Add configurable transport security profiles and bind address

Adds Security section to appsettings.json with configurable OPC UA transport profiles (None, Basic256Sha256-Sign, Basic256Sha256-SignAndEncrypt), certificate policy settings, and a configurable BindAddress for the OPC UA endpoint. Defaults preserve backward compatibility. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 15:59:43 -04:00
parent bbd043e97b
commit 55173665b1
28 changed files with 1092 additions and 87 deletions
--- a/docs/CliTool.md
+++ b/docs/CliTool.md
@@ -37,6 +37,31 @@ Example:
 dotnet run -- write -u opc.tcp://localhost:4840 -n "ns=2;s=MyNode" -v 42 -U operator -P op123
 ```

+## Transport Security Options
+
+All commands accept the `-S` / `--security` flag to select the transport security mode:
+
+| Flag | Values | Description |
+|------|--------|-------------|
+| `-S` / `--security` | `none`, `sign`, `encrypt` | Transport security mode (default: `none`) |
+
+When `sign` or `encrypt` is specified, the CLI tool:
+
+1. Ensures a client application certificate exists (auto-created if missing)
+2. Discovers server endpoints and selects one matching the requested `MessageSecurityMode`
+3. Prefers `Basic256Sha256` when multiple matching endpoints exist
+4. Fails with a clear error if no matching endpoint is found
+
+Examples:
+
+```bash
+# Connect with encrypted transport
+dotnet run -- connect -u opc.tcp://localhost:4840/LmxOpcUa -S encrypt
+
+# Browse with signed transport and credentials
+dotnet run -- browse -u opc.tcp://localhost:4840/LmxOpcUa -S sign -U admin -P secret -r -d 2
+```
+
 ## Commands

 ### connect