PI Cloud Connect Overview Version 1.0.8
Content

Product Overview
    Sharing data with other corporations
    Sharing data within your company
Architecture Overview
    PI Cloud Connect and PI Cloud Services
    How does PI Cloud Connect work?
Using the Customer Portal
    PI Cloud Services
    PI Cloud Connect
Supported AF Objects
Performance and Throughput
Best Practices
Security Overview
    PI Cloud Connect Windows Azure Components
    On-Prem Components Deployment
    Overall data flow
Troubleshooting 101
    Signing in the Customer Portal
    Node deployment
    Accessing PI AF
    Accessing local log files
Product Overview

PI Cloud Connect is the first of a set of services delivered by OSIsoft that fall under the PI Cloud Services umbrella. PI Cloud Connect is a Cloud-based Software as a Service (SaaS) offering managed by OSIsoft that allows you to share data between PI Systems.

- Cloud based because the solution leverages components running in Windows Azure, the public Cloud offering from Microsoft
- Managed by OSIsoft because we support, maintain and upgrade this service and all its components

PI Cloud Connect makes it easy to share data between PI Systems both inside and outside your enterprise. You can publish data and grant access to other PI Cloud Connect users so that they can subscribe to that data. PI Cloud Connect secures and brokers communication between the publisher and subscriber, even when they are outside your organization.

PI Cloud Connect offers many advantages:

- Solution maintained and managed by OSIsoft with minimal On-Prem [1] footprint
- Scalable and reliable solution based on Windows Azure
- Configuration and monitoring accessible through a Web-based Customer Portal that only requires a modern Web browser
- Secure data sharing without requiring Virtual Private Networks (VPNs)
- Seamless and simultaneous transfer of real-time data and metadata from your PI AF structures, which allows asset models in the PI System to be transferred
- Publish/subscribe architecture that supports one-to-many, many-to-one and many-to-many data exchanges, which advantageously replaces point-to-point connections

Sharing data with other corporations

In many situations, all partners in a business collaboration such as joint ventures, contract manufacturers, expert service providers, and operations and maintenance companies need access to production data. When all partners have access to the real-time data, each of them can plan ahead for equipment maintenance or for scheduling the delivery of critical components.
PI Cloud Connect provides all parties a secure way of sharing data between their respective PI Systems without having to deploy point-to-point VPNs in multiple scenarios:

- In a joint venture, even though only one company usually operates the assets, all partners need access to the production data
- To deliver the best service possible, partners and vendors who supply raw materials, equipment or expertise need access to the real-time data collected at the operations sites
- Contract manufacturers, who manufacture products on behalf of other companies, need to expose the operation and quality data to those companies
- Operations and Maintenance companies (O&M), Service Providers (SP), and Performance Analytic Vendors (PAV) also need access to the real-time data on site to provide expert knowledge about the efficiency and health of equipment such as pumps, compressors, generators or other components or additives that are critical to a certain process

[1] On-Prem refers to components or deployments in situ (on site) as opposed to remote components or deployments such as in the Cloud.

Sharing data within your company

If you have a central PI System installed at your head office and other PI System instances deployed at operations sites, you probably want to have a centralized view of your operations and make site-to-site comparisons. With PI Cloud Connect, sites that monitor assets and collect real-time data can publish their data so that your head office can subscribe to it.
Architecture Overview

PI Cloud Connect and PI Cloud Services

PI Cloud Services is the overall umbrella under which all OSIsoft Cloud-based services are made available to customers. To simplify manageability, all the services are managed in one account. Besides PI Cloud Connect, the screenshot below shows other services that may be available in the future.

How does PI Cloud Connect work?

PI Cloud Connect is a Windows Azure hosted application that relies on a publish/subscribe mechanism to manage the data flow within and between accounts. Once they have signed up for the PI Cloud Connect service, users can sign in to the PI Cloud Connect Customer Portal to install the components required to securely and reliably connect their PI Systems and share data. Customers use the PI Cloud Connect Customer Portal to manage publications, subscriptions, users and nodes.
Data Sharing Workflow

On one hand, a publisher selects a set of data to include in a publication. A publication is configured by selecting a PI AF Element from any PI AF server that is accessible from a registered PI Connect node. A PI Connect node is a computer where the PI Connect components have been installed. The deployment of the PI Connect components is performed via the PI Cloud Connect Customer Portal. Once a publication is configured, the publisher grants access to that publication to one (or more) PI Cloud Connect users, and each of those users can then subscribe to it. To grant access to a publication, the publisher notifies one (or several) user(s) via email that they have access to the publication. The publisher needs to have a priori knowledge of the subscriber(s) contact information [2]. Prior to using PI Cloud Connect for trans-enterprise data exchange, it is highly recommended that publishers and subscribers establish a business relationship to define the scope of the data exchange and share the contact information.

On the other hand, when users receive a notification (via email or directly in the Customer Portal) they can create a subscription associated with that publication. The association between a publication and a subscription is a contract between the publisher and subscriber that specifies what data is being shared.

When the configuration of the publication and the associated subscriptions is complete on both sides and the publication and the subscription are started, the exchange of data commences and continues until one of the parties decides to stop it.

Using the Customer Portal

PI Cloud Services

After signing in to your account, you access the landing page of the Customer Portal that presents all the services available. After selecting the PI Cloud Connect tile, you enter the PI Cloud Connect Portal.
[2] For obvious privacy and accounts data isolation reasons, the Customer Portal does not expose information from one account to another account unless specified.
PI Cloud Connect

The user interface provides easy-to-use Web pages for managing your publications, subscriptions and nodes. In the following sections, we explain some of the tasks you can perform from these pages.

Activities Summary

The main page is the Activities Summary page that presents an overview of the publications, subscriptions and systems. You access each of these sections by clicking a tile or the corresponding option on the left-hand menu.

Publications

The Publications page lists all your publications: those created in your account by any of the users of that account as well as those you (or other users in your account) have been granted access to from other accounts. Note that publications from other accounts can only be seen by the user(s) who have been given access to these publications, not by all users of that account. Granting access to a publication is a user-based concept, not an account-based concept. Therefore, different users from the same account might see different publications listed in the Publications page.

From this page, you can:

- create new publications
- take specific actions when a publication is selected
  - manage a publication (stop/start/delete)
  - view details/subscribers
  - subscribe to a publication

When you create a new publication, a wizard guides you through the steps required to configure that publication. Note that prior to creating a publication, a PI Connect node must be configured from the System page so that a data source (one or more PI AF Servers) is available. In the first step, the wizard shows a list of the available AFserver.AFDatabase namespaces for each PI Connect node.
The list of namespaces can be sorted by Namespace, Node or Node User Account:

- The Node User Account is the Windows account provided during the deployment of the PI Connect node; the Windows service on the node runs under that account. More details are provided in the On-Prem deployment section of this document
- The Node column lists the name of each deployed PI Cloud Connect node
- The Namespace column lists all AFServer.AFDatabase namespaces accessible from any of the Nodes and Node User Accounts

After selecting one of the available data sources, you can move to the next step.
In the Publication Scope step, two options are available in the dropdown menu:

- Select AF Elements
- Select AF Templates

The first option allows you to select an AF Element that is the target for the publications.
In that case, the selected AF Element along with all its children AF Elements and associated real-time data (AF Attributes mapped to PI Points) will constitute the publication scope. You should ensure the AF Elements in your publication contain only supported AF Objects, as described in the following section.

Note: If some AF Elements targeted by the publications are derived from AF Element Templates, these AF templates will also be part of the publication.

The next step in the wizard allows you to retrieve historical data that is available prior to the time the publication is started. The value provided has to be an integer between 0 and 30 (both included). This setting only applies to the real-time data associated with AF PI Points Data References [3].

The second option allows you to select AF Element Templates only. In that case, the scope of the publication is restricted to all the AF Element Templates of the AFserver.AFDatabase namespace selected during the previous step.

[3] Only the most recent version of the AF Elements at the time of the publication start is included in the publication scope. The history recovery doesn't apply to AF Objects versions.
When the AF Templates option is chosen, the Publishing Options step has no configuration, since there is no real-time data associated with AF Templates. For either option (AF Elements or AF Element Templates), the next step is to define the publication name and its description (optional).

From the main Publication page, you can also select an existing publication and look at more detailed information about its status and the users who have been notified about and granted access to the publication.
From that page you can also grant other users from other accounts access to your publication. Note that for the publications that you've been granted access to by other accounts, the only possible option is to subscribe.

Subscriptions

The Subscription page lists your existing subscriptions and allows you to take specific actions when a subscription is selected. This page is similar to the Publication page but cannot be used to create new subscriptions. Subscriptions are created from the Publication page by subscribing to a publication.
When you create a new subscription, the same wizard used to create a publication guides you through the steps required to configure that subscription, except that there is no subscribing options step in the wizard. Note also that before creating a subscription, a PI Connect node must be configured from the System page so that a Destination System (one or more PI AF Servers) is available. It is recommended that each subscription targets a dedicated PI AF Database to avoid potential conflicts with multiple subscriptions targeting the same AF Database. Also, keep in mind that at least 1 element needs to exist in the PI AF Database before configuring a subscription into that PI AF Database.
User Accounts

User accounts are managed at the PI Cloud Services level and are shared across all services. At the moment, all users have the same role (administrator) in PI Cloud Connect. Therefore, no specific configuration is accessible at the service level. A redirection to the PI Cloud Services Launchpad is provided. From the User Accounts page in the PI Cloud Services Launchpad, you can view a list of existing users and activate new users.
New users are added to an account by providing their First Name, Last Name and email address. Note that the email address provided does not have to be a Windows Live account. That email address is first used to send an activation email to the new user and then for future communication. However, during the activation process the user will have to use a valid Windows Live account or authenticate with Active Directory Federated Services (ADFS) to be authenticated and granted access to the Customer Portal. When new users are added to an account, they have 48 hours to activate their account. Until the account is activated, the user's status is pending. It is possible to resend an activation email to a pending user who has missed the 48-hour window for activation by selecting the Edit User menu.
System

The System page has two sections: Nodes and Download. The Nodes section lists the different On-Prem nodes where PI Connect components have been deployed. The status icon indicates whether the PI Connect node has an active connection with the Cloud components (heartbeat).
The Download section is used for deploying new nodes. That section lists software prerequisites and provides access to download the setup kit for deploying a new PI Connect node. More details about installing a new PI Connect node are provided in the Security Overview section of this document.
Supported AF Objects

PI Cloud Connect currently supports the following AF Objects:

- AF Elements
- AF Element Templates
- AF Enumeration Sets
- AF Attributes configured with the following Data References:
  - None (static values)
  - PI Point
  - Formula data references which reference attributes that have been published
- AF Categories

The only fully supported AF Objects are those listed above. Here is a short list of the commonly used unsupported objects:

- Table data references will only transmit the configuration string, meaning the tables would have to be transferred manually via another method, i.e. XML import / export.
- AF Units of Measure
- Attributes which reference other attributes (using the Attribute format)
- PI Analyses or PI Analyses Templates
- PI Event Frames
- Custom Data References
- Custom AF Reference types
- PI Point Arrays
- PI Notifications
- AF File data types
- AF Transfers and Cases

Support for other AF Data types and objects may be added in the future.

Performance and Throughput

PI Cloud Connect can sustain a data transfer rate of approximately 2,000 events/sec per node [4]. When publishing or subscribing to data at a rate of 2,000 events/sec, 108 Kbytes/sec of network throughput will be utilized on a constant basis. As a comparison, average OSIsoft customers have data rates for their PI Interfaces of about 50 events/sec per 1,000 PI Points. Given an average customer, the bandwidth required per thousand (1,000) PI Points is approximately 2.7 Kbytes/sec. A subscriber will be able to create approximately 1,000 points in 1 hour on the initial startup.

[4] If you are going to be close to 2,000 events/sec on your publishing PI System, the MaxUpdateQueue tuning parameter on the PI Data Archive should be set to 240,000.
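The Supported AF Objects list above can be applied as a check on a planned publication scope before the publication is created. The following is an added example, not OSIsoft code: the inventory layout (element and attribute dictionaries, `formula_inputs`, `value_type`, the object kind names) and all sample names are constructed for illustration and are not an AF export format.

```python
# Added example: check a publication scope against the Supported AF Objects list.
# The inventory layout and sample names are constructed, not an AF export format.

SUPPORTED_DATA_REFERENCES = {"None", "PI Point", "Formula"}

# Object kinds the document lists as unsupported (names chosen for this example).
UNSUPPORTED_OBJECT_KINDS = {
    "Unit of Measure", "Analysis", "Analysis Template", "Event Frame",
    "Notification", "Transfer", "Case", "PI Point Array",
    "Custom Data Reference", "Custom AF Reference Type",
}


def check_publication_scope(elements, other_objects=()):
    """Return (path, problem) findings for the elements in a publication scope."""
    # Every attribute that would be published, written as "Element|Attribute".
    published = {
        f"{e['name']}|{a['name']}" for e in elements for a in e["attributes"]
    }
    findings = []
    for element in elements:
        for attr in element["attributes"]:
            path = f"{element['name']}|{attr['name']}"
            ref = attr.get("data_reference", "None")
            if attr.get("value_type") == "File":
                findings.append((path, "AF File data type is not supported"))
            if ref == "Table":
                # Only the configuration string travels; the table itself has
                # to be moved another way (for example XML import / export).
                findings.append((path, "Table: only the config string is sent"))
            elif ref not in SUPPORTED_DATA_REFERENCES:
                findings.append((path, f"unsupported data reference: {ref}"))
            elif ref == "Formula":
                # A formula is supported only if its inputs are published too.
                for target in attr.get("formula_inputs", []):
                    if target not in published:
                        findings.append(
                            (path, f"formula input not published: {target}"))
    for obj in other_objects:
        if obj["kind"] in UNSUPPORTED_OBJECT_KINDS:
            findings.append((obj["name"], f"unsupported object: {obj['kind']}"))
    return findings


# Constructed sample scope: one element mixing supported and unsupported items.
SAMPLE_ELEMENTS = [
    {"name": "Pump-101", "attributes": [
        {"name": "Flow", "data_reference": "PI Point"},
        {"name": "Rated Power", "data_reference": "None"},
        {"name": "Efficiency", "data_reference": "Formula",
         "formula_inputs": ["Pump-101|Flow", "Compressor-7|Load"]},
        {"name": "Curve", "data_reference": "Table"},
        {"name": "Manual", "data_reference": "None", "value_type": "File"},
    ]},
]
SAMPLE_OTHER_OBJECTS = [{"kind": "Event Frame", "name": "Pump-101 Trip"}]

if __name__ == "__main__":
    for path, problem in check_publication_scope(SAMPLE_ELEMENTS,
                                                 SAMPLE_OTHER_OBJECTS):
        print(f"{path}: {problem}")
```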
Best Practices

This section is a quick overview of the best practices for using PI Cloud Connect.

- Each subscription should target its own PI AF Database.
- The hierarchy used for PI Cloud Connect should only contain supported AF Objects (see the above section on Supported AF Objects).
- Limit the total events per second transmitted through a PI Connect node to approximately 2,000 events/sec.
- Avoid potential circular publications and subscriptions. For example, in the scenario below you need at least 3 databases in order to publish AF Templates (1) from the Template AF Database, subscribe to the AF Templates into an AF Database (2) at the site, and then publish the AF Elements from the site to the Corporate Asset Model AF Database (3). The AF Templates from Corporate located in the site AF Database (2) should not be modified. The AF Templates and AF Elements at the Corporate Asset Model AF Database (3) should not be modified either.

[Figure: Corporate AF Collective with the Template AF Database (1) and the Corporate Asset Model (3); PI Cloud Connect; sites Palo Alto, Mountain View (2), San Jose, Cupertino, Waverly Park, San Francisco]
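The best practices above (one target database per subscription, no circular flows, about 2,000 events/sec per node) and the throughput figures from the Performance and Throughput section can be checked mechanically on a planned layout. The following is an added example, not OSIsoft code: the dictionary layout, node names, namespaces and rates are constructed, and it assumes a node's load is the sum of the rates of everything it publishes and subscribes to.

```python
# Added example: lint a planned publish/subscribe layout against the best
# practices. All names, nodes and rates are constructed sample values.
from collections import defaultdict

NODE_LIMIT_EVENTS_PER_SEC = 2000   # approximate per-node rate from the document
KBYTES_PER_EVENT = 108 / 2000      # 108 Kbytes/sec at 2,000 events/sec


def find_cycle(edges):
    """Return one cycle as a list of databases, or [] if there is none."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    state = {}  # 1 = on the current DFS path, 2 = fully explored

    def visit(db, path):
        state[db] = 1
        path.append(db)
        for nxt in sorted(graph[db]):
            if state.get(nxt) == 1:
                return path[path.index(nxt):] + [nxt]
            if nxt not in state:
                cycle = visit(nxt, path)
                if cycle:
                    return cycle
        path.pop()
        state[db] = 2
        return []

    for db in sorted(graph):
        if db not in state:
            cycle = visit(db, [])
            if cycle:
                return cycle
    return []


def lint_topology(publications, subscriptions):
    """Return a list of best-practice findings for the planned layout."""
    pubs = {p["name"]: p for p in publications}
    findings = []
    # Each subscription should target its own PI AF Database.
    by_target = defaultdict(list)
    for s in subscriptions:
        by_target[s["target_db"]].append(s["publication"])
    for db, names in sorted(by_target.items()):
        if len(names) > 1:
            findings.append(f"shared target {db}: {', '.join(sorted(names))}")
    # Data must not flow back into a database it was published from.
    cycle = find_cycle((pubs[s["publication"]]["source_db"], s["target_db"])
                       for s in subscriptions)
    if cycle:
        findings.append("circular flow: " + " -> ".join(cycle))
    # Assumption: node load = published rates + subscribed rates on that node.
    load = defaultdict(float)
    for p in publications:
        load[p["node"]] += p["events_per_sec"]
    for s in subscriptions:
        load[s["node"]] += pubs[s["publication"]]["events_per_sec"]
    for node, rate in sorted(load.items()):
        if rate > NODE_LIMIT_EVENTS_PER_SEC:
            findings.append(f"node {node}: {rate:.0f} events/sec, "
                            f"about {rate * KBYTES_PER_EVENT:.0f} Kbytes/sec")
    return findings


def sample_layout(template_db, model_db):
    """Constructed layout: corporate publishes templates, a site publishes elements."""
    pubs = [
        {"name": "templates", "node": "corp-node",
         "source_db": template_db, "events_per_sec": 0},
        {"name": "site-elements", "node": "site-node",
         "source_db": "SITE-AF.Site", "events_per_sec": 1800},
    ]
    subs = [
        {"publication": "templates", "node": "site-node", "target_db": "SITE-AF.Site"},
        {"publication": "site-elements", "node": "corp-node", "target_db": model_db},
    ]
    return pubs, subs
```

Calling `lint_topology(*sample_layout("CORP-AF.Corporate", "CORP-AF.Corporate"))` reports the circular flow that arises when corporate uses a single database; with separate template and asset model databases, as the scenario above requires, the list is empty.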
Security Overview

PI Cloud Connect deploys several levels of security to keep your information secure and still allow users access to the data they need:

- At the infrastructure level: PI Cloud Connect is managed by OSIsoft and our administrators take care of provisioning the infrastructure required for onboarding new accounts, updating information for existing accounts as well as upgrading the different components when new features or updates are available.
- At the account level: an account represents a company, partner, or affiliate that has signed up for the PI Cloud Connect service. Each account has a unique access to the Customer Portal with a URL of the form: https://accountname.picloudservices.com. Each account is fully isolated from other accounts. Users within an account do not know anything about other accounts or about other users belonging to other accounts.
- At the sign-in level: to access PI Cloud Connect features, all users must sign in to their secure Customer Portal and are authenticated by an Identity Provider of their choosing [5].
- At the user level: when publishing data, the publisher decides which user has access to subscribe to the publication. This is done on a per-user basis, not a per-account basis.

Additionally, PI Cloud Connect is a reliable product designed to protect your information. The Web services used in Windows Azure as well as those exchanging information with On-Prem components are secured by the use of certificates or access tokens, and the Customer Portal uses HTTPS to securely encrypt communication. HTTP Web sites send all communication in plain text, which anyone can read. But HTTPS works in conjunction with Secure Sockets Layer (SSL) to encrypt all communication.
PI Cloud Connect Windows Azure Components

PI Cloud Connect leverages several components in Windows Azure such as Web roles for the Customer Portal, worker roles for queuing and transferring data, Windows Azure Service Bus for establishing a secure connection between the Cloud and your premise, and security components such as Microsoft Azure Access Control Service (ACS), which is a federation provider in the Cloud.

Internally, PI Cloud Connect uses Secure Sockets Layer (SSL) to secure all in-transit data. PI Cloud Connect authenticates calls between, for example, the Customer Portal (Web role) and Microsoft Azure ACS or from the Customer Portal to the worker roles. PI Cloud Connect also makes secure calls to your PI servers and PI AF servers by using claims-aware tokens. This allows the Windows Service that runs on your premise to map the claims-aware Security Token that it receives from PI Cloud Connect to a Windows Security Token on your premise. Then the call from PI Cloud Connect running in Windows Azure is forwarded to your PI AF server using that Windows Security Token to identify the user.

[5] In this initial release, PI Cloud Connect supports Windows Live ID (Microsoft Account) and integration with Active Directory Federated Services (ADFS) as valid Identity Providers (IP).

Sign-in process

When you first sign in to the Customer Portal, it establishes a trust with Microsoft Azure ACS. ACS acts as a federation provider in the Cloud and facilitates authentication between an application and one or more identity providers. Here ACS facilitates authentication between the Customer Portal and one or more identity providers. When a user signs in using the identity provider(s) that has been configured for her Account, the ACS issues a Security Token for that user. This Security Token is used to make secure web service calls to the PI Cloud Connect server.

On-Prem Components Deployment

Deploying a new PI Connect node is managed via the Customer Portal. After downloading the installation kit, you can either proceed with the installation from the computer used to access the Customer Portal or deploy the setup kit on a different computer. Either way, the computer targeted as a PI Connect node must have an outbound connection to the Internet. The setup kit needs elevated Administrator privileges to install PI Connect.
These credentials are used to access the PI AF server(s) your data is read from or written to. This account is also the account used to create and populate the PI Points associated with a subscription when that subscription is associated with a publication scoping real-time data. Because the account is used for accessing the PI AF Server and PI Data Archive, this account will need read access when publishing, and write access when subscribing with PI Cloud Connect. This is the account under which the PI Connect Windows service is running. If you need to modify anything related to this account or the PI Connect service after installation, please contact our support team at PICCPreview@osisoft.com.

Note: Changing the Windows service credentials via the Services management console will not work properly and will make the PI Connect node dysfunctional. An uninstall and reinstall of PI Cloud Connect is required in order to change the service credentials.
Here is a summary of the attributes required for the Windows Service Account running the PI Connect service:

- Log on as a Service privileges
- Must have been used once to log on to the computer
- Must have access to both PI AF and the default PI Server Data Archive associated with PI AF
  - To read the data targeted for a publication
  - To write the data targeted for a subscription
- When using a proxy server, that account should be able to communicate with the Internet via the proxy server.

The next step requires you to specify a name (pre-populated with the machine name) and description (optional) for the PI Connect node you are deploying. That name/description will be used in the Customer Portal.
The setup kit will further proceed with the installation.
Before the installation process is completed, you are asked for another set of credentials that are used to establish a one-time connection between the local Windows Service and Windows Azure via the Azure Service Bus. The picture below shows the login screen provided by Microsoft (Windows Live ID) when it is used as the Identity Provider to authenticate with PI Cloud Connect.

After installation is completed, the Windows Service that runs on your premise starts automatically and initiates an outbound connection from your premise to PI Cloud Connect running in the Cloud using the Service Bus Relay (which is part of Windows Azure services). The newly configured node should appear in the System/Nodes page of the PI Cloud Connect Customer Portal.

The use of certificates enables the Windows Service to be granted only least-privilege listen access to the Service Bus Relay. Similarly, PI Cloud Connect is granted permission to send to the Service Bus Relay, only. This means that PI Cloud Connect can connect between Windows Azure and your premise without you needing to open additional ports in your firewall. Also, data and other information cannot flow in an unintended direction.

Overall data flow

The diagram below shows the data flow between the Windows Services running On-Prem and the Windows Azure Components of PI Cloud Connect leveraging the Azure Service Bus Relay. Each account has its own dedicated Service Bus Endpoints for each of the PI Connect nodes deployed. Each account can deploy multiple nodes, each node being a publisher, a subscriber or both.
Troubleshooting 101

This section presents the most common issues customers are faced with when starting to use PI Cloud Connect. For more help and support, please contact us at PICCpreview@osisoft.com.

Signing in the Customer Portal

This error message is provided when an authentication against a Windows Live account fails. This might happen in different circumstances:

- You have not verified your e-mail address; please check your inbox for a signup verification email.
- The Live ID account/password combination provided is invalid
- Live ID credentials were cached in your browser and you didn't get explicitly presented with the Windows Live sign-in page
- Your Live ID credentials are valid but they are not associated with a user in PI Cloud Services
  - You are not yet a user in PI Cloud Services for the account you are trying to access
  - You used a different Live ID account when you activated your PI Cloud Services user account

If you are still having issues, please contact support at PICCPreview@osisoft.com.

Node deployment

When deploying a new node, the setup kit might not be able to complete successfully. Please send us the error log at PICCPreview@osisoft.com. The Copy Errors button will copy the content of the error log to your clipboard to make it easy to paste it in your email.
Accessing PI AF

When creating or subscribing to a publication, the first step is to select a data source/destination from/to PI AF. This error message appears when it is not possible to reach out to your PI AF servers from the Customer Portal running in Azure. This may happen for several reasons:

- No PI Connect nodes have been configured for your account
- The PI Connect nodes are not reachable (validate the node's status icon)
  - Communication between the Azure components and the On-Prem components is failing
  - The PI Connect Windows Service is down
- Connection between the PI Connect node and the PI AF server is failing
- The service account for the PI Connect service does not have access to your PI AF Server and PI AF Database.

Accessing local log files

The PI Connect Windows service logs information about its operation. These logs are located in the %AppData%/OSIsoft/logs folder for the user account under which the PI Connect Windows service is running. When suspecting a problem with PI Cloud Connect on a specific PI Connect node, please send us these log files at PICCPreview@osisoft.com.