PI Cloud Connect Frequently Asked Questions Version 1.0.5
Content FAQ...3 General questions... 3 Signing up... 4 Deployment... 5 Publishing... 5 Subscribing... 6 User accounts... 7 Security... 8 Pricing... 9 P a g e 2 9
FAQ General questions What is PI Cloud Connect? PI Cloud Connect is a multi-tenant, Cloud based Software as a Service (SaaS) offering managed by OSIsoft that allows you to share data between PI Systems. Multi-tenant because the solution can natively manage multiple organizations/companies who subscribe to the service Cloud based because the solution leverages components running in Windows Azure, the public Cloud offering from Microsoft Managed by OSIsoft because we support, maintain and upgrade this service and all its components What is the value of PI Cloud Connect? PI Cloud Connect enables you to easily share data stored in your PI Systems. It secures and brokers communications between a publisher and a subscriber, even if they are external to your organization. This way, you can share PI AF Elements and their associated data (both real-time and meta-data) via a simple web based Customer Portal. What is Software-as-a-Service? Software-as-a-Service (SaaS) is a software delivery model in which the application and associated data are centrally hosted in a remote data center (a.k.a. the Cloud). SaaS is typically accessed using a thin client through a web browser. Which Cloud infrastructure is used for PI Cloud Connect? Is it public or private Cloud? PI Cloud Connect uses Windows Azure, the public Cloud offering from Microsoft. At the moment, no others Cloud providers (private or public) are supported. The Cloud components of PI Cloud Connect are deployed in the OSIsoft Azure subscription. Customers using PI Cloud Connect do not need to subscribe to Windows Azure. What does On-Prem actually mean? On-Prem is contraction of On Premises that refers to software installed and run on computers on the premises of the organization that uses it, and not elsewhere (such as in a server farm or in the Cloud). What is a tenant? A tenant is an organization who has signed up for a SaaS application, such as PI Cloud Connect. Each PI Cloud Connect tenant has a unique portal accessed through a URL of the form: https://tenantname.picloudservices.com. Each tenant is fully isolated from other tenants and users belonging to one tenant do not know about other tenants or other users belonging to these tenants. What is the PI Cloud Connect Customer Portal? The PI Cloud Connect Customer Portal is the main user interface for using PI Cloud Connect. It s a Web based portal that customer access via a dedicated URL of the form: https://tenantname.picloudservices.com. From this portal, customers can manage users, publications, subscriptions and nodes. P a g e 3 9
What is an Identity Provider? An Identity Provider is an external party that provides a way to authenticate a user. Instead of providing its own mechanism for authentication, PI Cloud Connect relies on an external Identity Provider to authenticate users who want to sign-in. Each tenant can choose which Identity Provider should be used to authenticate its users. What is a PI Connect node? To use PI Cloud Connect for setting a data exchange, you need to download and install some components required to connect to your PI Systems and share data. The machine where these components are installed is called a node. A tenant can deploy multiple nodes. Nodes are deployed via the Customer Portal. A node can both send and receive data. What is a publisher? Within the Customer Portal, a publisher is a user who has been granted the publisher role. They can publish specific data and grant other users access to it. What is a subscriber? Within the Customer Portal, a subscriber is a user who has been granted the subscriber role. They can subscribe to publications they have been granted access to by setting up a subscription that defines where to store the received data. When I sign in the Customer Portal, some elements of the navigation seem to be missing? The PI Cloud Connect Customer Portal is built using HTML5 technology and Java Script. It should be rendered properly in any modern web browser on any device. You might want to adjust the security settings of your browser to enable Java Script. For customers using Windows, we recommend using Internet Explorer version 8 and higher. Signing up How quickly can I use PI Cloud Connect after I have completed the sign-up process? Once the sign-up process is completed, it takes up to 48 hours to provision a new tenant. You will receive an email at the Microsoft Account (Windows Live ID) provided during the sign-up process inviting you to activate your account and to sign-in in the PI Cloud Connect Customer Portal. When trying to activate my account, I got an error message saying that the ticket has expired. What should I do? For security reasons, the activation has to be completed within 48 hours of the reception of the invitation sent by email. After that period of time, we (OSIsoft) need to re-issue a new invitation for you to activate your account. Please send an email at PICCPreview@osisoft.com specifying your tenant name and user account so that we can resend an activation email. P a g e 4 9
