Decouple LDS and server clients in ClientFindServers

Create two independent UA_Client instances in client_find_servers.c:
one for LDS discovery calls (FindServers, GetEndpoints) and one for
server session calls (readServerTime). This allows different security
modes, policies, auth, and trust lists for the LDS vs discovered
servers.

Config keys are now prefixed: discovery* for LDS connection settings,
server* for discovered server settings. All config files updated
accordingly with split trust lists (discoveryTrustList for LDS cert,
serverTrustList for server cert).

1 files changed, 41 insertions, 20 deletions

diff --git a/config/client_find_servers.conf b/config/client_find_servers.conf
index a9e29c8..bc16b18 100644
--- a/config/client_find_servers.conf
+++ b/config/client_find_servers.conf
@@ -1,29 +1,50 @@
 # ClientFindServers configuration
 #
-# Keys:
+# Shared keys:
 #   discoveryEndpoint   LDS endpoint URL (e.g. opc.tcp://localhost:4840)
 #   applicationUri      OPC UA application URI
-#   certificate         Path to client certificate (.der)
-#   privateKey          Path to client private key (.der)
-#   securityMode        None, Sign, or SignAndEncrypt
-#   securityPolicy      None, Basic256Sha256, Aes256_Sha256_RsaPss,
-#                       Aes128_Sha256_RsaOaep, or ECC_nistP256
-#   authMode            "anonymous" or "user"
-#   username            Username (required when authMode = user)
-#   password            Password (required when authMode = user)
-#   trustList           Trusted certificate path (repeat for multiple)
+#
+# Discovery-side keys (LDS connection):
+#   discoveryCertificate      Path to certificate for LDS connections (.der)
+#   discoveryPrivateKey       Path to private key for LDS connections (.der)
+#   discoverySecurityMode     None, Sign, or SignAndEncrypt
+#   discoverySecurityPolicy   None, Basic256Sha256, Aes256_Sha256_RsaPss,
+#                             Aes128_Sha256_RsaOaep, or ECC_nistP256
+#   discoveryAuthMode         "anonymous" or "user"
+#   discoveryUsername         Username (required when discoveryAuthMode = user)
+#   discoveryPassword         Password (required when discoveryAuthMode = user)
+#   discoveryTrustList        Trusted certificate path (repeat for multiple)
+#
+# Server-side keys (connections to discovered servers):
+#   serverCertificate         Path to certificate for server connections (.der)
+#   serverPrivateKey          Path to private key for server connections (.der)
+#   serverSecurityMode        None, Sign, or SignAndEncrypt
+#   serverSecurityPolicy      None, Basic256Sha256, Aes256_Sha256_RsaPss,
+#                             Aes128_Sha256_RsaOaep, or ECC_nistP256
+#   serverAuthMode            "anonymous" or "user"
+#   serverUsername            Username (required when serverAuthMode = user)
+#   serverPassword            Password (required when serverAuthMode = user)
+#   serverTrustList           Trusted certificate path (repeat for multiple)
 
 discoveryEndpoint = opc.tcp://localhost:4840
 applicationUri = urn:bobink.ClientFindServers
-certificate = certs/ClientFindServers_cert.der
-privateKey = certs/ClientFindServers_key.der
-
-securityMode = SignAndEncrypt
-securityPolicy = Aes128_Sha256_RsaOaep
 
-authMode = user
-username = user
-password = password
+# Discovery (LDS) side
+discoveryCertificate = certs/ClientFindServers_cert.der
+discoveryPrivateKey = certs/ClientFindServers_key.der
+discoverySecurityMode = SignAndEncrypt
+discoverySecurityPolicy = Aes128_Sha256_RsaOaep
+discoveryAuthMode = user
+discoveryUsername = user
+discoveryPassword = password
+discoveryTrustList = certs/ServerLDS_cert.der
 
-trustList = certs/ServerLDS_cert.der
-trustList = certs/ServerRegister_cert.der
+# Server side
+serverCertificate = certs/ClientFindServers_cert.der
+serverPrivateKey = certs/ClientFindServers_key.der
+serverSecurityMode = SignAndEncrypt
+serverSecurityPolicy = Aes128_Sha256_RsaOaep
+serverAuthMode = user
+serverUsername = user
+serverPassword = password
+serverTrustList = certs/ServerRegister_cert.der