Mobile Equipment Monitoring

Getting communication data

The OBD2 Protocol

CAN Bus

Caterpillar Equipment

OPC UA

- OPC UA Local Discovery is a service provided by the OPC Foundation which lists all the OPC UA servers on a machine. It listens on port 4840
- OPC UA security has several message security modes:
     - 1: No Security. The messages are neither signed nor encrypted
     - 2: With Security. The messages are signed but not encrypted
     - 3: With Security. The messages are signed and encrypted
    
     So what does this mean?
     - The OPC UA specification allows all these types of communication. Yes, including 'no security'!
     - However, the OPC UA server determines which ones are allowed.
     - When a client connects to an OPC UA server, it can request which security level it wants to connect with.
     - If 'No security' is used, this means:
         - There is no encryption
         - NO SSL CERTIFICATE IS NEEDED. The client does not need to present a cert
         - The server will accept all clients (it will not verify the SSL cert)
- When an SSL cert is required, OPC UA requires that the cert is validated.
     - A Thumbprint is a unique id calculated by hashing the contents of the cert with SHA-1. It has 40 hex characters
     - Validation is based on the Subject Name, which should be in the form 'DC=ComputerName,CN=ProgramName'. DC is distinguished name, CN is Common Name
- A client will need to scan the OPC UA server and determine which security policies it implements. The OPC UA security policies are:
     - http://opcfoundation.org/UA/SecurityPolicy#None
     - http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15 (Obsolete)
     - http://opcfoundation.org/UA/SecurityPolicy#Basic256 (Obsolete)
     - http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 [B]
     - http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep [A]
- OPC UA also allows authentication, typically against a Windows username and password.
- In the OPC UA tree, each item is called a NODE. A Node can be one of the following types; these are NODE TYPES (sometimes referred to as Node CLASS)
     - Object = 1,
         - AN OBJECT IS A BRANCH (YOU CANNOT SUBSCRIBE TO IT)
     - Variable = 2,
         - A VARIABLE CAN BE SUBSCRIBED TO. IT CAN ALSO BE A BRANCH
     - Method = 4,
         - A METHOD CAN BE CALLED
     - ObjectType = 8,
     - VariableType = 16,
     - ReferenceType = 32,
     - DataType = 64,
     - View = 128,
- Each Node, regardless of its type, has attributes. The following attributes must exist in all node types:
     - NodeId - Uniquely identifies a Node in an OPC UA server and is used to address the Node in the OPC UA Services
         - In OPC UA the NodeId is rather confusing. In OPC Classic the item id is a plain string; in OPC UA the NodeId is structured, and it first
         - Starts with a NameSpace Index
             - A value between 0-65535 (UShort)
             - Normally the Namespace index is zero (meaning no namespace)
         - The actual ID, which can be of 4 types:
             - Numeric = 0 (Unsigned 32-bit integer, ranging from 0 to about 4 billion)
             - String = 1
             - Guid = 2 (A specific guid)
             - Opaque = 3 (An Array of bytes)
         - Fully Qualified Name
             - Since this naming can be complicated, it is common to use a combined name which will look like the following:
                 - ns=<namespaceIndex>;<identifiertype>=<identifier>
                 - Identifier type can be:
                     - i    NUMERIC (UInteger)
                     - s    STRING (String)
                     - g    GUID (Guid)
                     - b    OPAQUE (ByteString)
             - Specifying the Fully Qualified Name seems to be the common practice for OPC UA connectivity
     - NodeClass - An enumeration identifying the NodeClass of a Node such as Object, Variable or Method
     - BrowseName - Identifies the Node when browsing the OPC UA server. It is not localized
     - DisplayName - Contains the name of the Node that should be used to display the name in a user interface
- Nodes may have some additional attributes
     - The Variable Node Type must additionally have the following attributes
         - Value - The actual value of the Variable. The data type of the value is specified by the DataType, ValueRank, and ArrayDimensions Attributes
         - DataType - DataTypes are represented as Nodes in the Address Space. This Attribute contains the NodeId of such a Node and thus defines the DataType of the Value Attribute
         - ValueRank - Identifies if the value is an array and, when it is an array, allows specifying the dimensions of the array
         - AccessLevel
             - A bit mask indicating whether the current value of the Value Attribute is readable and writable as well as whether the history of the value is readable and changeable
             - Readable = 1,
             - Readable | Writable = 3
         - UserAccessLevel - Contains the same information as the AccessLevel but takes user access rights into account       
     - The Attributes have attribute IDs
         - 1 = NodeId
         - 2 = NodeClass
         - 3 = BrowseName (A non-localized, human readable name for the node)
         - 4 = DisplayName (A localized, human readable name for the node)
         - 5 = Description (A localized description for the node)
         - 6 = WriteMask (Indicates which attributes are writeable)
         - 7 = UserWriteMask (Indicates which attributes are writeable by the current user)
         - 8 = IsAbstract (Indicates that a type node may not be instantiated)
         - 9 = Symmetric (Indicates that forward and inverse references have the same meaning)
         - 10= InverseName (The browse name for an inverse reference)
         - 11= ContainsNoLoops (Indicates that following forward references within a view will not cause a loop)
         - 12= EventNotifier (Indicates that the node can be used to subscribe to events)
         - 13= Value (The value of a variable) <== MOST IMPORTANT!!!
         - 14= DataType (The node id of the data type for the variable value)
         - 15= ValueRank (The number of dimensions in the value)
         - 16= ArrayDimensions (The length for each dimension of an array value)
         - 17= AccessLevel (How a variable may be accessed)
         - 18= UserAccessLevel (How a variable may be accessed after taking the user's access rights into account)
         - 19= MinimumSamplingInterval (Specifies (in milliseconds) how fast the server can reasonably sample the value for changes)
         - 20= Historizing (Specifies whether the server is actively collecting historical data for the variable)
         - 21= Executable (Whether the method can be called)
         - 22= UserExecutable
         - 23= DataTypeDefinition (Provides the metadata and encoding information for custom DataTypes)
         - 24= Permissions (The permissions available for the node)
         - 25= UserPermissions (The subset of permissions available for the current user)
         - 26= RolePermissions (The permissions granted to roles)
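The NodeId string form and the security modes and policies listed above, worked as code. This is an added example, not part of the original notes and not OPC Foundation or vendor code; the function names, the sample NodeIds, the endpoint tuple layout and the sample endpoint list are constructed for it. It parses the fully qualified "ns=<namespaceIndex>;<identifiertype>=<identifier>" form with range checks, picks the strongest endpoint a server offers while refusing the 'no security' mode and the obsolete policies, and computes the 40-character SHA-1 thumbprint mentioned above.

```python
# Added example (not from the original notes): NodeId string parser, endpoint
# chooser that rejects MessageSecurityMode None and obsolete policies, and the
# SHA-1 certificate thumbprint. Names, sample NodeIds and endpoints are constructed.
import base64
import hashlib
import re
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ID_TYPES = {"i": 0, "s": 1, "g": 2, "b": 3}      # IdType: Numeric, String, Guid, Opaque
NODEID_RE = re.compile(r"^(?:ns=([0-9]+);)?([isgb])=(.*)$", re.DOTALL)
Identifier = Union[int, str, uuid.UUID, bytes]


@dataclass(frozen=True)
class NodeId:
    namespace: int          # namespace index, 0..65535 (UInt16)
    id_type: int            # IdType enumeration value
    identifier: Identifier


def parse_node_id(text: str) -> NodeId:
    """Parse a NodeId string, validating the namespace and identifier ranges."""
    m = NODEID_RE.match(text)
    if not m:
        raise ValueError(f"not a NodeId string: {text!r}")
    ns_text, kind, raw = m.groups()
    namespace = int(ns_text) if ns_text is not None else 0   # "ns=" omitted means 0
    if namespace > 0xFFFF:
        raise ValueError(f"namespace index exceeds UInt16: {namespace}")
    value: Identifier
    if kind == "i":
        if not re.fullmatch(r"[0-9]+", raw):
            raise ValueError(f"numeric identifier must be unsigned: {raw!r}")
        value = int(raw)
        if value > 0xFFFFFFFF:
            raise ValueError(f"numeric identifier exceeds UInt32: {value}")
    elif kind == "s":
        value = raw                                   # any string, may be empty
    elif kind == "g":
        value = uuid.UUID(raw)                        # ValueError if malformed
    else:
        value = base64.b64decode(raw, validate=True)  # opaque = base64 ByteString
    return NodeId(namespace, ID_TYPES[kind], value)


def is_valid_node_id(text: str) -> bool:
    try:
        parse_node_id(text)
        return True
    except ValueError:
        return False


# MessageSecurityMode values from the notes: 1 = None, 2 = Sign, 3 = SignAndEncrypt
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
PREFERRED_POLICIES = [POLICY_PREFIX + "Aes128_Sha256_RsaOaep",   # [A]
                      POLICY_PREFIX + "Basic256Sha256"]          # [B]
REJECTED_POLICIES = {POLICY_PREFIX + "None",
                     POLICY_PREFIX + "Basic128Rsa15",            # obsolete
                     POLICY_PREFIX + "Basic256"}                 # obsolete
Endpoint = Tuple[str, int, str]   # (url, message security mode, security policy URI)


def endpoint_score(ep: Endpoint) -> Optional[int]:
    """Higher is better; None means the endpoint must not be used."""
    _url, mode, policy = ep
    if mode != MODE_SIGN_AND_ENCRYPT or policy in REJECTED_POLICIES:
        return None
    if policy in PREFERRED_POLICIES:
        return len(PREFERRED_POLICIES) - PREFERRED_POLICIES.index(policy)
    return 0   # signed+encrypted with a policy the notes do not list: allowed, least preferred


def choose_endpoint(endpoints: List[Endpoint]) -> Optional[Endpoint]:
    """Best acceptable endpoint, or None when the server only offers weak ones."""
    scored = [(endpoint_score(ep), ep) for ep in endpoints]
    acceptable = [(s, ep) for s, ep in scored if s is not None]
    return max(acceptable, key=lambda pair: pair[0])[1] if acceptable else None


def cert_thumbprint(der_bytes: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate: 40 hex characters."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


# Constructed sample: a server advertising an insecure, an obsolete and an acceptable endpoint.
SAMPLE_ENDPOINTS: List[Endpoint] = [
    ("opc.tcp://plc-sim.example:4840", MODE_NONE, POLICY_PREFIX + "None"),
    ("opc.tcp://plc-sim.example:4840", MODE_SIGN, POLICY_PREFIX + "Basic128Rsa15"),
    ("opc.tcp://plc-sim.example:4840", MODE_SIGN_AND_ENCRYPT, POLICY_PREFIX + "Basic256Sha256"),
]

if __name__ == "__main__":
    print(parse_node_id("ns=2;s=Channel1.Device1.Tag1"))
    print(choose_endpoint(SAMPLE_ENDPOINTS))
```

choose_endpoint() returns None rather than silently falling back when a server only advertises 'None' or an obsolete policy; a client that instead takes whatever the server offers is exactly how the 'no security' mode ends up in production.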

Networking

NETWORKING GENERAL

  • Networking is the practice of linking two or more computing devices together for the purpose of sharing data
  • Size Classification
    • LAN
    • MAN
    • WAN
  • Topology Classification
    • BUS
      • Simplest type of network
      • Shares a common cable/bus
      • Example
    • STAR
      • Most Common
      • Uses Switch, Hub or Computer
    • RING
  • Protocol Casting Classification
    • How a computer communicates with others based on a protocol
    • Types
      • Unicast
        • 1-to-1
        • Example
          • TCP, SMTP
      • Broadcast
        • 1-to-All
        • Example
      • Multicast
        • 1-to-Many
        • Example
          • IGMP, PIM
    • Is determined by the Communication Protocol
  • The OSI Model
    • Layers as referred to by the OSI model
      • Layer 1 – Physical
      • Layer 2 – Data Link
      • Layer 3 – Network
      • Layer 4 – Transport
      • Layer 5 – Session
      • Layer 6 – Presentation
      • Layer 7 – Application
    • Comparison with TCP Model
      • image

 

NETWORKING DEVICES

NETWORK ROUTING

LOCAL AREA NETWORKS

ANTI VIRUS

WSUS (Windows Server Update Services)

OPC

  • OPC previously stood for “OLE for Process Control”; now OPC is just a brand name, with the tagline “Open Productivity & Connectivity”.
  • Physically, OPC is just a standard, i.e. a document
  • From the document, it is common that a DLL is produced which allows third party applications to connect to the OPC server using the DLL. Vendors typically publish their own DLL. However, it is most common to use the official OPC Foundation DLL, which can be downloaded from their website. Take note of some precautions:
    • Before attempting to download stuff from OPC Foundation, it is important to understand the following terminologies
      • In COM, a proxy/stub is the code used to marshal data across boundaries like process boundaries or apartment boundaries
      • A merge module is a special kind of Windows Installer database that contains the components needed to install a discrete software bundle
    • However, the OPC Foundation has poor documentation and it is very difficult to get questions answered
    • It is always best to use vendor DLLs, the famous one being the Matrikon Automation DLL. The file is called ‘OPCDAAuto.dll’
  • The key elements for OPC transmission are
    • Secure
    • Reliable
    • Vendor Neutral
  • History of OPC
    • The first standard, simply called “OPC Specification” was developed in 1996 by a collaboration task force consisting of various automation vendors and Microsoft.
      • Uses Microsoft COM and DCOM
      • The idea came about because each hardware/DCS manufacturer needed to create its own driver to interface with Windows, and third party software developers had to write a different application interface for each separate driver
      • The OPC Specification was later named “OPC Data Access 1.0 Specification”, commonly known as “OPC DA”
    • OPC AE (Alarm and Events) standard was first released in 1999.
    • OPC DA 2.0 Specification (specifically OPC DA 2.05a) was released in 2002
      • Still uses COM and DCOM
    • OPC DA 3.0 Specification was released in 2003
      • Still uses COM and DCOM
      • Technology wise not much changes, just added more software specifications in it
    • The most common OPC standard used worldwide is OPC DA 2.05. If someone says ‘I’m using OPC’, what he really means is that he’s using OPC DA 2.05. OPC DA 3.00 just adds some new features in it which is not so much difference with DA 2.05
    • image
  • The backwards compatibility of OPC is not guaranteed. In the following scenarios both may or may not work
    • An OPC DA 1.00 Client communicating with OPC DA 3.0 Server
      • This should be okay in general, as long as the vendor of the OPC DA 3.0 Server implements handlers for OPC DA 1.00 clients
      • However, there is no guarantee that an OPC DA Server vendor chooses to do so.
    • An OPC DA 3.00 Client communicating with OPC DA 1.0 Server
      • This may not work if the OPC DA 3.0 client uses special function not implemented by OPC DA 1.0 Server.
      • In this typical scenario, the client should mention which OPC DA version it supports
  • The purpose of OPC is to provide a standard mechanism for communicating numerous data sources for the process industry
  • OPC is considerably fast. Tests have been done by OPC Foundation
    • In a nutshell, the speed is
      • A server can serve up to 50,000 tags/s, each tag being a floating point (8 bytes) = 400 KB/s
      • Standard Ethernet network speed can go up to 1.2 MB/s, therefore OPC would be no issue. However, nowadays people use Fast Ethernet (100Base-TX) which transfers at 12 MB/s
    • The test was done by the OPC Foundation
      • On Rockwell software using Pentium 266 Computers (5 Client, 1 Server) at ~500Mhz Processing Speed
      • Each Client added 10,000 Tags and requested the server to update the tag at 250ms per item. All data were changing to simulate a worst case scenario
      • The result was the server able to update 200,000 items per second
      • At average the update speed is
    • It is to note that even though OPC itself is fast, the underlying hardware system it communicates with may not be fast enough to give the actual update. For example, the Yokogawa FCSs can only serve around 2000 items per second. If the OPC server requests more, some of the update cycles may drop out and the OPC server publishes the same items again and again.
  • OPC UA is the latest technology of the OPC Foundation
    • The key difference of OPC UA is
      • Based on SOA (Service Oriented Architecture). No longer based on DCOM
      • Platform Independence
    • Characteristics of OPC UA
      • Uses an Optimized TCP-based UA binary protocol.
      • A single port is sufficient
      • 3 Components (AE, DA,HDA) combined into 1 component
    • OPC UA Security
      • Based on WWW concept
      • Encompasses
        • User authentication
        • Signing of Messages
        • Data Encryption
    • OPC UA Reliability
      • Automatic Error Detection
      • Communication can be monitored
      • Redundancy

WINDOWS FILE SHARING

  • Two computers on two different domains/workgroups can talk to each other if the same local user with the same password exists on each of them
  • To share files remember there are TWO (NOT ONE) PERMISSIONS THAT NEED TO BE GIVEN
    • File Sharing PERMISSION
    • Security ACCESS PERMISSION
  • Both exist on two different tabs in the folder property

COM (Component Object Model)

  • COM is used to create objects in Visual Studio
  • To use a COM DLL, it must first be registered in the Windows registry using the command prompt
    • Regsvr32 [DLL File Name]
  • To uninstall the DLL, simply
    • Regsvr32 [DLL File Name] /u
  • Once registered, one can invoke the COM object from VBScript using the CreateObject method
    • Set ObjVar = CreateObject("Matrikon.OPC.Automation")
  • Before that, if you don’t know the COM name (ProgID), you can search for it in the Windows registry
    • Open RegEdit from Start > Run
    • Find/search the data for the DLL file name
    • If you find a folder called ProgID, open it and the name of the COM object will be displayed there

  image

Troubleshooting OPC DCOM

  • First do a Network Check
    • Check if the machines can ping each other
    • Check if the machines can telnet to each other on port 135
      • If telnet does not exist, use PuTTY
    • Check network status as well (using netstat -an)
  • Next do a User Authentication check
    • Find what user the OPC Client is running as
      • This can easily be checked by checking the task manager
    • Make sure this user exists on the OPC Server machine and the passwords match
      • It doesn’t matter if the users are in different domains, as long as the username and password match, it works. E.g. Localhost\Administrator = DomainABC\Administrator
      • To check password use windows right click ‘runas’
    • Find what user the OPC Server is running as
      • This is harder to check as one needs to know the exact process the OPC server is running
      • Yokogawa ExaOPC/HISOPC Server run as ‘CTM_PROCESS’. This account needs to be created using the Create CTM Process Tool
    • Make sure the user exists on the OPC Client machine and the passwords match
      • To check password use windows right click ‘runas’
  • Finally do a system-wide DCOM check (dcomcnfg) on both OPC Client and OPC Server
    • Under Default Properties
      • Check if DCOM is enabled
      • Check Default Authentication is either ‘None’ or ‘Connect’
      • Check Default Identification level is ‘Identify’. ‘Impersonate’ and ‘Delegate’ are ok but not secure
    • Under Default Protocols
      • Check the port ranges are set there. If there are any set, make sure those ports are open.
      • If any ports are set make sure ‘Internet Range’ is used
      • After setting a port, a computer restart is required.
    • Under COM Security
      • Under Access permission Edit Limits make sure Anonymous Logon is Set (This is usually set, if not, your windows won’t work!)
      • For Access permission Edit Default, Launch Activation Edit Limit and Launch Activation Edit Default ==> Usually this should be left as is.
        • But if you want to open DCOM security wide open, just add ‘Everyone’ and ‘Anonymous Logon’ as this covers everything (SYSTEM, GUEST, INTERACTIVE, NETWORK and SELF are included in EVERYONE)
        • Everyone includes GUEST, which is normally turned off anyway. But if you don’t want to include guest, use ‘AUTHENTICATED USERS’ which is EVERYONE minus GUEST
    • After any changes on the Server machine, make sure to restart the OPC Server service and OPCEnum. One does not need to restart the entire server.
      • Some OPC servers do not need to be restarted…  I HAVE YET TO VERIFY THIS.
  • Check OPC Components
    • Install OPC Redistributables
  • Check OPCEnum
    • On the Server, OPCEnum DCOM Authentication Level is ‘None’. Restart OPCEnum service after changing this
    • On the Client, Anonymous Access is set in Default Access Permission.
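The network check from the troubleshooting steps above, as code. This is an added example, not part of the original notes: tcp_port_open() does what the telnet-to-135 step does (completes a TCP handshake), and the rest parses 'netstat -an' output and reports which TCP listeners fall inside or outside a configured DCOM port range, so the firewall rule can be compared with what is actually open on the box. The netstat sample text, the 5000-5020 range and all function names are constructed for this example.

```python
# Added example (not from the original notes): TCP reachability check for the
# RPC endpoint mapper and a 'netstat -an' parser that groups listening ports by
# whether they sit in the configured DCOM range. Sample netstat text is constructed.
import re
import socket
from typing import Dict, List, Tuple

EPMAP_PORT = 135   # RPC endpoint mapper: the port the notes say to telnet to first

# One row of Windows 'netstat -an':  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, no route
        return False


def listening_tcp_ports(netstat_output: str) -> List[int]:
    """Local TCP ports in LISTENING state, deduplicated across IPv4 and IPv6 rows."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        if m and m.group(1) == "TCP" and m.group(6) == "LISTENING":
            ports.add(int(m.group(3)))
    return sorted(ports)


def dcom_listener_report(netstat_output: str, dcom_range: Tuple[int, int]) -> Dict[str, object]:
    """Split listeners into the endpoint mapper, the configured DCOM range, and everything else."""
    lo, hi = dcom_range
    ports = listening_tcp_ports(netstat_output)
    return {
        "epmap_listening": EPMAP_PORT in ports,
        "in_dcom_range": [p for p in ports if lo <= p <= hi],
        "outside_dcom_range": [p for p in ports if p != EPMAP_PORT and not lo <= p <= hi],
    }


# Constructed sample of 'netstat -an' on an OPC server host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5002           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:22008          0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    192.168.1.10:135       192.168.1.20:51234     TIME_WAIT
  TCP    192.168.1.10:22008     192.168.1.20:51240     ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    print(dcom_listener_report(SAMPLE_NETSTAT, (5000, 5020)))
```

A listener such as 22008 in the "outside_dcom_range" list on the OPC server host means the dynamic port range has not actually been applied (the notes say a restart is required after setting it), so a firewall rule limited to 135 plus the configured range will not let that server's callbacks through.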

OPC DCOM

  • MOST of the difficulties surrounding OPC is due to DCOM
  • DCOM stands for “Distributed Component Object Model”
  • How does OPC relate to DCOM?
    • OPC is based on Microsoft’s Component Object Model (COM) technology.
    • Remote connectivity is accomplished using Distributed COM (DCOM), which contains a Security Layer.
    • DCOM Security is used to determine which users have Access and Launching rights in DCOM-enabled applications on either the local PC or on PCs in the local network/domain.
    • DCOM depends on Remote Procedure Calls (RPC) for remote connections. Any connection made to applications running under different accounts on a local PC is treated as a remote procedure call. This is important to remember when configuring the security settings.
    • DCOM was intended for use in domains, in which it is much easier to configure and manage connectivity. When connecting between Workgroup PCs or Domain and Workgroup PCs, the process becomes much more difficult.
  • It is a proprietary Microsoft technology for communication among software components distributed across networked computers
  • For example, one can create a program that has certain subroutines that are processed not locally but on another server in the network. Using DCOM interfaces, the program (now acting as a client object) can forward a Remote Procedure Call (RPC) to the specialized server object, which provides the necessary processing and returns the result to the program.
  • DCOM in Windows Registry
    • In any system, every COM Object is listed in
      • HKEY_CLASSES_ROOT\
        • The OPC Address should be listed here.
        • In here reference to the CLSID should be given
    • Each com object will have a CLSID, which is listed under:
      • HKEY_CLASSES_ROOT\CLSID\
        • In here one will see a list of all the COM object IDs. These IDs are GUIDs, which are randomly generated IDs.
        • A reference to the AppID will also be given here
        • The AppID is DCOM’s: apart from a CLSID, a COM object also has an APPID. The APPID represents a security setting which one configures using the DCOMCNFG tool. One APPID can be shared by multiple CLSIDs
          • The APPIDs are all listed under HKEY_CLASSES_ROOT\AppID
            • In here all the APPID GUIDs will be listed
  • OPCEnum
    • is used to browse a particular machine.
      • OPC Enum is installed on the OPC Server. The remote client first connects to OPC Enum to browse all available OPC Servers.
      • NOTE: SOMETIMES IT IS NECESSARY FOR THE OPC CORE COMPONENTS REDISTRIBUTABLE TO BE INSTALLED ON THE CLIENT MACHINE AS WELL FOR OPC BROWSE TO WORK. This is probably because the client needs some of the OPC Components to work.
    • OPC Enum Can be downloaded from the OPC Foundation Website. It is called ‘OPC Core Components Redistributable’. There is x86 and x64 versions.
    • OPCEnum runs as a service, hence uses the ‘Local System Account’
    • When OPCEnum initiates a callback, the callback request comes as ‘Anonymous’, therefore ‘ANONYMOUS LOGON’ needs to be allowed on the CLIENT MACHINE. OPCENUM needs to have its AUTHENTICATION LEVEL SET to ‘NONE’
  • For OPC DCOM, some clients do not use OPC Enum. In this case, the OPC’s CLSID need to be manually added in the client machine
    • Below is example of a registry file (This needs to be copied and added to a .reg file)
        REGEDIT4
        [HKEY_CLASSES_ROOT\AppID\{F8582CF2-88FB-11D0-B850-00C0F0104305}]
        @="MatrikonOPC Server for Simulation and Testing"

        [HKEY_CLASSES_ROOT\CLSID\{F8582CF2-88FB-11D0-B850-00C0F0104305}]
        @="MatrikonOPC Server for Simulation and Testing"
        "AppID"="{F8582CF2-88FB-11D0-B850-00C0F0104305}"

        [HKEY_CLASSES_ROOT\CLSID\{F8582CF2-88FB-11D0-B850-00C0F0104305}\ProgID]
        @="Matrikon.OPC.Simulation.1"

        [HKEY_CLASSES_ROOT\Matrikon.OPC.Simulation.1]
        @="MatrikonOPC Server for Simulation and Testing"

        [HKEY_CLASSES_ROOT\Matrikon.OPC.Simulation.1\CLSID]
        @="{F8582CF2-88FB-11D0-B850-00C0F0104305}"
    • Below is another example, this is for connecting to Yokogawa HIS OPC for Centum CS3000
        REGEDIT4
        [HKEY_CLASSES_ROOT\Yokogawa.CSHIS_AE.1]
        @="Yokogawa CSHIS OPC Alarms & Events Server"

        [HKEY_CLASSES_ROOT\Yokogawa.CSHIS_AE.1\CLSID]
        @="{21FF9972-DE40-11D1-B324-00A024770B10}"

        [HKEY_CLASSES_ROOT\CLSID\{21FF9972-DE40-11D1-B324-00A024770B10}]
        @="Yokogawa CSHIS OPC Alarms & Events Server"
        "AppID"="{21FF9972-DE40-11D1-B324-00A024770B10}"

        [HKEY_CLASSES_ROOT\CLSID\{21FF9972-DE40-11D1-B324-00A024770B10}\ProgID]
        @="Yokogawa.CSHIS_AE.1"

        [HKEY_CLASSES_ROOT\AppID\{21FF9972-DE40-11D1-B324-00A024770B10}]
        @="Yokogawa CSHIS OPC Alarms & Events Server"
        "RunAs"="CENTUM"
        "AuthenticationLevel"=dword:00000001

      • Tested to work ==> The RunAs and AuthenticationLevel may be omitted
  • The APPID configurations are stored in a registry key
    • [HKEY_CLASSES_ROOT\AppID\{<AppID>}]
  • Individual CLSIDs are mapped to their corresponding APPID in the Windows registry
    • [HKEY_CLASSES_ROOT\CLSID\{<clsid>}]
    • "AppID" = "{<appid>}"
  • OPC ERROR CODES
    • OPC will give error codes, this will be given out by the client (in client logs, popup and etc). The common client codes are as follows:
      • 0xC0042329 : This means the OPC’s maximum connection has exceeded
  • DCOM Firewall Requirements
    • When a computer wishes to host a DCOM service, it needs to allow inbound TCP port 135
    • The computer will then dynamically allocate secondary inbound ports for communication. The client will connect to these inbound ports.
    • Due to this, for DCOM to work TCP port 135 plus all the dynamically allocated ports need to be allowed through the firewall
    • This is typically done by either
      • Allowing only the OPCEnum and OPCServer programs to communicate with unrestricted firewall port range
      • Limiting the dynamically allocated DCOM ports. This can be done in windows dcomcnfg window
        • From the Start menu, point to Programs, point to Administrative Tools, and then click Component Services to start Component Services.
        • Click to expand the Component Services and Computers nodes. Right-click My Computer, and then click Properties.
        • On the Default Protocols tab, click Connection-oriented TCP/IP in the DCOM Protocols list box, and then click Properties.
        • In the Properties for COM Internet Services dialog box, click Add.
        • In the Port range text box, add a port range (for example, type 5000-5020), and then click OK.
        • Leave the Port range assignment and the Default dynamic port allocation options set to Internet range.
        • Click OK three times, and then restart your computer.
    • The following shows TCPView for OPC Server Connections
      • image
      • Port 135 is only used for initial connection. It will be disconnected once it’s finished
    • The following shows TCPView when 2 Machines are connected to the OPC Server
      • image
      • It is to note here that for the OPC Server, DCOM has allocated only one inbound port (22008) for both connections. A second port (22007) is allocated for OPCEnum. We can conclude here that the port allocation is specific to each process. Theoretically, it should work if only 2 ports are allowed in DCOMCNFG, hence reducing the hole in the firewall. However, it is best to set it to five ports (1 for OPCEnum and 4 for OPC Server). The reason is that this is recommended by most vendors; even though the current OPC Server only needs 1 dynamically allocated port, we are not sure what will happen in future releases.
  • DCOM Configuration Basics
    • It is important to note that after any configuration change to a DCOM object, the DCOM application or service needs to be restarted before the change takes effect.
    • Every time you add a user to a group, you need to either:
      • Log in using that user so that the User Profile gets registered into that group
      • Restart the machine
  • DCOM Configuration Steps for OPC
    • image 
    • image
    • image
    • The ‘Enable Distributed COM’ check box allows one to completely disable DCOM on a machine.
    • Default Authentication Level
      • Generally, we want to set this at ‘NONE’ or ‘CONNECT’
      • Authentication is the process by which DCOM identifies the caller’s identity. Authentication is specified for each DCOM object. There are several authentication levels, which are:
        • None
          • No Authentication is performed between client and server (DCOM). In this case to access the DCOM object, no credentials are required. For this to work though, ANONYMOUS LOGON must be specified in the Edit limits (especially for Access Permission)
        • Connect
          • Authentication is done only during initial connection
        • Call
          • Authentication is done for every DCOM Call
        • Packet
          • Authentication is done for every packet. Packets are neither signed nor encrypted
        • Packet Integrity
          • Authentication is done for every packet. Packets are signed, not encrypted.
        • Packet Privacy
          • Authentication is done for every packet. Packets are signed and encrypted.
      • Note that when anything other than ‘NONE’ is selected, the authentication must occur. This means that ‘ANONYMOUS LOGON’ will not work.
      • The ‘Default authentication level’ is used when the DCOM object specifies ‘Default’ in its settings. It can be seen as a computer-wide security policy.
    • Default Impersonation Level
      • Generally, ‘Identify’ is used as it allows the DCOM object to verify the caller
      • Impersonation Level is the amount of authority/credentials given to each DCOM object to impersonate a client. If too little authority is given, the DCOM server may refuse to run the call. If too much authority is given, this can be dangerous as the server may impersonate ‘malicious’ clients.
      • Impersonation Levels
        • Anonymous
          • The client is anonymous to the server
          • In simpler words, the credentials of the caller are hidden/unknown.
        • Identify
          • The server knows the client’s identity and uses it for Access Control List checking
          • In simpler words, Allows the server to query the credentials of the caller
        • Impersonate
          • The server acts as the client (The server becomes the client)
          • The server cannot make outgoing calls on behalf of the client
          • In simpler words, Allows objects to use the credentials of the caller.
        • Delegate
          • The server acts as the client (The server becomes the client)
          • The server CAN make outgoing calls on behalf of the client
          • In simpler words, allows objects to use the credentials of the caller, and other objects called by the first object to use the caller’s credentials as well
      • The default impersonation level simply sets the computer-wide default impersonation level. This takes effect if the DCOM object does not set its own impersonation level.
    • image
    • Over here, one is allowed to set the overall COM/DCOM Security.
      • COM/DCOM Security is about who can or cannot access the DCOM\COM. This sets computer-wide COM/DCOM Security
      • There are two types of security permissions
        • Access Permissions
          • Allows which users can connect to an instance of a COM class. In other words, controls who can access an already running COM/DCOM server
        • Launch and Activation Permissions
          • Allows which users can start a new COM/DCOM server
      • There are two type of Edits
        • Edit Limits
          • This modifies the computer-wide restriction policy. If an application specifies an access setting for a particular account that is MORE than what is specified here, it will be limited. It is therefore generally recommended to set this as high as possible (i.e. allow many accesses)
            • One thing to note here is for the ‘NONE’ Authentication Level: ‘ANONYMOUS LOGON’ needs to be allowed in here for the ‘NONE’ Authentication level to work.
          • Programmatically, this applies to applications that call the ‘CoInitializeSecurity’ Win32 API. An application may opt not to set its security by not calling this function; in that case the application uses the default COM security.
        • Edit Default
          • This modifies the computer-wide default setting. Whenever an application does not specify its access permissions, this default is used
          • Programmatically, this applies to applications that do NOT call the ‘CoInitializeSecurity’ Win32 API
      • The important thing here is that both need to be configured with ‘ANONYMOUS LOGON’ for OPCEnum to work
      • Sometimes ‘NETWORK’ logon is also required. NETWORK logon is used for File/IIS Authentications
        • image
        • image
    • image
    • image
    • The General Tab
      • In the general Tab the Authentication Level is the key thing in allowing DCOM access
        • If Authentication is set ‘NONE’,
          • DCOM authentication will not perform any Authentication on the caller.
          • ‘ANONYMOUS LOGON’ need not be allowed here; it still works without it.
            • However, ‘ANONYMOUS LOGON’ needs to be allowed in the ACCESS PERMISSION and LAUNCH AND ACTIVATION PERMISSIONS ==> EDIT LIMITS. Here, Anonymous Logon needs to be keyed in.
          • This is least secure, but it works!
        • If Authentication is set other than ‘NONE’, DCOM authentication will be performed. ‘ANONYMOUS LOGON’ will not work.
          • ‘CONNECT’ means authentication will be performed upon connection
          • ‘PACKET’ means authentication will be performed for each packet. This is more secure
          • ‘PACKET PRIVACY’ means authentication will be performed and the packets are all encrypted. This is the most secure
        • if Authentication is set as ‘DEFAULT’ it will be based on the computer-wide setting mentioned above.
      • Generally, we set this to ‘CONNECT’, meaning DCOM will ask for authentication upon connection. FOR A QUICK and EASY configuration set the AUTHENTICATION to NONE.
    • image
    • The Location Tab
      • Determines where the DCOM will be run
      • Generally, should be set as ‘Run application on this computer’
    • image
    • The Security Tab
      • If default is selected, it will use the default settings set in the computer-wide default settings (set above)
    • image
    • The Identity Tab
      • Specifies what user account the application will run under when it is started. Descriptions of the options are as follows.
        • Interactive User:
          • A user running interactively on the desktop.
          • OR Application runs under the identity of the user who is currently logged on to the computer. This user's security credentials are used when the application is authenticated to access resources
        • Launching User:
          • The user that makes the initial connection request to an application that is not running, but is launched.
          • OR application runs using the security context of the user who started the application (the launching user) so that the application can be authenticated in the domain.
          • The launching user may be the same as the interactive user
        • Specified User:
          • A specified user account on the PC. If the server is running as a service on a Windows XP or 2003 server OS, the account will not be able to be opened on the desktop.
          • OR application runs using the security context of the specified user account so that it can be authenticated in the domain
        • System Account:
          • Server application runs using the security context of the built-in System account (LOCAL SYSTEM)
          • This is the default for applications that are running as a service.
      • NOTE that not all OPC Servers are services. Some OPC Servers may be a simple Windows application that is launched, e.g. the Yokogawa HIS OPC Server.
      • The identity has nothing to do with impersonation. Identity is the account the server runs as; impersonation is about how the DCOM calls from the server are attributed
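The registry file examples above and the authentication levels described above, worked as code. This is an added example, not part of the original notes or any vendor tooling: it parses a REGEDIT4 .reg file, checks that the ProgID -> CLSID -> AppID chain it registers is consistent (a broken chain is what makes CreateObject() by name or a remote connect fail), and audits each AppID key for an AuthenticationLevel of None or a missing RunAs. The dword values it uses (1 None, 2 Connect, 3 Call, 4 Packet, 5 Packet Integrity, 6 Packet Privacy) are the standard RPC_C_AUTHN_LEVEL_* constants. The sample is the page's MatrikonOPC .reg text with a constructed AuthenticationLevel value added so the audit has something to flag; the function names are made up for this example.

```python
# Added example (not from the original notes): REGEDIT4 parser plus a
# CLSID/ProgID/AppID consistency and authentication-level audit. The sample
# .reg text is the page's MatrikonOPC example with a constructed
# "AuthenticationLevel" value added on the AppID key.
import re
from typing import Dict, List, Optional

AUTHN_LEVELS = {1: "None", 2: "Connect", 3: "Call", 4: "Packet",
                5: "Packet Integrity", 6: "Packet Privacy"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CLSID_KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})$")
RegTree = Dict[str, Dict[str, str]]   # key path -> {value name: raw value}; "@" is the default


def parse_reg(text: str) -> RegTree:
    keys: RegTree = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY")):
            continue                                    # blank, comment or file header
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group(1)
            keys[current][name if name == "@" else name[1:-1]] = vm.group(2)
    return keys


def unquote(raw: str) -> str:
    """Strip the quotes of a REG_SZ value and undo its backslash escaping."""
    return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\") if raw.startswith('"') else raw


def dword(raw: str) -> Optional[int]:
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None


def audit_dcom_registration(keys: RegTree) -> List[str]:
    """Return findings; an empty list means every CLSID is consistently and strictly registered."""
    findings = []
    for path, values in keys.items():
        m = CLSID_KEY_RE.match(path)
        if not m:
            continue
        clsid = m.group(1)
        progid = unquote(keys.get(path + "\\ProgID", {}).get("@", ""))
        if not progid:
            findings.append(f"{clsid}: no ProgID subkey, CreateObject() by name will fail")
        else:
            back = unquote(keys.get(f"HKEY_CLASSES_ROOT\\{progid}\\CLSID", {}).get("@", ""))
            if back.upper() != clsid.upper():
                findings.append(f"{progid}: CLSID subkey {back or '<missing>'} does not point back to {clsid}")
        appid = unquote(values.get("AppID", ""))
        if not appid:
            findings.append(f"{clsid}: no AppID value, computer-wide DCOM defaults apply")
            continue
        app = keys.get(f"HKEY_CLASSES_ROOT\\AppID\\{appid}")
        if app is None:
            findings.append(f"{clsid}: AppID {appid} has no HKEY_CLASSES_ROOT\\AppID key")
            continue
        level = dword(app.get("AuthenticationLevel", ""))
        if level is None or level == 0:
            findings.append(f"{appid}: no explicit AuthenticationLevel, the dcomcnfg default level applies")
        elif level not in AUTHN_LEVELS:
            findings.append(f"{appid}: unknown AuthenticationLevel {level}")
        elif level == 1:
            findings.append(f"{appid}: AuthenticationLevel=None, callers are not authenticated")
        elif level < 6:
            findings.append(f"{appid}: AuthenticationLevel={AUTHN_LEVELS[level]}, traffic is not encrypted")
        if "RunAs" not in app:
            findings.append(f"{appid}: no RunAs, identity comes from the dcomcnfg Identity tab")
    return findings


# The page's MatrikonOPC example, plus a constructed AuthenticationLevel on the AppID key.
SAMPLE_REG = r"""REGEDIT4
[HKEY_CLASSES_ROOT\AppID\{F8582CF2-88FB-11D0-B850-00C0F0104305}]
@="MatrikonOPC Server for Simulation and Testing"
"AuthenticationLevel"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{F8582CF2-88FB-11D0-B850-00C0F0104305}]
@="MatrikonOPC Server for Simulation and Testing"
"AppID"="{F8582CF2-88FB-11D0-B850-00C0F0104305}"

[HKEY_CLASSES_ROOT\CLSID\{F8582CF2-88FB-11D0-B850-00C0F0104305}\ProgID]
@="Matrikon.OPC.Simulation.1"

[HKEY_CLASSES_ROOT\Matrikon.OPC.Simulation.1]
@="MatrikonOPC Server for Simulation and Testing"

[HKEY_CLASSES_ROOT\Matrikon.OPC.Simulation.1\CLSID]
@="{F8582CF2-88FB-11D0-B850-00C0F0104305}"
"""

if __name__ == "__main__":
    for finding in audit_dcom_registration(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run against an exported .reg of a production OPC host, the two findings this sample produces (AuthenticationLevel=None and no RunAs) are exactly the "quick and easy" settings from the sections above that should be revisited once connectivity works.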

MODBUS

RS232

Transmitters

Smart Transmitters