Classic RSA and ECC servers
The 10 classic OPC UA servers — RSA and ECC, every policy and mode and authentication combination you're likely to test against.
Eight servers cover RSA, two cover ECC. They all share the same address space (~300 nodes); they differ in security policy, mode, and which auth methods they accept.
RSA servers
opcua-no-security — port 4840
endpoint: opc.tcp://localhost:4840/UA/TestServer
policy: None
mode: None
auth: Anonymous only
limits: MaxNodesPerRead=5, MaxNodesPerWrite=5
The simplest server. No crypto handshake, no credentials. Used for connectivity smoke-tests, browse/read/write tests, method calls, and subscription tests where security isn't relevant.
Limit notes. This is the only server with operation limits (5 nodes per read/write). Use it to verify your client handles the limit error path. Every other server is unlimited.
opcua-userpass — port 4841
endpoint: opc.tcp://localhost:4841/UA/TestServer
policy: Basic256Sha256
mode: SignAndEncrypt
auth: Username/Password
Encrypted channel, username/password identity. Anonymous is rejected.
Users in config/users.json:
| Username | Password | Role |
|---|---|---|
admin |
admin123 |
admin |
operator |
operator123 |
operator |
viewer |
viewer123 |
viewer |
test |
test |
admin |
opcua-certificate — port 4842
endpoint: opc.tcp://localhost:4842/UA/TestServer
policy: Basic256Sha256, Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss
mode: Sign, SignAndEncrypt
auth: X.509 Certificate only
X.509-only — no anonymous, no username. Strict cert validation: self-signed and expired certs are rejected (see Trust flow).
Multi-policy endpoint — GetEndpoints() returns 6 valid
combinations.
opcua-all-security — port 4843
endpoint: opc.tcp://localhost:4843/UA/TestServer
policy: None, Basic128Rsa15, Basic256, Basic256Sha256,
Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss
mode: None, Sign, SignAndEncrypt
auth: Anonymous, Username/Password, X.509 Certificate
The "kitchen sink". Every policy, every mode, every auth method.
GetEndpoints() returns 11 endpoint descriptors. The right
target for endpoint negotiation logic in your client — pick
strongest available, fall back gracefully, etc.
opcua-auto-accept — port 4845
endpoint: opc.tcp://localhost:4845/UA/TestServer
policy: Basic256Sha256
mode: SignAndEncrypt
auth: Anonymous, Username/Password, X.509 Certificate
extra: OPCUA_AUTO_ACCEPT_CERTS=true
Like opcua-userpass but with auto-trust enabled — any client
certificate is accepted on first contact (TOFU). Useful for
quick setup without distributing the client cert to the server's
trust store.
opcua-sign-only — port 4846
endpoint: opc.tcp://localhost:4846/UA/TestServer
policy: Basic256Sha256
mode: Sign
auth: Anonymous, Username/Password
Sign mode only — messages are signed but not encrypted. The wire is readable to anyone who can sniff it. Use to verify your client distinguishes Sign from SignAndEncrypt behaviour.
opcua-legacy — port 4847
endpoint: opc.tcp://localhost:4847/UA/TestServer
policy: Basic128Rsa15, Basic256
mode: Sign, SignAndEncrypt
auth: Anonymous, Username/Password
Deprecated policies. Useful for backward-compatibility tests — your client should connect but ideally warn the operator that the policies are weak.
ECC servers
opcua-ecc-nist — port 4848
endpoint: opc.tcp://localhost:4848/UA/TestServer
policy: ECC_nistP256, ECC_nistP384
mode: Sign, SignAndEncrypt
auth: Anonymous, Username/Password, X.509 Certificate
ECC with NIST curves. ECDSA signatures (SHA-256 / SHA-384), ephemeral ECDH key agreement. The server's own ECC certificate is auto-generated by UA-.NETStandard on first start.
For client-side ECC certificates see Authentication · Certificate authentication.
opcua-ecc-brainpool — port 4849
endpoint: opc.tcp://localhost:4849/UA/TestServer
policy: ECC_brainpoolP256r1, ECC_brainpoolP384r1
mode: Sign, SignAndEncrypt
auth: Anonymous, Username/Password, X.509 Certificate
ECC with Brainpool curves — the European BSI standard (BSI TR-03116). Functionally equivalent to NIST ECC but uses verifiably-random curve parameters. Useful for clients that need to interop with European regulatory environments.
Endpoint negotiation across all servers
opcua-all-security (4843) is the single best server to
test endpoint negotiation logic — its GetEndpoints() response
covers the most combinations. A robust client should:
- Call
GetEndpoints(). - Filter to endpoints whose
securityPolicyis not deprecated. - Prefer
SignAndEncryptoverSign. - Match identity-token types you support.
- Fall back gracefully if the preferred combination is unavailable.
For ECC-specific negotiation, opcua-ecc-nist and
opcua-ecc-brainpool together cover the modern profile.
Behaviour matrix
| Test | 4840 | 4841 | 4842 | 4843 | 4845 | 4846 | 4847 | 4848 | 4849 |
|---|---|---|---|---|---|---|---|---|---|
| Anonymous accepted | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Username accepted | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Client cert accepted | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
| Encrypts payloads | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Signs payloads | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Auto-accepts unknown client certs | ✓ | ||||||||
| Has deprecated policies | ✓ | ✓ | |||||||
| Uses ECC | ✓ | ✓ |
Where to read next
- Special-purpose servers — discovery, SKS, PubSub.
- Security · Policies and modes — the full policy / mode reference.