# ANSI C Demo Server Configuration File
#
# Layout notes:
# - Comments are full-line and start with '#'.
# - Keys of the form Name/size plus Name/<index>/... describe indexed lists
#   (see Endpoints/size and AdditionalCertificates/size below).
# - Values such as SecurityPolicies, UserTokenPolicies and PKIStores are comma separated
#   lists of section names defined elsewhere in this file.
# - Lines marked NOTE(review) are review remarks on the shipped demo values; they do not
#   change any setting.

[General]
# Maximum number of nodes per provider supported by the server.
MaxProviderNodes = 3500
# Maximum number of references to return in a Browse/BrowseNext response.
MaxReferencesToReturn = 10000
# Maximum number of nodes to return in a TranslateBrowsePathsToNodeIds response.
MaxTranslateResults = 10000
# Maximum number of SecureChannels. The upper limit of this value depends on the CMake
# settings UASTACK_TCPLISTENER_MAX_CONNECTIONS and UASTACK_SOCKETMANAGER_NUMBER_OF_SOCKETS
# (equals OPCUA_TCPLISTENER_MAXCONNECTIONS and OPCUA_P_SOCKETMANAGER_NUMBEROFSOCKETS).
# Set to 0 for no limit.
MaxSecureChannels = 100
# Maximum total number of sessions. As most clients use one SecureChannel per session,
# the upper limits of MaxSecureChannels apply to this setting, too. Set to 0 for no limit.
MaxSessions = 50
# Maximum number of sessions the server allows per client. Set to 0 for no limit.
# NOTE(review): with 0 here, a single client can presumably occupy all sessions allowed by
# MaxSessions. Consider a finite per-client cap on servers reachable by untrusted clients.
MaxSessionsPerClient = 0
# Maximum total number of subscriptions. Set to 0 for no limit.
MaxSubscriptions = 0
# Maximum number of subscriptions per session. Set to 0 for no limit.
MaxSubscriptionsPerSession = 20
# Maximum number of publish requests per session.
MaxPublishPerSession = 10
# Maximum number of continuation points per session.
MaxContinuationPointsPerSession = 5
# Maximum number of continuation points per session for Query services.
MaxQueryContinuationPointsPerSession = 5
# Maximum number of continuation points per session for ReadHistory services.
MaxHistoryContinuationPointsPerSession = 5
# Minimum session timeout in milliseconds. Set to 0 for no limit.
MinSessionTimeout = 0
# Maximum session timeout in milliseconds. Set to 0 for no limit.
# NOTE(review): 0 means clients may request arbitrarily long session timeouts, so idle
# sessions can hold one of the MaxSessions slots for as long as the client asked for.
MaxSessionTimeout = 0
# Session timeout resolution in milliseconds. Set to 0 for no limitation.
SessionTimeoutResolution = 0
# The minimum supported publishing interval.
# NOTE(review): the unit is not stated for the interval settings below; presumably
# milliseconds like the session timeouts - confirm against the SDK documentation.
MinPublishingInterval = 50
# The maximum supported publishing interval.
MaxPublishingInterval = 3600000
# The minimum supported KeepAliveInterval for subscriptions.
MinKeepAliveInterval = 500
# The maximum supported KeepAliveInterval for subscriptions.
MaxKeepAliveInterval = 1200000
# The minimum supported Lifetime for subscriptions. Should be at least 3 * MinKeepAliveInterval.
MinLifetimeInterval = 1500
# The maximum supported Lifetime for subscriptions. Should be at least 3 * MaxKeepAliveInterval.
MaxLifetimeInterval = 360000000
# Maximum total number of monitored items. Set to 0 for no limit.
# NOTE(review): the total and per-session limits are both 0 (no limit), so the only bound
# visible in this file is per subscription: 50 sessions x 20 subscriptions x 1500 items
# = 1,500,000 monitored items, each with a queue of up to MaxMonitoredItemsQueueSize
# entries. If memory exhaustion by clients is a concern, set explicit totals.
MaxMonitoredItems = 0
# Maximum number of monitored items per subscription. Set to 0 for no limit.
MaxMonitoredItemsPerSubscription = 1500
# Guaranteed minimum number of monitored items a subscription can create.
GuaranteedMonitoredItemsPerSubscription = 0
# Maximum number of monitored items per session. Set to 0 for no limit.
MaxMonitoredItemsPerSession = 0
# Maximum queue size for data monitored items.
MaxMonitoredItemsQueueSize = 100000
# Maximum queue size for event monitored items.
MaxEventMonitoredItemsQueueSize = 10000
# Maximum number of monitored items for the subscription containing the data logger nodes.
MaxDataLoggerSubscriptionItems = 1000
# Publishing interval of the subscription containing the data logger nodes.
DataLoggerSubscriptionPublishingInterval = 500

