OPC UA Server Settings Tab

Context

You define server endpoints on this tab.

Procedure

  1. Choose Add Endpoint.

    PCo displays the Add Server Endpoint Description dialog box.

  2. In the Endpoint URL field, define the URL at which clients can address the OPC UA server.

    PCo proposes an example URL. When you create a new entry or change an entry, you need to enter a valid URL here. A simple validity check is performed. A valid URL starts with one of the following three character strings:

    • opc.tcp://

    • http://

    • https://

    Then comes the URL of the server, for which you ideally use a fully qualified domain name. This is followed by a port number, separated by a colon, and, optionally, path details.

    PCo checks whether the port number is already in use on other active servers of the PCo instance and, if necessary, lets you choose a port number that has not yet been used.

  3. The selection options for the following three fields depend on the structure of the URL entry:

    Field

    Description

    Security Mode

    The security mode defines which steps are used for a secure connection setup (OpenSecureChannel request). You can choose between the following settings:

    • None

      For this setting, the request is neither signed nor encrypted. In this case, no certificates are used for a secure connection setup.

    • Sign

      For this setting, the request is signed with the private key of the server application certificate so that the client (that has to trust the server certificate) can validate the request.

    • SignAndEncrypt

      For this setting, the server uses the public key of the client to sign the message and to encrypt it.

    Security Policy

    The security policy determines, to a certain extent, which cryptographic algorithms are used to set up the secure connection.

    The following options are possible depending on the security mode defined previously:

    • Security mode None: None

    • Security modes Sign and SignAndEncrypt:

      The following security policies are available:
      • Aes128_Sha256_RsaOaep

        This security policy is intended for configurations with medium security requirements.

      • Aes256_Sha256_RsaPss

        This security policy is intended for configurations with high security requirements.

      • Basic256Sha256

        This security policy is intended for configurations with high security requirements.

      For more information about these security policies, see https://apps.opcfoundation.org/profilereporting/ in the section Security Category > SecurityPolicy.

      There are also the deprecated security policies Basic128Rsa15 and Basic256. These can still be used if you have explicitly allowed their use. See: Compatibility Settings. They then appear in the dropdown list with the addition of the word (deprecated).

    Encoding

    The following options are available for encoding:

    • (OPC UA) Binary

    • (OPC UA) XML

    XML is only available if the endpoint URL starts with http or https.
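
The rules in this procedure can be checked offline before an endpoint definition is entered or when reviewing an existing configuration. The following is an added example, not PCo code and not PCo's own validity check; the function name, the finding texts, the `allow_deprecated` and `used_ports` parameters, and the sample host names and ports are assumptions made for illustration.

```python
from urllib.parse import urlsplit

CURRENT_POLICIES = {"Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss", "Basic256Sha256"}
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}


def audit_endpoint(url, mode, policy, encoding, allow_deprecated=False, used_ports=()):
    """Return findings for one endpoint definition; an empty list means consistent."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("opc.tcp", "http", "https") or not parts.hostname:
        findings.append("error: URL must start with opc.tcp://, http:// or https://")
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        port = None
    if port is None:
        findings.append("error: URL carries no valid port number")
    elif port in used_ports:
        findings.append(f"error: port {port} is already used by another server")
    if parts.hostname and "." not in parts.hostname:
        findings.append("note: host is not a fully qualified domain name")
    # Security mode and security policy must match as described in step 3.
    if mode == "None":
        if policy != "None":
            findings.append("error: security mode None only allows security policy None")
        findings.append("warning: requests are neither signed nor encrypted")
    elif mode in ("Sign", "SignAndEncrypt"):
        if policy in DEPRECATED_POLICIES:
            findings.append(
                f"warning: {policy} is deprecated" if allow_deprecated
                else f"error: {policy} is deprecated and not allowed in Compatibility Settings")
        elif policy not in CURRENT_POLICIES:
            findings.append(f"error: {policy} is not offered for mode {mode}")
    else:
        findings.append(f"error: unknown security mode {mode}")
    # XML encoding is tied to the http/https transports.
    if encoding not in ("Binary", "XML"):
        findings.append(f"error: unknown encoding {encoding}")
    elif encoding == "XML" and parts.scheme not in ("http", "https"):
        findings.append("error: XML encoding requires an http or https endpoint URL")
    return findings


SAMPLES = [  # constructed sample endpoints; host names and ports are placeholders
    ("opc.tcp://pco01.example.com:4840/PCo", "SignAndEncrypt", "Aes256_Sha256_RsaPss", "Binary"),
    ("opc.tcp://pco01:4841", "None", "None", "XML"),
    ("https://pco01.example.com:4843/ua", "Sign", "Basic128Rsa15", "XML"),
]
if __name__ == "__main__":
    print(*(f"{s[0]} -> {audit_endpoint(*s)}" for s in SAMPLES), sep="\n")
```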