Secure Policy

A security policy determines which encryption and signature algorithms are applied to messages. The list of security policies that a server or client may use is defined in its configuration file.


Secure policy None applies no protection at all to messages: they are neither signed nor encrypted, so anyone on the network path can read and modify them. Use this secure policy only for testing. The following example shows how to configure a client that communicates with a server without encryption:

local ua = require("opcua.api")

local config = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:opcua-lua:example",
  productUri = "urn:opcua-lua:example",
  securePolicies = {
    { -- #1: unprotected channel, testing only
      securityPolicyUri = ua.Types.SecurityPolicy.None
    }
  }
}

local client = ua.newClient(config)
trace("connecting to server")
local endpointUrl = "opc.tcp://localhost:4841"
local err = client:connect(endpointUrl)
if err ~= nil then
  trace("connection failed: "..err)
else
  trace("Connected successfully")
end




Secure policy Basic128Rsa15 applies the following algorithms to messages:

  • Asymmetric encryption with RSA (PKCS#1 v1.5 padding) and a key size of 1024 or 2048 bits.

  • Symmetric encryption with AES-128 (CBC mode).

  • Message signatures based on SHA-1: RSA-SHA1 for the asymmetric OpenSecureChannel messages and HMAC-SHA1 for the symmetric messages that follow.

Note that the OPC UA specification deprecated Basic128Rsa15 in version 1.04 because SHA-1 and PKCS#1 v1.5 padding are no longer considered secure; use it only when the server offers nothing stronger.

The following example shows how to configure the Basic128Rsa15 secure policy. The None entry is still needed so the client can run endpoint discovery before opening the protected channel:

local ua = require("opcua.api")

local clientConfig = {
  applicationName = 'RealTimeLogic example',
  applicationUri = "urn:localhost:RealTimeLogic",

  securePolicies = {
    { -- #1 Required to discover secure policies
      securityPolicyUri = ua.Types.SecurityPolicy.None
    },
    { -- #2 Client certificate and private key for this policy
      securityPolicyUri = ua.Types.SecurityPolicy.Basic128Rsa15,
      securityMode = ua.Types.MessageSecurityMode.SignAndEncrypt,
      certificate = mako.cfgdir.."/certs/basic128rsa15_client.pem",
      key =         mako.cfgdir.."/certs/basic128rsa15_client.key",
    }
  }
}


Establishing a secure connection

When a client connects to a server it must open a secure channel and specify the secure policy to use. To discover the exact parameters of the policies a server offers, the client can send a GetEndpoints request; the server responds with all of its known endpoints together with the secure policy, message security mode and server certificate that apply to each. The following example shows how to discover an endpoint with the Basic128Rsa15 secure policy and open a signed and encrypted channel to it:

local c = ua.newClient(clientConfig)
local resp, err

-- Connect to the server (plain TCP; no secure channel yet)
err = c:connect("opc.tcp://localhost:4841")
if err ~= nil then error(err) end

-- Open a channel with secure policy None. Servers allow the
-- discovery services (GetEndpoints) in this mode.
resp, err = c:openSecureChannel(3600000,
  ua.Types.SecurityPolicy.None, ua.Types.MessageSecurityMode.None)
if err ~= nil then error(err) end

-- Fetch the endpoint list
resp, err = c:getEndpoints()
if err ~= nil then error(err) end

-- Close the secure channel (the TCP connection stays open)
err = c:closeSecureChannel()
if err ~= nil then error(err) end

-- Search the endpoints for the wanted secure policy
local basic128rsa15
for _, endpoint in ipairs(resp.endpoints) do
  if endpoint.securityPolicyUri == ua.Types.SecurityPolicy.Basic128Rsa15 then
    basic128rsa15 = endpoint
    break
  end
end

if not basic128rsa15 then
  error("Cannot find Basic128Rsa15 policy on the server")
end

-- Open the secure channel with the selected policy and the server
-- certificate taken from the discovered endpoint. The argument order
-- matches the None channel opened above.
resp, err = c:openSecureChannel(3600000,
  ua.Types.SecurityPolicy.Basic128Rsa15, ua.Types.MessageSecurityMode.SignAndEncrypt,
  basic128rsa15.serverCertificate)
if err ~= nil then error(err) end

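Searching for one hard-coded policy, as above, accepts whatever message security mode that endpoint happens to advertise, and breaks as soon as the server is reconfigured. The following added example (it is not part of the opcua-lua documentation or library) generalizes the search: it only considers policies the client configuration actually contains, rejects None and Sign-only endpoints unless a test flag is set, and among the remaining endpoints prefers the one with the highest server-assigned securityLevel. The endpoint field names securityMode, securityLevel and serverCertificate are the OPC UA EndpointDescription names and are assumed to be spelled that way in the decoded getEndpoints response; their values are assumed to compare equal to the constants in ua.Types, and the four-argument openSecureChannel call uses the same argument order as the discovery example above.

```lua
-- Added example, not part of the opcua-lua documentation or library.
local ua = require("opcua.api")

-- Pick the strongest endpoint the client can actually use.
--   endpoints    : resp.endpoints from client:getEndpoints()
--   clientConfig : the table passed to ua.newClient()
--   allowNone    : permit unprotected endpoints (test setups only)
-- Assumed endpoint field names (OPC UA EndpointDescription):
-- securityPolicyUri, securityMode, securityLevel, serverCertificate.
local function selectEndpoint(endpoints, clientConfig, allowNone)
  -- Only configured policies can be opened: the client certificate
  -- and key are looked up per policy.
  local configured = {}
  for _, p in ipairs(clientConfig.securePolicies or {}) do
    configured[p.securityPolicyUri] = true
  end

  local best
  for _, ep in ipairs(endpoints or {}) do
    local usable = configured[ep.securityPolicyUri] == true
    local unprotected = ep.securityPolicyUri == ua.Types.SecurityPolicy.None
                     or ep.securityMode == ua.Types.MessageSecurityMode.None
    if unprotected then
      -- No signing or encryption: anyone on the path can read and alter traffic.
      usable = usable and allowNone == true
    elseif ep.securityMode ~= ua.Types.MessageSecurityMode.SignAndEncrypt then
      -- Sign-only protects integrity but leaves payloads readable.
      usable = false
    end
    -- securityLevel is assigned by the server; use it only to rank
    -- endpoints that already passed the checks above.
    if usable and (not best or (ep.securityLevel or 0) > (best.securityLevel or 0)) then
      best = ep
    end
  end
  return best
end

-- Usage: the same discovery flow as the Basic128Rsa15 example, with the
-- hard-coded search replaced by selectEndpoint. clientConfig is the
-- table from the Basic128Rsa15 configuration example.
local c = ua.newClient(clientConfig)
local resp, err
err = c:connect("opc.tcp://localhost:4841")
if err ~= nil then error(err) end

resp, err = c:openSecureChannel(3600000,
  ua.Types.SecurityPolicy.None, ua.Types.MessageSecurityMode.None)
if err ~= nil then error(err) end
resp, err = c:getEndpoints()
if err ~= nil then error(err) end
err = c:closeSecureChannel()
if err ~= nil then error(err) end

local ep = selectEndpoint(resp.endpoints, clientConfig, false)
if not ep then
  error("server offers no SignAndEncrypt endpoint for a configured policy")
end
trace("selected policy "..ep.securityPolicyUri..
      " at level "..tostring(ep.securityLevel))

resp, err = c:openSecureChannel(3600000, ep.securityPolicyUri,
  ua.Types.MessageSecurityMode.SignAndEncrypt, ep.serverCertificate)
if err ~= nil then error(err) end
```

The policy and mode filters are what enforce the client's minimum; securityLevel is a hint the server chooses for itself, so it is only used as a tie-breaker after those filters. Passing allowNone as true is the single switch that permits an unprotected channel, which keeps the test-only setting visible at the call site instead of buried in the configuration.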