DCOM Configuration OPC and Trend Server US

DCOM Configuration for Freelance 800F Version 8.1 OPC Server and Trend Server

(October 2005)

1 Table of Contents 1 Table of Contents ...........................................................................................................2 2 Important Basic Settings on all Workstations ..................................................................3

2.1.1 Windows Firewall ...........................................................................................3 2.1.2 Required Local Security Setting ......................................................................4 2.1.3 Simple File Sharing.........................................................................................5 2.1.4 User Configuration in a Workgroup Environment ...........................................6

2.1.4.1 Required Local Windows User Accounts and Groups..................................7 2.1.4.2 Creating Local Users and Groups in the Workgroup Environment:............10

2.1.5 User Configuration in a Pure Domain Environment.......................................12 2.1.5.1 Creating User Accounts and Groups on the Domain Controller .................12

2.1.6 User Configuration in a Mixed Domain and Workgroup Environment...........15 3 Setting Up CBF and DigiVis Stations ...........................................................................17

3.1 Required Basic Windows XP Settings...................................................................17 3.2 Installing a DigiVis / CBF Station.........................................................................17 3.3 Running DigiVis in Operator Mode without Local Administrator Rights ..............18 3.4 Standard DCOM Settings for CBF and DigiVis Stations .......................................21 3.5 Setting Up the OPCEnum DCOM Component ......................................................25

4 Setting Up OPC or Trend Servers .................................................................................29 4.1 Required Basic Windows XP Settings...................................................................29 4.2 Standard DCOM Settings on the OPC / Trend Server............................................29 4.3 Setting Up the OPC/Trend Server DCOM Components ........................................31

Caution: The configuration settings described in this document exclusively apply to Freelance 800 F Version 8.1 running under Windows XP Service Pack 2. Due to essential changes in the DCOM security settings for Windows XP Service Pack 2 and the changes in Freelance 800 F Version 8.1 resulting from this, the configuration settings detailed in this document are not applicable to previous Freelance versions and cannot be used for them!

2 Important Basic Settings on all Workstations This section details the basis settings you have to make on all workstations in order run a Freelance OPC Server or Trend Server.

2.1.1 Windows Firewall Always disable the local Windows firewall on all computers. Proceed as follows: Under Start -> Control Panel -> Windows Firewall select the “OFF” radio button.

2.1.2 Required Local Security Setting Make the local security settings detailed below on each PC accessing the OPC/Trend Server and on the OPC / Trend Server itself. For this purpose, start the Local Security Policy application with : Start-> -> Control Panel ->Administrative Tools->Local Security Policy Under Security Settings -> Local policies -> Security Options -> Network access: Sharing and Security Model for local Accounts select “Classic – local users authenticate as themselves”:

2.1.3 Simple File Sharing “Simple File Sharing“ is a new Windows XP feature controlling not only the file enable dialog boxes, but also the user authentication behavior of the entire operating system. Therefore, it must be switched off on all systems as follows: Under Windows-Explorer -> Tools -> Folder Options -> View unselect the Use simple file sharing check box (last item in the list box seen below).

2.1.4 User Configuration in a Workgroup Environment As there is no central user administration in a workgroup (similar to a domain controller for a domain), it is important to use the same password for defining all user accounts and passwords on all workgroup computers sharing client/server services. This means: A user account requiring access permissions in the workgroup network must be defined on all computers that enable services in that workgroup. Such services can be, for example, file and print services, but also the DCOM permissions (see the DCOM configuration chapter). Important: The user account name and the corresponding password must be identical on all computers of the workgroup. Also, it is mandatory that the passwords are not empty. Recommendation: Use passwords of at least 8 character consisting of both numbers and special characters.

