lmxopcua/docs/Configuration.md

Configuration Reference

This is the live configuration reference for the OtOpcUa Host (src/Server/ZB.MOM.WW.OtOpcUa.Host/). It enumerates the appsettings*.json sections, the bound Options classes, and the OTOPCUA_* / sim-endpoint environment variables — every entry grounded in source.

Two related concerns get their own dedicated pages and are only summarised + linked here, not duplicated:

• Transport security, OPC UA authentication, LDAP, data-/control-plane authorization → security.md
• Redundancy + the Cluster section → Redundancy.md

How configuration is layered

The Host (Program.cs) loads appsettings.json, then overlays a per-role file chosen from the cluster roles:

• A single role → appsettings.{role}.json (e.g. appsettings.driver.json, appsettings.admin.json).
• Both roles → appsettings.admin-driver.json (roles joined with -, ordinal-sorted).
• appsettings.{ASPNETCORE_ENVIRONMENT}.json (e.g. appsettings.Development.json) is layered on by the host builder.

All role overlays are optional — the base appsettings.json plus the Options-class C# defaults are enough to boot. The roles themselves come from the OTOPCUA_ROLES env var (see ServiceHosting.md and the table below).

The checked-in appsettings*.json files are deliberately thin: they carry only Serilog and the Security:Ldap overlay. Everything else (OpcUa, Cluster, ConnectionStrings/ConfigDb) binds from the Options-class defaults documented below unless an operator adds the section explicitly or supplies the corresponding environment variable.

---

appsettings sections

Serilog

• Purpose: logging. Console + rolling daily file sink, layered with the shared ZB.MOM.WW.Telemetry enrichers (AddZbSerilog in Program.cs).
• Where bound: builder.AddZbSerilog(...) reads Serilog from configuration (ReadFrom.Configuration).
• Checked-in shape (appsettings.json): Using = [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ], WriteTo = a Console sink and a File sink (path: logs/otopcua-.log, rollingInterval: Day). Role overlays add MinimumLevel / Override blocks (e.g. Opc.Ua: Debug, Akka: Information).

OpcUa

• Purpose: the OPC UA server endpoint identity, listening port, PKI, transport-security profiles, and redundancy peer advertising.
• Options class: OpcUaApplicationHostOptions — src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OpcUaApplicationHost.cs.
• Bound by: AddValidatedOptions<OpcUaApplicationHostOptions, OpcUaApplicationHostOptionsValidator>(config, "OpcUa") in Program.cs (driver-role only). Validated fail-fast at startup by OpcUaApplicationHostOptionsValidator (src/Server/ZB.MOM.WW.OtOpcUa.Host/Configuration/OpcUaApplicationHostOptionsValidator.cs).

Key	Type	Default	Meaning
ApplicationName	string	OtOpcUa	Server application name. Required (validated).
ApplicationUri	string	urn:OtOpcUa	Server application URI. Must be unique per redundancy node. Required.
ProductUri	string	https://zb.com/otopcua	Product URI. Not validated.
OpcUaPort	int	4840	Binary endpoint listen port. Validated as a port.
PublicHostname	string	0.0.0.0	Hostname/IP advertised in endpoint descriptions. Required.
ApplicationConfigPath	string?	null	Optional path to an application config XML; loaded instead of building from defaults.
PkiStoreRoot	string	pki	Root of the PKI hierarchy (own/issuer/trusted/rejected substores created under it). Required. See security.md.
EnabledSecurityProfiles	list of OpcUaSecurityProfile	[None, Basic256Sha256Sign, Basic256Sha256SignAndEncrypt]	Transport-security profiles, one endpoint per entry. Must contain ≥1. Profile detail in security.md.
AutoAcceptUntrustedClientCertificates	bool	false	Auto-trust unknown client certs on first connect (dev convenience). Not validated. See security.md.
PeerApplicationUris	list of string	[] (empty)	Partner node ApplicationUris published in Server.ServerArray for redundancy discovery. See Redundancy.md.

Transport security profiles (the values in EnabledSecurityProfiles — None, Basic256Sha256Sign, Basic256Sha256SignAndEncrypt) and the PKI trust flow are documented in full in security.md. This page does not duplicate them.

Security

• Purpose: Admin-UI and OPC UA authentication. Three subsections, each its own Options class:

Subsection	Options class (SectionName)	Purpose
Security:Ldap	LdapOptions — src/Server/ZB.MOM.WW.OtOpcUa.Security/Ldap/LdapOptions.cs	LDAP bind for Admin cookie login + OPC UA UserName tokens. Bound by AddValidatedOptions<LdapOptions, LdapOptionsValidator> in Program.cs.
Security:Jwt	JwtOptions — src/Server/ZB.MOM.WW.OtOpcUa.Security/Jwt/JwtOptions.cs	Signing config for the JWT minted at /auth/token for external consumers (OPC UA clients / automation).
Security:Cookie	OtOpcUaCookieOptions — src/Server/ZB.MOM.WW.OtOpcUa.Security/CookieOptions.cs	The Admin-UI auth cookie (AddOtOpcUaAuth copies these onto CookieAuthenticationOptions).

