symfony-opcua · v4.3.x
Docs · Configuration

Security configuration

Security-relevant YAML keys grouped by purpose — policy, mode, app identity, user identity, trust store. The configuration tour; the deep dives are under Security.

The security-relevant keys in config/packages/php_opcua_symfony_opcua.yaml, grouped by purpose. Each one points at its dedicated page under Security for the why — this page is the where.

Policy and mode

text security & mode
php_opcua_symfony_opcua:
    connections:
        default:
            security_policy: '%env(OPCUA_SECURITY_POLICY)%'
            security_mode:   '%env(OPCUA_SECURITY_MODE)%'

Key                Values
security_policy    None, Basic128Rsa15, Basic256, Basic256Sha256, Aes128Sha256RsaOaep, Aes256Sha256RsaPss, ECC_nistP256, ECC_nistP384, ECC_brainpoolP256r1, ECC_brainpoolP384r1
security_mode      None, Sign, SignAndEncrypt

Defaults: both None. Anything beyond None requires client_certificate and client_key.

See Security · Policies and modes.

Application identity

text client cert
php_opcua_symfony_opcua:
    connections:
        default:
            client_certificate: '%env(OPCUA_CLIENT_CERT)%'
            client_key:         '%env(OPCUA_CLIENT_KEY)%'
            ca_certificate:     '%env(OPCUA_CA_CERT)%'

The client cert identifies the Symfony application to the OPC UA server at the secure-channel layer. Most servers require the cert's fingerprint or DN to be in their trust store.

See Security · Certificates.

User identity

OPC UA's session layer carries a user identity independent of the channel cert. Two options:

Username + password

text username
php_opcua_symfony_opcua:
    connections:
        default:
            username: '%env(OPCUA_USERNAME)%'
            password: '%env(secret:OPCUA_PASSWORD)%'

X.509 user certificate

text user cert
php_opcua_symfony_opcua:
    connections:
        default:
            user_certificate: '%env(OPCUA_USER_CERT)%'
            user_key:         '%env(OPCUA_USER_KEY)%'

If both are present, the user cert wins. If neither, the session is anonymous.

See Security · Credentials.

Trust store

text trust store
php_opcua_symfony_opcua:
    connections:
        default:
            trust_store_path:    '%env(OPCUA_TRUST_STORE_PATH)%'
            trust_policy:        '%env(OPCUA_TRUST_POLICY)%'
            auto_accept:         '%env(bool:OPCUA_AUTO_ACCEPT)%'
            auto_accept_force:   false

Key                 Values
trust_store_path    Filesystem path to the PKI store
trust_policy        fingerprint, fingerprint+expiry, full
auto_accept         true/false — TOFU mode
auto_accept_force   Re-accept previously rejected certs

In production, set auto_accept to false and pin server certs explicitly. See Security · Trust store.

Daemon-side security

The daemon has its own auth-token gate. Set this in production:

text auth token
php_opcua_symfony_opcua:
    session_manager:
        auth_token: '%env(secret:OPCUA_AUTH_TOKEN)%'

Generate a value with:

bash terminal
php -r 'echo bin2hex(random_bytes(32));'
# Then:
php bin/console secrets:set OPCUA_AUTH_TOKEN

See Session manager · Production supervisor.

Allowed certificate directories

The daemon can restrict where it'll load certs from:

text allowed cert dirs
php_opcua_symfony_opcua:
    session_manager:
        allowed_cert_dirs:
            - /etc/opcua/certs
            - '%kernel.project_dir%/var/opcua-pki'

This prevents an IPC peer from asking the daemon to read arbitrary filesystem paths via the open command: only certificate files under the listed directories can be opened.

Complete secured connection

text prod-shape
php_opcua_symfony_opcua:
    session_manager:
        enabled:           true
        auth_token:        '%env(secret:OPCUA_AUTH_TOKEN)%'
        allowed_cert_dirs: ['/etc/opcua/certs']

    connections:
        plc:
            endpoint:           '%env(OPCUA_ENDPOINT)%'
            timeout:            10.0
            security_policy:    Basic256Sha256
            security_mode:      SignAndEncrypt
            client_certificate: '%env(OPCUA_CLIENT_CERT)%'
            client_key:         '%env(OPCUA_CLIENT_KEY)%'
            ca_certificate:     '%env(OPCUA_CA_CERT)%'
            username:           '%env(OPCUA_USERNAME)%'
            password:           '%env(secret:OPCUA_PASSWORD)%'
            trust_store_path:   '%kernel.project_dir%/var/opcua-trust'
            trust_policy:       fingerprint+expiry
            auto_accept:        false

Note

auto_accept: true is for development only. It pins every server cert on first contact, so in production it disables server-cert validation the first time you connect.
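As an added check, not part of symfony-opcua, the script below audits the resolved bundle config (the array Symfony builds after %env()% substitution) against the rules on this page: anything beyond None needs client_certificate and client_key, auto_accept stays off in production, the daemon needs an auth_token, and cert paths must fall inside allowed_cert_dirs. It assumes the daemon opens a connection's cert paths on its behalf, so those paths are checked against allowed_cert_dirs; the sample config is constructed.

```php
<?php
// Added pre-deploy audit of the bundle config as Symfony resolves it (after
// %env()% substitution). Not part of symfony-opcua. Rules follow this page;
// the allowed_cert_dirs check assumes the daemon opens a connection's cert
// paths, so they must sit inside one of those directories.

function pathInside(string $path, array $dirs): bool
{
    foreach ($dirs as $dir) {
        if (str_starts_with($path, rtrim($dir, '/') . '/')) {
            return true;
        }
    }
    return false;
}

function auditOpcuaConfig(array $cfg): array
{
    $findings = [];
    $sm = $cfg['session_manager'] ?? [];
    if (($sm['enabled'] ?? false) && empty($sm['auth_token'])) {
        $findings[] = 'session_manager.auth_token is empty: daemon IPC is ungated';
    }
    $allowed = $sm['allowed_cert_dirs'] ?? [];
    foreach ($cfg['connections'] ?? [] as $name => $c) {
        $policy = $c['security_policy'] ?? 'None';
        $mode   = $c['security_mode'] ?? 'None';
        if ($policy === 'None' || $mode === 'None') {
            $findings[] = "$name: channel not secured (policy=$policy, mode=$mode)";
        } elseif (empty($c['client_certificate']) || empty($c['client_key'])) {
            $findings[] = "$name: $mode requires client_certificate and client_key";
        }
        if ($c['auto_accept'] ?? false) {
            $findings[] = "$name: auto_accept=true skips server-cert validation on first contact";
        }
        foreach (['client_certificate', 'client_key', 'ca_certificate'] as $k) {
            if ($allowed && !empty($c[$k]) && !pathInside($c[$k], $allowed)) {
                $findings[] = "$name: $k {$c[$k]} is outside allowed_cert_dirs";
            }
        }
    }
    return $findings;
}

// Constructed sample: the page's production shape with three deliberate slips.
$sample = ['session_manager' => ['enabled' => true, 'auth_token' => '', 'allowed_cert_dirs' => ['/etc/opcua/certs']],
    'connections' => ['plc' => ['security_policy' => 'Basic256Sha256', 'security_mode' => 'SignAndEncrypt',
        'client_certificate' => '/etc/opcua/certs/client.pem', 'client_key' => '/home/dev/client.key',
        'auto_accept' => true]]];
foreach (auditOpcuaConfig($sample) as $f) { echo "- $f\n"; }
```

Run it against the array returned by the container's resolved configuration (for instance from a console command) before promoting a config to production; the sample reports the empty auth_token, the key outside /etc/opcua/certs, and auto_accept.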

What lives where

Concern                          This file (config)                 Deep dive
Choosing a policy / mode         security_policy, security_mode     Policies and modes
Generating the client cert       (path only)                        Certificates
Pinning server certs             (path only)                        Trust store
Username / user-cert identity    username/password/user_*           Credentials