[Trace]
# Enable the trace
Enabled = true
# Trace level (possible values: None, Error, Warning, System, Info, Debug, Content, All)
# NOTE(review): All is the last value in the list and presumably enables every level,
# including Debug and Content. What Content records is not visible here; if it includes
# message payloads, the trace can contain process data and user token material. Use a
# lower level (e.g. Warning or Error) outside of debugging and restrict access to the
# trace output.
Level = All
# Use local time instead of UTC in the trace
# NOTE(review): with LocalTimeTrace = true and PrintDateInTrace = false, entries carry a
# local time without a date, which makes correlation with other logs harder.
LocalTimeTrace = true
# Print the date in addition to the time
PrintDateInTrace = false
# Enable tracing to the console on stdout
ConsoleTraceEnabled = true
# Enable tracing to a file
FileTraceEnabled = true
# File to use for tracing
FileTraceFilename = servertrace
# Maximum number of trace entries in one file
# NOTE(review): 1000 entries per file with 5 backups retains only a short history at
# Level = All; size these for the retention needed when investigating an incident.
FileTraceMaxEntries = 1000
# Maximum number of backup files
FileTraceNumBackupFiles = 5
# Do not flush the file after each trace entry. The trace file is flushed automatically from time to time anyway.
# - For maximum trace performance you should set this option to true.
# - If you have issues with missing trace entries in case of an application crash, you should set this option to false.
FileTraceFlushDisabled = false
# Activate trace events for trace levels System, Warning and Error. Requires OPCUA_TRACE_RAW to be enabled.
# Possible values are: Disabled, History, HistoryAndEvents
EventTraceMode = Disabled

[UaStack]
# NOTE(review): the values in this section bound what the decoder accepts from a peer and
# therefore how much memory a single incoming message can claim. Keep them as small as the
# application allows and consistent with each other. As shipped,
# TcpTransport_MaxChunkCount x TcpListener_DefaultChunkSize = 256 x 65536 = 16777216,
# which matches TcpTransport_MaxMessageLength and Serializer_MaxMessageSize.
# The largest size for a memory block the serializer can do when deserializing a message.
Serializer_MaxAlloc = 16777216
# The largest string accepted for any decoded string.
Serializer_MaxStringLength = 16646145
# The largest byte string accepted for any decoded byte string.
Serializer_MaxByteStringLength = 16646145
# Maximum number of elements in an array accepted for any decoded array.
Serializer_MaxArrayLength = 65536
# The maximum number of bytes per decoded message in total.
Serializer_MaxMessageSize = 16777216
# The default and maximum size for message chunks in the server. Affects network performance and memory usage.
TcpListener_DefaultChunkSize = 65536
# The default and maximum size for messages. Affects memory usage.
TcpTransport_MaxMessageLength = 16777216
# The default and maximum number of message chunks per message. Affects memory usage.
TcpTransport_MaxChunkCount = 256