2.1.4.1 Required Local Windows User Accounts and Groups Read from the following table which user accounts and groups should be created on the individual workgroup computers: User name or group name

Type Defined on station Member of

Operators Group DigiVis (all stations) DigiVis **

- Operators (corresponding local group on the DigiVis stations)

- Users (WG) or administrators (WG), if applicable *

Operator1 User

OPC or Trend Server - OPCUsers (group on the OPC / Trend server)

- Users (WG) DigiVis **

- Operators (corresponding local group on the DigiVis stations)

- Users (WG) or administrators (WG), if applicable (WG) *

Operator2 bis OperatorX (nur bei Bedarf)

User

OPC or Trend Server OPCUsers (group on the OPC / Trend server) - Users (WG)

OPCUsers Group OPC or Trend Server OPC or Trend Server Administrators (WG) on the OPC /

Trend server OPCService User

DigiVis (all stations) Users (WG) Engineer1 User CBF *** Administrators (WG) Engineer2 to EngineerX (only if required)

User CBF *** Administrators (WG)

WG Standard local Windows Group given by the operating system.

* Special measures must be taken if you do not want the Operator type users (DigiVis) to join the local Administrators group, in order to ensure reliable DigiVis operation. For details also refer to section “DigiVis Operator operation without local administrator rights”.

** It suffices to create only those Operator user accounts on the DigiVis PC that are needed on the corresponding DigiVis station.

*** It suffices to create only those Engineer user accounts on the CBF PC that are needed on the corresponding CBF station.

“Operators“ Group If at least 2 operators with 2 different user accounts (e.g. operator1, operator2) shall work on a DigiVis station without having local administrator rights, the “Operators” group should be created. Since a couple of system settings have to be made on the DigiVis system in order to bring the DigiVis to an executable state *, it is useful to assign these rights to the entire “Operators” group rather than to individual operators. Two advantages result from this:

- When assigning Windows XP permissions, it suffices to consider one group account instead of heaving to care for several user accounts. Among other things, this prevents that a user account is forgotten.

- If another user joins that group later on, he can operate DigiVis without having system administrator rights and without requiring that additional permissions are assigned within the system. You can simply add this user to the “Operators” group.

“OPCUsers“ Group The OPCUsers group is used to assign the corresponding DCOM communication rights on an OPC and Trend Server. It is useful to create this group, because it is assumed that users with different user accounts access the OPC or Trend Servers. As a result, it is possible to control the DCOM permission assignment on the OPC / Trend Server using this group. “OPCService“ User Account The “OPCService” user account is needed on the OPC Server, the Trend Server and all DigiVis stations. This user must be a member of the local Administrators group on the OPC or Trend Server. The OPC Server or Trend Server process is started under the “OPCService” user account. Since the OPC Server or Trend Server process needs local administrator rights on the system, this user account must become a member of the local Administrators group. Basically, the following can be stated for the DCOM configuration on the OPC / Trend Server described later in this document: All users in the “OPCUsers” group are authorized to start he DCOM Trend Server process, which, as a rule, runs under the “OPCService” user account (no matter if a user has logged on to the OPC Server / Trend Server or not).

Example: One Trend Server (TRNSRV) and three DigiVis stations (VIS1 ,VIS2, VIS3) are commissioned using Control Builder F (CBF). All DigiVis stations access the Trend Server. Two operators (Operator1, Operator2) and one commissioning engineer (Engineer1) are authorized to log on to the following computers: Engineer1 – CBF, TRNSRV,VIS1,VIS2,VIS3 Operator1 – VIS1, VIS2,VIS3 Operator2 – VIS2, VIS3 As a result, the following users / groups must be created on the PCs: VIS1: Local group: Operators Local user: Operator1, member of Users (and Administrators, if required *) and Operators Local user: Engineer1, member of Administrators Local user: OPCService, member of Users VIS2: Local group: Operators, member of Users Local user: Operator1, member of Users (and Administrators, if required *) and Operators Local user: Operator2, member of Users (and Administrators, if required *) and Operators Local user: Engineer1, member of Administrators Local user: OPCService, member of Users VIS3: Local group: Operators Local user: Operator1, member of Users (and Administrators, if required *) and Operators Local user: Operator2, member of Users (and Administrators, if required *) and Operators Local user: Engineer1, member of Administrators Local user: OPCService, member of Users CBF: Local user: Engineer1, member of Administrators TRNSRV: Local group: OPCUsers Local user: Operator1, member of OPCUsers Local user: Operator2, member of OPCUsers Local user: Engineer1, member of OPCUsers, Administrators Local user: OPCService, member of OPCUsers, Administrators

