Managing Security
The Advanced Historian data archive is typically used in production systems where correct and reliable operation is important. For this reason, a number of security mechanisms are available to protect against both willful and accidental tampering with the system. These include operating system security, physical security, network security, and several levels of security within the Advanced Historian. For information about network and operating system security, consult your system administrator and Windows NT online help. IMPORTANT: The Windows NT login account AdvHistUser is created when you install the Advanced Historian. Do not modify or delete this account. It is required for the Advanced Historian to function properly.
To complete these tasks, log into the Advanced Historian with the piadmin account.
Examples

hostmask          value
192.168.168.*     ALLOW
192.168.168.67    DISALLOW
The second field accepts the following keywords, which instruct Pinetmgr whether or not it should complete the connection. ALLOW instructs Pinetmgr to complete the connection. DISALLOW instructs Pinetmgr to refuse the connection. When a new connection request is received by Pinetmgr, the incoming host name and IP address are examined as follows:
If the request is from the computer on which Pinetmgr is running, the connection is automatically accepted.
If the request is from a remote node (client), Pinetmgr searches the Firewall database for a matching IP address entry or host name entry. The search uses a wildcard compare. For example, the connecting address 192.168.168.22 matches an address mask of 192.168.*.*. A matching DISALLOW has precedence over a matching ALLOW.
Using the table above, only hosts within the 192.168.168.0 subnet are allowed connections. However, the specific IP address 192.168.168.67 is not allowed to connect, even though it matches the first host mask. IMPORTANT: Adding an address mask of *.*.*.* and a value of DISALLOW to the Firewall database will prohibit all TCP/IP connections.
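The following Python model of the Pinetmgr decision order just described is an added illustration, not code from the manual or the product; the Firewall table it uses is constructed, and treating a request that matches no entry as refused is an assumption, since the manual only documents the default *.*.*.*,ALLOW entry.

```python
from fnmatch import fnmatchcase

# Constructed sample Firewall database (hostmask, value), modelled on the
# entries discussed in the text: the subnet is allowed, one address and one
# host name inside it are refused.
FIREWALL_DB = [
    ("192.168.168.*", "ALLOW"),
    ("192.168.168.67", "DISALLOW"),
    ("tomcat.nowhere.com", "DISALLOW"),
]

def mask_matches(mask: str, name: str) -> bool:
    """Wildcard compare: each '*' in the mask matches any run of characters.
    Case-insensitive matching of host names is an assumption."""
    return fnmatchcase(name.lower(), mask.lower())

def connection_allowed(db, hostname: str, ip: str, is_local: bool = False) -> bool:
    """Apply the decision order the manual gives for Pinetmgr:
    1. a request from the computer running Pinetmgr is always accepted;
    2. otherwise collect every entry whose hostmask matches the IP address
       or the host name (wildcard compare);
    3. any matching DISALLOW takes precedence over any matching ALLOW;
    4. a request matching no entry is refused (assumption: the manual only
       documents the default *.*.*.*,ALLOW entry, not the no-match case)."""
    if is_local:
        return True
    verdicts = {value.upper() for mask, value in db
                if mask_matches(mask, ip) or mask_matches(mask, hostname)}
    if "DISALLOW" in verdicts:
        return False
    return "ALLOW" in verdicts

if __name__ == "__main__":
    for host, ip in [("olive.nowhere.com", "192.168.168.22"),
                     ("grape.nowhere.com", "192.168.168.67"),
                     ("tomcat.nowhere.com", "192.168.168.129")]:
        verdict = "ALLOW" if connection_allowed(FIREWALL_DB, host, ip) else "REFUSED"
        print(host, ip, verdict)
```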
Once your changes are made, the Advanced Historian recognizes them within 15 minutes or when you restart the server. You can only modify the Firewall database from the computer running Pinetmgr.

Listing Attributes and Entries

The name of the Firewall database is Pifirewall. You can open the Firewall database by entering the following text at the Piconfig prompt:
piconfig> @table pi_gen,pifirewall
To list the field attributes in the database, enter the following text at the Piconfig prompt:
piconfig> @?atr
1 - hostmask
2 - value
3 - NEWhostmask
Notice that the name of the address mask field in the Firewall database is hostmask. This is also the primary key. To display all entries in the database, enter the following text at the Piconfig prompt:
piconfig> @ostructure hostmask,value (define format of data printed to screen)
piconfig> @select hostmask=* (specify primary key to select)
piconfig> @endsection (end of selection)
*.*.*.* ALLOW
This listing shows the default firewall setting; all connections are allowed.
piconfig> @mode create,t (put the database into create mode)
piconfig> @istructure hostmask,value (define format of incoming data)
piconfig> 192.168.168.*,ALLOW (enter mask and keyword)
Once this change takes effect, connection attempts from tomcat are prohibited. Consequently, if you ran the Apisnap utility from tomcat to examine the value of a point, you would see the following text as a result of the attempted connection:
e:\pi\adm>apisnap tamarind:5450
PI-API version 1.2.3.4
Attempting connection to tamarind:5450
Error 2, connecting to tamarind:5450
Likewise, the file PIPC.LOG on the host tomcat contains the following entry:
Chapter 1. Managing Security
The Advanced Historian server's message log also contains a message indicating that the connection was not allowed:
0 pinetmgr 11-Dec-99 16:29:37 >> PInet Refused TCP/IP connection, hostname: tomcat.nowhere.com, 192.168.168.129
The Group database contains the following fields. The primary key for the database is the Group field.

Table 1-1: Group Database Fields
Field Name     Contains...
Group          The name of the account.
User           The users assigned to this group.
Description    Text describing the account.
Listing Attributes and Entries

You can open the User database by entering the following text at the Piconfig prompt:
piconfig> @table piuser
To list the field attributes in the database, enter the following text at the Piconfig prompt:
piconfig> @?atr
1 - USER
2 - DESCRIPTION
3 - GROUPS
4 - CONTEXT
5 - NEWUSER
To display all entries in the database, enter the following text at the Piconfig prompt:
piconfig> @ostructure user,description,groups (define format of data printed to screen)
piconfig> @select user=* (specify primary key to select)
piconfig> @endsection (end of selection)
piadmin,PI Administration,piadmin
pidemo,PI Demo,piuser
Listing Attributes and Entries

The name of the Group database is Pigroup. You can open the Group database by entering the following text at the Piconfig prompt:
piconfig> @table pigroup
To list the fields in the database, enter the following text at the Piconfig prompt:
piconfig> @?atr
1 - GROUP
2 - USERS
3 - DESCRIPTION
4 - NEWGROUP
To display all entries in the database, enter the following text at the Piconfig prompt:
piconfig> @ostructure group,description,users,... (define format of data printed to screen)
piconfig> @select group=* (specify primary key to select)
piconfig> @endsection (end of selection)
piadmin,PI Administration,piadmin
piuser,User,pidemo
ptmaintenance,,
By default, these databases are owned by the piadmin user account and belong to the piadmin group. Consequently, only a user logged in as piadmin can create, edit, or delete objects stored in these databases. The security attributes of each database can be changed to meet system needs by modifying the database security table, Dbsecurity. This table contains the following fields:

Table 1-3: Database Security Table Fields
Field     Defines...
DBName    The database name.
access    The type of access to the table. Access types can be none, read only, or read/write for the owner, the associated group, and the world (anyone not the owner or in the group).
Group     The group name.
Owner     The name of the user account that owns the table. By default, this field is set to Piadmin.
The Base subsystem, Pibasess, maintains the Point database, the User database, and the Digital State database. You must specify the name of the subsystem in order to modify the security on these databases. For example:
> @table dbsecurity,pibasess (open the database security table)
> @?atr (display the fields of the database)
1 - DBName (D) (C)
2 - NEWDBName (D) (C)
3 - access (D) (C)
4 - group (D) (C)
5 - owner (D) (C)
> @ostr dbname,access,group,owner (define format of data printed to the screen)
> @select dbname=* (specify primary key to select)
> @endsection (end of selection)
This example lists all the databases maintained by the Base subsystem. Pipoint is the Point database; Piuser, the User database; Pids, the Digital State database. The security attributes for each database are identical, defining Piadmin as the owner and group and setting the access type as follows:
The owner has read/write access.
Group members have read-only access.
The world has read-only access.
When a point is created, the point and its attributes (such as zero, span, compression specifications) may be assigned to an owner and group that is different from the point data. Likewise, the read/write access for the point and its attributes may be different from the point data.

Point Security Example

In a typical facility, a control engineer may be assigned to be the owner of each point used by the instruments that he or she is responsible for configuring. The engineer (as the point owner) may be assigned ownership, and read and write access for the data as well. On the other hand, the control room staff as a group may be given read and write access to the data but be limited to read-only access to the point and its attributes.
piconfig> sinusoid, jin (enter data)
piconfig> @mode list (put database into list mode)
piconfig> @ostructure tag, ptowner (define format of data printed to screen)
piconfig> @select tag=sinusoid (specify key to select)
piconfig> @endsection (end of selection)
SINUSOID,jin
Changing the attributes PtGroup, DataOwner, and DataGroup works similarly.

Example: Changing Point Attribute Access Rights

The following example shows how to open the table, list the attribute access rights, and change them by adding read access to the group and world:
piconfig> @table pipoint (open database)
piconfig> @ostructure tag, ptaccess (define format of data printed to screen)
piconfig> @select tag=sinusoid (specify key to select)
piconfig> @endsection (end of selection)
SINUSOID,o:rw g: w:
piconfig> @mode edit (put database into edit mode)
piconfig> @istructure tag, ptaccess (define incoming data format)
piconfig> sinusoid,o:rw g:r w:r (enter access rights)
piconfig> @mode list (put database into list mode)
piconfig> @ostructure tag, ptaccess (define format of data printed to screen)
piconfig> @select tag=sinusoid (specify key to select)
piconfig> @endsection (end of selection)
SINUSOID,o:rw g:r w:r
Example: Changing the Point Data Owner and Group

The following example shows how to open the Point database, list the DataOwner and DataGroup for the tag, and change the owner to Operator1 and the group to the Operations Group.
piconfig> @table pipoint (open database)
piconfig> @ostructure tag, dataowner, datagroup (define format of data printed on screen)
piconfig> @select tag=sinusoid (specify key to select)
piconfig> @endsection (end of selection)
SINUSOID,piadmin,piadmin
piconfig> @mode edit (put database into edit mode)
piconfig> @modify dataowner=Operator1, datagroup=OperationsGroup (modify owner and group)
piconfig> @select tag=sinusoid (specify key to select)
piconfig> @endsection (end of selection)
piconfig> @mode list (put database into list mode)
piconfig> @ostructure tag, dataowner, datagroup (define format of data printed to screen)
piconfig> @select tag=sinusoid (specify key to select)
piconfig> @endsection (end of selection)
SINUSOID,Operator1,OperationsGroup
Example: Changing Point Data Access Rights

The following example shows how to open the Point database, list the access rights for a tag, and change the rights.
piconfig> @table pipoint (open database)
piconfig> @ostructure tag, dataaccess (define format of data printed on screen)
piconfig> @select tag=sinusoid (specify key to select)
piconfig> @endsection (end of selection)
SINUSOID,o:rw g:rw w:rw
piconfig> @mode edit (put database into edit mode)
piconfig> @istructure tag, dataaccess (define format of incoming data)
piconfig> sinusoid, o:rw g:rw w: (enter access rights)
piconfig> @mode list (put database into list mode)
piconfig> @ostructure tag, dataaccess (define format of data printed on screen)
piconfig> @select tag=sinusoid (specify key to select)
piconfig> @endsection (end of selection)
SINUSOID,o:rw g:rw w:
Proxy Access
Processes that do not log in may only access objects that have world access privileges. For non-interactive programs, such as API programs, this can be a problem because they cannot gain access to the objects they need. The Advanced Historian solves this problem by allowing you to define a proxy in the Proxy database, Piproxy. A proxy maps an IP address or host name to a specific user account. Once the proxy is configured, access requests from a given IP address or host are granted the same rights that are assigned to the associated user account.

Example: Using Proxy Entries

The following example shows proxy entries for Olive and Grape, both in the domain nowhere.com. Client connections from Olive assume the rights of the user account piadmin; client connections from Grape assume the rights of the user account pidemo.
Applications explicitly logging in from nodes with a proxy account receive the privileges associated with the latest login. For example, assume the computer Olive is assigned a proxy login of piadmin. When an application, such as PI-ProcessBook, logs in, it overrides the implied login to piadmin. This override is true even if the login fails. NOTE: Failed logins result in default access.
The Proxy database contains the following fields. The primary key for the database is the Host field.

Table 1-4: Proxy Database Fields
Field Name       Contains...
Host             The name of the host or IP address. NOTE: The entire host and domain name are required. For example, olive.nowhere.com. Use the IP address if you are not sure of the exact host name.
Proxy Account    The name of the user account to use as a proxy.
piconfig> @select host=* (specify key to select)
piconfig> @endsection (end of selection)
127.0.0.1,piadmin (default proxy entry)
Notice that the host and domain name are required. You can find the host names by examining the System log using the Pigetmsg utility. The Network Manager logs the host name and IP address of all clients attempting to connect.
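To tie the point access-string examples (o:rw g:r w:r and the like) to the proxy mechanism, the following Python model is an added illustration, not code from the manual or the product: it parses access strings, resolves the effective user for a connecting host through a constructed Proxy table, and applies owner, group and world rights. The owner-then-group-then-world evaluation order, and treating a failed explicit login's "default access" as world-only access, are assumptions; the user, proxy and point records are constructed sample data.

```python
import re
from typing import Optional

ACCESS_RE = re.compile(r"^o:(r?w?)\s+g:(r?w?)\s+w:(r?w?)$")

def parse_access(spec: str) -> dict:
    """Parse an access string such as 'o:rw g:r w:' (owner / group / world)
    into sets of permitted operations ('r' and/or 'w')."""
    m = ACCESS_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad access string: {spec!r}")
    return {"owner": set(m.group(1)), "group": set(m.group(2)), "world": set(m.group(3))}

# Constructed sample tables modelled on the manual's listings (not real data):
# user -> groups, proxy host -> user account, and one point record.
USER_DB = {"piadmin": {"piadmin"}, "pidemo": {"piuser"}, "Operator1": {"OperationsGroup"}}
PROXY_DB = {"olive.nowhere.com": "piadmin", "grape.nowhere.com": "pidemo"}
POINT = {"tag": "SINUSOID",
         "ptowner": "jin", "ptgroup": "piadmin", "ptaccess": "o:rw g:r w:r",
         "dataowner": "Operator1", "datagroup": "OperationsGroup", "dataaccess": "o:rw g:rw w:"}

def effective_user(host: str, login: Optional[str] = None) -> Optional[str]:
    """Proxy resolution: an explicit login overrides the proxy mapping even
    when it fails. A failed login returns None, modelled here as default
    (world-only) access, which is an assumption."""
    if login is not None:
        return login if login in USER_DB else None
    return PROXY_DB.get(host)

def permitted(point: dict, which: str, op: str, user: Optional[str]) -> bool:
    """which is 'pt' (the point and its attributes) or 'data'; op is 'r' or 'w'.
    Assumed evaluation order: owner rights if the user owns the object,
    else group rights if the user belongs to its group, else world rights."""
    rights = parse_access(point[which + "access"])
    if user is None:
        return op in rights["world"]
    if user == point[which + "owner"]:
        return op in rights["owner"]
    if point[which + "group"] in USER_DB.get(user, set()):
        return op in rights["group"]
    return op in rights["world"]
```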