.
      • DisableErrorCertificateIssuerTimeInvalid: Flag used to disable the client certificate validation error BadCertificateIssuerTimeInvalid.
      • DisableErrorCertificateRevocationUnknown: Flag used to disable the client certificate validation error BadCertificateRevocationUnknown.
      • DisableErrorCertificateIssuerRevocationUnknown: Flag used to disable the client certificate validation error BadCertificateIssuerRevocationUnknown.
      • DisableErrorCertificateKeyTooShort: Flag used to disable the client certificate validation error BadCryptoKeyTooShort. This is a security relevant check and should never be disabled except for a temporary workaround if absolutely necessary.
      • DisableErrorCertificateKeyTooLong: Flag used to disable the client certificate validation error BadCryptoKeyTooLong. A key longer than defined by the security policy is not a security problem but against the standard.
      • DisableApplicationUriCheck: Flag used to disable the ApplicationUri match check between client certificate and parameter in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a wrong ApplicationUri.
      • DisableNonceLengthCheck: Flag used to disable the client nonce length check in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a client nonce that is shorter than the required 32 bytes.
      • DisableUserTokenPolicyIdCheck: Flag used to disable the UserToken PolicyId check in ActivateSession. The check is required for compliant OPC UA servers but older clients may not provide the UserToken PolicyId.
      • DisableCertificateSignatureAlgorithmCheck: Flag used to disable the client certificate validation error BadSignatureAlgorithmNotAllowed. This is a security relevant check and should never be disabled except for a temporary workaround if absolutely necessary.
      • DisableCertificateUsageCheck: Flag used to disable the client certificate validation error BadCertificateUseNotAllowed. These checks include checking the SubjectAlternativeName, the KeyUsage and the ExtendedKeyUsage of the certificate. These are security relevant checks and should not be disabled except for a temporary workaround if absolutely necessary.

CertificateStore
    Certificate store used for PKI certificate handling; different Endpoints can have different stores and different server certificates. This setting is only required if the defaults specified in Default Application Certificate Store should be overwritten. CertificateStore can have the same child elements as DefaultApplicationCertificateStore.

Reverse Connect Configuration

The OPC UA Reverse Connect functionality can be configured as part of the Endpoint configuration. The clients to connect to are configured as a list of URLs in the XML element <ReverseConnect>, as shown in the following example.

All clients that use reverse connect must be configured in this URL list.

<UaEndpoint>
  <!-- Other endpoint configuration options -->
  <ReverseConnect>
    <Url>opc.tcp://client1:48060</Url>
    <Url>opc.tcp://client2:48060</Url>
  </ReverseConnect>
</UaEndpoint>

Alternative Endpoint URL Configuration

OPC UA clients may connect to a server through a proxy, NAT or port multiplexer. In this case the endpoint URL the client uses to connect to the server may differ from the directly accessible endpoint URL configured by the server. This directly accessible endpoint URL is configured through the <Url> element of the endpoint configuration.

OPC UA defines the handling of such scenarios by passing in the Endpoint URL used by the client in the services GetEndpoints and CreateSession. These services return the list of endpoints provided by the server.

A server can detect that an alternative URL is used and can return the matching URL to the client in response to GetEndpoints and CreateSession.

The allowed alternative URLs must be configured in the endpoint with the option shown in the following example.

If an alternative URL contains a host name or IP address that differs from the host name or IP address of the default URL, these host names or IP addresses must be added to the corresponding list in the certificate. The related certificate creation settings (IPAddress or DNSName) can be found in Default Application Certificate Store, element ServerCertificate > CertificateSettings.

<UaEndpoint>
  <!-- Other endpoint configuration options -->
  <AlternativeEndpointUrls>
    <Url>opc.tcp://PC1:48011/Server1</Url>
    <Url>opc.tcp://PC2:48011/Server1</Url>
  </AlternativeEndpointUrls>
</UaEndpoint>

Provisioning Mode

If the server is in the Provisioning mode, it accepts all client certificates as long as the trust list is empty.

The element <ProvisioningModeSettings> stores the provisioning mode settings for the OPC UA Server. It contains the following child elements:

IsActive
    If this flag is set to true and the trust list is empty, the server accepts all certificates. If there are certificates in the trust list, the server only accepts trusted certificates.
    Default: false

DeactivateAfterInitialConfiguration
    If this flag is true, the IsActive flag is set to false as soon as the first certificates are added to the trust list, and Provisioning mode is not activated again if the trust list becomes empty. If this flag is false, the IsActive flag is not changed and the server goes back to Provisioning mode as soon as the trust list is empty.
    Default: true

<ProvisioningModeSettings>
  <IsActive>false</IsActive>
  <DeactivateAfterInitialConfiguration>true</DeactivateAfterInitialConfiguration>
</ProvisioningModeSettings>

Server Settings

Element Description Default
MaxRequestAge The maximum age of a request (in milliseconds) the server allows. 0 (unlimited)
MaxSessionCount Maximum number of sessions the server allows to create, 0 means unlimited. 100
MaxSessionsPerClient The maximum number of sessions the server allows per client, 0 means unlimited. 0
MinSessionTimeout Minimum time-out in ms for a sessions the server allows to set. Can't be less than 5000. 10000
MaxSessionTimeout Maximum time-out in ms for a sessions the server allows to set, 0 means unlimited. 3600000
MaxBrowseContinuationPoints The maximum number of Browse Continuation Points managed by a session. 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_CP;
default value: 10)
MaxBrowseResults The maximum number of Browse results for one browse operation. 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_RESULTS;
default value: 1000)
MaxNodesPerRead The maximum number of nodes per read the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerWrite The maximum number of nodes per write the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerBrowse The maximum number of nodes to browse the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerTranslateBrowsePathsToNodeIds The maximum number of nodes to use in a TranslateBrowsePathsToNodeIds service request. 0 (Serializer.MaxArrayLength)
MaxMonitoredItemsPerCall The maximum number of monitored items per call the server allows to create, modify or delete. 0 (Serializer.MaxArrayLength)
MaxNodesPerMethodCall The maximum number of methods per method call the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerHistoryReadData The maximum number of nodes accepted by the server for the HistoryRead service for Raw, Modified, Processed, and AtTime. 0 (Serializer.MaxArrayLength)
MaxNodesPerHistoryReadEvents The maximum number of nodes accepted by the server for the HistoryRead service for Events. 0 (Serializer.MaxArrayLength)
MaxNodesPerHistoryUpdateData The maximum number of nodes accepted by the server for the HistoryUpdate service for Data. 0 (Serializer.MaxArrayLength)
MaxNodesPerHistoryUpdateEvents The maximum number of nodes accepted by the server for the HistoryUpdate service for Events. 0 (Serializer.MaxArrayLength)
MaxNodesPerRegisterNodes The maximum number of nodes per register or unregister nodes the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerNodeManagement The maximum number of nodes or references per NodeManagement service the server will accept. 0 (Serializer.MaxArrayLength)
MaxHistoryContinuationPoints The maximum number of History Continuation Points managed by a session. 0 (using default settings defined by compiler switch DEFAULT_MAX_HISTORY_READ_CP;
default value: 100)
MinPublishingInterval The minimum publishing interval (in milliseconds) the server allows. 50
MaxPublishingInterval The maximum publishing interval (in milliseconds) the server allows. 0 (no limitation)
MinKeepAliveInterval The minimum KeepAlive interval (in milliseconds) the server allows. 5000
MinSubscriptionLifetime The minimum Subscription lifetime (in milliseconds) the server allows; 0 is no limitation. 10000
MaxSubscriptionLifetime Maximum Subscription lifetime (in milliseconds) the server allows, 0 means unlimited.td> 3600000
MaxRetransmissionQueueSize The maximum number of messages per Subscription in the republish queue the server allows. This setting affects the maximum number of Publish requests queued by the server for a Session. The resulting setting for the Publish requests is MaxRetransmissionQueueSize/2. 20
MaxNotificationsPerPublish The maximum number of notifications per Publish the server allows. 0 (no limitation)
MaxDataQueueSize The maximum size of data monitored item queues. 100
MaxEventQueueSize The maximum size of event monitored item queues. 1000
MaxSubscriptionCount Maximum number of subscriptions the server allows to create, 0 means unlimited. 250
MaxSubscriptionsPerSession Maximum number of subscriptions the server allows to create per Session, 0 means unlimited. 10
MaxMonitoredItemCount Maximum number of monitored items the server allows to create, 0 means unlimited. 500000
MaxMonitoredItemPerSubscriptionCount Maximum number of monitored items per subscriptions the server allows to create, 0 means unlimited. 100000
MaxMonitoredItemPerSessionCount The maximum number of monitored items per session the server allows to create. 0 (unlimited)
MinSupportedSampleRate The minimum sample interval (in milliseconds) supported by the server. 0
SamplingRateNonValueAttributes The sample interval (in milliseconds) used for non value attributes by the server. 5000
AvailableSamplingRates The settings for the sampling engine; each sampling rate (in milliseconds) has to be stored in a separate child element,
e.g. <SamplingRate>50</SamplingRate>.
50, 100, 250, 500, 1000, 2000, 5000, 10000
AvailableLocaleIds The settings for the available LocaleIds known to be supported by the server; each LocaleId has to be stored in a separate child element,
e.g. <LocaleId>en</LocaleId>.
en
AvailableServerProfiles The settings for the available UA profiles known to be supported by the server; each profile has to be stored in a separate child element <ServerProfileUri>. http://opcfoundation.org/UAProfile/Server/StandardUA
ServerCapabilities The settings for the supported server capabilities like DA, HA, AE or HE. Each capability has to be stored in a separate child element <ServerCapability>. NA
IsAuditActivated Flag indicating if audit events are activated; possible values: true or false. false
ThreadPoolSettings The settings for the thread pools used in the server application. A thread pool is a list of worker threads. The minimum size denotes the size of the tread pool at initialization. It grows dynamically until the maximum size is reached. The following child elements can be set:
  • MinSizeTransactionManager
  • MaxSizeTransactionManager
  • MinSizeSubscriptionManager
  • MaxSizeSubscriptionManager
4 (for each)
RejectedCertificatesDirectory Folder used to store rejected client certificates, e.g. [ConfigPath]/pki/rejected. Administrators can copy files from this folder to the trust list. [ConfigPath] can be used as a placeholder for the configuration directory path.
RejectedCertificatesCount The maximum number of certificates stored in the rejected certificates directory. 100
AllowDeprecatedSecurityPolicies By default the SDK rejects deprecated SecurityPolicies (such as Basic128Rsa15 and Basic256) when loading the configuration. For backwards compatibility with old applications this behaviour can be overridden. Consider carefully before turning this on: it re-enables policies that are deprecated for cryptographic reasons. false
CheckForDuplicateReferences This setting only affects the NodeManagerUaNode implementation. If set to true, NodeManagerUaNode checks whether an identical reference already exists before adding a UaReference. Since this check has some impact on performance when loading the address space, the default is false. We recommend turning the check on for testing or when loading an address space for the first time, and turning it off for production use. false

Build Information for the Server Application

Element Description Default
ProductUri A globally unique identifier for the server product; e.g. urn:UnifiedAutomation:UaServerCpp. Set by define SERVERCONFIG_PRODUCTURI
ManufacturerName A human readable name for manufacturer of the product. Set by define SERVERCONFIG_MANUFACTURERNAME
ProductName A human readable name for the server product. Set by define SERVERCONFIG_PRODUCTNAME
SoftwareVersion A string representing the version of the server product. Set by define SERVERCONFIG_SOFTWAREVERSION
BuildNumber A string representing the build number of the server product. Set by define SERVERCONFIG_BUILDNUMBER

Server Instance Information

These elements provide server instance information defined for the server installation. [NodeName] can be used as a placeholder for the computer name.

Element Description Default
ServerUri A globally unique identifier for the server installation; e.g. urn:[NodeName]:UnifiedAutomation:UaServerCpp. Set by define SERVERCONFIG_SERVERURI
ServerName A human readable name for the server installation; e.g. UaServerCpp@[NodeName]. Set by define SERVERCONFIG_SERVERNAME

User Identity Tokens

The configuration of supported user identity tokens and related configuration options are stored in the element <UserIdentityTokens>. It contains the following child elements:

<UserIdentityTokens>
<EnableAnonymous>true</EnableAnonymous>
<EnableUserPw>true</EnableUserPw>
<EnableCertificate>true</EnableCertificate>
<EnableIssuedToken>false</EnableIssuedToken>
<PasswordFileLocation>[ConfigPath]/passwd</PasswordFileLocation>
<UserPasswordManagement>
<EnableUserManagement>true</EnableUserManagement>
<PasswordOptions>0</PasswordOptions>
<MinPasswordLength>0</MinPasswordLength>
<MaxPasswordLength>0</MaxPasswordLength>
<MinUserNameLength>0</MinUserNameLength>
<MaxUserNameLength>0</MaxUserNameLength>
<MaxNumberOfUsers>1000</MaxNumberOfUsers>
<DefaultPasswordEncryptionAlgorithm>SHA512</DefaultPasswordEncryptionAlgorithm>
</UserPasswordManagement>
<SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicy>
<DefaultUserCertificateStore>
<CertificateTrustListLocation>[ConfigPath]/pkiuser/trusted/certs/</CertificateTrustListLocation>
<CertificateRevocationListLocation>[ConfigPath]/pkiuser/trusted/crl/</CertificateRevocationListLocation>
<IssuersCertificatesLocation>[ConfigPath]/pkiuser/issuers/certs/</IssuersCertificatesLocation>
<IssuersRevocationListLocation>[ConfigPath]/pkiuser/issuers/crl/</IssuersRevocationListLocation>
</DefaultUserCertificateStore>
<RejectedUserCertificatesDirectory>[ConfigPath]/pkiuser/rejected/</RejectedUserCertificatesDirectory>
<RejectedUserCertificatesCount>100</RejectedUserCertificatesCount>
</UserIdentityTokens>
Element Description Default
EnableAnonymous Enable or disable anonymous log-on; possible values are true or false. true
EnableUserPw Enable or disable user/password log-on; possible values are true or false. false
EnableCertificate Enable or disable certificate based user log-on; possible values are true or false. false
EnableIssuedToken Enable or disable issued token based user log-on; possible values are true or false. false
PasswordFileLocation Location of the password file; empty if no password file is configured. The default password manager of the SDK is file based: the file contains the users and a hash of each password. See User and Password File for a description of the content and format of the file.
UserPasswordManagement Configuration for the UserManagement object defined by OPC UA, which allows online user management through the OPC UA server interface. It requires either the default file based password management or a server application specific implementation of the UaPasswordManager interface (see also ServerManager::setPasswordManager()). It has the following child elements:
Element Description Default
EnableUserManagement Option to enable the standard UserManagement object. false
PasswordOptions Configuration for the user management and password options. Value based on PasswordOptionsMask. No special options are supported at the moment. 0
MinPasswordLength Minimum password length. A value of 0 indicates no limit for minimum. 0
MaxPasswordLength Maximum password length. A value of 0 indicates no limit for maximum. 64
MinUserNameLength Minimum user name length. A value of 0 indicates no limitation. 0
MaxUserNameLength Maximum user name length. A value of 0 indicates no limitation. 256
MaxNumberOfUsers Maximum number of users that can be added to the user management. A value of 0 indicates no limitation. 1000
DefaultPasswordEncryptionAlgorithm Hash algorithm used to store the passwords of newly created users (the element name says "encryption", but the stored value is a hash). SHA512
SecurityPolicy The security policy used to encrypt or sign the UserIdentityToken when it is passed to the server. It only applies to Endpoints with SecurityPolicy None; for all other Endpoints the security policy of the Endpoint is used. The security policy Basic128Rsa15 is no longer accepted. http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
DefaultUserCertificateStore Configuration for file based certificate store to handle user certificates. It has the following child elements:
Element Description Default
CertificateTrustListLocation The folder where certificates of trusted users and trusted CAs should be stored. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet. [ConfigPath]/pkiuser/trusted/certs/
CertificateRevocationListLocation The folder where revocation lists for trusted CAs should be stored. [ConfigPath]/pkiuser/trusted/crl/
IssuersCertificatesLocation The folder where issuer certificates are stored. Issuer certificates are CA certificates necessary for the verification of the full trust chain of CA certificates in the trust list. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet. [ConfigPath]/pkiuser/issuers/certs/
IssuersRevocationListLocation The folder where revocation lists for issuer CAs should be stored. [ConfigPath]/pkiuser/issuers/crl/
RejectedUserCertificatesDirectory Folder used to store rejected user certificates. [ConfigPath]/pkiuser/rejected
RejectedUserCertificatesCount The maximum number of certificates stored in the rejected directory. 100
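The settings above decide who may activate a session, so they are worth checking mechanically before a server goes live. The following script is an added example for this page, not SDK code: it parses a <UserIdentityTokens> fragment with Python's standard XML parser and reports settings a reviewer would question. The element names and the "0 means no limit" rules come from the tables above; the embedded fragment is a constructed copy of the sample, the function names are the author's, and the claim that a policy of None would leave tokens on None endpoints unencrypted is the author's reading of the SecurityPolicy row.

```python
"""Audit a <UserIdentityTokens> fragment from a ServerConfig.xml.

Added example for this page, not SDK code. Element names follow the fragment
shown above; the check wording and the '#None' rule are the author's.
"""
import xml.etree.ElementTree as ET

BASIC128RSA15 = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
TOKEN_TYPES = ("EnableAnonymous", "EnableUserPw", "EnableCertificate", "EnableIssuedToken")

# Constructed copy of the sample fragment from this page (not a shipped file).
SAMPLE_XML = """<UserIdentityTokens>
<EnableAnonymous>true</EnableAnonymous>
<EnableUserPw>true</EnableUserPw>
<EnableCertificate>true</EnableCertificate>
<EnableIssuedToken>false</EnableIssuedToken>
<PasswordFileLocation>[ConfigPath]/passwd</PasswordFileLocation>
<UserPasswordManagement>
<EnableUserManagement>true</EnableUserManagement>
<PasswordOptions>0</PasswordOptions>
<MinPasswordLength>0</MinPasswordLength>
<MaxPasswordLength>0</MaxPasswordLength>
<MinUserNameLength>0</MinUserNameLength>
<MaxUserNameLength>0</MaxUserNameLength>
<MaxNumberOfUsers>1000</MaxNumberOfUsers>
<DefaultPasswordEncryptionAlgorithm>SHA512</DefaultPasswordEncryptionAlgorithm>
</UserPasswordManagement>
<SecurityPolicy>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicy>
</UserIdentityTokens>
"""


def _flag(root, path):
    """True for <path>true</path>; a missing element counts as false."""
    node = root.find(path)
    return node is not None and (node.text or "").strip().lower() == "true"


def _text(root, path, default=""):
    node = root.find(path)
    return (node.text or "").strip() if node is not None else default


def audit_user_identity_tokens(xml_text):
    """Return a list of (element, finding) tuples for settings to question."""
    root = ET.fromstring(xml_text)
    if root.tag != "UserIdentityTokens":
        raise ValueError("expected a <UserIdentityTokens> element")
    findings = []

    if _flag(root, "EnableAnonymous"):
        findings.append(("EnableAnonymous", "anonymous log-on is enabled"))

    if not any(_flag(root, name) for name in TOKEN_TYPES):
        findings.append(("UserIdentityTokens", "no identity token type is enabled"))

    if _flag(root, "EnableUserPw") and not _text(root, "PasswordFileLocation"):
        findings.append(("PasswordFileLocation",
                         "user/password log-on enabled but no password file configured"))

    policy = _text(root, "SecurityPolicy")
    if policy == BASIC128RSA15:
        findings.append(("SecurityPolicy", "Basic128Rsa15 is no longer accepted by the SDK"))
    elif policy == POLICY_NONE:
        findings.append(("SecurityPolicy", "tokens on None endpoints would be sent unencrypted"))

    # Online user management: 0 means "no limit" for the length settings below.
    if _flag(root, "UserPasswordManagement/EnableUserManagement"):
        if int(_text(root, "UserPasswordManagement/MinPasswordLength", "0")) == 0:
            findings.append(("MinPasswordLength", "0 means no minimum password length"))
        if int(_text(root, "UserPasswordManagement/MaxNumberOfUsers", "0")) == 0:
            findings.append(("MaxNumberOfUsers", "0 means an unlimited number of users"))
    return findings


if __name__ == "__main__":
    for element, finding in audit_user_identity_tokens(SAMPLE_XML):
        print(element + ": " + finding)
```

Run against the sample fragment, the script flags anonymous log-on and the missing minimum password length; a fragment with EnableAnonymous false and MinPasswordLength set returns no findings.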

PubSub Module Configuration

The element <PubSubSettings> stores the settings for the PubSub module. It contains the following child elements:

Element Description Default
EnablePubSub Enable or disable the PubSub functionality. false
PubSubConfigFileBin PubSub configuration file name and location
PubSubSecurityKeyFile PubSub security key file name and location
SecurityKeyServerActive Flag to turn on the PubSub Security Key Server functionality false
SecurityKeyPullActive Flag to turn on the PubSub Security Key Pull functionality. The client SDK library must be available in the PubSub application. false
SecurityKeyPushActive Flag to turn on the PubSub Security Key Push functionality false
LegacyPubSubConfigActive Flag to turn on the legacy PubSub configuration file object false
DefaultDatagramPublisherId Default PublisherId for datagram transport protocols. It must be unique and should be set by the application. It is recommended to fill the first 6 bytes with the MAC address of one of the network interfaces and the remaining two bytes with the OPC UA Server port of the application. If it is not set at the first start of the server, a random default PublisherId is generated by the SDK. 0
MaxPubSubConfigSize Maximum size (in bytes) of the PubSub configuration binary file. 16777216
MaxPubSubConnections Maximum number of PubSubConnections 8
MaxWriterGroups Maximum number of WriterGroups 8
MaxReaderGroups Maximum number of ReaderGroups 8
MaxDataSetWriters Maximum number of DataSetWriters 32
MaxDataSetReaders Maximum number of DataSetReaders 32
MaxPublishedDataSets Maximum number of PublishedDataSets 32
MaxSubscribedDataSets Maximum number of SubscribedDataSets 32
MaxSecurityGroups Maximum number of SecurityGroups 32
MaxNetworkMessageSizeDatagram Maximum size of datagram network messages. 1400
PullRetryInterval Retry interval if a key pull fails. 1000
KeyLifetimeMax Longest key lifetime (in milliseconds) that can be configured for a SecurityGroup. 3600000
KeyLifetimeMin Shortest key lifetime (in milliseconds) that can be configured for a SecurityGroup. 100
PastKeyCountMax Maximum PastKeyCount that can be configured for a SecurityGroup. 10
PastKeyCountMin Minimum PastKeyCount that can be configured for a SecurityGroup. 0
FutureKeyCountMax Maximum FutureKeyCount that can be configured for a SecurityGroup. 50
FutureKeyCountMin Minimum FutureKeyCount that can be configured for a SecurityGroup. 1

Discovery Registration

The configuration for the registration with discovery server(s) is stored in the element <DiscoveryRegistration>. It contains the following child elements:

Element Description Default
AutomaticCertificateExchange Flag indicating whether certificates should be exchanged with the Windows certificate store. false
DiscoveryServerTrustListLocation Path of the local discovery server trust list. This is where the server copies its certificate to if the file based store of the new LDS is used.
DiscoveryServerStoreName Store name used for the local discovery server in the Windows certificate store.
DiscoveryServerCertificateName Certificate name of the local discovery server in the Windows certificate store.
RegistrationInterval Interval (in milliseconds) for registration with discovery server(s) 30000
Url List of discovery servers to register with, typically opc.tcp://localhost:4840 (local discovery server); if the list is empty, no registration is executed. Additional remote discovery servers can be added.

Redundancy Support and Additional Server Entries

<RedundancySettings>
<RedundancySupport>Hot</RedundancySupport>
<ServerUri>urn:MyServer:UnifiedAutomation:RedundancySample</ServerUri>
<ServerUri>urn:PC1:UnifiedAutomation:RedundancySample</ServerUri>
<ServerUri>urn:PC2:UnifiedAutomation:RedundancySample</ServerUri>
</RedundancySettings>
<AdditionalServerEntries>
<ApplicationDescription>
<ApplicationUri>urn:PC1:UnifiedAutomation:RedundancySample</ApplicationUri>
<ProductUri>urn:UnifiedAutomation:RedundancySample</ProductUri>
<ApplicationName>RedundancySample@PC1</ApplicationName>
<ApplicationType>Server</ApplicationType>
<GatewayServerUri></GatewayServerUri>
<DiscoveryProfileUri></DiscoveryProfileUri>
<DiscoveryUrl>opc.tcp://PC1:48010</DiscoveryUrl>
<DiscoveryUrl>https://PC1:48011</DiscoveryUrl>
</ApplicationDescription>
<ApplicationDescription>
<ApplicationUri>urn:PC2:UnifiedAutomation:RedundancySample</ApplicationUri>
<ProductUri>urn:UnifiedAutomation:RedundancySample</ProductUri>
<ApplicationName>RedundancySample@PC2</ApplicationName>
<ApplicationType>Server</ApplicationType>
<GatewayServerUri></GatewayServerUri>
<DiscoveryProfileUri></DiscoveryProfileUri>
<DiscoveryUrl>opc.tcp://PC2:48010</DiscoveryUrl>
<DiscoveryUrl>https://PC2:48011</DiscoveryUrl>
</ApplicationDescription>
</AdditionalServerEntries>

See Redundancy for more information about server redundancy.

Redundancy Settings

This element provides the redundancy settings for the server.

Element Description Default
RedundancySupport Possible redundancy support options are None, Cold, Warm, Hot and Transparent (Transparent requires a special module). None
ServerUri The list of server URIs for the servers in the NonTransparent redundant set. Add a separate child element ServerUri for each server. The server itself has to be included in the list (see sample code).

Additional Server Entries

This element is required by the redundancy configuration to provide the discovery URLs for the ServerUris of the other servers in a non-transparent redundant set. A list of application descriptions can be defined as child elements of <AdditionalServerEntries> as shown in the code sample. [NodeName] can be used as a placeholder for the computer name. The server's own entry must not be included in this list.

The same element can also be used to announce other servers on the same system if the server itself is running on port 4840, i.e. takes the role of the local discovery server.

Element Description
ApplicationUri A globally unique identifier for the server instance (its ServerUri).
ProductUri A globally unique identifier for the product the server belongs to.
ApplicationName A human readable name for the server instance.
ApplicationType Possible application types are Server and ClientAndServer.
GatewayServerUri A URI that identifies the Gateway Server associated with the DiscoveryUrl.
DiscoveryProfileUri A URI that identifies the discovery profile supported by the URL.
DiscoveryUrl URL for the discovery Endpoint provided by the server.

Serializer

This part of the configuration defines the OPC UA Stack serializer settings; they are stored in the element <Serializer>. Set these values carefully, as they are the security constraints for the serializer: they bound how much memory a peer can make the server allocate while decoding a single message, before any authentication has taken place. The following child elements can be set:

Element Description Default
MaxAlloc The largest memory block the serializer may allocate when deserializing a message. Set by define OPCUA_SERIALIZER_MAXALLOC
MaxStringLength The largest string accepted by the serializer. Set by define OPCUA_ENCODER_MAXSTRINGLENGTH
MaxByteStringLength The largest byte string accepted by the serializer. Set by define OPCUA_ENCODER_MAXBYTESTRINGLENGTH
MaxArrayLength Maximum number of elements in an array accepted by the serializer. Set by define OPCUA_ENCODER_MAXARRAYLENGTH
MaxMessageSize The maximum number of bytes per message in total. Set by define OPCUA_ENCODER_MAXMESSAGELENGTH

Stack Thread Pool Settings

The element <StackThreadPoolSettings> stores the settings for the thread pool used in the OPC UA Stack. It contains the following child elements:

Element Description Default
Enabled Controls whether the secure listener uses a thread pool to dispatch received requests. false
MinThreads The minimum number of threads in the thread pool. 5
MaxThreads The maximum number of threads in the thread pool. 5
MaxJobs The length of the queue with jobs waiting for a free thread. 20
BlockOnAdd If MaxJobs is reached, the add operation can block or return an error. true
Timeout If the add operation blocks on a full job queue, this value sets the maximum waiting time (in milliseconds); 0 means infinite. 0 (infinite)

Durable Subscription

If the server implements durable subscriptions, the following settings must be configured.

The element <DurableSubscription> stores the durable subscription settings for the OPC UA Server. It contains the following child elements:

Element Description Default
Enabled Flag indicating if durable subscription support is enabled. false
StorageDirectory File directory used by the SDK to store durable subscriptions.
MaxSubscriptionLifetimeInHours Maximum Durable Subscription lifetime in hours the server allows. 0
MaxMonitoredItemQueueSize Maximum size of a durable monitored item queue the server allows. 0
LiveQueueSize Size of the live value queue for a durable monitored item in normal operation. The default value is 100. The minimum value is 10. 100
<DurableSubscription>
<!-- Flag indicating if durable subscription support is enabled -->
<Enabled>true</Enabled>
<!--Storage directory for durable subscription configurations
[ConfigPath] can be used as placeholder for the configuration directory path.
[ApplicationPath] can be used as placeholder for the application path.-->
<StorageDirectory>[ConfigPath]/durablesubscriptions</StorageDirectory>
<!-- Maximum Durable Subscription lifetime in hours the server allows -->
<MaxSubscriptionLifetimeInHours>100</MaxSubscriptionLifetimeInHours>
<!-- Maximum size of a durable monitored item queue the server allows -->
<MaxMonitoredItemQueueSize>0</MaxMonitoredItemQueueSize>
<!-- Size of the live value queue for a durable monitored item in normal operation. The default value is 100. The minimum value is 10. -->
<LiveQueueSize>100</LiveQueueSize>
</DurableSubscription>

INI Configuration File

An INI based example configuration file can be found in [Installation Directory]/bin. Note that the INI file is only installed if the CMake option UASDK_WITH_XMLPARSER is disabled.

Build Information for the Server Application

ProductUri=urn:[NodeName]:UnifiedAutomation:UaServerCpp
ManufacturerName=Unified Automation GmbH
ProductName=C++ SDK OPC UA Demo Server
SoftwareVersion=1.4.0
BuildNumber=250
Parameter Description Default
ProductUri A globally unique identifier for the server product. Set by define SERVERCONFIG_PRODUCTURI
ManufacturerName A human readable name for manufacturer of the product. Set by define SERVERCONFIG_MANUFACTURERNAME
ProductName A human readable name for the server product. Set by define SERVERCONFIG_PRODUCTNAME
SoftwareVersion A string representing the version of the server product. Set by define SERVERCONFIG_SOFTWAREVERSION
BuildNumber A string representing the build number of the server product. Set by define SERVERCONFIG_BUILDNUMBER

Server Instance Information

These parameters provide server instance information defined for the server installation. [NodeName] can be used as a placeholder for the computer name.

ServerUri=urn:[NodeName]:UnifiedAutomation:UaServerCpp
ServerName=UaServerCpp@[NodeName]
Parameter Description Default
ServerUri A globally unique identifier for the server installation. Set by define SERVERCONFIG_SERVERURI
ServerName A human readable name for the server installation. Set by define SERVERCONFIG_SERVERNAME

Trace

Here, the trace settings for the OPC UA Stack and OPC UA Application are stored. The following parameters can be set:

Trace/UaAppTraceFile=[TracePath]/UaServerCPP.log
Trace/UaAppTraceEnabled=false
Trace/UaAppTraceLevel=Data
Trace/UaStackTraceEnabled=false
Trace/UaStackTraceLevel=ALL
Trace/UaAppTraceMaxBackup=5
Trace/UaAppTraceMaxEntries=100000
Trace/UaAppTraceDisableFlush=true
Trace/TraceEvents=History
Trace/PubSubStackTraceEnabled=false
Parameter Description Default
UaAppTraceFile The trace file; [TracePath] can be used as a placeholder for the path to the server application. Set by define SERVERCONFIG_SERVERTRACEFILE
UaStackTraceEnabled Enable or disable the UA stack trace; possible values are true or false. false
UaStackTraceLevel The UA stack trace level; possible values are:
  • NONE: no trace
  • ERROR: critical errors that require attention, i.e. unexpected errors and/or errors requiring external actions
  • WARNING: non-critical faults that should not go unnoticed but are handled internally
  • SYSTEM: rare major events (good cases) like initialization, shutdown, etc.
  • INFO: regular good-case events, like connects, renews
  • DEBUG: used for debugging purposes
  • CONTENT: used to add additional content (i.e. whole message bodies) to debug traces
  • ALL: all outputs
Default: NONE
UaAppTraceEnabled Enable or disable the UA server application trace; possible values are true or false. false
UaAppTraceLevel The UA server application trace level; possible values are:
  • NoTrace: no trace
  • Errors: unexpected errors
  • Warning: unexpected behaviour that is not an error
  • Info: information about important activities, like connection establishment
  • InterfaceCall: calls to module interfaces
  • CtorDtor: creation and destruction of objects
  • ProgramFlow: internal program flow
  • Data: data
Default: NoTrace
PubSubStackTraceEnabled Enable or disable the PubSub stack trace; possible values are true or false. The trace level for PubSub is derived from the UaAppTraceLevel setting. false
UaAppTraceMaxBackup The maximum number of backup files 5
UaAppTraceMaxEntries The maximum number of trace entries in one file 100000
UaAppTraceDisableFlush If set to true, the trace file is not flushed after each trace entry, but automatically from time to time. For maximum trace performance you should set this option to true. If you have issues with missing trace entries in case of an application crash, you should set this option to false. true
TraceEvents Setting to allow clients to get the SDK trace outputs for trace levels Errors, Warning and Info via HistoryRead for events and/or Events from the server. Possible values are: History

RoleConfiguration

Here, the <RoleConfigIni> settings for the OPC UA Application are stored. The following parameters can be set:

RoleConfiguration/Enabled=true
RoleConfiguration/ConfigFileLocation=[ConfigPath]/RoleConfiguration.ini
Parameter Description Default
Enabled Enable SDK to load and persist the roles; possible values are true or false. true
ConfigFileLocation Location of the RoleConfiguration file.
[ConfigPath] can be used as placeholder for the configuration path.
See Role Configuration XML and Role Configuration INI for a description of the two possible Role file formats.


Default Application Certificate Store

This part of the configuration file sets the defaults for certificate handling. These settings can be overridden in the Endpoint Configuration if a different configuration for a specific endpoint is required.

A configuration per Endpoint is no longer necessary: the default configuration is used if no Endpoint specific configuration is provided.

Please refer to Certificates, Certificate Store and Trust List for more information.

DefaultApplicationCertificateStore/MaxTrustListSize=0
DefaultApplicationCertificateStore/SendCertificateChain=true
DefaultApplicationCertificateStore/DisablePrivateKeyPush=false
DefaultApplicationCertificateStore/OpenSSLStore/CertificateTrustListLocation=[ConfigPath]/pkiserver/trusted/certs/
DefaultApplicationCertificateStore/OpenSSLStore/CertificateRevocationListLocation=[ConfigPath]/pkiserver/trusted/crl/
DefaultApplicationCertificateStore/OpenSSLStore/IssuersCertificatesLocation=[ConfigPath]/pkiserver/issuers/certs/
DefaultApplicationCertificateStore/OpenSSLStore/IssuersRevocationListLocation=[ConfigPath]/pkiserver/issuers/crl/
DefaultApplicationCertificateStore/ServerCertificate_1/OpenSSLStore/ServerCertificate=[ConfigPath]/pkiserver/own/certs/uaservercpp.der
DefaultApplicationCertificateStore/ServerCertificate_1/OpenSSLStore/ServerPrivateKey=[ConfigPath]/pkiserver/own/private/uaservercpp.pem
DefaultApplicationCertificateStore/ServerCertificate_1/GenerateCertificate=true
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/CommonName=[ServerName]
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/DomainComponent=[NodeName]
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/Organization=Organization
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/OrganizationUnit=Unit
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/Locality=LocationName
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/State
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/Country=DE
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/YearsValidFor=5
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/KeyLength=2048
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/CertificateType=RsaSha256
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/IPAddress_1=213.95.4.190
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/IPAddress_2=2a00:1158:400:407:0:0:0:1b2
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/DNSName_1=[NodeName]
DefaultApplicationCertificateStore/ServerCertificate_1/CertificateSettings/DNSName_2=demo.unifiedautomation.com
Parameter Description Default
MaxTrustListSize The maximum size of the trust list in bytes. 0 (unlimited)
SendCertificateChain For CA signed certificates, this flag controls whether the server sends the complete certificate chain instead of just the certificate. This affects the GetEndpoints and CreateSession services. true
DisablePrivateKeyPush For GDS Push, this flag controls whether UpdateCertificate allows the GDS to set private keys. false
OpenSSLStore File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path. The following parameters can be set:
Parameter Description
CertificateTrustListLocation The folder where certificates of trusted applications and trusted CAs should be stored. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet.
CertificateRevocationListLocation The folder where revocation lists for trusted CAs should be stored. Each CA certificate in the CertificateTrustListLocation requires one and only one CRL file in this folder.
IssuersCertificatesLocation The folder where issuer certificates are stored. Issuer certificates are CA certificates necessary for the verification of the full trust chain of CA certificates in the trust list. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet.
IssuersRevocationListLocation The folder where revocation lists for issuer CAs should be stored. Each CA certificate in the IssuersCertificatesLocation requires one and only one CRL file in this folder.

The recommended file directory layout for the store has the following directories and subdirectories:

  • own (see parameter ServerCertificate in separate table).
    • certs: ServerCertificate
    • private: ServerPrivateKey
  • trusted
    • certs: CertificateTrustListLocation
    • crl: CertificateRevocationListLocation
  • issuers
    • certs: IssuersCertificatesLocation
    • crl: IssuersRevocationListLocation
WindowsStore Windows certificate store; [ConfigPath] can be used as placeholder for the configuration path. The following parameters can be set for WindowsStore:
Parameter Description
StoreLocation Location of the store; valid values are LocalMachine and CurrentUser
StoreName Name of the certificate store on the local computer
ServerCertificateThumbprint Thumbprint of the server certificate used to load from store
ServerCertificate Application instance certificate for the Server. See the separate table for a description.

Element ServerCertificate

Parameter Description Default
OpenSSLStore File based certificate store used with OpenSSL; [ConfigPath] can be used as placeholder for the configuration path. Certificates have to be stored in DER format (with file extension .der). Revocation lists have to be stored in DER format (with file extension .crl) or in PEM format (with .pem as file extension). The private key is encoded in PEM format (with .pem as file extension). A more detailed explanation of certificate management can be found on the website of the OPC Foundation: The OPC UA Security Model for Administrators (pdf document). The following parameters can be set (see sample code):
  • ServerCertificate: The file containing the server certificate.
  • ServerPrivateKey: The file containing the server private key. Restrict read access to this file to the account the server runs under; anyone who can read it can impersonate the server.
WindowsStore Windows certificate store; [ConfigPath] can be used as placeholder for the configuration path. The following parameters can be set:
  • StoreLocation: Location of the store; valid values are LocalMachine and CurrentUser.
  • StoreName: Name of the certificate store on the local computer.
  • ServerCertificateThumbprint: Thumbprint of the server certificate to load from the store.
GenerateCertificate Enable or disable server certificate creation if no certificate is available; possible values: true or false. true
CertificateSettings Settings for a certificate generated by the server; the information is stored in the following parameters (see sample code):
  • CommonName: Name of the application; [ServerName] can be used as a placeholder for the configured server name (see Server Instance Information). Default: [ServerName]
  • DomainComponent: DomainComponent as defined in RFC 2247; [NodeName] can be used as a placeholder for the hostname of the machine. Default: [NodeName]
  • Organization: Name of the organization using the OPC UA server.
  • OrganizationUnit: Name of the organization unit using the OPC UA server.
  • Locality: Name of the location where the OPC UA server is running.
  • State: State where the OPC UA server is running.
  • Country: Two-letter code for the country where the OPC UA server is running, e.g. DE or US.
  • YearsValidFor: The number of years the certificate is valid for; the maximum accepted value is 20, but a much shorter interval is strongly recommended. Default: 5
  • KeyLength: Key length (in bits) of the certificate to create; valid values are 1024 and 2048 for RsaMin, and 2048, 3072 and 4096 for RsaSha256. Default: 2048
  • CertificateType: Defines the algorithm used to sign the certificate. Valid values are RsaMin and RsaSha256. Applications that support the Basic128Rsa15 and Basic256 profiles need a certificate of type RsaMin; applications that support the Basic256Sha256 profile need a certificate of type RsaSha256. In this version of the SDK one Endpoint cannot have multiple certificates, so the RsaMin and the RsaSha256 profile cannot be served at the same time. RsaSha256 is strongly recommended: Basic128Rsa15 and Basic256 are deprecated, and those profiles also work with an RsaSha256 certificate. Default: RsaSha256
  • IPAddress, DNSName: An application instance certificate needs to provide one or more DNSNames and/or IPAddresses at which the Endpoint can be reached. This information is added to the SubjectAlternativeName of the certificate. Several entries are given as IPAddress_1, IPAddress_2, DNSName_1, ... (see sample code); [NodeName] can be used as a placeholder for the hostname of the machine. Default for DNSName: [NodeName]

Provisioning Mode

If the server is in Provisioning mode, it accepts all client certificates as long as the trust list is empty. During that window every client that can reach the server is accepted, so enable it only for initial commissioning, on a network where access is restricted, and make sure it is deactivated once the first trusted certificates are in place (see DeactivateAfterInitialConfiguration).

The element <ProvisioningModeSettings> stores the provisioning mode settings for the OPC UA Server. It contains the following parameters:

Parameter Description Default
IsActive If this flag is set to true and the trust list is empty, the server accepts all certificates. If there are certificates in the trust list, the server does only accept certificates that are trusted. false
DeactivateAfterInitialConfiguration If this flag is true, the IsActive flag will be set to false as soon as the first certificates are added to the trust list. The Provisioning mode will not be activated again if the trust list is empty. If this flag is false, the IsActive flag is not changed and the server will go back to Provisioning as soon as the trust list is empty. true
ProvisioningModeSettings/IsActive=false
ProvisioningModeSettings/DeactivateAfterInitialConfiguration=true
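The interaction of the two flags is easy to get wrong, in particular the case where the trust list becomes empty again later. The following model is an added example for this page, not SDK code and not the SDK's implementation: it encodes the acceptance rule from the table above as a small class so the two flag combinations can be compared. The class and method names and the use of thumbprint strings as stand-ins for certificates are the author's choice.

```python
"""Model of the Provisioning mode decision described in the table above.

Added example for this page, not SDK code. The rules (accept anything while the
trust list is empty; DeactivateAfterInitialConfiguration clears IsActive for
good once the first certificate is trusted) are taken from the table; names
and the thumbprint representation are the author's.
"""


class ProvisioningMode:
    def __init__(self, is_active, deactivate_after_initial_configuration):
        self.is_active = is_active
        self.deactivate_after_initial_configuration = deactivate_after_initial_configuration
        self.trust_list = set()  # thumbprints of trusted certificates (constructed)

    def add_trusted(self, thumbprint):
        """An administrator copies a certificate into the trust list."""
        was_empty = not self.trust_list
        self.trust_list.add(thumbprint)
        # First certificate ever trusted: with DeactivateAfterInitialConfiguration
        # the mode is switched off permanently, even if the list empties again.
        if was_empty and self.deactivate_after_initial_configuration:
            self.is_active = False

    def remove_trusted(self, thumbprint):
        """A certificate is removed (expired, revoked, cleaned up)."""
        self.trust_list.discard(thumbprint)

    def accepts(self, thumbprint):
        """Would a client presenting this certificate be accepted?"""
        if thumbprint in self.trust_list:
            return True
        # Only an active Provisioning mode with an EMPTY trust list accepts unknown
        # certificates; as soon as anything is trusted, only trusted ones pass.
        return self.is_active and not self.trust_list


def compare_flag_variants():
    """Walk both variants through the same events; returns the outcomes."""
    events = ["before", "after_first_trusted", "after_trust_list_emptied"]
    outcomes = {}
    for deactivate in (True, False):
        mode = ProvisioningMode(is_active=True,
                                deactivate_after_initial_configuration=deactivate)
        unknown = "sha1:unknown-client"  # constructed, never added to the trust list
        results = [mode.accepts(unknown)]
        mode.add_trusted("sha1:commissioning-client")
        results.append(mode.accepts(unknown))
        mode.remove_trusted("sha1:commissioning-client")
        results.append(mode.accepts(unknown))
        outcomes[deactivate] = dict(zip(events, results))
    return outcomes


if __name__ == "__main__":
    for deactivate, result in compare_flag_variants().items():
        print("DeactivateAfterInitialConfiguration=%s: %s" % (deactivate, result))
```

With DeactivateAfterInitialConfiguration=true the unknown client is accepted only before the first certificate is trusted; with the flag false the server silently reopens to everyone once the trust list is emptied, which is the case to watch for when certificates are rotated or cleaned up.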

Server Settings

MaxRequestAge=0
MaxSessionCount=100
MaxSessionsPerClient=0
MinSessionTimeout=10000
MaxSessionTimeout=3600000
MaxBrowseContinuationPoints=0
MaxBrowseResults=0
MaxNodesPerRead=0
MaxNodesPerWrite=0
MaxNodesPerBrowse=0
MaxNodesPerTranslateBrowsePathsToNodeIds=0
MaxNodesPerMethodCall=0
MaxMonitoredItemsPerCall=0
MaxNodesPerHistoryReadData=0
MaxNodesPerHistoryReadEvents=0
MaxNodesPerHistoryUpdateData=0
MaxNodesPerHistoryUpdateEvents=0
MaxNodesPerRegisterNodes=0
MaxNodesPerNodeManagement=0
MaxHistoryContinuationPoints=0
MinPublishingInterval=50
MaxPublishingInterval=0
MinKeepAliveInterval=5000
MinSubscriptionLifetime=10000
MaxSubscriptionLifetime=3600000
MaxRetransmissionQueueSize=20
MaxNotificationsPerPublish=0
MaxDataQueueSize=100
MaxEventQueueSize=10000
MaxSubscriptionCount=250
MaxSubscriptionsPerSession=10
MaxMonitoredItemCount=500000
MaxMonitoredItemPerSubscriptionCount=100000
MaxMonitoredItemPerSessionCount=0
MinSupportedSampleRate=0
SamplingRateNonValueAttributes=5000
AvailableSamplingRates/SamplingRate_1=0
AvailableSamplingRates/SamplingRate_2=50
AvailableSamplingRates/SamplingRate_3=100
AvailableSamplingRates/SamplingRate_4=250
AvailableSamplingRates/SamplingRate_5=500
AvailableSamplingRates/SamplingRate_6=1000
AvailableSamplingRates/SamplingRate_7=2000
AvailableSamplingRates/SamplingRate_8=5000
AvailableSamplingRates/SamplingRate_9=10000
AvailableLocaleIds/LocaleId_1=en
AvailableServerProfiles/ServerProfileUri_1=http://opcfoundation.org/UAProfile/Server/StandardUA
AvailableServerProfiles/ServerProfileUri_2=http://opcfoundation.org/UAProfile/Server/DataAccess
AvailableServerProfiles/ServerProfileUri_3=http://opcfoundation.org/UAProfile/Server/Methods
AvailableServerProfiles/ServerProfileUri_4=http://opcfoundation.org/UAProfile/Server/NodeManagement
AvailableServerProfiles/ServerProfileUri_5=http://opcfoundation.org/UAProfile/Server/EventSubscription
ServerCapabilities/ServerCapability_1=DA
ServerCapabilities/ServerCapability_2=HD
ServerCapabilities/ServerCapability_3=AC
ServerCapabilities/ServerCapability_4=HE
IsAuditActivated=false
ThreadPoolSettings/MinSizeTransactionManager=1
ThreadPoolSettings/MaxSizeTransactionManager=10
ThreadPoolSettings/MinSizeSubscriptionManager=1
ThreadPoolSettings/MaxSizeSubscriptionManager=10
RejectedCertificatesDirectory=[ConfigPath]/pki/rejected
RejectedCertificatesCount=100
AllowDeprecatedSecurityPolicies=false
CheckForDuplicateReferences=false
Parameter Description Default
MaxRequestAge The maximum age of a request (in milliseconds) the server allows. 0 (unlimited)
MaxSessionCount The maximum number of sessions allowed by the server; 0 is unlimited. 100
MaxSessionsPerClient The maximum number of sessions the server allows per client; 0 is unlimited. 0
MinSessionTimeout The minimum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. 10000
MaxSessionTimeout The maximum timeout for a session (in milliseconds) the server allows to set; 0 is unlimited. 3600000
MaxBrowseContinuationPoints The maximum number of Browse Continuation Points managed by a session. 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_CP; default value: 10)
MaxBrowseResults The maximum number of Browse results for one browse operation. 0 (using default settings defined by compiler switch DEFAULT_MAX_BROWSE_RESULTS; default value: 1000)
MaxNodesPerRead The maximum number of nodes per read the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerWrite The maximum number of nodes per write the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerBrowse The maximum number of nodes to browse the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerTranslateBrowsePathsToNodeIds The maximum number of nodes to use in a TranslateBrowsePathsToNodeIds service request. 0 (Serializer.MaxArrayLength)
MaxMonitoredItemsPerCall The maximum number of monitored items per call the server allows to create, modify or delete. 0 (Serializer.MaxArrayLength)
MaxNodesPerMethodCall The maximum number of methods per method call the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerHistoryReadData The maximum number of nodes accepted by the server for the HistoryRead service for Raw, Modified, Processed, and AtTime. 0 (Serializer.MaxArrayLength)
MaxNodesPerHistoryReadEvents The maximum number of nodes accepted by the server for the HistoryRead service for Events. 0 (Serializer.MaxArrayLength)
MaxNodesPerHistoryUpdateData The maximum number of nodes accepted by the server for the HistoryUpdate service for Data. 0 (Serializer.MaxArrayLength)
MaxNodesPerHistoryUpdateEvents The maximum number of nodes accepted by the server for the HistoryUpdate service for Events. 0 (Serializer.MaxArrayLength)
MaxNodesPerRegisterNodes The maximum number of nodes per register or unregister nodes the server will accept. 0 (Serializer.MaxArrayLength)
MaxNodesPerNodeManagement The maximum number of nodes or references per NodeManagement service the server will accept. 0 (Serializer.MaxArrayLength)
MaxHistoryContinuationPoints The maximum number of History Continuation Points managed by a session. 0 (using default settings defined by compiler switch DEFAULT_MAX_HISTORY_READ_CP; default value: 100)
MinPublishingInterval The minimum publishing interval (in milliseconds) the server allows. 50
MaxPublishingInterval The maximum publishing interval (in milliseconds) the server allows. 0 (no limitation)
MinKeepAliveInterval The minimum KeepAlive interval (in milliseconds) the server allows. 5000
MinSubscriptionLifetime The minimum Subscription lifetime (in milliseconds) the server allows; 0 is no limitation. 10000
MaxSubscriptionLifetime The maximum Subscription lifetime (in milliseconds) the server allows. 0 (no limitation)
MaxRetransmissionQueueSize The maximum number of messages per Subscription in the republish queue the server allows. This setting affects the maximum number of Publish requests queued by the server for a Session. The resulting setting for the Publish requests is MaxRetransmissionQueueSize/2. 20
MaxNotificationsPerPublish The maximum number of notifications per Publish the server allows. 0 (no limitation)
MaxDataQueueSize The maximum size of data monitored item queues. 100
MaxEventQueueSize The maximum size of event monitored item queues. 1000
MaxSubscriptionCount The maximum number of subscriptions the server allows to create. 0 (unlimited)
MaxSubscriptionsPerSession The maximum number of subscriptions the server allows to create per Session. 0 (unlimited)
MaxMonitoredItemCount The maximum number of monitored items the server allows to create. 0 (unlimited)
MaxMonitoredItemPerSubscriptionCount The maximum number of monitored items per subscription the server allows to create. 0 (unlimited)
MaxMonitoredItemPerSessionCount The maximum number of monitored items per session the server allows to create. 0 (unlimited)
MinSupportedSampleRate The minimum sample interval supported by the server. 0
SamplingRateNonValueAttributes The sample interval (in milliseconds) used for non value attributes by the server. 5000
AvailableSamplingRates The settings for the sampling engine; add a line AvailableSamplingRates/SamplingRate_[n]=[sampling rate in milliseconds] for each sampling rate (see sample code). 50, 100, 250, 500, 1000, 2000, 5000, 10000
AvailableLocaleIds The settings for the available LocaleIds known to be supported by the server; add a line AvailableLocaleIds/LocaleId_[n]=[Locale ID] for each Locale ID (see sample code). en
AvailableServerProfiles The settings for the available UA profiles known to be supported by the server; add a line AvailableServerProfiles/ServerProfileUri_[n]=[Server Profile URI] for each Server Profile URI (see sample code). http://opcfoundation.org/UAProfile/Server/StandardUA
ServerCapabilities The settings for the supported server capabilities like DA, HA, AE or HE; add a line ServerCapabilities/ServerCapability_[n]=[Capability] for each Server Capability (see sample code). NA
IsAuditActivated Flag indicating if audit events are activated; possible values: true or false. false
ThreadPoolSettings The settings for the thread pools used in the server application; the following parameters can be set (each in a separate line ThreadPoolSettings/[parameter]=[value]): MaxSizeTransactionManager, MinSizeTransactionManager, MaxSizeSubscriptionManager, MinSizeSubscriptionManager (see sample code). 4 (for each)
RejectedCertificatesDirectory Folder used to store rejected client certificates; e.g. [ConfigPath]/pki/rejected. Administrators can copy files from this folder to the trust list. [ConfigPath] can be used as a placeholder for the path to the server application.
RejectedCertificatesCount The maximum number of certificates stored in the rejected certificates directory. 100
AllowDeprecatedSecurityPolicies By default deprecated SecurityPolicies are rejected by the SDK when loading the configuration. For backwards compatibility with old applications that behavior can be overridden. Please consider carefully before turning this feature on. false
CheckForDuplicateReferences This setting only affects the NodeManagerUaNode implementation. If set to true, the NodeManagerUaNode checks whether an identical reference already exists before adding a UaReference. Since this check has some impact on the performance when loading the address space, the default is false. We recommend turning this check on for testing or when loading an address space for the first time, and turning it off for productive use. false

User Identity Tokens

The configuration of supported user identity tokens is stored in the parameter set UserIdentityTokens containing the following parameters:

UserIdentityTokens/EnableAnonymous=true
UserIdentityTokens/EnableUserPw=true
UserIdentityTokens/EnableCertificate=true
UserIdentityTokens/EnableIssuedToken=false
UserIdentityTokens/PasswordFileLocation=[ConfigPath]/passwd
UserIdentityTokens/UserPasswordManagement/EnableUserManagement=true
UserIdentityTokens/UserPasswordManagement/PasswordOptions=0
UserIdentityTokens/UserPasswordManagement/MinPasswordLength=0
UserIdentityTokens/UserPasswordManagement/MaxPasswordLength=64
UserIdentityTokens/UserPasswordManagement/MinUserNameLength=0
UserIdentityTokens/UserPasswordManagement/MaxUserNameLength=256
UserIdentityTokens/UserPasswordManagement/MaxNumberOfUsers=1000
UserIdentityTokens/UserPasswordManagement/DefaultPasswordEncryptionAlgorithm=SHA512
UserIdentityTokens/SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
UserIdentityTokens/DefaultUserCertificateStore/CertificateTrustListLocation=[ConfigPath]/pkiuser/trusted/certs/
UserIdentityTokens/DefaultUserCertificateStore/CertificateRevocationListLocation=[ConfigPath]/pkiuser/trusted/crl/
UserIdentityTokens/DefaultUserCertificateStore/IssuersCertificatesLocation=[ConfigPath]/pkiuser/issuers/certs/
UserIdentityTokens/DefaultUserCertificateStore/IssuersRevocationListLocation=[ConfigPath]/pkiuser/issuers/crl/
UserIdentityTokens/RejectedUserCertificatesDirectory=[ConfigPath]/pkiuser/rejected
UserIdentityTokens/RejectedUserCertificatesCount=100
Parameter Description Default
EnableAnonymous Enable or disable anonymous log-on; possible values are true or false. true
EnableUserPw Enable or disable user/password log-on; possible values are true or false. false
EnableCertificate Enable or disable certificate based user log-on; possible values are true or false. false
EnableIssuedToken Enable or disable log-on with issued token; possible values are true or false. false
PasswordFileLocation Location of the password file, empty if no password file is configured. The default password manager used by the SDK is file based, where the file contains the users and the password as hash. The file location is used for the default file based password management. See User and Password File for a description of the content and format of the file.
UserPasswordManagement Configuration for the OPC UA defined UserManagement object that allows on-line user management through the OPC UA server interface. It requires either the use of the default file based password management or a server application specific implementation of the UaPasswordManager interface (see also ServerManager::setPasswordManager()). It has the following child elements:
Parameter Description Default
EnableUserManagement Option to enable the standard UserManagement object. false
PasswordOptions Configuration for the user management and password options. Value based on PasswordOptionsMask. No special options are supported at the moment. 0
MinPasswordLength Minimum password length. A value of 0 indicates no limit for minimum. 0
MaxPasswordLength Maximum password length. A value of 0 indicates no limit for maximum. 64
MinUserNameLength Minimum user name length. A value of 0 indicates no limitation. 0
MaxUserNameLength Maximum user name length. A value of 0 indicates no limitation. 256
MaxNumberOfUsers Maximum number of users that can be added to the user management. A value of 0 indicates no limitation. 1000
DefaultPasswordEncryptionAlgorithm Encryption/Hashing algorithm used to store passwords of new users. SHA512
SecurityPolicy The security policy to use when encrypting or signing the UserIdentityToken when it is passed to the server. This security policy is only applied for None Endpoints. For other Endpoints, we use the security policy of the Endpoint. The security policy Basic128Rsa15 is no longer accepted. http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
DefaultUserCertificateStore Configuration for file based certificate store to handle user certificates. The following parameters can be set:
Parameters Description Default
CertificateTrustListLocation The folder where certificates of trusted users and trusted CAs should be stored. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet. [ConfigPath]/pkiuser/trusted/certs/
CertificateRevocationListLocation The folder where revocation lists for trusted CAs should be stored. [ConfigPath]/pkiuser/trusted/crl/
IssuersCertificatesLocation The folder where issuer certificates are stored. Issuer certificates are CA certificates necessary for the verification of the full trust chain of CA certificates in the trust list. Each CA requires one and only one CRL. The CRL may be empty if no certificates have been revoked yet. [ConfigPath]/pkiuser/issuers/certs/
IssuersRevocationListLocation The folder where revocation lists for issuer CAs should be stored. [ConfigPath]/pkiuser/issuers/crl/
RejectedUserCertificatesDirectory Folder used to store rejected user certificates. [ConfigPath]/pkiuser/rejected
RejectedUserCertificatesCount The maximum number of certificates stored in the rejected directory. 100

Serializer

This part of the configuration defines the OPC UA Stack serializer settings. Set these values carefully, as they are the security constraints for the serializer. The following parameters can be set:

Serializer/MaxAlloc=16777216
Serializer/MaxStringLength=16777216
Serializer/MaxByteStringLength=16777216
Serializer/MaxArrayLength=65536
Serializer/MaxMessageSize=16777216
Parameter Description Default
MaxAlloc The largest memory block the serializer may allocate when deserializing a message. Set by define OPCUA_SERIALIZER_MAXALLOC
MaxStringLength The largest string accepted by the serializer. Set by define OPCUA_ENCODER_MAXSTRINGLENGTH
MaxByteStringLength The largest byte string accepted by the serializer. Set by define OPCUA_ENCODER_MAXBYTESTRINGLENGTH
MaxArrayLength Maximum number of elements in an array accepted by the serializer. Set by define OPCUA_ENCODER_MAXARRAYLENGTH
MaxMessageSize The maximum number of bytes per message in total. Set by define OPCUA_ENCODER_MAXMESSAGELENGTH

Stack Thread Pool Settings

The parameter set StackThreadPoolSettings stores the settings for the thread pool used in the OPC UA Stack. The following parameters can be set:

StackThreadPoolSettings/Enabled=false
StackThreadPoolSettings/MaxJobs=20
StackThreadPoolSettings/Timeout=0
StackThreadPoolSettings/BlockOnAdd=true
StackThreadPoolSettings/MinThreads=5
StackThreadPoolSettings/MaxThreads=10
Parameter Description Default
Enabled Controls whether the secure listener uses a thread pool to dispatch received requests. false
MaxJobs The length of the queue with jobs waiting for a free thread. 20
Timeout If the add operation blocks on a full job queue, this value sets the maximum waiting time (in milliseconds). 0 is infinite. infinite
BlockOnAdd If MaxJobs is reached, the add operation can block or return an error. true
MaxThreads The maximum number of threads in the thread pool. 5
MinThreads The minimum number of threads in the thread pool. 5

PubSub Module Configuration

The configuration for the PubSub module is stored in the parameter set PubSubSettings containing the following parameters:

Parameter Description Default
EnablePubSub Enable or disable the PubSub functionality. false
PubSubConfigFileBin PubSub configuration file name and location
PubSubSecurityKeyFile PubSub security key file name and location
SecurityKeyServerActive Flag to turn on the PubSub Security Key Server functionality false
SecurityKeyPullActive Flag to turn on the PubSub Security Key Pull functionality. The client SDK library must be available in the PubSub application. false
SecurityKeyPushActive Flag to turn on the PubSub Security Key Push functionality false
LegacyPubSubConfigActive Flag to turn on the legacy PubSub configuration file object false
DefaultDatagramPublisherId Default PublisherId for Datagram transport protocols. Must be set initially by the application; otherwise it is generated by the SDK. 0
MaxPubSubConfigSize Maximum size of PubSub configuration binary file 16.777.216
MaxPubSubConnections Maximum number of PubSubConnections 8
MaxWriterGroups Maximum number of WriterGroups 8
MaxReaderGroups Maximum number of ReaderGroups 8
MaxDataSetWriters Maximum number of DataSetWriters 32
MaxDataSetReaders Maximum number of DataSetReaders 32
MaxPublishedDataSets Maximum number of PublishedDataSets 32
MaxSubscribedDataSets Maximum number of SubscribedDataSets 32
MaxSecurityGroups Maximum number of SecurityGroups 32
MaxNetworkMessageSizeDatagram Maximum size of datagram network messages. 1400

Discovery Registration

The configuration for the registration with discovery server(s) is stored in the parameter set DiscoveryRegistration containing the following parameters:

DiscoveryRegistration/AutomaticCertificateExchange=false
DiscoveryRegistration/DiscoveryServerStoreName=UA Applications
DiscoveryRegistration/DiscoveryServerCertificateName=UA Local Discovery Server
DiscoveryRegistration/RegistrationInterval=30000
DiscoveryRegistration/Url_1=opc.tcp://localhost:4840

Parameter Description Default
AutomaticCertificateExchange Flag indicating if the certificates should be exchanged with the Windows certificate store. false
DiscoveryServerTrustListLocation Path of the local discovery server trust list. This is where the server copies its certificate to if the file based store of the new LDS is used.
DiscoveryServerStoreName Store name used for the local discovery server in the Windows certificate store.
DiscoveryServerCertificateName Certificate name of the local discovery server in the Windows certificate store.
RegistrationInterval Interval (in milliseconds) for registration with discovery server(s) 30000
Url List of discovery servers to register with, typically opc.tcp://localhost:4840 (local discovery server); if the list is empty, no registration is executed. To add additional remote discovery servers, add each in a separate line, consecutively numbered (DiscoveryRegistration/Url_[n]=[Server Url]).

Redundancy Support and Additional Server Entries

RedundancySettings/RedundancySupport=Hot
RedundancySettings/ServerUri_1=urn:MyServer:UnifiedAutomation:RedundancySample
RedundancySettings/ServerUri_2=urn:PC1:UnifiedAutomation:RedundancySample
RedundancySettings/ServerUri_3=urn:PC2:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_1/ApplicationUri=urn:PC1:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_1/ProductUri=urn:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_1/ApplicationName=RedundancySample@PC1
AdditionalServerEntries/ApplicationDescription_1/ApplicationType=Server
AdditionalServerEntries/ApplicationDescription_1/GatewayServerUri=
AdditionalServerEntries/ApplicationDescription_1/DiscoveryProfileUri=
AdditionalServerEntries/ApplicationDescription_1/DiscoveryUrl_1=opc.tcp://PC1:48010
AdditionalServerEntries/ApplicationDescription_1/DiscoveryUrl_2=https://PC1:48011
AdditionalServerEntries/ApplicationDescription_2/ApplicationUri=urn:PC2:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_2/ProductUri=urn:UnifiedAutomation:RedundancySample
AdditionalServerEntries/ApplicationDescription_2/ApplicationName=RedundancySample@PC2
AdditionalServerEntries/ApplicationDescription_2/ApplicationType=Server
AdditionalServerEntries/ApplicationDescription_2/GatewayServerUri=
AdditionalServerEntries/ApplicationDescription_2/DiscoveryProfileUri=
AdditionalServerEntries/ApplicationDescription_2/DiscoveryUrl_1=opc.tcp://PC2:48010
AdditionalServerEntries/ApplicationDescription_2/DiscoveryUrl_2=https://PC2:48011

See Redundancy for more information about server redundancy.

Redundancy Settings

This parameter set provides the redundancy settings for the server.

Parameter Description Default
RedundancySupport Possible redundancy support options are None, Cold, Warm, Hot and Transparent (Transparent requires a special module). None
ServerUri The list of server URIs for the servers in the NonTransparent redundant set. Add a separate line in the form RedundancySettings/ServerUri_[n]=[ServerUri] for each server. The server itself has to be included in the list (see sample code).

Additional Server Entries

This is required for the redundancy configuration to provide the discovery URLs for the configured ServerUris of the redundant servers in a non-transparent redundancy set. It is possible to define a list of application descriptions numbered consecutively as shown in the code sample. [NodeName] can be used as a placeholder for the computer name. The server itself must be excluded from the list.

This can also be used to configure other servers on the same system if the server itself is running on Port 4840.

Parameter Description
ApplicationUri A globally unique identifier for the server product.
ProductUri A globally unique identifier for the product the server belongs to.
ApplicationName A human readable name for the server product.
ApplicationType Possible application types are Server and ClientAndServer.
GatewayServerUri A URI that identifies the Gateway Server associated with the DiscoveryUrl.
DiscoveryProfileUri A URI that identifies the discovery profile supported by the URL.
DiscoveryUrl URL for the discovery Endpoint provided by the server.

Endpoint Configuration

The following code gives an example for a parameter set resulting in a completely configured endpoint. Use consecutively numbered parameter sets UaEndpoint_[n] for additional Endpoints.

UaEndpoint_1/Url=opc.tcp://[NodeName]:48010
UaEndpoint_1/SerializerType=Binary
UaEndpoint_1/IsVisible=true
UaEndpoint_1/IsDiscoveryUrl=true
UaEndpoint_1/ReturnOnlyOnEndpointUrlMatch=false
UaEndpoint_1/AutomaticallyTrustAllClientCertificates=false
UaEndpoint_1/CreateSignatureWithChain=false
UaEndpoint_1/SecuritySetting_1/SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#None
UaEndpoint_1/SecuritySetting_1/MessageSecurityMode=None
UaEndpoint_1/SecuritySetting_2/SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
UaEndpoint_1/SecuritySetting_2/MessageSecurityMode_1=Sign
UaEndpoint_1/SecuritySetting_2/MessageSecurityMode_2=SignAndEncrypt
UaEndpoint_1/SecuritySetting_3/SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep
UaEndpoint_1/SecuritySetting_3/MessageSecurityMode_1=Sign
UaEndpoint_1/SecuritySetting_3/MessageSecurityMode_2=SignAndEncrypt
UaEndpoint_1/SecuritySetting_4/SecurityPolicy=http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss
UaEndpoint_1/SecuritySetting_4/MessageSecurityMode_1=Sign
UaEndpoint_1/SecuritySetting_4/MessageSecurityMode_2=SignAndEncrypt
UaEndpoint_1/SecurityCheckOverwrites/DisableErrorCertificateTimeInvalid=false
UaEndpoint_1/SecurityCheckOverwrites/DisableErrorCertificateIssuerTimeInvalid=false
UaEndpoint_1/SecurityCheckOverwrites/DisableErrorCertificateRevocationUnknown=false
UaEndpoint_1/SecurityCheckOverwrites/DisableErrorCertificateIssuerRevocationUnknown=false
UaEndpoint_1/SecurityCheckOverwrites/DisableErrorCertificateKeyTooShort=false
UaEndpoint_1/SecurityCheckOverwrites/DisableErrorCertificateKeyTooLong=false
UaEndpoint_1/SecurityCheckOverwrites/DisableApplicationUriCheck=false
UaEndpoint_1/SecurityCheckOverwrites/DisableNonceLengthCheck=false
UaEndpoint_1/SecurityCheckOverwrites/DisableUserTokenPolicyIdCheck=false
UaEndpoint_1/SecurityCheckOverwrites/DisableCertificateSignatureAlgorithmCheck=false
UaEndpoint_1/SecurityCheckOverwrites/DisableCertificateUsageCheck=false
UaEndpoint_1/CertificateStore/OpenSSLStore/CertificateTrustListLocation=[ConfigPath]/pki/trusted/certs/
UaEndpoint_1/CertificateStore/OpenSSLStore/CertificateRevocationListLocation=[ConfigPath]/pki/trusted/crl/
UaEndpoint_1/CertificateStore/OpenSSLStore/IssuersCertificatesLocation=[ConfigPath]/pki/issuers/certs/
UaEndpoint_1/CertificateStore/OpenSSLStore/IssuersRevocationListLocation=[ConfigPath]/pki/issuers/crl/
UaEndpoint_1/CertificateStore/OpenSSLStore/ServerCertificate=[ConfigPath]/pki/own/certs/uaservercpp.der
UaEndpoint_1/CertificateStore/OpenSSLStore/ServerPrivateKey=[ConfigPath]/pki/own/private/uaservercpp.pem
UaEndpoint_1/CertificateStore/GenerateCertificate=true
UaEndpoint_1/CertificateStore/CertificateSettings/Country=DE
UaEndpoint_1/CertificateStore/CertificateSettings/Locality=LocationName
UaEndpoint_1/CertificateStore/CertificateSettings/CommonName=[ServerName]
UaEndpoint_1/CertificateStore/CertificateSettings/Organization=Organization
UaEndpoint_1/CertificateStore/CertificateSettings/OrganizationUnit=Unit
UaEndpoint_1/CertificateStore/CertificateSettings/YearsValidFor=5
UaEndpoint_1/CertificateStore/CertificateSettings/KeyLength=2048
UaEndpoint_1/CertificateStore/CertificateSettings/CertificateType=RsaSha256
UaEndpoint_1/ReverseConnect_1=opc.tcp://localhost:48061
UaEndpoint_1/ReverseConnect_2=opc.tcp://localhost:48062
UaEndpoint_1/AlternativeEnpointUrl_1=opc.tcp://PC1:48011/Server1
UaEndpoint_1/AlternativeEnpointUrl_2=opc.tcp://PC2:48011/Server1

The following table gives an overview of the configurable parameters for each Endpoint.

Parameter Description Default
Url URL of the Endpoint; this URL is used for Discovery and to open the Endpoints in the UA stack if no StackUrl is configured. [NodeName] can be used as placeholder for the computer name.
SerializerType The data type encoding for network transport; currently, only Binary is supported
StackUrl Optional URL that defines a specific address the stack should bind to, e.g. opc.tcp://192.168.0.15:48011. It can be used to bind the endpoint to a specific network card or to localhost only.
IsVisible Flag indicating if the endpoint is provided in GetEndpoints and is therefore visible to a client. true
IsDiscoveryUrl Flag indicating if the endpoint URL is provided as discovery URL. true
ReturnOnlyOnEndpointUrlMatch If this flag is set to true, the endpoint is only included in FindServers and GetEndpoints responses if the client is using the EndpointUrl of this endpoint for the request. false
AutomaticallyTrustAllClientCertificates This option can be activated if certificates are only used for message security but not for application authentication. If set to true, all client certificates will be accepted automatically and will not be stored. It is strongly recommended to use this option only together with user authentication. false
CreateSignatureWithChain For calculating the server signature, the server needs to append the client certificate to the client nonce. If the client sends a certificate chain, the server should only use the leaf certificate to calculate the server signature. With this setting, the server uses the complete certificate chain instead. This is not the recommended behavior. Only set this flag to work around interoperability issues with misbehaving clients. false
SecuritySetting Each supported security setting has to be stored in a separate parameter set UaEndpoint_[m]/SecuritySetting_[n]/[parameter]=[value], numbered consecutively (see sample code). The following parameters can be specified:
Parameter Description
SecurityPolicy Possible values are #None, #Basic256Sha256, #Aes128_Sha256_RsaOaep, and #Aes256_Sha256_RsaPss (see sample code above). The possible values #Basic128Rsa15 and #Basic256 are no longer considered as secure. An administrator should be involved to enable them for backward compatibility.
MessageSecurityMode The possible values depend on the security policy. Set value to None with security policy #None. When using security policies other than #None, you can choose between Sign and SignAndEncrypt. If you would like to allow Sign as well as SignAndEncrypt, add a separate line and number the message security modes consecutively.
SecurityCheckOverwrites Some of the OPC UA security checks are optional in OPC UA or cause interoperability issues with older OPC UA clients and can be disabled by an administrator of the OPC UA server using the following configuration options. Add a separate line UaEndpoint_[m]/SecurityCheckOverwrites/[parameter]=[value] for each parameter (see sample code).
Parameter Description Default
DisableErrorCertificateTimeInvalid Flag used to disable the client certificate validation error BadCertificateTimeInvalid. false
DisableErrorCertificateIssuerTimeInvalid Flag used to disable the client certificate validation error BadCertificateIssuerTimeInvalid. false
DisableErrorCertificateRevocationUnknown Flag used to disable the client certificate validation error BadCertificateRevocationUnknown. false
DisableErrorCertificateIssuerRevocationUnknown Flag used to disable the client certificate validation error BadCertificateIssuerRevocationUnknown. false
DisableErrorCertificateKeyTooShort Flag used to disable the client certificate validation error BadCryptoKeyTooShort. This is a security relevant check and should never be disabled except for a temporary workaround if absolutely necessary. false
DisableErrorCertificateKeyTooLong Flag used to disable the client certificate validation error BadCryptoKeyTooLong. A key longer than defined by the security policy is not a security problem but against the standard. false
DisableApplicationUriCheck Flag used to disable the ApplicationUri match check between client certificate and parameter in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a wrong ApplicationUri. false
DisableNonceLengthCheck Flag used to disable the client nonce length check in CreateSession. The check is required for compliant OPC UA servers but older clients may provide a client nonce that is shorter than the required 32 bytes. false
DisableUserTokenPolicyIdCheck Flag used to disable the UserToken PolicyId check in ActivateSession. The check is required for compliant OPC UA servers but older clients may not provide the UserToken PolicyId. false
DisableCertificateSignatureAlgorithmCheck Flag used to disable the client certificate validation error BadSignatureAlgorithmNotAllowed. This is a security relevant check and should never be disabled except for a temporary workaround if absolutely necessary. false
DisableCertificateUsageCheck Flag used to disable the client certificate validation error BadCertificateUseNotAllowed. These checks include checking for the SubjectAlternativeName, the KeyUsage and ExtendedKeyUsage of the certificate. These are security relevant checks and should not be disabled except for a temporary workaround if absolutely necessary. false
CertificateStore Certificate store used for PKI certificate handling; different Endpoints can have different stores and different server certificates. This setting is only required if the defaults specified in Default Application Certificate Store should be overwritten. It uses the same parameter set as DefaultApplicationCertificateStore.
ReverseConnect The OPC UA Reverse Connect functionality can be configured as part of the Endpoint configuration. The clients are configured with a list of URLs in the INI file element ReverseConnect as shown in the sample code. Add a separate line UaEndpoint_[m]/ReverseConnect_[n]=[URL] for each reverse connect URL.
AlternativeEnpointUrl OPC UA clients may connect to a server through a proxy, NAT or port multiplexer. In this case the endpoint URL the client uses to connect may differ from the directly accessible endpoint URL that the server configures through the 'Url' parameter of the endpoint configuration. OPC UA handles such scenarios by passing the Endpoint URL used by the client into the services GetEndpoints and CreateSession, which return the list of endpoints provided by the server. A server can detect that an alternative URL is in use and return the matching URL to the client in the responses to GetEndpoints and CreateSession. The allowed alternative URLs must be configured in the endpoint with the option shown in the sample code.
If an alternative URL contains a host name or IP address that differs from the host name or IP address of the default URL, that host name or IP address must also be added to the corresponding list in the server certificate; clients that check the host name against the certificate will otherwise reject it. The related certificate creation settings (IPAddress or DNSName) are described in Default Application Certificate Store. Add a separate line UaEndpoint_[m]/AlternativeEnpointUrl_[n]=[URL] for each alternative Endpoint URL.

User and Password File

Passwords are not stored in the file in readable form but as salted hashes. A single SHA-256 or SHA-512 digest is cheap to compute, however, so an attacker who obtains the file can test candidate passwords at a very high rate (brute-force or dictionary attack) to recover them. The password file should therefore be readable only by the server process and by no other user.

The users and passwords are stored in the form <user>:<hash_type>:<salt>:<hash>

joe:sha256:c8tp9lVEseINSl14:69BB84F1D0058C39B084A44BB0251E330AAC58160D6574A975D85EA17D74B9ED
sam:sha256:Z4if1eC94cj9i01G:ED0181B1B578227B911C189369435E57F1A7F9DE71CFF0C222B43E8036A38826
sue:sha256:gILIEAyomshQ1cYj:2A80F09B8B6E75E9831EFEB61FCB818269756374A37CC1F8CEA41201180E9EC7
john:sha256:7QSPNYR0CQOGyFDS:FCAD970ABC35CAD82F275979674D1FCF38C5AC5F683328A8D060FDFB4376B7CF
root:sha512:4vrJhT88K3vVESt9:682862B1B61A66CFC415595C1C5A41F38BE23D5219268704152C1F157CFAF1EDBDA98DFAE0702CE1BCDF95CD8F0BB8617C35257BEE571D8CBBCC27C75268A6FB
ruth:sha256:3GnFp4lIsQtrmN4O:2E7B2F426D4C48A1161325655AB15CCA80D95762F23E6DC8417D86CD20DC5C59

Each line in the password file represents one user. Lines starting with # are treated as comments; empty lines are ignored as well.

A line is a colon-separated list of elements. The first element is the username.

This is followed by an entry indicating the hashing algorithm used to protect the stored password. The values currently possible are sha256, sha512 and cleartext. In the case of cleartext the third element is the password in clear text.

When the password file is loaded, the cleartext entries are hashed with the strongest algorithm available and then written back.

In the hashed entries, the third element is the salt used to create the hash. It is encoded as alphanumeric characters, each character representing one byte of the actual salt.

The fourth element is the actual hash, encoded as hexadecimal digits. The hash is created from the concatenation of salt + username + password. It is possible to implement a custom storage format by implementing the methods loadPasswords() and writePasswords() defined by the UaPasswordManager* interface.
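
The following script is an added example, not part of the SDK or of this documentation. It reads the file format described above, verifies a password against a stored entry, and performs the same upgrade the SDK does on load (cleartext entries are rehashed with the strongest algorithm and a fresh salt). Assumptions not stated on the page: the three concatenated parts are hashed as UTF-8 bytes, sha512 is taken as the "strongest algorithm available", and the 16-character alphanumeric salt length is copied from the sample file. The sample file content is constructed here.

```python
import hashlib
import secrets
import string

ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}
STRONGEST = "sha512"                   # assumed: the "strongest algorithm available"
SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LEN = 16                          # the salts in the sample file are 16 characters


def compute_hash(hash_type, salt, user, password):
    """Upper-case hex digest of salt + username + password, as described above.
    Assumed: all three parts are taken as UTF-8 bytes, one byte per salt character."""
    return ALGORITHMS[hash_type]((salt + user + password).encode("utf-8")).hexdigest().upper()


def parse_line(line):
    """(user, hash_type, salt, hash_or_password) or None for comment/empty lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    user, _, rest = line.partition(":")
    hash_type, _, rest = rest.partition(":")
    if hash_type == "cleartext" and user:
        return user, "cleartext", None, rest          # the password may itself contain ':'
    if hash_type in ALGORITHMS and user:
        salt, sep, digest = rest.partition(":")
        if sep and salt and digest:
            return user, hash_type, salt, digest.upper()
    raise ValueError("malformed password line: %r" % line)


def load(text):
    """{user: (hash_type, salt, hash_or_password)} for every non-comment line."""
    entries = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            entries[rec[0]] = rec[1:]
    return entries


def verify(entries, user, password):
    """Check a password; comparisons are constant-time so no prefix information leaks."""
    if user not in entries:
        return False
    hash_type, salt, stored = entries[user]
    if hash_type == "cleartext":
        return secrets.compare_digest(stored.encode(), password.encode())
    candidate = compute_hash(hash_type, salt, user, password)
    return secrets.compare_digest(candidate.encode(), stored.encode())


def upgrade_cleartext(entries):
    """What the SDK does on load: hash cleartext entries with the strongest algorithm
    and a fresh random salt so the file can be written back without cleartext."""
    for user, (hash_type, _, value) in list(entries.items()):
        if hash_type == "cleartext":
            salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))
            entries[user] = (STRONGEST, salt, compute_hash(STRONGEST, salt, user, value))
    return entries


def dump(entries):
    """Serialise back to the <user>:<hash_type>:<salt>:<hash> format."""
    lines = ["#user:hash_type:salt:hash"]
    for user, (hash_type, salt, value) in entries.items():
        parts = [user, hash_type, value] if salt is None else [user, hash_type, salt, value]
        lines.append(":".join(parts))
    return "\n".join(lines) + "\n"


# Constructed sample file: one entry hashed by compute_hash() from a known password
# and one cleartext entry, as the file might look before the first server start.
SAMPLE_SALT = "c8tp9lVEseINSl14"
SAMPLE_FILE = "\n".join([
    "# demo users",
    "alice:sha256:%s:%s" % (SAMPLE_SALT, compute_hash("sha256", SAMPLE_SALT, "alice", "correct horse")),
    "carol:cleartext:letmein",
])


def demo():
    """Load, upgrade the cleartext entry, verify, and round-trip through dump()."""
    entries = upgrade_cleartext(load(SAMPLE_FILE))
    return {"alice_ok": verify(entries, "alice", "correct horse"),
            "alice_wrong": verify(entries, "alice", "Correct Horse"),
            "carol_hash_type": entries["carol"][0],
            "carol_ok": verify(entries, "carol", "letmein"),
            "roundtrip": load(dump(entries)) == entries}
```

Because the digest is a single hash pass, the script also makes clear how quickly an offline attacker can test candidates; on a deployed server the file permissions (for example chmod 600, owned by the server's service account) and strong passwords are the only protection.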

Role Configuration XML

The following XML document contains some standard roles and one custom role as an example.

<?xml version="1.0"?>
<RoleConfigurations xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://unifiedautomation.com/schemas/RoleConfigurations.xsd" EnableOnlineConfiguration="true" MaxRoles="100" MaxIdentitiesPerRole="1000" MaxApplicationsPerRole="100" MaxEndpointsPerRole="100">
<NamespaceTable>
<Uri>http://opcfoundation.org/UA/</Uri>
<Uri>&lt;server&gt;</Uri>
</NamespaceTable>
<Roles>
<Role Name="Anonymous" NodeId="i=15644" EndpointsMode="Ignore" ApplicationsMode="Ignore">
<Endpoints/>
<Applications/>
<Identities>
<Identity CriteriaType="Anonymous"/>
<Identity CriteriaType="AuthenticatedUser"/>
</Identities>
</Role>
<Role Name="AuthenticatedUser" NodeId="i=15656" EndpointsMode="Ignore" ApplicationsMode="Ignore">
<Endpoints/>
<Applications/>
<Identities>
<Identity CriteriaType="AuthenticatedUser"/>
</Identities>
</Role>
<Role Name="Operator" NodeId="i=15680" EndpointsMode="Ignore" ApplicationsMode="Ignore">
<Endpoints/>
<Applications/>
<Identities>
<Identity CriteriaType="UserName">john</Identity>
<Identity CriteriaType="UserName">sue</Identity>
<Identity CriteriaType="UserName">Test</Identity>
</Identities>
</Role>
<Role Name="SecurityAdmin" NodeId="i=15704" EndpointsMode="Ignore" ApplicationsMode="Ignore">
<Endpoints/>
<Applications/>
<Identities>
<Identity CriteriaType="UserName">root</Identity>
<Identity CriteriaType="Application">urn:mytest:uagds:unifiedautomation</Identity>
</Identities>
</Role>
<Role Name="MyDemoRole1" NodeId="ns=1;s=MyDemoRole1" EndpointsMode="Ignore" ApplicationsMode="Ignore">
<Endpoints/>
<Applications/>
<Identities>
<Identity CriteriaType="UserName">joe</Identity>
<Identity CriteriaType="UserName">sue</Identity>
</Identities>
</Role>
</Roles>
</RoleConfigurations>

RoleConfigurations RootNode

The following XML attributes are used in the Root node

Attribute Description Default
EnableOnlineConfiguration Enable/Disable configuring the Roles with OPC UA Methods in the server. true
MaxRoles The maximum number of roles. A value of 0 indicates no limitation. 100
MaxIdentitiesPerRole The maximum number of identities per role. A value of 0 indicates no limitation. 1000
MaxApplicationsPerRole The maximum number of applications to include or exclude per role. A value of 0 indicates no limitation. 100
MaxEndpointsPerRole The maximum number of endpoints per role. A value of 0 indicates no limitation. 100

Note that the XML schema below declares default="false" for EnableOnlineConfiguration, so set the attribute explicitly rather than relying on a default. With online configuration enabled, role membership can be changed at runtime through OPC UA Methods; keep it disabled on production servers unless it is required, and since the Max* limits are only evaluated for online additions, set them to what the installation actually needs.

NamespaceTable Element

The Role elements below use NodeIds. To load these independently of the namespace indices of a running server, a mapping from the namespace indices used in this file to the respective namespace URIs is required. An entry in the namespace table is needed for each namespace used by the NodeIds below.

Element Description
Uri The URI of the namespace, e.g. http://opcfoundation.org/UA/ for namespace 0. The special name <server> maps an index to the server namespace (which always has index 1 in the running server). The position of the Uri entry in the table, counted from 0, is the namespace index used by the NodeIds in this file to refer to the respective namespace.

Role Element

The Roles XML element contains a list of Role XML elements, one for each configured Role in the OPC UA Server.

The following XML attributes are used in the Role element:

Name
Name of the Role
NodeId
NodeId of the Role object in the server address space
EndpointsMode
The modes for handling the endpoints filter. Possible values are Ignore, Include and Exclude.
ApplicationsMode
The modes for handling the applications filter. Possible values are Ignore, Include and Exclude.
DisableOnlineConfiguration
Enable/Disable configuring the specific role with OPC UA Methods in the server. Optional, default is false.

The following XML elements are used inside Role.

Element Description
Identities List of identity mappings.
Identity The value is used to compare the criteria. The possible CriteriaType attribute values are UserName, Application, Thumbprint, Role, GroupId, Anonymous, AuthenticatedUser and X509Subject. See description of identity mapping types.
Endpoints List of endpoints to include or exclude.
Applications List of applications to include or exclude.
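
The following script is an added example written for this page; it is not SDK code and the SDK's actual role mapping is not visible here. It loads a role configuration in the XML format above and evaluates which roles a session receives, applying the Identities, EndpointsMode and ApplicationsMode rules as the tables describe them, and resolves a role NodeId through the NamespaceTable. Assumptions: the Session fields are a model of what the server knows when it maps a session (an anonymous token is modelled as user None); only the four CriteriaTypes used in the example configuration are implemented; the [hostname] placeholder mentioned in the INI section is accepted in endpoint URLs; the input configuration is the page's example with one added role, SecureOnly, that uses EndpointsMode="Include".

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "{http://unifiedautomation.com/schemas/RoleConfigurations.xsd}"

# Constructed input: the roles of the page's example (modes left at their defaults)
# plus one added role, SecureOnly, that uses EndpointsMode="Include".
ROLE_XML = """<RoleConfigurations xmlns="http://unifiedautomation.com/schemas/RoleConfigurations.xsd">
 <NamespaceTable><Uri>http://opcfoundation.org/UA/</Uri><Uri>&lt;server&gt;</Uri></NamespaceTable>
 <Roles>
  <Role Name="Anonymous" NodeId="i=15644"><Endpoints/><Applications/><Identities>
   <Identity CriteriaType="Anonymous"/><Identity CriteriaType="AuthenticatedUser"/></Identities></Role>
  <Role Name="AuthenticatedUser" NodeId="i=15656"><Identities>
   <Identity CriteriaType="AuthenticatedUser"/></Identities></Role>
  <Role Name="Operator" NodeId="i=15680"><Identities>
   <Identity CriteriaType="UserName">john</Identity><Identity CriteriaType="UserName">sue</Identity></Identities></Role>
  <Role Name="SecurityAdmin" NodeId="i=15704"><Identities><Identity CriteriaType="UserName">root</Identity>
   <Identity CriteriaType="Application">urn:mytest:uagds:unifiedautomation</Identity></Identities></Role>
  <Role Name="SecureOnly" NodeId="ns=1;s=SecureOnly" EndpointsMode="Include">
   <Endpoints><Endpoint SecurityMode="SignAndEncrypt">opc.tcp://[hostname]:48010</Endpoint></Endpoints>
   <Identities><Identity CriteriaType="AuthenticatedUser"/></Identities></Role>
 </Roles>
</RoleConfigurations>"""


@dataclass
class Session:                        # assumed model of what the server knows about a session
    user: str = None                  # None models an Anonymous UserIdentityToken
    application_uri: str = None       # ApplicationUri of the client certificate
    endpoint_url: str = ""
    security_mode: str = "None"       # "None", "Sign" or "SignAndEncrypt"
    security_policy_uri: str = None
    transport_profile_uri: str = None


def identity_matches(crit, value, s):
    """The four CriteriaTypes used in the sample; Thumbprint, X509Subject, Role and
    GroupId would need certificate or access-token data this example does not model."""
    if crit == "Anonymous":
        return s.user is None
    if crit == "AuthenticatedUser":
        return s.user is not None
    if crit == "UserName":
        return s.user is not None and s.user == value
    if crit == "Application":         # application identity combined with an Anonymous token
        return s.user is None and s.application_uri == value
    raise ValueError("CriteriaType %r not modelled here" % crit)


def endpoint_matches(ep, s):
    """URL and every attribute that is set must agree; [hostname] acts as a wildcard."""
    pattern = re.escape((ep.text or "").strip()).replace(re.escape("[hostname]"), r"[^/:]+")
    if not re.fullmatch(pattern, s.endpoint_url):
        return False
    checks = ((ep.get("SecurityMode", "Invalid"), "Invalid", s.security_mode),
              (ep.get("SecurityPolicyUri"), None, s.security_policy_uri),
              (ep.get("TransportProfileUri"), None, s.transport_profile_uri))
    return all(want == skip or want == have for want, skip, have in checks)


def filter_passes(mode, any_match):
    """Include: a list entry must match; Exclude: none may match; Ignore: no filtering."""
    return {"Ignore": True, "Include": any_match, "Exclude": not any_match}[mode]


def role_granted(role, s):
    eps = role.find(NS + "Endpoints")
    ep_hit = eps is not None and any(endpoint_matches(e, s) for e in eps)
    if not filter_passes(role.get("EndpointsMode", "Ignore"), ep_hit):
        return False
    apps = role.find(NS + "Applications")
    app_hit = apps is not None and any((a.text or "").strip() == s.application_uri for a in apps)
    if not filter_passes(role.get("ApplicationsMode", "Ignore"), app_hit):
        return False
    ids = role.find(NS + "Identities")
    if ids is None:                   # schema: without an Identities element every identity passes
        return True
    return any(identity_matches(i.get("CriteriaType"), (i.text or "").strip(), s) for i in ids)


def load_config(xml_text):
    """Return (namespace table from the file, list of Role elements)."""
    root = ET.fromstring(xml_text)
    return [u.text for u in root.find(NS + "NamespaceTable")], list(root.iter(NS + "Role"))


def roles_for(roles, s):
    return sorted(r.get("Name") for r in roles if role_granted(r, s))


def resolve_nodeid(nodeid, file_ns_table, runtime_ns_table):
    """Map the 'ns=N;' prefix of a NodeId via the file's table to the running server's
    index; '<server>' is the server namespace, which is always index 1 at runtime."""
    m = re.match(r"ns=(\d+);(.*)$", nodeid)
    idx, ident = (int(m.group(1)), m.group(2)) if m else (0, nodeid)
    uri = file_ns_table[idx]
    return (1 if uri == "<server>" else runtime_ns_table.index(uri)), ident
```

Two things the evaluation makes visible: the sample's Anonymous role lists both Anonymous and AuthenticatedUser identities, so every session receives it, and an Application identity only matches a session that uses an anonymous token, so a user logging in with a name from the GDS application in the example does not become SecurityAdmin through that rule. The IgnorePermissions attribute from the schema is not modelled because it bypasses node permission checks entirely and, as the schema comment says, belongs in debugging setups only.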

The XML schema for the role config XML file:

<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="RoleConfigurations"
targetNamespace="http://unifiedautomation.com/schemas/RoleConfigurations.xsd"
elementFormDefault="qualified"
xmlns="http://unifiedautomation.com/schemas/RoleConfigurations.xsd"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<xs:complexType name="RoleConfigurations">
<xs:sequence>
<!-- The NamespaceUris used in the RoleConfiguration. The NamespaceIndex of a NodeId of a Role refers to this NamespaceTable. -->
<xs:element name="NamespaceTable" type="NamespaceTable" />
<xs:element name="Roles" type="ListOfRoles" />
</xs:sequence>
<!-- If 'true', configuring the Roles with OPC UA Methods gets enabled in the server. -->
<xs:attribute name="EnableOnlineConfiguration" type="xs:boolean" default="false" />
<!-- The maximum number of roles. Is only evaluated when adding a role online. If 0 is specified, then there is no limitation. -->
<xs:attribute name="MaxRoles" type="xs:unsignedInt" default="100" />
<!-- The maximum number of identities per role. Is only evaluated when adding an identity online. If 0 is specified, then there is no limitation. -->
<xs:attribute name="MaxIdentitiesPerRole" type="xs:unsignedInt" default="1000" />
<!-- The maximum number of application to include or exclude per role. Is only evaluated when adding an application online. If 0 is specified, then there is no limitation. -->
<xs:attribute name="MaxApplicationsPerRole" type="xs:unsignedInt" default="100" />
<!-- The maximum number of endpoints per role. Is only evaluated when adding an endpoint online. If 0 is specified, then there is no limitation. -->
<xs:attribute name="MaxEndpointsPerRole" type="xs:unsignedInt" default="100" />
</xs:complexType>
<xs:element name="RoleConfigurations" type="RoleConfigurations" />
<xs:complexType name="NamespaceTable">
<xs:sequence>
<xs:element name="Uri" type="xs:string" minOccurs="1" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="ListOfRoles">
<xs:sequence>
<xs:element name="Role" type="RoleType" minOccurs="1" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="ListOfApplications">
<xs:sequence>
<xs:element name="ApplicationUri" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="RoleType">
<xs:sequence>
<!-- The Endpoints to include or exclude. -->
<xs:element name="Endpoints" type="ListOfEndpoints" minOccurs="0" />
<!-- The Applications to include or exclude -->
<xs:element name="Applications" type="ListOfApplications" minOccurs="0" />
<!-- The Identities to include. If not set, all identities can be included, dependent on the Endpoints and Applications. If empty, the Role will be granted no user. -->
<xs:element name="Identities" type="ListOfIdentities" minOccurs="0" />
</xs:sequence>
<!-- The name of the Role -->
<xs:attribute name="Name" type="xs:string" use="required" />
<!-- The NodeId of the Role node -->
<xs:attribute name="NodeId" type="NodeId" use="required" />
<!-- If true, node permission checks are skipped for users possessing this role. Should only be enabled for debugging and is not recommended for production use. -->
<xs:attribute name="IgnorePermissions" type="xs:boolean" default="false" />
<!-- Sets the Value of the CustomConfiguration property -->
<xs:attribute name="CustomConfiguration" type="xs:boolean" default="false" />
<!-- Specifies if Endpoints are included, excluded or ignored. Ignore will set the Value of EndpointsExclude property to 'true'. -->
<xs:attribute name="EndpointsMode" type="Mode" default="Ignore" />
<!-- Specifies if Applications are included, excluded or ignored. Ignore will set the Value of ApplicationsExclude property to 'true'. -->
<xs:attribute name="ApplicationsMode" type="Mode" default="Ignore" />
<!-- Specifies if this role can be configured online. Is only evaluated if RoleConfigurations.EnableOnlineConfiguration is 'true'. -->
<xs:attribute name="DisableOnlineConfiguration" type="xs:boolean" default="false" />
</xs:complexType>
<!-- The NodeId in the XML representation defined in part 6 of the OPC UA specification. -->
<xs:simpleType name="NodeId">
<xs:restriction base="xs:string" />
</xs:simpleType>
<xs:simpleType name="Mode">
<xs:restriction base="xs:string">
<xs:enumeration value="Ignore" />
<xs:enumeration value="Exclude" />
<xs:enumeration value="Include" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="ListOfEndpoints">
<xs:sequence>
<xs:element name="Endpoint" type="EndpointType" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="EndpointType">
<xs:simpleContent>
<xs:extension base="xs:string">
<!-- The security mode to match. If Invalid, this check will be skipped. -->
<xs:attribute name="SecurityMode" type="SecurityMode" default="Invalid" />
<!-- The security policy uri to match. If not set, this check will be skipped. -->
<xs:attribute name="SecurityPolicyUri" type="xs:string" use="optional" />
<!-- The transport profile uri to match. If not set, this check will be skipped.
The only meaningful value is http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary. -->
<xs:attribute name="TransportProfileUri" type="xs:string" use="optional" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:simpleType name="SecurityMode">
<xs:restriction base="xs:string">
<xs:enumeration value="Invalid" />
<xs:enumeration value="None" />
<xs:enumeration value="Sign" />
<xs:enumeration value="SignAndEncrypt" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="ListOfIdentities">
<xs:sequence>
<xs:element name="Identity" type="IdentityType" minOccurs="1" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="IdentityType">
<xs:simpleContent>
<!-- Depending on the CriteriaType, the Value of this tag shall be empty or set. Anonymous and AuthenticatedUser shall not have a Value. Other CriteriaTypes require a Value. -->
<xs:extension base="xs:string">
<xs:attribute name="CriteriaType" type="CriteriaType" use="required" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:simpleType name="CriteriaType">
<xs:restriction base="xs:string">
<xs:enumeration value="UserName" /> <!-- The rule specifies a UserName from a UserNameIdentityToken. -->
<xs:enumeration value="Thumbprint" /> <!-- The rule specifies the Thumbprint of a user or CA Certificate. -->
<xs:enumeration value="Role" /> <!-- The rule is a Role specified in an Access Token. -->
<xs:enumeration value="GroupId" /> <!-- The rule is a user group specified in the Access Token. -->
<xs:enumeration value="Anonymous" /> <!-- The rule specifies Anonymous UserIdentityToken. -->
<xs:enumeration value="AuthenticatedUser" /> <!-- The rule specifies any non Anonymous UserIdentityToken. -->
<xs:enumeration value="Application" /> <!-- The rule specifies the combination of an application identity and an Anonymous UserIdentityToken. -->
<xs:enumeration value="X509Subject" /> <!-- The rule specifies the X509 subject name of a user or CA Certificate. -->
</xs:restriction>
</xs:simpleType>
</xs:schema>

Role Configuration INI

The following INI document contains some standard roles and one custom role as an example.

[nstable]
nstable/0/url=http://opcfoundation.org/UA/
nstable/1/url=<server>
nstable/size=2
[roles]
enable_online_configuration=true
max_roles=100
max_identities_per_role=1000
max_applications_per_role=100
max_endpoints_per_role=100
roles/0/name=Anonymous
roles/0/nodeid=i=15644
roles/0/endpoints_mode=IGNORE
roles/0/applications_mode=IGNORE
roles/0/identities/0/criteria_type=ANONYMOUS
roles/0/identities/1/criteria_type=AUTHENTICATEDUSER
roles/0/identities/size=2
roles/1/name=AuthenticatedUser
roles/1/nodeid=i=15656
roles/1/endpoints_mode=IGNORE
roles/1/applications_mode=IGNORE
roles/1/identities/0/criteria_type=AUTHENTICATEDUSER
roles/1/identities/size=1
roles/2/name=Operator
roles/2/nodeid=i=15680
roles/2/endpoints_mode=IGNORE
roles/2/applications_mode=IGNORE
roles/2/identities/0/criteria=john
roles/2/identities/0/criteria_type=USERNAME
roles/2/identities/1/criteria=sue
roles/2/identities/1/criteria_type=USERNAME
roles/2/identities/size=2
roles/3/name=MyDemoRole1
roles/3/nodeid=ns=1;s=MyDemoRole1
roles/3/endpoints_mode=IGNORE
roles/3/applications_mode=IGNORE
roles/3/identities/0/criteria=joe
roles/3/identities/0/criteria_type=USERNAME
roles/3/identities/1/criteria=sue
roles/3/identities/1/criteria_type=USERNAME
roles/3/identities/size=2
roles/size=4

Namespace Table Section [nstable]

The roles section below uses nodeids. To load these independently of the namespace indices of a running server, a mapping from the namespace indices used in this file to the respective namespace URIs (given in the url keys) is required. An entry in the namespace table is needed for each namespace used by the nodeids below.

Key Description
nstable/size Number of entries in the namespace table.
nstable/N/url The URI of the namespace, e.g. http://opcfoundation.org/UA/ for namespace 0. The special name <server> maps an index to the server namespace (which always has index 1 in the running server). The index N is used as namespace index for nodeids in this file to refer to the respective namespace.

Roles Section [roles]

Key Description Default
enable_online_configuration Enable/Disable configuring the Roles with OPC UA Methods in the server. true
max_roles The maximum number of roles. A value of 0 indicates no limitation. 100
max_identities_per_role The maximum number of identities per role. A value of 0 indicates no limitation. 1000
max_applications_per_role The maximum number of applications to include or exclude per role. A value of 0 indicates no limitation. 100
max_endpoints_per_role The maximum number of endpoints per role. A value of 0 indicates no limitation. 100

Each role to be configured needs an entry in the roles array. The most important fields are nodeid, name and the identities array; the other fields can be omitted for most use cases.

Key Description
roles/size Number of roles.
roles/N1/nodeid Unique identifier of the role, mandatory.
roles/N1/name Text part of the browsename of the role object, as namespace index the index of the nodeid is used. Mandatory if the role object is created by the SDK.
roles/N1/ignore_permissions If true, node permission checks are skipped for users possessing this role. Should only be enabled for debugging and is not recommended for production use. Optional, default is false.
roles/N1/custom_configuration The value of this field is shown in the CustomConfiguration property of the role object. Optional, default is false.
roles/N1/disable_online_configuration Enable/Disable configuring the specific role with OPC UA Methods in the server. Optional, default is false.
roles/N1/identities/size Number of identities (a.k.a. identity mapping rules) for this role. If no identities are given, the role cannot be assigned to any user.
roles/N1/identities/N2/criteria_type Criteria type of the identity, one of: ANONYMOUS, AUTHENTICATEDUSER, USERNAME, THUMBPRINT, ROLE, GROUPID, APPLICATION, X509SUBJECT. Mandatory. See description of identity mapping types.
roles/N1/identities/N2/criteria Criteria value of the identity; depends on the criteria_type, e.g. the user's name for USERNAME. Ignored for ANONYMOUS and AUTHENTICATEDUSER, otherwise mandatory.
roles/N1/applications_mode Determines the handling of the following applications array, one of: IGNORE, INCLUDE, EXCLUDE. Optional, default is IGNORE.
roles/N1/applications/size Number of applications, the behavior when this array is empty depends on the applications_mode.
roles/N1/applications/N3/uri ApplicationUri of the client to match.
roles/N1/endpoints_mode Determines the handling of the following endpoints array, one of: IGNORE, INCLUDE, EXCLUDE. Optional, default is IGNORE.
roles/N1/endpoints/size Number of endpoints, the behavior when this array is empty depends on the endpoints_mode.
roles/N1/endpoints/N4/endpoint_url The URL of the endpoint to match, may also include a hostname placeholder like opc.tcp://[hostname]:4840, mandatory.
roles/N1/endpoints/N4/security_mode The security mode to match or invalid, one of: INVALID, NONE, SIGN, SIGNANDENCRYPT. Optional, default is INVALID.
roles/N1/endpoints/N4/security_policy_uri The security policy uri to match or null, for example "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256". Optional, default is null.
roles/N1/endpoints/N4/transport_profile_uri The transport profile uri to match or null, the only meaningful value is http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary. Optional, default is null.
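
The following validator is an added example for the INI key table above; it is not the SDK's INI loader, and the SDK may apply additional or different checks. It applies the rules the table states: every array is bounded by its size key, nodeid and name are mandatory, identities of a type other than ANONYMOUS and AUTHENTICATEDUSER need a criteria value, mode and security_mode values must come from the listed sets, endpoint_url is mandatory, and the namespace index of every nodeid must have an [nstable] entry. Assumptions: the file is parsed with Python's configparser (keys case-preserved, no interpolation), and values are compared case-sensitively. The good input is a shortened copy of the page's example; the bad input is constructed.

```python
import configparser
import re

CRITERIA = {"ANONYMOUS", "AUTHENTICATEDUSER", "USERNAME", "THUMBPRINT",
            "ROLE", "GROUPID", "APPLICATION", "X509SUBJECT"}
NO_VALUE = {"ANONYMOUS", "AUTHENTICATEDUSER"}      # criteria is ignored for these
MODES = {"IGNORE", "INCLUDE", "EXCLUDE"}
SECURITY_MODES = {"INVALID", "NONE", "SIGN", "SIGNANDENCRYPT"}


def parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                    # keep keys exactly as written
    cp.read_string(text)
    return cp


def entries(section, prefix):
    """Key prefixes prefix/0/ .. prefix/(size-1)/ as announced by prefix/size."""
    return ["%s/%d/" % (prefix, i) for i in range(int(section.get(prefix + "/size", "0")))]


def validate(text):
    """Load the role INI and return (roles, problems); problems is empty for a valid file."""
    cp = parse_ini(text)
    problems = []
    ns = cp["nstable"] if cp.has_section("nstable") else {}
    ns_table = [ns.get(p + "url") for p in entries(ns, "nstable")]
    if not ns_table or None in ns_table:
        problems.append("[nstable]: nstable/size does not match the nstable/N/url entries")
    sec = cp["roles"] if cp.has_section("roles") else {}
    roles = []
    for rp in entries(sec, "roles"):
        role = {"nodeid": sec.get(rp + "nodeid"), "name": sec.get(rp + "name"),
                "identities": [], "endpoints": [], "applications": []}
        if not role["nodeid"] or not role["name"]:
            problems.append(rp + "nodeid and name are mandatory")
        else:
            m = re.match(r"ns=(\d+);", role["nodeid"])
            idx = int(m.group(1)) if m else 0         # no ns= prefix means namespace 0
            if idx >= len(ns_table):
                problems.append("%snodeid: namespace index %d has no [nstable] entry" % (rp, idx))
        for key in ("endpoints_mode", "applications_mode"):
            role[key] = sec.get(rp + key, "IGNORE")
            if role[key] not in MODES:
                problems.append("%s%s: invalid value %r" % (rp, key, role[key]))
        for ip in entries(sec, rp + "identities"):
            ctype, value = sec.get(ip + "criteria_type"), sec.get(ip + "criteria")
            if ctype not in CRITERIA:
                problems.append("%scriteria_type: invalid value %r" % (ip, ctype))
            elif ctype not in NO_VALUE and not value:
                problems.append("%scriteria: value required for %s" % (ip, ctype))
            role["identities"].append((ctype, value))
        if not role["identities"]:
            problems.append(rp + "identities: empty, the role can never be assigned")
        for ep in entries(sec, rp + "endpoints"):
            url, smode = sec.get(ep + "endpoint_url"), sec.get(ep + "security_mode", "INVALID")
            if not url:
                problems.append(ep + "endpoint_url is mandatory")
            if smode not in SECURITY_MODES:
                problems.append("%ssecurity_mode: invalid value %r" % (ep, smode))
            role["endpoints"].append((url, smode))
        role["applications"] = [sec.get(ap + "uri") for ap in entries(sec, rp + "applications")]
        roles.append(role)
    return roles, problems


# Shortened copy of the page's example: valid.
GOOD_INI = """[nstable]
nstable/0/url=http://opcfoundation.org/UA/
nstable/1/url=<server>
nstable/size=2
[roles]
enable_online_configuration=true
roles/0/name=Anonymous
roles/0/nodeid=i=15644
roles/0/identities/0/criteria_type=ANONYMOUS
roles/0/identities/1/criteria_type=AUTHENTICATEDUSER
roles/0/identities/size=2
roles/1/name=MyDemoRole1
roles/1/nodeid=ns=1;s=MyDemoRole1
roles/1/identities/0/criteria=joe
roles/1/identities/0/criteria_type=USERNAME
roles/1/identities/size=1
roles/size=2
"""

# Constructed: namespace index without table entry, bad mode, USERNAME without a
# criteria value, endpoint without endpoint_url.
BAD_INI = """[nstable]
nstable/0/url=http://opcfoundation.org/UA/
nstable/size=1
[roles]
roles/0/name=Broken
roles/0/nodeid=ns=2;s=Broken
roles/0/endpoints_mode=ALLOW
roles/0/identities/0/criteria_type=USERNAME
roles/0/identities/size=1
roles/0/endpoints/0/security_mode=SIGN
roles/0/endpoints/size=1
roles/size=1
"""
```

Running validate() over a role file before it is deployed catches the mistakes that otherwise surface only as a role that is silently never granted (empty identities, a USERNAME rule without a name) or as a role attached to the wrong namespace.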