[all sections]

Settings which can be used in all sections

[all sections] aliveTimeout

Type
integer
Default
-10
Range
MIN_INT..MAX_INT
The entry defines at which intervals (in seconds) the alive telegrams of this manager must be received, when the target manager provides an alive port. The manager itself sends about 10 alive telegrams over this period. If the target manager does not receive any telegrams over this period, the target manager closes the connection. The value 0 deactivates the sending of alive telegrams and the monitoring of the target manager. Negative values are only valid for connections between managers that run on different computers. Positive values are valid for all manager connections. The target of alive managers can be any manager to which the alive manager builds a connection and which provides an alive port. Normally this is the Event and possibly the Data Manager. For Dist Manager also the Dist Managers of the coupled systems. The receiving of the respective manager can be deactivated by using the config entry "alivePort = 0".

[all sections] allowLocalMessageCompression

Type
bool
Default
0
Range
0|1
The config entry allowLocalMessageCompression = 1 can be used to activate the message compression on the local computer. You can set the config entry, for example, when using the Web Client.

[all sections] chainPrefix

Type
string
The certificate "chain" is a concatenation of the subjects of the daisy chained certificates. If you, for example, use the following certificates: 

  e.g.
                                                root-CA
                                                    ^
                                  sub-CA1 signed by |
                                     ^
                   sub-CA2 signed by |
                      ^
  HOST_CERT signed by |

  the certificate chain in the example would be "rootCA;sub-CA1;sub-CA2;HOST_CERT".
If the config file entry chainPrefix is set, the start of the certificate chain of the peer has to match the given string.

[all sections] cipherSuiteList

Type
string
Default
TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256

A cipher suite is a set of cyptographic methods.

A comma separated list of all cipher suites to be offered for communication.

The server chooses the first cipher suite of its list which is also offered by the client.

By default TLSv1.3 is enabled using a list of default ciphers (see the default above). By default the following cipher suites are enabled:

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-GCM-SHA256

When listing the cipher suites, the values are separated by comma. Therefore, the default value of the config entry is:

cipherSuiteList = "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256"
The syntax is: 
cipherSuiteList = "<cipherSuite0>, <cipherSuite1>,...,<cipherSuiteN>"

To disable either TLSv1.2 or TLSv1.3, change this cipherSuiteList config entry to only contain the specific ciphers, e.g. if no TLSv1.3 cipher is in the list, v1.3 will be disabled, and vice versa.

Use the debug flag "-dbg BCM" to display which ciphers will be used.

The allowed v1.3 ciphers are described on the openSSL web page.

Example

cipherSuiteList = "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256"

The supported cipher suites can be found in the Security Guidelines on winccoa.com.

[all sections] connectDelay

Type
int
Default
20
Range
>0
Time remaining until next attempt is made to connect to another program (see connectRetries).

[all sections] connectRetries

Type
int
Default
30
Range
>0
Number of connection attempts to another program. The delay between the attempts is defined in connectDelay.

[all sections] coverageReportFile

Type
string
Defines the file to write the output of "-report CTRL_COVERAGE" to. The file will be created in the log directory of the project. The placeholder $MAN$, $DATE$, and $TIME$ will be replaced by manager name and number, current date in the format YYYYMMDD and current time in the format HHMMSS, resp. Special names are "stderr" for output to stderr and "stdout" for output to "stdout". Default is the same file as all other output from "-report ...".

[all sections] ctrlBreakFunctionCall

Type
bool
Default
Event: 0, all other managers: 1
Range
0|1
Defines if nested function calls shall be processed in one go (or until a waiting function call is reached) (= 0) or if the script can also be interupted during the function code execution (= 1).

