Configure the curation services AVEVA Identity Manager settings

Use the Staging Curation Service AVEVA Identity Manager (AIM) tab to configure the AIM client and AIM curator registration, and curator host service settings.

The MES Curator Web API is implemented using the security measures for System Platform that are enabled through the System Management Server. These measures include secure encrypted communications between nodes, AVEVA Single Sign-On (SSO), and certificate management. AIM manages the SSL certificates. The MES Curator Host service must be registered with AIM.

When you configure the Staging Curation Services AIM component:

• The MES Curator Host service fetches the SSL certificate from the Identity Manager Server and adds the information to the local node's Trusted Root folder.

• The MES Curator Host service is registered with AIM.

• A Windows firewall inbound rule exception is created to allow AVEVA Events to CONNECT to communicate with the MES Curator Web API.

Configure the Staging Curation Services AIM settings

1. Configure the AIM Client Registration settings:

   1. In the AIM Host field, enter the fully qualified domain name of the node on which the Identity Manager is running.

      IP addresses are not supported.

   2. In the AIM HTTPS Port field, enter the port number for the Identity Manager.

      The port number defaults to 443.

      The Identity Manager port number must match the System Management Server's HTTPS port number, which can be viewed or set on the System Management Server component's Advanced Configuration settings. For more information, see Implement secure communication with System Management Server.

   3. Enter the User Name and Password of the administrative account on the node on which AIM is running.

      If user accounts are managed with Windows Active Directory, the User Name must include the domain and user name in the format domain\username.

2. Configure the Curator Host settings:

   1. Verify the Account Name.

      Account Name is read-only field that shows the Windows user account that is currently assigned to the MES Curator Host service.

      The default user account is NT Service\MESCuratorHostService, which is created during the MES Curator component installation. This is a virtual service account that is based on using Active Directory (AD) for user account management.

      Notes:
      - If AD is being used to manage user accounts, you can leave the default user account or change it to another AD user account.
      - If Workgroups are being used to manage user accounts, you must change the MES Curator Host service's user account to a local Workgroups user account.
      - If you are running in Workgroup mode and SQL Server is on a different node, you must add the Workgroups user account to SQL Server and set the permissions manually.

      For more information on changing the user account, see Update the MES Curator Host service user account.

   2. Review the existing Preferred Curator Host field.

      The preferred curator host field is a read-only field that shows the fully qualified domain name (FQDN) of the machine that is preferentially polling the MES database.

      A preferred curator host is specified if multiple MES curator hosts are running in a multi-node environment to designate which one is the preferred host.

   3. (Optional) To set this account as the preferred curator host, select Set to preferred curator host.

   4. Select Set the minimal SQL permissions on the database for the service account to automatically add the MES Curator Host service Windows user account as a SQL Server login when the staging table settings are configured.

      This login will have the permissions to perform transactions with the MES staging tables. This option can be used in the following cases:

      • AD is being used to manage user accounts.

      • Workgroups are being used to manage user accounts and the MES Curator Host service is running on the same node as the MES database server.

      Note: Both of these cases require that Use Windows integrated security is enabled in the MES Curation Services Database Connection settings. If Windows integrated security is not used, then the MES Curator Host service must use an existing SQL Server login with the appropriate access to the MES database.

3. Configure the Curator AIM registration settings:

   1. Verify the Client Id field.

      Note: The Client Id field is read-only and contains the id used by the MES Curator Host service to authenticate communications with AVEVA Events to CONNECT. The id is automatically generated as [Machine Name].MESCURATOR.

   2. In the Client Secret field, enter the password for the Client Id.

      Important: The Client Id and Client Secret created during the MES Curation Services component configuration must be used to configure the Data Ingress Data Source Client Id and Client Secret. The client secret is not saved with the other component settings.

   3. In the Confirm Client Secret field, re-enter the password for the Client Id.

4. Complete the Staging tab. For detailed instructions, see Configure the curation services database settings.

5. If the Staging tab is complete, select Configure to configure the component.

   Progress information and any errors, if they occur, appear in the Configurator's Configuration Messages window.

   If the configuration completes successfully, a success message appears in the Configuration Messages window.

   If errors are encountered, check the Operations Control Management Console (OCMC) Log Viewer for details. To view additional details, enable the Log Script Execution log flag in the Log Viewer.