Configure the MES DB/MW communication security settings
Last Updated: Feb 06, 2025
The Security tab shows the Windows user account that is currently assigned to the MES middleware service.
If you are using Windows integrated security for the database connection strings on the Production and Restore tabs, you can select the Set the minimal SQL permissions on the database for the service account option. This will cause the middleware service Windows user account to automatically be added as a SQL Server login when the DB/MW Communications component is configured. This login will have the permissions to perform transactions with the MES database.

Account Name
A read-only field that shows the Windows user account that is currently assigned to the MES middleware service. The default user account is NT Service\WCFHostService, which is created during the MES Middleware component installation.
Note: The configured account is automatically granted read access to the private key of the WCF host service certificate.
This is a virtual service account that is based on using Active Directory (AD) for user account management.
- If AD is being used to manage user accounts, you can leave the default user account or change it to another AD user account.
- If Workgroups is being used to manage user accounts, you must change the middleware service's user account to a local Workgroups user account. If the MES database is on a remote server, the same Workgroups user account must also be set up on the remote node where the database is located.
Changing the user account should be performed prior to the MES DB/MW Communication component configuration.
Change the user account
- Open the Services control panel applet and locate the MES Middleware Host service.
- Right-click the service entry and click Properties.
- Enter the new user account on the Log On tab.
If you change the user account after the MES DB/MW Communication component has been configured, perform the configuration again. For additional information about changing the service's Windows user account if the MES middleware and database are on different server nodes, see Guidelines for changing the MES Middleware Service Windows User Account.
Set the minimal SQL permissions on the database for the service account
Select this option to automatically add the middleware service Windows user account as a SQL Server login when the DB/MW Communications component is configured.
This option can be used in the following two scenarios:
- AD is being used to manage user accounts.
- Workgroups is being used to manage user accounts and the MES middleware service is running on the same node as the MES database server.
Both of these scenarios also require that the database connection strings on the Production and Restore tabs are set to use Windows integrated security.
If Windows integrated security is not or cannot be used, then the middleware service must use an existing SQL Server login with the appropriate access to the MES database. See Manually Adding a SQL Server Login for the Middleware Service.
If you run the DB/MW Communication configuration and the middleware service user account was not given the minimum SQL permissions to access the MES database, sample SQL statements to provide authorization are logged in the output window. You can also run these SQL statements manually to provide the minimum SQL permissions to the local user account.
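The statements logged in the output window are the authoritative permission set. As an added illustration that is not part of the AVEVA documentation, the following T-SQL shows the shape of such a manual grant for the default service account; the database name [MES_PROD] and the db_datareader/db_datawriter/EXECUTE permission set are assumptions, not values from the product.

```sql
-- Added example (not from the AVEVA documentation): manually add the middleware
-- service Windows account as a SQL Server login and give it database-level
-- access only. Assumptions: default account NT Service\WCFHostService on the
-- same node as SQL Server; [MES_PROD] is a placeholder database name; the
-- role/permission set below is an assumed minimal set. Replace it with the
-- statements the Configurator logged in its output window.
USE [master];
GO
-- 1. Windows-authenticated login: no password is stored in SQL Server,
--    the Windows logon of the service account is trusted instead.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'NT Service\WCFHostService')
    CREATE LOGIN [NT Service\WCFHostService] FROM WINDOWS;
GO
USE [MES_PROD];   -- placeholder: the MES production database
GO
-- 2. Map the login to a database user. Nothing at server level
--    (no sysadmin, no server roles) is granted.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'NT Service\WCFHostService')
    CREATE USER [NT Service\WCFHostService]
        FOR LOGIN [NT Service\WCFHostService];
GO
-- 3. Assumed minimal set for the middleware transactions.
ALTER ROLE db_datareader ADD MEMBER [NT Service\WCFHostService];
ALTER ROLE db_datawriter ADD MEMBER [NT Service\WCFHostService];
GRANT EXECUTE TO [NT Service\WCFHostService];   -- stored procedures
GO
-- 4. Verify least privilege: the first query should list only the
--    roles granted above (never db_owner); the second should return
--    NULL in role_principal_id, i.e. no server role membership.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'NT Service\WCFHostService';

SELECT sp.name, srm.role_principal_id
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS srm
       ON srm.member_principal_id = sp.principal_id
WHERE sp.name = N'NT Service\WCFHostService';
```

Run the script with a login that holds the administrator rights described under the admin credentials settings; it is idempotent for the login and user, so re-running after a configuration retry is safe.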
Production database admin credentials for setting permissions
This setting only appears if the Set the minimal SQL permissions option is selected.
The user account specified here is used to create the SQL Server login for the middleware service Windows user account for the MES production database. Therefore, the user must have the SQL Server administrator credentials required to add a SQL Server login and assign it access to the MES production database.
- To use the currently logged-in Windows user account, select the Use Windows integrated security option.
- To use a SQL Server login, clear the Use Windows integrated security option and enter the SQL Server login username and password.
For more information about specifying the user account to access SQL Server, see Specify SQL Server user authentication.
Note that if a SQL Server login is provided for this option, the account information is not persisted by the Configurator.
Use production database credentials for the restore database
This setting only appears if the Enable Restore Database option and the Set the minimal SQL permissions option are selected.
Select this option to use the same user account to create the SQL Server login for the MES restore database as the one being used for the production database.
If not selected, the Restore Database Admin Credentials for setting permissions option appears.
Restore database admin credentials for setting permissions
This setting only appears if the Set the minimal SQL permissions option is selected and the Use Production Database Credentials for Restore Database option is not selected.
The user account specified here is used to create the SQL Server login for the middleware service Windows user account for the MES restore database. Therefore, the user must have the SQL Server administrator credentials required to add a SQL Server login and assign it access to the MES restore database.
- To use the currently logged-in Windows user account, select the Use Windows integrated security option.
- To use a SQL Server login, clear the Use Windows integrated security option and enter the SQL Server login username and password.
For more information about specifying the user account to access SQL Server, see Specify SQL Server user authentication.
Note that if a SQL Server login is provided for this option, the account information is not persisted by the Configurator.
Grant Read access to the SMS local certificate
Starting with MES version 7.1, synchronous, asynchronous, and event broker messages are authenticated by the MES middleware by default. To authenticate these messages, the MES middleware requires read access to the private key of the SMS local certificate.
MES must be properly configured to enable non-AVEVA client applications to make MES API calls. For more information, refer to Enabling Non-AVEVA Client Applications to Make MES Stateful and Stateless API Calls in the MES Stateless and Stateful API documentation.
Next Step
After configuring the middleware security settings, you are ready to register the MES middleware with the AVEVA Identity Manager. See Configure MES middleware AIM client registration.