Security:Ldap — see security.md for the full field-by-field reference and bind-flow. The checked-in role overlays set only DevStubMode and Transport; the remaining LdapOptions fields (Enabled, Server, Port, AllowInsecure, SearchBase, ServiceAccountDn, ServiceAccountPassword, GroupAttribute, DisplayNameAttribute, UserNameAttribute, GroupToRole) are covered there.

Security:Jwt key fields (JwtOptions):

Key	Type	Default	Meaning
SigningKey	string	""	HS256 signing key; must be ≥32 bytes UTF-8. Set from your secret store — never commit a value.
Issuer	string	otopcua	JWT issuer.
Audience	string	otopcua	JWT audience.
ExpiryMinutes	int	15	Token lifetime.

Security:Cookie key fields (OtOpcUaCookieOptions):

Key	Type	Default	Meaning
Name	string	ZB.MOM.WW.OtOpcUa.Auth	Auth cookie name. Changing it invalidates existing sessions on next deploy.
ExpiryMinutes	int	30	Idle sliding-window length.
RequireHttpsCookie	bool	true	SecurePolicy = Always. Set false only for plain-HTTP local dev (emits a startup Warning).

Authentication, data-plane authorization (NodeAcl / PermissionTrie), and control-plane Admin roles are all in security.md.

Cluster

• Purpose: Akka.NET cluster identity, transport, and roles — the backbone of redundancy.
• Options class: AkkaClusterOptions (SectionName = "Cluster") — src/Core/ZB.MOM.WW.OtOpcUa.Cluster/AkkaClusterOptions.cs. Bound by AddOtOpcUaCluster(config) in Program.cs.

Key	Type	Default	Meaning
SystemName	string	otopcua	Akka actor-system name.
Hostname	string	0.0.0.0	Bind hostname.
Port	int	4053	Cluster transport port.
PublicHostname	string	127.0.0.1	Hostname advertised in cluster gossip; must be reachable by peers.
SeedNodes	string[]	[]	Seed nodes for bootstrapping.
Roles	string[]	[]	Cluster roles for this node. When empty, falls back to OTOPCUA_ROLES. Allowed values: admin, driver, dev.

The full redundancy model (ServiceLevel tiers, split-brain, peer discovery) is in Redundancy.md. The OPC UA peer-URI advertising lives in the OpcUa:PeerApplicationUris key above.

ConnectionStrings → ConfigDb

• Purpose: the central Config DB connection string. Required for every role — Program.cs calls AddOtOpcUaConfigDb unconditionally.
• Bound by: AddOtOpcUaConfigDb(config) (src/Core/ZB.MOM.WW.OtOpcUa.Configuration/ServiceCollectionExtensions.cs). The connection-string name constant is ConnectionStringName = "ConfigDb", read via configuration.GetConnectionString("ConfigDb"). If absent, startup throws with a message pointing to either appsettings.json or the OTOPCUA_CONFIG_CONNECTION env var.
• Shape: standard ConnectionStrings:ConfigDb SQL Server connection string. There is no checked-in default in the thin appsettings*.json — supply it per environment.

The Config DB itself (the EF Core OtOpcUaConfigDbContext, entities, draft/publish generations, NodeAcl, LdapGroupRoleMapping, migrations) is the durable home for the fleet's drivers, UNS hierarchy, ACLs, and audit log. For the full schema see docs/v2/config-db-schema.md. This page does not duplicate it.

Galaxy / MxAccess driver config (DriverConfig JSON, not appsettings)

The Galaxy/MxAccess connection settings are not an appsettings section. They are driver-instance options stored in the DriverConfig JSON column of the Config DB (edited via the Admin UI), bound to GalaxyDriverOptions (src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Contracts/GalaxyDriverOptions.cs, namespace ...Driver.Galaxy.Config). It decomposes into nested records:

Record	Key fields (default)	Meaning
GalaxyGatewayOptions (Gateway)	Endpoint; ApiKeySecretRef; UseTls (true); CaCertificatePath (null); ConnectTimeoutSeconds (10); DefaultCallTimeoutSeconds (30); StreamTimeoutSeconds (0 = unlimited)	mxaccessgw gateway connection. ApiKeySecretRef supports env:NAME / file:PATH / dev:KEY / literal forms (resolved at InitializeAsync); prefer env:/file: in production. Never store a cleartext key.
GalaxyMxAccessOptions (MxAccess)	ClientName; PublishingIntervalMs (1000); WriteUserId (0 = anonymous); EventPumpChannelCapacity (50000)	MXAccess client identity + tuning. ClientName must be unique per OtOpcUa instance (redundancy pairs enforce this).
GalaxyRepositoryOptions (Repository)	DiscoverPageSize (5000); WatchDeployEvents (true)	Galaxy Repository browse paging + deploy-event watching.
GalaxyReconnectOptions (Reconnect)	InitialBackoffMs (500); MaxBackoffMs (30000); ReplayOnSessionLost (true)	In-driver reconnect-supervisor backoff.
(top-level)	ProbeTimeoutSeconds (30, range 1–60)	AdminUI Test-Connect probe timeout.

