The understand the value of this approach you must see a UA information model as a window on your data rather than a database.

What this means is you do not need represent a device as 10+ nodes in memory. You instead build a NodeId structure that allows to response to Browse/Read/Write/Call on demand.

This means the only thing you actually need in memory is a structure that describes your device. All of the information associated with various Nodes used to represent your device are collected on demand by merging the static model with the device specific data..

To illustrate this concept a NodeManager for 100 million Nodes was implemented here:

https://github.com/OPCFoundati.....moryBuffer

We are developing an OPC UA server based on on the library 'OPCFoundation.NetStandard.Opc.Ua.Server'. The server exposes data of building automation controllers (up to 500 devices). We are now a bit worried that the address space will take up too much RAM, since each object is represented by a number of nodes that must be stored in memory.

What generally consumes the most memory in an OPC UA server? Is it the storage of the address space, or other factors such as subscriptions and monitored items?

Please guide us regarding memory consumption in an OPC UA server. Maybe we're worrying about nothing?

How we are currently working:

We model our object types in a ModelDesign.xml file and then compile it with ModelCompiler. Then we load the .uanodes file generated by the compiler in our node manager class. To add an object (set of nodes) to the address space of the server we create an object instance of one of the classes that are generated by the compiler and then call CreateNode with that instance as inparameter (we also create references). As we understand the address space (all nodes) are cached in CustomNodeManager2::m_predefinedNodes.

Was working fine with anonymous/basic auth during local testing, but I'm running into failures now trying to connect to a customer OPC UA server leveraging certificates.

Looking for any guidance, as both this auth problem and certificate problems in general are a little out of my depth.

I am not using an XML config for the application configuration, I have most of it hard coded with some choices exposed through default ASP.NET Core `IConfiguration`.

I thought that using a single certificate would be better than allowing the application to generate its own on session handshake, so I used an F# script to generate a certificate and provided the `pem` and `der` to the customer to add to the `trusted` folder of their OPC UA server. I'm pulling in the `.pfx` file to use during the handshake.

Any help or guidance towards documentation/examples to help me resolve this problem would be greatly appreciated!

Here is the log message/exception that I'm getting:
```
info: ReachPapermakingClient.OpcUaClientFactoryV2[0]
Loaded OPC UA client certificate: Subject=CN=ProjectName, O=CompanyName, OU=OPC UA Client, Thumbprint=12345abcdefg, ValidTo=04/13/2036 10:44:59
info: ReachPapermakingClient.OpcUaClientFactoryV2[0]
OPC UA application configuration validated

info: ReachPapermakingClient.OpcUaClientFactoryV2[0]
Connecting: Endpoint=opc.tcp://myendpoint.com:4840, Session=REACH_Papermaking_Client_Primary, Auth=Username (opc_test)

info: ReachPapermakingClient.OpcUaClientFactoryV2[0]
Selected endpoint: opc.tcp://myendpoint.com:4840, SecurityPolicy=https://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss, SecurityMode=SignAndEncrypt

info: ReachPapermakingClient.OpcUaClientFactoryV2[0]
Using username/password identity for user: opc_test

Unhandled exception. Opc.Ua.ServiceResultException: ApplicationCertificate for the security profile https://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss cannot be found.
at Opc.Ua.Client.Session.LoadCertificateAsync(ApplicationConfiguration configuration, String securityProfile)
at Opc.Ua.Client.Session.CreateChannelAsync(ApplicationConfiguration configuration,
ITransportWaitingConnection connection, ConfiguredEndpoint endpoint, Boolean updateBeforeConnect, Boolean checkDomain, CancellationToken ct)
at Opc.Ua.Client.Session.CreateAsync(ISessionInstantiator sessionInstantiator, ApplicationConfiguration configuration, ITransportWaitingConnection connection, ConfiguredEndpoint endpoint, Boolean updateBeforeConnect, Boolean checkDomain, String sessionName, UInt32 sessionTimeout, IUserIdentity identity, IList`1 preferredLocales, CancellationToken ct)
at Opc.Ua.Client.DefaultSessionFactory.CreateAsync(ApplicationConfiguration configuration, ConfiguredEndpoint endpoint, Boolean updateBeforeConnect, Boolean checkDomain, String sessionName, UInt32 sessionTimeout, IUserIdentity identity, IList`1 preferredLocales, CancellationToken ct)
at Opc.Ua.Client.TraceableSessionFactory.CreateAsync(ApplicationConfiguration configuration, ConfiguredEndpoint endpoint, Boolean updateBeforeConnect, String sessionName, UInt32 sessionTimeout, IUserIdentity identity, IList`1 preferredLocales, CancellationToken ct)
at ReachPapermakingClient.OpcUaClientFactoryV2.CreateClientAsync(ApplicationConfiguration config, String endpointUrl, String sessionName) in D:\agent\_work\3348\s\OpcUa\OpcUaClientFactoryV2.cs:line 206
at ReachPapermakingClient.OpcUaClientFactoryV2.CreateRedundantOpcUaClient(String sessionName, ILogger`1 logger) in D:\agent\_work\3348\s\OpcUa\OpcUaClientFactoryV2.cs:line 58
at Program.<Main>$(String[] args) in D:\agent\_work\3348\s\Worker\Program.cs:line 74
at Program.<Main>(String[] args)
Aborted
```

