Professional Documents
Culture Documents
Setup
Application Execution
Networking and security must be set up correctly to ensure
remote server applications can be launched when authorized
operators are at the workstations. Clients must be able to launch
servers, and logging applications must be able to start automatically.
67
68 Software for Automation
NT Service
Some applications or components can optionally run as an NT
service. Services are applications that run in the background; they
do not have a user interface, since services are used by other
applications, not by users. Unlike most applications, services are
not launched by the user from the start button. Rather, they are
started and stopped by Windows. If an application runs as an NT
service, a new user can log in without restarting the application.
This is ideal for server applications such as the Windows IIS Web
server, OPC A&E servers such as alarm generators, as well as
alarm and historical trend loggers. These applications should be
running continuously regardless of which operator is using the
system. Other applications suitable to run as an NT service
include OPC tunnelling and security. Not all applications can run
as an NT service. Configuration of an application to run as an NT
service, or not, is done from within the application itself. Verify
with the vendor which applications are configured to run as an
NT service.
Windows Auto-start
When OPC clients are started, they automatically launch the asso-
ciated OPC servers. Thus, if a shortcut to the client is included in
the Windows Startup folder, it will subsequently also launch the
servers. For server computers in which no client is executed,
“server manager” utilities can be included in the Windows
start-up folder to launch the servers. Therefore, it is possible to
automatically start applications although they don’t run as an NT
service. Another advantage of server manager utilities is they can
keep a server running even if no client is connected. This is ideal
for systems where starting the server and establishing the initial
connection takes a long time.
System Networking
Because inserting firewalls between the automation network and
the information network creates the need for additional hardware
and software to support Web technologies, it is tempting to not
use a firewall. However, the firewall is necessary to protect the
control network from problems permissible in the execution and
business environment, but not in automation. Having the histo-
rian on the control network means substantial traffic sharing
bandwidth with the automation function. Therefore use fast
Ethernet and logically separate information from control on
automation level LAN using virtual LAN (VLAN).
These days, there is often a need for data to percolate up into the
MES and ERP levels. For this purpose, a router is used to tie the
automation system network to the plant LAN. By connecting to
the Internet, it is possible to gain access to the automation system
from anywhere to obtain information, or to perform remote opera-
tion or maintenance. Remote access is ideal for in-house as well as
external experts to solve problems in the automation system
outside regular working hours (Figure 3-1).
Terminal Server
Another scheme to create a multi-user environment is to use
terminal services built into servers. A terminal server is a server-
centric scheme in which an application runs in multiple inde-
pendent sessions on a server for each of many clients. Most appli-
Chapter 3 – Setup 73
DCOM Setup
DCOM is supported in Windows, except for the earliest versions.
However, verify on which specific operating systems the clients
and servers can run. In general, an OPC server needs to run on an
NT family operating system such as Windows NT4 (workstation
or server), Windows 2000, Windows XP, or later. A client can be
any of those, Windows 98, or Windows ME. Even Windows 95
with DCOM extension is possible. If the client and server are not
on the same computer, then DCOM security must be configured
to enable the necessary networking functions.
It may be a good idea to define groups because it makes it easy to add and
remove users, ensuring correct rights, as members join and leave the team.
DCOM Configuration
If client and server applications are located in different computers,
then DCOM must be enabled and configured in all client and
server computers to permit remote access, launch, and configura-
tion. OPC across a network is a classic example of remote access,
activation, and adjustment of remote components. For small
systems where client and server applications are in the same
computer, the default settings will work, and no configuration is
necessary unless there are special security requirements. Most
OPC server manuals explain this configuration systematically. The
steps are the same for all OPC clients and for all OPC servers, and
apply to other DCOM applications as well. The client-side and
server-side configuration is slightly different. Similarly, there are
slight differences between the workgroup and the domain access,
as well as some differences between versions of Windows. Details
of how this is done from DCOMCNFG are typically explained in
the OPC server documentation. Note that the DCOMCNFG utility
configures all COM on the computer, not just OPC, so it will be a
very long list of components (Figure 3-6).