Deployment Where do I install the PI Connect client? PI Connect (the On-Prem component of PI Cloud Connect) can be installed on any machine that has both access to the Internet and PI AF (via the AF Client). Do I have to install the PI Connect client on the PI or AF server? No you don t. PI Connect can be installed on any machine that has the AF Client installed and access to Internet. How many PI Connect node do I need? A single PI Connect node can be enough. But considering that access to PI AF is granted according to the privileges of the PI Connect Windows Service running on a PI Connect node, multiple PI Connect nodes might be required to allow for different levels of access to PI AF and more granularity in defining the related publications/subscriptions. During this CTP, each tenant is allowed to a maximum of two (2) nodes. It seems that I cannot deploy more than two PI Connect nodes. Is this to be expected? Yes. In the Customer Technology Preview (CTP), each tenant is allowed a maximum of two (2) PI Connect nodes. However, it is possible to uninstall a node to redeploy on a different computer. Can I have multiple PI Connect Clients running on the same node? No. A single machine/computer can only host one PI Connect Client. Could a PI Connect node be associated with multiple tenants? No. A PI Connect node should be considered as a physical resource/asset that belongs to only one organization. Does the PI Connect client require certain versions of PI Software or prerequisites to be installed? Yes, it does. PI Connect is only supported on the following Operating System (OS) versions: 32 or 64 versions of Windows Vista SP2, Windows 7 or Windows 8 32 or 64 versions of Windows Server 2008 SP2 64 versions of Windows Server 2008 R2 or Server 2012 PI Connect node also requires Microsoft.Net Framework 4.5 (including all the updates) or higher and AF Client 2012 SP2 (version 2.5.2) or higher. Besides, a direct access to Internet is required. Publishing Are there guidelines for what to publish or not publish? You can publish any of your AF assets that your business partners need to access to get their work done, such as AF templates, elements and real-time data. P a g e 5 9
Are there restrictions on significantly changing the amount of data I'm publishing? PI Cloud Connect has no special restrictions. Will I always know who is subscribed to the data I publish? Yes. Only people you grant access to your publications will be able to consume your data. A monitoring dashboard will be available to track how much data is being transferred between a publication and a subscription. When I create a publication, why would I not start publishing data right away? In most cases, it makes sense to start publishing data when you first create a publication. But you can choose to create the publication first, and start publishing data later. You might want to do this if your PI AF Structure does not yet contain meaningful information, or if you want the people you invite to subscribe to your data to see information starting on a certain date. Can I limit a subscriber to only parts of the data I publish? No. But you can create a separate publication for a particular user (or set of users) to which you publish only the data you want them to see. Does the data flow continuously between the publication and the subscription? It depends upon the nature of the data being exchanged. Data is sent whenever the publication has updates to real-time or meta-data. How long does it take to send data from my system to the subscriber s system? Can I control it and make it faster or slower? PI Cloud Connect processes the data as quickly as possible. There is no throttling management capabilities planned for the first release but we have received requests to support such feature and added them to our product backlog. Subscribing Should I create a special place in my AF element hierarchy for the content I subscribe to? How should I structure that? For each subscription, you might want to put subscribed content under a labeled node in your PI AF database so that you can easily find it. Does it cause problems if the PI AF structure of the publisher does not match that of the subscriber? When you set up a subscription, you create a copy of the PI AF scope that the publisher is sharing, so you do not need to create your own hierarchy first. Is only one subscription allowed for each publication? You can grant multiple users access to a single publication. This way, a single publication can be consumed by multiple subscribers at the same time. P a g e 6 9
When I create a subscription, why would I not start subscribing to data right away? In most cases, it makes sense to start subscribing to data when you first create a subscription. But you can choose to create the subscription first, and start receiving data later. Can I make changes to content that I am subscribed to? If yes, do my edits alter the publisher's source content? It is not recommended to make any changes to the data you receive as a subscriber. PI Cloud Connect enables you to maintain a copy of the data that is being published, it is not intended to merge data. However, if you make edits to the data by mistake, it will not affect the publisher's original data. You can use standard AF tools to link and re-organize the data copied in a different structure. Does subscribed content look any different than other content in my PI AF hierarchy? It does not look any different. For each subscription, you might want to put subscribed content under a specifically labeled node in your PI AF structure so that you can easily find it. You can also put this content is a different PI AF database. Are there restrictions on what types of objects I can subscribe to? You can receive any objects that are included in the publication. In the initial release of PI Cloud Connect, not all PI AF objects are supported. 