Here is the application configuration that I'm using to build out the OPC UA Client:
```cs
private ApplicationConfiguration BuildApplicationConfiguration()
{
var certificate = LoadClientCertificate();

return new ApplicationConfiguration
{
ApplicationName = ApplicationName,
ApplicationUri = ApplicationUri,
ApplicationType = ApplicationType.Client,
SecurityConfiguration = new SecurityConfiguration
{
ApplicationCertificate = new CertificateIdentifier
{
StoreType = "Directory",
StorePath = GetCertificateStorePath("own"),
SubjectName = certificate.Subject,
Certificate = certificate
},
AutoAcceptUntrustedCertificates = true,
RejectSHA1SignedCertificates = false,
RejectUnknownRevocationStatus = false,
AddAppCertToTrustedStore = true,
TrustedPeerCertificates = new CertificateTrustList
{
StoreType = "Directory",
StorePath = GetCertificateStorePath("trusted")
},
TrustedIssuerCertificates = new CertificateTrustList
{
StoreType = "Directory",
StorePath = GetCertificateStorePath("issuer")
},
RejectedCertificateStore = new CertificateStoreIdentifier
{
StoreType = "Directory",
StorePath = GetCertificateStorePath("rejected")
}
},
TransportConfigurations = new TransportConfigurationCollection(),
TransportQuotas = new TransportQuotas { OperationTimeout = 30_000 },
ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60_000 },
};
}
```

Here is the F# script that is used to create the cert that we're using (in case we need to embed the security profile in the generation somehow? Again, i have no idea here)

```fs
let applicationName = "REACH_Papermaking"
let applicationUri = "urn:REACH_Papermaking:OpcUaClient"
let subjectName = "CN=ProjectName, O=CompanyName, OU=OPC UA Client"

let outputDir =
let dir = Path.Combine(__SOURCE_DIRECTORY__, "..", "Worker", "Certificates")
let dir = Path.GetFullPath(dir)
Directory.CreateDirectory(dir) |> ignore
dir

let lifetimeMonths = uint16 (10 * 12)

let cert =
CertificateFactory
.CreateCertificate(applicationUri, applicationName, subjectName, null)
.SetNotBefore(DateTime.UtcNow.AddDays(-1.0))
.SetLifeTime(lifetimeMonths)
.SetHashAlgorithm(X509Utils.GetRSAHashAlgorithmName(uint32 CertificateFactory.DefaultHashSize))
.SetRSAKeySize(CertificateFactory.DefaultKeySize)
.CreateForRSA()

let derPath = Path.Combine(outputDir, $"{applicationName}.der")
File.WriteAllBytes(derPath, cert.RawData)
let pfxPath = Path.Combine(outputDir, $"{applicationName}.pfx")
File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pfx))
let pemPath = Path.Combine(outputDir, $"{applicationName}.pem")
File.WriteAllText(pemPath, cert.ExportCertificatePem())

exit 0
```

Just wanted to add an option that wasn't available back in 2016: php-opcua (https://www.php-opcua.com/) is a pure-PHP OPC UA client that works on Linux with no native extensions required — just composer require php-opcua/opcua-client.

