Add provisioning mode support for certificate provisioning and initial server configuration (#3375)

* Initial plan

* Add provisioning mode support to ConsoleReferenceServer

Co-authored-by: romanett <[email protected]>

* Add provisioning mode test and ServerFixture support

Co-authored-by: romanett <[email protected]>

* Add provisioning mode documentation

Co-authored-by: romanett <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: romanett <[email protected]>

Author: Copilot

Applications/ConsoleReferenceServer/Program.cs

@@ -69,6 +69,7 @@ public static async Task<int> Main(string[] args)
             bool shadowConfig = false;
             bool samplingGroups = false;
             bool cttMode = false;
+            bool provisioningMode = false;
             char[] password = null;
             int timeout = -1;
 
@@ -92,7 +93,12 @@ public static async Task<int> Main(string[] args)
                     "use the sampling group mechanism in the Reference Node Manager",
                     sg => samplingGroups = sg != null
                 },
-                { "ctt", "CTT mode, use to preset alarms for CTT testing.", c => cttMode = c != null }
+                { "ctt", "CTT mode, use to preset alarms for CTT testing.", c => cttMode = c != null },
+                {
+                    "provision",
+                    "start server in provisioning mode with limited namespace for certificate provisioning",
+                    p => provisioningMode = p != null
+                }
             };
 
             using var telemetry = new ConsoleTelemetry();
@@ -155,6 +161,20 @@ await server
                 // Create and add the node managers
                 server.Create(Servers.Utils.NodeManagerFactories);
 
+                // enable provisioning mode if requested
+                if (provisioningMode)
+                {
+                    logger.LogInformation("Enabling provisioning mode.");
+                    Servers.Utils.EnableProvisioningMode(server.Server);
+                    // Auto-accept is required in provisioning mode
+                    if (!autoAccept)
+                    {
+                        logger.LogInformation("Auto-accept enabled for provisioning mode.");
+                        autoAccept = true;
+                        server.AutoAccept = autoAccept;
+                    }
+                }
+
                 // enable the sampling groups if requested
                 if (samplingGroups)
                 {

Applications/Quickstarts.Servers/ReferenceServer/ReferenceServer.cs

@@ -61,6 +61,12 @@ public class ReferenceServer : ReverseConnectServer
         /// </summary>
         public bool UseSamplingGroupsInReferenceNodeManager { get; set; }
 
+        /// <summary>
+        /// If true, the server starts in provisioning mode with limited namespace
+        /// and requires authenticated user access for certificate provisioning
+        /// </summary>
+        public bool ProvisioningMode { get; set; }
+
         /// <summary>
         /// Creates the node managers for the server.
         /// </summary>
@@ -77,25 +83,36 @@ protected override MasterNodeManager CreateMasterNodeManager(
                 Utils.TraceMasks.StartStop,
                 "Creating the Reference Server Node Manager.");
 
-            IList<INodeManager> nodeManagers =
-            [
-                // create the custom node manager.
-                new ReferenceNodeManager(
-                    server,
-                    configuration,
-                    UseSamplingGroupsInReferenceNodeManager)
-            ];
+            IList<INodeManager> nodeManagers;
+            var asyncNodeManagers = new List<IAsyncNodeManager>();
 
-            foreach (INodeManagerFactory nodeManagerFactory in NodeManagerFactories)
+            if (ProvisioningMode)
             {
-                nodeManagers.Add(nodeManagerFactory.Create(server, configuration));
+                m_logger.LogInformation(
+                    Utils.TraceMasks.StartStop,
+                    "Server is in provisioning mode - limited namespace enabled.");
+                nodeManagers = [];
             }
-
-            var asyncNodeManagers = new List<IAsyncNodeManager>();
-
-            foreach (IAsyncNodeManagerFactory nodeManagerFactory in AsyncNodeManagerFactories)
+            else
             {
-                asyncNodeManagers.Add(nodeManagerFactory.CreateAsync(server, configuration).AsTask().GetAwaiter().GetResult());
+                nodeManagers =
+                [
+                    // create the custom node manager.
+                    new ReferenceNodeManager(
+                        server,
+                        configuration,
+                        UseSamplingGroupsInReferenceNodeManager)
+                ];
+
+                foreach (INodeManagerFactory nodeManagerFactory in NodeManagerFactories)
+                {
+                    nodeManagers.Add(nodeManagerFactory.Create(server, configuration));
+                }
+
+                foreach (IAsyncNodeManagerFactory nodeManagerFactory in AsyncNodeManagerFactories)
+                {
+                    asyncNodeManagers.Add(nodeManagerFactory.CreateAsync(server, configuration).AsTask().GetAwaiter().GetResult());
+                }
             }
 
             return new MasterNodeManager(server, configuration, null, asyncNodeManagers, nodeManagers);
@@ -227,6 +244,12 @@ public override UserTokenPolicyCollection GetUserTokenPolicies(
                 configuration,
                 description);
 