[all sections] data

Type
string
Default
local host name, port 4897
This entry defines the host name of the Data Manager. Optionally with the port number. If a host name should be specified together with the port number, use the "data" entry. Host name and port number are separated by a colon. For redundant systems both data hosts are entered with a dollar sign separately. The complete syntax is: 
data = "host1[:port1]"
Or (in case of redundancy): 

data = "host1[:port1]$host2[:port2]"
For further information on the redundancy feature see chapter Redundancy, basics. Or (in case of redundant network connections): 

data = "host1-1[:port1],host1-2[:port1]"
For further information on redundant network connections in WinCC OA see chapter Redundant network connections. Or generally: 

data = "host1-1[:port1],host1-2[:port1]$host2-1[:port2],host2-2[:port2]"
Instead of specifying the host name you can also use IP addresses, e.g. data = "192.168.154.26". The use of IP addresses can possibly bring undesirable effects (resolution of IP - host name when using in scripts). If there are problems with the functionality when using IP addresses, you have to use the host names! 

Note:
This entry replaces the config entries "dataHost" resp. "dataPort" (known from former versions) which remain for compatibility reasons.

[all sections] dataHost

Type
string
Default
local host name
Obsolete entry. The computer name of the computer on which the Data Manager (WCCILdata) was started. All programs that want to connect to the Data Manager search the Data Manager on the specified computer. 
Redundancy:
The primary and secundary host are separated through '$'. This format of dataHost/eventHost switches on the redundancy. 
Caution:
This entry should not be used anymore. For defining the host names use the "data" entry.

[all sections] dataPort

Type
integer
Default
4897
Range
1024 .. 65535 (see RFC 1340 | /etc/services)
Port number of the Data Manager. 
Caution:
This entry should not be used anymore. For defining the port numbers use the "data" entry.

[all sections] dbg

Type
string
With this entry debug flags for managers can be defined. This is especially useful for the PMON when it is used as Windows-Service, as you can not define commandline arguments in this case. Example: dbg = "2,16,SOME_FLAG"

[all sections] dbgOffset

Type
integer
Default
1
Range
>0
Defines an offset for dbgCount. dbgCount = 100 and dbgOffset = 2 means that debug messages will be printed after 2, 102, 202, ... messages. Therefore the manager has to be started with the command line option '-dbg 17'. This option is implemented in the Data- and Event Manager as well as all drivers.

[all sections] DHParamFile

Type
string
Default
2048-bit MODP group 14
The path, relative to the projects root directory, and the name of a PEM file containing the DHparameter structure. The format of the structure is described by the PKCS#3 standard. This Parameter is only relevant for Cipher Suites supporting Diffie-Hellman(DHE) key exchange protocol.

[all sections] discreteImpulseAlertWithoutWent

Type
bool
Default
0
Range
0|1
Is this config file entry set no WENT event are created for discrete impulse alarms. This way state messages can be created for example: 1 open, 2 closed, 3 between, 4 error. According to the sequence of values in the alarm log is stored: open CAME; between CAME; closed CAME; error CAME ... - without this config file entry the WENT events are listed too in the alarm log (open CAME; open WENT; ...)

[all sections] distributed

Type
bool
Default
0
Range
0|1
Obligatory entry for a distributed system. A distributed system requires the "distributed = 1" entry. In addition, this value may be overwritten for individual managers. 

[ctrl_1]
distributed = 0
In this case the Control Manager with the number 1 cannot access DPs of other systems (DP identification is not transmitted to this manager).

[all sections] ECDHCurve

Type
string
Default
prime256v1
For Cipher Suites using the Ecliptic curve Diffie-Hellman (ECDHE) key exchange protocol, the name of the Elliptic curve to be used can be specified. Please run openssl.exe ecparam -list_curves to get a list of all curves supported by the installed version of OpenSSL

[all sections] event

Type
string
Default
lokaler Hostname, Port 4998
Specifies the host names and optional the port numbers of the Event Manager. The syntax of this entry is the same like the syntax of the config entry "data" (see above). 
Caution:
This entry replaces the config entries "eventHost" resp. "eventPort" (known from former versions) which remain for compatibility reasons.

[all sections] eventHost

Type
string
Default
lokaler Hostname
Obsolete entry. The computer name of the computer on which the Event Manager (WCCILevent) was started. All programs that want to connect to the Event Manager search the Event Manager on the specified computer. 
Redundancy:
Primary and secondary host are separated through '$'. This format of dataHost/eventHost switches on the redundancy. 
Caution:
This entry should not be used anymore. For defining the host names use the entry "event".