1 User accounts What is a user? A user is someone who has access to the PI Cloud Connect Customer Portal. Users are set up by the tenant administrator. They can sign in to their tenant Customer Portal and perform functions according to the role(s) they have been granted. Can I have multiple user accounts within one tenant? If yes, can I have separate publications and subscriptions for each user? As long as you use a different email address for each account, your administrator can set up multiple user accounts for you on the same tenant portal. Each user account can set up its own publications and subscriptions, if the account is authorized to do so. The activation link for becoming a user has expired. What should I do? For security reasons, activation of a new user has to happen within a limited timeframe. If the activation link sent by email has expired, the person who has received the email should ask the administrator of the tenant to re-issue an activation link. This is currently achieved via the Customer Portal by removing and adding the user again. 1 In this pre-release version, only AF Elements and AF attributes are supported. Some Data References (PI Point Array, Table Lookup, Custom DR) and AF Attribute data types (Array Types, Enumeration Sets, Objects) are not supported. P a g e 7 9
Security Why do I need a Microsoft Account (a.k.a. Windows Live ID) and is it secure? In the Customer Technology Preview, a Microsoft Account is used as the Identity Provider to authenticate users signingin the Customer Portal. Microsoft Accounts are managed by Microsoft and support two-factors authentication that makes them less vulnerable to tampering and fraudulent use. How secure is the public Cloud offering from Microsoft (a.k.a. Windows Azure)? Does it comply with any Cloud certification program? Windows Azure has recently received the SOC 2 type 2 certification as well as validation FedRamp. For additional information visit the Trust Center to learn more about Windows Azure security and compliance. To help assess you Cloud readiness, Microsoft provides tools that guide you through the process of looking at the different aspects of your business that could impacted by a Cloud based solution. Is there in-coming traffic from the Cloud? Yes, there is. But any connection with Azure is first initiated from the On-Prem components as an outbound connection. When the channel between On-Prem and the Cloud is secured, bi-directional traffic is allowed. What ports need to be open between the PI Cloud Connect node and my PI System? In which direction? The same ports that need to be open between an AF Client and an AF Server. What security is required between my PI System and the cloud connect client? The same security that is required (or not) between an AF Client and the PI Server(s) mapped in the AF Server the AF client is connecting to. Do I need to open ports in my Firewall? PI Cloud Connect uses standard port 443 for HTTPS connection between On-Prem and Azure. Ports 9350 to 9354 are also used by default by the Service Bus Relay for connection to Azure but it will fall back on using port 443 if these ports are blocked. If my firewall needs exception rules to be configured, what are the endpoints accessed from the PI Connect nodes? Here are the different endpoints that need to be accessible from a PI Connect node to be successfully deployed and maintain connectivity with the Azure components. https://login.live.com:443 https://ixsengine.picloudservices.com:443 https://osisoftidentityservice.accesscontrol.windows.net:443 https://<namespace>.servicebus.windows.net https://<tenantname>.picloudservices.com https://logservice.picloudservices.com:443 P a g e 8 9
Is my data stored in the cloud? Except for buffering purposes, no data is stored in Windows Azure. Is the data going to the Cloud encrypted? The data sent from On-Prem to Azure is not specifically encrypted but is protected by using HTTPS communication with the SSL protocol. How does PI Cloud Connect support policies around data export restrictions? The answer to this question has two aspects: (1) From a technical perspective, the Azure based components of PI Cloud Connect are at the moment deployed in the Western North America region only. This means that all traffic and data exchange is routed through this region, regardless where the PI Connect nodes are deployed. We are looking into supporting deployment of our solution in multiple geographical regions to optimize the connection between Pi Connect nodes with more local Azure resources but also to accommodate for data export restrictions. (2) From a business perspective, our experience is that PI Cloud Connect customers will contractually manage the policies/restrictions around data being shared with another party in a different country or with a party that could export the data outside acceptable geo-boundaries. PI Cloud Connect doesn t know about the physical geolocation of the PI Connect deployed are located and doesn t enforce restrictions about where PI Connect nodes can be deployed. It is therefore the responsibility of the parties engaging into a data exchange to agree around policies for managing in-country data restrictions. Who at OSIsoft has access to my data and how do you ensure that it is not used for any purposes that I do not approve of? PI Cloud Connect is maintained and monitored by a dedicated team of people within OSIsoft. When subscribing to the PI Cloud Connect Service, customers will have access to a Privacy Policy document that describes OSIsoft privacy practices around supporting and managing this service. Pricing PI Cloud Connect is free of charge during the preview period that extends to March 31 st, 2014. More detailed pricing information will be announced during the preview and will take effect on April 1 st 2014. P a g e 9 9