use of com.prosysopc.ua.types.opcua.server.ServerCapabilitiesTypeNode in project FAAAST-Service by FraunhoferIOSB.
the class Server method startup.
/**
* Starts the server
*/
public void startup() {
try {
String hostName;
hostName = InetAddress.getLocalHost().getHostName();
ApplicationIdentity.setActualHostName(hostName);
// *** Create the server
server = new UaServer();
// currently without IPv6
server.setEnableIPv6(true);
// Use PKI files to keep track of the trusted and rejected client
// certificates...
final PkiDirectoryCertificateStore applicationCertificateStore = new PkiDirectoryCertificateStore("PKI/CA");
final PkiDirectoryCertificateStore applicationIssuerCertificateStore = new PkiDirectoryCertificateStore("PKI/CA/issuers");
final DefaultCertificateValidator applicationCertificateValidator = new DefaultCertificateValidator(applicationCertificateStore, applicationIssuerCertificateStore);
server.setCertificateValidator(applicationCertificateValidator);
// ...and react to validation results with a custom handler
applicationCertificateValidator.setValidationListener(validationListener);
// Handle user certificates
final PkiDirectoryCertificateStore userCertificateStore = new PkiDirectoryCertificateStore("USERS_PKI/CA");
final PkiDirectoryCertificateStore userIssuerCertificateStore = new PkiDirectoryCertificateStore("USERS_PKI/CA/issuers");
final DefaultCertificateValidator userCertificateValidator = new DefaultCertificateValidator(userCertificateStore, userIssuerCertificateStore);
userValidator = new AasUserValidator(userCertificateValidator);
// ...and react to validation results with a custom handler
userCertificateValidator.setValidationListener(userCertificateValidationListener);
// *** Application Description is sent to the clients
ApplicationDescription appDescription = new ApplicationDescription();
// 'localhost' (all lower case) in the ApplicationName and
// ApplicationURI is converted to the actual host name of the computer
// (including the possible domain part) in which the application is run.
// (as available from ApplicationIdentity.getActualHostName())
// 'hostname' is converted to the host name without the domain part.
// (as available from
// ApplicationIdentity.getActualHostNameWithoutDomain())
appDescription.setApplicationName(new LocalizedText(APPLICATION_NAME + "@hostname"));
appDescription.setApplicationUri(APPLICATION_URI);
appDescription.setProductUri("urn:de:fraunhofer:iosb:opcua:aas:server");
appDescription.setApplicationType(ApplicationType.Server);
// *** Server Endpoints
// TCP Port number for the UA TCP protocol
server.setPort(Protocol.OpcTcp, tcpPort);
// TCP Port for the HTTPS protocol - currently disabled
// server.setPort(Protocol.OpcHttps, httpsPort);
// optional server name part of the URI (default for all protocols)
// server.setServerName("OPCUA/" + applicationName);
// Optionally restrict the InetAddresses to which the server is bound.
// You may also specify the addresses for each Protocol.
// The default is binding to IPv6 wildcard '[::]' when isEnableIPv6 is true
// or to IPv4 wildcard '0.0.0.0' otherwise.
// Alternatively, the Server can be bound to all available InetAddresses.
// isEnableIPv6 defines whether IPv6 address should be included in the bound addresses.
// Note that it requires Java 7 or later to work in practice in Windows
// server.setBindAddresses(EndpointUtil.getInetAddresses(server.isEnableIPv6()));
// *** Certificates
logger.info("Loading certificates..");
File privatePath = new File(applicationCertificateStore.getBaseDir(), "private");
// Define a certificate for a Certificate Authority (CA) which is used
// to issue the keys. Especially
// the HTTPS certificate should be signed by a CA certificate, in order
// to make the .NET applications trust it.
//
// If you have a real CA, you should use that instead of this sample CA
// and create the keys with it.
// Here we use the IssuerCertificate only to sign the HTTPS certificate
// (below) and not the Application Instance Certificate.
KeyPair issuerCertificate = ApplicationIdentity.loadOrCreateIssuerCertificate("FraunhoferIosbSampleCA@" + ApplicationIdentity.getActualHostNameWithoutDomain() + "_https_" + CERT_KEY_SIZE, privatePath, "opcua", 3650, false, CERT_KEY_SIZE);
int[] keySizes = new int[] { CERT_KEY_SIZE };
// If you wish to use big certificates (4096 bits), you will need to
// define two certificates for your application, since to interoperate
// with old applications, you will also need to use a small certificate
// (up to 2048 bits).
// Also, 4096 bits can only be used with Basic256Sha256 security
// profile, which is currently not enabled by default, so we will also
// leave the the keySizes array as null. In that case, the default key
// size defined by CertificateUtils.getKeySize() is used.
// keySizes = new int[] { 2048, 4096 };
// *** Application Identity
// Define the Server application identity, including the Application
// Instance Certificate (but don't sign it with the issuerCertificate as
// explained above).
final ApplicationIdentity identity = ApplicationIdentity.loadOrCreateCertificate(appDescription, "Fraunhofer IOSB", /* Private Key Password */
"opcua", /* Key File Path */
privatePath, /* Issuer Certificate & Private Key */
null, /* Key Sizes for instance certificates to create */
keySizes, /* Enable renewing the certificate */
true);
// Create the HTTPS certificate bound to the hostname.