[all sections] eventPort

Type
int
Default
4998
Range
1024 .. 65535 (siehe RFC 1340 | /etc/services)
Port number of the Event Manager. 
Caution:
This entry should not be used anymore. For defining the port numbers use the entry "event".

[all sections] exitDelay

Type
uint
Default
0
Range
>=0
Defines how many seconds a manager has to wait before final exit (in this case a log message will be returned). If a manager is closed by a signal, this delay should not be used (e.g. stopping by console/pmon), otherwise it will be always used.

[all sections] ignoreManager

Type
string int
A driver ignores the hotlinks of a value change from certain managers. The manager name and numbers identifies each manager. The name corresponds to the section keyword without the brackets: e.g. "ctrl, or "ascii" for the ASCII Manager. Exceptions: All drivers are identified as "driver", all API as "api" and all device managers (SCA-RS) as "device". Example: [ssi] ignoreManager = "ascii" 1

[all sections] ip_allow, ip_deny

Type
string
Defines IP access control lists for servers providing TCP listening sockets (Event, Data, HTTP, etc.) which can limit the access to these for the defined clients. Wildcard characters * and ? are supported (e.g. "*.etm.at"). The special value "-empty list-" clears the list entries defined up till now (e.g. ip_deny = "-empty-list-") Multiple occurences will add the entries to the list. For further information see also IP access lists for TCP server sockets in the Online Help.

[all sections] kerberosSecurity

Type
string
Default
none
Range
none,auth,int,enc
Controls the behaviour of the client-server connection.
  • "none" is the default and specifies that Kerberos is not used.
  • "authenticate" specifies that clients and servers must authenticate themselves. Messages are neither signed nor encrypted.
  • "integrity" specifies that clients and servers must authenticate themselves and sign all messages thereafter. If one of the partners fails to verify the signature of a message from the other partner, the connection is aborted.
  • "encryption" specifies that clients and servers must authenticate themselves and encrypt all messages thereafter.
If one of the partners fails to decrypt the message from the other partner, the connection is aborted. If a client and a server contain different settings, the stronger (in the sequence: auth/ int/ enc) will win and determine the message behaviour. The (initial) INIT_SYS and KEEP_ALIVE messages are neither signed nor encrypted. These messages do not contain sensible data and the sending in clear text is not a problem. The reason for sending the messages in clear text is that one peer might be ready to sign or encrypt the message but the other side still needs more data to verify or decrypt the message.

[all sections] localAddress

Type
string
localAddress allows to specify the local network address of a server. By default a server can be reached via all local addresses. An exception is the Pmon, which by default listens to "localhost" and is reachable from the same computer only and not from others. localAddress allows to specify via which local IP addresses a server can be reeached, e.g. from the loopback address only (localhost or 127.0.0.1) or via a specific network card. Valid entries are "" for all addresses, "0.0.0.0" for all IPv4 addresses, "::" for all IPv6 addresses, "127.0.0.1" or "localhost for IPv4 loopback, "::1" for IPv6 loopback address, or every other local IP address.

[all sections] logFile

Type
bool
Default
1
Range
0|1
Directs the output of the error messages to a file. In the directory "log" of the project path each manager has such a file. 1...On, 0...Off.

[all sections] logStdErr

Type
bool
Default
0
Range
0|1
Defines if messages from the standard WinCC OA Error handler shall be written to stderr (Standard Error Output). stderr is redirected into a file {Manager}{Number}.log per Manager.

[all sections] maxDpNamesCount

Type
unsigned integer
Default
1.000.000
Range
>=0
Specifies how many data point elements the dpNames() or equivalent functions (getIdSet and similar functions) in API may return. If the number of DPEs is exceeded, the functions do not return anything (dpNames()) or an error. The value 0 allows an arbitrary number of values. Note that this number may also be exceeded, if for a DP the requested search object (DPE, alias, comment, etc) does not exist, but, however, the DP matches the filter criterion. For example, the number of DPEs (that match the filter criterion) in the function dpGetAllAliases() is compared with the number set in maxDpNamesCount, even if not all DPEs have an alias.