[Endpoints]
# Number of Endpoints/<index>/... entries that follow.
Endpoints/size = 2
# URL of the Endpoint; this URL is used for Discovery and to open the Endpoints
# in the UA stack if no BindURL is configured.
# [gethostname] can be used as placeholder for the computer name.
Endpoints/0/EndpointURL = opc.tcp://[gethostname]:48020
# Optional URL that defines a specific address the stack should bind to.
# Can be used to bind the endpoint to a specific network card or to localhost only.
# [gethostname] can be used as placeholder for the computer name
Endpoints/0/BindURL = opc.tcp://[gethostname]:48020
# SecurityPolicies the endpoint shall offer (comma separated list of sections)
# The SecurityPolicies 'Basic128Rsa15' and 'Basic256' are deprecated.
# It is up to an administrator to configure the actual exposed SecurityPolicies.
# NOTE(review): SecurityPolicy_None (MessageSecurity = None in its section) is offered
# next to the signing/encrypting policies, so a client may choose a channel without
# message security. Remove it from this list unless unsecured access is required.
# SecurityPolicy_Aes256 is defined in this file but is not offered here.
Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic256Sha256, SecurityPolicy_Aes128
# UserTokenPolicies the endpoint shall offer (comma separated list of sections)
# NOTE(review): Anonymous is offered, so sessions can be created without user credentials;
# what an anonymous session may access is decided elsewhere and is not visible here.
# UserName_Aes256 and Certificate_Aes256 are defined in this file but are not offered here.
Endpoints/0/UserTokenPolicies = Anonymous, UserName_256Sha256, UserName_Aes128, Certificate_256Sha256, Certificate_Aes128
# The PKI store section this endpoint shall use
# Two stores are available in this settings file: PKIStore_OpenSSL and PKIStore_None
Endpoints/0/PKIStore = PKIStore_OpenSSL
# This option can be activated if certificates are used only for message security but not for application authentication.
# If set to true, all client certificates will be accepted automatically, and they are not stored.
# It is strongly recommended to use this option only together with user authentication.
Endpoints/0/TrustAllClientCertificates = false
# For calculating the server signature, the server appends the client certificate to the client nonce.
# If the client sends a certificate chain, the server should only use the leaf certificate to calculate the server signature.
# With this setting enabled, the server uses the complete certificate chain instead. This is not the recommended behaviour.
# Only set this flag to work around interoperability issues with misbehaving clients.
Endpoints/0/CreateSignatureWithChain = false
# NOTE(review): every Disable* flag below switches off one client certificate validation
# check. All are false as shipped, i.e. all checks stay active; enable one only for a
# specific, documented interoperability problem.
# Flag used to disable the client certificate validation error BadCertificateTimeInvalid. Default is false.
Endpoints/0/DisableErrorCertificateTimeInvalid = false
# Flag used to disable the client certificate validation error BadCertificateIssuerTimeInvalid. Default is false.
Endpoints/0/DisableErrorCertificateIssuerTimeInvalid = false
# Flag used to disable the client certificate validation error BadCertificateRevocationUnknown. Default is false.
Endpoints/0/DisableErrorCertificateRevocationUnknown = false
# Flag used to disable the client certificate validation error BadCertificateIssuerRevocationUnknown. Default is false.
Endpoints/0/DisableErrorCertificateIssuerRevocationUnknown = false
# Flag used to disable the ApplicationUri match check between client certificate and parameter in CreateSession.
# The check is required for compliant OPC UA servers but older clients may provide a wrong ApplicationUri. Default is false.
Endpoints/0/DisableApplicationUriCheck = false
# Flag used to disable the check for compliant certificate usage entries. Default is false.
Endpoints/0/DisableCertificateUsageCheck = false
# Flag used to disable the check if the certificate key length matches the requirements of the used SecurityPolicy. Default is false.
Endpoints/0/DisableCertificateKeyLengthCheck = false
# Flag used to disable the check if the certificate signature algorithm matches the requirements of the used SecurityPolicy. Default is false.
Endpoints/0/DisableCertificateAlgorithmCheck = false

# Uncomment the next settings (Endpoints/1/...) and set Endpoints/size to 2 to enable HTTPS based profiles.
# This profile works, but is not officially supported in this version of the SDK.
# This is the HTTP based protocol that will be supported by embedded devices.
# The HTTPS profile is not completely tested, so you can use it at your own risk.
# Additionally, you have to recompile the SDK with the following options set to 'ON' after setting
# ENABLE_EXPERIMENTAL_OPTIONS to 'ON':
#   TLS   : UASTACK_WITH_TLS
#   HTTPS : UASTACK_WITH_HTTPS
# NOTE(review): the text above describes an optional HTTPS endpoint, but in this file the
# Endpoints/1 settings are already active, Endpoints/size is already 2 and both URLs use
# opc.tcp on port 4660. As configured, this is a second opc.tcp endpoint that offers only
# SecurityPolicy_None and Anonymous, i.e. no message security and no user authentication.
# Confirm that this is intended; if not, comment these lines out and set Endpoints/size
# back to 1.
Endpoints/1/EndpointURL = opc.tcp://[gethostname]:4660
Endpoints/1/BindURL = opc.tcp://[gethostname]:4660
Endpoints/1/SecurityPolicies = SecurityPolicy_None
Endpoints/1/UserTokenPolicies = Anonymous
Endpoints/1/PKIStore = PKIStore_OpenSSL
Endpoints/1/TrustAllClientCertificates = false