+            // In provisioning mode, remove anonymous authentication
+            if (ProvisioningMode)
+            {
+                return [.. policies.Where(u => u.TokenType != UserTokenType.Anonymous)];
+            }
+
             // sample how to modify default user token policies
             if (description.SecurityPolicyUri == SecurityPolicies.Aes256_Sha256_RsaPss &&
                 description.SecurityMode == MessageSecurityMode.SignAndEncrypt)

Applications/Quickstarts.Servers/Utils.cs

@@ -114,6 +114,15 @@ public static void UseSamplingGroupsInReferenceNodeManager(
             server.UseSamplingGroupsInReferenceNodeManager = true;
         }
 
+        /// <summary>
+        /// Enable provisioning mode in the ReferenceServer.
+        /// </summary>
+        public static void EnableProvisioningMode(
+            ReferenceServer.ReferenceServer server)
+        {
+            server.ProvisioningMode = true;
+        }
+
         /// <summary>
         /// The property with available node manager factories.
         /// </summary>

Docs/ProvisioningMode.md

@@ -0,0 +1,185 @@
+# Provisioning Mode
+
+## Overview
+
+Provisioning mode is a special server startup mode designed to facilitate secure certificate provisioning and initial server configuration. When enabled, the server starts with a limited default namespace and enhanced security settings to allow administrators to safely configure the server before exposing the full application functionality.
+
+## Purpose
+
+The provisioning mode addresses the need for secure server initialization by:
+- Providing a minimal server environment during initial setup
+- Requiring authenticated user access (anonymous access is disabled)
+- Enabling automatic certificate acceptance to simplify certificate provisioning
+- Preventing access to application-specific data and functionality until the server is properly configured
+
+This mode is particularly useful when:
+- Setting up a new OPC UA server installation
+- Provisioning certificates for production environments
+- Performing initial server configuration in a secure manner
+
+## How to Enable Provisioning Mode
+
+### ConsoleReferenceServer
+
+The ConsoleReferenceServer application supports provisioning mode via the `--provision` command line option:
+
+```bash
+dotnet ConsoleReferenceServer.dll --provision
+```
+
+### Command Line Options
+
+When using provisioning mode, you can combine it with other options:
+
+```bash
+# Enable provisioning mode with console logging
+dotnet ConsoleReferenceServer.dll --provision --console --log
+
+# Enable provisioning mode with timeout
+dotnet ConsoleReferenceServer.dll --provision --timeout 300
+```
+
+Note: When provisioning mode is enabled, auto-accept for untrusted certificates is automatically activated. You don't need to specify the `--autoaccept` option separately.
+
+## Behavior in Provisioning Mode
+
+When the server starts in provisioning mode:
+
+### 1. Limited Namespace
+- Only the core OPC UA namespace is exposed
+- Application-specific node managers are not loaded
+- Standard OPC UA objects (Objects, Types, Views) remain accessible
+- Custom server nodes and data are not available
+
+### 2. Authentication Requirements
+- Anonymous authentication is disabled
+- Users must authenticate using:
+  - Username/password
+  - X.509 certificate
+  - Other supported authentication mechanisms
+
+### 3. Certificate Handling
+- Auto-accept for untrusted certificates is enabled
+- Administrators can provision certificates without manual approval
+- Certificate validation still occurs, but untrusted certificates are accepted
+
+### 4. Reduced Attack Surface
+- No application-specific functionality is exposed
+- Minimal node managers are active
+- Only core server capabilities are available
+
+## Use Cases
+
+### Initial Server Setup
+1. Start the server in provisioning mode
+2. Connect as an authenticated administrator
+3. Provision required certificates
+4. Configure server settings
+5. Restart the server in normal mode
+
+### Certificate Provisioning
+1. Start the server with `--provision`
+2. Use a GDS (Global Discovery Server) or certificate management tool
+3. Push certificates to the server
+4. Verify certificate installation
+5. Exit provisioning mode
+
+### Secure Configuration
+1. Enable provisioning mode for configuration changes
+2. Make necessary updates to server configuration
+3. Test changes in the limited environment
+4. Restart in production mode
+
+## Implementation Details
+
+### ReferenceServer Class
+
+The provisioning mode is implemented in the `ReferenceServer` class:
+
+```csharp
+public bool ProvisioningMode { get; set; }
+```
+
+When `ProvisioningMode` is true:
+- `CreateMasterNodeManager` skips loading application-specific node managers
+- `GetUserTokenPolicies` removes anonymous authentication policies
+
+### Programmatic Usage
+
+To enable provisioning mode programmatically:
+
+```csharp
+var server = new ReferenceServer();
+Quickstarts.Servers.Utils.EnableProvisioningMode(server);
+```
+
+Or directly:
+
+```csharp
+var server = new ReferenceServer
+{
+    ProvisioningMode = true
+};
+```
+
+## Security Considerations
+
+### Benefits
+- Reduces attack surface during initial setup
+- Requires authenticated access for configuration
+- Prevents unauthorized access to application data
+
+### Limitations
+- Auto-accept mode accepts all certificates (including potentially malicious ones)
+- Should only be used during controlled setup/configuration periods
+- Not intended for long-term operation
+
+### Best Practices
+1. Use provisioning mode only during initial setup or maintenance windows
+2. Ensure the server is not accessible from untrusted networks while in provisioning mode
+3. Switch to normal mode as soon as provisioning is complete
+4. Monitor and review all certificates that were auto-accepted
+5. Remove or properly validate any questionable certificates before exiting provisioning mode
+
+## Comparison with Normal Mode
+
+| Feature | Normal Mode | Provisioning Mode |
+|---------|-------------|-------------------|
+| Namespace | Full application namespace | Core namespace only |
+| Node Managers | All configured | Core managers only |
+| Anonymous Access | Allowed (if configured) | Disabled |
+| Auto-Accept Certificates | Optional | Enabled |
+| Application Data | Accessible | Not available |
+| Security Admin Access | Available | Required |
+
+## Examples
+
+### Start Server in Provisioning Mode
+
+Windows:
+```cmd
+ConsoleReferenceServer.exe --provision --console --log
+```
+
+Linux/Mac:
+```bash
+dotnet ConsoleReferenceServer.dll --provision --console --log
+```
+
+### Expected Output
+
+When provisioning mode is active, you should see log messages similar to:
+
+```
+[INF] Enabling provisioning mode.
+[INF] Auto-accept enabled for provisioning mode.
+[INF] Server is in provisioning mode - limited namespace enabled.
+[INF] MasterNodeManager.Startup - NodeManagers=2
+```
+
+The `NodeManagers=2` indicates only the core node managers are loaded (CoreNodeManager and SystemNodeManager), confirming the limited namespace is in effect.
+
+## Related Documentation
+
+- [Certificates](Certificates.md) - Certificate management and storage
+- [RoleBasedUserManagement](RoleBasedUserManagement.md) - User authentication and authorization