NOTE: If the result list of a function is bigger than the value of the config entry "maxDpNamesCount", the query is stopped. This applies, e.g. to the following functions:

- dpGetAllAliases()

- dpTypes()

- dpAliases()

- dpNames()

- All Query functions that use a pattern such as FROM '*.**' to filter by in the FROM part of a query.

[all sections] messageCompression

Type
string
Default
none
Range
none, zlib, bzip2, zlib-bzip2
Use the config entry "messageCompression" to specify the compression scheme. The config entry may contain the following schemes:
  • "none" - no compression
  • "zlib" - compression using zlib (gzip, zip); see http://www.zlib.org
  • "bzip2" - compression by using the bzip2 algorithm (bzip2 is a freely available, high-quality data compressor; see http://www.bzip.org). "bzip2" compresses better than "zlib" at the cost of higher CPU utilization.
  • "zlib-bzip2" - compresses short messages using zlib and bigger messages like Identification using bzip2.
You can use the config entry in all config file sections. You can specify several schemes, for example, messageCompression = "zlib-bzip2,zlib". The client and the server agree on the first common scheme. Therefore, if you parameterize "zlib" on the client and "bzip,zlib" on the server, the "zlib" scheme is used. The default value is "none" and if you want to use compressed messages we recommend to use "zlib-bzip2".

[all sections] messageCompressionThreshold

Type
int
Default
0
Range
0 - MAX_INT
This entry specifies the threshold in bytes below which messages are not compressed. "0" means "compress all". Message compression always comes with a penalty of CPU usage. Sometimes it can be more effective to transmit small messages uncompressed because the throughput in the network would not change. A good estimate for this entry is the MTU, i.e. the max number of bytes which can be transmitted in one TCP packet. The MTU depends on the transmission used and can be as low as a few 100 bytes in case of PPP up to approximately 1200 bytes in case of Ethernet.

[all sections] mxProxy

Type
string
Default
derived from various settings
Range
n.a.

Syntax:
mxProxy = "<serverHost> <proxyHost[:proxyPort]> <securityMode>" | "none"

Z.B.
mxProxy = "system36 etmFW:5678 cert"
mxProxy = "system314 system314 cert"
mxProxy = "system310 system310 none"

mxProxy = "none"
This entry can occur multiple times, once for each connection.
  • serverHost Name of the host running the server (e.g. WCCILdata) to be communicated with.
  • proxyHost Name of the host running the WCCILproxy.
  • proxyPort Port that is used by the WCCILproxy (default port: 5678).
  • securityModePlease see the description for securityMode.
If no proxy configuration is available the client will directly connect to the host specified by the data config file entry, assuming that data and event managers as well as the proxy manager run on this host.
If the entry mxProxy="none" is used the WCCILproxy will be disabled.

[all sections] noReverseLookup

Type
bool
Default
0
Range
0|1
Defines if the IP address for a manager connection shall be resolved to an IP name. Default is 1 for Android and iOS and 0 for all other platforms

[all sections] optimisedRefresh

Type
Bool
Default
1
Range
0|1
During a redundancy switch a client sends a DISCONNECT_ALL message to the switching system. Because processing such a message is expensive a client usually does this only if there are dpConnects and the like for this system. With this config entry the client can be forced to send the message also, if there are no connects. Earlier systems like 3.11 need this message because they couldn't recognize in other ways if a manager was restarted.

[all sections] osErrorMode

Type
int
Default
1
Range
0,1,4,2,32768
The config entry deactivates the Windows error reporting dialogs. Several options can be used simultaneously for the entry as a mask. In this case use the binary operator (or) |.
  • Option 0 - Use the system default, which is to display all error dialog boxes. Option 1 (SEM_FAILCRITICALERRORS) - The system does not display the critical-error-handler message box. Instead, the system sends the error to the calling process. Option 4 (SEM_NOALIGNMENTFAULTEXCEPT) - The system automatically fixes memory alignment faults and makes them invisible to the application. Option 2 (SEM_NOGPFAULTERRORBOX) - The system does not display the Windows Error Reporting dialog. Option 32768 (SEM_NOOPENFILEERRORBOX) - The system does not display a message box when it fails to find a file. Instead, the error is returned to the calling process.
e.g. [general] osErrorMode=4|2

[all sections] refreshDelay

Type
int
Default
0
Range
>=0
Delay time in seconds for a refresh of connects after a redundancy switch. The given time is randomized per manager for better load distribution and is calculated based on this value.