Chapter 3 – Setup 77
• Properties
• Security
• Protocols
Properties
It is possible to configure how strictly the server authenticates the
client, and if the server can impersonate the client’s identity when
performing certain tasks. It is possible to set these DCOM proper-
ties as a “Default” for the computer as a whole, as well as a
specific property for individual applications. The properties for
individual applications override the default properties. Some
combinations of the authentication and impersonation settings
will not work for OPC. The below configuration for the default
properties works for most installations, but some installations
may have special requirements:
Security
It is possible to make the “Default” DCOM security settings for
the computer as a whole as well as specific security settings for
individual applications. The security setting determines which
user or group of users can access, launch, and configure applica-
tions. For example, DCOM security is used to restrict application
use only to authorized persons. Three aspects of the application
are controlled:
• Access
• Launch (normally not required in clients)
• Configuration (normally not required in clients)
Protocols
It is possible to make the “Default” configuration for protocols
DCOM will try to use, and in which order for components in
general as well as specific protocol choice for individual applica-
tions. Fewer protocols reduce the time DCOM spends retrying,
thus notifying operators faster of any failure. The settings for indi-
vidual applications override the default settings. It is a good idea
to use only the single default protocol setting as much as possible,
since this is easier to manage than several individual settings for
each component.
Applications
Authentication level, security, and protocols can be adjusted for
each individual component in cases where the default computer-
wide settings are not suitable (Figure 3-7). Additionally, it is also
possible to set the location where the component will be
executed—that is, on which computer. Further, it is also possible
to run the component using a different user account. It is easier to
manage a single default configuration rather than individual
configuration for each component. Even documentation of
component specific settings gets very messy.
Summary
The server needs to be configured to enable calls (Table 3-1). The
“Default” properties are configured once and for all for the entire
computer. The application properties can be set for each applica-
tion. The security limits were introduced from Windows XP
Service Pack 2.
Chapter 3 – Setup 81
Indeed, it is also a good idea to use two sets of router and firewall, one on
the control network-side, and one on the IT network-side. This way,
control system engineers can administer one router/firewall, and IT
engineers the other, eliminating conflicts. Each side can configure their
firewall as per their requirement.
DCOM does not work well through firewall or router and across
the Intranet, Internet, domain, or workgroup. DCOM over
Internet is difficult because Network Address Translation (NAT) is
not permitted, since DCOM uses the true IP address. DCOM uses
a large number of ports with port numbers assigned dynamically.
Although the port range can actually be restricted, there will still
be too many “holes” in the firewall if a corresponding range was
opened. In short, DCOM is not “firewall friendly.” Therefore,
when an OPC client and server are located on different networks,
special solutions are required. Moreover, DCOM time-out and
retry is fixed in Windows and cannot be set. It works well for fast
LAN connections, but for low bandwidth connections such as
some wireless, modem, and satellite links, it does not perform
satisfactorily. Since DCOM and OPC are usually used within the
automation system, and not beyond, this is only very rarely a
problem. Most plants will never need to worry about this.
IP Port Tunnelling
Different applications are available that wraps DCOM into a
proprietary frame communicated through a single IP port (Figure
3-11). Using this scheme, only that single IP port in the firewall
need be opened to permit DCOM to be tunnelled through it.
Opening a single IP port in the firewall between the automation
system and the corporate Intranet is relatively secure since it is
within the company, and not the public Internet. However,
opening a wide range of ports would be too risky.
86 Software for Automation
Web Tunnelling
When tunnelling DCOM across the public Internet it is necessary
to use Web technologies such as SOAP, HTTP, XML, and HTML to
ensure the communication is not blocked by firewalls. HTTP uses
port 80, which firewalls permit to pass (Figure 3-12). Because of
the way HTTP operates, opening port 80 in the firewall is the
more secure option, albeit not completely protected. Since the
transport used is HTTP, the server-side network needs to have a
Web server installed to provide this transport. This Web server
can be in the same or a different computer.
