PI Cloud Connect
Overview
Content
Product Overview
Sharing data with other corporations
Sharing data within your company
Architecture Overview
PI Cloud Connect and PI Cloud Services
How does PI Cloud Connect work?
Using the Customer Portal
PI Cloud Services
PI Cloud Connect
Supported AF Objects
Performance and Throughput
Best Practices
Security Overview
PI Cloud Connect Windows Azure Components
On-Prem Components Deployment
Overall data flow
Troubleshooting 101
Signing in the Customer Portal
Node deployment
Accessing PI AF
Product Overview
PI Cloud Connect is the first of a set of services delivered by OSIsoft that fall under the PI Cloud Services umbrella. PI Cloud Connect is a Cloud based Software as a Service (SaaS) offering managed by OSIsoft that allows you to share data between PI Systems.
Cloud based because the solution leverages components running in Windows Azure, the public Cloud offering from Microsoft
Managed by OSIsoft because we support, maintain and upgrade this service and all its components
PI Cloud Connect makes it easy to share data between PI Systems – both inside and outside your enterprise. You can publish data and grant access to other PI Cloud Connect users so that they can subscribe to that data. PI Cloud Connect secures and brokers communication between the publisher and subscriber, even when they are outside your organization.
PI Cloud Connect offers many advantages:
Solution maintained and managed by OSIsoft with minimal On-Prem¹ footprint
Scalable and reliable solution based on Windows Azure
Configuration and monitoring accessible through a Web-based Customer Portal that only requires a modern Web browser
Secure data sharing without requiring Virtual Private Networks (VPNs)
Seamless and simultaneous transfer of real-time data and meta-data from your PI AF structures; this allows asset models in the PI System to be transferred
Publish/subscribe architecture that supports one-to-many, many-to-one and many-to-many data exchanges, which advantageously replaces point-to-point connections
Sharing data with other corporations
In many situations, all partners in a business collaboration — such as joint ventures, contract manufacturers, expert service providers, and operations and maintenance companies — need access to production data. When all partners have access to the real-time data, each of them can plan ahead for equipment maintenance or for scheduling the delivery of critical components.
PI Cloud Connect provides all parties a secure way of sharing data between their respective PI Systems without having to deploy point-to-point VPNs in multiple scenarios:
In a joint venture — even though only one company usually operates the assets — all partners need access to the production data
To deliver the best service possible, partners and vendors who supply raw materials, equipment or expertise need access to the real-time data collected at the operations sites
Contract manufacturers, who manufacture products on behalf of other companies, need to expose the operation and quality data to those companies
Operations and Maintenance companies (O&M), Service Providers (SP), and Performance Analytic Vendors (PAV) also need access to the real-time data on site to provide expert knowledge about the efficiency and health of equipment such as pumps, compressors, generators or other components or additives that are critical to a certain process
1 On-Prem refers to components or deployments in situ (on site) as opposed to remote components or deployment such as in the Cloud.
Sharing data within your company
If you have a central PI System installed at your head office and other PI System instances deployed at operations' sites, you probably want to have a centralized view of your operations and make site-to-site comparisons. With PI Cloud Connect, sites that monitor assets and collect real-time data can publish their data so that your head office can subscribe to it.
Architecture Overview
PI Cloud Connect and PI Cloud Services
PI Cloud Services is the overall umbrella under which all OSIsoft Cloud based services are made available to customers. To simplify manageability, all the services are managed in one account. Besides PI Cloud Connect, the screenshot below shows other services that may be available in the future.
How does PI Cloud Connect work?
PI Cloud Connect is a Windows Azure hosted application that relies on a publish/subscribe mechanism to manage the data flow within and between accounts. Once they have signed up for the PI Cloud Connect service, users can sign in to the PI Cloud Connect Customer Portal to install the components required to securely and reliably connect their PI Systems and share data. Customers use the PI Cloud Connect Customer Portal to manage publications, subscriptions, users and nodes.
Data Sharing Workflow
On one hand, a publisher selects a set of data to include in a publication. A publication is configured by selecting a PI AF Element from any PI AF server that is accessible from a registered PI Connect node. A PI Connect node is a computer where the PI Connect components have been installed. The deployment of the PI Connect components is performed via the PI Cloud Connect Customer Portal.
Once a publication is configured, the publisher grants one (or more) PI Cloud Connect users access to that publication, and those users can then subscribe to it. To grant access to a publication, the publisher notifies one (or several) user(s) via email that they have access to the publication. The publisher needs to have a priori knowledge of the subscriber(s) contact information². Prior to using PI Cloud Connect for trans-enterprise data exchange, it is highly recommended that publishers and subscribers establish a business relationship to define the scope of the data exchange and share the contact information.
On the other hand, when users receive a notification (via email or directly in the Customer Portal) they can create a subscription associated with that publication. The association between a publication and a subscription is a contract between the publisher and subscriber that specifies what data is being shared.
When the configuration of the publication and the associated subscriptions is complete on both sides and the publication and the subscription are started, the exchange of data commences and continues until one of the parties decides to stop it.
Using the Customer Portal
PI Cloud Services
After signing in to your account, you access the landing page of the Customer Portal that presents all the services available. After selecting the PI Cloud Connect tile, you enter the PI Cloud Connect Portal.
2 For obvious privacy and accounts’ data isolation reasons, the Customer Portal does not expose information from one account to another account unless specified.
PI Cloud Connect
The user interface provides easy-to-use Web pages for managing your publications, subscriptions and nodes. In the following sections, we explain some of the tasks you can perform from these pages.
Activities Summary
The main page is the Activities Summary page that presents an overview of the publications, subscriptions and systems. You access each of these sections by clicking a tile or the corresponding option on the left-hand menu.
Publications
The Publications page lists all your publications: the ones created in your account by any of the users of that account as well as those you (or other users in your account) have been granted access to from other accounts. Note that publications from other accounts can only be seen by the user(s) who have been given access to these publications, not by all users of that account. Granting access to a publication is a user-based concept, not an account-based concept. Therefore, different users from the same account might see different publications listed in the Publications page.
From this page, you can:
create new publications
take specific actions when a publication is selected
o manage a publication (stop/start/delete)
o view details/subscribers
o subscribe to a publication
When you create a new publication, a wizard guides you through the steps required to configure that publication. Note that prior to creating a publication, a PI Connect node must be configured from the System page so that a data source (one or more PI AF Servers) is available. In the first step, the Wizard shows a list of the available AFserver.AFDatabase namespaces for each PI Connect node.
The list of namespaces can be sorted by Namespace, Node or Node User Account:
The Node User Account is the Windows account provided during the deployment of the PI Connect node for the Windows service which runs on the node under that account. More details are provided in the On-Prem deployment section of this document.
The Node column lists the name of each deployed PI Cloud Connect node
The Namespace column lists all AFServer.AFDatabase namespaces accessible from each Node and Node User Account
In the Publication Scope step, two options are available in the dropdown menu:
Select AF Elements
Select AF Templates
With the first option (Select AF Elements), the selected AF Element along with all its children AF Elements and associated real time data (AF Attributes mapped to PI Points) will constitute the publication scope. You should ensure the AF Elements in your publication contain only supported AF Objects, as described in the following section.
Note: If some AF Elements targeted by the publications are derived from AF Elements Templates, these AF templates will also be part of the publication.
The next step in the wizard allows you to retrieve historical data that is available prior to the time the publication is started. The value provided has to be an integer between 0 and 30 (both included). This setting only applies to the real time data associated with AF PI Points³ Data References.
The second option allows you to select AF Element Templates only. In that case, the scope of the publication is restricted to all the AF Element Templates of the AFserver.AFDatabase namespace selected during the previous step.
3 Only the most recent version of the AF Elements at the time of the publication start are included in the publication scope. The ‘history recovery’ doesn’t apply to AF Objects versions.
When the AF Templates option is chosen, the Publishing Options step has no configuration, since there is no real time data associated with AF Templates.
For either option (AF Elements or AF Element Templates), the next step is to define the publication name and its description (optional).
From the main Publication page, you can also select an existing publication and look at more detailed information about its status and the users who have been notified about and granted access to the publication.
From that page you can also grant users from other accounts access to your publication.
Note that for the publications that you've been granted access to by other accounts, the only possible option is to subscribe.
Subscriptions
The Subscription page lists your existing subscriptions and allows you to take specific actions when a subscription is selected. This page is similar to the Publication page but cannot be used to create new subscriptions. Subscriptions are created from the Publication page by subscribing to a publication.
When you create a new subscription, the same wizard used to create a publication guides you through the steps required to configure that subscription, except that there are no subscribing options step in the wizard. Note also that before creating a subscription, a PI Connect node must be configured from the System page so that a Destination System (one or more PI AF Servers) is available. It is recommended that each subscription targets a dedicated PI AF Database to avoid potential conflicts with multiple subscriptions targeting the same AF Database. Also, keep in mind that at least 1 element needs to exist in the PI AF Database before configuring a subscription into that PI AF Database.
User Accounts
User accounts are managed at the PI Cloud Services level and are shared across all services. At the moment, all users have the same role (administrator) in PI Cloud Connect. Therefore, no specific configuration is accessible at the service level. A redirection to the PI Cloud Services Launchpad is provided.
From the User Accounts page in the PI Cloud Services Launchpad, you can view a list of existing users and activate new users.
New users are added to an account by providing their First Name, Last Name and email address. Note that the email address provided does not have to be a Windows Live account. That email address is first used to send an activation email to the new user and then for future communication. However, during the activation process the user will have to use a valid Windows Live account or authenticate with Active Directory Federated Services (ADFS) to be authenticated and granted access to the Customer Portal.
When new users are added to an account, they have 48 hours to activate their account. Until the account is activated, the user's status is pending. It is possible to resend an activation email to a pending user who has 'missed' the 48-hour window for activation by selecting the Edit User menu.
System
The System page has two sections: Nodes and Download. The Nodes section lists the different On-Prem nodes where PI Connect components have been deployed. The status icon indicates whether the PI Connect node has an active connection with the Cloud components (heartbeat).
The Download section is used for deploying new nodes. That section lists software pre-requisites and provides access to download the setup kit for deploying a new PI Connect node.
Supported AF Objects
PI Cloud Connect currently supports the following AF Objects:
AF Elements
AF Element Templates
AF Enumeration Sets
AF Attributes configured with the following Data References:
o None (static values)
o PI Point
o Formula data references which reference attributes that have been published
AF Categories
The only fully supported AF Objects are those listed above. Here is a short list of the commonly used unsupported objects:
Table data references will only transmit the configuration string, meaning the tables would have to be transferred manually via another method, i.e. XML import / export.
AF Units of Measure
Attributes which reference other attributes (using the |Attribute format)
PI Analyses or PI Analyses Templates
PI Event Frames
Custom Data References
Custom AF Reference types
PI Point Arrays
PI Notifications
AF File data types
AF Transfers and Cases
Support for other AF Data types and objects may be added in the future.
Performance and Throughput
PI Cloud Connect can sustain a data transfer rate of approximately 2,000 events/sec per node⁴. When publishing or subscribing to data at a rate of 2,000 events/sec, 108 Kbytes/sec of network throughput will be utilized on a constant basis. As a comparison, average OSIsoft customers have data rates for their PI Interfaces of about 50 events/sec per 1,000 PI Points. Given an average customer, the bandwidth required per thousand (1,000) PI Points is approximately 2.7 Kbytes/sec. A subscriber will be able to create approximately 1,000 points in 1 hour on the initial startup.
4 If you are going to be close to 2,000 events/sec on your publishing PI System, the MaxUpdateQueue tuning parameter on the PI Data Archive should be set to 240,000.
Best Practices
This section is a quick overview of the best practices for using PI Cloud Connect.
Each subscription should target its own PI AF Database.
The hierarchy used for PI Cloud Connect should only contain supported AF Objects (see the above section on Supported AF Objects)
Limit the total events per second transmitted through a PI Connect node to approximately 2,000 events / sec.
Avoid potential circular publications and subscriptions. For example, in the scenario below you need at least 3 databases in order to publish AF Templates (1) from the Template AF Database, subscribing to the AF Templates into an AF Database (2) at the site, and then publishing the AF Elements from the site to the Corporate Asset Model AF Database (3). The AF Templates from Corporate located in the site AF Database (2) should not be modified. The AF Templates and AF Elements at the Corporate Asset Model AF Database (3) should not be modified either.
[Figure: site AF Databases (Palo Alto, Mountain View (2), San Jose, Cupertino, Waverly Park, San Francisco) exchanging publications and subscriptions through PI Cloud Connect with the Corporate AF Collective]
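The best practices above can be checked against a planned set of publications and subscriptions before anything is created in the Customer Portal. The following Python is an added example, not OSIsoft code: the function names, the plan format and every AFServer.AFDatabase, publication and node name are constructed for illustration.

```python
from collections import defaultdict

MAX_EVENTS_PER_SEC = 2000  # per-node guidance stated on this page


def find_cycles(graph):
    """Return cycles found by depth-first search, each as [a, b, ..., a]."""
    cycles, state = set(), {}

    def visit(node, path):
        state[node] = "visiting"
        path.append(node)
        for nxt in sorted(graph.get(node, ())):
            if state.get(nxt) == "visiting":      # back edge closes a loop
                loop = path[path.index(nxt):]
                k = loop.index(min(loop))         # rotate so duplicates collapse
                cycles.add(tuple(loop[k:] + loop[:k]))
            elif nxt not in state:
                visit(nxt, path)
        path.pop()
        state[node] = "done"

    for node in sorted(graph):
        if node not in state:
            visit(node, [])
    return [list(c) + [c[0]] for c in sorted(cycles)]


def check_plan(publications, subscriptions, node_event_rates):
    """Lint a planned deployment against the best practices listed above.

    publications:     {publication name: source AF database}
    subscriptions:    [(publication name, destination AF database), ...]
    node_event_rates: {PI Connect node name: expected events/sec}
    """
    findings = []
    targets = defaultdict(list)   # destination database -> publications landing there
    flows = defaultdict(set)      # source database -> destination databases
    for pub, dest in subscriptions:
        targets[dest].append(pub)
        if pub in publications:
            flows[publications[pub]].add(dest)
        else:
            findings.append(f"unknown-publication: {pub}")

    # Each subscription should target its own PI AF Database.
    for dest, pubs in targets.items():
        if len(pubs) > 1:
            findings.append(f"shared-target: {dest} receives {sorted(pubs)}")

    # Data must not flow back into a database it was published from.
    for cycle in find_cycles(flows):
        findings.append("cycle: " + " -> ".join(cycle))

    # Keep each node at or below roughly 2,000 events/sec.
    for node, rate in node_event_rates.items():
        if rate > MAX_EVENTS_PER_SEC:
            findings.append(
                f"throughput: {node} at {rate} events/sec exceeds {MAX_EVENTS_PER_SEC}")
    return sorted(findings)


# Constructed plan following the three-database scenario described above.
THREE_DB_PLAN = dict(
    publications={"corp-templates": "CORP-AF.Templates", "site-elements": "SITE-AF.Assets"},
    subscriptions=[("corp-templates", "SITE-AF.Assets"),
                   ("site-elements", "CORP-AF.AssetModel")],
    node_event_rates={"corp-node": 300, "site-node": 1200},
)
# Constructed plan that reuses the corporate asset model as the template source.
TWO_DB_PLAN = dict(
    publications={"corp-templates": "CORP-AF.AssetModel", "site-elements": "SITE-AF.Assets"},
    subscriptions=[("corp-templates", "SITE-AF.Assets"),
                   ("site-elements", "CORP-AF.AssetModel")],
    node_event_rates={"corp-node": 300, "site-node": 2500},
)

if __name__ == "__main__":
    for name, plan in (("three databases", THREE_DB_PLAN), ("two databases", TWO_DB_PLAN)):
        print(name, check_plan(**plan) or "no findings")
```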
Security Overview
PI Cloud Connect deploys several levels of security to keep your information secure and still allow users access to the data they need:
At the infrastructure level: PI Cloud Connect is managed by OSIsoft and our administrators take care of provisioning the infrastructure required for onboarding new accounts, updating information for existing accounts as well as upgrading the different components when new features or updates are available.
At the account level: an account represents a company, partner, or affiliate that has signed up for the PI Cloud Connect service. Each account has unique access to the Customer Portal with a URL of the form: https://accountname.picloudservices.com. Each account is fully isolated from other accounts. Users within an account do not know anything about other accounts or about other users belonging to other accounts.
At the sign-in level: to access PI Cloud Connect features, all users must sign in to their secure Customer Portal and are authenticated by an Identity Provider of their choosing⁵.
At the user level: When publishing data, the publisher decides which user has access to subscribe to the publication. This is done on a per user basis, not a per account basis.
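The per-user grant rule stated here and in the Publications section determines both what a user sees and what they may do with it. The following Python model is an added example, not the product's code: the class names, action labels, accounts and e-mail addresses are constructed, and it assumes users in the owning account have every action listed on the Publications page.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    email: str
    account: str


@dataclass
class Publication:
    name: str
    owner_account: str
    granted_users: set = field(default_factory=set)  # individual users, never whole accounts


OWNER_ACTIONS = {"start", "stop", "delete", "view details", "grant access", "subscribe"}
GRANTEE_ACTIONS = {"subscribe"}  # the only option on a publication from another account


def allowed_actions(user, pub):
    """Actions a user may take on a publication under the per-user grant model."""
    if user.account == pub.owner_account:
        return set(OWNER_ACTIONS)
    if user in pub.granted_users:
        return set(GRANTEE_ACTIONS)
    return set()


def visible_publications(user, publications):
    """Names listed on this user's Publications page."""
    return sorted(p.name for p in publications if allowed_actions(user, p))


def exposed_if_account_scoped(publications, users):
    """(publication, user) pairs that would gain access if grants applied to accounts."""
    extra = []
    for pub in publications:
        grantee_accounts = {u.account for u in pub.granted_users}
        for user in users:
            if user.account in grantee_accounts and not allowed_actions(user, pub):
                extra.append((pub.name, user.email))
    return sorted(extra)


# Constructed sample: one operator account publishing to a single vendor user.
ANA = User("ana@operator.example", "operator")
RAJ = User("raj@vendor.example", "vendor")
LEE = User("lee@vendor.example", "vendor")
PUBLICATIONS = [Publication("compressor-health", "operator", {RAJ})]

if __name__ == "__main__":
    for user in (ANA, RAJ, LEE):
        print(user.email, visible_publications(user, PUBLICATIONS))
    print(exposed_if_account_scoped(PUBLICATIONS, [ANA, RAJ, LEE]))
```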
Additionally, PI Cloud Connect is a reliable product designed to protect your information. The Web services used in Windows Azure as well as those exchanging information with On-Prem components are secured by the use of certificates or access tokens, and the Customer Portal uses HTTPS to encrypt communication. Plain HTTP Web sites send all communication in clear text, which anyone able to observe the traffic can read; HTTPS works in conjunction with Secure Sockets Layer (SSL) to encrypt all communication.
PI Cloud Connect Windows Azure Components
PI Cloud Connect leverages several components in Windows Azure such as Web roles for the Customer Portal, worker roles for queuing and transferring data, Windows Azure Service Bus for establishing secure connection between the Cloud and your premise and security components such as Microsoft Azure Access Control Service (ACS) which is a federation provider in the Cloud.
Internally, PI Cloud Connect uses Secure Sockets Layer (SSL) to secure all in-transit data. PI Cloud Connect authenticates calls between, for example, the Customer Portal (Web role) and Microsoft Azure ACS or from the Customer Portal to the worker roles. PI Cloud Connect also makes secure calls to your PI servers and PI AF servers by using "claims-aware" tokens. This allows the Windows Service that runs on your premises to map the claims-aware Security Token that it receives from PI Cloud Connect to a Windows Security Token on your premises. Then the call from PI Cloud Connect running in Windows Azure is forwarded to your PI AF server using that Windows Security Token to identify the user.
5 In this initial release, PI Cloud Connect supports Windows Live ID (Microsoft Account) and integration with Active Directory Federated Services (ADFS) as valid Identity Providers (IP).
Sign-in process
When you first sign in to the Customer Portal, it establishes a trust with Microsoft Azure ACS. ACS acts as a federation provider in the Cloud and facilitates authentication between an application and one or more identity providers. Here ACS facilitates authentication between the Customer Portal and one or more identity providers. When a user signs in using the identity provider(s) that has been configured for her Account, the ACS issues a Security Token for that user. This Security Token is used to make secure web service calls to the PI Cloud Connect server.
On-Prem Components Deployment
Deploying a new PI Connect node is managed via the Customer Portal. After downloading the installation kit, you can either proceed with the installation from the computer used to access the Customer Portal or deploy the setup kit on a different computer. Either way, the computer targeted as a PI Connect node must have an outbound connection to the Internet. The setup kit needs elevated Administrator privileges to install PI Connect.
These credentials are used to access the PI AF server(s) your data is read from or written to. This account is also the account used to create and populate the PI Points associated with a subscription when that subscription is associated with a publication scoping real time data. Because the account is used for accessing the PI AF Server and PI Data Archive, this account will need read access when publishing, and write access when subscribing with PI Cloud Connect. This is the account under which the PI Connect Windows service is running. If you need to modify anything related to this account or the PI Connect service after installation, please contact our support team at [email protected].
Note: Changing the Windows service credentials via the Services management console will not work properly and will make the PI Connect node dysfunctional. An uninstall and reinstall of PI Cloud Connect is required in order to change the service credentials.
Here is a summary of the attributes required for the Windows Service Account running the PI Connect service:
‘Log on as a Service’ privileges
Must have been used once to log on the computer
Must have access to both PI AF and the default PI Server Data Archive associated with PI AF
o To read the data targeted for a publication
o To write the data targeted for a subscription
When using a proxy server, that account should be able to communicate with the Internet via the proxy server.
The next step requires you to specify a name (pre-populated with the machine name) and description (optional) for the PI Connect node you are deploying. That name/description will be used in the Customer Portal.
Before the installation process is completed, you are asked for another set of credentials that are used to establish a one-time connection between the local Windows Service and Windows Azure via the Azure Service Bus. The picture below shows the login screen provided by Microsoft (Windows Live ID) when it is used as the Identity Provider to authenticate with PI Cloud Connect.
After installation is completed, the Windows Service that runs on your premises starts automatically and initiates an outbound connection from your premises to PI Cloud Connect running in the Cloud using the Service Bus Relay (which is part of Windows Azure services). The newly configured node should appear in the System/Nodes page of the PI Cloud Connect Customer Portal.
The use of certificates enables the Windows Service to be granted only least-privilege listen access to the Service Bus Relay. Similarly, PI Cloud Connect is granted permission only to send to the Service Bus Relay. This means that PI Cloud Connect can connect between Windows Azure and your premises without you needing to open additional ports in your firewall. Also, data and other information cannot flow in an unintended direction.
Overall data flow
The diagram below shows the data flow between the Windows Services running On-Prem and the Windows Azure Components of PI Cloud Connect leveraging the Azure Service Bus Relay.
Each account has its own dedicated Service Bus Endpoints for each of the PI Connect nodes deployed. Each account can deploy multiple nodes, each node being a publisher, a subscriber or both.
Troubleshooting 101
This section presents the most common issues customers are faced with when starting to use PI Cloud Connect. For more help and support, please contact us at [email protected].
Signing in the Customer Portal
This error message is provided when an authentication against a Windows Live account fails. This might happen in different circumstances:
You have not verified your e-mail address, please check your inbox for a signup verification email.
The Live ID account/password combination provided is invalid
Live ID credentials were cached in your Browser and you didn’t get explicitly presented with the Windows Live sign in page
Your Live ID credentials are valid but they are not associated with a user in PI Cloud Services
o You are not yet a user in PI Cloud Services for the account you are trying to access
o You used a different Live ID account when you activated your PI Cloud Services user account
If you are still having issues, please contact support at [email protected]
Node deployment
When deploying a new node, the setup kit might not be able to complete successfully. Please send us the error log at [email protected]. The Copy Errors button will copy the content of the error log to your clipboard to make it easy to paste it in your email.
Accessing PI AF
When creating or subscribing to a publication, the first step is to select a data source/destination from/to PI AF. This error message appears when it is not possible to reach out to your PI AF servers from the Customer Portal running in Azure. This may happen for several reasons:
No PI Connect nodes have been configured for your account
The PI Connect nodes are not reachable (validate the node's status icon)
o Communication between the Azure components and the On-Prem components is failing
o The PI Connect Windows Service is down
Connection between the PI Connect node and the PI AF server is failing
The service account for the PI Connect service does not have access to your PI AF Server and PI AF Database.
Accessing local log files
The PI Connect Windows service logs information about its operation. These logs are located in the %AppData%/OSIsoft/logs folder for the user account under which the PI Connect Windows service is running. When suspecting a problem with PI Cloud Connect on a specific PI Connect node, please send us these log files at