[all sections] reportFile

Type
string
Defines the file to write the output of "-report ..." to. The file will be created in the log directory of the project. The placeholder $MAN$, $DATE$, and $TIME$ will be replaced by manager name and number, current date in the format YYYYMMDD and current time in the format HHMMSS, resp. Special names are "stderr" for output to stderr and "stdout" for output to "stdout". Default is to write to stderr.

[all sections] securityMode

Type
string
Default
cert
Range
plain | cert | winCert | none
  • cert SSL/TLS with PEM format certificate files are used for Multiplexing Proxy and the SSL communication between the managers and for the HTTP server between the client and server
  • winCert SSL/TLS with certificates stored in Windows Certificate Store are used for Multiplexing Proxy and the SSL communication between the managers and for the HTTP server between the client and server.
  • none The communication does not take place via WCCILproxy but directly with the server. This is introduced to support distributed system with different WinCC OA versions where the old versions do not have SSL capabilities.

[all sections] singleSourceConnect

Type
integer
Default
0
Range
0|1
The source IP addresses have to be different for redundant network connections. The second connect is closed if it has the same source IP address as the existing connection. If a computer establishes a connection to a redundant network via a network interface card, both connections have the same source IP address. In this case the config entry singleSourceConnect has to be set to 1.

[all sections] ssaCertCheck

Type
String
Range
chainPrefix=%chainPrefix%
With this entry you can set the ChainPrefix. This is required when Windows Cert Store certificates are used.

ssaChertCheck = "chainPrefix=rootCA;sub-CA1;sub-CA2;HOST_CERT"

If the config file entry ssaChertCheck is set, the start of the certificate chain has to match the given string.

[all sections] ssaCertificate

Type
string

"[type]:[value]"

  • type: can be "file" or "store" describing where the certificate is stored.
  • value: dependent on the "type", "value" is either the relative path of the certificate (type == "file") or is split into "loc:store:subject"

    - loc: Location of the store.

    "USER" is the current Windows Certificate Store user: CERT_SYSTEM_STORE_CURRENT_USER,

    "MACHINE" is the Windows Certificate Store account of the local machine: CERT_SYSTEM_STORE_LOCAL_MACHINE

    - store: is name of certificate store to be used

    - subject: search criteria to find the certificate by subject/SHA1 property

[all sections] ssaChainFile

Type
string
ssaChainFile = "[value]"

Value is the path of the certificate chain-file (can be either relative or absolute).

[all sections] ssaCRL

Type
string
ssaCRL = "[value]"

Value is the path of the CRL(Certificate revocation list) file. The path can be either relative or absolute.

[all sections] ssaPrivateKey

Type
String

"[type]:[value]"

  • type: can be "file" or "store" describing where the private key is stored.
  • value: dependent on the "type", "value" is either the relative path of the key (type == "file") or is split into "loc:store:subject"

    - loc: Location of the store.

    "USER" is the current Windows Certificate Store user: CERT_SYSTEM_STORE_CURRENT_USER,

    "MACHINE" is the Windows Certificate Store account of the local machine: CERT_SYSTEM_STORE_LOCAL_MACHINE

    - store: is name of certificate store to be used

    - subject: search criteria to find the key by subject/SHA1 property

[all sections] sslCertificate

Type
string
Default
[path]/host-cert.pem [path]/host-key.pem [path]/root-cert.pem

syntax:
sslCertificate = "<[path]/cert-file> <[path]/private-key> <[path]/CAFile>"

e.g.
D:/certificates/host-cert.pem
This entry is used when the security mode cert is configured. The sslCertificate entry specifies the absolute path of the 3 files needed for SSL/TLS encrypted communication. All files have to be PEM encoded.
  • <cert-file> X509 certificate of the host
  • <private-key>Private Key of the host
  • <CAFile> X509 certificate of the trusted CA (Certificate Authority) which signed the certificates of all hosts

[all sections] sslCRLfile

Type
string
The path, relative to the projects root directory, and the name of a PEM file containing the CRL. Please see the OpenSSL documentation ( openssl ca ) for details about CRL files.

