diff --git a/src/.vuepress/public/img/opc-ua-un-none-1.png b/src/.vuepress/public/img/opc-ua-un-none-1.png new file mode 100644 index 000000000..0d29120ba Binary files /dev/null and b/src/.vuepress/public/img/opc-ua-un-none-1.png differ diff --git a/src/.vuepress/public/img/opc-ua-un-none-2.png b/src/.vuepress/public/img/opc-ua-un-none-2.png new file mode 100644 index 000000000..cb276ade2 Binary files /dev/null and b/src/.vuepress/public/img/opc-ua-un-none-2.png differ diff --git a/src/UserGuide/Master/Tree/API/Programming-OPC-UA_timecho.md b/src/UserGuide/Master/Tree/API/Programming-OPC-UA_timecho.md index 80b5446b9..7d139aea2 100644 --- a/src/UserGuide/Master/Tree/API/Programming-OPC-UA_timecho.md +++ b/src/UserGuide/Master/Tree/API/Programming-OPC-UA_timecho.md 
@@ -61,22 +61,22 @@ CREATE PIPE p1 #### 2.1.2 Parameters -| **Parameter** | **Description** | **Value Range** | **Required** | **Default Value** | -| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |-------------------------------------------------------------------------------------------------------------------------------------| -------------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| sink | OPC UA SINK | String: opc-ua-sink | Required | | -| sink.opcua.model | OPC UA operational mode | String: client-server / pub-sub | Optional | client-server | -| sink.opcua.tcp.port | OPC UA TCP port | Integer: [0, 65536] | Optional | 12686 | -| sink.opcua.https.port | OPC UA HTTPS port | Integer: [0, 65536] | Optional | 8443 | -| sink.opcua.security.dir | OPC UA key and certificate directory | String: Path (supports absolute/relative paths) | Optional | 1. `opc_security` folder under IoTDB's DataNode conf directory `/`. 2. 
User home directory's `iotdb_opc_security` folder `/` if no IoTDB conf directory exists (e.g., when starting DataNode in IDEA) | +| **Parameter** | **Description** | **Value Range** | **Required** | **Default Value** | +| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |-------------------------------------------------------------------------------------------------------------------------------------| -------------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| sink | OPC UA SINK | String: opc-ua-sink | Required | | +| sink.opcua.model | OPC UA operational mode | String: client-server / pub-sub | Optional | client-server | +| sink.opcua.tcp.port | OPC UA TCP port | Integer: [0, 65536] | Optional | 12686 | +| sink.opcua.https.port | OPC UA HTTPS port | Integer: [0, 65536] | Optional | 8443 | +| sink.opcua.security.dir | OPC UA key and certificate directory | String: Path (supports absolute/relative paths) | Optional | 1. `opc_security` folder under IoTDB's DataNode conf directory `/`. 2. User home directory's `iotdb_opc_security` folder `/` if no IoTDB conf directory exists (e.g., when starting DataNode in IDEA) | | opcua.security-policy | Security policy used for OPC UA connections (case-insensitive). Multiple policies can be configured and separated by commas. 
After configuring one policy, clients can only connect using that policy. Default implementation supports `None` and `Basic256Sha256`. Should be set to a non-`None` policy by default. `None` policy is only for debugging (convenient but insecure; not recommended for production). Note: Supported since V2.0.8, only for client-server mode. | String (security level increases):`None`,`Basic128Rsa15`,`Basic256`,`Basic256Sha256`,`Aes128_Sha256_RsaOaep`,`Aes256_Sha256_RsaPss` | Optional | `Basic256Sha256,Aes128_Sha256_RsaOaep,Aes256_Sha256_RsaPss` | -| sink.opcua.enable-anonymous-access | Whether OPC UA allows anonymous access | Boolean | Optional | true | -| sink.user | User (OPC UA allowed user) | String | Optional | root | -| sink.password | Password (OPC UA allowed password) | String | Optional | TimechoDB@2021 (Default was 'root' before V2.0.6.x) | +| sink.opcua.enable-anonymous-access | Whether OPC UA allows anonymous access | Boolean | Optional | true | +| sink.user | User (OPC UA allowed user) | String | Optional | root | +| sink.password | Password (OPC UA allowed password) | String | Optional | TimechoDB@2021 (Default was 'root' before V2.0.6.x) | | opcua.with-quality | Whether OPC UA publishes data in value + quality mode. When enabled, system processes data as follows:1. Both value and quality present → Push directly to OPC UA Server.2. Only value present → Quality automatically filled as UNCERTAIN (default, configurable).3. Only quality present → Ignore write (no processing).4. Non-value/quality fields present → Ignore data and log warning (configurable log frequency to avoid high-frequency interference).5. Quality type restriction: Only boolean type supported (true = GOOD, false = BAD).**Note**: Supported since V2.0.8, only for client-server mode | Boolean | Optional | false | -| opcua.value-name | Effective when `with-quality` = true, specifies the name of the value point. 
**Note**: Supported since V2.0.8, only for client-server mode | String | Optional | value | -| opcua.quality-name | Effective when `with-quality` = true, specifies the name of the quality point. **Note**: Supported since V2.0.8, only for client-server mode | String | Optional | quality | -| opcua.default-quality | When no quality is provided, specify `GOOD`/`UNCERTAIN`/`BAD` via SQL parameter. **Note**: Supported since V2.0.8, only for client-server mode | String: `GOOD`/`UNCERTAIN`/`BAD` | Optional | `UNCERTAIN` | -| opcua.timeout-seconds | Client connection timeout in seconds (effective only when IoTDB acts as client). **Note**: Supported since V2.0.8, only for client-server mode | Long | Optional | 10L | +| opcua.value-name | Effective when `with-quality` = true, specifies the name of the value point. **Note**: Supported since V2.0.8, only for client-server mode | String | Optional | value | +| opcua.quality-name | Effective when `with-quality` = true, specifies the name of the quality point. **Note**: Supported since V2.0.8, only for client-server mode | String | Optional | quality | +| opcua.default-quality | When no quality is provided, specify `GOOD`/`UNCERTAIN`/`BAD` via SQL parameter. **Note**: Supported since V2.0.8, only for client-server mode | String: `GOOD`/`UNCERTAIN`/`BAD` | Optional | `UNCERTAIN` | +| opcua.timeout-seconds | Client connection timeout in seconds (effective only when IoTDB acts as client). **Note**: Supported since V2.0.8, only for client-server mode | Long | Optional | 10L | #### 2.1.3 Example 
@@ -110,12 +110,13 @@ In this mode, IoTDB's stream processing engine establishes a connection with the 2. Install UAExpert and configure certificate information. ##### 2.2.1.2 Quick Start - +###### 2.2.1.2.1 Scenarios Supporting the None Security Policy 1. Start OPC UA service using SQL (detailed syntax see [IoTDB OPC Server Syntax](./Programming-OPC-UA_timecho.md#_2-1-语法)): ```SQL -CREATE PIPE p1 WITH SINK ('sink'='opc-ua-sink'); +create pipe p1 with sink ('sink'='opc-ua-sink', 'opcua.security-policy'='AES128_SHA256_RSAOAEP, AES256_SHA256_RSAPSS, BASIC256SHA256, NONE'); ``` +Note: Since version V2.0.8.1, None is no longer supported by default. To use it, you must manually enable it via the security-policy parameter as shown above. 2. Write some data: 
@@ -124,9 +125,70 @@ INSERT INTO root.test.db(time, s2) VALUES(NOW(), 2); ``` 3. Configure UAExpert to connect to IoTDB (password matches `sink.password` configured above, e.g., root/TimechoDB@2021): + + ::: center + + + + ::: + + ::: center + + + + ::: + 4. Trust the server certificate, then view written data under Objects folder on the left: + + ::: center + + + + ::: + + ::: center + + + + ::: + + Note: Since the SecurityPolicy is set to None, mutual certificate trust is not required. For production environments, it is recommended to use a non-None SecurityPolicy for connection, which requires mutual certificate trust. For operations, refer to the Pub/Sub mode section below. In the Client/Server certificate directory (search for the keyword keyStore in the printed logs), move the contents in reject to trusted/certs. Follow the sequence: connect → move server directory → connect → move client directory → connect. + + 5. Drag left nodes to the middle to display latest value: + ::: center + + + + ::: + +###### 2.2.1.2.2 Scenarios Not Supporting the None Security Policy +1. Use the following SQL to create and start the OPC UA service. + ```SQL + create pipe p1 with sink ('sink'='opc-ua-sink'); + ``` + + Note: Since version V2.0.8.1, OpcUaSink no longer supports None mode by default for security considerations. + +2. Insert some test data. + ```SQL + insert into root.test.db(time, s2) values(now(), 2); + ``` + +3. Configure the IoTDB connection in UAExpert: + + - Do not access the URL directly; endpoints must be discovered using the Discover method + - The client first sends a GetEndpoints request with the None policy to retrieve the endpoint list + - It then selects the corresponding encrypted endpoint based on the configured Basic256Sha256 + SignAndEncrypt to establish an encrypted connection + + ![](/img/opc-ua-un-none-1.png) + +4. Use the same username and password configuration as above. 
After selecting the relevant connection mode (Sign / Sign & Encrypt), if the following prompt appears, click Ignore to connect directly. + + ![](/img/opc-ua-un-none-2.png) + + #### 2.2.2 Pub/Sub Mode In this mode, IoTDB's stream processing engine sends data change events to the OPC UA Server (Server) via OPC UA Sink. These events are published to the server's message queue and managed via Event Nodes. Other OPC UA clients (Clients) can subscribe to these Event Nodes to receive notifications when data changes. diff --git a/src/UserGuide/V1.3.x/API/Programming-OPC-UA_timecho.md b/src/UserGuide/V1.3.x/API/Programming-OPC-UA_timecho.md index 31890ac50..5cca37d1c 100644 --- a/src/UserGuide/V1.3.x/API/Programming-OPC-UA_timecho.md +++ b/src/UserGuide/V1.3.x/API/Programming-OPC-UA_timecho.md @@ -92,13 +92,16 @@ In this mode, IoTDB's stream processing engine establishes a connection with the 2. Install UAExpert and fill in your own certificate information. #### Quick Start +##### Scenarios Supporting the None Security Policy 1. Use the following SQL to create and start the OPC UA Sink in client-server mode. For detailed syntax, please refer to: [IoTDB OPC Server Syntax](#syntax) ```sql - create pipe p1 with sink ('sink'='opc-ua-sink'); + create pipe p1 with sink ('sink'='opc-ua-sink', 'opcua.security-policy'='AES128_SHA256_RSAOAEP, AES256_SHA256_RSAPSS, BASIC256SHA256, NONE'); ``` + Note: Since version V1.3.7.2, None is no longer supported by default. To use it, you must manually enable it via the security-policy parameter as shown above. + 2. Write some data. ```sql 
@@ -135,6 +138,9 @@ In this mode, IoTDB's stream processing engine establishes a connection with the ::: + Note: Since the SecurityPolicy is set to None, mutual certificate trust is not required. For production environments, it is recommended to use a non-None SecurityPolicy for connection, which requires mutual certificate trust. For operations, refer to the Pub/Sub mode section below. In the Client/Server certificate directory (search for the keyword keyStore in the printed logs), move the contents in reject to trusted/certs. Follow the sequence: connect → move server directory → connect → move client directory → connect. + + 5. You can drag the node on the left to the center and display the latest value of that node: ::: center 
@@ -143,6 +149,32 @@ In this mode, IoTDB's stream processing engine establishes a connection with the ::: +##### Scenarios Not Supporting the None Security Policy +1. Use the following SQL to create and start the OPC UA service. + ```SQL + create pipe p1 with sink ('sink'='opc-ua-sink'); + ``` + + Note: Since version V1.3.7.2, OpcUaSink no longer supports None mode by default for security considerations. + +2. Insert some test data. + ```SQL + insert into root.test.db(time, s2) values(now(), 2); + ``` + +3. Configure the IoTDB connection in UAExpert: + + - Do not access the URL directly; endpoints must be discovered using the Discover method + - The client first sends a GetEndpoints request with the None policy to retrieve the endpoint list + - It then selects the corresponding encrypted endpoint based on the configured Basic256Sha256 + SignAndEncrypt to establish an encrypted connection + + ![](/img/opc-ua-un-none-1.png) + +4. Use the same username and password configuration as above. After selecting the relevant connection mode (Sign / Sign & Encrypt), if the following prompt appears, click Ignore to connect directly. + + ![](/img/opc-ua-un-none-2.png) + + ### Pub / Sub Mode In this mode, IoTDB's stream processing engine sends data change events to the OPC UA Server through an OPC UA Sink. These events are published to the server's message queue and managed through Event Nodes. Other OPC UA Clients can subscribe to these Event Nodes to receive notifications upon data changes. diff --git a/src/UserGuide/dev-1.3/API/Programming-OPC-UA_timecho.md b/src/UserGuide/dev-1.3/API/Programming-OPC-UA_timecho.md index 31890ac50..5cca37d1c 100644 --- a/src/UserGuide/dev-1.3/API/Programming-OPC-UA_timecho.md +++ b/src/UserGuide/dev-1.3/API/Programming-OPC-UA_timecho.md 
@@ -92,13 +92,16 @@ In this mode, IoTDB's stream processing engine establishes a connection with the 2. Install UAExpert and fill in your own certificate information. #### Quick Start +##### Scenarios Supporting the None Security Policy 1. Use the following SQL to create and start the OPC UA Sink in client-server mode. For detailed syntax, please refer to: [IoTDB OPC Server Syntax](#syntax) ```sql - create pipe p1 with sink ('sink'='opc-ua-sink'); + create pipe p1 with sink ('sink'='opc-ua-sink', 'opcua.security-policy'='AES128_SHA256_RSAOAEP, AES256_SHA256_RSAPSS, BASIC256SHA256, NONE'); ``` + Note: Since version V1.3.7.2, None is no longer supported by default. To use it, you must manually enable it via the security-policy parameter as shown above. + 2. Write some data. ```sql @@ -135,6 +138,9 @@ In this mode, IoTDB's stream processing engine establishes a connection with the ::: + Note: Since the SecurityPolicy is set to None, mutual certificate trust is not required. For production environments, it is recommended to use a non-None SecurityPolicy for connection, which requires mutual certificate trust. For operations, refer to the Pub/Sub mode section below. In the Client/Server certificate directory (search for the keyword keyStore in the printed logs), move the contents in reject to trusted/certs. Follow the sequence: connect → move server directory → connect → move client directory → connect. + + 5. You can drag the node on the left to the center and display the latest value of that node: ::: center 
@@ -143,6 +149,32 @@ In this mode, IoTDB's stream processing engine establishes a connection with the ::: +##### Scenarios Not Supporting the None Security Policy +1. Use the following SQL to create and start the OPC UA service. + ```SQL + create pipe p1 with sink ('sink'='opc-ua-sink'); + ``` + + Note: Since version V1.3.7.2, OpcUaSink no longer supports None mode by default for security considerations. + +2. Insert some test data. + ```SQL + insert into root.test.db(time, s2) values(now(), 2); + ``` + +3. Configure the IoTDB connection in UAExpert: + + - Do not access the URL directly; endpoints must be discovered using the Discover method + - The client first sends a GetEndpoints request with the None policy to retrieve the endpoint list + - It then selects the corresponding encrypted endpoint based on the configured Basic256Sha256 + SignAndEncrypt to establish an encrypted connection + + ![](/img/opc-ua-un-none-1.png) + +4. Use the same username and password configuration as above. After selecting the relevant connection mode (Sign / Sign & Encrypt), if the following prompt appears, click Ignore to connect directly. + + ![](/img/opc-ua-un-none-2.png) + + ### Pub / Sub Mode In this mode, IoTDB's stream processing engine sends data change events to the OPC UA Server through an OPC UA Sink. These events are published to the server's message queue and managed through Event Nodes. Other OPC UA Clients can subscribe to these Event Nodes to receive notifications upon data changes. diff --git a/src/UserGuide/latest/API/Programming-OPC-UA_timecho.md b/src/UserGuide/latest/API/Programming-OPC-UA_timecho.md index 149f989e1..7d139aea2 100644 --- a/src/UserGuide/latest/API/Programming-OPC-UA_timecho.md +++ b/src/UserGuide/latest/API/Programming-OPC-UA_timecho.md 
@@ -110,12 +110,13 @@ In this mode, IoTDB's stream processing engine establishes a connection with the 2. Install UAExpert and configure certificate information. ##### 2.2.1.2 Quick Start - +###### 2.2.1.2.1 Scenarios Supporting the None Security Policy 1. Start OPC UA service using SQL (detailed syntax see [IoTDB OPC Server Syntax](./Programming-OPC-UA_timecho.md#_2-1-语法)): ```SQL -CREATE PIPE p1 WITH SINK ('sink'='opc-ua-sink'); +create pipe p1 with sink ('sink'='opc-ua-sink', 'opcua.security-policy'='AES128_SHA256_RSAOAEP, AES256_SHA256_RSAPSS, BASIC256SHA256, NONE'); ``` +Note: Since version V2.0.8.1, None is no longer supported by default. To use it, you must manually enable it via the security-policy parameter as shown above. 2. Write some data: 
@@ -124,9 +125,70 @@ INSERT INTO root.test.db(time, s2) VALUES(NOW(), 2); ``` 3. Configure UAExpert to connect to IoTDB (password matches `sink.password` configured above, e.g., root/TimechoDB@2021): + + ::: center + + + + ::: + + ::: center + + + + ::: + 4. Trust the server certificate, then view written data under Objects folder on the left: + + ::: center + + + + ::: + + ::: center + + + + ::: + + Note: Since the SecurityPolicy is set to None, mutual certificate trust is not required. For production environments, it is recommended to use a non-None SecurityPolicy for connection, which requires mutual certificate trust. For operations, refer to the Pub/Sub mode section below. In the Client/Server certificate directory (search for the keyword keyStore in the printed logs), move the contents in reject to trusted/certs. Follow the sequence: connect → move server directory → connect → move client directory → connect. + + 5. Drag left nodes to the middle to display latest value: + ::: center + + + + ::: + +###### 2.2.1.2.2 Scenarios Not Supporting the None Security Policy +1. Use the following SQL to create and start the OPC UA service. + ```SQL + create pipe p1 with sink ('sink'='opc-ua-sink'); + ``` + + Note: Since version V2.0.8.1, OpcUaSink no longer supports None mode by default for security considerations. + +2. Insert some test data. + ```SQL + insert into root.test.db(time, s2) values(now(), 2); + ``` + +3. Configure the IoTDB connection in UAExpert: + + - Do not access the URL directly; endpoints must be discovered using the Discover method + - The client first sends a GetEndpoints request with the None policy to retrieve the endpoint list + - It then selects the corresponding encrypted endpoint based on the configured Basic256Sha256 + SignAndEncrypt to establish an encrypted connection + + ![](/img/opc-ua-un-none-1.png) + +4. Use the same username and password configuration as above. 
After selecting the relevant connection mode (Sign / Sign & Encrypt), if the following prompt appears, click Ignore to connect directly. + + ![](/img/opc-ua-un-none-2.png) + + #### 2.2.2 Pub/Sub Mode In this mode, IoTDB's stream processing engine sends data change events to the OPC UA Server (Server) via OPC UA Sink. These events are published to the server's message queue and managed via Event Nodes. Other OPC UA clients (Clients) can subscribe to these Event Nodes to receive notifications when data changes. diff --git a/src/zh/UserGuide/Master/Tree/API/Programming-OPC-UA_timecho.md b/src/zh/UserGuide/Master/Tree/API/Programming-OPC-UA_timecho.md index cb545a4d1..f53d8d036 100644 --- a/src/zh/UserGuide/Master/Tree/API/Programming-OPC-UA_timecho.md +++ b/src/zh/UserGuide/Master/Tree/API/Programming-OPC-UA_timecho.md 
@@ -61,22 +61,22 @@ create pipe p1 #### 2.1.2 参数 -| **参数** | **描述** | **取值范围** | **是否必填** | **默认值** | -| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |------------------------------------------------------------------------------------------------------------------------------------------| -------------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| sink | OPC UA SINK | String: opc-ua-sink | 必填 | | -| sink.opcua.model | OPC UA 使用的模式 | String: client-server / pub-sub | 选填 | client-server | -| sink.opcua.tcp.port | OPC UA 的 TCP 端口 | Integer: [0, 65536] | 选填 | 12686 | -| sink.opcua.https.port | OPC UA 的 HTTPS 端口 | Integer: [0, 65536] | 选填 | 8443 | -| sink.opcua.security.dir | OPC UA 的密钥及证书目录 | String: Path,支持绝对及相对目录 | 选填 | 1. iotdb 相关 DataNode 的 conf 目录下的 `opc_security` 文件夹 `/`。2. 如无 iotdb 的 conf 目录(例如 IDEA 中启动 DataNode),则为用户主目录下的 `iotdb_opc_security` 文件夹 `/` | -| opcua.security-policy | OPC UA 连接使用的安全策略,不区分大小写。可以配置多个,用`,`连接。配置一个安全策略后,client 才能用对应的策略连接。当前实现默认支持`None`和`Basic256Sha256`策略,应该默认改为任意的非`None`策略,`None`策略在调试环境中单独配置,因为`None`策略虽然不需移动证书,操作方便,但是不安全,生产环境的 server 不建议支持该策略。注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | String(安全性依次递增):
`None`
`Basic128Rsa15`
`Basic256`
`Basic256Sha256`
`Aes128_Sha256_RsaOaep`
`Aes256_Sha256_RsaPss` | 选填| `Basic256Sha256`,`Aes128_Sha256_RsaOaep`,`lAes256_Sha256_RsaPss` | -| sink.opcua.enable-anonymous-access | OPC UA 是否允许匿名访问 | Boolean | 选填 | true | -| sink.user | 用户,这里指 OPC UA 的允许用户 | String | 选填 | root | -| sink.password | 密码,这里指 OPC UA 的允许密码 | String | 选填 | TimechoDB@2021(V2.0.6.x 之前默认密码为root) | +| **参数** | **描述** | **取值范围** | **是否必填** | **默认值** | +| ------------------------------------ |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------| -------------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| sink | OPC UA SINK | String: opc-ua-sink | 必填 | | +| sink.opcua.model | OPC UA 使用的模式 | String: client-server / pub-sub | 选填 | client-server | +| sink.opcua.tcp.port | OPC UA 的 TCP 端口 | Integer: [0, 65536] | 选填 | 12686 | +| sink.opcua.https.port | OPC UA 的 HTTPS 端口 | Integer: [0, 65536] | 选填 | 8443 | +| sink.opcua.security.dir | OPC UA 的密钥及证书目录 | String: Path,支持绝对及相对目录 | 选填 | 1. iotdb 相关 DataNode 的 conf 目录下的 `opc_security` 文件夹 `/`。2. 如无 iotdb 的 conf 目录(例如 IDEA 中启动 DataNode),则为用户主目录下的 `iotdb_opc_security` 文件夹 `/` | +| opcua.security-policy | OPC UA 连接使用的安全策略,不区分大小写。可以配置多个,用`,`连接。配置一个安全策略后,client 才能用对应的策略连接。当前实现默认支持`None`和`Basic256Sha256`策略,应该默认改为任意的非`None`策略,`None`策略在调试环境中单独配置,因为`None`策略虽然不需移动证书,操作方便,但是不安全,生产环境的 server 不建议支持该策略。注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | String(安全性依次递增):
`None`
`Basic128Rsa15`
`Basic256`
`Basic256Sha256`
`Aes128_Sha256_RsaOaep`
`Aes256_Sha256_RsaPss` | 选填| `Basic256Sha256`,`Aes128_Sha256_RsaOaep`,`lAes256_Sha256_RsaPss` | +| sink.opcua.enable-anonymous-access | OPC UA 是否允许匿名访问 | Boolean | 选填 | true | +| sink.user | 用户,这里指 OPC UA 的允许用户 | String | 选填 | root | +| sink.password | 密码,这里指 OPC UA 的允许密码 | String | 选填 | TimechoDB@2021(V2.0.6.x 之前默认密码为root) | | opcua.with-quality | OPC UA 的测点发布是否为 value + quality 模式。启用配置后,系统将按以下规则处理写入数据:
1. 同时包含 value 和 quality,则直接推送至 OPC UA Server。
2. 仅包含 value,则 quality 自动填充为 UNCERTAIN(默认值,支持自定义配置)。
3. 仅包含 quality,则该写入被忽略,不进行任何处理。
4. 包含非 value/quality 字段,则忽略该数据,并记录警告日志(日志频率可配置,避免高频干扰)。
5. quality 类型限制:目前仅支持布尔类型(true 表示 GOOD,false 表示 BAD); 注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | Boolean | 选填 | false | -| opcua.value-name | With-quality 为 true 时生效,表示 value 测点的名字。 注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | String | 选填 | value | -| opcua.quality-name | With-quality 为 true 时生效,表示 quality 测点的名字。 注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | String | 选填 | quality | -| opcua.default-quality | 没有 quality 时,可以通过 SQL 参数指定`GOOD`/`UNCERTAIN`/`BAD`。 注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | String:`GOOD`/`UNCERTAIN`/`BAD` | 选填 | `UNCERTAIN` | -| opcua.timeout-seconds | Client 连接 server 的超时秒数,仅在 IoTDB 为 client 时生效 注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | Long | 选填 | 10L | +| opcua.value-name | With-quality 为 true 时生效,表示 value 测点的名字。 注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | String | 选填 | value | +| opcua.quality-name | With-quality 为 true 时生效,表示 quality 测点的名字。 注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | String | 选填 | quality | +| opcua.default-quality | 没有 quality 时,可以通过 SQL 参数指定`GOOD`/`UNCERTAIN`/`BAD`。 注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | String:`GOOD`/`UNCERTAIN`/`BAD` | 选填 | `UNCERTAIN` | +| opcua.timeout-seconds | Client 连接 server 的超时秒数,仅在 IoTDB 为 client 时生效 注意:V2.0.8 起支持该参数,且仅支持 client-server 模式 | Long | 选填 | 10L | #### 2.1.3 示例 @@ -107,16 +107,18 @@ start pipe p1; 2. 安装 UAExpert,填写自身的证书等信息。 ##### 2.2.1.2 快速开始 +###### 2.2.1.2.1 支持 None 安全策略的场景 1. 使用如下 sql,启动 OPC UA 服务。详细语法参见上文:[IoTDB OPC Server语法](./Programming-OPC-UA_timecho.md#_2-1-语法) ```SQL -create pipe p1 with sink ('sink'='opc-ua-sink'); +create pipe p1 with sink ('sink'='opc-ua-sink', 'opcua.security-policy'='AES128_SHA256_RSAOAEP, AES256_SHA256_RSAPSS, BASIC256SHA256, NONE'); ``` +注意:在 2.0.8.1 及以上版本中,默认不再支持 `None`,如需使用必须通过 `security-policy` 参数手动开启,如上所示。 2. 写入部分数据。 ```SQL -insert into root.test.db(time, s2) values(now(), 2) +insert into root.test.db(time, s2) values(now(), 2); ``` 3. 在 UAExpert 中配置 iotdb 的连接,其中 password 填写为上述参数配置中 sink.password 中设定的密码(此处用户名、密码以2.3小节示例中配置的 root/root 为例): 
@@ -139,12 +141,37 @@ insert into root.test.db(time, s2) values(now(), 2) +注意:由于此处配置的 `SecurityPolicy` 为 `None`,因此不需要相互信任证书。生产环境建议使用非 `None` 的 `SecurityPolicy` 进行连接,此时需要相互信任证书,操作步骤可以见下文 `Pub/Sub` 模式,在 `Client/Server` 的证书目录下(可以在打印的日志中找 keyStore 关键词),将 reject 的内容挪到 `trusted/certs`下即可,采用连接、移动 server 目录、连接、移动 client 目录、连接的顺序。 + 5. 可以将左侧节点拖动到中间,并展示该节点的最新值:
+###### 2.2.1.2.2 不支持 None 安全策略的场景 +1. 使用如下 sql,创建并启动 OPC UA 服务。 + ```SQL + create pipe p1 with sink ('sink'='opc-ua-sink'); + ``` + 注意:从 2.0.8.1 版本开始,`OpcUaSink` 出于安全考虑,默认不再支持 `None` 模式。 + +2. 写入部分数据。 + ```SQL + insert into root.test.db(time, s2) values(now(), 2); + ``` + +3. 在 UAExpert 中配置 IoTDB 连接: + - 不可直接访问 `URL`,必须通过 `Discover` 方式发现端点 + - 客户端会先使用 `None` 策略发送 `GetEndpoints` 请求获取端点列表 + - 再根据配置的 `Basic256Sha256 + SignAndEncrypt` 选择对应加密端点建立加密连接 + +![](/img/opc-ua-un-none-1.png) + +4. 用户名密码配置同上,点击相关的连接模式后(`Sign` / `Sign & Encrypt`),如果出现以下内容,点 `Ignore` 直接连。 + +![](/img/opc-ua-un-none-2.png) + #### 2.2.2 Pub / Sub 模式 在这种模式下,IoTDB的流处理引擎通过 OPC UA Sink 向OPC UA 服务器(Server)发送数据变更事件。这些事件被发布到服务器的消息队列中,并通过事件节点 (Event Node) 进行管理。其他OPC UA客户端(Client)可以订阅这些事件节点,以便在数据变更时接收通知。 diff --git a/src/zh/UserGuide/V1.3.x/API/Programming-OPC-UA_timecho.md b/src/zh/UserGuide/V1.3.x/API/Programming-OPC-UA_timecho.md index 917b211ee..6661ae168 100644 --- a/src/zh/UserGuide/V1.3.x/API/Programming-OPC-UA_timecho.md +++ b/src/zh/UserGuide/V1.3.x/API/Programming-OPC-UA_timecho.md @@ -93,12 +93,13 @@ start pipe p1; 2. 安装 UAExpert,填写自身的证书等信息。 #### 快速开始 - +##### 支持 None 安全策略的场景 1. 使用如下 sql,创建并启动 client-server 模式的 OPC UA Sink。详细语法参见上文:[IoTDB OPC Server语法](#语法) ```SQL -create pipe p1 with sink ('sink'='opc-ua-sink'); +create pipe p1 with sink ('sink'='opc-ua-sink', 'opcua.security-policy'='AES128_SHA256_RSAOAEP, AES256_SHA256_RSAPSS, BASIC256SHA256, NONE'); ``` +注意:在 V1.3.7.2 及以上版本中,默认不再支持 `None`,如需使用必须通过 `security-policy` 参数手动开启,如上所示。 2. 写入部分数据。 @@ -106,7 +107,7 @@ create pipe p1 with sink ('sink'='opc-ua-sink'); insert into root.test.db(time, s2) values(now(), 2) ``` -​ 此处自动创建元数据开启。 +此处自动创建元数据开启。 3. 在 UAExpert 中配置 iotdb 的连接,其中 password 填写为上述参数配置中 sink.password 中设定的密码(此处以默认密码root为例): 
@@ -128,12 +129,37 @@ insert into root.test.db(time, s2) values(now(), 2) +注意:由于此处配置的 `SecurityPolicy` 为 `None`,因此不需要相互信任证书。生产环境建议使用非 `None` 的 `SecurityPolicy` 进行连接,此时需要相互信任证书,操作步骤可以见下文 `Pub/Sub` 模式,在 `Client/Server` 的证书目录下(可以在打印的日志中找 keyStore 关键词),将 reject 的内容挪到 `trusted/certs`下即可,采用连接、移动 server 目录、连接、移动 client 目录、连接的顺序。 + 5. 可以将左侧节点拖动到中间,并展示该节点的最新值:
+##### 不支持 None 安全策略的场景 +1. 使用如下 sql,创建并启动 OPC UA 服务。 + ```SQL + create pipe p1 with sink ('sink'='opc-ua-sink'); + ``` + 注意:从 V1.3.7.2 版本开始,`OpcUaSink` 出于安全考虑,默认不再支持 `None` 模式。 + +2. 写入部分数据。 + ```SQL + insert into root.test.db(time, s2) values(now(), 2); + ``` + +3. 在 UAExpert 中配置 IoTDB 连接: + - 不可直接访问 `URL`,必须通过 `Discover` 方式发现端点 + - 客户端会先使用 `None` 策略发送 `GetEndpoints` 请求获取端点列表 + - 再根据配置的 `Basic256Sha256 + SignAndEncrypt` 选择对应加密端点建立加密连接 + +![](/img/opc-ua-un-none-1.png) + +4. 用户名密码配置同上,点击相关的连接模式后(`Sign` / `Sign & Encrypt`),如果出现以下内容,点 `Ignore` 直接连。 + +![](/img/opc-ua-un-none-2.png) + ### Pub / Sub 模式 在这种模式下,IoTDB的流处理引擎通过 OPC UA Sink 向OPC UA 服务器(Server)发送数据变更事件。这些事件被发布到服务器的消息队列中,并通过事件节点 (Event Node) 进行管理。其他OPC UA客户端(Client)可以订阅这些事件节点,以便在数据变更时接收通知。 diff --git a/src/zh/UserGuide/dev-1.3/API/Programming-OPC-UA_timecho.md b/src/zh/UserGuide/dev-1.3/API/Programming-OPC-UA_timecho.md index 917b211ee..6661ae168 100644 --- a/src/zh/UserGuide/dev-1.3/API/Programming-OPC-UA_timecho.md +++ b/src/zh/UserGuide/dev-1.3/API/Programming-OPC-UA_timecho.md @@ -93,12 +93,13 @@ start pipe p1; 2. 安装 UAExpert,填写自身的证书等信息。 #### 快速开始 - +##### 支持 None 安全策略的场景 1. 使用如下 sql,创建并启动 client-server 模式的 OPC UA Sink。详细语法参见上文:[IoTDB OPC Server语法](#语法) ```SQL -create pipe p1 with sink ('sink'='opc-ua-sink'); +create pipe p1 with sink ('sink'='opc-ua-sink', 'opcua.security-policy'='AES128_SHA256_RSAOAEP, AES256_SHA256_RSAPSS, BASIC256SHA256, NONE'); ``` +注意:在 V1.3.7.2 及以上版本中,默认不再支持 `None`,如需使用必须通过 `security-policy` 参数手动开启,如上所示。 2. 写入部分数据。 @@ -106,7 +107,7 @@ create pipe p1 with sink ('sink'='opc-ua-sink'); insert into root.test.db(time, s2) values(now(), 2) ``` -​ 此处自动创建元数据开启。 +此处自动创建元数据开启。 3. 在 UAExpert 中配置 iotdb 的连接,其中 password 填写为上述参数配置中 sink.password 中设定的密码(此处以默认密码root为例): 
@@ -128,12 +129,37 @@ insert into root.test.db(time, s2) values(now(), 2) +注意:由于此处配置的 `SecurityPolicy` 为 `None`,因此不需要相互信任证书。生产环境建议使用非 `None` 的 `SecurityPolicy` 进行连接,此时需要相互信任证书,操作步骤可以见下文 `Pub/Sub` 模式,在 `Client/Server` 的证书目录下(可以在打印的日志中找 keyStore 关键词),将 reject 的内容挪到 `trusted/certs`下即可,采用连接、移动 server 目录、连接、移动 client 目录、连接的顺序。 + 5. 可以将左侧节点拖动到中间,并展示该节点的最新值:
+##### 不支持 None 安全策略的场景 +1. 使用如下 sql,创建并启动 OPC UA 服务。 + ```SQL + create pipe p1 with sink ('sink'='opc-ua-sink'); + ``` + 注意:从 V1.3.7.2 版本开始,`OpcUaSink` 出于安全考虑,默认不再支持 `None` 模式。 + +2. 写入部分数据。 + ```SQL + insert into root.test.db(time, s2) values(now(), 2); + ``` + +3. 在 UAExpert 中配置 IoTDB 连接: + - 不可直接访问 `URL`,必须通过 `Discover` 方式发现端点 + - 客户端会先使用 `None` 策略发送 `GetEndpoints` 请求获取端点列表 + - 再根据配置的 `Basic256Sha256 + SignAndEncrypt` 选择对应加密端点建立加密连接 + +![](/img/opc-ua-un-none-1.png) + +4. 用户名密码配置同上,点击相关的连接模式后(`Sign` / `Sign & Encrypt`),如果出现以下内容,点 `Ignore` 直接连。 + +![](/img/opc-ua-un-none-2.png) + ### Pub / Sub 模式 在这种模式下,IoTDB的流处理引擎通过 OPC UA Sink 向OPC UA 服务器(Server)发送数据变更事件。这些事件被发布到服务器的消息队列中,并通过事件节点 (Event Node) 进行管理。其他OPC UA客户端(Client)可以订阅这些事件节点,以便在数据变更时接收通知。 diff --git a/src/zh/UserGuide/latest/API/Programming-OPC-UA_timecho.md b/src/zh/UserGuide/latest/API/Programming-OPC-UA_timecho.md index 6a7d2678b..f53d8d036 100644 --- a/src/zh/UserGuide/latest/API/Programming-OPC-UA_timecho.md +++ b/src/zh/UserGuide/latest/API/Programming-OPC-UA_timecho.md @@ -107,16 +107,18 @@ start pipe p1; 2. 安装 UAExpert,填写自身的证书等信息。 ##### 2.2.1.2 快速开始 +###### 2.2.1.2.1 支持 None 安全策略的场景 1. 使用如下 sql,启动 OPC UA 服务。详细语法参见上文:[IoTDB OPC Server语法](./Programming-OPC-UA_timecho.md#_2-1-语法) ```SQL -create pipe p1 with sink ('sink'='opc-ua-sink'); +create pipe p1 with sink ('sink'='opc-ua-sink', 'opcua.security-policy'='AES128_SHA256_RSAOAEP, AES256_SHA256_RSAPSS, BASIC256SHA256, NONE'); ``` +注意:在 2.0.8.1 及以上版本中,默认不再支持 `None`,如需使用必须通过 `security-policy` 参数手动开启,如上所示。 2. 写入部分数据。 ```SQL -insert into root.test.db(time, s2) values(now(), 2) +insert into root.test.db(time, s2) values(now(), 2); ``` 3. 在 UAExpert 中配置 iotdb 的连接,其中 password 填写为上述参数配置中 sink.password 中设定的密码(此处用户名、密码以2.3小节示例中配置的 root/root 为例): 
@@ -139,12 +141,37 @@ insert into root.test.db(time, s2) values(now(), 2) +注意:由于此处配置的 `SecurityPolicy` 为 `None`,因此不需要相互信任证书。生产环境建议使用非 `None` 的 `SecurityPolicy` 进行连接,此时需要相互信任证书,操作步骤可以见下文 `Pub/Sub` 模式,在 `Client/Server` 的证书目录下(可以在打印的日志中找 keyStore 关键词),将 reject 的内容挪到 `trusted/certs`下即可,采用连接、移动 server 目录、连接、移动 client 目录、连接的顺序。 + 5. 可以将左侧节点拖动到中间,并展示该节点的最新值:
+###### 2.2.1.2.2 不支持 None 安全策略的场景 +1. 使用如下 sql,创建并启动 OPC UA 服务。 + ```SQL + create pipe p1 with sink ('sink'='opc-ua-sink'); + ``` + 注意:从 2.0.8.1 版本开始,`OpcUaSink` 出于安全考虑,默认不再支持 `None` 模式。 + +2. 写入部分数据。 + ```SQL + insert into root.test.db(time, s2) values(now(), 2); + ``` + +3. 在 UAExpert 中配置 IoTDB 连接: + - 不可直接访问 `URL`,必须通过 `Discover` 方式发现端点 + - 客户端会先使用 `None` 策略发送 `GetEndpoints` 请求获取端点列表 + - 再根据配置的 `Basic256Sha256 + SignAndEncrypt` 选择对应加密端点建立加密连接 + +![](/img/opc-ua-un-none-1.png) + +4. 用户名密码配置同上,点击相关的连接模式后(`Sign` / `Sign & Encrypt`),如果出现以下内容,点 `Ignore` 直接连。 + +![](/img/opc-ua-un-none-2.png) + #### 2.2.2 Pub / Sub 模式 在这种模式下,IoTDB的流处理引擎通过 OPC UA Sink 向OPC UA 服务器(Server)发送数据变更事件。这些事件被发布到服务器的消息队列中,并通过事件节点 (Event Node) 进行管理。其他OPC UA客户端(Client)可以订阅这些事件节点,以便在数据变更时接收通知。
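
Review bot: In the `@@ -61,22 +61,22 @@` parameter-table hunk of `src/UserGuide/Master/Tree/API/Programming-OPC-UA_timecho.md`, the `opcua.security-policy` row is carried as unchanged context and still reads "Default implementation supports `None` and `Basic256Sha256`. Should be set to a non-`None` policy by default". That contradicts the row's own Default Value column (`Basic256Sha256,Aes128_Sha256_RsaOaep,Aes256_Sha256_RsaPss`) and the note added later in this patch that None is no longer supported by default since V2.0.8.1. The re-added rows around it read the same as the removed ones, so this is the place to rewrite the description to state the actual default and the version where it changed. The `Integer: [0, 65536]` range on the two port rows is also worth checking while these lines are being touched, since 65535 is the highest valid TCP port.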
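
Review bot: The added SQL in the `@@ -110,12 +110,13 @@` Quick Start hunk (Master/Tree, and the identical hunk under `latest/`) makes the `NONE`-enabled pipe the first thing a reader copies, with no debug-only warning beside it; the production caveat only appears after step 4 in the following hunk. Consider putting section 2.2.1.2.2 (the default, non-None flow) first, or repeating the "not recommended for production" wording directly under this statement. The policy list is written with a space after each comma (`'AES128_SHA256_RSAOAEP, AES256_SHA256_RSAPSS, BASIC256SHA256, NONE'`) while the parameter table only says policies are "separated by commas", so please confirm whitespace is trimmed or drop the spaces. The added "Note:" line also follows the closing fence with no blank line, unlike the V1.3.x version of the same change.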
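
Review bot: Step 4 of the new section 2.2.1.2.2 in the `@@ -124,9 +125,70 @@` hunk tells the reader to "click Ignore to connect directly" without saying in text what the prompt is; it exists only in `opc-ua-un-none-2.png`, which is added with empty alt text. If that prompt is a certificate validation warning, the instruction undercuts the reason for dropping None, so please name the prompt and either document the certificate trust step for this flow or explain why ignoring it is acceptable. In the same hunk, the note after step 4 of 2.2.1.2.1 says to "move the contents in reject to trusted/certs"; it should tell the reader to check that the rejected certificate is the expected one (for example by thumbprint) and move only that file. Finally, the step 3 bullet "sends a GetEndpoints request with the None policy" sits under a heading that says None is not supported, so one sentence distinguishing endpoint discovery from the session's security policy would avoid confusion.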
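
Review bot: The `@@ -92,13 +92,16 @@` hunks for `V1.3.x` and `dev-1.3` introduce `'opcua.security-policy'` in the Quick Start SQL, but this patch has no parameter-table hunk for those two files, and the Master table describes the parameter as "Supported since V2.0.8". Please confirm the parameter exists on the 1.3 line from V1.3.7.2 and add its row (values, default, version) to the 1.3 parameter table in the same change, otherwise the Quick Start references an undocumented option. The new "Scenarios Not Supporting the None Security Policy" blocks in these files also tag their fences as `SQL` while the surrounding hunk uses `sql`.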
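
Review bot: In the Chinese `@@ -61,22 +61,22 @@` table hunk (`src/zh/UserGuide/Master/Tree/...`), the re-added `opcua.security-policy` row keeps the typo `lAes256_Sha256_RsaPss` in the default-value column (stray leading "l"); a reader who copies it gets an invalid policy name. The same row's description still says "当前实现默认支持`None`和`Basic256Sha256`策略", which no longer matches the default listed next to it or the "默认不再支持 `None`" note added further down. Both should be fixed in this hunk, since the row is already being rewritten.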
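
Review bot: Step 3 in the Chinese `@@ -107,16 +107,18 @@` Quick Start hunk is left as context and still uses "root/root" as the example credentials, while the parameter table in the same file gives `TimechoDB@2021` as the default password and the English counterpart of this step says root/TimechoDB@2021. The new section's step 4 ("用户名密码配置同上") now points back at that stale example, so please align it with the documented default. The two image lines added in the new section are also not indented under their list items, unlike the English hunks.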
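
Review bot: The Chinese `V1.3.x` and `dev-1.3` hunks at `@@ -106,7 +107,7 @@` leave `insert into root.test.db(time, s2) values(now(), 2)` without a terminating semicolon, while the Chinese Master hunk in this same patch fixes exactly that line and the newly added section in these files uses the semicolon form. Please apply the same one-character fix here so the two Quick Start variants in each file are consistent.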