// The HTTPS certificate must be created, if you enable HTTPS.
hostName = ApplicationIdentity.getActualHostName();
identity.setHttpsCertificate(ApplicationIdentity.loadOrCreateHttpsCertificate(appDescription, hostName, "opcua", issuerCertificate, privatePath, true, CERT_KEY_SIZE));
server.setApplicationIdentity(identity);
// *** Security settings
/*
* Define the security modes to support for the Binary protocol.
* Note that different versions of the specification might add/deprecate some modes, in this
* example all the modes are added, but you should add some way in your application to configure
* these. The set is empty by default, you must add at least one SecurityMode for the server to
* start.
*/
Set<SecurityPolicy> supportedSecurityPolicies = new HashSet<>();
/*
* This policy does not support any security. Should only be used in isolated networks.
*/
supportedSecurityPolicies.add(SecurityPolicy.NONE);
// Modes defined in previous versions of the specification
supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_101);
supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_102);
supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_103);
/*
* Per the 1.04 specification, only these should be used. However in practice this list only
* contains very new security policies, which most of the client applications as of today that
* are used might not be unable to (yet) use.
*/
supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_104);
Set<MessageSecurityMode> supportedMessageSecurityModes = new HashSet<>();
/*
* This mode does not support any security. Should only be used in isolated networks. This is
* also the only mode, which does not require certificate exchange between the client and server
* application (when used in conjunction of only ANONYMOUS UserTokenPolicy).
*/
supportedMessageSecurityModes.add(MessageSecurityMode.None);
/*
* This mode support signing, so it is possible to detect if messages are tampered. Note that
* they are not encrypted.
*/
supportedMessageSecurityModes.add(MessageSecurityMode.Sign);
/*
* This mode signs and encrypts the messages. Only this mode is recommended outside of isolated
* networks.
*/
supportedMessageSecurityModes.add(MessageSecurityMode.SignAndEncrypt);
/*
* This creates all possible combinations (NONE pairs only with None) of the configured
* MessageSecurityModes and SecurityPolicies) for opc.tcp communication.
*/
server.getSecurityModes().addAll(SecurityMode.combinations(supportedMessageSecurityModes, supportedSecurityPolicies));
/*
* NOTE! The MessageSecurityMode.None for HTTPS means Application level authentication is not
* used. If used in combination with the UserTokenPolicy ANONYMOUS anyone can access the server
* (but the traffic is encrypted). HTTPS mode is always encrypted, therefore the given
* MessageSecurityMode only affects if the UA certificates are exchanged when forming the
* Session.
*/
server.getHttpsSecurityModes().addAll(SecurityMode.combinations(EnumSet.of(MessageSecurityMode.None, MessageSecurityMode.Sign), supportedSecurityPolicies));
// The TLS security policies to use for HTTPS
Set<HttpsSecurityPolicy> supportedHttpsSecurityPolicies = new HashSet<>();
// (HTTPS was defined starting from OPC UA Specification 1.02)
supportedHttpsSecurityPolicies.addAll(HttpsSecurityPolicy.ALL_102);
supportedHttpsSecurityPolicies.addAll(HttpsSecurityPolicy.ALL_103);
// Only these are recommended by the 1.04 Specification
supportedHttpsSecurityPolicies.addAll(HttpsSecurityPolicy.ALL_104);
server.getHttpsSettings().setHttpsSecurityPolicies(supportedHttpsSecurityPolicies);
// Number of threads to reserve for the HTTPS server, default is 10
// server.setHttpsWorkerThreadCount(10);
// Define the certificate validator for the HTTPS certificates;
// we use the same validator that we use for Application Instance Certificates
server.getHttpsSettings().setCertificateValidator(applicationCertificateValidator);
// Define the supported user authentication methods
server.addUserTokenPolicy(UserTokenPolicies.ANONYMOUS);
server.addUserTokenPolicy(UserTokenPolicies.SECURE_USERNAME_PASSWORD);
server.addUserTokenPolicy(UserTokenPolicies.SECURE_CERTIFICATE);
// Define a validator for checking the user accounts
server.setUserValidator(userValidator);
// currently skip discovery
// // Register to the local discovery server (if present)
// try {
// server.setDiscoveryServerUrl(DISCOVERY_SERVER_URL);
// }
// catch (URISyntaxException e) {
// logger.error("DiscoveryURL is not valid", e);
// }
// *** 'init' creates the service handlers and the default endpoints
// *** according to the settings defined above
server.init();
initBuildInfo();
// "Safety limits" for ill-behaving clients
server.getSessionManager().setMaxSessionCount(500);
// one hour
server.getSessionManager().setMaxSessionTimeout(3600000);
server.getSubscriptionManager().setMaxSubscriptionCount(50);
/*
* Safety limits for XXXContinuationPoints. Note! These are the current defaults. Technically a
* value of 0 (unlimited) is allowed by the OPC UA Specification, but our implementation does
* allocate server-side memory, thus do not use value of 0 (or you can run out of memory).
* Future SDK releases may improve this.
*/
ServerCapabilitiesTypeNode serverCapabilities = server.getAddressSpace().getNodeManagerRoot().getServerData().getServerCapabilitiesNode();
serverCapabilities.setMaxBrowseContinuationPoints(UnsignedShort.MAX_VALUE);
serverCapabilities.setMaxQueryContinuationPoints(UnsignedShort.MAX_VALUE);
serverCapabilities.setMaxHistoryContinuationPoints(UnsignedShort.MAX_VALUE);
// You can do your own additions to server initializations here
createAddressSpace();
server.start();
running = true;
} catch (Throwable ex) {
logger.error("startup Exception", ex);
}
}
Aggregations