[all sections] sslVerifyTime

Type
Bool
Default
1
Range
0 | 1
If sslVerifyTime = 1 is configured, certificates are checked for valid times.

[all sections] valueChangeTimeDiff

Type
unsigned integer
Default
30 (sec)
Range
>=0
If the original value is changed, the Event Manager checks if the provided source time is more than valueChangeTimeDiff seconds in the future. In this case the system adjusts the source time to the current time and additionally sets the status bit invalid source time (_original.._stime_inv). Thereby, the system also sets the invalid bit. 
Redundancy:
When a manager starts, it determines the time difference between its own computer and the computer of the server. If the system times differ for more than "valueChangeTimeDiff/2" seconds, the manager shows an error message. If the system times differ for more than "valueChangeTimeDiff" seconds, the manager closes the connection and shows an error message. If the valueChangeTimeDiff entry is set in the [event] section in older projects, the system shows an error message. The permitted time difference is 30 seconds. 
Caution:
If a difference between the system times arises during the operation, the system does not check the difference.

[all sections] winCert

Type
string

syntax:
winCert = "<location>:<store>:<cert-id>"

e.g.
winCert = "USER:MY:IOWASystem34"
winCert = "MACHINE:MY:3E 27 B3 87 52 25 70 E6 64 6B C8 FC 06 78 AD 62 CC 89 46 A2"
If security mode wincert is configured the config entry winCert determines which certificate from the Windows Certificate Store is used for SSL/TLS communication.
  • <location> Possible values are USER | MACHINE. If the value USER is specified the certificate is searched in CERT_SYSTEM_STORE_CURRENT_USER. If the value MACHINE is specified the certificate is searched in CERT_SYSTEM_STORE_LOCAL_MACHINE.
  • <store>The name of the store within location to be used.
  • <cert-id> Search criteria to find the certificate. If not specified differently by winCertSearchBy the given string is considered certificates subject name. If subject is not unique within the given location the first certificate valid regarding time is used. If sslVerifyTime = 0 is configured, each certificate is considered valid.
NOTE! If a private key for a certificate is available it is stored along with the certificate in the Windows Certificate store.

[all sections] winCertSearchBy

Type
string
Default
SubjectName
Range
SubjectName | SHA1
Specifies if the <cert-id> given in the winCert or winRootCA config entry is a subject string or the SHA1 fingerprint of the certificate given as string of hex digits. 

  e.g. SHA1 fingerprint given as string of hex digits
  "3E 27 B3 87 52 25 70 E6 64 6B C8 FC 06 78 AD 62 CC 89 46 A2"

[all sections] winRootCA

Type
string

syntax:
winRootCA = "<location>:<store>:<cert-id>"

e.g.
winRootCA = "MACHINE:ROOT:IOWARootCA"
winRootCA = "MACHINE:ROOT:58 BA 02 2F 3A 6F 0F 42 27 3E 87 F8 43 3B EB 53 FE B9 E0 AD"
If security mode winCert is configured the config entry winRootCA determines which certificate from the Windows Certificate Store to be used for certificate verification during SSL/TLS session negotiation. Please see the description of the SecurityMode entry.
  • <location> Possible values are USER | MACHINE. If USER is specified the certificate is searched in CERT_SYSTEM_STORE_CURRENT_USER. If MACHINE is specified the certificate is searched in CERT_SYSTEM_STORE_LOCAL_MACHINE.
  • <store>The name of the store within location to be used.
  • <cert-id> Search criteria to find the certificate. If not specified differently by winCertSearchBy the given string is considered the certificates subject name. Please see the description of the config entry "winCertSearchBy". If subject is not unique within the given location the first certificate valid regarding time is used. If sslVerifyTime = 0 is configured, each certificate is considered valid.