OPC Support
IT-CO recommended DCOM settings for OPC
Document Version: 2.1
Document Issue: 2
Document Date: 12 December 2003
Document Status: Final
Document Author: Renaud BARILLERE
Abstract
This document presents the DCOM settings recommended by IT-CO for the use of OPC servers at CERN on the NICE infrastructure.
This recommendation is based on a document [1] internally published by the OPC foundation. The procedure described hereafter has been used to install several OPC servers in laboratories and for production applications at CERN.
1 Pre-requisite
1. Operating Systems
In theory, OPC can be used on Windows 95, Windows 98, Windows NT and Windows 2000, but as it requires additional DLLs on operating systems other than WNT/W2000, we recommend installing W2000 if possible.
2. Privileges
In order to be able to set all the required DCOM properties, one has to be logged in as administrator.
3. OPC servers installations
The OPC servers have been installed on the PC. Although servers can be installed by any user having administrator privileges, we recommend installing them while logged in as the local administrator.
With the OPC DA v2.x specifications, it has been recommended to use the OPCEnum application to let OPC clients browse the available OPC servers. This application is usually provided with the COTS OPC servers; if not, the application is made available by the OPC foundation to all its members (CERN is one of them).
It is assumed that OPCEnum has been installed. It is not required that it is installed as a service. We will assume hereafter it has been installed as a standard application.
5. User groups
If several users are to be granted access rights to a given OPC server, we recommend creating a group of users. As it is, a priori, not possible for local administrators to create groups valid in the CERN domain, we suggest creating local groups. This obviously implies duplicating the group creation on all the PCs where the OPC server will be installed. The creation of local groups requires (usually?) administrator privileges.
2 Settings of the server PC
OPC security is fully based on DCOM security; therefore the default security settings selected for the OPC server and OPC client machines will affect all executables, irrespective of their link to OPC.
The principle of the recommended settings is to allow, by default, wide access to the executables installed on the PC and to restrict access to the critical OPC servers (i.e. the ones which allow access to actual devices).
For the procedure described below, it is mandatory to use the DCOM configuration tool: dcomcnfg.
2.1 Default permission
a. Start dcomcnfg:
Figure 1 DCOM setting window
Figure 2 Default properties
c. Validate by pressing the “Apply” button.
d. Select the “Default Security” tab:
Figure 3 Default security
e. Open the Default Access Permission window by pressing the corresponding “Edit Default” button and add the users appearing in the figure below. The administrator is that of the local machine.
Figure 4 Default access permission
f. Close the window by pressing the “Ok” button.
g. Open the Default Launch Permission window by pressing the corresponding “Edit Default” button and add the users appearing in the figure below. The administrator is that of the local machine.
Figure 5 Default launch permission
i. Open the Default Configuration Permission window by pressing the corresponding “Edit Default” button and add the users appearing in the figure below. The administrator is that of the local machine.
Figure 6 Default configuration permission
Read access may be enough for the user “Everyone”; this is to be confirmed.
j. Validate the choices by pressing “Apply” in the Default Security window (Figure 3).
k. Open the Default Protocols tab window; the selected protocols are the default ones. If
Figure 7 Default protocols
l. Validate the choices by pressing “Apply” in the Default Security window (Figure 3).
2.2 OPCEnum settings
Once these settings have been set, the settings of the OPCEnum application have to be prepared. OPCEnum is the application used by any OPC DA 2.0 client to browse the available OPC servers on the local machine.
The required settings are the default ones; one just has to check that they are equal to the ones described below. They are accessible by selecting the OPCEnum line in the main dcomcnfg window and pressing the “Properties” button.
Figure 14 OPCEnum protocol property
2.3 Specific OPC server settings
The settings of the specific OPC server have to be specified. The ones described here have been successfully tested with a lot of OPC servers. However, as these settings can be overridden from the source code of the server, it is not guaranteed that they will always work. To apply these settings, the line of the OPC server has to be selected in the main dcomcnfg window, and the “Properties” button pressed.
For the example below, we used the OPC server of Schneider, whose name is OPC Factory Server.
a. In the General tab, the default choice should be left for the authentication level.
Figure 15 OPC server general property
b. As the OPC server has been installed in the local machine, the location property has to be specified as described below.
Figure 16 Location property
c. For the security properties, the default settings will be overridden to restrict remote access to the defined users group (see 1 Pre-requisite):
Figure 17 Security property
Figure 18 Access property
e. The list of authorised users should be modified as described above; the defined group of users is the local “opc users” group.
f. Repeat the same actions for the Launch permission property.
Figure 19 Launch permission properties
Figure 20 Configuration permission
h. For the identity property, it is essential to select a given user. If “Launching” is selected, several OPC server instances can be created when different users try to connect. This is usually not possible if the OPC server instances require access to a given resource (e.g. a PC card). If “Interactive” is selected, the OPC server will not be able to start without an active user session. The selected user obviously has to be a member of the locally created group (here “opc users”).
i. For some OPC servers running under W2000, it is essential that the user account launching the server has local administrator privileges and is thus listed in the local administrator group. This user profile MUST also exist on the PC, which implies that the user has logged on at least once on this PC.
j. To include this account in the local administrator group right-click the mouse button on My Computer (Desktop) and select Manage.
k. The “Endpoint” property has to be left at the default.
Figure 24 “Endpoint” property
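An audit of steps c to h for one server, as an added example that is not part of the original document or of any OPC vendor tooling. It assumes PowerShell 5 or later on a current Windows host, reads the per-application values that dcomcnfg stores under HKEY_CLASSES_ROOT\AppID, and uses a placeholder AppID; the function names are hypothetical, and treating an “Everyone” entry on the server's own ACL as a finding is an interpretation of step c.

```powershell
# Added example. The AppID in the last line is a placeholder, not a real server's GUID.
function Get-DcomAclSummary {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { return $null }  # absent: machine defaults apply
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $ace.SecurityIdentifier.Value }                     # unresolved SID: report it raw
    }
    [pscustomobject]@{
        Sddl     = $sd.GetSddlForm('Access')
        Allowed  = @($allowed)
        Everyone = @($sd.DiscretionaryAcl | Where-Object {
            $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier.Value -eq 'S-1-1-0' }).Count -gt 0
    }
}

function Test-OpcServerDcom {
    param([Parameter(Mandatory)][string]$AppId)
    $key = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction Stop
    # RunAs absent = launching user (unless the server runs as a service);
    # "Interactive User" = interactive user; anything else = a named account.
    $identity = if (-not $key.RunAs) { 'Launching user' }
                elseif ($key.RunAs -eq 'Interactive User') { 'Interactive user' }
                else { "This user: $($key.RunAs)" }
    $findings = @()
    if ($identity -notlike 'This user*') {
        $findings += "Identity is '$identity'; step h asks for a named account."
    }
    $acls = [ordered]@{}
    foreach ($name in 'LaunchPermission', 'AccessPermission') {
        $acls[$name] = Get-DcomAclSummary ($key.$name)
        if (-not $acls[$name]) {
            $findings += "$name is not set on this server; the wide machine default applies."
        } elseif ($acls[$name].Everyone) {
            $findings += "$name still allows Everyone; step c restricts it to the users group."
        }
    }
    [pscustomobject]@{
        AppId    = $AppId; Identity = $identity
        Launch   = $acls.LaunchPermission; Access = $acls.AccessPermission
        Findings = $findings
    }
}

# Test-OpcServerDcom -AppId '{00000000-0000-0000-0000-000000000000}' | Format-List
```

An empty `Findings` list, with the local “opc users” group appearing in both `Allowed` lists, corresponds to the state the procedure aims for.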
3 Settings on the Client PC
In order to avoid conflicts when callbacks are sent from the server, the default “general” DCOM properties have to be set as on the server:
4 Options
It may be possible to specify that the OPC server has to be started at boot time, as an NT service.
5 Reference
[1] Demonstration Guidelines, 4th draft version, by the OPC foundation.
This document has been prepared using the SDLT Single File Template that has been prepared by the IPT Group (Information, Process and Technology), IT Division, CERN (The European Laboratory for Particle Physics). For more information, go to http://framemaker.cern.ch/.