.NET Based OPC UA Client/Server SDK  3.3.3.537
Configuration Schema

Overview

The schema for the configuration is based on the SecuredApplication schema defined in Annex D of Part 6 of the OPC UA Specification. The order of the elements in the XML file is significant. Configuration specific to the SDK or to applications built with the SDK can be added to the Extensions element defined by the SecuredApplication schema. This can be found in the folder "configurationschema". The static methods ParseExtension<T> and UpdateExtension<T> on the Utils class object can be used to read or update any individual extension. These methods require a class which supports serialization with the WCF DataContract serializer or with the standard .NET XML serializer.

The SDK defines several standard extensions for different groups of configuration parameters which, by convention, all end with the suffix ‘Settings’. These standard extensions are described below along with the mandatory elements from the SecuredApplication schema. The SDK supports the use of file paths relative to special folder names. This allows the same configuration file to be used on different machines. The syntax replaces the drive letter with a special folder name enclosed in percent signs (%). For example, the following path refers to the Documents folder for the current user:

%MyDocuments%/Logs/LogFile.txt

The complete set of special folder names is defined by the Environment.SpecialFolder enumeration.

SecuredApplication

This is the base schema for the application configuration file. The properties of the interface IConfiguration have the same names.

Certificate Management

Certificates are blobs of data which can be stored on disk or in a Windows certificate store. Each certificate has a public key and a private key. The private key must be protected and is only accessible to the owner of the certificate. The public key and private key are stored in separate files for this reason.

Certificates and revocation lists have to be stored in DER format. Allowed file extensions are .der or .cer for certificates and .crl for revocation lists.

The SDK implementation of certificate management stores private keys in PKCS#12 format (*.pfx). If a certificate is placed in a Windows certificate store, the private key is placed in a file managed by Windows.

Certificates are placed into a subfolder of the trusted certificate store, and issuer certificate store respectively, named “certs” (see the table below). Existing certificate revocation lists are placed into a subfolder named “crl”. If the crl folder exists, every CA certificate needs to have a crl file. This behavior can be deactivated by setting the DisableCertificateRevocationUnknown attribute or DisableCertificateIssuerRevocationUnknown respectively in the extension CertificateCheckSettings.

A more detailed explanation of certificate management can be found on the website of the OPC Foundation: The OPC UA Security Model for Administrators (pdf document).
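A preflight check for the directory store layout described above, as an added example (not part of the SDK or its documentation). It verifies the "certs" and "crl" subfolders, the allowed file extensions and the DER encoding; it does not parse X.509 content, and all function names and sample files are assumptions made for this illustration.

```python
import os
import tempfile

CERT_EXTS = {".der", ".cer"}   # allowed for certificates (from the text above)
CRL_EXTS = {".crl"}            # allowed for revocation lists


def is_single_der_object(data):
    """True if data is exactly one SEQUENCE with a definite length that
    matches the file size (certificates and CRLs are both outer SEQUENCEs)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False                   # 0x80 is indefinite length, not DER
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def check_store(store_path):
    """Return a list of problems found in one directory certificate store."""
    problems = []
    certs_dir = os.path.join(store_path, "certs")
    crl_dir = os.path.join(store_path, "crl")
    if not os.path.isdir(certs_dir):
        problems.append("missing 'certs' subfolder")
    for folder, allowed in ((certs_dir, CERT_EXTS), (crl_dir, CRL_EXTS)):
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            full = os.path.join(folder, name)
            if not os.path.isfile(full):
                continue
            rel = os.path.basename(folder) + "/" + name
            if os.path.splitext(name)[1].lower() not in allowed:
                problems.append(rel + ": file extension not allowed here")
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            if data.lstrip().startswith(b"-----BEGIN"):
                problems.append(rel + ": PEM encoded, the store requires DER")
            elif not is_single_der_object(data):
                problems.append(rel + ": not a single DER object")
    # Once the crl folder exists, every CA certificate needs a CRL file in it.
    if os.path.isdir(crl_dir):
        crls = [n for n in os.listdir(crl_dir) if n.lower().endswith(".crl")]
        if not crls:
            problems.append("'crl' subfolder exists but is empty: "
                            "every CA certificate in 'certs' needs a CRL there")
    return problems


def build_sample_store(root):
    """Create a constructed sample store (not real certificates)."""
    os.makedirs(os.path.join(root, "certs"))
    os.makedirs(os.path.join(root, "crl"))
    samples = {
        # Minimal well-formed DER SEQUENCE, stands in for a certificate.
        "peer.der": b"\x30\x03\x02\x01\x05",
        # PEM text saved under a certificate extension (a common mistake).
        "ca.cer": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
        # Stray file that does not belong in the store.
        "notes.txt": b"constructed sample",
    }
    for name, data in samples.items():
        with open(os.path.join(root, "certs", name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample store in a temporary folder and check it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_store(root)
        return check_store(root)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```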

Element Description
ApplicationName A human readable name for the application.
The value has a default chosen by the application vendor but can be changed by the administrators of the application.
ApplicationUri A globally unique identifier for the application instance. This must be a valid URI which should include the DNS name of the machine, the name of the product vendor and the name of the application.
ApplicationType The type of application.
May be Server_0 or Client_1.
ProductName A human readable name for the product.
This value is set by the application vendor.
ApplicationCertificate Location and identifier for the application instance certificate.
The default server StorePath is (StoreType is “Directory”): "%CommonApplicationData%\<Company>\pkiserver\own"
The default client StorePath is (StoreType is “Directory”): "%CommonApplicationData%\<Company>\pkiclient\own"
TrustedCertificateStore Location of the trusted certificate store. Peer and CA certificates which the application trusts are placed here.
See paragraph Certificate Management above for more information on file format and folder structure.
The default server StorePath is (StoreType is “Directory”): "%CommonApplicationData%\<Company>\pkiserver\trusted"
The default client StorePath is (StoreType is “Directory”): "%CommonApplicationData%\<Company>\pkiclient\trusted"
IssuerCertificateStore Location of the issuer certificate store. Certificates which are needed to validate certificate chains are placed here.
See paragraph Certificate Management above for more information on file format and folder structure.
The default server StorePath is (StoreType is “Directory”): "%CommonApplicationData%\<Company>\pkiserver\issuers"
The default client StorePath is (StoreType is “Directory”): "%CommonApplicationData%\<Company>\pkiclient\issuers"
RejectedCertificatesStore Location of the rejected certificate store.
Stores certificates which have been rejected because they are untrusted.
The default server StorePath is (StoreType is “Directory”): "%CommonApplicationData%\<Company>\pkiserver\rejected"
The default client StorePath is (StoreType is “Directory”): "%CommonApplicationData%\<Company>\pkiclient\rejected"
BaseAddresses The list of endpoint URLs supported by Server.
Any URL with “localhost” as the domain is bound to all machine IP addresses. The “localhost” is changed to the default DNS name of the machine during initialization.
A URL with “127.0.0.1” as the domain is only accessible to Clients running on the same machine.
For each URI scheme the following transport profiles are assumed:
opc.tcp UaTcpTransport
SecurityProfiles

A list of supported security profiles.
If omitted then the Aes128Sha256RsaOaep, Basic256Sha256 and None profiles are used as defaults.
Possible values are:

SecurityProfilesUri Comment
http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep
http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss Is only available for:
.NET Standard 2.0
.NET Standard 2.1
.NET Framework 4.8
.NET 6.0
http://opcfoundation.org/UA/SecurityPolicy#Basic256 No longer recommended.
Should only be configured if backward compatibility is required.
See ServerSettings.AllowDepreciatedPolicies.
http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15 No longer recommended.
Should only be configured if backward compatibility is required.
See ServerSettings.AllowDepreciatedPolicies.
http://opcfoundation.org/UA/SecurityPolicy#None No secure communication possible.
Shall not be used in end user products.

If FIPS compliant algorithms are enabled on the target machine, whether http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 works depends on the OS and the framework version used.

OS 3.5.1 4.0 4.5 4.8
Windows 10 no yes yes yes
Windows 7 no no yes yes
Windows XP no no x x

If FIPS is not enabled, all security profiles work.

Extensions A list of SDK and application specific configuration settings.
Any valid XML is allowed. The XML is parsed when the ApplicationInstance.ParseExtension<T> method is called by the application.

CertificateCheckSettings

This set of configuration options can be used to set default certificate checks which are enforced by the application as well as to override these default checks for single certificates.

See Certificate Validation for more information.

The following code shows a configuration example:

<Extension>
  <CertificateCheckSettings xmlns="http://unifiedautomation.com/schemas/2011/12/Application.xsd">
    <!-- This element sets the default certificate checks which are enforced by the application -->
      DisableDomainCheck="false"
      DisableApplicationUriCheck="false"
      DisableCertificateTimeInvalid="false"
      DisableCertificateIssuerTimeInvalid="false"
      DisableCertificateRevocationUnknown="false"
      DisableCertificateIssuerRevocationUnknown="false" />
    <!-- These elements override the default certificate checks for a single certificate -->
    <!--
    <Certificate Thumbprint="9F94EBF4473CE8589F348FD853D1DBF3A3514A7D" DisableApplicationUriCheck="true" DisableCertificateRevocationUnknown="true" />
    <Certificate Thumbprint="8B2B4864EDAD10D73DBFFBC0BC820E76A7A6A22C" DisableCertificateRevocationUnknown="true" />
    -->
  </CertificateCheckSettings>
</Extension>

Element Description
DisableDomainCheck If set to TRUE, the domain in the endpoint URL will not be compared to the certificate domains. This parameter is only validated by the Client SDK. The Server SDK will ignore this parameter, because it doesn’t check the domain.
DisableApplicationUriCheck If set to TRUE, the application URI will not be compared to the application URI in the certificate. The check is required for compliant OPC UA servers but older clients may provide a wrong ApplicationUri. It is not recommended to change this setting.
DisableCertificateTimeInvalid If set to TRUE, expired or not yet valid certificates will be accepted.
DisableCertificateIssuerTimeInvalid If set to TRUE, expired or not yet valid issuer certificates will be accepted.
DisableCertificateRevocationUnknown If set to TRUE, certificates will be accepted even if it is not possible to check their revocation status.
DisableCertificateIssuerRevocationUnknown If set to TRUE, issuer certificates will be accepted even if it is not possible to check their revocation status.
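A configuration review helper for the switches in the table above, as an added example (not code from the SDK): it reports every certificate check that a configuration file disables, either as a default or for a single thumbprint, and ignores overrides that are commented out. The function name, the sample thumbprints and the element name `DefaultChecks` in the sample are assumptions; the page's own example does not show the name of the element that carries the defaults, and the code does not depend on it.

```python
import xml.etree.ElementTree as ET

# Namespace of the CertificateCheckSettings extension, as used in the example above.
UA_NS = "http://unifiedautomation.com/schemas/2011/12/Application.xsd"

# The six switches from the table above and what is accepted once one is enabled.
CHECKS = {
    "DisableDomainCheck":
        "endpoint URL domain is not compared to the certificate domains",
    "DisableApplicationUriCheck":
        "application URI is not compared to the URI in the certificate",
    "DisableCertificateTimeInvalid":
        "expired or not yet valid certificates are accepted",
    "DisableCertificateIssuerTimeInvalid":
        "expired or not yet valid issuer certificates are accepted",
    "DisableCertificateRevocationUnknown":
        "certificates are accepted without a revocation check",
    "DisableCertificateIssuerRevocationUnknown":
        "issuer certificates are accepted without a revocation check",
}

# Constructed sample, not a real configuration. "DefaultChecks" is a placeholder
# element name and both thumbprints are made up.
SAMPLE_CONFIG = """<Extension>
  <CertificateCheckSettings xmlns="http://unifiedautomation.com/schemas/2011/12/Application.xsd">
    <DefaultChecks
      DisableDomainCheck="false"
      DisableApplicationUriCheck="false"
      DisableCertificateTimeInvalid="true"
      DisableCertificateIssuerTimeInvalid="false"
      DisableCertificateRevocationUnknown="false"
      DisableCertificateIssuerRevocationUnknown="false" />
    <!-- <Certificate Thumbprint="FFEEDDCCBBAA99887766554433221100FFEEDDCC" DisableCertificateRevocationUnknown="true" /> -->
    <Certificate Thumbprint="00112233445566778899aabbccddeeff00112233"
      DisableApplicationUriCheck="true"
      DisableCertificateRevocationUnknown="true" />
  </CertificateCheckSettings>
</Extension>"""


def audit_certificate_checks(xml_text):
    """Return (scope, switch, consequence) for every disabled certificate check.

    scope is "default" for application-wide settings and
    "certificate <THUMBPRINT>" for a per-certificate override.
    """
    findings = []
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    tag = "{%s}CertificateCheckSettings" % UA_NS
    for settings in root.iter(tag):
        for elem in settings.iter():
            thumbprint = elem.get("Thumbprint")
            if thumbprint:
                scope = "certificate " + thumbprint.upper()
            else:
                scope = "default"
            for switch, consequence in CHECKS.items():
                # xsd:boolean allows "true" and "1" for an enabled switch.
                value = elem.get(switch, "false").strip().lower()
                if value in ("true", "1"):
                    findings.append((scope, switch, consequence))
    return findings


if __name__ == "__main__":
    for scope, switch, consequence in audit_certificate_checks(SAMPLE_CONFIG):
        print("%s: %s -> %s" % (scope, switch, consequence))
```

Run it against each deployed configuration file and treat any finding with the scope "default" as a change that needs a documented reason.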

TransportSettings

These values specify various limits used by the transport layer.

Element Description
MaxBufferSize The maximum size of any buffers allocated.
If not specified, the default is 65,536.
MaxStringLength The maximum length of any encoded String value.
If not specified, the default is 16,777,216.
MaxByteStringLength The maximum length of any encoded ByteString value.
If not specified, the default is 16,777,216.
MaxArrayLength The maximum length of any encoded array value.
If not specified, the default is 65,536.
MaxMessageSize The maximum size of any encoded message.
If not specified, the default is 16,777,216.
OperationTimeout The global maximum timeout, in milliseconds, for any service request.
If not specified, the default is 120,000.
ChannelLifetime The lifetime, in milliseconds, of a secure channel until it has to be renewed.
If not specified, the default is 120,000.
InactiveChannelLifetime The lifetime, in milliseconds, of a secure channel if communication setup is incomplete.
If not specified, the default is 10,000.
MaxChannelCount The maximum number of sockets.
If not specified, the default is 100.
SecurityTokenLifetime The lifetime, in milliseconds, of a security token.
If not specified, the default is 3,600,000.

InstallationSettings

These values specify various options used during the installation/uninstallation process.

Element Description
GenerateCertificateIfNone If TRUE a new certificate is generated if a valid one does not exist.
If not specified, the default is FALSE.
CertificateKeyLength The key length, in bits, of the auto-created certificate.
The default is 2048. Supported values are 1024, 2048, 3072 and 4096.
CertificateHashAlgorithm The hash algorithm used on the auto-created certificate.
The default is 'sha256'. Supported values are 'sha1' and 'sha256'.
DeleteCertificateOnUninstall If TRUE the application certificate is deleted during uninstall.
If not specified, the default is FALSE.
ConfigureFirewall If TRUE, the SDK is configured to call OpenFirewallPorts() during the install process and CloseFirewallPorts() during the uninstall process.
Override these methods to configure the firewall for the application. If not specified, the default is FALSE.
ConfigureHttpAccess If TRUE any HTTP or HTTPS endpoints are configured to allow access by a process running with the credentials of the UsersGroup.
If not specified, the default is FALSE.
InstallAsService If TRUE a Server is configured to run as a Windows Service.
If not specified, the default is FALSE.
The service will run as 'Local System'.
ServiceName The name of the Windows Service created during install.
Must be specified if InstallAsService is set to TRUE.
ServiceDescription A human readable description for the Windows Service.
If not specified, the default is an empty string.
ServiceStartMode The following values are possible: Auto, Manual, Disabled.
If not specified, the default is Manual.
UsersGroup The name of the Windows Account Group which is allowed to run the application.
If not specified, the default is the ‘Users’ built-in group.
AdministratorsGroup The name of the Windows Account Group which is allowed to administer the application.
If not specified, the default is the ‘Administrators’ built-in group.
DisableSetFilePermissions If FALSE access permissions are set for the executable, the configuration file and the certificate store.
If not specified, the default is FALSE.
DisableLdsCertificateExchange If FALSE the application instance certificate is pushed to the trusted certificate store of the Local Discovery Server (LDS) and the certificate of the LDS is pulled to the own trusted store.
If not specified, the default is FALSE.
LdsTrustedCertificateStore The location of the trusted store of the local discovery server.
This setting is only evaluated if DisableLdsCertificateExchange is FALSE.
If not specified, the SDK checks if standard locations of the trusted store are available.
LdsApplicationCertificateFile The filename of the application instance certificate of the local discovery server.
This setting is only evaluated if DisableLdsCertificateExchange is FALSE.
If not specified, the SDK searches at standard locations of the lds certificate.

CertificateStoreSettings

This value specifies limits for certificate stores.

Element Description
MaxRejectedCertificatesCount Specifies the maximum number of certificates in the rejected store. If this number would be exceeded, the oldest certificate will be removed.
The default value is 100. If 0 is specified, then there is no limitation.
This setting is only evaluated for DirectoryCertificateStores.

TraceSettings

These values control the information written to the trace log files.

Element Description
TraceFile The location of the trace file.
If not specified, then no trace information is written to a file.
The default path is: %CommonApplicationData%\unifiedautomation\logs
MaxEntriesPerLog The maximum number of entries per log file.
If not specified, then default is 100000.
MaxLogFileBackups The maximum number of backups for log files.
If not specified, then default is 5.
FastTrace If TRUE, the trace file is kept open.
If FALSE, the trace file is opened and closed for each log message written.
If not specified then the default is FALSE.
MasterTraceEnabled If FALSE, all tracing is disabled.
If not specified then the default is FALSE.
DefaultTraceLevel The default trace level.
If not specified, then the default is “Error”.
OnlineConfiguration Encapsulates the configuration options for the Trace Object in the server address space.
Enabled If TRUE, a Trace Object is created on the server at startup.
It allows the trace configuration of the server to be changed at runtime.
If not specified, then default is FALSE.
MaxEntriesPerLogMinimum The minimum number of MaxEntriesPerLog that can be configured with the online configuration.
If not specified, then default is 1000.
MaxEntriesPerLogMaximum The maximum number of MaxEntriesPerLog that can be configured with the online configuration.
If not specified, then default is 100000.
MaxLogFileBackupsMaximum The maximum number of MaxLogFileBackups that can be configured with the online configuration.
If not specified, then default is 5.
TimestampFormat The string format of the Timestamp within the trace entry.
If not specified, then the default is “HH:mm.sss”.
This setting is used to call DateTime.ToString(string format).
ModuleSettings A list of settings for each trace module in the process.
ModuleName The name of the trace module.
If not specified, then the module is ignored.
TraceEnabled If FALSE, then tracing is disabled for the module.
If not specified, then the default is TRUE.
TraceLevel The default trace level for the module.
If not specified, then the default is “Default”.

TraceLevels

These are the possible trace levels that can be specified.

Level Description
Default Use the default trace level.
None Turn all tracing off.
Error Unexpected errors that require the attention of developers or administrators.
Warning Less critical issues that also require the attention of developers or administrators.
System General system messages.
Info Informational messages.
InterfaceCall The entry and exit messages for major API methods.
Constructor The constructors of major API objects.
ProgramFlow Additional entry and exit messages for minor API methods.
Data Verbose information when the state of objects changes during processing.

GdsSettings

These values specify the required information for the Register and Pull Management with a Global Discovery Server (GDS).

Element Description
GdsDiscoveryUrl The Discovery URL of the Global Discovery Server.
ServerDiscoveryUrls The Discovery URLs of the application to register.
If not specified, then the EndpointUrls of the server application are used implicitly. Shall not be set for client applications.
RetryFrequency The time in milliseconds between initial GDS interactions.
If not specified, then default is 60000 (1 minute).
DefaultUpdateFrequency The frequency in milliseconds for checking the certificate and trust list status, if the GDS does not expose an UpdateFrequency or IgnoreGdsDefinedUpdateFrequency is set to TRUE.
If not specified then the default is 86400000 (1 day).
IgnoreGdsDefinedUpdateFrequency If TRUE, the UpdateFrequency specified by the GDS is ignored and the DefaultUpdateFrequency is used instead.
If not specified then the default is FALSE.
IgnoreLastUpdateTime If TRUE, the LastUpdateTime of the TrustList is ignored and the TrustList is read on each update. If FALSE the TrustList is only read if the Value of LastUpdateTime changed.
If not specified then the default is FALSE.

ClientSettings

These values control the base configuration for the Client.

Element Description
ProductUri A globally unique identifier for the product that the client belongs to.
If not specified then the default is an empty string.
DiagnosticMasks The diagnostic masks to use with each request.
If not specified, then the default is 0 (no diagnostics).
RequestTimeout The default timeout in milliseconds for each service request. It is limited by TransportSettings.OperationTimeout.
If not specified, then the default is 30,000.
MaxOperationsPerRequest

The maximum number of operations per request.
If this value is not set, the default value of MaxArrayLength of the TransportSettings is taken.

If a request with more operations than the specified value is passed to the SDK, it splits the call into individual requests. In this case, the RequestTimeout time applies to the entire set of requests.

The following methods support this setting:

Session

  • Read
  • Write
  • BrowseList
  • TranslateBrowsePath
  • CallList
  • HistoryReadRaw
  • HistoryReadModified
  • HistoryReadProcessed
  • HistoryReadAtTime
  • HistoryUpdateData
  • HistoryUpdateStructureData
  • HistoryDeleteRaw
  • HistoryDeleteAtTime
  • HistoryReadEvent
  • HistoryUpdateEvent
  • HistoryDeleteEvent
  • AddNodes
  • AddReferences
  • DeleteNodes
  • DeleteReferences
  • RegisterNodes
  • UnregisterNodes
  • TransferSubscriptions

Subscription

  • CreateMonitoredItems
  • ModifyMonitoredItems
  • DeleteMonitoredItems
  • SetMonitoringMode
SessionTimeout The requested timeout, in milliseconds, for a session.
If not specified, then the default is 600,000.
WatchdogCycleTime The time interval, in milliseconds, between cycles of the watchdog which checks the status of the connection with the Server.
If not specified then the default is 5,000.
WatchdogTimeout The maximum time, in milliseconds, that the watchdog waits for a response from the Server before starting the reconnect process.
If not specified then the default is 10,000.
AutomaticReconnect If TRUE, the watchdog will attempt to reconnect to the Server when it detects an error after it has connected.
If not specified, then the default is TRUE.
RetryInitialConnect If TRUE, the client tries to connect automatically if the initial connect fails. It will stop when a timeout occurs.
If not specified, then the default is FALSE.
ReconnectDelay The time in milliseconds between reconnect attempts.
If not specified, then the default is 10,000.
ReconnectTimeout The timeout for a reconnect attempt in milliseconds.
If not specified, then the default is ReconnectDelay / 2.
ReconnectCreateSubscriptionsDelay The timespan in milliseconds between the successful recreation of a Session and the recreation of Subscriptions.
If not specified, then the default is 0.
DisableIncludeChains If FALSE, the entire chain is sent over the wire. If true, only the application instance certificate is sent over the wire. This setting allows for backward compatibility with applications that cannot handle a certificate chain or can be used in environments where issuer certificates are stored locally on the server.

ServerSettings

These values control the base configuration for the Server.

Element Description
ProductUri A globally unique identifier for the product that the server belongs to.
The default is constructed with the ApplicationUri.
ProductName A human readable name for the product that the server belongs to.
The default is the Product attribute for the EXE assembly.
ManufacturerName A human readable name for the manufacturer of the product.
The default is the Company attribute for the EXE assembly.
SoftwareVersion A string representing the version of the Server software.
The default is the first 2 fields from the EXE assembly FileVersion attribute.
BuildNumber A string representing the build of the Server software.
The default is the last 2 fields from the EXE assembly FileVersion attribute.
BuildDate When the Server software was built.
The last write time for the EXE assembly is the default.
IsAuditActivated If true, the Server will produce audit events.
The default is FALSE.
AvailableLocaleIds A list of locales supported by the Server. The syntax is defined by RFC 1766.
The default is "en-US".
AvailableServerProfiles A list of profiles supported by the Server.
If not set, a default will be set by the sdk.
UserIdentity The user identities supported by the server.
The default is the anonymous user token policy.
DiscoveryRegistration The discovery registration settings for servers.
Capabilities The capabilities supported by the server.
If not set, "DA" is specified as capability.
DisableUseLeafCertificateOnlyForSignature If true, the server uses the whole certificate data that is sent in CreateSession for creating the server signature. If false, the leaf certificate is used.
The default and recommended setting is FALSE.
AllowDepreciatedPolicies Security policies that have been deprecated sometimes have to be enabled for interoperability. If set to true, this setting allows the use of those security policies. Use with caution.
The default is FALSE.
SupportedPollingIntervals If set, these intervals are supported by the BaseNodeManager to sample nodes with NodeHandleType ExternalPolled and InternalPolled. If not set, all intervals are supported.
RoleConfigurationsFilePath Specifies the file path for the role configurations file. If not specified, a file with the name RoleConfigurations.xml will get loaded if existing.
The specified file must be valid for the schema http://unifiedautomation.com/schemas/RoleConfigurations.xsd.
RedundancyCapabilities Contains the supported redundancy and the list of alternative Server URIs for non-transparent redundancy types.
Note: These settings only update the address space. Redundancy is not yet implemented in the SDK and has to be handled by the application.

EndpointSettings

These values control the security options and network interface used by a base address.

Element Description
EndpointUrl The URL which the settings apply to. This URL must match one of the URLs in the SecuredApplication.BaseAddresses list.
NetworkInterface The IP address to use when binding the socket. It can be an IPv4 or IPv6 address. If omitted, then the socket is bound to all IP addresses for the machine.
InternetProtocolVersion The Internet Protocol Version the socket is using. It can be Any(IPv4 and IPv6), IPv4Only or IPv6Only. The default value is Any.
Use this on environments without IPv6 functionalities. Note: Keep default setting if using NetworkInterface configuration.
DisableNoSecurity If true, the None message security mode is disabled for this endpoint. The default value is FALSE.
EnableSignOnly If true, the SignOnly message security mode is enabled for this endpoint. The default value is FALSE.
DisableSignAndEncrypt If true, the SignAndEncrypt message security mode is disabled for this endpoint. The default value is FALSE.
EnableXmlEncoding If set to TRUE, the endpoint will only accept XML encoded messages.
If it is FALSE, then the messages must be UA Binary encoded.
NoSecurityUserSecurityPolicy The SecurityPolicy that is used for UserIdentityTokens that are not Anonymous at insecure Endpoints. The default is Basic256Sha256.
ApplicationCertificateStore The certificate store that is used for the application instance certificate used for this endpoint. The default is the ApplicationCertificateStore defined at top level.
ApplicationCertificateSubjectName The subject name of the application instance certificate used for this endpoint. The default is the SubjectName defined at top level.
ApplicationCertificateThumbprint If defined the certificate with this thumbprint is used for this endpoint.
TrustedCertificateStore The path of the trusted store for this endpoint. If null, the trusted store of the application is used.
IssuerCertificateStore The path of the issuer store for this endpoint. If null, the issuer store of the application is used.
DisableIncludeChains For CA signed certificates, this flag controls whether the server sends the complete certificate chain instead of just sending the certificate. This affects the GetEndpoints and CreateSession services. The default and recommended value is false.
MaxSecureChannelCount The maximum number of secure channels that can be created for this endpoint. If 0, TransportSettings.MaxChannelCount is used. The default value is 0.
CertificateConfiguration Defines the KeySize and the HashSize of the certificate used for this endpoint. The default is null.
OutgoingReverseConnections Specifies the reverse connect configurations for this endpoint. The default is null.

NetworkInterface Configuration

Configuration Table

This table shows how to select the EndpointSettings NetworkInterface, to reach endpoints through different discovery URLs.

NetworkInterface Setting
Discovery URLs*
empty
'0.0.0.0'
Server IPv4
'[::]'
Server IPv6
Hostname
'127.0.0.1' (loopback v4)
X
X
X
X
'[::1]' (loopback v6)
X
X
X
'localhost'
X
X
X
X
Valid Hostname
X
X
X
X
X
X
Server IPv4
X
X
X
X
X
Other local IPv4s
X
X
X
X
Server IPv6
X
X
X
X
Other local IPv6s
X
X
X
Wrong Hostname
Wrong IPv4
Wrong IPv6

X: Endpoint will be found by client discovery
* This Table mentions only the host part of the Discovery URL. Complete Discovery URL example: opc.tcp://localhost:48030

Configuration Example

This example shows the EndpointSettings extension of an application configuration file.

<Extension>
<EndpointSettings xmlns="http://unifiedautomation.com/schemas/2011/12/Application.xsd">
<Endpoint EndpointUrl="opc.tcp://localhost:48030">
<NetworkInterface>0.0.0.0</NetworkInterface>
</Endpoint>
</EndpointSettings>
</Extension>

Reverse Connection Configuration

This table shows how to configure the OutgoingReverseConnectionConfiguration of the Server's EndpointSettings to enable Reverse Connect.

Element Description
RemoteClientUrl The URL where the client has to listen for reverse connect.
ConnectRetryInterval The interval, in seconds, at which the server tries to establish a connection to the RemoteClientUrl.
ConnectCount Number of connection ports the server will open.

Example:

<OutgoingReverseConnections>
  <OutgoingReverseConnectionConfiguration>
    <RemoteClientUrl>opc.tcp://localhost:48070</RemoteClientUrl>
    <ConnectRetryInterval>10</ConnectRetryInterval>
    <ConnectCount>4</ConnectCount>
  </OutgoingReverseConnectionConfiguration>
</OutgoingReverseConnections>

UserIdentitySettings

These values control what user identity tokens are accepted by a Server. These settings are part of the ServerSettings.

Element Description
EnableAnonymous Whether anonymous users are allowed.
Enabled if the UserIdentitySettings are missing from the configuration.
EnableUserName Whether authentication with a username and password is allowed.
Disabled if the UserIdentitySettings are missing from the configuration.
EnableCertificate Whether authentication with an X509 certificate is allowed.
Disabled if the UserIdentitySettings are missing from the configuration.
UserTrustedCertificateStore The store path for the trusted user certificates.
Is only used if EnableCertificate is set to 'true' and UserIssuerCertificateStore is configured.
UserIssuerCertificateStore The store path for the issuer user certificates.
Is only used if EnableCertificate is set to 'true' and UserTrustedCertificateStore is configured.
UserRejectedCertificateStore The store path for the issuer user certificates.
Is only used if EnableCertificate is set to 'true' and UserTrustedCertificateStore and UserIssuerCertificateStore are configured.
UserCertificateCheckSettings The certificate security overwrites for user certificates.
Is only used if EnableCertificate is set to 'true' and UserTrustedCertificateStore and UserIssuerCertificateStore are configured.
By default no overwrites are used.

RedundancyCapabilities

These values set the redundancy capabilities on the server object. These settings are part of the ServerSettings.

Element Description
RedundancySupport Sets the supported redundancy at the server object. The configurable values are None (default), Cold, Warm, Hot, Transparent and HotAndMirrored.
AlternativeServerList The list of alternative Server URIs for non-transparent redundancy support.

DiscoveryRegistrationSettings

These values control how a server registers with the local discovery server.

Element Description
Url The URL of the discovery server the server must register with.
The default is 'opc.tcp://localhost:4840'.
Enabled Whether the server should attempt to register with the discovery server.
The default is TRUE.
RegistrationInterval The interval in seconds between registration attempts.
The default and minimum is 30 and the maximum is 600.
DisableRegisterServer2 Whether the server should skip trying to register with RegisterServer2 service but directly try to register with RegisterServer service.
The default is FALSE.

ThreadPoolSettings

These values control the thread pool used by the server.

Element Description
MinThreadCount The minimum number of threads.
The default and minimum value is 10.
MaxThreadCount Deprecated: This field is not evaluated anymore.
MaxRequestCount The maximum number of requests in the queue waiting for a thread.
The default is 65536 and the minimum value is 128.

SessionSettings

These values control the behavior of the SessionManager in the Server.

Element Description
MaxRequestAge The maximum difference in milliseconds between the timestamp of the request and the current time.
The minimum and default is 60,000.
MaxSessionCount The maximum number of open sessions.
The default is 100 and the minimum is 1.
MaxSessionsPerClient The maximum number of open sessions per client.
The default is 4,294,967,295 and the minimum is 2.
MaxOutstandingServiceRequests The maximum number of outstanding service requests per session.
The default is 1000 and the minimum is 1.
MinSessionTimeout The minimum timeout in milliseconds for sessions.
The default is 20,000 and the minimum is 1,000.
MaxSessionTimeout The maximum timeout in milliseconds for sessions.
The default is 600,000 and the minimum is 60,000.
MaxBrowseContinuationPoints The maximum number of browse continuation points per session.
The default and minimum is the MaxNodesPerBrowse.
MaxHistoryContinuationPoints The maximum number of history continuation points per session.
The default and minimum is the MaxNodesPerHistoryDataRead.
MaxNodesPerRead The maximum number of read operations per request.
The default and minimum is 10,000.
MaxNodesPerWrite The maximum number of write operations per request.
The default and minimum is 10,000.
MaxNodesPerHistoryDataRead The maximum number of history data read operations per request.
The default and minimum is 1,000.
MaxNodesPerHistoryDataUpdate The maximum number of history data update operations per request.
The default and minimum is 1,000.
MaxNodesPerHistoryEventRead The maximum number of history event read operations per request.
The default and minimum is 1,000.
MaxNodesPerHistoryEventUpdate The maximum number of history event update operations per request.
The default and minimum is 1,000.
MaxNodesPerMethodCall The maximum number of call operations per request.
The default and minimum is 10,000.
MaxNodesPerBrowse The maximum number of browse operations per request.
The default and minimum is 1,000.
MaxNodesPerRegisterNodes The maximum number of register node operations per request.
The default and minimum is 1,000.
MaxNodesPerTranslateBrowsePathsToNodeIds The maximum number of translate browse operations per request.
The default and minimum is 1,000.
MaxNodesPerNodeManagement The maximum number of add or delete node operations per request.
The default and minimum is 100.
MaxMonitoredItemsPerCall The maximum number of monitored item operations per request.
The default and minimum is 10,000.
MaxHistoryDataValuesPerRead The maximum number of returned values per history read data request.
The default is 10,000 and the maximum is 50,000.
MaxHistoryEventsPerRead The maximum number of returned values per history read event request.
The default is 10,000 and the maximum is 50,000.
MinNonceLength The minimum nonce length.
The default and minimum is 32.
DisableNonceLengthCheck Disables the length check of the client nonce.
The default and recommended value is false.
MaxRegisteredNodes The maximum number of registered nodes per Session.
The default value is 10,000.
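The following check is an added example, not code from the SDK: it audits a SessionSettings block against the defaults and minimums in the table above and flags the settings that weaken nonce checking or session limits. It assumes each setting is a child element named as in the table and matches elements by local name because the namespace is not shown here; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Documented (default, minimum) pairs from the SessionSettings table.
LIMITS = {
    "MaxSessionCount": (100, 1),
    "MaxSessionsPerClient": (4294967295, 2),
    "MinSessionTimeout": (20000, 1000),
    "MaxSessionTimeout": (600000, 60000),
    "MinNonceLength": (32, 32),
}

# Constructed sample; the wrapper elements are an assumed layout.
SAMPLE = """<Configuration><Extensions><Extension>
<SessionSettings>
  <MaxSessionCount>50</MaxSessionCount>
  <MinNonceLength>16</MinNonceLength>
  <DisableNonceLengthCheck>true</DisableNonceLengthCheck>
</SessionSettings></Extension></Extensions></Configuration>"""

def local(tag):
    # Strip the XML namespace so the check does not depend on the schema URI.
    return tag.rsplit("}", 1)[-1]

def audit_session_settings(xml_text):
    root = ET.fromstring(xml_text)
    node = next((e for e in root.iter() if local(e.tag) == "SessionSettings"), None)
    if node is None:
        return ["SessionSettings not found; documented defaults apply"]
    raw = {local(c.tag): (c.text or "").strip() for c in node}
    findings, val = [], {}
    for name, (default, minimum) in LIMITS.items():
        try:
            val[name] = int(raw.get(name, default))
        except ValueError:
            findings.append(f"{name}: '{raw[name]}' is not an integer")
            val[name] = default
            continue
        if val[name] < minimum:
            findings.append(f"{name}={val[name]} is below the documented minimum {minimum}")
    if raw.get("DisableNonceLengthCheck", "false").lower() == "true":
        findings.append("DisableNonceLengthCheck=true: client nonce length is not enforced")
    if val["MaxSessionsPerClient"] >= val["MaxSessionCount"]:
        findings.append("MaxSessionsPerClient >= MaxSessionCount: one client can hold every session")
    if val["MinSessionTimeout"] > val["MaxSessionTimeout"]:
        findings.append("MinSessionTimeout exceeds MaxSessionTimeout")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_session_settings(SAMPLE)))
```

With the documented defaults, MaxSessionsPerClient (4,294,967,295) exceeds MaxSessionCount (100), so the per-client finding is reported until MaxSessionsPerClient is set explicitly.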

SubscriptionSettings

These values control the behavior of the SubscriptionManager in the Server.

Element Description
MinPublishingInterval The minimum publishing interval in milliseconds.
The minimum and default is PublishingIntervalResolution.
MaxPublishingInterval The maximum publishing interval in milliseconds.
The minimum and default is the MinPublishingInterval. The default is 60,000 and the minimum is MinPublishingInterval.
MaxKeepAliveInterval The maximum keep alive interval in milliseconds.
The default is 3,600,000 and the minimum is MinKeepAliveInterval.
MinKeepAliveInterval The minimum keep alive interval in milliseconds.
The minimum and default is 1,000.
MinLifetime The minimum subscription lifetime in milliseconds.
The minimum and default is the larger of 20,000 or the MinKeepAliveInterval.
MaxLifetime The maximum subscription lifetime in milliseconds.
The default is 3,600,000 and the minimum is MinLifetime.
PublishingIntervalResolution The minimum publish interval in milliseconds.
The default is 100. The minimum is 50.
MaxPublishRequestCount The maximum number of queued publish requests per session.
The default is 100. The minimum is 2.
MaxSubscriptionCount The maximum number of subscriptions (of the Server).
The default and minimum is 10.
MaxSubscriptionsPerSession The maximum number of subscriptions per session.
The default is MaxSubscriptionCount. The minimum is 1.
MaxNotificationsPerPublish The maximum number of notifications per publish request.
The default is 10,000.
MaxMessageQueueSize The maximum number of saved messages per subscription.
The default is 100.
MaxDataValueQueueSize The maximum queue size for data monitored items.
The default and minimum is 1,000.
MinEventQueueSize The minimum queue size for event monitored items.
The default and minimum is 1,000.
MaxEventQueueSize The maximum queue size for event monitored items.
The default is 10,000 and the minimum is MinEventQueueSize.
MaxMonitoredItemsPerSubscription The maximum number of monitored items per subscription.
The default is 4,294,967,295 and the minimum is 1.