European Laboratory for Particle Physics
Laboratoire Européen pour la Physique des Particules
CH-1211 Genève 23 - Suisse

OPC Support IT-CO recommended DCOM settings for OPC
Document Version: 2.1
Document Issue: 2
Document Date: 12 December 2003
Document Status:
Document Author: Renaud BARILLERE

Abstract
This document presents the DCOM settings recommended by IT-CO for the use of OPC servers at CERN on the NICE infrastructure. The recommendation is based on a document [1] published internally by the OPC Foundation. The procedure described hereafter has been used to install several OPC servers in laboratories and for production applications at CERN.

1 Pre-requisite

1. Operating systems
In theory OPC can be used on Windows 95, Windows 98, Windows NT and Windows 2000, but since it requires additional DLLs on operating systems other than Windows NT/2000, we recommend installing Windows 2000 where possible.

2. Privileges
Setting all the required DCOM properties requires being logged on as an administrator.

3. OPC server installation
The OPC servers have been installed on the PC. Although servers can be installed by any user with administrator privileges, we recommend installing them while logged on as the local administrator.

4. OPCEnum installation
With the OPC DA v2.x specifications, it is recommended to use the OPCEnum application to let OPC clients browse the available OPC servers. This application is usually shipped with COTS OPC servers; if not, it is made available by the OPC Foundation to all its members (CERN is one of them). It is assumed that OPCEnum has been installed. It does not have to be installed as a service; we assume hereafter that it has been installed as a standard application.

5. User groups
If several users are to be granted access to a given OPC server, we recommend creating a group of users. Since a local administrator cannot create a group in the CERN domain, we suggest creating local groups. This obviously means that the group has to be created on every PC on which the OPC server is installed. Creating local groups requires administrator privileges.

2 Settings of the server PC
OPC security is entirely DCOM security. The default security settings selected on the OPC server and OPC client machines therefore apply to every DCOM server installed on the PC that does not define its own permissions, whether or not it has anything to do with OPC. The principle of the recommended settings is to allow, by default, wide access to the executables installed on the PC, and to restrict access to the critical OPC servers (i.e. the ones that give access to actual devices). The procedure described below requires the DCOM configuration tool, dcomcnfg.
2.1 Default permission
a. Start dcomcnfg:
Figure 1 DCOM setting window
b. Select the Default Properties tab and apply the settings shown in the figure below:
Figure 2 Default properties
c. Validate by pressing the Apply button.
d. Select the Default Security tab:
Figure 3 Default security
e. Open the Default Access Permission window by pressing the corresponding Edit Default button and add the users shown in the figure below. The administrator is the one of the local machine.
Figure 4 Default access permission
f. Close the window by pressing the OK button.
g. Open the Default Launch Permission window by pressing the corresponding Edit Default button and add the users shown in the figure below. The administrator is the one of the local machine.
Figure 5 Default launch permission
h. Close the window by pressing the OK button.
i. Open the Default Configuration Permission window by pressing the corresponding Edit Default button and add the users shown in the figure below. The administrator is the one of the local machine.
Figure 6 Default configuration permission
Read access may be sufficient for the user Everyone; this remains to be confirmed.
j. Validate the choices by pressing Apply in the Default Security window (Figure 3).
k. Open the Default Protocols tab. The selected protocols are the default ones; if your settings differ from those displayed in the figure below, update them.
Figure 7 Default protocols
l. Validate the choices by pressing Apply in the Default Security window (Figure 3).

2.2 OPCEnum settings
Once the default settings are in place, the settings of the OPCEnum application have to be checked. OPCEnum is the application used by any OPC DA 2.0 client to browse the OPC servers available on the local machine. The required settings are the default ones; one only has to check that they match the ones described below. They are reached by selecting the OPCEnum line in the main dcomcnfg window and pressing the Properties button.
Figure 8 Selection of OPCEnum
Figure 9 OPCEnum general property
Figure 10 OPCEnum location property
Figure 11 OPCEnum security property
Figure 12 OPCEnum configuration property
Figure 13 OPCEnum identity property
Figure 14 OPCEnum protocol property

2.3 Specific OPC server settings
The settings of the specific OPC server now have to be set. The settings described here have been tested successfully with many OPC servers. However, a server can override the AppID settings from its own source code (a server that calls CoInitializeSecurity with its own security descriptor ignores the permissions set in dcomcnfg), so it is not guaranteed that these settings will always work. To apply them, select the line of the OPC server in the main dcomcnfg window and press the Properties button. For the example below we used the Schneider OPC server, whose name is OPC Factory Server.
a. In the General tab, leave the default choice for the authentication level.
Figure 15 OPC server general property
b. As the OPC server has been installed on the local machine, the location property has to be set as described below.
Figure 16 Location property
c. For the security properties the default settings are overridden, to restrict remote access to the defined user group (see section 1, Pre-requisite):
Figure 17 Security property
d. Select "Use custom access permissions" and press Edit.
Figure 18 Access property
e. Modify the list of authorised users as shown above, the defined group of users being the local "opc users" group.
f. Repeat the same actions for the Launch permission property.
Figure 19 Launch permission properties
g. Repeat the same actions for the Configuration permission property.
Figure 20 Configuration permission
h. For the identity property it is essential to select a specific user ("This user"). If "The launching user" is selected, a separate OPC server instance is created for each user account that connects; this usually does not work when the server instances need access to a single resource (e.g. a PC card). If "The interactive user" is selected, the OPC server cannot start unless a user session is active. The selected user obviously has to be a member of the locally created group (here "opc users").
i. For some OPC servers running under Windows 2000 it is essential that the user account launching the server has local administrator privileges, i.e. is listed in the local Administrators group. The profile of this user MUST also exist on the PC, which means that the user has logged on to this PC at least once.
Figure 21 Launching account configuration
j. To include this account in the local Administrators group, right-click My Computer (on the Desktop) and select Manage.
Figure 22 Groups management
Figure 23 Local Administrator group
k. The Endpoint property has to be left at its default.
Figure 24 Endpoint property

3 Settings on the Client PC
When the server sends callbacks (e.g. data-change notifications), the client acts as a DCOM server towards the OPC server. To avoid conflicts, the default general DCOM properties on the client therefore have to be set as on the server (Figure 2).
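The steps of sections 2.1, 2.3 and 3 are all performed by hand in dcomcnfg, which stores the result in the registry (the machine-wide defaults under HKLM\SOFTWARE\Microsoft\Ole, the per-server settings under the server's AppID key). The script below is an added example, not part of this document and not vendor tooling: it reads those values back, decodes the access and launch DACLs so one can see who may reach the server remotely, checks that the identity account of step 2.3 h is in the required local groups, and, with -Restrict, writes the per-server DACL of steps 2.3 d to f (Administrators plus the local OPC group). It assumes an elevated PowerShell on the server PC, that the server's AppID can be found by the friendly name dcomcnfg displays (the document's example "OPC Factory Server" is used as the default, and may need adjusting), and that the restricted group is the local "opc users" group of section 1.5.

```powershell
<#
  Added example, not from the CERN document or from any OPC vendor.
  Reads back from the registry the DCOM settings that sections 2.1, 2.3 and 3
  set through dcomcnfg, reports who may launch/access the OPC server and, with
  -Restrict, writes the per-server DACL of section 2.3 (Administrators + the
  local OPC group). Assumptions: elevated PowerShell on the server PC; the OPC
  server's AppID is found by the friendly name dcomcnfg displays (default: the
  document's example "OPC Factory Server"); the restricted group is the local
  "opc users" group of section 1.5.
#>
param(
    [string]$ServerName = 'OPC Factory Server',
    [string]$OpcGroup   = 'opc users',
    [switch]$Restrict
)

# COM_RIGHTS_* bits in DCOM access masks. Windows 2000 only knew EXECUTE (1);
# the local/remote split exists from XP SP2 / Server 2003 SP1 onwards.
$ComRights = [ordered]@{ Execute=1; ExecuteLocal=2; ExecuteRemote=4; ActivateLocal=8; ActivateRemote=16 }
$AuthLevel = @{ 0='Default'; 1='None'; 2='Connect'; 3='Call'; 4='Packet'; 5='Packet Integrity'; 6='Packet Privacy' }
$ImpLevel  = @{ 1='Anonymous'; 2='Identify'; 3='Impersonate'; 4='Delegate' }

function Show-DcomDacl {
    # Decode a REG_BINARY self-relative security descriptor as written by dcomcnfg.
    param([byte[]]$Bytes, [string]$Label)
    if (-not $Bytes) { "$Label : not set, machine default applies"; return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID (deleted account, domain unreachable)
        $names = @($ComRights.GetEnumerator() | Where-Object { $ace.AccessMask -band $_.Value } | ForEach-Object { $_.Key })
        "{0} : {1,-13} {2,-30} [{3}]" -f $Label, $ace.AceType, $who, ($names -join ',')
        # Everyone/ANONYMOUS with remote rights on a device-facing server is what section 2.3 removes.
        $remote = $ace.AccessMask -band ($ComRights.Execute -bor $ComRights.ExecuteRemote -bor $ComRights.ActivateRemote)
        if ($ace.AceType -eq 'AccessAllowed' -and $remote -and
            ($sid.IsWellKnown('WorldSid') -or $sid.IsWellKnown('AnonymousSid'))) {
            "$Label : WARNING - $who has remote DCOM rights"
        }
    }
}

function Get-LocalGroupMembers([string]$Group) {
    # WinNT ADSI provider; works from Windows 2000 upwards (Get-LocalGroupMember needs PS 5.1).
    $g = [ADSI]"WinNT://./$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# --- machine-wide defaults (section 2.1 on the server, section 3 on the client) ---
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
"EnableDCOM             : $($ole.EnableDCOM)"
$a = $ole.LegacyAuthenticationLevel; $i = $ole.LegacyImpersonationLevel
"Default authentication : " + $(if ($null -eq $a) { 'not set (Connect)' }  else { $AuthLevel[[int]$a] })
"Default impersonation  : " + $(if ($null -eq $i) { 'not set (Identify)' } else { $ImpLevel[[int]$i] })
Show-DcomDacl $ole.DefaultAccessPermission 'Default access'
Show-DcomDacl $ole.DefaultLaunchPermission 'Default launch'

# --- the specific OPC server (section 2.3) ---
$appKey = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' |
          Where-Object { $_.GetValue('') -like "*$ServerName*" } | Select-Object -First 1
if (-not $appKey) { throw "No AppID described as '$ServerName'; use the name shown in dcomcnfg" }
$app = Get-ItemProperty $appKey.PSPath
"AppID                  : $($appKey.PSChildName) ($($appKey.GetValue('')))"
"Authentication         : " + $(if ($null -eq $app.AuthenticationLevel) { 'Default (machine setting)' } else { $AuthLevel[[int]$app.AuthenticationLevel] })
$runAs = $app.RunAs   # absent = "The launching user"; 'Interactive User' = the logged-on user
"Identity               : " + $(if (-not $runAs) { 'Launching user (one instance per client account)' } else { $runAs })
Show-DcomDacl $app.AccessPermission "$ServerName access"
Show-DcomDacl $app.LaunchPermission "$ServerName launch"

# Section 2.3 h/i: a fixed identity must be in the OPC group and (for some servers) in Administrators
if ($runAs -and $runAs -ne 'Interactive User') {
    $account = ($runAs -split '\\')[-1]
    foreach ($grp in @($OpcGroup, 'Administrators')) {
        "Identity in '$grp' : " + ((Get-LocalGroupMembers $grp) -contains $account)
    }
}

# Section 2.3 d-f: replace the inherited default DACLs with Administrators + the OPC group
if ($Restrict) {
    $acct   = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$OpcGroup")
    $grpSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    # SDDL rights CC,DC,LC,SW,RP are bits 1,2,4,8,16 = the five COM rights; BA = BUILTIN\Administrators
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor ("O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCLCSWRP;;;$grpSid)")
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    Set-ItemProperty $appKey.PSPath -Name AccessPermission -Value $bytes -Type Binary
    Set-ItemProperty $appKey.PSPath -Name LaunchPermission -Value $bytes -Type Binary
    "Wrote custom access/launch permissions for $($appKey.PSChildName); re-run without -Restrict to verify"
}
```

Run it without -Restrict first, on the server and on the client, and compare the "Default authentication" and "Default impersonation" lines of the two machines (section 3). Two things it does not cover: the Configuration permission of steps 2.1 i and 2.3 g is an ordinary ACL on the registry key, not a DCOM descriptor, and on Windows XP SP2 / Server 2003 SP1 and later the machine-wide limits (MachineAccessRestriction, MachineLaunchRestriction under the same Ole key) are evaluated in addition to the permissions shown here, so a WARNING line does not by itself prove that anonymous remote access is possible.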
4 Options
It may be possible to specify that the OPC server is started at boot time, as an NT service.

5 Reference
[1] Demonstration Guidelines, 4th draft version, OPC Foundation.

This document has been prepared using the SDLT Single File Template prepared by the IPT Group (Information, Process and Technology), IT Division, CERN (the European Laboratory for Particle Physics). For more information, go to http://framemaker.cern.ch/.