The OTOPCUA_GALAXY_* environment variables that v1's in-process Galaxy.Host consumed no longer live in this repo — they moved into the separately-installed mxaccessgw gateway's own config (see the v1 archive pointer in docs/README.md and the Galaxy overview at docs/drivers/Galaxy.md). The only Galaxy connection secret this repo touches is the gateway API key via ApiKeySecretRef above.

Historian config (HistorianGateway)

The historian backend is the external ZB.MOM.WW.HistorianGateway sidecar, consumed as the ZB.MOM.WW.HistorianGateway.Client gRPC package (the retired Wonderware TCP sidecar is documented at docs/drivers/Historian.Wonderware.md). The OtOpcUa host reads three appsettings sections — ServerHistorian (read path + gateway connection), ContinuousHistorization (FasterLog outbox + recorder draining to WriteLiveValues), and AlarmHistorian (SQLite store-and-forward alarm sink draining to SendEvent). The gateway connection (endpoint / key / TLS) lives only in ServerHistorian; the other two sections source it from there.

The gateway API key is supplied via the environment variable ServerHistorian__ApiKey — never committed to config. The target gateway must run RuntimeDb:Enabled=true + RuntimeDb:EventReadsEnabled=true, and the key must carry the scopes historian:read, historian:write, historian:tags:write. See docs/Historian.md for the full key reference, the migration note (old Wonderware keys → gateway keys), and the deployment prerequisites.

---

Environment variables

All names are read in this repo's source via Environment.GetEnvironmentVariable(...) unless noted otherwise. Defaults shown are the in-source fallbacks.

Host / cluster / Config DB

Variable	Read by	Effect / default
OTOPCUA_ROLES	src/Server/ZB.MOM.WW.OtOpcUa.Host/Program.cs (RoleParser.Parse)	Comma-separated cluster roles for the node (admin, driver, dev). Drives the conditional wiring and the per-role appsettings overlay. Used when Cluster:Roles is empty.
OTOPCUA_CONFIG_CONNECTION	src/Core/ZB.MOM.WW.OtOpcUa.Configuration/DesignTimeDbContextFactory.cs (design-time / dotnet ef only)	Read at design time by DesignTimeDbContextFactory.cs for dotnet ef migrations. At runtime the server resolves the connection string from ConnectionStrings:ConfigDb (env form: ConnectionStrings__ConfigDb) via configuration.GetConnectionString("ConfigDb") in ServiceCollectionExtensions.cs — OTOPCUA_CONFIG_CONNECTION appears there only as a hint in an error message, not via GetEnvironmentVariable. No credential is embedded in source.
ASPNETCORE_ENVIRONMENT	ASP.NET host builder (framework)	Selects appsettings.{Environment}.json (e.g. Development).

Historian (ServerHistorian__ApiKey)

The retired Wonderware sidecar's OTOPCUA_HISTORIAN_* environment variables are gone — no source reads them anymore. The historian backend is now the external HistorianGateway, configured through the ServerHistorian / ContinuousHistorization / AlarmHistorian appsettings sections (above). The single historian secret this repo reads from the environment is the gateway API key:

Variable	Effect / default
ServerHistorian__ApiKey	The HistorianGateway peppered-HMAC key (histgw_<id>_<secret>) sent as Authorization: Bearer. Supply via environment — never commit. Required when ServerHistorian:Enabled=true.

Driver integration-test / fixture sim endpoints

These are consumed by the driver integration-test fixtures (under tests/Drivers/...IntegrationTests/), not by the production server. Each overrides the simulator endpoint a fixture TCP-probes; defaults point at the shared Docker host 10.100.0.35 (see CLAUDE.md Docker Workflow).

Variable	Read by (fixture)	Default
MODBUS_SIM_ENDPOINT	tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusSimulatorFixture.cs	10.100.0.35:5020
AB_SERVER_ENDPOINT	tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/AbServerFixture.cs	10.100.0.35:44818
S7_SIM_ENDPOINT	tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.S7.IntegrationTests/Snap7ServerFixture.cs	10.100.0.35:1102 (non-privileged; not S7-standard 102)
OPCUA_SIM_ENDPOINT	tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.IntegrationTests/OpcPlcFixture.cs	opc.tcp://10.100.0.35:50000
OTOPCUA_FOCAS_SIM_ENDPOINT	tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.FOCAS.IntegrationTests/FocasSimFixture.cs	localhost:8193

Additional harness/parity/soak env vars (OTOPCUA_FOCAS_*, OTOPCUA_PARITY_*, OTOPCUA_SOAK_*, OTOPCUA_HARNESS_USE_SQL) exist only in the test/parity/soak harnesses, not in production source, and are out of scope for this reference.

---

See also

• security.md — transport security, OPC UA authentication, LDAP (Security:Ldap), data-plane ACLs, control-plane roles.
• Redundancy.md — the Cluster section in the context of warm/hot redundancy, ServiceLevel, peer discovery.
• ServiceHosting.md — role-based host wiring and OTOPCUA_ROLES.
• docs/drivers/Galaxy.md — Galaxy/MxAccess driver overview.
• docs/v2/config-db-schema.md — the full Config DB schema.