OPC UA Profiles and Facets Support
July 1, 2026
This document describes which OPC UA Profiles and Facets are implemented in the OPC UA .NET Standard Stack, and where in the codebase / documentation each one lives.
Overview
The OPC UA .NET Standard Stack is a reference implementation that targets OPC UA specification version 1.05.07. The stack has been certified for compliance through an OPC Foundation Certification Test Lab and is continuously tested for compliance using the latest Compliance Test Tool (CTT).
Version 2.0 substantially extends companion-spec coverage over the previous 1.5.378 version. The stack now ships full server- and client-side support for: Part 9 (Alarms & Conditions), Part 11 (Historical Access) + Part 13 (Aggregates), Part 16 (State Machines), Part 17 (Alias Names), Part 18 (Role Management), Part 20 (File Transfer), Part 100 (Device Integration / Software Update), OPC 10100-1 (WoT Connectivity), and the Local Discovery Server. See What's New in 2.0 for the broader change narrative.
The canonical list of all OPC UA profile and facet URIs is maintained by the
OPC Foundation at https://profiles.opcfoundation.org/. Where this document
hyperlinks a URI, that URI is the same string the reference server
advertises in ServerProfileArray; URIs not yet present in a shipping
config are referred to by name and the reader should consult the OPC
Foundation registry for the canonical URI form.
Server Profiles
The reference server (Applications/ConsoleReferenceServer) advertises the
following profiles in its ServerProfileArray:
Core Server Profiles
- Standard UA Server Profile (2017) — The core OPC UA Server profile that includes:
  - Basic server capabilities
  - Discovery services
  - Session management
  - Subscription management
  - MonitoredItem services
  - View services (Browse, BrowseNext, TranslateBrowsePathsToNodeIds)
  - Attribute services (Read, Write, HistoryRead, HistoryUpdate)
  - Query services
Functional Facets
- Data Access Server Facet — Variables, data types, and data-change notifications.
- Method Server Facet — Method calls on objects in the address space.
- Reverse Connect Facet — Server-initiated connections to a client (see Reverse Connect documentation).
- Client Redundancy Facet — Subscription transfer between sessions/servers; see Transfer Subscriptions.
Local Discovery Server (LDS) Profile
The Opc.Ua.Lds.Server library plus the ConsoleLdsServer reference
application implement the Local Discovery Server. The LDS application
advertises the Local Discovery Server 2017 Facet
(see Applications/ConsoleLdsServer/Lds.Server.Config.xml).
Additional facets supported by the implementation (beyond the default advertised set)
Beyond the five facets advertised by default in the reference server's
ServerProfileArray, the master branch implements the following facets in
the SDK. They can be enabled per-application by registering the
corresponding NodeManager and, where applicable, adding the matching URI to
ServerProfileArray (consult https://profiles.opcfoundation.org/ for the
canonical URI string before claiming a facet):
- Historical Access (Part 11) — IHistorianProvider provider model in Libraries/Opc.Ua.Server/Historian/, with an InMemoryHistorianProvider enabled by the reference server (ReferenceNodeManager.cs). Covers raw, modified, at-time, processed (aggregate), and annotation reads / updates. See Historical Access.
- Aggregates (Part 13) — AggregateManager and the AggregateCalculator family in Libraries/Opc.Ua.Server/Aggregates/. All 37 standard aggregate functions of v1.05.07 are implemented; servers can additionally push down aggregation by implementing IHistorianProcessedProvider. See Aggregates.
- Alarms and Conditions (Part 9) — Full server-side implementation with latched / silenced / out-of-service alarms, alarm groups, a suppression engine, and rate metrics. The reference server's AlarmNodeManager exposes a working sample. See Alarms and Conditions.
- State Machine (Part 16) — StateMachineBuilder and the FluentFiniteStateMachineState extensibility in Libraries/Opc.Ua.Server/StateMachines/. The reference server's BoilerStateMachineState is an end-to-end sample. See State Machines.
- File Access (Part 20) — Server-side FileSystemNodeManager + IFileSystemProvider in Libraries/Opc.Ua.Server/FileSystem/. The reference server enables it via the EnableFileSystemNodeManager option. The matching System.IO-style client lives in FileSystemClient.
- Node Management (Part 4 service set) — INodeManagementAsyncNodeManager opt-in plus a per-NodeManager AllowNodeManagement gate for AddNodes / DeleteNodes / AddReferences / DeleteReferences. See Node Management.
- Alias Names (Part 17) — AliasNameStore and the optional AliasNameNodeManager for AliasNameCategory / FindAlias / FindAliasVerbose / AddAliasesToCategory / DeleteAliasesFromCategory / LastChange. The reference server wires the standard Aliases and Topics nodes via ConfigureAliasNameStore. See Alias Names.
- WoT Connectivity (OPC 10100-1) — Opc.Ua.WotCon / Opc.Ua.WotCon.Server / Opc.Ua.WotCon.Client library trio for surfacing OPC UA servers as Web-of-Things Thing Descriptions. See WoT Connectivity.
- Device Integration (Part 100) — Opc.Ua.Di / Opc.Ua.Di.Server / Opc.Ua.Di.Client library trio, including the lock service and the software-update package store. See Device Integration and Software Update.
- Role Management (Part 18) — Server-side role administration plus a pluggable identity-provider model for anonymous, username, X.509, and token-issuer flows. The server automatically assigns the OPC UA Part 3 §4.9 TrustedApplication role; see also Role-Based User Management.
- Auditing — The server raises audit events for security-relevant service calls (channel / secure-channel / session / activate / cancel). The audit and redaction APIs are provided by Opc.Ua.Server.
- Model Change Tracking — Server-side ModelChangeAggregator with auto-emitted GeneralModelChangeEvent from CustomNodeManager; client-side per-node INodeCache.InvalidateNode. See Model Change Tracking.
- Durable Subscriptions — Subscriptions that persist across reconnects. See Durable Subscriptions.
- Complex Types — Custom structures and enumerations; see Complex Types.
- Async server NodeManagers — TAP-based AsyncCustomNodeManager is the recommended base for new NodeManagers, and every NodeManager shipped with the stack has migrated to it. See Async Server Support.
Client Profiles
The client (Opc.Ua.Client) supports the standard UA Client functionality
through two coexisting paths:
- Classic Session — the lowest-level OPC UA session primitive, paired with SessionReconnectHandler for caller-driven reconnect.
- ManagedSession — recommended for new code. Encapsulates the connection state machine, reconnect policy, and pluggable subscription engine behind a fluent builder. See Sessions, Reconnection, and Subscription Engines.
Client-side feature coverage:
- Subscriptions and monitored items — Both the classic publish engine and the V2 subscription engine (ISubscriptionManager / DefaultSubscriptionEngine) are supported and selectable per session. The V2 surface includes a declarative + imperative SetTriggering API with N:M support and automatic replay on recreate / reconnect, plus an IStreamingSubscription (IAsyncEnumerable-based) facade for state-machine waits and short-lived monitoring (ManagedSession.DefaultStreaming, TakeUntilAsync / WithTimeoutAsync helpers). See Subscriptions and Monitored Items.
- Transfer Subscriptions — Subscription transfer between servers; see Transfer Subscriptions. An opt-in SubscriptionRecoveryPolicy lets the client tolerate Good_SubscriptionTransferred notifications from the server.
- Reverse Connect — Client can accept connections initiated by the server; see Reverse Connect.
- Model Change Tracking — Client-side per-node cache invalidation driven by server-emitted model-change events; see Model Change Tracking.
- File System Operations — Async, System.IO-style client over OPC UA file methods; see FileSystemClient.
- Alarms and Conditions — Typed AlarmClient event records, fluent AlarmEventFilterBuilder, and IAsyncEnumerable alarm streaming via AlarmStreamExtensions; see Alarms and Conditions.
- Historical Access — HistoryClient (session.Historian()) for raw, modified, at-time, processed (aggregate), and annotation reads / updates; see Historical Access.
- State Machines — Streaming and read helpers (GetCurrentFiniteStateAsync, ObserveFiniteTransitionsAsync, WaitForStateAsync) on the source-generated *TypeClient proxies; see State Machines.
- NodeSet Export — Extract a server's address space to NodeSet2 XML; see NodeSet Export.
- Source-generated typed proxies — *TypeClient proxies for ObjectTypes inside loaded models give strongly-typed method-call signatures; see Source-Generated NodeManagers.
- Complex types — Decode and consume server-defined structures and enumerations on the client; see Complex Types.
Transport Profiles
The stack implements the following transport profiles:
Client and server transports
- UA TCP Transport (opc.tcp://) — Primary OPC UA binary transport over TCP.
  - Full UA Secure Conversation (UASC)
  - Binary encoding
  - Reverse-connect capability
- HTTPS Binary Transport (opc.https:// and https://) — OPC UA binary protocol over HTTPS with TLS.
- HTTPS JSON Transport (opc.https:// and https://) — OPC UA JSON (compact / reversible) over HTTPS (OPC UA Part 6 §7.4.5).
  - Compact JSON encoding (application/opcua+uajson)
  - TLS/SSL encryption only — no UA SecureChannel layer
  - Restricted to MessageSecurityMode.None; transport security is provided exclusively by TLS
- WebSocket Secure (UA Binary) (opc.wss:// and wss://) — UA Binary + UASC over secure WebSockets (OPC UA Part 6 §7.5.2, sub-protocol opcua+uacp).
  - Same UASC SecureChannel pipeline as opc.tcp, carried over WebSocket binary frames (one frame per MessageChunk)
  - Supports all security modes (None / Sign / SignAndEncrypt)
  - TLS/SSL encryption at the WebSocket layer
- WebSocket Secure (JSON) (opc.wss:// and wss://) — OPC UA JSON over secure WebSockets (Part 6 §7.5.2, sub-protocol opcua+uajson).
  - Compact JSON encoding per WebSocket text frame
  - TLS/SSL encryption only — no UA SecureChannel layer
  - Restricted to MessageSecurityMode.None
- HTTPS OpenAPI (opc.https:// and https://) — OPC UA OpenAPI Mapping (Part 6 §G.3); official OPC Foundation profile/2338, URI http://opcfoundation.org/UA-Profile/Transport/https-uajson-openapi.
  - Path-routed REST surface: POST /<service> (e.g. /read, /browse, /createsubscription)
  - Body is the bare <Service>Request / <Service>Response — no {UaTypeId, UaBody} envelope at the HTTPS layer
  - Compact (default, mandatory per §5.4.9) and Verbose JSON flavours selected via the application/json; encoding=compact|verbose media-type parameter
  - TLS/SSL encryption only — no UA SecureChannel layer
  - Restricted to MessageSecurityMode.None
  - Authentication via Anonymous, Bearer JWT, HTTP Basic, or Mutual TLS (see WebApi.md)
  - Server-side discovery emission: HttpsServiceHost emits this sub-profile as a discovery-only twin alongside each SecurityMode.None HTTPS-binary endpoint, so discovery-driven clients can find the OpenAPI endpoint without hard-coding the URL.
  - Shipped as part of the OPCFoundation.NetStandard.Opc.Ua.Bindings.Https package (net8+ only)
  - Surfaced via Profiles.HttpsOpenApiTransport
- WSS OpenAPI (opc.wss:// and wss://) — OPC UA OpenAPI Mapping over secure WebSockets (Part 6 §7.5.2, sub-protocol opcua+openapi / opcua+openapi+<accesstoken>); official OPC Foundation profile/2339, URI http://opcfoundation.org/UA-Profile/Transport/wss-uajson-openapi.
  - Same on-wire {TypeId, Body} OPC UA JSON envelope as opcua+uajson, multiplexed over WebSocket text frames; distinguished by the negotiated sub-protocol and the advertised TransportProfileUri
  - Bearer-token variant negotiates the access token in the sub-protocol name (no Authorization header — required for browser fetch compatibility); the server extracts the token from the sub-protocol name and feeds it through the standard ISessionlessIdentityProvider pipeline
  - Server-side discovery emission: the WSS factories emit this sub-profile as a discovery-only twin alongside each SecurityMode.None WSS binary endpoint, mirroring the HTTPS OpenAPI emission.
  - Client surface: Libraries/Opc.Ua.Client/WebApi/WebApiWssTransportChannel.cs; fluent shortcut ManagedSessionBuilder.UseWssOpenApiEndpoint(url); DI registration via services.AddWebApiTransportChannel() (registers both HTTPS and WSS WebApi channel factories).
  - Surfaced via Profiles.WssOpenApiTransport
PubSub transports
The PubSub library supports the following PubSub transport
facets (URIs surfaced by Profiles.PubSub*Transport constants in
Stack/Opc.Ua.Core/Security/Constants/SecurityConstants.cs). Facet
machinery and conformance unit semantics are defined by
Part 7 §4.3.
- PubSub UDP UADP — UDP transport with UADP message encoding.
- PubSub Ethernet UADP — Ethernet (Layer 2) transport with UADP message encoding (see PubSub transports).
- PubSub MQTT UADP — MQTT transport with UADP message encoding.
- PubSub MQTT JSON — MQTT transport with JSON message encoding.
- Datagram-v2 connection profile — DatagramConnectionTransport2DataType (Part 14 §6.4.1.4) is honoured for UDP transports. The DiscoveryAnnounceRate, DiscoveryMaxMessageSize, and QosCategory fields drive discovery cadence and the IP DSCP TOS byte.
- PubSub SKS pull / push — Part 14 §8.5.1 / §8.5.2: the AddPubSubSecurityKeyServiceClient extension implements the pull client (calls GetSecurityKeys on a remote SKS), and AddPubSubSecurityKeyServiceServer hosts the in-memory SKS with Get/SetSecurityKeys and AddSecurityGroup methods bound on the address space.
- AES-128-CTR / AES-256-CTR with HMAC-SHA-256 — Part 14 §8.4.3 message security. Profiles registered as PubSubAes128CtrPolicy / PubSubAes256CtrPolicy; conformance to NIST SP 800-38A F.5.1 / F.5.5 is asserted by the test suite.
- Anonymous certificate-based MQTT auth — the MQTT transport exposes the MqttClientAuthenticationOptions with the certificate-based variant from Part 14 §6.4.2.2.4.
PubSub additionally supports certificate-based MQTT authentication and
considers WriterGroups in MQTT keep-alive calculations.
All transport profiles defined in OPC UA Part 6 §7.4 (HTTPS) and §7.5
(WebSockets) are supported, including the opcua+openapi and
opcua+openapi+<accesstoken> WebSocket sub-protocols (Part 6 §7.5.2
Table 81).
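The sub-protocol negotiation described for the WebSocket transports above, as an added Python example that is not code from the OPC UA .NET Standard Stack: a server-side helper that parses the client's Sec-WebSocket-Protocol offer, selects the first sub-protocol the server has enabled, extracts the access token embedded in an opcua+openapi+<accesstoken> name, and redacts that name for logging. The wss-uajson-openapi profile URI is the one quoted on this page; the uacp and uajson WSS profile URIs are assumed from the Part 7 transport-facet table rather than quoted here, and the enabled-set parameter is a hypothetical stand-in for whatever endpoint configuration the hosting application uses.

```python
"""Server-side negotiation of the OPC UA WebSocket sub-protocols
(Part 6 section 7.5.2).  Added example, not code from the OPC UA .NET
Standard Stack; header values used in tests are constructed."""

# Sub-protocol names exactly as this document lists them.
UACP = "opcua+uacp"            # UA Binary + UASC over WebSocket binary frames
UAJSON = "opcua+uajson"        # OPC UA JSON, one message per text frame
OPENAPI = "opcua+openapi"      # OpenAPI mapping, anonymous / non-bearer auth
OPENAPI_TOKEN_PREFIX = OPENAPI + "+"   # opcua+openapi+<accesstoken>

# TransportProfileUri for the OpenAPI-over-WSS mapping, quoted in this document.
WSS_OPENAPI_PROFILE = "http://opcfoundation.org/UA-Profile/Transport/wss-uajson-openapi"
# The uacp / uajson URIs are assumed from the Part 7 transport-facet table
# (not quoted on this page); verify against https://profiles.opcfoundation.org/.
WSS_PROFILE_BY_SUBPROTOCOL = {
    UACP: "http://opcfoundation.org/UA-Profile/Transport/wss-uasc-uabinary",
    UAJSON: "http://opcfoundation.org/UA-Profile/Transport/wss-uajson",
    OPENAPI: WSS_OPENAPI_PROFILE,
}


def parse_offered(header_value):
    """Split a Sec-WebSocket-Protocol header into the client's preference-ordered list (RFC 6455)."""
    return [p.strip() for p in header_value.split(",") if p.strip()]


def negotiate(header_value, enabled):
    """Pick the first client-offered sub-protocol the server has enabled.

    `enabled` is the set of base sub-protocol names the hosting application
    configured (hypothetical stand-in for the real endpoint configuration).
    Returns (echoed_subprotocol, access_token, transport_profile_uri), or
    (None, None, None) when nothing matches.  The echoed value must be the
    full client string, token included, or a browser fails the handshake.
    """
    for offered in parse_offered(header_value):
        if offered.startswith(OPENAPI_TOKEN_PREFIX):
            token = offered[len(OPENAPI_TOKEN_PREFIX):]
            # "opcua+openapi+" with an empty token is malformed: skip it rather
            # than silently downgrading the connection to the anonymous variant.
            if OPENAPI in enabled and token:
                return offered, token, WSS_OPENAPI_PROFILE
            continue
        if offered in enabled:
            return offered, None, WSS_PROFILE_BY_SUBPROTOCOL.get(offered)
    return None, None, None


def redact_for_log(subprotocol):
    """The token rides in a request header, so never log the negotiated name verbatim."""
    if subprotocol and subprotocol.startswith(OPENAPI_TOKEN_PREFIX):
        return OPENAPI_TOKEN_PREFIX + "<redacted>"
    return subprotocol


if __name__ == "__main__":
    # Constructed sample header: a bearer-token OpenAPI offer with a JSON fallback.
    header = "opcua+openapi+constructed.sample.token, opcua+uajson"
    chosen, token, profile = negotiate(header, {OPENAPI, UAJSON})
    print(redact_for_log(chosen), "token present:", token is not None, profile)
```

Because the access token is carried in a request header rather than in the message body, it is visible to any TLS-terminating proxy and to handshake logging; the redaction helper exists so that the echoed sub-protocol can be logged without the credential.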
Security Profiles
The stack supports the following security profiles for secure
communication. The canonical set is defined in
Stack/Opc.Ua.Core/Security/Constants/SecurityPolicies.cs.
RSA-based security policies
- Basic256Sha256
  - 256-bit AES encryption
  - RSA-OAEP for key encryption
  - HMAC-SHA256 for message authentication
  - Minimum key size: 2048 bits
- Aes128_Sha256_RsaOaep
  - 128-bit AES encryption
  - RSA-OAEP for key encryption
  - HMAC-SHA256 for message authentication
- Aes256_Sha256_RsaPss
  - 256-bit AES encryption
  - RSA-PSS signatures
  - HMAC-SHA256 for message authentication
ECC-based security policies
ECC support is documented in detail in ECC Profiles.
Traditional ECC curves
- ECC_nistP256 — NIST P-256 with SHA-256
- ECC_nistP384 — NIST P-384 with SHA-384
- ECC_brainpoolP256r1 — Brainpool P-256r1 with SHA-256
- ECC_brainpoolP384r1 — Brainpool P-384r1 with SHA-384
Modern ECC curves (v2.0)
- ECC_curve25519 — Curve25519 with ChaCha20-Poly1305
- ECC_curve25519_AesGcm — Curve25519 with AES-GCM
- ECC_curve448 — Curve448 with ChaCha20-Poly1305
- ECC_curve448_AesGcm — Curve448 with AES-GCM
AES-GCM and ChaCha20-Poly1305 variants (v2.0)
Modern AEAD cipher alternatives for traditional ECC curves:
- ECC_nistP256_AesGcm, ECC_nistP256_ChaChaPoly
- ECC_nistP384_AesGcm, ECC_nistP384_ChaChaPoly
- ECC_brainpoolP256r1_AesGcm, ECC_brainpoolP256r1_ChaChaPoly
- ECC_brainpoolP384r1_AesGcm, ECC_brainpoolP384r1_ChaChaPoly
RSA Diffie-Hellman (v2.0)
- RSA_DH_AesGcm — RSA Diffie-Hellman key agreement with AES-GCM
- RSA_DH_ChaChaPoly — RSA Diffie-Hellman key agreement with ChaCha20-Poly1305
Platform requirements for ECC. ECC support is available on .NET
Framework 4.8, .NET Standard 2.1, and .NET 5.0 or later. Modern curves
(Curve25519, Curve448) and AEAD ciphers (AES-GCM, ChaCha20-Poly1305)
require .NET 8.0 or later (AesGcm.IsSupported /
ChaCha20Poly1305.IsSupported guard the runtime registration). Not all
curves are supported by every OS platform and .NET implementation.
Deprecated security policies
The following security policies are deprecated but still supported for backward compatibility:
- Basic256 — uses SHA-1
- Basic128Rsa15 — uses SHA-1 and RSA-PKCS#1 v1.5
Note. SHA-1 signed certificates are rejected by default
(RejectSHA1SignedCertificates configuration option). These deprecated
policies should only be enabled for compatibility with legacy systems.
Security policy None
- None — No security.
  - For testing or isolated networks only.
  - Not recommended for production environments.
User Authentication
The stack supports the following user authentication mechanisms:
- Anonymous — No user authentication.
- Username / Password — User credentials encrypted using the active security policy.
- X.509 Certificate — User authentication via X.509 certificates.
- Issued Token — Includes JSON Web Tokens (JWT) and other IssuerEndpointUrl-driven flows (OAuth2 / OIDC / Entra). The Identity Providers pluggable model (IClientIdentityProvider, IUserTokenAuthenticator, IAccessTokenProvider, ITokenIssuer, IIdentityClaims) is the recommended way to wire these in.
Certificate Types
The stack supports the following certificate types for application authentication:
RSA certificates
- RsaSha256ApplicationCertificateType — RSA with SHA-256 signatures
  - Default minimum key size: 2048 bits
  - Recommended for production use
ECC certificates
- EccNistP256ApplicationCertificateType
- EccNistP384ApplicationCertificateType
- EccBrainpoolP256r1ApplicationCertificateType
- EccBrainpoolP384r1ApplicationCertificateType
The RejectSHA1SignedCertificates configuration option (on by default)
prevents SHA-1 signed certificates from being accepted. See
Certificates and Certificate Manager
for storage, ref-counted lifetime, and the segregated-interface design.
Global Discovery Server (GDS)
The stack ships a Global Discovery Server implementation with full OPC UA Part 12 compliance, including:
- Application registration and discovery.
- Pull and Push certificate-management models, including pushing to arbitrary certificate groups and custom certificate groups on the GDS itself.
- Sub-CA revocation without auto-creating an empty CRL.
- Support for both RSA and ECC certificate types and CRLs.
- AuthorizationService (OPC 10000-12 §9) — OAuth2-style StartRequestToken / FinishRequestToken issuance with a pluggable IAccessTokenProvider / ITokenIssuer.
- KeyCredentialService (OPC 10000-12 §8) — Credential issuance for non-OPC UA services such as MQTT brokers and REST APIs, backed by IKeyCredentialRequestStore / ISecretStore.
See the GDS Developer Guide for the full feature breakdown and
hosting integration. The Local Discovery Server is a separate library
(Opc.Ua.Lds.Server) and reference application (ConsoleLdsServer) that
advertises the
Local Discovery Server 2017
facet.
Message Encoding
The stack supports the following message encoding formats:
- UA Binary — OPC UA binary encoding (primary for UA-TCP and HTTPS).
- UA XML — OPC UA XML encoding (for configuration import / export and PubSub Dataset XML).
- UA JSON — OPC UA JSON encoding for PubSub MQTT.
- UADP — UA Data Protocol for PubSub.
The 2.0 release ships a new JSON decoder / encoder, array / matrix
abstractions, and a first-class ByteString type. See the
2.0 migration guide — Encoders and Complex Types
for the encoder/decoder migration details and
Complex Types for client-side decode of
server-defined types.
Specification Compliance
- OPC UA Specification: Version 1.05.07.
- Certification: The reference server has been certified for compliance through an OPC Foundation Certification Test Lab.
- Testing: All releases are verified for compliance using the latest Compliance Test Tool (CTT).
Configuration
Server profile configuration
Server profiles are configured in the server configuration file using the
ServerProfileArray element. The reference server's default array is:
<ServerConfiguration>
  <!-- see https://profiles.opcfoundation.org/ for the canonical list of profile and facet URIs -->
  <ServerProfileArray>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/StandardUA2017</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/DataAccess</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/Methods</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/ReverseConnect</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/ClientRedundancy</ua:String>
  </ServerProfileArray>
</ServerConfiguration>
To advertise additional facets (Historical Access, Aggregates, Alarms &
Conditions, File Access, Auditing, NodeManagement, State Machine, etc.)
look up the canonical URI for the facet on
https://profiles.opcfoundation.org/ and add it to ServerProfileArray.
Only advertise a facet that the application genuinely implements — the
Compliance Test Tool will exercise every claimed facet. Bringing the
reference-server and CTT configs in line with the facets the stack
actually implements is tracked in
#3875.
Security policy configuration
Security policies are configured in the SecurityPolicies section:
<SecurityPolicies>
  <ServerSecurityPolicy>
    <SecurityMode>SignAndEncrypt_3</SecurityMode>
    <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
  </ServerSecurityPolicy>
  <ServerSecurityPolicy>
    <SecurityMode>SignAndEncrypt_3</SecurityMode>
    <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep</SecurityPolicyUri>
  </ServerSecurityPolicy>
  <!-- ECC security policies -->
  <ServerSecurityPolicy>
    <SecurityMode>SignAndEncrypt_3</SecurityMode>
    <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256</SecurityPolicyUri>
  </ServerSecurityPolicy>
</SecurityPolicies>
See the reference server configuration file
for a complete example, or the
CTT configuration file
for the variant selected by --ctt.
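As an added example covering both configuration sections above (the ServerProfileArray and the SecurityPolicies element), and not code from the OPC UA .NET Standard Stack, the following Python lint parses a constructed ApplicationConfiguration sample and reports two classes of problem a review would want surfaced before the Compliance Test Tool does: facets advertised in ServerProfileArray that the application does not actually implement (plus duplicated entries and URIs outside the OPC Foundation registry namespace), and ServerSecurityPolicy entries that expose the deprecated SHA-1 policies or security policy None. The schema namespaces, the None_1 and Sign_2 mode spellings (modelled on the SignAndEncrypt_3 form shown above), and the set of implemented facets are all assumptions.

```python
"""Lint the ServerProfileArray and SecurityPolicies sections of an OPC UA
.NET Standard Stack server configuration.  Added example, not part of the
stack; the XML below is a constructed sample modelled on the fragments
shown in this document, with namespace declarations added so it parses."""
import xml.etree.ElementTree as ET

PROFILE_PREFIX = "http://opcfoundation.org/UA-Profile/"
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
# Policies this document marks as deprecated (both rely on SHA-1).
DEPRECATED_POLICIES = {"Basic256", "Basic128Rsa15"}

# Constructed sample: the reference server's default five facets with one
# duplicated entry, plus two policies a production server should not expose.
# None_1 / Sign_2 are assumed to follow the <Name>_<n> spelling of SignAndEncrypt_3.
SAMPLE_CONFIG = """<ApplicationConfiguration
    xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd"
    xmlns:ua="http://opcfoundation.org/UA/2008/02/Types.xsd">
  <ServerConfiguration>
    <ServerProfileArray>
      <ua:String>http://opcfoundation.org/UA-Profile/Server/StandardUA2017</ua:String>
      <ua:String>http://opcfoundation.org/UA-Profile/Server/DataAccess</ua:String>
      <ua:String>http://opcfoundation.org/UA-Profile/Server/Methods</ua:String>
      <ua:String>http://opcfoundation.org/UA-Profile/Server/DataAccess</ua:String>
      <ua:String>http://opcfoundation.org/UA-Profile/Server/ReverseConnect</ua:String>
      <ua:String>http://opcfoundation.org/UA-Profile/Server/ClientRedundancy</ua:String>
    </ServerProfileArray>
    <SecurityPolicies>
      <ServerSecurityPolicy>
        <SecurityMode>SignAndEncrypt_3</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
      </ServerSecurityPolicy>
      <ServerSecurityPolicy>
        <SecurityMode>None_1</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri>
      </ServerSecurityPolicy>
      <ServerSecurityPolicy>
        <SecurityMode>Sign_2</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri>
      </ServerSecurityPolicy>
    </SecurityPolicies>
  </ServerConfiguration>
</ApplicationConfiguration>"""


def _local(tag):
    """Strip the XML namespace so the checks work whatever prefix the file uses."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def advertised_profiles(root):
    """Profile URIs in document order (empty list when the array is absent)."""
    arrays = _elements(root, "ServerProfileArray")
    if not arrays:
        return []
    return [(e.text or "").strip() for e in arrays[0] if _local(e.tag) == "String"]


def audit_profiles(root, implemented):
    """Flag non-registry URIs, duplicates, and facets advertised but not
    implemented (the CTT exercises every claimed facet)."""
    findings, seen = [], set()
    for uri in advertised_profiles(root):
        if not uri.startswith(PROFILE_PREFIX):
            findings.append(f"non-registry profile URI: {uri}")
        if uri in seen:
            findings.append(f"duplicate profile URI: {uri}")
        elif uri not in implemented:
            findings.append(f"advertised but not implemented: {uri}")
        seen.add(uri)
    return findings


def audit_policies(root):
    """Flag unsecured endpoints and the deprecated SHA-1 policies."""
    findings = []
    for policy in _elements(root, "ServerSecurityPolicy"):
        fields = {_local(c.tag): (c.text or "").strip() for c in policy}
        mode = fields.get("SecurityMode", "")
        uri = fields.get("SecurityPolicyUri", "")
        name = uri[len(POLICY_PREFIX):] if uri.startswith(POLICY_PREFIX) else uri
        if name == "None" or mode.startswith("None"):
            findings.append(f"unsecured endpoint (mode={mode}, policy={name}): testing or isolated networks only")
        elif name in DEPRECATED_POLICIES:
            findings.append(f"deprecated SHA-1 policy {name} (mode={mode}): legacy compatibility only")
    return findings


def audit(xml_text, implemented):
    """Run both checks over a configuration document and return the findings."""
    root = ET.fromstring(xml_text)
    return audit_profiles(root, implemented) + audit_policies(root)


# Hypothetical set of facets this application really implements: the default
# five minus Client Redundancy, to exercise the "advertised but not implemented" check.
IMPLEMENTED = {PROFILE_PREFIX + "Server/" + f
               for f in ("StandardUA2017", "DataAccess", "Methods", "ReverseConnect")}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, IMPLEMENTED):
        print("WARN", finding)
```

The lint treats the ServerProfileArray as a set of claims to be checked against what the server can actually do, which is the same stance the CTT takes; the implemented set would normally come from whichever NodeManagers and facets the application registers rather than a hard-coded constant.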
Related Documentation
- What's New in 2.0 — Narrative tour of the 1.5.378 → 2.0 changes, grouped by theme and layer.
- Migration Guide — Prescriptive, per-API migration reference.
- Subscriptions and Monitored Items — V2 ISubscriptionManager, declarative + imperative SetTriggering (N:M, replay on recreate / reconnect), and IStreamingSubscription.
- Async Server Support — TAP-based AsyncCustomNodeManager and the IAsyncNodeManager family.
- Dependency Injection — services.AddOpcUa() and the IOpcUaBuilder hosting surface.
- Native AOT — AOT publishing, AOT-clean source generators, and the AOT test matrix.
Core and companion spec related documentation
- Alarms and Conditions (Part 9)
- Historical Access (Part 11)
- Aggregates (Part 13)
- State Machines (Part 16)
- Alias Names (Part 17)
- Role-Based User Management (Part 18)
- Identity Providers
- Authorization Service (Part 12 §9)
- Key Credential Service (Part 12 §8)
- GDS Developer Guide (Part 12 full compliance)
- File System Client (Part 20)
- Device Integration (Part 100)
- Software Update
- WoT Connectivity (OPC 10100-1)
- Node Management (Part 4)
References
- OPC Foundation Profile Reporting — canonical profile and facet URI registry.
- OPC UA Specification — online reference for the OPC 10000 series.
- OPC UA Compliance Test Tool (CTT) — official conformance test tool.