High Performance OPC UA Server SDK

This section describes compliance certification and how to use the CTT with the HP SDK.


What can be certified?

The OPC Foundation does not allow to certify SDKs directly, so the HP SDK itself cannot be certified and an application is not certified automatically because it is built with a certain SDK. Only final products can be certified by the OPC Foundation, for this reason we can only certify our demoserver built with the SDK to proof that it is possible to develop a compliant application using the SDK. The SDK handles a lot of the CTT testcases, so applications built with the SDK will pass most testcases automatically, however a few subjects like data handling must be implemented in every application individually and thus each application must be certified individually.

Status of the HP SDK

The demoserver of the HP SDK version 1.5.1 is certified with the Embedded 2017 UA Server Profile. We do not officially certify the demoserver with every new SDK version, but we run the CTT regularly in our internal testing to detect regressions and resolve issues with new testcases. So servers built with the HP SDK should usually be certifiable with full featured server profiles up to the embedded profile, given that the application part is also compliant.

None of the HP SDK example clients are certified and there are currrently no plans to do so.


Missing Features in the HP SDK

The main feature missing for certification with the Standard profile is the ability of the server to register itself at a local discovery server using the RegisterServer/RegisterServer2 Services. Unfortunately it is currently not possible to implement these services with the client part of the HP SDK, however we have plans to support it in a future version of the HP SDK. The OPC UA Specification allows to implement this feature with a separate configuration utility, so customers with such an utility might be able to get certified with the Standard profile.

Static Address Space

In the HP SDK it is not possible to write the EnabledFlag of the ServerDiagnostics node at runtime, therefore the AccessLevel of that node (i=2294) must be changed from CurrentReadWrite (3) to CurrentRead (1). When loading NS0 dynamically this is done automatically by the SDK, for a static address space the AccessLevel attribute of that node must be edited inside Opc.Ua.NodeSet2.xml before generating the address space.


The CTT is the Compliance Test Tool provided by the OPC Foundation and the main factor of the certification. It can be downloaded from the OPC Foundation website by members to run before certification themselves. The following sections explain how to use the CTT with the HP SDK demoserver, which might be used as base for own certfifications.


This documentation applies to CTT, other versions of the CTT may yield different results.

Note: There is an issue in CTT which requires a different certificate generation script when running after the year 2020 found here: https://mantis.opcfoundation.org/view.php?id=6344

Standard Profile

The standard profile is the biggest of the full featured server profiles. A configuration for the demoserver that can be loaded in the CTT (see Configuration of the CTT) is provided here. In the CTT Profiles tab Standard 2017 UA Server must be selected.

For the server the configuration file settings_standard.conf is included, which conforms to the requirements for the certification, however those requirements include to use the None policy only for discovery services. So for local runs of the CTT we have also included settings_standard_insecure.conf which uses the same settings but allows the None policy for regular connections to simplify configuration of the CTT and debugging of issues in Wireshark:

uaserverhp -c settings_standard_insecure.conf

Micro Embedded Profile

The micro embedded profile is a rather small one of the full featured server profiles, it requires support only for few subscriptions and does not require UA Security. A configuration for the demoserver that can be loaded in the CTT (see Configuration of the CTT) is provided here. In the CTT Profiles tab Micro Embedded Device 2017 Server must be selected.

The SDK includes the settings_micro.conf which sets quantities according to the Micro Embedded Profile, however some of the CTT scripts were not written with such limited servers in mind an will falsely report errors. To make certification easier we provide a second configuration file settings_micro_ctt.conf, which is based on the above settings file but increases a few limits:

uaserverhp -c settings_micro_ctt.conf

Configuration of the CTT

  • Open the CTT and create a new project.
  • Create a new Server Standard Project with a name of your choice.
  • After project creation, the settings dialog appears automatically, click Import and select the suitable *.ctt.xml
  • In the settings dialog go to Server Test->Server URL and adjust the hostname and port.
  • Adjust further settings as needed and close the settings dialog.
  • In the Profiles tab select the suitable profile and facets. An overview of profiles and facets is provided by the OPC Foundation on their ProfileReporting site.

Configuration of CTT Certificates

In case the selected profile includes UA Security like the Embedded or Standard Server Profile a few more steps are required:

  • The CTT generates certificates for testing during installation, when not using the CTT for a while these certficates may expire, so it is recommended to generate new CTT certificates before running the CTT tests, to do so either run the certificate generation script manually or reinstall the CTT.
  • If X509 authentication is enabled the CTT also requires the following users to exist: ctt_usrT, ctt_ca1T_usrT, ctt_ca1I_usrT. In the example users file of the SDK these are already listed.
  • The certificates generated by the CTT are copied into the CTT project folder and some of them need to be imported into the server pki store before the CTT run. Using the included uacertmgr tool the certificates can be imported with this command:

    ./uacertmgr -c settings_standard_insecure.conf import-tree "<ctt-project>/PKI/copyToServer/ApplicationInstance_PKI"

    The user certificates can be imported with this command:

    ./uacertmgr -s1 -c settings_standard_insecure.conf import-tree "<ctt-project>/PKI/copyToServer/X509UserIdentity_PKI"

Known Issues of the CTT

There are a few testcase failing which we believe are errors in the test scripts, these isssues are reported to the OPC Foundation and will be fixed in future versions of the CTT. Depending on the configuration of the server and the exact setup of CTT and server these may or may not happen during a specific CTT run, some are sporadic and may happen only every n-th run. The following list includes links to the mantis bug tracker of the OPC Foundation, so people with an account can view them in detail, others may still provide the link during certification to reference a specific issue.