# SecurityPolicy sections referenced from Endpoints/<index>/SecurityPolicies.
[SecurityPolicy_None]
Url = http://opcfoundation.org/UA/SecurityPolicy#None
MessageSecurity = None

# The SecurityPolicies 'Basic128Rsa15' and 'Basic256' are deprecated.
# It is up to an administrator to configure the actual exposed SecurityPolicies.
#[SecurityPolicy_Basic128Rsa15]
#Url = http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
#MessageSecurity = Sign, SignAndEncrypt
#
#[SecurityPolicy_Basic256]
#Url = http://opcfoundation.org/UA/SecurityPolicy#Basic256
#MessageSecurity = Sign, SignAndEncrypt

[SecurityPolicy_Basic256Sha256]
Url = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
MessageSecurity = Sign, SignAndEncrypt

[SecurityPolicy_Aes128]
Url = http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep
MessageSecurity = Sign, SignAndEncrypt

[SecurityPolicy_Aes256]
Url = http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss
MessageSecurity = Sign, SignAndEncrypt

# UserTokenPolicy sections referenced from Endpoints/<index>/UserTokenPolicies.
[Anonymous]
PolicyId = Anonymous_Token
TokenType = Anonymous

# The SecurityPolicies 'Basic128Rsa15' and 'Basic256' are deprecated.
# It is up to an administrator to configure the actual exposed SecurityPolicies.
#[UserName_256]
#PolicyId = UserName_256_Token
#TokenType = UserName
#SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Basic256
#
#[Certificate_256]
#PolicyId = Certificate_256_Token
#TokenType = Certificate
#SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Basic256

[UserName_256Sha256]
PolicyId = UserName_256Sha256_Token
TokenType = UserName
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

[Certificate_256Sha256]
PolicyId = Certificate_256Sha256_Token
TokenType = Certificate
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

[UserName_Aes128]
PolicyId = UserName_Aes128_Token
TokenType = UserName
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep

[Certificate_Aes128]
PolicyId = Certificate_Aes128_Token
TokenType = Certificate
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep

[UserName_Aes256]
PolicyId = UserName_Aes256_Token
TokenType = UserName
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss

[Certificate_Aes256]
PolicyId = Certificate_Aes256_Token
TokenType = Certificate
SecurityPolicyUri = http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss

[PKIStore_OpenSSL]
# The PKI provider to use. OpenSSL is available on all platforms.
PkiType = OpenSSL
# Server Certificate: Path to a PEM or DER encoded certificate file.
# This file may also contain multiple concatenated certificates (certificate chain).
CertificateFile = pki/own/uaservercert.der
# Server Private Key: Path to a PEM encoded private key file. This should not be password protected
# so that the server can start unattended. With a password protected file, the server will need to prompt the user to
# input the password to unlock the file, which is not possible when running as a service.
# NOTE(review): because the key is stored without a password, file system permissions are
# its only protection. Restrict read access to this file and its directory to the account
# the server runs as, and keep it out of backups and images that others can read.
CertificateKeyFile = pki/own/uaserverkey.nopass.pem
# Number of additional certificates to form the certificate chain.
AdditionalCertificates/size = 0
# Additional certificates that will be appended to the server certificate to form the certificate chain.
#AdditionalCertificates/0/File = pki/own/rootcacert.der
#AdditionalCertificates/1/File = pki/own/scacert.der
# Path to trusted certificates. This includes trusted CA certificates as well as self-signed certificates.
# NOTE(review): anything placed in this directory is trusted, so write access to it
# should be limited to administrators.
TrustListPath = pki/trusted/certs
# This is the directory where the server stores certificate revocation lists.
# By default this directory contains no CRLs.
# NOTE(review): without CRLs the revocation status of CA-issued certificates cannot be
# determined; how that is reported is governed by the
# DisableErrorCertificate*RevocationUnknown flags in [Endpoints]. Provision current CRLs
# when CA-issued client certificates are in use.
CRLPath = pki/trusted/crl
# Path to untrusted CA certificates. These certificates are only used to build a complete certificate chain.
IssuerTrustListPath = pki/issuers/certs
# Path to the revocation lists (CRLs) belonging to the untrusted CA certificates in
# IssuerTrustListPath (inferred from the key name and the pki/issuers/crl value - confirm
# against the SDK documentation).
IssuerCRLPath = pki/issuers/crl
# Enable server certificate creation if certificate is not available
# NOTE(review): a certificate generated on first start is presumably self-signed with the
# subject fields below; clients then have to trust it explicitly. For production, consider
# provisioning a CA-issued certificate and setting this to false.
GenerateCertificate = true
# Name of the application - [ApplicationName] is the default value to use the configured ApplicationName
CommonName = [ApplicationName]
# Name of the organization using the OPC UA server
Organization = ATM Samara
# Name of the organization unit using the OPC UA server
OrganizationUnit =
# Name of the location where the OPC UA server is running
Locality =
# State where the OPC UA server is running
State = Moscow
# Two letter code for the country where the OPC UA server is running, e.g. DE or US
Country = RU
# The number of years the certificate is valid for. The maximum accepted number is 20,
# but it is strongly recommended to use a shorter time.
YearsValidFor = 5
# Key length of the certificate to create
KeyLength = 2048
# Signature algorithm to use for signing the certificate
SignatureAlgorithm = Sha256