2.1.4.2 Creating Local Users and Groups in the Workgroup Environment: The users and groups mentioned above can be created on each workstation under: Start-> Settings -> Control Panel-> Administrative Tools -> Computer Management -> Local Users and Groups T create a new user account, select: Users -> Right-click with the mouse -> New User:

Make the following important settings as seen in the above dialog window: User cannot change password -> Yes (if a user is authorized to change the password locally on his machine, it is no longer ensured that all passwords on all machines are identical) Password never expires -> Yes Account is disabled -> No

Create a new group under: Groups -> Right-click with the mouse -> New Group:

By selecting Add…you can add the users created earlier (here: operator1 and operator2) when creating the group (here: Operators). This example of a workgroup configuration shows that every new PC in a workgroup increases the required administration efforts for user accounts and groups. In order to minimize these efforts (e.g. in large networks), it is recommended to create a domain environment. Refer to the “User Configuration in a Pure Domain Environment” section for details.

2.1.5 User Configuration in a Pure Domain Environment Using a domain-based network environment considerably simplifies the user and group administration in larger networks, as the user accounts and groups are stored centrally on the so-called domain controller and have to be administered in one place, only. The following table shows the groups and user accounts required for pure domain operation: User name or group name


Operators Group Domain controller Operator1 User Domain controller - Operators (of the domain group)

- if required, Administrators (WG) * on the DigiVis stations - OPCUsers (of the domain group)

Operator2 to OperatorX (if required)

User Domain controller - if required, Administrators (WG) * on the DigiVis stations

OPCUsers Gruppe Domain controller OPCService User Domain controller - Administrators (WG) * on the OPC /

Trend Server - OPCUsers (of the domain group)

Engineer1 User Domain controller - Administrators (WG) * on the CBF station - OPCUsers (of the domain group)

Engineer2 to EngineerX (if required)

User Domain controller - Administrators (WG) * on the CBF station - OPCUsers (of the domain group)

WG = Standard local Windows Group given by the operating system. * Special measures must be taken if you do not want the Operator type users (DigiVis) to join the local

Administrators group, in order to ensure reliable DigiVis operation. For details also refer to section “DigiVis Operator operation without local administrator rights”.

2.1.5.1 Creating User Accounts and Groups on the Domain Controller Proceed as described below to create users and groups on Windows 2000 or Windows 2003 Server controllers. 1) On a domain controller, start the user administration:

Start -> Programs -> Administrative Tools-> Active Directory Users und Computers

2) In the tree view on the left hand side, select the corresponding domain and the appropriate Organizational Unit (OU) below it (if no OU structure has been defined, select Users)

3a) Create a user On the OU (or Users) -> Right-click with the mouse-> New -> User

Next>

Next -> in the following dialog -> Finish Important: The Password never expires option must be selected for the OPCService user account. In mixed environments (domain and workgroup) it is recommended to set the

“Password never expires“ option for all domain user accounts. The other user accounts can be set as seen above. 3b) Create a group

On the OU (or Users) -> Right-click with the mouse-> New -> Group

Group Scope: Global, Group Type: Security -> OK After creating the OPCUsers and Operators groups enter the corresponding domain user accounts in the above-listed table.

2.1.6 User Configuration in a Mixed Domain and Workgroup Environment Various scenarios are conceivable in mixed domain and workgroup environment. What is important for the mixed configuration is that “Password never expires“ is set on the domain controller for all user accounts and groups. Also refer to section Creating User Accounts and Groups on the Domain Controller. Seen from the network security point of view the pure domain model should be preferred to the mixed model. If, however, this is not possible, the following two main scenarios are possible: Scenario 1: The OPC Server or Trend Server workstation is a member of a domain, whereas some (maybe all) DigiVis stations or CBF stations are not. It is important in this scenario that, beside the OPSUser group needed in the pure domain model, a new local OPCUser group must be created on the domain level of the OPC Server or Trend Server. The OPCUsers domain group must be a member of the local OPCUsers group on the OPC Server or Trend Server. Additionally, all user accounts in the workgroup must be created on the OPC Server / Trend Server, using the same pattern, user name and password and must be members of this new OPCUsers group. With this procedure it is possible to group all workgroup users, similar to the domain users that are grouped in the OPCUsers domain group. Refer to section DCOM Configuration later in this document; it describes how the necessary DCOM permissions are assigned using this local group. User name or group name


