Implement secure communication with System Management Server
Last updated: Aug 12, 2025
Security measures for System Platform network topology are enabled through the System Management Server (SMS) and the AVEVA Identity Manager (AIM). These measures include secure encrypted communications between nodes, AVEVA Single Sign-On (SSO), and certificate management. The SMS stores shared security certificates and establishes a trust relationship between nodes in the System Platform network topology. These security components together make up the common platform security measures.
If not already installed as part of a System Platform installation, SMS and AIM are installed when any of the following MES components are installed:
- MES Middleware
- MES Middleware Proxy
- MES Web Portal
Important: If you are operating License Server and License Manager in Secure Mode, you must configure the SMS before you configure AVEVA Enterprise License Server. In addition, if the SMS configuration is modified at any point, the License Server must be reconfigured to maintain secure operation. For more information on licensing, see Set up MES product licenses.
To implement secure communication with the MES middleware and for user authentication with the MES Web API, the SMS must be configured prior to configuring the MES components in the post-install Configurator.
If MES is being upgraded, then the MES components must be reconfigured to implement the latest security measures. In addition, all MES nodes on the network must be able to communicate with the System Management Server.
Note: MES does not support Azure AD in the System Platform configuration of SMS.
There should only be a single SMS in your System Platform network topology (additional redundant single sign-on servers can be configured). However, each node in the network has an SMS component that must be configured using the post-install Configurator.

SMS component settings
The SMS component settings include:
- Specifying whether the SMS is on the local node or a remote node.
- If on a remote node and connecting to an existing SMS, specifying the redundant SSO by selecting the check box on the local node.
- If on the local node, specifying the HTTPS port for the SMS. This port number also serves as the HTTPS port number for the local node's common platform communication over web ports.
- If on a remote node, specifying the HTTPS port used by the local node for common platform communication over web ports. Generally, this will be the same as the HTTPS port number for the SMS, but it could be different.

SMS configuration protocols
When configuring or reconfiguring the SMS component, the following protocols must always be followed:
- Primary node first: Always configure the main SMS node before configuring any nodes that will connect to it.
- Reconfiguration after updates: If the main SMS configuration is updated, all connecting nodes must also be reconfigured.
- Configurator status indicator: The SMS component status may not indicate that reconfiguration is required. Regardless of the status, always perform the reconfiguration.
Notes: For complete information about configuring SMS, refer to the topic 'System Management Server Configuration' in the System Platform Installation Guide. For detailed instructions about updating the SMS settings for individual MES components, see the related MES component configuration procedure in this guide.