Configure LaaS

Licensing as a Service (LaaS) is a licensing solution by AVEVA that provides hassle-free license management to customers. LaaS eliminates the need for you to manage an on-prem license server and instead moves license management to the cloud using CONNECT platform. See Work with LaaS for more information on LaaS.

LaaS also enables you to capture usage logs for AIM-hybrid (using AIMHybrid3DVS authentication).

Pre-requisites

• AIM 6.0 higher deployed in an on-prem environment using HTTPS.

• A CONNECT account must be requested via your AVEVA account manager. This is for viewing LaaS usage in CONNECT. As part of this activity, the account manager will need to raise a ticket with AVEVA mentioning:

  • Whitelist your applicationRootUri for your AIM-h service.

• The AIM user should be a user in a CONNECT account.

Enable LaaS

1. Configure the Credential Manager

   The Credential Manager (Aveva.Connect.Sdk.CredentialManager.exe) is a utility used to generate a refresh access token to check-out a Workhub license. It allows an end user to log in with a username and password and save the refresh token to %programdata%\.aveva. A non-interactive process can then read the refresh token and use it to obtain an access token silently.

   1. Ensure Microsoft Edge WebView2 is installed.

      To install, see https://developer.microsoft.com/microsoft-edge/webview2#download-section, and select the Evergreen Bootstrapper.

   2. Install the latest version of AIM on-prem.

   3. Navigate to C:\Program Files\AVEVA\AVEVA NET\Utilities\Credential Manager.

   4. Edit Credentials.json and fill in the following values.

      • RedirectUri: The value is any of the callback URLs configured for the auth0 client in CONNECT or the value of the avevanet:applicationRootUri key in the Dashboard application appSettings in the web.config file.

      • Authority: The value of the avevanet:authorityUri key in the Dashboard application appSettings in the web.config file.

      • ClientId: (The auth0 client ID). The value of the avevanet:dashboardClientId key in the Dashboard application appSettings in the web.config file.

      • Scopes: Values: openid and offline_access. Do not change the scopes, as these are fixed.

        An example web.config and Credentials.json for AIM-hybrid:

        

2. Run the Credential Manager:

   5. After setting up the values in Credentials.json, run Aveva.Connect.Sdk.CredentialManager.exe.

      

   6. Click Login. It will open a CONNECT login page. Login using your CONNECT username and password.

   7. After a successful login, it will create a credentials file in C:\ProgramData\.aveva.

      

   8. Setting the LaaS Url: Open a PowerShell with administrator privileges and run the SetLaasUrl.ps1 script that resides in C:\Program Files\AVEVA\AVEVA NET\Utilities\Credential Manager. It will set the given LaaS URL in the environment variable AVEVA_LICENSE_SERVER_LIST. You can verify the setting in the system properties. To log the LaaS usage in the LaaS administration, only a LaaS URL should be present in the environment variable.

   9. Run the Command: .\SetLaasUrl.ps1 -LicenseServerList “https://license.connect.aveva.com”

      

      Note: Running Aveva.Connect.Sdk.CredentialManager.exe with empty values in Credentials.json, will fail.

3. Change the Dashboard appSettings:

   After the deployment is done and the configuration settings have been received from AVEVA (as per the service request), some configurations need to be made to allow the on-prem AIM installation to connect to the AIM-h service.

   10. Open the AIM web.config file.

   11. In the configSections section, insert the specified lines as indicated below:

       <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral,PublicKeyToken=B77A5C561934E089" />
       <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0,Culture=neutral, PublicKeyToken=B77A5C561934E089" />

   12. Proceed to the appSettings section and include the provided configurations:

       Key	Needs Modification?	Value	Additional Description
       avevanet:authenticationProvider	No	AIMHybrid	Fixed value, no changes required. The value will be AIMHybrid
       avevanet:applicationRootUri	Yes	The HTTPS URL configured for the on-prem setup.	Owned by the customer.
       avevanet:authorityUri	Yes	https://signin.connect.aveva.com	CONNECT authority URI path.
       avevanet:dashboardClientId	Yes	As received from AVEVA.	Fixed value, no changes required (in prod-connect).
       avevanet:capabilityDefinitionName	Yes	Asset Information Management - hybrid	CONNECT capability definition name.
       avevanet:accountId	Yes	As received from AVEVA.	CONNECT account ID for the deployment.
       avevanet:workhubClientId	No	xyz	For an AIM-hybrid configuration, this value should be non-empty, but can have any string, for example, xyz.
       avevanet:auth0Authority	Yes	https://signin.connect.aveva.com	For Auth0 authentication.
       avevanet:serviceUAMUrl	Yes	https://services.connect.aveva.com/uam/v2/	For Auth0 authentication.
       avevanet:serviceSCMUrl	Yes	https://api.connect.aveva.com/scm/	For Auth0 authentication.
       avevanet:serviceAMUrl	Yes	https://api.connect.aveva.com/am/	For Auth0 authentication.
       avevanet:serviceAssetsUrl	Yes	https://api.connect.aveva.com/assets/v1/	For Auth0 authentication.
       avevanet:serviceAudience	Yes	https://services.connect.aveva.com	For Auth0 authentication.
       avevanet:resourceAudience	Yes	https://api.aimh.av.connect.aveva.com	For Auth0 authentication.
       avevanet:accessTokenCacheDuration	No	10	For Auth0 authentication.
       avevanet:serviceScopes	No	uam:read am:read scm:read ac_assets	For Auth0 authentication.
       avevanet:usingLaas	No	True	To enable LaaS
       avevanet:auth0SingleSignOutUrl	Yes	https://profile.connect.aveva.com/singlesignout	Logout Url for connect

       

   13. Configure the authentication under <system.webServer> to use anonymousAuthentication exclusively. Remove any references to Windows Authentication. Ensure that the locally hosted AIM site authentication is also set to anonymous.

       <authentication>

       <anonymousAuthentication enable="true" />

       </authentication>

       

   14. Locate each PortalID section where the AIM-h CONNECT account is required within the web.config.

       <portal id="Default">

       <Account Value="" />

       

   15. Append the following section towards the end of the web.config file.

       <system.identityModel>
       <identityConfiguration>
       <claimsAuthenticationManager type="AVEVA.NET.Dashboard.Infrastructure.DashboardClaimsAuthenticationManager, AVEVA.NET.Dashboard" />
       </identityConfiguration>
       </system.identityModel>

       

       When this configuration is completed, the on-prem AIM setup will be able to connect to AIM-hybrid.

4. To view usage logs for users go to the LaaS Administration page.

Usage Logs Troubleshooting

Here are some remedies to resolve Workhub licence issues when logging in to the Dashboard.

When accessing the Dashboard, if you see the Error getting Workhub license message, then check the detailed error in the Event Viewer. See the Windows Logs -> Application page, and view entries with a Source of AVEVA NET Workhub.

• If the detailed error message is No token in the cache or Cached token invalid then.

  1. Verify the dashboardclientid in the web.config file is similar to the clientid in the credentials.json file of the Credential Manager.

  2. Verify if the credential file is available for the clientId in the %program data\.aveva% folder.

  3. Rerun the Credential Manager.

• If the detailed error message is Refresh token has expired.

  1. Rerun the Credential Manager.

  2. Verify that the credential file is in the %program data\.aveva% folder.