Domain controller Operators Group DigiVis Station (of the workgroup)

Operator1 User Domain controller - Operators (of the domain group) - if required, Administrators (WG) * on

the DigiVis stations - OPCUsers (of the domain group)

DigiVis Station (of the workgroup)

- Operators (of the DigiVis station) - if required, Administrators (WG) * on

the DigiVis stations

Operator2 (from workgroup)

User

OPC / Trend Server - OPCUsers (on OPC / Trend Server)

Domain controller - OPCUsers (on OPC / Trend Server) OPCUsers Gruppe

OPC / Trend Server

Domain controller - Administrators (WG) * on OPC / Trend Server

- OPCUsers (domain group)

OPCService User

DigiVis (of the workgroup)

- Users (WG) on all DigiVis stations of the workgroup

Engineer1 User Domain controller - Administrators (WG) * on the CBF station

- OPCUsers (domain group) CBF station (of the workgroup

- Administrators (WG) * on the CBF station

Engineer2 (from workgroup)

User


WG = Standard local Windows Group given by the operating system.

* Special measures must be taken if you do not want the Operator type users (DigiVis) to join the local Administrators group, in order to ensure reliable DigiVis operation. For details also refer to section “DigiVis Operator operation without local administrator rights”.

Scenario 2: The OPC Server or Trend Server workstation is not a member a domain, whereas the DigiVis stations and the CBF station are members. In this case, all necessary domain user accounts must also be created locally on the OPC Server or Trend Server. Additionally, a local OPCUsers group is needed on the OPC or Trend Server, as described for Scenario 1. The locally defined user accounts must be added to this group as new members. However, the “OPCUsers” group defined on the domain level and the “OPCService” domain user account are not needed in this case. User name or group name


Operators Group Domain controller

Domain controller - Operators (of the domain group) - if required, Administrators (WG) * on


Operator1

User


Domain controller - Operators (of the domain group) - if required, Administrators (WG) * on


Operator2 to OperatorX (if required)

User


OPCUsers Gruppe OPC / Trend Server

OPC / Trend Server - Administrators (WG) * on the OPC / Trend Server

- OPCUsers (on OPC / Trend Server)

OPCService User

DigiVis (all) - Users (WG) on all DigiVis stations

Domain controller - Administrators (WG) * on the CBF station

Engineer1 User


Domain controller - Administrators (WG) * on the CBF station

Engineer2 to EngineerX (if required)

User


WG Standard local Windows Group given by the operating system. * Special measures must be taken if you do not want the Operator type users (DigiVis) to join the local

Administrators group, in order to ensure reliable DigiVis operation. For details also refer to section “DigiVis Operator operation without local administrator rights”.

3 Setting Up CBF and DigiVis Stations

3.1 Required Basic Windows XP Settings Make sure that all required settings stated in section Important Basic Settings on all Workstations have been made:

- Windows Firewall switched off - Local Security Settings made as specified - Simple File Sharing switched off - All required user accounts and group created locally and, if necessary, on the domain

controller

3.2 Installing a DigiVis / CBF Station Log on as a user with local administrator rights and start the DigiVis or CBF setup program. When prompted by the system, reboot at the end of the setup procedure. Set up DigiVis or CBF using the Configure Tool. Subsequently, start the OPC or Trend Server setup program on the DigiVis or CBF station. Note that the OPC / Trend Server setup must be run on all workstations having access to an OPC / Trend Server. Avoid making any further settings from the OPC / Trend Server using the Configure Tool after termination of the setup. Reboot when prompted accordingly by the system after having terminated the setup

