ECOPETROL BARRANCABERMEJA. INTERFACES TO THE PI SERVER


This document was created to support the installation of the station(s) hosting the interface(s) to the ECOPETROL-Barrancabermeja PI system. It refers to paths, installation files and electronic documents contained in the folder alongside this document.

IMPORTANT: General prerequisites

It is assumed that the operating system, third-party components and TCP/IP services are installed and configured, and that there is TCP/IP communication (ping works) to the hostnames and IPs of the PI servers:

10.6.125.20 bjaesbpitrp
10.6.125.21 bjaesbpitrq

The time, date and time zone of the machine are vital parameters for the correct operation of the interfaces and must be configured correctly before starting the installation. Using a synchronization mechanism is recommended to keep the clocks of the PI interface station, the PI Server and the data source correctly synchronized.

All operations described below require a user with local Administrator privileges on the machine, or administrator privileges on the domain to which the machine belongs.

PI OPC Client Interface: CASA BOMBAS B

HOST: bjaed10438 - (1) PI-OPC interface instance on the Windows platform
OS: Windows XP Professional
RAM: 2 Gb
Hard disk: 300 Gb
IP Network A: 10.6.89.172
Domain: Ecopetrol.com.co

Verification of the machine's components:

Installation of operating system prerequisites.

Windows components will be installed or updated: .NET Framework, MDAC, MS Runtimes, MS XML, etc.

Installation of API/SDK, Buffer Server, Buffer Subsystem and PI Interface Utility: run setup.exe

The checkboxes are left unchecked.

Installation of the PI OPC Client interface: run Setup.exe

Verification of the PI services installation:

Location of the PI installation files and folders.

Configuring permissions at the DCOM level:

DCOM Configuration Details

All current OPC servers and clients are based on Microsoft's COM/DCOM (Distributed Component Object Model) technology. DCOM is the network communication protocol that allows different software components to communicate across networked nodes. DCOM is based on COM (Component Object Model), which provides a set of interfaces allowing clients and servers to communicate within the same node. These types of communications require a proper COM/DCOM security configuration. Hence both the OPC client and server nodes must have proper COM/DCOM settings permitting them to securely access one another locally or remotely. If both OPC client and server are located on the same node, the communication goes through the COM layer. If they are located on separate nodes, the communication goes via DCOM. Configuring COM and DCOM is the same process, which can usually be done with the DCOM configuration utility. Hence, below we will refer only to DCOM configuration.

This section describes COM/DCOM configuration on both client and server nodes. DCOM security for OPC client-server connectivity should be configured in two major steps:

1. Configuration of DCOM security settings on the OPC Interface node;
2. Configuration of DCOM security settings on the OPC Server node.

If both OPC client and server are on the same node, DCOM settings still need to be configured. The general steps for DCOM configuration are similar. However, depending on whether the nodes are within the same domain or different domains, or even no domain, the sequence of steps will be different. In the following sections it is assumed that the nodes are within the same Windows domain. If this is not the case, first read the section on Notes and Recommendations on DCOM Configuration for setting up access permissions and then follow the DCOM configuration sections for the appropriate Windows OS.

Note: Even if the server and client are on the same node, DCOM settings still need to be configured on that node.

General Steps for DCOM Configuration

DCOM security can be configured with the DCOM Configuration utility (dcomcnfg.exe) that comes with the Windows OS. In order to be able to use this utility, the user must be logged in with administrator's privileges. This utility allows for the configuration of special security rules for all COM/DCOM objects on the local node.

The DCOM Configuration utility may look slightly different and setting options may differ, depending on the version of the Windows OS. Therefore, below we will describe DCOM configuration for Windows XP, 2003 Server, Vista, 2008 Server, and Windows 2000 separately.

DCOM Configuration for OPC Client Node - Windows XP

There are two main steps for DCOM configuration that must be done no matter if the OPC client (i.e. PI OPC Interface) and server are on the same node or on different nodes. The first step is to configure Default DCOM permissions on the client node. This step needs to be performed with caution, since it is going to affect all COM/DCOM applications running on this node. The second is to configure DCOM permissions for the specific OPC Server on the OPC Server node.

Default DCOM Permissions on OPC Client Node

1. Launch the DCOM Configuration utility: Type dcomcnfg in the Run dialog of Start menu and click OK.
2. Bring up the DCOM properties window for this machine: Go to Component Services in the window that appears, and click on the Plus signs to follow the branches of the directory tree. Right click on My Computer and on the pop-up window select Properties. This should bring up the My Computer Properties window.
3. Configure the default DCOM settings for this machine: Select the Default Properties tab. Make sure that Enable Distributed COM on this computer is checked, Default Authentication Level is set to Connect, and Default Impersonation Level is set to Identify. These are the preferred settings that can be appropriate for most cases. However, due to domain or machine security policy and restrictions, these settings might not work. In this case, you should identify workable settings and use them here.

Caution: You should be aware that changing the Default Authentication and Impersonation levels will affect all COM/DCOM applications that use default settings on this machine. If this is causing issues with other applications, do not change them. Instead, you can set them specifically for the OPC Interface process by using /DI and /DA parameters in the start up file. See DCOM Security Configuration for the Interface section for more details.

Next select Default COM Security tab and click on Edit Default button for Access Permissions. If running on Windows XP SP1 the following dialog should appear.

For Windows XP SP2 and Windows 2003, it should look like this:

Next the Group or user names listed for the Default Access Permissions of your machine will appear.

It is required to have SYSTEM, NETWORK and INTERACTIVE groups in this list. If they are not there, they can be added by clicking the Add button and typing the name or selecting them from the list (Advanced, Find Now). Having the account Everyone in this list might be useful at the beginning for connection testing purposes, since this will give access to all accounts that can log into the system. However, later it might be desirable to restrict access to a specific account/user. At a minimum, the account under which the OPC Server is running must be given permission. This step is completed by clicking the OK button. Similar steps will apply for the Default Launch Permissions.

Click OK to finish. For Windows XP SP2 and Windows 2003, also check Edit Limits options for both Access and Launch permissions and make sure that all required accounts have been added as above.

DCOM Configuration for OPC Server Node - Windows 2000

The DCOM configuration is done in two main steps, no matter if the OPC client (i.e. PI OPC Interface) and server are on the same node or on different nodes. The first step is to configure Default DCOM permissions on the client node. This step needs to be performed with caution, since it is going to affect all COM/DCOM applications running on this node. The second is to configure DCOM permissions for the specific OPC server on the OPC Server node.

Default DCOM Permissions on OPC Client and Server Nodes

1. Launching DCOM Configuration utility: Type dcomcnfg in the Run dialog of Start menu and click OK, or type the following in the Command window:

   C:\winnt\system32\dcomcnfg.exe

2. A window that looks more or less like the following will show up. What is displayed may be a little different, depending on what versions of what Microsoft (TM) products are installed.
3. Configure the default DCOM settings for this machine: Select the Default Properties tab. Make sure that Enable Distributed COM on this computer is checked, Default Authentication Level is set to Connect, and Default Impersonation Level is set to Identify. These are the preferred settings that can be appropriate for most cases. However, due to domain or machine security policy and restrictions, these settings might not work. In this case, you should identify workable settings and use them here.

   Caution: You should be aware that changing the Default Authentication and Impersonation levels will affect all COM/DCOM applications that use default settings on this machine. If this is causing issues with other applications, do not change them. Instead, you can set them specifically for the OPC Interface process by using /DI and /DA parameters in the startup file. See DCOM Security Configuration for the Interface section for more details.

4. Next click on Default COM Security tab. The following should be displayed:

Click on Edit Default button for Default Access Permissions. Make sure that at least all of the following accounts are there. It is required to have SYSTEM, NETWORK and INTERACTIVE groups in this list. If they are missing, they can be added by clicking the Add button and typing the name or selecting them from the list (Advanced, Find Now). Having the account Everyone in this list might be useful at the beginning for connection testing purposes, since this will give access to all accounts that can log into the system. However, later it might be desirable to restrict access to a specific account/user. At a minimum, the account under which the OPC Server is running must be given permission. This step is completed by clicking the OK button.

Similar steps will apply for the Default Launch Permissions. The Type of Access should be Allow Launch. Click OK, and get back to the main Default Security screen.
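Once the default permissions have been set on Windows XP or Windows 2000 as described above, the result can be reviewed from the registry, in particular to find the Everyone entry the guide allows for connection testing so that it can be narrowed afterwards. The script below is an added example, not part of the original guide or of the PI OPC Interface; it assumes PowerShell 2.0 or later in an elevated session on the node being checked, and it only reads values.

```powershell
# Added example (read-only): audit the machine-wide DCOM defaults configured above.
# Assumes PowerShell 2.0 or later, run elevated on the node being checked.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'

# dcomcnfg names for the stored DWORD levels.
$authn = @{0='Default';1='None';2='Connect';3='Call';4='Packet';5='Packet Integrity';6='Packet Privacy'}
$imp   = @{1='Anonymous';2='Identify';3='Impersonate';4='Delegate'}
# COM access-mask bits (COM_RIGHTS_* in the Windows SDK).
$rights = @{1='Execute';2='Local';4='Remote';8='LocalActivation';16='RemoteActivation'}
# Well-known SIDs: groups the guide requires, and the broad groups it mentions.
$required = @{'S-1-5-18'='SYSTEM';'S-1-5-2'='NETWORK';'S-1-5-4'='INTERACTIVE'}
$broad    = @{'S-1-1-0'='Everyone';'S-1-5-7'='ANONYMOUS LOGON'}

function Get-LevelName($Value, $Names) {
    if ($null -eq $Value) { 'not set (system default applies)' } else { $Names[[int]$Value] }
}

function Get-DcomAce($Setting, $Bytes) {
    if (-not $Bytes) { return }   # value absent: the built-in default applies
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    if ($null -eq $sd.DiscretionaryAcl) {
        # A NULL DACL places no restriction at all; report it instead of iterating.
        return New-Object PSObject -Property @{ Setting=$Setting; Account='(NULL DACL)'; Sid='';
            Type='AccessAllowed'; Rights='unrestricted'; Review=$true }
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID that no longer resolves to an account
        $mask = $ace.AccessMask
        # 4 and 16 are the remote bits; a bare Execute bit is the pre-SP2 form covering local and remote.
        $remote  = (($mask -band 20) -ne 0) -or ($mask -eq 1)
        $granted = @($rights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                     ForEach-Object { $rights[$_] }) -join ','
        New-Object PSObject -Property @{
            Setting = $Setting; Account = $name; Sid = $sid.Value
            Type    = $ace.AceType; Rights = $granted
            Review  = ($ace.AceType -eq 'AccessAllowed' -and $broad.ContainsKey($sid.Value) -and $remote)
        }
    }
}

"EnableDCOM             : $($ole.EnableDCOM)   (guide: enabled, stored as Y)"
"Default Authentication : $(Get-LevelName $ole.LegacyAuthenticationLevel $authn)   (guide: Connect)"
"Default Impersonation  : $(Get-LevelName $ole.LegacyImpersonationLevel $imp)   (guide: Identify)"

# Default permissions, plus the "Edit Limits" descriptors of XP SP2 / Windows 2003.
$settings = 'DefaultAccessPermission','DefaultLaunchPermission',
            'MachineAccessRestriction','MachineLaunchRestriction'
$aces = @($settings | ForEach-Object { $n = $_; Get-DcomAce -Setting $n -Bytes $ole.$n })
$aces | Format-Table Setting, Account, Type, Rights, Review -AutoSize

# Groups the guide requires in Default Access Permissions.
if ($ole.DefaultAccessPermission) {
    $present = @($aces | Where-Object { $_.Setting -eq 'DefaultAccessPermission' -and
                 $_.Type -eq 'AccessAllowed' } | ForEach-Object { $_.Sid })
    foreach ($sid in $required.Keys) {
        if ($present -notcontains $sid) { "MISSING in Default Access Permissions: $($required[$sid])" }
    }
}

# Broad remote grants left over from connection testing.
$aces | Where-Object { $_.Review } |
    ForEach-Object { "REVIEW: $($_.Account) is allowed [$($_.Rights)] in $($_.Setting)" }
```

Rows marked Review are the ones to replace with the specific account under which the OPC Server or client runs once connectivity has been confirmed.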

DCOM Permission for an OPC Server on Server Node

1. Configuring DCOM security settings for an OPC Server: Choose the Applications tab, select the OPC server and click on the Properties button.
2. On the DCOM window under the General tab, similar information should be displayed for the specific OPC Server. If, as above, the Authentication Level is set to Default, that means that whatever is set as the default Authentication Level for that node will also apply to the server. Do not change this setting unless there are problems connecting to the server.
3. Next select the Security tab. This is where accounts are specified for Launch and Access permissions. Both of them will present two options: Use Default or Customize. If Use Default is selected, it will use the default settings, like those specified for the client node in the first step. If Use Default is set, the default setting should be checked and possibly changed. We suggest using Customize instead, to set only the permissions for who can access the server, rather than changing DCOM permissions for all programs on the node. To specify which accounts can access the server, select Customize and click on the Edit button. Remember, the default permissions for the system specify who is allowed to get in, but the server-specific permissions regulate who is allowed to actually connect to the server. Users who have permission under the default settings may be able to access other COM servers, and see that the OPC server is there, but if they do not have permission here in the Server security configuration, they won't be able to connect to the server. Add all the UserIDs that will be used by clients to access the server. These may be individual users, who will run clients interactively, or it may be a Role account or Group.
4. The last tab in the DCOM configuration tool is Identity. We strongly suggest specifying a particular account, perhaps one created for OPC clients and servers, or for this server. Using The Interactive User will create problems if someone logs in who does not have permission to access the server. Using The launching user can lead to situations where multiple copies of the server are running, which can cause problems. Complete this step by clicking the OK button.

Remember any user account (domain account) can be used to run the client as long as it has been granted permissions in the DCOM settings for the server. If the DCOM settings have been configured as described above, then try connecting to the server by using PI OPCClient.

Notes and Recommendations on DCOM Configuration

Using DCOM without a Windows Primary Domain Controller

If a Primary Domain Controller is not available, or if the OPC server and OPC client nodes are not on the same Windows domain, DCOM cannot use domain security to determine which machines can access each other. Therefore, it will fall back on the most basic of security models: the account(s) under which the client and server are running must be valid and privileged on both nodes. That means that the OPC Server node must have a user account defined that is the same as the user account on the OPC client node under which the client itself will run, and the passwords for those two accounts must also be identical. Likewise, the account under which the OPC server is running must also exist on the client node, and it must have the same password on both nodes. Otherwise, DCOM will not pass any communication between the client and the server, although it may well launch the OPC Server. Note that these accounts must be a local account on each node, not a domain account.

Some sites have reported problems when their server and client nodes were in different Workgroups. If establishing communication between the server and a client is not possible, and the two machines are in different workgroups, it might succeed by moving the two machines into the same Workgroup.

Note: Do not use the Local System account to run applications that use DCOM. While the Local System account has plenty of privileges locally, it has no authority outside its own system.

DCOM Configuration on Two Nodes

If two nodes are being used, both nodes have to be configured to allow access. That is because the OPC Server makes calls to the client, and the client makes calls to the server, and if the configuration is not set up to give them both permission to communicate, the Windows system will not allow communication.

DCOM Configuration on a Single Node

Even if you are using the same node for both the OPC server and the OPC client, DCOM still needs to be configured. In this case, make sure that DCOM permissions have been granted to the accounts under which the OPC server and the client will run.

Registration of Proxy DLLs

The OPC clients (e.g. OPC Interface, PI OPCClient tool, etc.) use proxy DLLs to communicate with OPC Servers. On the client node the following files are needed: opcproxy.dll and opccomn_ps.dll. These files are usually installed during the interface installation. However, if they are missing, the client will not be able to communicate with the server. These files are also located (usually in the \system32 directory) on the OPC Server node. They can be manually copied and registered on the client node. Here is how to register them:

Make sure they are both copied (opcproxy.dll and opccomn_ps.dll) into the \system32 directory. Run:

   C:\>regsvr32 opcproxy.dll

The following dialog box should appear:

Click OK, and then run:

   C:\>regsvr32 opccomn_ps.dll

The following dialog box should appear:

Click on OK to complete this procedure.
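The per-server choices made in "DCOM Permission for an OPC Server on Server Node" (Use Default or Customize, and the Identity tab) and the Local System note above can be read back from each server's AppID key. The script below is an added example, not part of the original guide; it assumes PowerShell 2.0 or later on the OPC Server node and that the server's AppID display name contains "OPC" (the `$filter` value is hypothetical and should be adjusted).

```powershell
# Added example (read-only): per-application DCOM settings of registered OPC servers.
# Assumes PowerShell 2.0 or later, run elevated on the OPC Server node.
$filter = '*OPC*'   # assumption: the server's AppID display name contains "OPC"
$authn  = @{1='None';2='Connect';3='Call';4='Packet';5='Packet Integrity';6='Packet Privacy'}

Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' |
  Where-Object { $_.PSChildName -like '{*}' } |
  ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.'(default)' -notlike $filter) { return }   # not an OPC server: skip

    # Identity tab: RunAs holds "Interactive User" or a named account; a server
    # installed as a service has LocalService instead; neither means the launching user.
    if ($p.RunAs) {
        $identity = $p.RunAs
    } elseif ($p.LocalService) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($p.LocalService)'"
        $identity = "service $($p.LocalService) as $($svc.StartName)"
    } else {
        $identity = 'The launching user'
    }

    # General tab: an absent value means the node's default level is used.
    if ($null -eq $p.AuthenticationLevel) { $level = 'Default' }
    else { $level = $authn[[int]$p.AuthenticationLevel] }

    # Compare against the guide's recommendations for the server node.
    $notes = @()
    if ($identity -eq 'Interactive User')   { $notes += 'identity depends on who is logged on' }
    if ($identity -eq 'The launching user') { $notes += 'may start one server copy per client account' }
    if ($identity -like '*LocalSystem')     { $notes += 'Local System has no authority on other nodes' }
    if (-not $p.AccessPermission)           { $notes += 'Access uses the machine default list' }
    if (-not $p.LaunchPermission)           { $notes += 'Launch uses the machine default list' }
    if ($level -eq 'None')                  { $notes += 'authentication is disabled for this server' }

    New-Object PSObject -Property @{
        AppId          = $_.PSChildName
        Name           = $p.'(default)'
        Identity       = $identity
        Authentication = $level
        Notes          = ($notes -join '; ')
    }
  } | Format-List AppId, Name, Identity, Authentication, Notes
```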

DCOM Security Configuration for the Interface

The PI OPC Interface uses DCOM to communicate with a remote OPC server. DCOM is Microsoft's proprietary communication protocol that allows remote client and server applications to communicate securely. DCOM uses the Windows security model to authenticate clients and servers while establishing a communication. In general, DCOM security for an OPC client application can be configured in two different ways:

1. Programmatically, when an application starts up;
2. Manually, by using the DCOM Configuration utility (i.e. dcomcnfg.exe), before the start up.

In order to set DCOM security programmatically, the OPC client application should make a specific Windows API call for DCOM security with the desired options. If an application does not make that call, it will use the system's (i.e. local computer's) default DCOM security settings. These settings can be set up with the DCOM Configuration utility (see the Default DCOM Permissions on OPC Client Node section for more details).

Security differences between Windows NT/2000 and XP/2003

Microsoft has made significant changes to DCOM security in recent releases of Windows. These changes include new system policies and more restrictive default settings which complicate configuration of OPC components.

The Everyone group

In Windows NT/2000, Everyone includes both authenticated and unauthenticated users. For these versions of Windows, Everyone should be included in access control lists for DCOM components with an authentication level of NONE. In Windows XP/2003, Everyone only includes authenticated users. For unauthenticated access to a DCOM server, the Anonymous Logon group must be included in access control lists in addition to Everyone.

Simple File Sharing

A Windows XP computer configured for workgroup operation defaults to Simple File Sharing mode. In this mode, the guest account is enabled, and all access to the computer is done anonymously. This mode affects DCOM server access as well as network sharing, and must be disabled in order for OPC connections to work. To disable Simple File Sharing:

In the Windows Control Panel, select Administrative Tools > Local Security Policy.
Select Security Settings > Local Policy > Security Options.
Select Network Access: Sharing and security model for local accounts.
Verify that it is set to Classic: Local users Authenticate as themselves.

Security Settings

If you do not want to use the system's settings, you can use the interface's special command line parameters that can set the DCOM security for the interface. This can be done with the /DA and /DI parameters. The changes made to those parameters will only affect the PI OPC Interface. Here is a brief description of what they do and their configuration options:

The /DA parameter is used for setting up the Default Authentication Level. This setting is necessary for authentication of an OPC server application while establishing a communication and making calls. The possible options for this parameter are the following:

Default: Uses a standard negotiation between the interface and OPC Server for selecting an appropriate authentication level. This may vary depending on the Windows OS;
None: Does not use authentication. All security settings are ignored;
Connect: The authentication takes place only when an initial connection is made to the server. After the connection has been established, no additional authentication checks will be performed;
Call: The authentication occurs at the beginning of each RPC call (i.e. a callback from the OPC Server). In this case the data packet headers are signed, but the data packets exchange is not signed or encrypted;
Packet: Authenticates the data on a per-packet basis. All data is authenticated;
Packet Integrity: Authenticates and verifies that the data packets are signed and have not been modified during transit (i.e. checks for packet integrity). The packets are not encrypted;
Packet Privacy: Includes all previous authentication levels and signs and encrypts each data packet. This setting ensures that the communication between the client and the server is confidential.

If you do not set the Default Authentication Level correctly, the OPC server will not be able to send callbacks to the client. This usually means that all Asynchronous calls (e.g. Poll or Advise) will not return data updates. The most commonly used settings are Connect and None.

The /DI parameter sets up the Default Impersonation Level. The Default Impersonation Level is used for granting permissions to the PI OPC Interface for executing permissible operations on OPC Server objects. The possible options are as follows:

Anonymous: The client is anonymous to the server. This means that the identity of the user associated with the OPC Interface is hidden from the OPC server.
Identify: The OPC Server can identify the user associated with the OPC Interface, and can perform actions as that user.
Impersonate: The OPC Server can perform actions as the user associated with the OPC Interface, but is not allowed to access other computers as that user.
Delegate: The DCOM server can act as the user associated with the DCOM client, including accessing other computers as that user (only supported in Windows 2000 and later).

The most commonly used settings are Identify and Impersonate.