Programs and ports that shall not be blocked are easily configured.
It may be a good idea to document all firewall exceptions.
Windows also prompts if an application is being blocked, permit-
ting user to unlock the communication. If communication does not
work and the software firewall is the suspected culprit, temporarily
turn off the Windows firewall to see if it is the source of trouble.
License
Most vendors freely distribute CD with all their software and
many applications can be downloaded from the Web. Getting and
installing software is not an issue. However, software comes with
a license agreement and, to run most automation software, you
need to activate some form of license to unlock the software.
Licensing can be based on either hard key (a.k.a. “Dongle”) or soft
key. The program files are available for free—what you pay for is
the activation license. These days many large applications are
modular, permitting you to customize it to fit your needs by
selecting the necessary application components you want to
license. The cost of the license depends on the components
chosen, how many points or devices it supports and the number
of users in the system. Every vendor has a slightly different
licensing policy. Most applications show the terms and conditions
of the license agreement at the time of installation, but it is
Chapter 3 – Setup 89
common to skip to the next step without actually reading it. Make
sure at least one person in the company reads and understands
the agreement. There can be important points with regards to the
use of the software, including issues with patents etc.
• Development
• Run-time
• Client
• Viewer
• Thin-client
90 Software for Automation
Apart from license for the client and server applications, it is also
necessary to have license for operating systems and other infra-
structure such as the SQL database. MSDE is a small-scale
database that can be used for free with a limited number of users.
MSDE is thus an attractive option for a small-scale system.
Similarly the IIS Web server is free with a limited number of users,
but requires a license to be purchased that supports many users.
Key
Licensing for automation software is typically controlled using
keys. The key can be a hardware key, which is simple device
plugged into the parallel port or USB port of the computer. Manu-
facturers have different schemes such as single user license and
multi-user license for different numbers of users that can be active
at any one time. Depending on the number of stations and the
number of users that need to access a particular software in the
automation system, it may make more sense to use either one or a
few single-user license, or go for a multi-user license.
Soft Key
The software key scheme is based on a unique identifier for the
hardware. The unique identifier is based on, for example, the hard
disk and other aspects. After installing the software, the license
utility runs. The license utility provides a code unique to the
computer. The code is then registered with the software vendor
via email or online over the Internet. The vendor provides a key
locked to the unique hardware code. The license key is then
entered in the license utility. The application will only run with
the key for the designated computer. Transferring the license from
one computer to another requires a removable disk such as a
floppy or thumb drive (i.e., the original computer must still be
fully functional to move the license). If the computer has some
kind of failure, this may not be possible.
Hard Key
The hardware key is based on a very small device, typically no
larger than a connector, plugged into the computer parallel or
USB port (Figure 3-15). The software only executes if the license
manager can detect the presence of the hard key. Transferring the
license from one computer to another is as easy as moving the
hard key.
Figure 3-15. Hard Keys for USB and Parallel Port (Courtesy: SafeNet, Inc)
94 Software for Automation
The software license can be lost due to hard disk crash, moved or
copied license file, deleted license file, formatted hard disk, change
of file system, partitioned hard disk, some defragmentation utili-
ties, change of computer name, uninstallation of the licensing
utility, or reinstallation of operating system etc. In this case, it is
necessary to run the license utility again to obtain the new hard-
ware code and submit this to the vendor to generate a new key.
If you know that the system will soon have to be changed, or expanded, it
may be a good idea to use a software key.
Advantages of hard keys include the fact that hard disk failure, or
any tampering with files, does not affect the key. The hard key can
easily be moved to another computer, even after the original
computer has suffered a complete failure. Hard key may be the
best choice for small systems not having hot-standby redundancy.
Hard key is quickly transferred to a replacement computer in case
of failure, thus minimizing downtime.
Exercises
1. Do applications stop executing when a new user logs in?