OPC UA Profiles and Facets Support

July 1, 2026

This document describes which OPC UA Profiles and Facets are implemented in the OPC UA .NET Standard Stack, and where in the codebase / documentation each one lives.

Overview

The OPC UA .NET Standard Stack is a reference implementation that targets OPC UA specification version 1.05.07. The stack has been certified for compliance through an OPC Foundation Certification Test Lab and is continuously tested for compliance using the latest Compliance Test Tool (CTT).

Version 2.0 substantially extends companion-spec coverage over the previous 1.5.378 version. The stack now ships full server- and client-side support for: Part 9 (Alarms & Conditions), Part 11 (Historical Access) + Part 13 (Aggregates), Part 16 (State Machines), Part 17 (Alias Names), Part 18 (Role Management), Part 20 (File Transfer), Part 100 (Device Integration / Software Update), OPC 10100-1 (WoT Connectivity), and the Local Discovery Server. See What's New in 2.0 for the broader change narrative.

The canonical list of all OPC UA profile and facet URIs is maintained by the OPC Foundation at https://profiles.opcfoundation.org/. Where this document hyperlinks a URI, that URI is the same string the reference server advertises in ServerProfileArray; URIs not yet present in a shipping config are referred to by name and the reader should consult the OPC Foundation registry for the canonical URI form.

Server Profiles

The reference server (Applications/ConsoleReferenceServer) advertises the following profiles in its ServerProfileArray:

Core Server Profiles

  • Standard UA Server Profile (2017) — The core OPC UA Server profile that includes:
    • Basic server capabilities
    • Discovery services
    • Session management
    • Subscription management
    • MonitoredItem services
    • View services (Browse, BrowseNext, TranslateBrowsePathsToNodeIds)
    • Attribute services (Read, Write, HistoryRead, HistoryUpdate)
    • Query services

Functional Facets

Local Discovery Server (LDS) Profile

The Opc.Ua.Lds.Server library plus the ConsoleLdsServer reference application implement the Local Discovery Server. The LDS application advertises the Local Discovery Server 2017 Facet (see Applications/ConsoleLdsServer/Lds.Server.Config.xml).

Additional facets supported by the implementation (beyond the default advertised set)

Beyond the five facets advertised by default in the reference server's ServerProfileArray, the master branch implements the following facets in the SDK. They can be enabled per-application by registering the corresponding NodeManager and, where applicable, adding the matching URI to ServerProfileArray (consult https://profiles.opcfoundation.org/ for the canonical URI string before claiming a facet):

  • Historical Access (Part 11) — IHistorianProvider provider model in Libraries/Opc.Ua.Server/Historian/, with an InMemoryHistorianProvider enabled by the reference server (ReferenceNodeManager.cs). Covers raw, modified, at-time, processed (aggregate), and annotation reads / updates. See Historical Access.
  • Aggregates (Part 13) — AggregateManager and the AggregateCalculator family in Libraries/Opc.Ua.Server/Aggregates/. All 37 standard aggregate functions of v1.05.07 are implemented; servers can additionally push down aggregation by implementing IHistorianProcessedProvider. See Aggregates.
  • Alarms and Conditions (Part 9) — Full server-side implementation with latched / silenced / out-of-service alarms, alarm groups, a suppression engine, and rate metrics. The reference server's AlarmNodeManager exposes a working sample. See Alarms and Conditions.
  • State Machine (Part 16) — StateMachineBuilder and the FluentFiniteStateMachineState extensibility in Libraries/Opc.Ua.Server/StateMachines/. The reference server's BoilerStateMachineState is an end-to-end sample. See State Machines.
  • File Access (Part 20) — Server-side FileSystemNodeManager + IFileSystemProvider in Libraries/Opc.Ua.Server/FileSystem/. The reference server enables it via the EnableFileSystemNodeManager option. The matching System.IO-style client lives in FileSystemClient.
  • Node Management (Part 4 service set) — INodeManagementAsyncNodeManager opt-in plus a per-NodeManager AllowNodeManagement gate for AddNodes / DeleteNodes / AddReferences / DeleteReferences. See Node Management.
  • Alias Names (Part 17) — AliasNameStore and the optional AliasNameNodeManager for AliasNameCategory / FindAlias / FindAliasVerbose / AddAliasesToCategory / DeleteAliasesFromCategory / LastChange. The reference server wires the standard Aliases and Topics nodes via ConfigureAliasNameStore. See Alias Names.
  • WoT Connectivity (OPC 10100-1) — Opc.Ua.WotCon / Opc.Ua.WotCon.Server / Opc.Ua.WotCon.Client library trio for surfacing OPC UA servers as Web-of-Things Thing Descriptions. See WoT Connectivity.
  • Device Integration (Part 100) — Opc.Ua.Di / Opc.Ua.Di.Server / Opc.Ua.Di.Client library trio, including the lock service and the software-update package store. See Device Integration and Software Update.
  • Role Management (Part 18) — Server-side role administration plus a pluggable identity-provider model for anonymous, username, X.509, and token-issuer flows. The server automatically assigns the OPC UA Part 3 §4.9 TrustedApplication role; see also Role-Based User Management.
  • Auditing — The server raises audit events for security-relevant service calls (channel/secure-channel/session/activate/cancel). The audit and redaction APIs are provided by Opc.Ua.Server.
  • Model Change Tracking — Server-side ModelChangeAggregator with auto-emitted GeneralModelChangeEvent from CustomNodeManager; client-side per-node INodeCache.InvalidateNode. See Model Change Tracking.
  • Durable Subscriptions — Subscriptions that persist across reconnects. See Durable Subscriptions.
  • Complex Types — Custom structures and enumerations; see Complex Types.
  • Async server NodeManagers — TAP-based AsyncCustomNodeManager is the recommended base for new NodeManagers, and every NodeManager shipped with the stack has migrated to it. See Async Server Support.

Client Profiles

The client (Opc.Ua.Client) supports the standard UA Client functionality through two coexisting paths:

  • Classic Session — the lowest-level OPC UA session primitive, paired with SessionReconnectHandler for caller-driven reconnect.
  • ManagedSession — recommended for new code. Encapsulates the connection state machine, reconnect policy, and pluggable subscription engine behind a fluent builder. See Sessions, Reconnection, and Subscription Engines.

Client-side feature coverage:

  • Subscriptions and monitored items — Both the classic publish engine and the V2 subscription engine (ISubscriptionManager / DefaultSubscriptionEngine) are supported and selectable per session. The V2 surface includes a declarative + imperative SetTriggering API with N:M support and automatic replay on recreate / reconnect, plus an IStreamingSubscription (IAsyncEnumerable-based) facade for state-machine waits and short-lived monitoring (ManagedSession.DefaultStreaming, TakeUntilAsync / WithTimeoutAsync helpers). See Subscriptions and Monitored Items.
  • Transfer Subscriptions — Subscription transfer between servers; see Transfer Subscriptions. An opt-in SubscriptionRecoveryPolicy lets the client tolerate Good_SubscriptionTransferred notifications from the server.
  • Reverse Connect — Client can accept connections initiated by the server; see Reverse Connect.
  • Model Change Tracking — Client-side per-node cache invalidation driven by server-emitted model-change events; see Model Change Tracking.
  • File System Operations — Async, System.IO-style client over OPC UA file methods; see FileSystemClient.
  • Alarms and Conditions — Typed AlarmClient event records, fluent AlarmEventFilterBuilder, and IAsyncEnumerable alarm streaming via AlarmStreamExtensions; see Alarms and Conditions.
  • Historical Access — HistoryClient (session.Historian()) for raw, modified, at-time, processed (aggregate), and annotation reads / updates; see Historical Access.
  • State Machines — Streaming and read helpers (GetCurrentFiniteStateAsync, ObserveFiniteTransitionsAsync, WaitForStateAsync) on the source-generated *TypeClient proxies; see State Machines.
  • NodeSet Export — Extract a server's address space to NodeSet2 XML; see NodeSet Export.
  • Source-generated typed proxies — *TypeClient proxies for ObjectTypes inside loaded models give strongly-typed method-call signatures; see Source-Generated NodeManagers.
  • Complex types — Decode and consume server-defined structures and enumerations on the client; see Complex Types.

Transport Profiles

The stack implements the following transport profiles:

Client and server transports

  • UA TCP Transport (opc.tcp://) — Primary OPC UA binary transport over TCP.
    • Full UA Secure Conversation (UASC)
    • Binary encoding
    • Reverse-connect capability
  • HTTPS Binary Transport (opc.https:// and https://) — OPC UA binary protocol over HTTPS with TLS.
  • HTTPS JSON Transport (opc.https:// and https://) — OPC UA JSON (compact / reversible) over HTTPS (OPC UA Part 6 §7.4.5).
    • Compact JSON encoding (application/opcua+uajson)
    • TLS/SSL encryption only — no UA SecureChannel layer
    • Restricted to MessageSecurityMode.None; transport security is provided exclusively by TLS
  • WebSocket Secure (UA Binary) (opc.wss:// and wss://) — UA Binary + UASC over secure WebSockets (OPC UA Part 6 §7.5.2, sub-protocol opcua+uacp).
    • Same UASC SecureChannel pipeline as opc.tcp, carried over WebSocket binary frames (one frame per MessageChunk)
    • Supports all security modes (None / Sign / SignAndEncrypt)
    • TLS/SSL encryption at the WebSocket layer
  • WebSocket Secure (JSON) (opc.wss:// and wss://) — OPC UA JSON over secure WebSockets (Part 6 §7.5.2, sub-protocol opcua+uajson).
    • Compact JSON encoding per WebSocket text frame
    • TLS/SSL encryption only — no UA SecureChannel layer
    • Restricted to MessageSecurityMode.None
  • HTTPS OpenAPI (opc.https:// and https://) — OPC UA OpenAPI Mapping (Part 6 §G.3); official OPC Foundation profile/2338, URI http://opcfoundation.org/UA-Profile/Transport/https-uajson-openapi.
    • Path-routed REST surface: POST /<service> (e.g. /read, /browse, /createsubscription)
    • Body is the bare <Service>Request / <Service>Response — no {UaTypeId, UaBody} envelope at the HTTPS layer
    • Compact (default, mandatory per §5.4.9) and Verbose JSON flavours, selected via the application/json; encoding=compact|verbose media-type parameter
    • TLS/SSL encryption only — no UA SecureChannel layer
    • Restricted to MessageSecurityMode.None
    • Authentication via Anonymous, Bearer JWT, HTTP Basic, or Mutual TLS (see WebApi.md)
    • Server-side discovery emission: HttpsServiceHost emits this sub-profile as a discovery-only twin alongside each SecurityMode.None HTTPS-binary endpoint, so discovery-driven clients can find the OpenAPI endpoint without hard-coding the URL
    • Shipped as part of the OPCFoundation.NetStandard.Opc.Ua.Bindings.Https package (net8+ only)
    • Surfaced via Profiles.HttpsOpenApiTransport
  • WSS OpenAPI (opc.wss:// and wss://) — OPC UA OpenAPI Mapping over secure WebSockets (Part 6 §7.5.2, sub-protocol opcua+openapi / opcua+openapi+<accesstoken>); official OPC Foundation profile/2339, URI http://opcfoundation.org/UA-Profile/Transport/wss-uajson-openapi.
    • Same on-wire {TypeId, Body} OPC UA JSON envelope as opcua+uajson, multiplexed over WebSocket text frames; distinguished by the negotiated sub-protocol and the advertised TransportProfileUri
    • Bearer-token variant negotiates the access token in the sub-protocol name (no Authorization header — required for browser fetch compatibility); the server extracts the token from the sub-protocol name and feeds it through the standard ISessionlessIdentityProvider pipeline
    • Server-side discovery emission: the WSS factories emit this sub-profile as a discovery-only twin alongside each SecurityMode.None WSS binary endpoint, mirroring the HTTPS OpenAPI emission
    • Client surface: Libraries/Opc.Ua.Client/WebApi/WebApiWssTransportChannel.cs; fluent shortcut ManagedSessionBuilder.UseWssOpenApiEndpoint(url); DI registration via services.AddWebApiTransportChannel() (registers both the HTTPS and the WSS WebApi channel factories)
    • Surfaced via Profiles.WssOpenApiTransport

PubSub transports

The PubSub library supports the following PubSub transport facets (URIs surfaced by Profiles.PubSub*Transport constants in Stack/Opc.Ua.Core/Security/Constants/SecurityConstants.cs). Facet machinery and conformance unit semantics are defined by Part 7 §4.3.

  • PubSub UDP UADP — UDP transport with UADP message encoding.
  • PubSub Ethernet UADP — Ethernet (Layer 2) transport with UADP message encoding (see PubSub transports).
  • PubSub MQTT UADP — MQTT transport with UADP message encoding.
  • PubSub MQTT JSON — MQTT transport with JSON message encoding.
  • Datagram-v2 connection profile — DatagramConnectionTransport2DataType (Part 14 §6.4.1.4) is honoured for UDP transports. The DiscoveryAnnounceRate, DiscoveryMaxMessageSize, and QosCategory fields drive discovery cadence and the IP DSCP TOS byte.
  • PubSub SKS pull / push — Part 14 §8.5.1 / §8.5.2: the AddPubSubSecurityKeyServiceClient extension implements the pull client (calls GetSecurityKeys on a remote SKS), and AddPubSubSecurityKeyServiceServer hosts the in-memory SKS with Get/SetSecurityKeys and AddSecurityGroup methods bound on the address space.
  • AES-128-CTR / AES-256-CTR with HMAC-SHA-256 — Part 14 §8.4.3 message security. Profiles registered as PubSubAes128CtrPolicy / PubSubAes256CtrPolicy; conformance to NIST SP 800-38A F.5.1 / F.5.5 is asserted by the test suite.
  • Anonymous certificate-based MQTT auth — the MQTT transport exposes the MqttClientAuthenticationOptions with the certificate-based variant from Part 14 §6.4.2.2.4.

PubSub additionally supports certificate-based MQTT authentication and considers WriterGroups in MQTT keep-alive calculations.

All transport profiles defined in OPC UA Part 6 §7.4 (HTTPS) and §7.5 (WebSockets) are supported, including the opcua+openapi and opcua+openapi+<accesstoken> WebSocket sub-protocols (Part 6 §7.5.2 Table 81).

Security Profiles

The stack supports the following security profiles for secure communication. The canonical set is defined in Stack/Opc.Ua.Core/Security/Constants/SecurityPolicies.cs.

RSA-based security policies

  • Basic256Sha256
    • 256-bit AES encryption
    • RSA-OAEP for key encryption
    • HMAC-SHA256 for message authentication
    • Minimum key size: 2048 bits
  • Aes128_Sha256_RsaOaep
    • 128-bit AES encryption
    • RSA-OAEP for key encryption
    • HMAC-SHA256 for message authentication
  • Aes256_Sha256_RsaPss
    • 256-bit AES encryption
    • RSA-PSS signatures
    • HMAC-SHA256 for message authentication

ECC-based security policies

ECC support is documented in detail in ECC Profiles.

Traditional ECC curves

Modern ECC curves (v2.0)

AES-GCM and ChaCha20-Poly1305 variants (v2.0)

Modern AEAD cipher alternatives for traditional ECC curves:

  • ECC_nistP256_AesGcm, ECC_nistP256_ChaChaPoly
  • ECC_nistP384_AesGcm, ECC_nistP384_ChaChaPoly
  • ECC_brainpoolP256r1_AesGcm, ECC_brainpoolP256r1_ChaChaPoly
  • ECC_brainpoolP384r1_AesGcm, ECC_brainpoolP384r1_ChaChaPoly

RSA Diffie-Hellman (v2.0)

  • RSA_DH_AesGcm — RSA Diffie-Hellman key agreement with AES-GCM
  • RSA_DH_ChaChaPoly — RSA Diffie-Hellman key agreement with ChaCha20-Poly1305

Platform requirements for ECC. ECC support is available on .NET Framework 4.8, .NET Standard 2.1, and .NET 5.0 or later. Modern curves (Curve25519, Curve448) and AEAD ciphers (AES-GCM, ChaCha20-Poly1305) require .NET 8.0 or later (AesGcm.IsSupported / ChaCha20Poly1305.IsSupported guard the runtime registration). Not all curves are supported by every OS platform and .NET implementation.

Deprecated security policies

The following security policies are deprecated but still supported for backward compatibility:

Note. SHA-1 signed certificates are rejected by default (RejectSHA1SignedCertificates configuration option). These deprecated policies should only be enabled for compatibility with legacy systems.

Security policy None

  • None — No security.
    • For testing or isolated networks only.
    • Not recommended for production environments.

User Authentication

The stack supports the following user authentication mechanisms:

  • Anonymous — No user authentication.
  • Username / Password — User credentials encrypted using the active security policy.
  • X.509 Certificate — User authentication via X.509 certificates.
  • Issued Token — Includes JSON Web Tokens (JWT) and other IssuerEndpointUrl-driven flows (OAuth2 / OIDC / Entra). The Identity Providers pluggable model (IClientIdentityProvider, IUserTokenAuthenticator, IAccessTokenProvider, ITokenIssuer, IIdentityClaims) is the recommended way to wire these in.

Certificate Types

The stack supports the following certificate types for application authentication:

RSA certificates

  • RsaSha256ApplicationCertificateType — RSA with SHA-256 signatures
    • Default minimum key size: 2048 bits
    • Recommended for production use

ECC certificates

  • EccNistP256ApplicationCertificateType
  • EccNistP384ApplicationCertificateType
  • EccBrainpoolP256r1ApplicationCertificateType
  • EccBrainpoolP384r1ApplicationCertificateType

The RejectSHA1SignedCertificates configuration option (on by default) prevents SHA-1 signed certificates from being accepted. See Certificates and Certificate Manager for storage, ref-counted lifetime, and the segregated-interface design.

Global Discovery Server (GDS)

The stack ships a Global Discovery Server implementation that is fully compliant with OPC UA Part 12, including:

  • Application registration and discovery.
  • Pull and Push certificate-management models, including pushing to arbitrary certificate groups and custom certificate groups on the GDS itself.
  • Sub-CA revocation without auto-creating an empty CRL.
  • Support for both RSA and ECC certificate types and CRLs.
  • AuthorizationService (OPC 10000-12 §9) — OAuth2-style StartRequestToken / FinishRequestToken issuance with a pluggable IAccessTokenProvider / ITokenIssuer.
  • KeyCredentialService (OPC 10000-12 §8) — Credential issuance for non-OPC UA services such as MQTT brokers and REST APIs, backed by IKeyCredentialRequestStore / ISecretStore.

See the GDS Developer Guide for the full feature breakdown and hosting integration. The Local Discovery Server is a separate library (Opc.Ua.Lds.Server) and reference application (ConsoleLdsServer) that advertises the Local Discovery Server 2017 facet.

Message Encoding

The stack supports the following message encoding formats:

  • UA Binary — OPC UA binary encoding (primary for UA-TCP and HTTPS).
  • UA XML — OPC UA XML encoding (for configuration import / export and PubSub Dataset XML).
  • UA JSON — OPC UA JSON encoding for PubSub MQTT.
  • UADP — UA Data Protocol for PubSub.

The 2.0 release ships a new JSON decoder / encoder, array / matrix abstractions, and a first-class ByteString type. See the 2.0 migration guide — Encoders and Complex Types for the encoder/decoder migration details and Complex Types for client-side decode of server-defined types.

Specification Compliance

  • OPC UA Specification: Version 1.05.07.
  • Certification: The reference server has been certified for compliance through an OPC Foundation Certification Test Lab.
  • Testing: All releases are verified for compliance using the latest Compliance Test Tool (CTT).

Configuration

Server profile configuration

Server profiles are configured in the server configuration file using the ServerProfileArray element. The reference server's default array is:

<ServerConfiguration>
  <!-- see https://profiles.opcfoundation.org/ for the canonical list of profile and facet URIs -->
  <ServerProfileArray>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/StandardUA2017</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/DataAccess</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/Methods</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/ReverseConnect</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/ClientRedundancy</ua:String>
  </ServerProfileArray>
</ServerConfiguration>

To advertise additional facets (Historical Access, Aggregates, Alarms & Conditions, File Access, Auditing, NodeManagement, State Machine, etc.) look up the canonical URI for the facet on https://profiles.opcfoundation.org/ and add it to ServerProfileArray. Only advertise a facet that the application genuinely implements — the Compliance Test Tool will exercise every claimed facet. Bringing the reference-server and CTT configs in line with the facets the stack actually implements is tracked in #3875.

Security policy configuration

Security policies are configured in the SecurityPolicies section:

<SecurityPolicies>
  <ServerSecurityPolicy>
    <SecurityMode>SignAndEncrypt_3</SecurityMode>
    <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
  </ServerSecurityPolicy>
  <ServerSecurityPolicy>
    <SecurityMode>SignAndEncrypt_3</SecurityMode>
    <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep</SecurityPolicyUri>
  </ServerSecurityPolicy>
  <!-- ECC security policies -->
  <ServerSecurityPolicy>
    <SecurityMode>SignAndEncrypt_3</SecurityMode>
    <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256</SecurityPolicyUri>
  </ServerSecurityPolicy>
</SecurityPolicies>

See the reference server configuration file for a complete example, or the CTT configuration file for the variant selected by --ctt.
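The two rules above (advertise only the facets the application genuinely implements, and keep None and deprecated policies out of production endpoints) are easy to violate by hand-editing the XML. The following is an added example, not code from the stack or its reference server: a stand-alone C# audit that parses the ServerProfileArray and SecurityPolicies sections of a configuration file with System.Xml.Linq. It matches elements by local name only, so it does not depend on the configuration namespaces or on any stack API. The set of implemented profile URIs passed to Audit, the choice of Basic128Rsa15 and Basic256 as the policies treated as deprecated (the SHA-1-era policies; this page does not enumerate its own deprecated list), the serialized SecurityMode names other than SignAndEncrypt_3, and the sample configuration are all assumptions constructed for the example.

```csharp
// Added example, not part of the OPC UA .NET Standard Stack: audit the
// ServerProfileArray and SecurityPolicies sections of a server config file.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class ServerConfigAudit
{
    public sealed record Finding(string Severity, string Message);

    // Assumption: the SHA-1-era policies are the ones treated as deprecated here.
    private static readonly HashSet<string> DeprecatedPolicies =
        new(StringComparer.Ordinal) { "Basic128Rsa15", "Basic256" };

    public static IReadOnlyList<Finding> Audit(string configXml, ISet<string> implementedProfiles)
    {
        XDocument doc = XDocument.Parse(configXml);
        var findings = new List<Finding>();

        // 1. The CTT exercises every claimed facet, so every advertised URI must
        //    be one the application actually implements.
        List<string> advertised = doc.Descendants()
            .Where(e => e.Name.LocalName == "ServerProfileArray")
            .Elements()
            .Select(e => e.Value.Trim())
            .ToList();
        foreach (string uri in advertised.Where(u => !implementedProfiles.Contains(u)))
            findings.Add(new Finding("ERROR",
                $"ServerProfileArray advertises '{uri}' but the application does not implement it."));
        foreach (var dup in advertised.GroupBy(u => u).Where(g => g.Count() > 1))
            findings.Add(new Finding("WARN", $"Profile '{dup.Key}' is listed {dup.Count()} times."));

        // 2. Each ServerSecurityPolicy: flag None, deprecated policies and
        //    sign-only modes. Mode strings are the serialized MessageSecurityMode
        //    names as they appear in the XML (assumed: None_1, Sign_2, SignAndEncrypt_3).
        bool hasStrongEndpoint = false;
        foreach (XElement policy in doc.Descendants().Where(e => e.Name.LocalName == "ServerSecurityPolicy"))
        {
            string mode = ChildValue(policy, "SecurityMode");
            string uri = ChildValue(policy, "SecurityPolicyUri");
            string name = uri.Substring(uri.IndexOf('#') + 1); // text after '#', or the whole URI

            if (name == "None" || mode == "None_1")
                findings.Add(new Finding("WARN",
                    $"Endpoint '{name}' / {mode} has no message security; acceptable only on isolated test networks."));
            else if (DeprecatedPolicies.Contains(name))
                findings.Add(new Finding("WARN",
                    $"Policy '{name}' is deprecated (SHA-1 era); enable it only for legacy peers."));
            else if (mode != "SignAndEncrypt_3")
                findings.Add(new Finding("INFO",
                    $"Policy '{name}' runs in {mode}: messages are signed but not encrypted."));
            else
                hasStrongEndpoint = true;
        }
        if (!hasStrongEndpoint)
            findings.Add(new Finding("ERROR", "No non-deprecated SignAndEncrypt_3 endpoint is configured."));

        return findings;
    }

    private static string ChildValue(XElement parent, string localName) =>
        parent.Elements().FirstOrDefault(e => e.Name.LocalName == localName)?.Value.Trim() ?? string.Empty;

    // Constructed sample: the reference server's five default profile URIs plus
    // a None endpoint and a deprecated policy, so the audit has something to flag.
    private const string SampleConfig = @"<ServerConfiguration xmlns:ua=""http://opcfoundation.org/UA/2008/02/Types.xsd"">
  <ServerProfileArray>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/StandardUA2017</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/DataAccess</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/Methods</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/ReverseConnect</ua:String>
    <ua:String>http://opcfoundation.org/UA-Profile/Server/ClientRedundancy</ua:String>
  </ServerProfileArray>
  <SecurityPolicies>
    <ServerSecurityPolicy><SecurityMode>None_1</SecurityMode><SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri></ServerSecurityPolicy>
    <ServerSecurityPolicy><SecurityMode>SignAndEncrypt_3</SecurityMode><SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri></ServerSecurityPolicy>
    <ServerSecurityPolicy><SecurityMode>SignAndEncrypt_3</SecurityMode><SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri></ServerSecurityPolicy>
  </SecurityPolicies>
</ServerConfiguration>";

    public static void Main()
    {
        // Constructed: this application has not implemented the ClientRedundancy
        // facet, so advertising it must be reported.
        var implemented = new HashSet<string>(StringComparer.Ordinal)
        {
            "http://opcfoundation.org/UA-Profile/Server/StandardUA2017",
            "http://opcfoundation.org/UA-Profile/Server/DataAccess",
            "http://opcfoundation.org/UA-Profile/Server/Methods",
            "http://opcfoundation.org/UA-Profile/Server/ReverseConnect",
        };
        foreach (Finding f in Audit(SampleConfig, implemented))
            Console.WriteLine($"[{f.Severity}] {f.Message}");
    }
}
```

Run against the constructed sample, the audit reports the ClientRedundancy URI as unimplemented, the None endpoint as unsecured, and Basic128Rsa15 as deprecated, while the Basic256Sha256 SignAndEncrypt_3 entry satisfies the strong-endpoint requirement. Running the same audit over the real reference-server or CTT configuration file, with the implemented set taken from the facets the application actually registers, is a cheap gate to add to a build before the CTT is pointed at the server.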

  • What's New in 2.0 — Narrative tour of the 1.5.378 → 2.0 changes, grouped by theme and layer.
  • Migration Guide — Prescriptive, per-API migration reference.
  • Subscriptions and Monitored Items — V2 ISubscriptionManager, declarative + imperative SetTriggering (N:M, replay on recreate / reconnect), and IStreamingSubscription.
  • Async Server Support — TAP-based AsyncCustomNodeManager and the IAsyncNodeManager family.
  • Dependency Injection — services.AddOpcUa() and the IOpcUaBuilder hosting surface.
  • Native AOT — AOT publishing, AOT-clean source generators, and the AOT test matrix.

References