3.3 Running DigiVis in Operator Mode without Local Administrator Rights

If you do not want to assign Windows Administrator rights to the DigiVis operator on any of the DigiVis stations, additional measures must be taken after having installed DigiVis. The dialog windows seen in the following sections show how you can assign access rights a local “Operators“ group. If, however, the corresponding DigiVis station is a domain member, you must enter the “Operators” domain group instead. Setting NTFS Permissions for 800F Installation Folder Use the Explorer to select the appropriate installation folder, e.g.: C:\Program Files\ABB Industrial IT\Freelance 800F Right-click with the mouse on the Freelance 800F folder -> Sharing and Security…-> Security

->Select “Full Control” permissions for the “Operators” group.

System Permissions: Setting the System Time In order to enable a DigiVis station’s time synchronization, adapt the following local security settings: Control Panel -> Administrative Tools -> Local security policy -> Local policy, User right assignment-> Change the system time:

- Double-click to add the “Operators” group. Under “Object Types”, select the “Groups” for this purpose

Setting Necessary Registry Permissions Start the Registry Editor: Start -> Run…-> regedit

Under HKEY_LOCAL_MACHINE\Software\Hartmann & Braun -> Right-click with the mouse -> Permissions… -> Select “Full Control” permission for the “Operators” group.

3.4 Standard DCOM Settings for CBF and DigiVis Stations Usually, the standard DCOM settings under Windows XP Service Pack2 after a Windows XP reinstallation are sufficient for DigiVis and CBF operation. All you have to do is check and, if required, re-do the following settings in case they should be different from the standard settings. Select Start -> Run …-> dcomcnfg to start the dcomcnfg application. Then select Component Services -> Computers -> My Computer – Right-click with the mouse - Properties Check that the settings in the following dialog windows are as seen below:

Check all four settings. Only the set permissions are shown here. The other check boxes must be empty: 1) Access Permissions -> Edit Limits…: ANONYMOUS LOGON -> Local Access ->Allow Everyone -> Local Access -> Allow Everyone -> Remote Access -> Allow 2) Access Permissions -> Edit Default… SYSTEM -> Local Access ->Allow SELF -> Local Access ->Allow SELF -> Remote Access ->Allow 3) Launch and Activation Permissions -> Edit Limits… Administrators -> Local Launch -> Allow Administrators -> Remote Launch - Allow Administrators -> Local Activation -> Allow Administrators -> Remote Activation-> Allow Everyone -> Local Launch -> Allow Everyone -> Local Activation -> Allow 4) Launch and Activation Permissions -> Edit Default… Administrators -> Local Launch -> Allow Administrators -> Remote Launch - Allow Administrators -> Local Activation -> Allow Administrators -> Remote Activation-> Allow INTERACTIVE -> Local Launch -> Allow INTERACTIVE -> Local Activation -> Allow SYSTEM -> Local Launch -> Allow SYSTEM -> Local Activation -> Allow

3.5 Setting Up the OPCEnum DCOM Component Beside making the standard DCOM settings you can also configure a special DCOM component called OPCEnum using the “dcomcnfg” application. If you should encounter any OPC or Trend Server access problems, you can use this application to restore the standard settings. First select the component: My Computer -> DCOM Config -> OpcEnum -> Properties:

Check that all settings are as seen below:

Caution: After having set up the OPC or Trend Server on the DigiVis or CBF station, the permissions are not set to “Use Default” as seen above. However, you should select the setting seen above when you have made/ checked the general DCOM settings according to section “General DCOM Settings for CBF and DigiVis Stations”. Advantage: You can centrally control all DCOM permissions by setting the “My Computer” properties. This kind of central configuration and access permission assignment is very useful for DCOM configurations of an OPC or Trend Server with many DCOM components.