[PKIStore_None]
# Example PKI provider for disabled security
PkiType = None

[PKI]
# RejectedPath: Path where rejected certificates will be stored.
RejectedPath = pki/rejected
# Maximum number of rejected certificates. This prevents malicious programs from filling up available disk space by
# calling OpenSecureChannel with different certificates.
MaxRejectedCertificates = 50
# By default, deprecated SecurityPolicies are rejected by the SDK when loading the configuration.
# For backwards compatibility with old applications this behavior can be overridden.
# Please consider carefully before turning this feature on.
AllowDeprecatedSecurityPolicies = false
# All groups containing PKI store settings (comma separated list of groups)
PKIStores = PKIStore_OpenSSL

[Discovery]
# Enables registration at the local discovery server
Register = false
# URL of the discovery server to register with (only relevant when Register = true - presumably; confirm).
DiscoveryURL = opc.tcp://localhost:4840/UADiscovery/discovery
# NOTE(review): unit not stated; presumably the registration interval in milliseconds - confirm.
DiscoveryInterval = 30000

[Authentication]
# file path to passwd file
# NOTE(review): the storage format of the credentials in this file is not visible here.
# Restrict read and write access on the passwd and group files to the server account.
PasswdFilePath = passwd
# file path to group file
GroupFilePath = group
# The ID of the root user
RootUser = 0
# The ID of the security administrator group
SecurityAdminGroup = 0
# SecurityPolicy to use for UserTokens on non-secure endpoints where no SecurityPolicy or SecurityPolicy#None is set.
FallbackSecurityPolicy = http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
# The folder containing accepted user certificates for X509 authentication tokens.
UserCertsDir = auth_pki/trusted/certs
# The folder containing certificate revocation lists for X509 authentication tokens.
UserCrlDir = auth_pki/trusted/crl
# The folder containing issuer certificates for X509 authentication tokens.
UserIssuerCertsDir = auth_pki/issuers/certs
# The folder containing issuer revocation lists for X509 authentication tokens.
UserIssuerCrlDir = auth_pki/issuers/crl
# NOTE(review): the Disable* flags below switch off individual X509 user token validation
# checks. All are false as shipped, i.e. all checks stay active.
# Flag used to disable the X509 user token validation error BadCertificateTimeInvalid. Default is false.
DisableErrorUserTokenTimeInvalid = false
# Flag used to disable the X509 user token validation error BadCertificateIssuerTimeInvalid. Default is false.
DisableErrorUserTokenIssuerTimeInvalid = false
# Flag used to disable the X509 user token validation error BadCertificateRevocationUnknown. Default is false.
DisableErrorUserTokenRevocationUnknown = false
# Flag used to disable the X509 user token validation error BadCertificateIssuerRevocationUnknown. Default is false.
DisableErrorUserTokenIssuerRevocationUnknown = false

[DemoProvider]
# Start logging on startup
StartLogging = false
# Folder to contain the logged data
DataLoggerPath = historian