Docs/README.md

@@ -16,6 +16,7 @@ UA Core stack related:
 Reference application related:
 * [Reference Client](../Applications/ConsoleReferenceClient/README.md) documentation for configuration of the console reference client using parameters.
 * [Reference Server](../Applications/README.md) documentation for running against CTT.
+* [Provisioning Mode](ProvisioningMode.md) for secure certificate provisioning and initial server configuration.
 * Using the [Container support](ContainerReferenceServer.md) of the Reference Server in Visual Studio 2026 and for local testing.
 
 Starting with version 1.5.375.XX the winforms reference client & winforms reference server were moved to the [OPC UA .NET Standard Samples](https://github.com/OPCFoundation/UA-.NETStandard-Samples) repository.

Tests/Opc.Ua.Server.Tests/ReferenceServerTest.cs

@@ -981,5 +981,52 @@ public async Task ServerEventNotifierHistoryReadBitAsync()
             Assert.IsTrue((eventNotifier & EventNotifiers.SubscribeToEvents) != 0,
                 "Server EventNotifier should have SubscribeToEvents bit set");
         }
+
+        /// <summary>
+        /// Test provisioning mode - server should start with limited namespace.
+        /// </summary>
+        [Test]
+        public async Task ProvisioningModeTestAsync()
+        {
+            ITelemetryContext telemetry = NUnitTelemetryContext.Create();
+
+            // start Ref server in provisioning mode
+            var fixture = new ServerFixture<ReferenceServer>
+            {
+                AllNodeManagers = false,
+                OperationLimits = false,
+                DurableSubscriptionsEnabled = false,
+                AutoAccept = true,
+                ProvisioningMode = true
+            };
+
+            ReferenceServer server = await fixture.StartAsync().ConfigureAwait(false);
+
+            // Verify provisioning mode is enabled
+            Assert.IsTrue(server.ProvisioningMode, "Server should be in provisioning mode");
+
+            // Get endpoints - in provisioning mode, anonymous authentication should not be allowed
+            EndpointDescriptionCollection endpoints = server.GetEndpoints();
+            Assert.IsNotNull(endpoints);
+            Assert.IsTrue(endpoints.Count > 0, "Server should have endpoints");
+
+            // Check that anonymous token policy is not present for at least one endpoint
+            bool hasEndpointWithoutAnonymous = false;
+            foreach (EndpointDescription endpoint in endpoints)
+            {
+                bool hasAnonymous = endpoint.UserIdentityTokens.Any(
+                    policy => policy.TokenType == UserTokenType.Anonymous);
+                if (!hasAnonymous)
+                {
+                    hasEndpointWithoutAnonymous = true;
+                    break;
+                }
+            }
+            Assert.IsTrue(hasEndpointWithoutAnonymous,
+                "At least one endpoint should not allow anonymous authentication in provisioning mode");
+
+            // Clean up
+            await fixture.StopAsync().ConfigureAwait(false);
+        }
     }
 }