4 Setting Up OPC or Trend Servers

4.1 Required Basic Windows XP Settings Make sure that all required settings stated in section Important Basic Settings on all Workstations have been made:

- Windows Firewall switched off - Local Security Settings made as specified - Simple File Sharing switched off - All required user accounts and group created locally and, if necessary, on the domain

controller

4.2 Standard DCOM Settings on the OPC / Trend Server Configure the OPC or Trend Server as described in section Standard DCOM Settings for CBF and DigiVis Stations. Only the settings stated under “COM Security” must be accordingly adapted or extended.

Check all four settings. Only the set permissions are shown here. The other check boxes must be empty (all non-standard Windows XP SP2 permissions are marked with a frame). Important: Enter the “OPCUsers” domain group exclusively in a pure domain configuration. Else, the “OPCUsers” group locally defined on the OPC or Trend Server must be entered!

1) Access Permissions -> Edit Limits…: ANONYMOUS LOGON -> Local Access ->Allow Everyone -> Local Access -> Allow Everyone -> Remote Access -> Allow 2) Access Permissions -> Edit Default… SYSTEM -> Local Access ->Allow SELF -> Local Access ->Allow SELF -> Remote Access ->Allow OPCUsers -> Local Access ->Allow OPCUsers -> Remote Access ->Allow 3) Launch and Activation Permissions -> Edit Limits… Administrators -> Local Launch -> Allow Administrators -> Remote Launch - Allow Administrators -> Local Activation -> Allow Administrators -> Remote Activation-> Allow Everyone -> Local Launch -> Allow Everyone -> Local Activation -> Allow OPCUsers -> Local Launch -> Allow OPCUsers -> Remote Launch - Allow OPCUsers -> Local Activation -> Allow OPCUsers -> Remote Activation-> Allow 4) Launch and Activation Permissions -> Edit Default… Administrators -> Local Launch -> Allow Administrators -> Remote Launch - Allow Administrators -> Local Activation -> Allow Administrators -> Remote Activation-> Allow INTERACTIVE -> Local Launch -> Allow INTERACTIVE -> Local Activation -> Allow SYSTEM -> Local Launch -> Allow SYSTEM -> Local Activation -> Allow OPCUsers -> Local Launch -> Allow OPCUsers -> Remote Launch - Allow OPCUsers -> Local Activation -> Allow OPCUsers -> Remote Activation-> Allow

4.3 Setting Up the OPC/Trend Server DCOM Components Beside making the standard DCOM settings you can also configure special DCOM components for the OPC / Trend Server using the “dcomcnfg” application. Additional DCOM components are registered in the system for each instance of an OPC / Trend Server created using the Configure Tool (indicate the Resource ID). The following DCOM components are installed when the OPC/ Standard Trend Server instances have been created: OPCEnum (only registered once ) Freelance 2000 OPCServer Diagnosis Class (only registered once) Freelance 2000 OPCServer <ResID> (exists for each OPC or Trend Server instance) Freelance 2000 OPCAEServer <ResID> (exists for each OPC or Trend Server instance) All DCOM components listed above must have the same configuration. The DCOM configuration for this instance must be repeated for each OPC or Trend Server instance added later! Like on the DigiVis station or CBF station it is useful to configure standard settings. However, there is one important difference from the DCOM component configuration on a DigiVis or CBF station: In the Identity window you must enter the OPCService user under “This User”. DCOM Component Configuration Under Start -> Run …-> dcomcnfg, start the “dcomcnfg“ application. Then select the following for all above-listed components, one after the other: My Computer -> DCOM Config -> <Component Name>- >Right-click with the mouse-> Properties: Check the following settings for each component:

Caution: After having set up the OPC or Trend Server, the permissions are not set to “Use Default” as seen above. “Use Default” as seen above. However, you should select the setting seen above when you have made/ checked the general DCOM settings according to section “General DCOM Settings on the OPC and Trend Server”. You can centrally control all DCOM permissions by setting the “My Computer” properties. This simplifies the access permission configuration, as the basic settings only have to be under “My Computer“.

Important: Enter the “OPCUsers” domain group exclusively in a pure domain configuration. Else, the “OPCUsers” group locally defined on the OPC or Trend Server must be entered!

DCOM Configuration OPC and Trend Server US

Documents

Transcript of DCOM Configuration OPC and Trend Server US