It supports read/write, browse, subscriptions, and 10 security policies, and has dedicated packages for Laravel and Symfony. MIT licensed and open source.

Should be a good fit for the Linux use case mentioned in this thread.

Cheers

While all servers may not support today, it is something that can be easily filled in as part of a dialog with server vendors.

I believe that certification testing will require that this property be filled out correctly.

So insisting on certified servers would make the field more useful.

Based on your answer this list isn't limitted to the scope of server capabilities but also includes all used companion specification or vendor specific defined profiles?

I'm not shure if all servers are conform to this (at least the uamit demo server isn't it) https://github.com/umati/Sample-Server. So from a robust client perspecivte this isn't a feacable way.

ServerProfileArray lists the Profiles that the Server supports. The String shall be the URI of the Profile. See OPC 10000-7 for definitions of OPC UA Server Profiles. This list should be limited to the Profiles the Server supports in its current configuration.

https://reference.opcfoundatio.....docs/6.3.2

The mapping between information in a token and the local roles is defined by Part 18

https://reference.opcfoundatio.....docs/4.4.4

In this case, the server admin would set up mapping rules for the roles that actually appear in the token and the the roles it knows about.

Randy Armstrong said
Profiles are the primary way to to determine what functionality is supported.
  

But then we got the key-problems:

• how could a client read out the supported profiles from a server?
• it seems that OPC UA server doesn't offer a "interface version" in a common/generic way. If I implement the Machinery Basic Building Blocks V1.04, then I earn 4-7 additional nodeSets. Each of them has his own version and URI information - but what the machine really provides as funcitonality at the interface (assuming that no machine provide all defined things from day 1) is the question.

NodeSet minor versions are always backward compatible.

NodeSet major versions are not.

Usually, the URI will change with the major version. 

The Namespaces component of the Server Object has all of the metadata associated with the NamespaceUris.

We implemented a lot of different interfaces for our products, and we had always some issues or soultions regarding different interface versions of communication partners.

With OPC UA, there is a promise that this will be solved in a robust manner. therefore some questions arise: So what must be provided by the server?

• I assume that for each used NodeSet with its Namespace and details, there must be an entry in the Namespace-Array. Accessing the namespace-details in the ServerType isn't possible, because it is optional (https://reference.opcfoundatio.....docs/6.3.1). So as client, at this point we get just the URIs. On the other side, with the URIs the client could rely on that there is no breaking change (https://reference.opcfoundatio...../docs/11.3). But no informations regarding intermediate versions.
• A client could only rely on all mandatory parts of a specification (https://reference.opcfoundatio.....103/docs/3) -> that is clear, but most specifications defines more elements optional, than mandatory. on the other side the server could react with errors (e.g. BadNotImplemented) or just provide default values (e.g. empty strings) for mandatory parts, to bypass this requirement.
• Does the ServerStatus https://reference.opcfoundatio.....docs/12.10 provide BuildInfos regarding the used SDK or in general the OPC UA Server?
• If there are different profiles available, the interface and also the application will propably have an implementation progress.
• Any "software revision" provided by the nameplate will cover the entire machine - not just the OPC UA server or the interface definition. In addition this is only available whithin a limitted scope like companion specifications.

I've the feeling to overlook the basic version-information... like it is done for Rest-API versioning

Thanks, and best regards

P51D

This could mean long time outs or other error reporting delays that occur when relying on TCP stack error notifications.

The spec provides no recommendations when it comes to setting TCP socket properties but perhaps it should.

Can you add a mantis issue for Part 6 with some suggestions for spec additions:

https://mantis.opcfoundation.o.....default=no

What is the preferable way to determine the connection loss so ua server can resend RHEL message to the client?

Can we enable tcp keep-alive on ua-server side?

Or should we have some configurable timeout on ua-server side like "timeout of no client messages received" ?

Or may be ua-server shall once in a sec try to open socket to the client and this way monitor connection loss?

Or may be ua-server should wait for session timeout to pass?

Any other way?