When upgrading from version 2.1.48.0 or earlier, the older version must be uninstalled before the new version is installed. To do this, go to the Control Panel and use Add/Remove Programs. The interface installation will not allow a new version to be installed on top of an existing installation if the old version is 2.1.48.0 or earlier. This requirement also applies when multiple copies of the interface are installed: all copies must be uninstalled, and the batch files should be saved to a different directory, before upgrading the interface.
DCOM Configuration Details
All current OPC servers and clients are based on Microsoft’s COM/DCOM (Distributed Component Object Model) technology. DCOM is the network communication protocol that allows different software components to communicate across networked nodes. DCOM is based on COM (Component Object Model), which provides a set of interfaces allowing clients and servers to communicate within the same node. These types of communications require a proper COM/DCOM security configuration. Hence both the OPC client and server nodes must have proper COM/DCOM settings permitting them to securely access one another locally or remotely.
If both OPC client and server are located on the same node, the communication goes through the COM layer. If they are located on separate nodes, the communication goes via DCOM. COM and DCOM are configured by the same process, normally with the DCOM configuration utility, so below we refer only to DCOM configuration. This section describes COM/DCOM configuration on both client and server nodes.
DCOM security for OPC client-server connectivity should be configured in two major steps:
- Configuration of DCOM security settings on the OPC Interface node;
- Configuration of DCOM security settings on the OPC Server node.
If both OPC client and server are on the same node, DCOM settings still need to be configured. The general steps for DCOM configuration are similar. However, depending on whether the nodes are within the same domain or different domains, or even no domain, the sequence of steps will be different. In the following sections it is assumed that the nodes are within the same windows domain. If this is not the case, first read the section on Notes and Recommendations on DCOM Configuration for setting up access permissions and then follow the DCOM configuration sections for the appropriate Windows OS.
Note: Even if the server and client are on the same node, DCOM settings still need to be configured on that node.
General Steps for DCOM Configuration
DCOM security can be configured with the DCOM Configuration utility (dcomcnfg.exe) that comes with the Windows OS. In order to be able to use this utility, the user must be logged in with administrator’s privileges. This utility allows for the configuration of special security rules for all COM/DCOM objects on the local node. The DCOM Configuration utility may look slightly different and setting options may differ, depending on the version of the Windows OS. Therefore, below we will describe DCOM configuration for Windows XP (SP1/SP2), Windows 2003, and Windows 2000 separately.
DCOM Configuration for Windows XP (SP1/SP2) and Windows 2003
There are two main steps for DCOM configuration that must be done no matter if the OPC client (i.e. PI OPC Interface) and server are on the same node or on different nodes. The first step is to configure Default DCOM permissions on the client node. This step needs to be performed with caution, since it is going to affect all COM/DCOM applications running on this node. The second is to configure DCOM permissions for the specific OPC Server on the OPC Server node.
Default DCOM Permissions on OPC Client Node
1. Launch the DCOM Configuration utility: Type dcomcnfg in the Run dialog of Start menu and click OK.
2. Bring up the DCOM properties window for this machine: Go to Component Services in the window that appears, and click on the Plus signs to follow the branches of the directory tree.
Right click on My Computer and on the pop-up window select Properties. This should bring up the My Computer Properties window.
3. Configure the default DCOM settings for this machine: Select the Default Properties tab. Make sure that “Enable Distributed COM on this computer” is checked, “Default Authentication Level” is set to Connect, and “Default Impersonation Level” is set to Identify. These are the preferred settings that can be appropriate for most cases. However, due to domain or machine security policy and restrictions, these settings might not work. In this case, you should identify workable settings and use them here.
Caution: You should be aware that changing the Default Authentication and Impersonation levels will affect all COM/DCOM applications that use default settings on this machine. If this is causing issues with other applications, do not change them. Instead, you can set them specifically for the OPC Interface process by using /DI and /DA parameters in the start up file. See DCOM Security Configuration for the Interface section for more details.
Next select Default COM Security tab and click on “Edit Default…” button for Access Permissions. If running on Windows XP SP1 the following dialog should appear.
For Windows XP SP2 and Windows 2003, it should look like this:
The Group or user names listed for the Default Access Permissions of your machine will appear.
The “SYSTEM”, “NETWORK” and “INTERACTIVE” groups are required in this list. If they are not there, they can be added by clicking the “Add…” button and typing the name or selecting them from the list (Advanced…, Find Now). Having the account “Everyone” in this list might be useful at the beginning for connection testing purposes, since this will give access to all accounts that can log into the system. However, because these are the default permissions, “Everyone” is granted access to every COM/DCOM application on the node that uses the defaults, not only to the OPC server, so it should be removed once testing is complete and access restricted to the specific accounts or groups that need it. At a minimum, the account under which the OPC Server is running must be given permission. This step is completed by clicking the OK button. Similar steps apply for the Default Launch Permissions.
Click OK to finish.
For Windows XP SP2 and Windows 2003, also check Edit Limits options for both Access and Launch permissions and make sure that all required accounts have been added as above.
DCOM Permission for an OPC Server on Server Node
1. Configuring DCOM security settings for an OPC Server: Click on the DCOM Config folder and expand the directory tree.
2. From the list of applications find the OPC Server and with the right click on the server application select Properties. This will bring up the Properties window for the server.
If, as above, the Authentication Level is set to “Default”, that means that whatever is set as the default Authentication Level for that node will also apply to the server. Do not change this setting unless there are problems connecting to the server.
3. Next select the Security tab. This is where accounts are specified for Launch and Access permissions. Both of them present two options: “Use Default” or “Customize”. If “Use Default” is selected, the server uses this node’s default DCOM settings (configured in the same way as on the client node in the first step), so those defaults should be checked and possibly changed. We suggest using “Customize” instead, to set only the permissions for who can access the server, rather than changing DCOM permissions for all programs on the node. To specify which accounts can access the server, select Customize and click on the Edit button. Remember, the default permissions for the system specify who is allowed to get in, but the server-specific permissions regulate who is allowed to actually connect to the server. Users who have permission under the default settings may be able to access other COM servers, and see that the OPC server is there, but if they do not have permission here in the Server security configuration, they will not be able to connect to the server.
Add all user IDs which will be used by clients to access the server. These may be individual users, who will run clients interactively, or it may be a Role account or Group.
4. The last tab in the DCOM configuration tool is “Identity”. We strongly suggest specifying a particular account (“This user”), perhaps one created for OPC clients and servers, or for this server. The account needs only the rights the OPC server itself requires to run; it should not be an administrator account. Using “The Interactive User” will create problems if someone logs in who does not have permission to access the server. Using “The launching user” can lead to situations where multiple copies of the server are running, which can cause problems.
This step is completed by clicking OK button.
Remember that any user account (domain account) can be used to run the client as long as it is granted permissions in the DCOM settings for the server. If DCOM settings are configured as described above, then try connecting to the server by using PI OPCClient.
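The dcomcnfg steps above (machine defaults and limits on the client node, then per-server Launch/Access permissions and Identity on the server node) all end up as registry values. The following PowerShell script is an added audit example, not part of the PI OPC Interface documentation or installer: run elevated on a node, it reads the machine-wide defaults from HKLM\SOFTWARE\Microsoft\Ole and the per-server settings from HKCR\AppID, decodes the stored security descriptors, and flags “Everyone” or “ANONYMOUS LOGON” entries that should not survive past connection testing. The server display name ('Example OPC Server') and the script name are assumed placeholders; the registry value names and COM access-mask bits are Windows' own.

```powershell
# Added audit script (not from the PI OPC Interface documentation).
# Reads the machine-wide DCOM defaults/limits and one server's AppID settings,
# decodes the security descriptors and flags over-broad principals.
# Run in an elevated PowerShell on the node being checked.
param(
    # Display name of the OPC server as shown in dcomcnfg (assumed example value).
    [string]$ServerName = 'Example OPC Server'
)

# COM access-mask bits (COM_RIGHTS_* from iaccess.h).
$ComRights  = @{ 1='EXECUTE'; 2='EXECUTE_LOCAL'; 4='EXECUTE_REMOTE'; 8='ACTIVATE_LOCAL'; 16='ACTIVATE_REMOTE' }
$AuthLevels = @{ 1='None'; 2='Connect'; 3='Call'; 4='Packet'; 5='Packet Integrity'; 6='Packet Privacy' }
$ImpLevels  = @{ 1='Anonymous'; 2='Identify'; 3='Impersonate'; 4='Delegate' }
# Principals that are acceptable for connection testing only.
$BroadSids  = @{ 'S-1-1-0'='Everyone'; 'S-1-5-7'='ANONYMOUS LOGON' }

function Expand-ComDacl {
    param([byte[]]$Bytes, [string]$Label)
    if (-not $Bytes) { Write-Host "  $Label : not set (COM built-in default applies)"; return }
    # The registry stores a self-relative security descriptor; parse it directly.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    Write-Host "  $Label :"
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID (deleted account, foreign domain)
        $rights = ($ComRights.Keys | Sort-Object |
                   Where-Object { $ace.AccessMask -band $_ } |
                   ForEach-Object { $ComRights[$_] }) -join ','
        $flag = ''
        if ($ace.AceType -eq 'AccessAllowed' -and $BroadSids.ContainsKey($sid.Value)) {
            $flag = '   <-- broad principal; remove after connection testing'
        }
        Write-Host ("    {0,-13} {1,-35} {2}{3}" -f $ace.AceType, $who, $rights, $flag)
    }
}

# 1. Machine-wide settings: what the Default Properties / Default COM Security tabs write.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$auth = if ($ole.LegacyAuthenticationLevel) { $AuthLevels[[int]$ole.LegacyAuthenticationLevel] } else { 'Connect (value absent, COM default)' }
$imp  = if ($ole.LegacyImpersonationLevel)  { $ImpLevels[[int]$ole.LegacyImpersonationLevel] }   else { 'Identify (value absent, COM default)' }
Write-Host 'Machine defaults:'
Write-Host ("  EnableDCOM             : {0}" -f $ole.EnableDCOM)
Write-Host ("  Default authentication : {0}" -f $auth)
Write-Host ("  Default impersonation  : {0}" -f $imp)
Expand-ComDacl $ole.DefaultAccessPermission  'Default Access Permission'
Expand-ComDacl $ole.DefaultLaunchPermission  'Default Launch Permission'
# "Edit Limits" on XP SP2 / 2003 writes these machine-wide ceilings.
Expand-ComDacl $ole.MachineAccessRestriction 'Machine Access Limit'
Expand-ComDacl $ole.MachineLaunchRestriction 'Machine Launch Limit'

# 2. Per-server settings: locate the AppID whose default value is the display name.
$appIdKey = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)' -eq $ServerName } |
    Select-Object -First 1
if (-not $appIdKey) { Write-Warning "No AppID registered with display name '$ServerName'"; return }
$app = Get-ItemProperty $appIdKey.PSPath
Write-Host "`nServer '$ServerName' ($($appIdKey.PSChildName)):"
$srvAuth = if ($app.AuthenticationLevel) { $AuthLevels[[int]$app.AuthenticationLevel] } else { 'Default (inherits machine setting)' }
# RunAs: absent = "The launching user", "Interactive User" = "The Interactive User", otherwise "This user".
$identity = if ($app.RunAs) { $app.RunAs } else { 'The launching user (RunAs not set)' }
Write-Host ("  Authentication level   : {0}" -f $srvAuth)
Write-Host ("  Identity (RunAs)       : {0}" -f $identity)
if ($app.AccessPermission) { Expand-ComDacl $app.AccessPermission 'Access Permission (Customize)' } else { Write-Host '  Access Permission      : Use Default' }
if ($app.LaunchPermission) { Expand-ComDacl $app.LaunchPermission 'Launch Permission (Customize)' } else { Write-Host '  Launch Permission      : Use Default' }
```

Run it as `.\Audit-OpcDcom.ps1 -ServerName '<name shown in DCOM Config>'` on the server node, and with any name on the client node to see only the machine-wide section. A server whose Access or Launch permission reports “Use Default” is governed entirely by the machine defaults printed above it, which is the case the procedure recommends against; an Identity of “The launching user” or “Interactive User” is the setting the Identity step says to avoid.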
DCOM Configuration for Windows 2000
The DCOM configuration is done in two main steps, no matter if the OPC client (i.e. PI OPC Interface) and server are on the same node or on different nodes. The first step is to configure Default DCOM permissions on the client node. This step needs to be performed with caution, since it is going to affect all COM/DCOM applications running on this node. The second is to configure DCOM permissions for the specific OPC server on the OPC Server node.
Default DCOM Permissions on OPC Client and Server Nodes
1. Launching DCOM Configuration utility: Type dcomcnfg in the Run dialog of Start menu and click OK,
or type the following in the Command window: C:\winnt\system32\dcomcnfg.exe
2. A window that looks more or less like the following will show up. What is displayed may be a little different, depending on what versions of what Microsoft (TM) products are installed.
3. Configure the default DCOM settings for this machine: Select the Default Properties tab. Make sure that “Enable Distributed COM on this computer” is checked, “Default Authentication Level” is set to Connect, and “Default Impersonation Level” is set to Identify. These are the preferred settings that can be appropriate for most cases. However, due to domain or machine security policy and restrictions, these settings might not work. In this case, you should identify workable settings and use them here.
Caution: You should be aware that changing the Default Authentication and Impersonation levels will affect all COM/DCOM applications that use default settings on this machine. If this is causing issues with other applications, do not change them. Instead, you can set them specifically for the OPC Interface process by using /DI and /DA parameters in the start up file. See DCOM Security Configuration for the Interface section for more details.
4. Next click on Default COM Security tab. The following should be displayed:
Click on “Edit Default…” button for Default Access Permissions. Make sure that at least all of the following accounts are there.
The “SYSTEM”, “NETWORK” and “INTERACTIVE” groups are required in this list. If they are missing, they can be added by clicking the “Add…” button and typing the name or selecting them from the list (Advanced…, Find Now). Having the account “Everyone” in this list might be useful at the beginning for connection testing purposes, since this will give access to all accounts that can log into the system. However, because these are the default permissions, “Everyone” is granted access to every COM/DCOM application on the node that uses the defaults, not only to the OPC server, so it should be removed once testing is complete and access restricted to the specific accounts or groups that need it. At a minimum, the account under which the OPC Server is running must be given permission. This step is completed by clicking the OK button. Similar steps apply for the Default Launch Permissions.
The Type of Access should be Allow Launch. Click OK, and get back to the main Default Security screen.
DCOM Permission for an OPC Server on Server Node
1. Configuring DCOM security settings for an OPC Server: Choose the Applications tab, Select the OPC server and click on Properties button.
2. On the DCOM window under General tab similar information should be displayed for the specific OPC Server.
If, as above, the Authentication Level is set to “Default”, that means that whatever is set as the default Authentication Level for that node will also apply to the server. Do not change this setting unless there are problems connecting to the server.
3. Next select the Security tab. This is where accounts are specified for Launch and Access permissions. Both of them present two options: “Use Default” or “Customize”. If “Use Default” is selected, the server uses this node’s default DCOM settings (configured in the same way as on the client node in the first step), so those defaults should be checked and possibly changed. We suggest using “Customize” instead, to set only the permissions for who can access the server, rather than changing DCOM permissions for all programs on the node. To specify which accounts can access the server, select Customize and click on the Edit button. Remember, the default permissions for the system specify who is allowed to get in, but the server-specific permissions regulate who is allowed to actually connect to the server. Users who have permission under the default settings may be able to access other COM servers, and see that the OPC server is there, but if they do not have permission here in the Server security configuration, they will not be able to connect to the server.
Add all the UserIDs that will be used by clients to access the server. These may be individual users, who will run clients interactively, or it may be a Role account or Group.
4. The last tab in the DCOM configuration tool is “Identity”. We strongly suggest specifying a particular account (“This user”), perhaps one created for OPC clients and servers, or for this server. The account needs only the rights the OPC server itself requires to run; it should not be an administrator account. Using “The Interactive User” will create problems if someone logs in who does not have permission to access the server. Using “The launching user” can lead to situations where multiple copies of the server are running, which can cause problems.
Complete this step by clicking OK button.
Remember any user account (domain account) can be used to run the client as long as it has been granted permissions in the DCOM settings for the server. If the DCOM settings have been configured as described above, then try connecting to the server by using PI OPCClient.